Tag Archives: NSA

Wondering Wednesday: Suicide in Singapore, Drone Over Brooklyn, and Telco Tattlers

By:  Wednesday March 6, 2013 5:00 pm

Help me get over the hump and clue me in on a few things. I’ve been scratching my head wondering about these topics.

Suicide in Singapore — The recent “suicide” of a U.S. electronics engineer in Singapore looks fishy to me. It looked not-right to Financial Times as well; it appears no other domestic news outlet picked up this case for investigative reporting before FT. The deceased, who’d worked for a government research institute on a project related to Chinese telecom equipment company Huawei, is alleged to have hung himself, but two details about this case set off my hinky meter.

•  Every photo I’ve seen of engineer Shane Todd depicts a happy chap. Sure, depressed folks can hide their emotions, but comparing a photo of his family after his death to photos of him and you’ll see the difference. My gut tells me that if he was truly depressed, he should have looked more like his folks–flat, withdrawn, low affect. Perhaps meds could have messed with his head more than depression itself. But I’m not a psychologist or a pharmacologist, what do I know?

•  Among all the details of the case, it’s said the victim’s face postmortem was white when his body was discovered. This doesn’t strike me as consistent with hanging; there should have been lividity above the ligature. Conveniently, Singapore’s law enforcement cleaned everything up so quickly there was no chance to see the crime scene or the body as found. Law enforcement also snagged the victim’s laptop and all other work-related stored content, save for a hard drive that looked like a speaker. Everything he was working on “disappeared” except for the contents of that drive.

The engineer had been very concerned about technology he was working on and its possible transfer, which included gallium nitride transistors with potential for both commercial and military applications. After poking around for some time on gallium compounds used in various computing, communications and other technology, nothing screams at me as highly sensitive technology that might get someone “suicided.” But…as I went through abstracts, it seems odd there are a substantive number of Chinese researchers working in on GaN-based technologies.

Thought these two points in particular jar my senses, more than just these two points don’t sit well. Read the story at the link above and see for yourself. (Original FT link here.)

What do you make of this case? Suicide or no? Strategic technology or no? Continue reading


Ron Wyden: Liar, Liar, Alexander Pants on Fire

By:  Thursday December 27, 2012 2:29 pm

Ron Wyden, Dianne Feinstein, and a few other Senators are conducting what constitutes “a debate” on the FISA Amendments Act extension.

The highlight of the debate, thus far, came when DiFi promised to wave a classified letter answering some of Ron Wyden’s questions around in front of the TV. Mind you, she has not yet fulfilled that promise. But she made the promise, so I am glued to the screen waiting for her to embody the ridiculous nature of this so-called debate by waving her letter in lieu of telling us what it actually says.

Aside from that excitement, however, the high point of the debate has come from Ron Wyden, repeatedly suggesting NSA head General Keith Alexander is a liar.

At issue was a speech Alexander made in July at the DefCon hackers conference. He made two claims that Wyden and Mark Udall questioned in an October letter.

Specifically, you said:

We may, incidentally, in targeting a bad guy hit on somebody from a good guy, because there’s a discussion there. We have requirements from the FISA Court and the Attorney General to minimize that, which means nobody else can see it unless there’s a crime that’s been committed.

We believe that this statement incorrectly characterized the minimization requirements that apply to the NSA’s FISA Amendments Act collection, and portrayed privacy protections for Americans’ communications as being stronger than they actually are. We urge you to correct this statement, so that Congress and the public can have a debate over the renewal of this law that is informed by at least some accurate information about the impact it has had on Americans’ privacy.

You also stated, in response to the same question, that “…the story that we have millions or hundreds of millions of dossiers on people is absolutely false.” We are not entirely clear what the term “dossier” means in this context, so we would appreciate it if you would clarify this remark. Specifically we ask that you please answer the following questions:

  • The intelligence community has stated repeatedly that it is not possible to provide even a rough estimate of how many American communications have been collected under the FISA Amendments Act, and has even declined to estimate the scale of this collection. Are you certain that the number of American communications collected is not “millions or hundreds of millions”? If so, then clearly you must have some ability to estimate the scale of this number, or at least some range in which you believe it falls. If this is the case, how large could this number possibly be? How small could it possibly be?
  • Does the NSA collect any type of data at all on “millions or hundreds of millions of Americans”?

Alexander replied to Wyden and Udall on November 13. In it, he responded to the first Wyden/Udall question by claiming he was speaking about a foreign intelligence context.

I noted at the outset that NSA has a foreign intelligence mission, and my subsequent reference focused on the type of circumstance in which U.S. person information may be disseminated when this foreign intelligence requirement is not met (e.g., when there is evidence of a crime).

He went on to rehearse the legal requirements for minimization, which only applies to information not deemed “foreign intelligence information.” That is, he basically admitted that information deemed to be foreign intelligence information can be shared.

Alexander answered the second Wyden/Udall question by dodging.

Second, my response did not refer to or address whether it is possible to identify the number of U.S. person communications that may be lawfully but incidentally intercepted pursuant to foreign intelligence collection directed against non-U.S. persons located outside the United States as authorized under FAA 702.

In your letter, you asked for unclassified answers to several questions that you feel are important to allow the public to better understand my remarks delivered at the conference. While I appreciate your desire to have responses to these questions on the public record, they directly relate to operational activities and complete answers would necessarily include classified information essential to our ability to collect foreign intelligence.

Wyden referred to these letters at least twice in his various speeches in this “debate.” And while he has been careful to suggest that Alexander may have just misspoke, he has repeatedly made it clear that Alexander lied when he said US person data could not be shared.

I don’t know why General Alexander described minimization as he did. But why did it take Udall and I to make big push to correct?

The implication, it seems, is that the government has simply deemed all the US person information they collect to be foreign intelligence (indeed, elsewhere Jeff Merkley talked about how the “relevant to an investigation” standard makes all conceivable information context for foreign intelligence), meaning minimization requirements are largely meaningless.

In response to Alexander’s claims on hundreds of millions of dossiers, Wyden noted, over and over again, that in spite of NSA’s refusal to answer the question of how many Americans’ data has been collected, Alexander did not in his response–and has not since–denied that NSA keeps hundreds of millions of dossiers on people.

Director of NSA would not provide public answer on whether NSA keeps hundreds of millions of dossiers on people.

Clearly, Alexanders denial that NSA keeps dossiers (which itself stems from claims former NSA coder William Binney made) is simply a word game about the meaning of dossier. NSA doesn’t have dossiers, you see. It has information on hundreds of millions of Americans.

Information–that Wyden makes clear–is not subject to the plain meaning of minimization requirements.


When Overseers Become Talking Heads

By:  Monday December 3, 2012 10:35 am

The entire Benghazi pseudo-scandal can reportedly be traced back to House Intelligence Committee Ranking Member Dutch Ruppersberger’s request for talking points he could use to respond to journalists.

Three days after the lethal attack on the American Mission in Benghazi, Libya, Representative C. A. Dutch Ruppersberger of Maryland, the top Democrat on the House Intelligence Committee, asked intelligence agencies to write up some unclassified talking points on the episode. Reporters were besieging him and other legislators for comment, and he did not want to misstate facts or disclose classified information.

More than 10 weeks later, the four pallid sentences that intelligence analysts cautiously delivered are the unlikely center of a quintessential Washington drama, in which a genuine tragedy has been fed into the meat grinder of election-year politics.

Before I get too far, remember that Ruppersberger (D-NSA) is one of the geniuses who believe the way to stem leaks is to prevent intelligence professionals from giving background briefings. Remember, too, that the talking points that have caused so much trouble were almost certainly tweaked to protect the intercepts Ruppersberger’s constituent, the NSA, had collected. Nevertheless, this guy, who presumably supports the principle of not telling militants we’ve got their phone tapped, and who thinks people with a more developed understanding of sensitivities around intelligence should not be able to brief the press directly, had to have his talking points so he could talk to the press himself.

Ruppersberger’s inconsistency on this point reminded me that after the super secret drone killing of some American citizens last year, the Gang of Four all weighed in to assure Americans that Anwar al-Awlaki’s death was “legitimate” because there had been “a process.” The Gang’s loquacity contrasted sharply with the Administration’s silence on the very same issue, one reiterated since in the Administration’s Glomar claims about topics the Gang of Four feels welcome to discuss. That contrast is all the more troubling given that Ruppersberger admitted that the Gang of Four does not know who is on the Kill List (and therefore didn’t really know whether the killing of Samir Khan was “legitimate”).

It’s all very neat. Not only does the Gang of Four enjoy immunity from prosecution under the Speech or Debate Clause. But they were–and presumably are–serving as journalistic sources on topics about which they aren’t (though legally should be) fully informed.

Last week Julian Sanchez and Mike Masnick rehashed an earlier version of this, when the Bush Administration armed the Intelligence Committees with talking points that would reinforce their lies that the Terrorist Surveillance Program constituted the entirety of the illegal wiretap program.

Note what that does to the whole question of “legitimacy.” The Gang of Four only knows what Administration and agency officials tell them.  Yet, even in spite of potential and real limits to their knowledge of a program (and a history of deliberately misleading briefings on such topics), they will weigh in and declare something “legitimate.”

We have a problem in this country with the way our intelligence community communicates publicly (see Dan Drezner and Nada Bakos addressing different aspects of this problem.)

But the solution clearly is not the one the national security establishment increasingly appears to be adopting: to turn the four men and women who purportedly exercise the only oversight of the most sensitive programs into talking heads. That process almost certainly ensures incomplete briefing of these “overseers.” Worse, still, it guarantees a kind of complicity that makes the overseers-turned-talking-heads useless for oversight.

WIth their push to limit background briefings, the Gang of Four have raised their own stock as journalistic sources. But they’ve also further gutted the inadequate oversight we’ve got over intelligence.


Michael Hayden, Privacy and Counterterrorism Frugality Champion

By:  Thursday October 25, 2012 3:51 pm

Of 1,423 words in an article questioning whether deficit hawkery might cut the domestic spying budget, Scott Shane devotes over a sixth–roughly 260–describing what former NSA and CIA Director Michael Hayden thinks about the balances between funding and security.

Remarkably, none of those 260 words disclose that Hayden works for Michael Chertoff’s consulting group, which profits off of big domestic spying. This, in an article that cites Chertoff’s electronic border fence among the expensive counterterrorism duds that were subsequently shut down (Shane mentions “puffer” machines as well, but not the Rapiscan machines that Chertoff’s group lobbied for, which are now being withdrawn as well).

And then there’s a passage of Shane’s article that touches on topics in which Hayden’s own past actions deserve disclosure.

Like other intelligence officials after 2001, Mr. Hayden was whipsawed by public wrath: first, for failing to prevent the Sept. 11 attacks, and then, a few years later, for having permitted the National Security Agency to eavesdrop on terrorism suspects in the United States without court approval.

Perhaps, as a result, he often says that the American people need to instruct the government on where to draw the line. He told an audience at the University of Michigan last month, for instance, that while a plot on the scale of the Sept. 11 attacks was highly unlikely, smaller terrorist strikes, like the shootings by an Army psychiatrist at Fort Hood in Texas in 2009, could not always be stopped.

“I can actually work to make this less likely than it is today,” Mr. Hayden said. “But the question I have for you is: What of your privacy, what of your convenience, what of your commerce do you want to give up?”

To be fair, Shane counters Hayden’s claims by noting that “secrecy … makes it tough for any citizen to assess counterterrorism programs.”

But he doesn’t mention one of the biggest examples where Hayden–where anyone–chose both the most expensive and most privacy invasive technology: the wiretap program Hayden outsourced to SAIC rather than use in-house solutions.

As Thomas Drake has made clear, by outsourcing to SAIC, Hayden spent 300 times as much as he would have with the in-house solution.

One of them was Lieutenant General Michael Hayden, the head of the agency: he wanted to transform the agency and launched a massive modernization program, code named: “Trailblazer.” It was supposed to do what Thin Thread did, and more.

Trailblazer would be the NSA’s biggest project. Hayden’s philosophy was to let private industry do the job. Enormous deals were signed with defense contractors. [Bill] Binney’s Thin Thread program cost $3 million; Trailblazer would run more than $1 billion and take years to develop.

“Do you have any idea why General Hayden decided to go with Trailblazer as opposed to Thin Thread, which already existed?” Pelley asked.

[snip]

Asked to elaborate, Drake said, “Careers are built on projects and programs. The bigger, the better their career.” [my emphasis]

Along the way, Hayden repeatedly blew off Congressional staffer Diane Roark’s inquiries about privacy protection.

When Binney heard the rumors, he was convinced that the new domestic-surveillance program employed components of ThinThread: a bastardized version, stripped of privacy controls. “It was my brainchild,” he said. “But they removed the protections, the anonymization process. When you remove that, you can target anyone.” He said that although he was not “read in” to the new secret surveillance program, “my people were brought in, and they told me, ‘Can you believe they’re doing this? They’re getting billing records on U.S. citizens! They’re putting pen registers’ ”—logs of dialled phone numbers—“ ‘on everyone in the country!’ ”

[snip]

[Former HPSCI staffer Diane Roark] asked Hayden why the N.S.A. had chosen not to include privacy protections for Americans. She says that he “kept not answering. Finally, he mumbled, and looked down, and said, ‘We didn’t need them. We had the power.’ He didn’t even look me in the eye. I was flabbergasted.” She asked him directly if the government was getting warrants for domestic surveillance, and he admitted that it was not. [my emphasis]

So it’s not just disclosure of all the ways Hayden has and does profit off of continued bloated domestic surveillance that Shane owes his readers: he also should refute Hayden’s claims about the relationship between cost, privacy, and efficacy.

Michael Hayden’s SAIC-NSA boondoggle is one case where secrecy no longer hides how much money was wasted for unnecessary privacy violations.

Yet somehow, that spectacular example of the unnecessary waste in domestic spying doesn’t make it into the 260 words granted to Hayden to argue we need continued inflated spending.


If Everything NSA Does is “Auditable,” Why Can’t NSA Tell Us How Many Americans They’ve Spied On?

By:  Saturday July 28, 2012 11:57 am

NSA Director Keith Alexander just said this to the hackers at DefCon (while wearing an absolutely ridiculous hacker costume):

“We get oversight by Congress, both intel committees and their congressional members and their staffs,” he continued, “so everything we do is auditable by them, by the FISA court … and by the administration. And everything we do is accountable to them…. We are overseen by everybody. And I will tell you that those who would want to weave the story that we have millions or hundreds of millions of dossiers on people is absolutely false.”

But a month ago, Alexander’s Inspector General told Ron Wyden that an estimate of the number of people inside the United States who have had their communications collected or reviewed under the FISA Amendments Act “was beyond the capacity of his office.” Of note, the IG and NSA leadership–that is, presumably Alexander himself–claimed such a review would “violate the privacy of U.S. persons.”

I look forward to Ron Wyden’s response to Alexander’s seeming reversal on that earlier letter with claims of this unlimited auditability.


NSA Director Keith Alexander: The FBI Does the Domestic Collection

By:  Wednesday March 21, 2012 8:35 am

Congressman Hank Johnson asked NSA Director Keith Alexander about James Bamford’s Wired article describing the data storage and analysis center in UT. Unfortunately, rather than ask Alexander about these activities–storage and analysis–Johnson asked Alexander about data collection. Here are excerpts of the exchange:

Johnson: Does NSA have the ability to identify Cheney bashers based on the content of their emails?

Alexander: No. Can I explain? NSA does not have the ability to do that in the United States. In the United States we would have to go through an FBI process–a warrant–to serve it to somebody to actually get it.

Johnson: But you do have the capability to do it?

Alexander: Not in the United States. We’re not authorized to collect nor do we have the equipment in the United States.

Johnson: “NSA’s signals intercepts include eavesdropping on domestic phone calls and inspection of domestic emails.” Is that true?

Alexander: No, not in that context. I think what he’s trying to raise is are we gathering all the information on the United States? No, that is not correct.

Johnson: What judicial consent is required for NSA to intercept communications and information involving American citizens?

Alexander: Within the United States, that would be the FBI lead.  If it was foreign actor in the United States the FBI would still have the lead and could work that with the NSA or other intelligence agencies as authorized. But to conduct that kind of collection in the United States it would have to go through a court order and a court would have to authorize it. We’re not authorized to do it nor do we do it.

Note that Alexander never denies that such capabilities exist. Rather, he says that FBI would intercept communications–with a court order–and FBI would search for certain content–with a warrant.

Also note, all of Alexander’s responses were in the present tense: he doesn’t say the NSA hasn’t done these things. Only that the NSA is not now authorized to do them and does not do them.

We know several things about the government’s collection in the US. First, the telecoms own the equipment–they’re the ones that do the intercepts, not FBI or NSA. Second, the FBI can and does get bulk data information from telecoms and other businesses using Section 215 of the PATRIOT Act.

I will have more to say about this later–until then, read this post and this post as background.

There is a great deal of circumstantial information to suggest that after the 2004 hospital confrontation–which was in part a response to Congress prohibiting any DOD use of data mining on Americans–chunks of the illegal wiretap program came to be authorized under Section 215 of the PATRIOT Act, which authorizes FBI data collection.

There’s nothing General Alexander said in this non-denial denial that would conflict with the notion that FBI collects data the telecoms intercept using Section 215 of the PATRIOT Act.


The Rationale for NSA’s Bottomless Pit of Data: Hackers

By:  Monday March 19, 2012 9:24 pm

In his must-read report on the bottomless data pit containing the NSA is building in Utah, James Bamford described the public explanations NSA Deputy Director Chris Inglis made when he broke ground on the facility.

[NSA deputy director Chris Inglis] arrived in Bluffdale at the site of the future data center, a flat, unpaved runway on a little-used part of Camp Williams, a National Guard training site. There, in a white tent set up for the occasion, Inglis joined Harvey Davis, the agency’s associate director for installations and logistics, and Utah senator Orrin Hatch, along with a few generals and politicians in a surreal ceremony. Standing in an odd wooden sandbox and holding gold-painted shovels, they made awkward jabs at the sand and thus officially broke ground on what the local media had simply dubbed “the spy center.” Hoping for some details on what was about to be built, reporters turned to one of the invited guests, Lane Beattie of the Salt Lake Chamber of Commerce. Did he have any idea of the purpose behind the new facility in his backyard? “Absolutely not,” he said with a self-conscious half laugh. “Nor do I want them spying on me.”

For his part, Inglis simply engaged in a bit of double-talk, emphasizing the least threatening aspect of the center: “It’s a state-of-the-art facility designed to support the intelligence community in its mission to, in turn, enable and protect the nation’s cybersecurity.” While cybersecurity will certainly be among the areas focused on in Bluffdale, what is collected, how it’s collected, and what is done with the material are far more important issues. Battling hackers makes for a nice cover—it’s easy to explain, and who could be against it? [my emphasis]

Inglis used hackers as cover for a spying facility that would collect and decrypt “all forms of communication, including the complete contents of private emails, cell phone calls, and Google searches, as well as all sorts of personal data trails—parking receipts, travel itineraries, bookstore purchases, and other digital ‘pocket litter’.” That is, Inglis used the threat of hackers to cover up for the fact that the government was spying on everyone.

Mind you, this was back in January 2011–before Anonymous threatened to take the Toobz down at a time when a key Anonymous hacker was being run by the FBI. Indeed, Inglis used hackers as his excuse for collecting massive amounts of data on everyone in the thick of the WikiLeaks excitement.

Nevertheless, Bamford describes Inglis publicly misleading about the centrality of hackers in the purpose of the bottomless pit when in fact the purpose is far broader. Particularly given the FBI’s recently exposed role running hackers, Inglis’ “double-talk” raises real questions about all the fear-mongering about hackers.


Operation Buckshot Yankee and WikiLeaks

By:  Saturday December 10, 2011 9:37 am

Ellen Nakashima had a long article on Thursday using the 2008 thumb drive infection of DOD’s networks (including, she mentions in passing, the top-secret JWICS system) to describe the evolution of our approach to cybersecurity.

The whole thing is worth a close reading. But I’m particularly interested (as always) in reading it with WikiLeaks in mind. As Nakashima notes after describing the supposedly stringent response to the 2008 infection, which included “banning” thumb drives, Bradley Manning is suspected of downloading entire databases via the same means, removable media.

As the NSA worked to neutralize Agent.btz on its government computers, Strategic Command, which oversees deterrence strategy for nuclear weapons, space and cyberspace, raised the military’s information security threat level. A few weeks later, in November, an order went out banning the use of thumb drives across the Defense Department worldwide. It was the most controversial order of the operation.

Agent.btz had spread widely among military computers around the world, especially in Iraq and Afghanistan, creating the potential for major losses of intelligence. Yet the ban generated backlash among officers in the field, many of whom relied on the drives to download combat imagery or share after-action reports.

[snip]

The ban on thumb drives has been partially lifted because other security measures have been put in place.

Continue reading


Anglo-Americans at Cyberwar: Two Weeks of Cupcakes

By:  Saturday June 11, 2011 10:06 am

I’ve been meaning to return to this Ellen Nakashima story on our cyberwar efforts. As you recall, it lays out the turf war between the CIA and DOD over clandestine cyberops, partly by telling the story a fight over whether or not to disrupt the jihadist online magazine “Inspire.”

Last year, for instance, U.S. intelligence officials learned of plans by an al-Qaeda affiliate to publish an online jihadist magazine in English called Inspire, according to numerous current and senior U.S. officials. And to some of those skilled in the emerging new world of cyber-warfare, Inspire seemed a natural target.

The head of the newly formed U.S. Cyber Command, Gen. Keith Alexander, argued that blocking the magazine was a legitimate counterterrorism target and would help protect U.S. troops overseas. But the CIA pushed back, arguing that it would expose sources and methods and disrupt an important source of intelligence. The proposal also rekindled a long-standing interagency struggle over whether disrupting a terrorist Web site overseas was a traditional military activity or a covert activity — and hence the prerogative of the CIA.

The CIA won out, and the proposal was rejected. But as the debate was underway within the U.S. government, British government cyber-warriors were moving forward with a plan.

When Inspire launched on June 30, the magazine’s cover may have promised an “exclusive interview” with Sheik Abu Basir al-Wahishi, a former aide to Osama bin Laden, and instructions on how to “Make a Bomb in the Kitchen of Your Mom.” But pages 4 through 67 of the otherwise slick magazine, including the bomb-making instructions, were garbled as a result of the British cyber-attack.

It took almost two weeks for al-Qaeda in the Arabian Peninsula to post a corrected version, said Evan Kohlmann, senior partner at Flashpoint Global Partners, which tracks jihadi Web sites.

The Telegraph elaborated on that story by telling of the swell cupcake recipes MI6 replaced the bomb recipe with.

The cyber-warfare operation was launched by MI6 and GCHQ in an attempt to disrupt efforts by al-Qaeda in the Arabian Peninsular to recruit “lone-wolf” terrorists with a new English-language magazine, the Daily Telegraph understands.

When followers tried to download the 67-page colour magazine, instead of instructions about how to “Make a bomb in the Kitchen of your Mom” by “The AQ Chef” they were greeted with garbled computer code.

The code, which had been inserted into the original magazine by the British intelligence hackers, was actually a web page of recipes for “The Best Cupcakes in America” published by the Ellen DeGeneres chat show.

Written by Dulcy Israel and produced by Main Street Cupcakes in Hudson, Ohio, it said “the little cupcake is big again” adding: “Self-contained and satisfying, it summons memories of childhood even as it’s updated for today’s sweet-toothed hipsters.”

It included a recipe for the Mojito Cupcake – “made of white rum cake and draped in vanilla buttercream”- and the Rocky Road Cupcake – “warning: sugar rush ahead!”

By contrast, the original magazine featured a recipe showing how to make a lethal pipe bomb using sugar, match heads and a miniature lightbulb, attached to a timer.

So apparently this operation against Inspire, which had government hackers and their bosses on two continents scheming and in-fighting, succeeded in delaying for two weeks the publication of a bomb recipe that probably existed elsewhere on the Internet already.

With cupcakes.

And these spooks are apparently impressed enough with themselves that they’re boasting about it openly to journalists.

Dudes. Two weeks of cupcakes do not equate to Stuxnet.

I’ve been pondering the apparent self-congratulation over this op ever since I read this story, particularly in light of the seeming similarity between this op and the WikiLeaks hack last year. Do our cyberwarriors consider it a legitimate “win” to simply delay the publication of a transnational internet operation for a week or so? At what cost? And by “cost,” I mean both the tens of millions we’re investing to develop, apparently, the capability to engage in juvenile pranks. And also the cost in credibility as a purported defender of free speech wastes its time harassing, but not preventing, the free speech of groups it doesn’t like.

I mean, there must be more to our cyberwarfare than two weeks of cupcakes, isn’t there?

Of course, there must be, if the CIA was concerned about sources and methods. Presumably, CIA was already monitoring who was reading Inspire. Which–whatever it says about the First Amendment in this country–is probably still a better use of cyberwar time and dollars than two weeks of cupcakes.

Or are we to believe that the Generals think we’re going to win the GWOT by playing cyber-whack-a-mole with a group whose competitive advantage over us is in its nimbleness?


Did Thomas Drake Include Privacy Concerns in His Complaints to DOD’s Inspector General?

By:  Monday May 23, 2011 5:52 am

I’ve been reviewing the docket on Thomas Drake’s case to see whether it touches on the privacy concerns Drake had about NSA’s post-9/11 activities.

It appears it doesn’t, even while there was an ongoing dispute about whether or not Drake will have access to the materials he submitted to the DOD Inspector General in support of claims that the ThinThread program operated more effectively than the Trailblazer program that Michael Hayden chose to enrich SAIC with instead (the Judge ruled that material would be admissible, but not a formal whistleblower defense, which Drake wasn’t trying to do anyway).

There are a couple of reasons why the silence, in the legal filings, about privacy concerns is interesting (aside from the fact that it’s a focus of Jane Mayer’s article.

First, because the two-sentence summary of the conclusion of the DOD IG Report on Trailblazer and ThinThread that the defense provides in a filing doesn’t address privacy.

In 2004, after more than a year of fact-finding, the Inspector General issued its initial audit findings. In a report entitled, “Requirements for the Trailblazer and Thinthread Systems,” the auditors concluded that “the National Security Agency is inefficiently using resources to develop a digital network exploitation system that is not capable of fully exploiting the digital network intelligence available to analysts from the Global Information Network . . . (T)he NSA transformation effort may be developing a less capable long-term digital network exploitation solution that will take longer and cost significantly more to develop.” The NSA continued to support the “less capable” program and its successor.

Which suggests the IG Report may not have addressed the claim that, in addition to being less efficient at “connecting the dots” than ThinThread, Trailblazer also offered none of the privacy protections ThinThread had.

That’s important because the government argued that Drake couldn’t claim to be a whistleblower because, by 2007, the issues at hand were resolved. They’re arguing both that any whistleblower claims would be mooted because Turbulence, Trailblazer’s successor, integrated “significant portions” of ThinThread, and that the debate was “over” by 2007, when Drake was (according to the indictment) serving as a source for Baltimore Sun reporter Siobhan Gorman.

In or about December 2004, the DOD IG completed its audit of [Trailblazer], including the allegations raised in the complaint letter. The NSA responded in August 2004 and February 2005, stating that based on the judgments of NSA’s experienced technical experts, the allegations were unfounded. Nonetheless, NSA agreed to incorporate significant portions of [ThinThread] into [Trailblazer] as a result of the DOD IG recommendations, thus largely mooting the issues raised in the complaint. In addition, starting in late 2005 and early 2006, the NSA transitioned away from [Trailblazer] to [Turbulence], another corporate architecture solution for Signals Intelligence collection.

[snip]

Just as importantly, by 2007, the timeframe of the charges in this case, there was no imminent harm faced by the defendant, because [Trailblazer] had incorporated elements of [ThinThread], and also because NSA had transitioned away from [Trailblazer] to [Turbulence].

[snip]

The defendant’s actions had no impact in the debate regarding the efficacy of [Trailblazer and ThinThread], because NSA had begun transitioning to [Turbulence] by 2006. Put simply, the debate was over.

There’s a lot going on in this passage. Obviously, the government is trying to claim that since Drake was allegedly collecting information for Gorman in 2007, he couldn’t claim he was whistleblowing.

Mind you he was not claiming he was whistleblowing, in the legal sense. He was only trying to get the IG materials to prove that’s why he collected three of the documents he’s accused of willingly keeping; basically, he’s arguing that if he overlooked three documents out of 5 boxes worth originally collected for the IG–and did not retain the really classified materials–that he basically just overlooked the three documents, rather than willfully retained them.

And the government is playing funny with dates. After all, they say Drake served as a source for Gorman from February 27, 2006, to November 28, 2007. The key story about ThinThread Drake served as a source for was dated May 18, 2006. And one of the charges accuses Drake of obstruction for shredding other documents. So not only is the 2007 date bogus because it igonores debates ongoing in 2006, but the government suggests that either Drake would be guilty for illegally retaining information, or obstructing an investigation. Moreover, Drake maintains he inadvertently included the three IG-related documents in the several boxes of unclassified materials, so the fact the debate was over is pointless.

Moreover, the successor to Trailblazer, Turbulence, was suffering from the same management problems Trailblazer had, as the defense notes just after citing the IG Report. The government wants to pretend the shift from Trailblazer to Turbulence ended the complaints about management problems, but it didn’t.

But then there’s the way the government portrays the IG complaint: efficacy. As I laid out the other day, there are four ways, Gorman’s sources claim, that ThinThread was better than Trailblazer:

The program the NSA rejected, called ThinThread, was developed to handle greater volumes of information, partly in expectation of threats surrounding the millennium celebrations. Sources say it bundled together four cutting-edge surveillance tools. ThinThread would have:

* Used more sophisticated methods of sorting through massive phone and e-mail data to identify suspect communications.

* Identified U.S. phone numbers and other communications data and encrypted them to ensure caller privacy.

* Employed an automated auditing system to monitor how analysts handled the information, in order to prevent misuse and improve efficiency.

* Analyzed the data to identify relationships between callers and chronicle their contacts. Only when evidence of a potential threat had been developed would analysts be able to request decryption of the records.

In other words, privacy was just one of three ways ThinThread was better than Trailblazer, according to Gorman’s sources.

But that’s not the aspect the government seems to address. That is, the government seems to be saying that, because Turbulence adopted some of the approaches of ThinThread that made it more efficient at analysis, Drake can’t complain. The suggestion is (though we can’t know because of the secrecy) privacy is not, like efficacy, an adequate reason to blow the whistle. Neither privacy, nor the Constitution.

And that’s interesting for two more reasons. First, because the government references a notebook of documents Drake provided that had nothing to do with the IG Report.

There was, for example, a notebook of documents provided by the defendant, many of which had nothing to do with the IG’s audit, but this notebook was destroyed before the case began, and after the IG completed its audit.

Is it playing games with the scope of the audit? That is, did Drake provide materials on privacy, which the IG didn’t include within the scope of its report? If so, the IG’s destruction of the notebook, in violation of DOD’s document retention policy, is all the more interesting.

Then, finally, the debates about privacy continued into 2007 and 2008. In August 2007, specifically, Mike McConnell nixed a Democratic version of the Protect America Act because it required the government to tell FISA judges what the plan for minimizing US person data is and allowed the judges to review for compliance. Debates on how to fix PAA continued throughout the fall and into the following year, with Russ Feingold and Sheldon Whitehouse both trying to make real improvements on the minimization requirements.

The government seems to want to say that Drake’s privacy concerns aren’t a valid whistleblowing concern. Because, I guess, government officials aren’t allowed to whistleblow about citizens’ rights.