This interview Ron Wyden did with Oregon Public Radio includes a lot of what you might expect from him, including an argument that weakening encryption makes us less safe, including possibly exposing kids (because their location gets identified) to pedophiles.
But the most interesting part of this interview are the three times Ron Wyden made it clear, in his inimitable fashion, that someone better ask NSA whether they can decrypt this phone. To me, the interview sounds like this:
Let me tell you what I think is noteworthy here. This is a fight between FBI and Apple. I think it’s noteworthy that nobody has heard from the NSA on this. [around 2:00]
And I want to come back to the fact that the NSA has not been heard from on this and I think that that is noteworthy. [before 7:25]
[After finally being asked what he had heard from NSA] I’m on the intelligence committee, so I’m bound, I take an oath, to not get into classified matters so I’m just going to, uh, leave that there with respect to the NSA. [at 8:30]
We’ve had experts like Susan Landau and Richard Clarke insist that NSA can get into this phone. Jim Comey, in testimony before HJC, sort of dodged by claiming that NSA doesn’t have the ability to get into a phone with this particular configuration.
But Ron Wyden sure seems to think the NSA might have more to say about that.
Golly, I can’t imagine what he thinks the NSA might have to offer about this phone.
I’ve been harping on the Review Group (and Leahy-Sensenbrenner’s) recommendation to end bulk collection with National Security Letters. I’ve also noted the Review Group’s nod to EO 12333 in its use of the phrase “or under any other authority” when recommending limits to Section 702.
So I wanted to draw attention to this language from Tuesday’s Senate Judiciary Committee hearing with the Review Group, in which Chris Coons asks Richard Clarke what other authorities the Review Group had considered. Clarke notes that the phone dragnet provides a small fraction of the data collected.
COONS: The review, if I might, Mr. Clarke, my last question, it looks at two authorities, Section 702 and Section 215. And these are both sections about which there’s been a lot of public debate and discussion.
But the review group also recommends greater government disclosure about these and other surveillance authorities it possesses. But the report, appropriately and understandably, does not itself disclose any additional programs.
What review, if any, did the group make of undisclosed programs or could you at least comment about whether lessons learned from such review is, in fact, reflected in the report?
CLARKE: Well, there was a great deal of metadata collected by the national security letter program. And we do speak to that in the recommendations.
There was also a great deal of communications-related information collected under the executive order 12333.
Public attention is focused on 215, but 215 produces a small percentage of the overall data that’s collected.
That’s consistent with what this post shows — that the US based metadata collection is just a small fraction of a large collection of metadata, and the 12333 collected data is at least partly duplicative of (but not subject to the same protections as) the Section 215 dragnet (and NSLs are subject to even less protection).
But I’m glad to see someone like Clarke echoing the warnings I’ve been giving.
New America Foundation did a study of 225 terrorist plots to try to discern the source of the investigation. There are numerous obvious flaws to the study — many of which stem from the government’s own efforts to obscure the sources of what they do, some of which stem from a lack of awareness about how the government responded to other tips by collecting more NSA intelligence, some of which stem from ignoring the dragnet that existed in illegal form before the FISC-approved one.
With those caveats, NAF finds what has been reported for months: only the Basaaly Moalin’s provision of less than $10,000 to al-Shabaab stemmed from the phone dragnet.
Which provides the WaPo with another opportunity to report this as news. I’ll take it: any little bit helps!
WaPo and NAF also report what I reported 5 months ago: that the government delayed 2 months after identifying Moalin’s ties indirectly to Aden Ayro before wiretapping him. Remember, they say they need the dragnet to avoid delays in investigation.
Perhaps the most interesting part of WaPo’s report on this, though, are Richard Clarke’s comments. As a follow-up on the NSA Review Group’s comment on the risk to quality of life posed by the dragnet, Clarke claims the dragnet would still be too intrusive if it had contributed to every plot.
“Although we might be safer if the government had ready access to a massive storehouse of information about every detail of our lives, the impact of such a program on the quality of life and on individual freedom would simply be too great,” the group’s report said.
Said Clarke: “Even if NSA had solved every one of the [terrorist] cases based on” the phone collection, “we would still have proposed the changes.”
This is actually a fairly stunning comment (and not one, I suspect, Mike Morell, who is also quoted, would support). Even if the dragnet had identified every potential terrorist plot, Clarke says, it would still be too intrusive.
I think the dragnet is plenty intrusive — and I think plenty of the ways it infringes on privacy are those not accounted in NAF’s analysis (such as the use of the dragnet to pick targets for informants or conduct back door searches). Still: to suggest the dragnet would not be worth every single one of these leads?
As part of a section on “Technical Measures to Increase Security and User Confidence,” Recommendation 29 of the NSA Review Group is, in part, the following:
We recommend that, regarding encryption, the US Government should:
(1) fully support and not undermine efforts to create encryption standards;
(2) not in any way subvert, undermine, weaken, or make vulnerable generally available commercial software;
Several paragraphs into this section, the Group with no tech experts asserts,
Upon review, however, we are unaware of any vulnerability created by the US Government in generally available commercial software that puts users at risk of criminal hackers or foreign governments decrypting their data. Moreover, it appears that in the vast majority of generally used, commercially available encryption software, there is no vulnerability, or “backdoor,” that makes it possible for the US Government or anyone else to achieve unauthorized access.
This appears to be based on an Appendix provided by NSA addressing the reliability of certain encryption systems. I’m not competent to assess the claims or comprehensiveness of that presentation and eagerly await some reviews of this report from the tech experts. [Update: William Ockham notes the Appendix doesn’t include the standard NSA is accused of weakening.]
The very next paragraph, with bullet points, reads,
Nonetheless, it is important to take strong steps to enhance trust in this basic underpinning of information technology. Recommendation 32 is designed to describe those steps. The central point is that trust in encryption standards, and in the resulting software, must be maintained. Although NSA has made clear that it has not and is not now doing the activities listed below, the US Government should make it clear that:
- NSA will not engineer vulnerabilities into the encryption algorithms that guard global commerce;
- The United States will not provide competitive advantage to US firms by the provision to those corporations of industrial espionage;
- NSA will not demand changes in any product by any vendor for the purpose of undermining the security or integrity of the product, or to ease NSA’s clandestine collection of information by users of the product; and
- NSA will not hold encrypted communication as a way to avoid retention limits.
I consider myself a bit of an aficionado in NSA claims, and I can only think of one place where they’ve made even some of these claims, sort of: the obviously bogus talking points NSA sent home at Thanksgiving. That document made a similar caveated comment about industrial espionage and assured that NSA will not demand changes by any vendor, noting it did not have the authority to do so. I pointed out some of the loopholes to those claims here.
I don’t think they have said anything about engineering vulnerabilities into encryption standards; in any case, the allegation was that they inserted vulnerabilities into certain standards through persuasion, not engineering. Besides, ODNI General Counsel Robert Litt has stated explicitly (and not all that surprisingly) that cracking encryption is their job.
Finally, I don’t think the NSA has ever addressed the fact that their minimization standards clearly allow them to keep encrypted communication forever. They like to lie about that one instead. To place in their mouth a claim that they won’t do so to get around retention limits (particularly followed, as it is, by a recommendation for how not to do this) is thin comfort coming from an agency that considers encryption possible evidence of terrorism.
I doubt this assertion that NSA doesn’t try to weaken encryption is fooling anyone. Indeed, it appears less than 30 pages after the Report states, in justifying moving Information Assurance out of NSA,
When the offensive personnel find some way into a communications device, software system, or network, they may be reluctant to have a patch that blocks their own access.
So it’s hard to treat this entire passage as anything else but the “strong step to enhance trust” they say is necessary within it.
The NSA Review Group makes worthwhile recommendations on a reorganization of NSA–the most aggressive one of which — to split the DIRNSA from the CyberCommand position — Obama already pre-empted. Moving Information Assurance out of NSA would also create a champion for privacy, albeit a hopelessly weak one (they even state it should be moved to DHS, but Congress would never agree to do so).
But ultimately on this and some other cybersecurity related issues (including its toothless recommendation on Zero Days that immediately follows this section), the Report serves only to pretend the US doesn’t engage in weakening security as part of its offensive attacks using the Internet.
Update: Oh, as to that Appendix that doesn’t include the standard everyone has been worried about? Someone’s just found a fatal bug in the standard.
An advisory published Thursday warns that a “FIPS module” of the widely used OpenSSL library contained a “fatal bug” in its implementation of Dual EC_DRBG. Credible doubts about the trustworthiness of the deterministic random bit generator surfaced almost immediately after National Security Agency (NSA) officials shepherded it through an international standards body in 2006. In September, those fears were rekindled when The New York Times reported the algorithm may contain an NSA-engineered backdoor that makes it easier for government spies to decode encrypted communications.
The fatal Dual EC_DRBG bug resides in the FIPS Object Module v2.0, an optional OpenSSL library used to build crypto apps that are certified by the US government’s Federal Information Processing Standards. When using the module’s implementation of Dual EC_DRBG, the application crashes and can’t be recovered. That’s an amazing discovery for an application that had to undergo countless hours of testing to be certified by the government of the world’s most powerful country.
As you have likely heard by now, a former FBI agent has agreed to plead guilty to leaking material about the second underwear bomb attempt to reporters in May of 2012. Charlie Savage of the New York Times has the primary rundown:
A former Federal Bureau of Investigation agent has agreed to plead guilty to leaking classified information to The Associated Press about a foiled bomb plot in Yemen last year, the Justice Department announced on Monday. Federal investigators said they identified him after obtaining phone logs of Associated Press reporters.
The retired agent, a former bomb technician named Donald Sachtleben, has agreed to serve 43 months in prison, the Justice Department said. The case brings to eight the number of leak-related prosecutions brought under President Obama’s administration; under all previous presidents, there were three such cases.
“This prosecution demonstrates our deep resolve to hold accountable anyone who would violate their solemn duty to protect our nation’s secrets and to prevent future, potentially devastating leaks by those who would wantonly ignore their obligations to safeguard classified information,” said Ronald C. Machen Jr., the United States attorney for the District of Columbia, who was assigned to lead the investigation by Attorney General Eric H. Holder Jr.
In a twist, Mr. Sachtleben, 55, of Carmel, Ind., was already the subject of a separate F.B.I. investigation for distributing child pornography, and has separately agreed to plead guilty in that matter and serve 97 months. His total sentence for both sets of offenses, should the plea deal be accepted by a judge, is 140 months.
Here is the DOJ Press Release on the case.
So Sachtleben is the leaker, he’s going to plead guilty and this all has a nice beautiful bow on it! Yay! Except that there are several troubling issues presented by all this tidy wonderful case wrap up.
First off, the information on the leak charges refers only to “Reporter A”, “Reporter A’s news organization” and “another reporter from Reporter A’s news organization”. Now while the DOJ may be coy about the identities, it has long been clear that the “news organization” is the AP and “Reporter A” and “another reporter” are AP national security reporters Matt Apuzzo and Adam Goldman (I’d hazard a guess probably in that order) and the subject article for the leak is this AP report from May 7, 2012.
What is notable about who the reporters are, and which story is involved, is that this is the exact matter that was the subject of the infamous AP phone records subpoenas that were incredibly broad – over 20 business and personal phone lines. These subpoenas, along with those in the US v. Steven Kim case collected against James Rosen and Fox News, caused a major uproar about the sanctity of First Amendment press and government intrusion thereon.
The issue here is that Attorney General Eric Holder and the DOJ, as a result of the uproar over the Continue reading
Spencer Ackerman has a review of how the first two meetings of Obama’s Non-Tech Tech Review panel have gone. And while they went about as horribly as I suspected — certainly there was no talk of actually fixing obvious problems with the dragnet — there are a few details that show how “most exceptional” this effort is.
The White House, having taken pains to pretend James Clapper is not in charge of the Director of National Intelligence Review Group on Intelligence and Communications Technologies, referred comment to James Clapper.
The White House deferred comment to the Office of the Director of National Intelligence, which did not respond.
The Non-Tech Tech Review Panel comes with a kiddie table — or rather, a conference room almost two miles away from the White House, where the tech giants got to eat.
During its first round of meetings, the panel, known as the Review Group on Intelligence and Communications Technology, separated two groups of outside advisers. One group included civil libertarian organizations such as the ACLU and the Electronic Privacy Information Center. It met in a conference room on K and 20th Streets. Morrell and Clarke did not attend.
The other, which met in the White House Conference Center, included technology companies that have participated – sometimes uneasily and at court behest – in NSA surveillance. All five panel members participated.
I’m not surprised the CIA’s representative on the Committee to Make You Love the Dragnet refused to be seen at the kiddie table with civil libertarians. But Richard Clarke?
Finally, the tech companies appear not to have sent tech experts.
The meeting itself struck [New America Foundation VP Sascha] Meinrath as bizarre. Representatives from the technology firms were identified around the table not by their names, but by placards listing their employers. There was minimal technical discussion of surveillance mechanisms despite the presence of technology companies; Meinrath took the representatives to be lawyers, not technologists.
When it appeared like the meeting would discuss a surveillance issue in a sophisticated way, participants and commissioners suggested it be done in a classified meeting.
Apparently, Cass Sunstein didn’t even have to get caught proposing weird conspiracy theories to make this thing a laughingstock.
A number of people are asking why I’m so shocked that President Obama appointed no technologists for his NSA Review Committee.
Here are three issues that should be central to the Committee’s discussions that are, in significant part, technology questions. There are more. But for each of these questions, the discussion should not be whether the Intelligence Community thinks the current solution is the best or only one, but whether it is an appropriate choice given privacy implications and other concerns.
There are just three really obvious issues that should be reviewed by the committee. And for all of them, it would be really useful for someone with the technical background to challenge NSA’s claims to be on the committee.
Whether the Intelligence Community can accomplish the goals of the Section 215 dragnet without collecting all US person metadata
One of the most contentious NSA practices — at least as far as most Americans go — is the collection of all US person phone metadata for the Section 215 dragnet. Yet even Keith Alexander has admitted — here in an exchange with Adam Schiff in a House Intelligence Committee hearing on June 18 — that it would be feasible to do it via other means, though perhaps not as easy.
REP. SCHIFF: General Alexander, I want to ask you — I raised this in closed session, but I’d like to raise it publicly as well — what are the prospects for changing the program such that, rather than the government acquiring the vast amounts of metadata, the telecommunications companies retain the metadata, and then only on those 300 or so occasions where it needs to be queried, you’re querying the telecommunications providers for whether they have those business records related to a reasonable, articulable suspicion of a foreign terrorist connection?
In addition to the four people ABC earlier reported would be part of Obama’s Committee to Learn to Trust the Dragnet, Obama added … another law professor, Geoffrey Stone. (Stone is [see update], along with Swire, a worthwhile member. But not a technologist.)
What’s fucking crazy about the committee is it has zero technologists to review a topic that is highly technical. Obama implicitly admits as much! He sells this committee for their “immense experience in national security, intelligence, oversight, privacy and civil liberties.” National security, intelligence, oversight, privacy, civil liberties. No technology.
On August 9, President Obama called for a high-level group of experts to review our intelligence and communications technologies. Today the President met with the members of this group: Richard Clarke, Michael Morell, Geoffrey Stone, Cass Sunstein and Peter Swire.
These individuals bring to the task immense experience in national security, intelligence, oversight, privacy and civil liberties. The Review Group will bring a range of experience and perspectives to bear to advise the President on how, in light of advancements in technology, the United States can employ its technical collection capabilities in a way that optimally protects our national security and advances our foreign policy while respecting our commitment to privacy and civil liberties, recognizing our need to maintain the public trust, and reducing the risk of unauthorized disclosure.
The President thanked the Members of the Group for taking on this important task and looks forward to hearing from them as their work proceeds. Within 60 days of beginning their work, the Review Group will brief their interim findings to the President through the Director of National Intelligence, and the Review Group will provide a final report and recommendations to the President. [my emphasis]
So in spite of the fact that the White House highlights technology in its mandate, that didn’t lead them to find even a single technologist.
Also: Cass Sunstein.
Also: the Committee does, in fact, report its findings through James Clapper, the guy whose programs they will review, they guy who lied to Congress.
At least the White House isn’t promising — as Obama originally did — that it will be an “outside” “independent” committee.
Update: Egads. I take back what I said about Stone, who said this in June.
[W]hat should Edward Snowden have done? Probably, he should have presented his concerns to senior, responsible members of Congress. But the one thing he most certainly should not have done is to decide on the basis of his own ill-informed, arrogant and amateurish judgment that he knows better than everyone else in government how best to serve the national interest. The rule of law matters, and no one gave Edward Snowden the authority to make that decision for the nation. His conduct was more than unacceptable; it was criminal.
ABC reports that, along with former CIA Deputy Director Mike Morell, former Homeland Security Czar Richard Clarke, and former Obama special assistant for economic policy Peter Swire, the White House (or James Clapper — who knows at this point) has picked Cass Sunstein for its Review Committee on NSA programs.
Frankly, a lot of people are investing misplaced confidence that Richard Clarke will make this committee useful. While he’s good on a lot of issues, he’s as hawkish on cybersecurity as anyone else in this country. And as I keep pointing out, these programs are really about cybersecurity. Richard Clarke is not going to do a damned thing to rein in a program that increasingly serves to surveil US Internet data to protect against cyberthreats.
But Sunstein? Really?
As Glenn Greenwald (yeah — that Glenn; did they really think no one would raise this point?) reported back in 2010, Sunstein wrote a paper in 2008 advocating very creepy stealth measures against “conspiracy theories.”
In 2008, while at Harvard Law School, Sunstein co-wrote a truly pernicious paper proposing that the U.S. Government employ teams of covert agents and pseudo-”independent” advocates to “cognitively infiltrate” online groups and websites — as well as other activist groups — which advocate views that Sunstein deems “false conspiracy theories” about the Government. This would be designed to increase citizens’ faith in government officials and undermine the credibility of conspiracists. The paper’s abstract can be read, and the full paper downloaded, here.
Sunstein advocates that the Government’s stealth infiltration should be accomplished by sending covert agents into “chat rooms, online social networks, or even real-space groups.” He also proposes that the Government make secret payments to so-called “independent” credible voices to bolster the Government’s messaging (on the ground that those who don’t believe government sources will be more inclined to listen to those who appear independent while secretly acting on behalf of the Government). This program would target those advocating false “conspiracy theories,” which they define to mean: “an attempt to explain an event or practice by reference to the machinations of powerful people, who have also managed to conceal their role.”
And remember, a big mandate for this committee is not to review the programs to see if we can make them more privacy-protective, but simply to increase our trust in them. Which goes to the core of what Sunstein was talking about in his paper: using covert government propaganda to, in this case, better sell covert government spying.
Well, if Obama and Clapper’s rollout hadn’t already discredited this committee, Sunstein’s selection sure does.
In what may be one of those stories telegraphing investigative details between people being investigated, the WaPo updates the StuxNet investigation.
Prosecutors are pursuing “everybody — at pretty high levels, too,” said one person familiar with the investigation. “There are many people who’ve been contacted from different agencies.”
The FBI and prosecutors have interviewed several current and former senior government officials in connection with the disclosures, sometimes confronting them with evidence of contact with journalists, according to people familiar with the probe.
Here’s the detail everyone is focusing on (and I’ve seen similar claims on reporting of other leak investigations).
Investigators, they said, have conducted extensive analysis of the e-mail accounts and phone records of current and former government officials in a search for links to journalists.
Former prosecutors said these investigations typically begin by compiling a list of people with access to the classified information. When government officials attend classified briefings or examine classified documents in secure facilities, they must sign a log, and these records can provide an initial road map for investigators.
Former prosecutors said investigators run sophisticated software to identify names, key words and phrases embedded in e-mails and other communications, including text messages, which could lead them to suspects.
The FBI also looks at officials’ phone records — who called whom, when, for how long. Once they have evidence of contact between officials and a particular journalist, investigators can seek a warrant to examine private e-mail accounts and phone records, including text messages, former prosecutors said.
Prosecutors and the FBI can examine government e-mail accounts and government-issued devices, including cellphones, without a warrant. They can also look at private e-mail accounts without a warrant if those accounts were accessed on government computers. [my emphasis]
This description may well be how the government is conducting the StuxNet (and the UndieBomb 2.0 investigation, which the article also describes).
But if WaPo is relying solely on former prosecutors, this description may be totally outdated.
After all–as I’ve reported repeatedly in the past–the 2011 update of FBI’s Domestic Investigations and Operations Guide permits using National Security Letters to get journalists’ contacts in National Security investigations (as all of these would be).
A heavily-redacted section (PDF 166) suggests that in investigations with a national security nexus (so international terrorism or espionage, as many leak cases have been treated) DOJ need not comply with existing restrictions requiring Attorney General approval before getting the phone records of a journalist. The reason? Because NSLs aren’t subpoenas, and that restriction only applies to subpoenas.
Department of Justice policy with regard to the issuances of subpoenas for telephone toll records of members of the news media is found at 28 C.F.R. § 50.10. The regulation concerns only grand jury subpoenas, not National Security Letters (NSLs) or administrative subpoenas. (The regulation requires Attorney General approval prior to the issuance of a grand jury subpoena for telephone toll records of a member of the news media, and when such a subpoena is issued, notice must be given to the news media either before or soon after such records are obtained.) The following approval requirements and specific procedures apply for the issuance of an NSL for telephone toll records of members of the news media or news organizations. [my emphasis]
So DOJ can use NSLs–with no court oversight–to get journalists’ call (and email) records rather than actually getting a subpoena.
The section includes four different approval requirement scenarios for issuing such NSLs, almost all of which are redacted. Though one only partly redacted passage makes it clear there are some circumstances where the approval process is the same as for anyone else DOJ wants to get an NSL on:
If the NSL is seeking telephone toll records of an individual who is a member of the news media or news organization [2 lines redacted] there are no additional approval requirements other than those set out in DIOG Section 126.96.36.199.3 [half line redacted]
And the section on NSL use (see PDF 100) makes it clear that a long list of people can approve such NSLs:
- Deputy Director
- Executive Assistant Director
- Associate EAD for the National Security Branch
- Assistant Directors and all DADs for CT/CD/Cyber
- General Counsel
- Deputy General Counsel for the National Security Law Branch
- Assistant Directors in Charge in NY, Washington Field Office, and LA
- All Special Agents in Charge
In other words, while DOJ does seem to offer members of the news media–which is itself a somewhat limited group–some protection from subpoena, it also seems to include loopholes for precisely the kinds of cases, like leaks, where source protection is so important.
In other words, this story about starting with the sign-in logs of people who’ve been briefed on a particular topic, then gather call records of those officials?
That may be what happened.
Or it may work the other way, with the government identifying a story it doesn’t like and then using call records to trace back from there to the potential sources of the story.
This curious phrasing would support the latter scenario.
[DC US Attorney Ronald] Machen is examining a leak to the Associated Press that a double agent inside al-Qaeda’s affiliate in Yemen allowed the United States and Saudi Arabia to disrupt the plot to bomb an airliner using explosives and a detonation system that could evade airport security checks.
The AP, after all, didn’t report that UndieBomb 2.0 was actually a sting set up by a Saudi-run infiltrator (and their reporting, at least, suggested they didn’t know UndieBomber 2.0 was an informant). John Brennan and Richard Clarke told that story. And yet WaPo describes the investigation as focusing on the AP part of the story, not the more damning part about an infiltrator.
If and when John Brennan goes unpunished for revealing the most damning part of this story, it’ll become increasingly clear: not only is the government starting with the journalists’ phone and email contacts, but it is doing so with journalists it might otherwise want to silence.