Posts

Adam Schiff Makes Clear FBI Is Using Section 215 Like the 2014 Exception

/19 Comments/in , /by

For months, Congress has been debating the reauthorization of Section 215 of the PATRIOT Act. The House passed a compromise bill before COVID shut-downs really halted everything in Congress, though did so in such a way as to prevent Zoe Lofgren from offering any amendments. After the Senate failed to act, the provision (and two related ones lapsed). Then, a few weeks ago, the Senate passed a version that added an amendment from Mike Lee and Patrick Leahy that strengthened the amicus to the previously passed House bill. But an amendment offered by Ron Wyden and Steve Daines failed by one vote after Tom Carper said that Pelosi had warned him its passage would gut FISA (and after Bernie Sanders and Patty Murray didn’t make it for the vote). The operative language of their amendment read,

(C) An application under paragraph (1) may not seek an order authorizing or requiring the production of internet website browsing information or internet search history information.

Zoe Lofgren and Warren Davidson tried to pass that amendment in the House. Over a weekend of heated negotiations, they limited the Wyden-Daines language to apply just to US persons.

(C) An application under paragraph (1) may not seek an order authorizing or requiring the production of internet website browsing information or internet search history information of United States persons.

At first, Wyden endorsed the Lofgren-Davidson language. Except then Adam Schiff gave Charlie Savage a statement that suggested the amendment would only prevent the government from seeking to obtain Americans’ internet information, not prevent it altogether.

But in his own statement, Mr. Schiff put forward a narrower emphasis. Stressing the continued need to investigate foreign threats, he described the compromise as banning the use of such orders “to seek to obtain” an American’s internet information.

That led Ron Wyden to withdraw his support. Leadership withdrew that amendment from the Rule.

Schiff’s ploy seems to suggest one way the government is using Section 215.

Wyden had previously asked how each of three applications for Section 215 would appear in counts:

  • An order in which an IP address used by multiple people is the target
  • An order collecting all the people who visit a particular website
  • An order collecting all the web browsing and internet searches of a single user

I’ve argued in the past that the FBI wouldn’t go to the trouble of a Section 215 order for a person who was not otherwise targeted, the last bullet. Schiff’s willingness to limit collection to foreigners is consistent with that (because targeting non-US persons has a lower probable cause level), meaning that’s not the function the government is so intent on preserving.

Which leaves Wyden’s IP address used by multiple people and a website, what I have suggested might be VPNs and WikiLeaks. Those are the applications that Schiff (and Pelosi) are going to the mat to protect.

That makes something that happened in 2014 important. That year, FISC permitted the government to remain tasked on a selector under 702 (which can only target foreigners) even after finding that Americans were using the selector, provided the US person content was purged after the fact. Except ODNI made a list of enumerated crimes — virtually all of which exploit the Dark Web — that Section 702 content could be used to prosecute. Richard Burr codified that principle when the law was reauthorized in 2017.

Schiff has invoked the same principle — allowing the FBI to target a URL or IP, and in the name of obtaining foreign intelligence, obtaining the US person activity as well. Because this is not treated as “content,” the government may not be limited to instances where the US person activity is location obscured (though it’s possible this is just about obtaining VPN traffic, and not something like WikiLeaks).

Wyden called the resulting practice (remember, this is status quo), as “dragnet surveillance.”

“It is now clear that there is no agreement with the House Intelligence Committee to enact true protections for Americans’ rights against dragnet collection of online activity, which is why I must oppose this amendment, along with the underlying bill, and urge the House to vote on the original Wyden-Daines amendment,” Wyden said.

So once again — still — the government is using a foreign targeted law to obtain leads of Americans to investigate. That, apparently, is what Pelosi considers the key part of FISA: honey pots to identify Americans to investigate.

Meanwhile, DOJ doesn’t even like the changes Lee and Leahy implemented, falsely claiming that the law — which requires DOJ to meet the standards laid out voluntarily by FBI’s response to the DOJ IG Report — does nothing to address the problems identified by the IG Report.

The Department worked closely with House leaders on both sides of the aisle to draft legislation to reauthorize three national security authorities in the U.S.A. Freedom Act while also imposing reforms to other aspects of FISA designed to address issues identified by the DOJ Inspector General. Although that legislation was approved with a large, bipartisan House majority, the Senate thereafter made significant changes that the Department opposed because they would unacceptably impair our ability to pursue terrorists and spies. We have proposed specific fixes to the most significant problems created by the changes the Senate made. Instead of addressing those issues, the House is now poised to further amend the legislation in a manner that will weaken national security tools while doing nothing to address the abuses identified by the DOJ Inspector General.

Accordingly, the Department opposes the Senate-passed bill in its current form and also opposes the Lofgren amendment in the House. Given the cumulative negative effect of these legislative changes on the Department’s ability to identify and track terrorists and spies, the Department must oppose the legislation now under consideration in the House. If passed, the Attorney General would recommend that the President veto the legislation.

Trump, meanwhile, is opposing the bill because it doesn’t go far enough.

WARRANTLESS SURVEILLANCE OF AMERICANS IS WRONG!

Republicans are inventing reasons to oppose it after supporting it in March.

Back in March, Billy Barr said he could do what he needed to with EO 12333. It’s unclear how he’d coerce providers.

But Schiff’s efforts to defeat Wyden make it clear this is a function designed to identify Americans.

Update: I had thought a current vote was on FISA, but is on China sanctions, so I’ve deleted.

Ron Wyden Hints at How the Intelligence Community Hides Its Web Tracking Under Section 215

/2 Comments/in /by

Ron Wyden had an amendment to Section 215 that would have limited the use of that provision to obtain web traffic information that fell one vote short in the Senate, partly because Nancy Pelosi whipped Tom Carper against it and partly because two Senators (Bernie Sanders and Patty Murray) didn’t get back for a vote. In an effort to resuscitate the amendment in the House under Zoe Lofgren and Warren Davidson’s leadership (which would surely pass if Section 215 got bounced back to the Senate), Ron Wyden released a letter to Ric Grenell trying to force some transparency about how the IC hides the scope of the use of Section 215 to get web search and Internet traffic information.

The letter asks Grenell to explain how Section 215 orders served on IP addresses, rather than email addresses, might get counted in transparency provisions.

How would the government apply the public reporting requirements for Section 215 to web browsing and internet searches? In this context, would the target or “unique identifier” be an IP address?

If the target or “unique identifier” is an IP address, would the government differentiate among multiple individuals using the same IP address, such as family members and roommates using the same Wi-Fi network, or could numerous users appear as a single target or “unique identifier”?

If the government were to collect web browsing information about everyone who visited a particular website, would those visitors be considered targets or “unique identifiers” for purposes of the public reporting? Would the public reporting data capture every internet user whose access to that website was collected by the government?

If the government were to collect web browsing and internet searches associated with a single user, would the public reporting requirement capture the scope of the collection? In other words, how would the public reporting requirement distinguish between the government collecting information about a single visit to a website or a single search by one person and a month or a year of a person’s internet use?

Wyden here lays out three use cases for how the IC might (one should assume does) use Section 215 to get web traffic.

  • An order in which an IP address used by multiple people is the target
  • An order collecting all the people who visit a particular website
  • An order collecting all the web browsing and internet searches of a single user

The government is required to report:

(5)the total number of orders issued pursuant to applications made under section 1861(b)(2)(B) of this title and a good faith estimate of—

(A)the number of targets of such orders; and

(B)the number of unique identifiers used to communicate information collected pursuant to such orders;

Taking each of his three scenarios, here’s what I believe the government would report.

An order in which an IP address used by multiple people is the target

In the first scenario, the government is trying to obtain everyone who “uses” a particular IP address. The scenario laid out by Wyden is a WiFi router used by family or friends, but both because the House Report prohibited such things in 2015 and because DOJ IG has raised questions about targeting everyone who uses a Friends and Family plan, I doubt that’s what the IC really does.

Rather, I suspect this is about VPNs and other servers that facilitate operational security. The government could hypothetically obtain four orders a year getting “VPNs,” requiring providers of each of the 10 major VPNs in the country to provide the IP addresses of all the incoming traffic, which would show the IP addresses of everyone who was using their location obscuring traffic.

In such a case, the targeted VPN IP addresses wouldn’t be communicating information at all. The users would get no information back. Therefore, the IC would only report the number of targets of such orders. If the “target” were defined as VPN, the number would be reported as 4 (for each of the 4 orders); if the “target” were defined as the specific VPN providers, the number of targets would be reported as 10.

The IC would entirely hide the number of individual Americans affected.

An order collecting all the people who visit a particular website

This application would seek to learn who visited a particular website. The classic case would be Inspire magazine, the AQAP propaganda. But I could also see how the IC might want to collect people who visit WikiLeaks’ submission page, or any number of sites that would offer information of interest to foreign spies (even DNI’s report on surveillance collection!). In such a use case, the government might ask not for the information provided to the user, but instead the incoming IP addresses of every request to the website. Again, this would not reflect a communication of information (and certainly not to the end user), so would not be reported under 5B.

If the targets were defined as “AQAP propaganda sites,” Inspire and all its affiliates might be reported as just one target (or might even be counted on a more generalized 215 order targeting AQAP or WikiLeaks, and so not as a unique 215 order at all).

The end users here would, again, not be counted if the collection request deliberately asked for something that did not “communicate information,” though I’m not sure precisely what technical language the government would use to accomplish this.

An order collecting all the web browsing and internet searches of a single user

This use case would ask how a 215 order targeting an individualized target (like Carter Page) shows up in transparency reports. If this were an order served on Google targeting a single account identifier for Google (say, Page’s Gmail account), the government might treat that Gmail identifier as the unique identifier, even though the government was getting information on every time this unique identifier obtained information.

Even in the criminal context, prosecutors don’t always target Google histories (for example, they did not with Joshua Schulte, and so got Google searches going back to before he joined the CIA). In the intelligence context, the FBI is given even more leeway to obtain everything, based off the logic that it’s harder to find clandestine activity.

In other words, Wyden has pointed to three use cases, all of which the IC is surely using, which existing transparency reporting requirements would entirely obscure the impact of.

How the Purpose of the Data Sharing Portal Changed Over the OmniCISA Debate

/2 Comments/in /by

Last year, House Homeland Security Chair Michael McCaul offered up his rear-end to be handed back to him in negotiations leading to the passage of OmniCISA on last year’s omnibus. McCaul was probably the only person who could have objected to such a legislative approach because it deprived him of weighing in as a conferee. While he made noise about doing so, ultimately he capitulated and let the bill go through — and be made less privacy protective — as part of the must-pass budget bill.

Which is why I was so amused by McCaul’s op-ed last week, including passage of OmniCISA among the things he has done to make the country more safe from hacks. Here was a guy, holding his rear-end in his hands, plaintively denying that, by claiming that OmniCISA reinforced his turf.

I was adamant that the recently-enacted Cybersecurity Act include key provisions of my legislation H.R. 1731, the National Cybersecurity Protection Advancement Act. With this law, we now have the ability to be more efficient while protecting both our nation’s public and private networks.

With these new cybersecurity authorities signed into law, the Department of Homeland Security (DHS) will become the sole portal for companies to voluntarily share information with the federal government, while preventing the military and NSA from taking on this role in the future.

With this strengthened information-sharing portal, it is critical that we provide incentives to private companies who voluntarily share known cyber threat indicators with DHS. This is why we included liability protections in the new law to ensure all participants are shielded from the reality of unfounded litigation.

While security is vital, privacy must always be a guiding principle. Before companies can share information with the government, the law requires them to review the information and remove any personally identifiable information (PII) unrelated to cyber threats. Furthermore, the law tasks DHS and the Department of Justice (DOJ) to jointly develop the privacy procedures, which will be informed by the robust existing DHS privacy protocols for information sharing.

[snip]

Given DHS’ clearly defined lead role for cyber information sharing in the Cybersecurity Act of 2015, my Committee and others will hold regular oversight hearings to make certain there is effective implementation of these authorities and to ensure American’s privacy and civil liberties are properly protected.

It is true that under OmniCISA, DHS is currently (that is, on February 1) the sole portal for cyber-sharing. It’s also true that OmniCISA added DHS, along with DOJ, to those in charge of developing privacy protocols. There are also other network defense measures OmniCISA tasked DHS with — though the move of the clearances function, along with the budget OPM had been asking for to do it right but not getting, to DOD earlier in January, the government has apparently adopted a preference for moving its sensitive functions to networks DOD (that is, NSA) will guard rather than DHS. But McCaul’s bold claims really make me wonder about the bureaucratic battles that may well be going on as we speak.

Here’s how I view what actually happened with the passage of OmniCISA. It is heavily influenced by these three Susan Hennessey posts, in which she tried to convince that DHS’ previously existing portal ensured privacy would be protected, but by the end seemed to concede that’s not how it might work out.

  1. CISA in Context: Privacy Protections and the Portal

  2. CISA in Context: The Voluntary Sharing Model and that “Other” Portal

  3. CISA in Context: Government Use and What Really Matters for Civil Liberties

Underlying the entire OmniCISA passage is a question: Why was it necessary? Boosters explained that corporations wouldn’t share willingly without all kinds of immunities, which is surely true, but the same boosters never explained why an info-sharing system was so important when experts were saying it was way down the list of things that could make us safer and similar info-sharing has proven not to be a silver bullet. Similarly, boosters did not explain the value of a system that not only did nothing to require cyber information shared with corporations would be used to protect their networks, but by giving them immunity (in final passage) if they did nothing with information and then got pawned, made it less likely they will use the data. Finally, boosters ignored the ways in which OmniCISA not only creates privacy risks, but also expands new potential vectors of attack or counterintelligence collection for our adversaries.

So why was it necessary, especially given the many obvious ways in which it was not optimally designed to encourage monitoring, sharing, and implementation from network owners? Why was it necessary, aside from the fact that our Congress has become completely unable to demand corporations do anything in the national interest and there was urgency to pass something, anything, no matter how stinky?

Indeed, why was legislation doing anything except creating some but not all these immunities necessary if, as former NSA lawyer Hennessey claimed, the portal laid out in OmniCISA in fact got up and running on October 31, between the time CISA passed the Senate and the time it got weakened significantly and rammed through Congress on December 18?

At long last DHS has publically unveiled its new CISA-sanctioned, civil-liberties-intruding, all-your-personal-data-grabbing, information-sharing uber vacuum. Well, actually, it did so three months ago, right around the time these commentators were speculating about what the system would look like. Yet even as the cleverly-labeled OmniCISA passed into law last month, virtually none of the subsequent commentary took account of the small but important fact that the DHS information sharing portal has been up and running for months.

Hennessey appeared to think this argument was very clever, to suggest that “virtually no” privacy advocates (throughout her series she ignored that opposition came from privacy and security advocates) had talked about DHS’ existing portal. She must not have Googled that claim, because if she had, it would have become clear that privacy (and security) people had discussed DHS’ portal back in August, before the Senate finalized CISA.

Back in July, Al Franken took the comedic step of sending a letter to DHS basically asking, “Say, you’re already running the portal that is being legislated in CISA. What do you think of the legislation in its current form?” And DHS wrote back and noted that the portal being laid out in CISA (and the other sharing permitted under the bill) was different in several key ways from what it was already implementing.

Its concerns included:

  • Because companies could share with other agencies, the bill permitted sharing content with law enforcement. “The authorization to share cyber threat indicators and defensive measures with ‘any other entity or the Federal Government,’ ‘notwithstanding any other provision of law’ could sweep away important privacy protections, particularly the provisions in the Stored Communications Act limiting the disclosure of the content of electronic communications to the government by certain providers.”
  • The bill permitted companies to share more information than that permitted under the existing portal. “Unlike the President’s proposal, the Senate bill includes ‘any other attribute of a cybersecurity threat’ within its definition of cyber threat indicator.”
  • Because the bill required sharing in real time rather than in near-real time, it would mean DHS could not do all the privacy scrubs it was currently doing. “If DHS distributes information that is not scrubbed for privacy concerns, DHS would fail to mitigate and in fact would contribute to the compromise of personally identifiable information by spreading it further.”
  • Sharing in real rather than near-real time also means participants might get overloaded with extraneous information (something that has made existing info-sharing regimes ineffective). “If there is no layer of screening for accuracy, DHS’ customers may receive large amounts of information with dubious value, and may not have the capability to meaningfully digest that information.”
  • The bill put the Attorney General, not DHS, in charge of setting the rules for the portal. “Since sharing cyber threat information with the private sector is primarily within DHS’s mission space, DHS should author the section 3 procedures, in coordination with other entities.”
  • The 90-day implementation timeline was too ambitious; according to DHS, the bill should provide for an 180-day implementation. “The 90-day timeline for DHS’s deployment of a process and capability to receive cyber threat indicators is too ambitious, in light of the need to fully evaluate the requirements pertaining to that capability once legislation passes and build and deploy the technology.”

As noted, that exchange took place in July (most responses to it appeared in August). While a number of amendments addressing DHS’ concerns were proposed in the Senate, I’m aware of only two that got integrated into the bill that passed: an Einstein (that is, federal network monitoring) related request, and DHS got added — along with the Attorney General — in the rules-making function. McCaul mentioned both of those things, along with hailing the “more efficient” sharing that may refer to the real-time versus almost real-time sharing, in his op-ed.

Not only didn’t the Senate respond to most of the concerns DHS raised, as I noted in another post on the portal, the Senate also gave other agencies veto power over DHS’ scrub (this was sort of the quid pro quo of including DHS in the rule-making process, and it was how Ranking Member on the Senate Homeland Security Committee, Tom Carper, got co-opted on the bill), which exacerbated the real versus almost real-time sharing problem.

All that happened by October 27, days before the portal based on Obama’s executive order got fully rolled out. The Senate literally passed changes to the portal as DHS was running it days before it went into full operation.

Meanwhile, one more thing happened: as mandated by the Executive Order underlying the DHS portal, the Privacy and Civil Liberties Oversight Board helped DHS set up its privacy measures. This is, as I understand it, the report Hennessey points to in pointing to all the privacy protections that will make OmniCISA’s elimination of warrant requirements safe.

Helpfully, DHS has released its Privacy Impact Assessment of the AIS portal which provides important technical and structural context. To summarize, the AIS portal ingests and disseminates indicators using—acronym alert!—the Structured Threat Information eXchange (STIX) and Trusted Automated eXchange of Indicator Information (TAXII). Generally speaking, STIX is a standardized language for reporting threat information and TAXII is a standardized method of communicating that information. The technology has many interesting elements worth exploring, but the critical point for legal and privacy analysis is that by setting the STIX TAXII fields in the portal, DHS controls exactly which information can be submitted to the government. If an entity attempts to share information not within the designated portal fields, the data is automatically deleted before reaching DHS.

In other words, the scenario is precisely the reverse of what Hennessey describes: DHS set up a portal, and then the Senate tried to change it in many ways that DHS said, before passage, would weaken the privacy protections in place.

Now, Hennessey does acknowledge some of the ways OmniCISA weakened privacy provisions that were in DHS’ portal. She notes, for example, that the Senate added a veto on DHS’ privacy scrubs, but suggests that, because DHS controls the technical parameters, it will be able to overcome this veto.

At first read, this language would appear to give other federal agencies, including DOD and ODNI, veto power over any privacy protections DHS is unable to automate in real-time. That may be true, but under the statute and in practice DHS controls AIS; specifically, it sets the STIX TAXXI fields. Therefore, DHS holds the ultimate trump card because if that agency believes additional privacy protections that delay real-time receipt are required and is unable to convince fellow federal entities, then DHS is empowered to simply refuse to take in the information in the first place. This operates as a rather elegant check and balance system. DHS cannot arbitrarily impose delays, because it must obtain the consent of other agencies, if other agencies are not reasonable DHS can cut off the information, but DHS must be judicious in exercising that option because it also loses the value of the data in question.

This seems to flip Youngstown on its head, suggesting the characteristics of the portal laid out in an executive order and changed in legislation take precedence over the legislation.

Moreover, while Hennessey does discuss the threat of the other portal — one of the features added in the OmniCISA round with no debate — she puts it in a different post from her discussion of DHS’ purported control over technical intake data (and somehow portrays it as having “emerged from conference with the new possibility of an alternative portal” even though no actual conference took place, which is why McCaul is stuck writing plaintive op-eds while holding his rear-end). This means that, after writing a post talking about how DHS would have the final say on protecting privacy by controlling intake, Hennessey wrote another post that suggested DHS would have to “get it right” or the President would order up a second portal without all the privacy protections that DHS’ portal had in the first place (and which it had already said would be weakened by CISA).

Such a portal would, of course, be subject to all statutory limitations and obligations, including codified privacy protections. But the devil is in the details here; specifically, the details coded into the sharing portal itself. CISA does not obligate that the technical specifications for a future portal be as protective as AIS. This means that it is not just the federal government and private companies who have a stake in DHS getting it right, but privacy advocates as well. The balance of CISA is indeed delicate.

Elsewhere, Hennessey admits that many in government think DHS is a basket-case agency (an opinion I’m not necessarily in disagreement with). So it’s unclear how DHS would retain any leverage over the veto given that exercising such leverage would result in DHS losing this portfolio altogether. There was a portal designed with privacy protections, CISA undermined those protections, and then OmniCISA created yet more bureaucratic leverage that would force DHS to eliminate its privacy protections to keep the overall portfolio.

Plus, OmniCISA did two more things. First, as noted, back in July DHS said it would need 180 days to fully tweak its existing portal to match the one ordered up in CISA. CISA and OmniCISA didn’t care: the bill and the law retained the 90 day turnaround. But in addition, OmniCISA required DHS and the Attorney General develop their interim set of guidelines within 60 days (which as it happened included the Christmas holiday). That 60 deadline is around February 16. The President can’t declare the need for a second portal until after the DHS one gets certified, which has a 90 day deadline (so March 18). But he can give a 30 day notice that’s going to happen beforehand. In other words, the President can determine, after seeing what DHS and AG Lynch come up with in a few weeks, that that’s going to be too privacy restrictive and tell Congress FBI needs to have its own portal, something that did not and would not have passed under regular legislative order.

Finally, as I noted, PCLOB had been involved in setting up the privacy parameters for DHS’ portal, including the report that Hennessey points to as the basis for comfort about OmniCISA’s privacy risk. In final passage of OmniCISA, a PCLOB review of the privacy impact of OmniCISA, which had been included in every single version of the bill, got eliminated.

Hennssey’s seeming admission that’s the eventual likelihood appears over the course of her posts as well. In her first post, she claims,

From a practical standpoint, the government does not want any information—PII or otherwise—that is not necessary to describe or identify a threat. Such information is operationally useless and costly to store and properly handle.

But in explaining the reason for a second portal, she notes that there is (at least) one agency included in OmniCISA sharing that does want more information: FBI.

[T]here are those who fear that awarding liability protection exclusively to sharing through DHS might result in the FBI not getting information critical to the investigation of computer crimes. The merits of the argument are contested but the overall intention of CISA is certainly not to result in the FBI getting less cyber threat information. Hence, the fix.

[snip]

AIS is not configured to receive the full scope of cyber threat information that might be necessary to the investigation of a crime. And while CISA expressly permits sharing with law enforcement – consistent with all applicable laws – for the purposes of opening an investigation, the worry here is that companies that are the victims of hacks will share those threat indicators accepted by AIS, but not undertake additional efforts to lawfully share threat information with an FBI field office in order to actually investigate the crime.

That is, having decided that the existing portal wasn’t good enough because it didn’t offer enough immunities (and because it was too privacy protective), the handful of mostly Republican leaders negotiating OmniCISA outside of normal debate then created the possibility of extending those protections to a completely different kind of information sharing, that of content shared for law enforcement.

In her final post, Hennessey suggests some commentators (hi!!) who might be concerned about FBI’s ability to offer immunity for those who share domestically collected content willingly are “conspiracy-minded” even while she reverts to offering solace in the DHS portal protections that, her series demonstrates, are at great risk of bureaucratic bypass.

But these laws encompass a broad range of computer crimes, fraud, and economic espionage – most controversially the Computer Fraud and Abuse Act (CFAA). Here the technical constraints of the AIS system cut both ways. On one hand, the scope of cyber threat indicators shared through the portal significantly undercuts claims CISA is a mass surveillance bill. Bluntly stated, the information at issue is not of all that much use for the purposes certain privacy-minded – and conspiracy-minded, for that matter – critics allege. Still, the government presumably anticipates using this information in at least some investigations and prosecutions. And not only does CISA seek to move more information to the government – a specific and limited type of information, but more nonetheless – but it also authorizes at least some amount of new sharing.

[snip]

That question ultimately resolves to which STIX TAXII fields DHS decides to open or shut in the portal. So as CISA moves towards implementation, the portal fields – and the privacy interests at stake in the actual information being shared – are where civil liberties talk should start.

To some degree, Hennessey’s ultimate conclusion is one area where privacy (and security) advocates might weigh in. When the government provides Congress the interim guidelines sometime this month, privacy (and security) advocates might have an opportunity to weigh in, if they get a copy of the guidelines. But only the final guidelines are required to be made public.

And by then, it would be too late. Through a series of legislative tactics, some involving actual debate but some of the most important simply slapped onto a must-pass legislation, Congress has authorized the President to let the FBI, effectively, obtain US person content pertaining to Internet-based crimes without a warrant. Even if President Obama chooses not to use that authorization (or obtains enough concessions from DHS not to have to directly), President Trump may not exercise that discretion.

Maybe I am being conspiratorial in watching the legislative changes made to a bill (and to an existing portal) and, absent any other logical explanation for them, concluding those changes are designed to do what they look like they’re designed to do. But it turns out privacy (and security) advocates weren’t conspiratorial enough to prevent this from happening before it was too late.

The Pro-Scrub Language Added to CISA Is Designed to Eliminate DHS’ Scrub

/3 Comments/in /by

I’ve been comparing the Manager’s Amendment (MA) Richard Burr and Dianne Feinstein introduced Wednesday with the old bill.

A key change — one Burr and Feinstein have highlighted in their comments on the floor — is the integration of DHS even more centrally in the process of the data intake process. Just as one example, the MA adds the Secretary of Homeland Security to the process of setting up the procedures about information sharing.

Not later than 60 days after the date of the enactment of this Act, the Attorney General and the Secretary of Homeland Security shall, in coordination with the heads of the appropriate Federal entities, develop and submit to Congress interim policies and procedures relating to the receipt of cyber threat indicators and defensive measures by the Federal Government. [my emphasis]

That change is applied throughout.

But there’s one area where adding more DHS involvement appears to be just a show: where it permits DHS conduct a scrub of the data on intake (as Feinstein described, this was an attempt to integrate Tom Carper’s and Chris Coons’ amendments doing just that).

This is also an issue DHS raised in response to Al Franken’s concerns about how CISA would affect their current intake procedure.

To require sharing in “real time” and “not subject to any delay [or] modification” raises concerns relating to operational analysis and privacy.

First, it is important for the NCCIC to be able to apply a privacy scrub to incoming data, to ensure that personally identifiable information unrelated to a cyber threat has not been included. If DHS distributes information that is not scrubbed for privacy concerns, DHS would fail to mitigate and in fact would contribute to the compromise of personally identifiable information by spreading it further. While DHS aims to conduct a privacy scrub quickly so that data can be shared in close to real time, the language as currently written would complicate efforts to do so. DHS needs to apply business rules, workflows and data labeling (potentially masking data depending on the receiver) to avoid this problem.

Second, customers may receive more information than they are capable of handling, and are likely to receive large amounts of unnecessary information. If there is no layer of screening for accuracy, DHS’ customers may receive large amounts of information with dubious value, and may not have the capability to meaningfully digest that information.

While the current Cybersecurity Information Sharing Act recognizes the need for policies and procedures governing automatic information sharing, those policies and procedures would not effectively mitigate these issues if the requirement to share “not subject to any delay [or] modification” remains.

To ensure automated information sharing works in practice, DHS recommends requiring cyber threat information received by DHS to be provided to other federal agencies in “as close to real time as practicable” and “in accordance with applicable policies and procedures.”

Effectively, DHS explained that if it was required to share data in real time, it would be unable to scrub out unnecessary and potentially burdensome data, and suggested that the “real time” requirement be changed to “as close to real time as practicable.”

But compare DHS’s concerns with the actual language added to the description of the information-sharing portal (the new language is in italics).

(3) REQUIREMENTS CONCERNING POLICIES AND PROCEDURES.—Consistent with the guidelines required by subsection (b), the policies and procedures developed and promulgated under this subsection shall—

(A) ensure that cyber threat indicators shared with the Federal Government by any entity pursuant to section 104(c) through the real-time process described in subsection (c) of this section—

(i) are shared in an automated manner with all of the appropriate Federal entities;

(ii) are only subject to a delay, modification, or other action due to controls established for such real-time process that could impede real-time receipt by all of the appropriate Federal entities when the delay, modification, or other action is due to controls—

(I) agreed upon unanimously by all of the heads of the appropriate Federal entities;

(II) carried out before any of the appropriate Federal entities retains or uses the cyber threat indicators or defensive measures; and

(III) uniformly applied such that each of the appropriate Federal entities is subject to the same delay, modification, or other action; and

This section permits one of the “appropriate Federal agencies” to veto such a scrub. Presumably, the language only exists in the bill because one of the “appropriate Federal agencies” has already vetoed the scrub. NSA (in the guise of “appropriate Federal agency” DOD) would be the one that would scare people, but such a veto would equally as likely to come from FBI (in the guise of “appropriate Federal agency” DOJ), and given Tom Cotton’s efforts to send this data even more quickly to FBI, that’s probably who vetoed it.

If you had any doubts the Intelligence Community is ordering up what it wants in this bill, the language permitting them a veto on privacy protections should alleviate you of those doubts.

On top of NSA and FBI’s veto authority, there’s an intentional logical problem here. DHS is one of the “appropriate Federal agencies,” but DHS is the entity that would presumably do the scrub. Yet if it can’t retain data before any other agency, it’s not clear how it could do a scrub.

In short, this seems designed to lead people to believe there might be a scrub (or rather, that under CISA, DHS would continue to do the privacy scrub they are currently doing, though they are just beginning to do it automatically) when, for several reasons, that also seems to be ruled out by the bill. And ruled out because one “appropriate Federal agency” (like I said, I suspect FBI) plans to veto such a plan.

So it has taken this Manager’s Amendment to explain why we need CISA: to make sure that DHS doesn’t do the privacy scrubs it is currently doing.

I’ll explain in a follow-up post why it would be so important to eliminate DHS’ current scrub on incoming data.

Sheldon Whitehouse’s Horrible CFAA Amendment Gets Pulled — But Will Be Back in Conference

/5 Comments/in /by

As I noted yesterday, Ron Wyden objected to unanimous consent on CISA yesterday because Sheldon Whitehouse’s crappy amendment, which makes the horrible CFAA worse, was going to get a vote. Yesterday, it got amended, but as CDT analyzed, it remains problematic and overbroad.

This afternoon, Whitehouse took to the Senate floor to complain mightily that his amendment had been pulled — presumably it was pulled to get Wyden to withdraw his objections. Whitehouse complained as if this were the first time amendments had not gotten a vote, though that happens all the time with amendments that support civil liberties. He raged about the Masters of the Universe who had pulled his amendment, and suggested a pro-botnet conference had forced the amendment to be pulled, rather than people who have very sound reasons to believe the amendment was badly drafted and dangerously expanded DOJ’s authority.

For all Whitehouse’s complaining, though, it’s likely the amendment is not dead. Tom Carper, who as Ranking Member of the Senate Homeland Security Committee would almost certainly be included in any conference on the bill, rose just after Whitehouse. He said if the provision ends up in the bill, “we will conference, I’m sure, with the House and we will have an opportunity to revisit this, so I just hope you’ll stay in touch with those of us who might be fortunate enough to be a conferee.”

The NSA’s Retroactive Discovery of Tamerlan Tsarnaev

/17 Comments/in , /by

In the days after the Boston Marathon attack last year, NSA made some noise about expanding its domestic surveillance so as to prevent a similar attack.

But in recent days, we’ve gotten a lot of hints that NSA may have just missed Tamerlan Tsarnaev.

Consider the following data points.

First, in a hearing on Wednesday, Intelligence Community Inspector General Charles McCullough suggested that the forensic evidence found after the bombing might have alerted authorities to Tamerlan Tsarnaev’s radicalization.

Senator Tom Carper: If the Russians had not shared their initial tip, would we have had any way to detect Tamerlan’s radicalization?

[McCullough looks lost.]

Carper: If they had not shared their original tip to us, would we have had any way to have detected Tamerlan’s radicalization? What I’m getting at here is just homegrown terrorists and our ability to ferret them out, to understand what’s going on if someone’s being radicalized and what its implications might be for us.

McCullough: Well, the Bureau’s actions stemmed from the memo from the FSB, so that led to everything else in this chain of events here. You’re saying if that memo didn’t exist, would he have turned up some other way? I don’t know. I think, in the classified session, we can talk about some of the post-bombing forensics. What was found, and that sort of thing. And you can see when that radicalization was happening. So I would think that this would have come up, yes, at some point, it would have presented itself to law enforcement and the intelligence community. Possibly not as early as the FSB memo. It didn’t. But I think it would have come up at some point noting what we found post-bombing.

Earlier in the hearing (around 11:50), McCullough described reviewing evidence “that was within the US government’s reach before the bombing, but had not been obtained, accessed, or reviewed until after the bombing” as part of the IG Report on the attack. So some of this evidence was already in government hands (or accessible to it as, for example, GCHQ data might be).

We know some of this evidence not accessed until after the bombing was at NSA, because the IG Report says so. (See page 20)

Screen Shot 2014-04-12 at 12.37.13 PM

That may or may not be the same as the jihadist material Tamerlan posted to YouTube in 2012, which some agency claims could have been identified as Tamerlan even though he used a pseudonym for some of the time he had the account.

The FBI’s analysis was based in part on other government agency information showing that Tsarnaev created a YouTube account on August 17, 2012, and began posting the first of several jihadi-themed videos in approximately October 2012. The FBI’s analysis was based in part on open source research and analysis conducted by other U.S. government agencies shortly after the bombings showing that Tsarnaev’s YouTube account was created with the profile name “Tamerlan Tsarnaev.” After reviewing a draft of this report, the FBI commented that Tsarnaev’s YouTube display name changed from “muazseyfullah” to “Tamerlan Tsarnaev” on or about February 12, 2013, and suggested that therefore Tsarnaev’s YouTube account could not be located using the search term “Tamerlan Tsarnaaev” before that date.20 The DOJ OIG concluded that because another government agency was able to locate Tsarnaev’s YouTube account through open source research shortly after the bombings, the FBI likely would have been able to locate this information through open source research between February 12 and April 15, 2013. The DOJ OIG could not determine whether open source queries prior to that date would have revealed Tsarnaev to be the individual who posted this material.

20 In response to a DOJ OIG request for information supporting this statement, the FBI produced a heavily redacted 3-page excerpt from an unclassified March 19, 2014, EC analyzing information that included information about Tsarnaev’s YouTube account. The unredacted portion of the EC stated that YouTube e-mail messages sent to Tsarnaev’s Google e-mail account were addressed to “muazseyfullah” prior to February 12, 2013, and to “Tamerlan Tsarnaev” beginning on February 14, 2013. The FBI redacted other information in the EC about Tsarnaev’s YouTube and Google e-mail accounts.

The FBI may not have been able to connect “muazseyfullah” with Tamerlan, but that’s precisely what the NSA does with its correlations process; it has a database that does just that (though it’s unclear whether it would have collected this information, especially given that it postdated the domestic Internet dragnet being shut down).

Finally, there’s the matter of the Anwar al-Awlaki propaganda.

An FBI analysis of electronic media showed that the computers used by Tsarnaev contained a substantial amount of jihadist articles and videos, including material written by or associated with U.S.-born radical Islamic cleric Anwar al-Aulaqi. On one such computer, the FBI found at least seven issues of Inspire, an on-line English language magazine created by al-Aulaqi. One issue of this magazine contained an article entitled, “Make a Bomb in the Kitchen of your Mom,” which included instructions for building the explosive devices used in the Boston Marathon bombings.

Information learned through the exploitation of the Tsarnaev’s computers was obtained through a method that may only be used in the course of a full investigation, which the FBI did not open until after the bombings.

The FBI claims they could only find the stuff on Tamerlan’s computer using methods available in full investigations (this makes me wonder whether the FBI uses FISA physical search warrants to remotely search computer hard drives).

But that says nothing about what NSA (or even FBI, back in the day when they had the full time tap on Awlaki, though it’s unclear what kind of monitoring of his content they’ve done since the government killed him) might have gotten via a range of means, including, potentially, upstream searches on the encryption code for Inspire.

In other words, there’s good reason to believe — and the IC IG seems to claim — that the government had the evidence to know that Tamerlan was engaging in a bunch of reprehensible speech before he attacked the Boston Marathon, but they may not have reviewed it.

Let me be clear: it’s one thing to know a young man is engaging in reprehensible but purportedly protected speech, and another to know he’s going to attack a sporting event.

Except that this purportedly protected speech is precisely — almost exactly — the kind of behavior that has led FBI to sic multiple informants and/or undercover officers on other young men, including Adel Daoud and Mohamed Osman Mohamud, even in the absence of a warning from a foreign government.

And they didn’t here.

Part of the issue likely stems from communication failures between FBI and NSA. The IG report notes that “the relationship between the FBI and the NSA” was one of the most relevant relationships for this investigation. Did FBI (and CIA) never tell the NSA of the Russian warning? And clearly they never told NSA of his travel to Russia.

But part of the problem likely stems from the way NSA identifies leads — precisely the triaging process I examined here. That is, NSA is going to do more analysis on someone who communicates with people who are already targeted. Obviously, the ghost of Anwar al-Awlaki is one of the people targeted (though the numbers of young men who have Awlaki’s propaganda is likely huge, making that a rather weak identifier). The more interesting potential target would be William Plotnikov, the Canadian-Russian boxer turned extremist whom Tamerlan allegedly contacted in 2012 (and it may be this communication attempt is what NSA had in its possession but did not access until after the attacks). But I do wonder whether the NSA didn’t prioritize similar targets in countries of greater focus, like Yemen and Somalia.

It’d be nice to know the answer to these questions. It ought to be a central part of the debate over the NSA and its efficacy or lack thereof. But remember, in this case, the NSA was specifically scoped out of the heightened review (as happened after 9/11, which ended up hiding the good deal of warning the NSA had before the attack).

We’ve got a system that triggers on precisely the same kind of speech that Tamerlan Tsarnaev engaged in before he attacked the Marathon. But it didn’t trigger here.

Why not?

Fat Al Gore Menaces the Homeland and Homeland Security Experts Don’t Care

/8 Comments/in , /by

Six days ago, Fat Al Gore (my shorthand for climate change) attacked the Philippines, killing as many 10,000 and leaving 250,000 homeless.

It was Fat Al Gore’s most successful attack thus far.

With Fat Al Gore’s growing success in mind, consider these data points.

Senate Homeland Security Committee doesn’t recognize Fat Al Gore as a threat

The Senate Homeland Security Committee is holding a hearing on “Threats to the Homeland.” It is focused almost entirely on what witnesses describe a dispersed Al Qaeda threat (which doesn’t have the ability to attack in the US), self-radicalized extremists who don’t have the ability to conduct large-scale attacks, and cybersecurity (though Carl Levin did bring up corporate anonymity as a threat, and Republicans brought up Benghazi, which isn’t the “Homeland” at all; also, Ron Johnson leaked that Secret Service officers have proven unable to keep their dick in their pants in 17 countries).

None of the three witnesses even mentioned climate change in their testimony.

Obama’s Chief of Staff threatened to “kill” Steven Chu for admitting islands would disappear because of climate change

Meanwhile, the lead anecdote of this mostly interesting (but in parts obviously bullshit) profile of how Obama disempowered his cabinet ministers tells how Rahm went ballistic because Steven Chu (whose energy initiative created a bunch of jobs) publicly admitted that some islands will disappear because of climate change.

In April 2009, Chu joined Obama’s entourage for one of the administration’s first overseas trips, to Trinidad and Tobago for a Summit of the Americas focused on economic development. Chu was not scheduled to address the media, but reporters kept bugging Josh Earnest, a young staffer, who sheepishly approached his boss, White House press secretary Robert Gibbs, with the ask. “No way,” Gibbs told him.

“Come on,” Earnest said. “The guy came all the way down here. Why don’t we just have him talk about all the stuff he’s doing?”

Gibbs reluctantly assented. Then Chu took the podium to tell the tiny island nation that it might soon, sorry to say, be underwater—which not only insulted the good people of Trinidad and Tobago but also raised the climate issue at a time when the White House wanted the economy, and the economy only, on the front burner. “I think the Caribbean countries face rising oceans, and they face increase in the severity of hurricanes,” Chu said. “This is something that is very, very scary to all of us. … The island states … some of them will disappear.”

Earnest slunk backstage. “OK, we’ll never do that again,” he said as Gibbs glared. A phone rang. It was White House chief of staff Rahm Emanuel calling Messina to snarl, “If you don’t kill [Chu], I’m going to.”

Much later the story notes that Heather Zichal is on her way out too.

Even blue-chip West Wingers such as economic adviser Gene Sperling and climate czar Heather Zichal are heading for the exits.

Washington insiders applaud fracking while ignoring climate change

Meanwhile, also as part of its big new magazine spread, Politico has two related pieces on DC insiders views.

There’s this “Real Game Changers” piece capturing the “big forces they see shaking up U.S. politics.” David Petraeus talks about “the ongoing energy revolution in the U.S.” Jeb Bush promises, “With natural gas as an exponentially growing source, we can re-industrialize.” And while several thinkers describe the problem of economic inequality, only Al Gore talks about Fat Al Gore.

Carbon pollution from burning fossil fuels is changing our climate and transforming our world. From more destructive and more frequent climate-related extreme weather events, floods and droughts, melting ice and rising sea levels, to climate refugees, crop failure, higher asthma rates and water scarcity, the consequences are profound. As citizens, we’re already paying the high costs. Billions of dollars to clean up after extreme weather events. Rising insurance bills. Lives lost.

Meanwhile, former respectable energy historian turned shill Daniel Yergin congratulates America on being almost energy independent.

Here’s his only mention of the word “climate.”

In a major climate speech this past June, he declared, “We should strengthen our position as the top natural gas producer because, in the medium term at least, it not only can provide safe, cheap power, but it can also help reduce our carbon emissions.”

Yes, we’re going to fight climate change by burning carbon (gas) instead of carbon (coal).

To be fair to the DC elite, the reason we’re embracing fracking is to give ourselves space to ditch the terrorist funding Saudis. So there is a real national security purpose to it.

But of course, it’s a purpose that addresses a far less urgent threat than that terrorist Fat Al Gore, who just killed 10,000 people.