emptywheel


The “Torture Works” Story

After Adam Goldman exposed the identity of Jihadi John, ISIL’s executioner, as Mohammed Emwazi, it set off an interesting response in Britain. CagePrisoners — the advocacy organization for detainees — revealed details of how MI5 had tried to recruit Emwazi and, when he refused, had repeatedly harassed him and his family and prevented him from working a job in Kuwait (where he was born).

While that certainly doesn’t excuse beheadings, it does raise questions about how the intelligence services track those they have identified as potential recruits and/or threats.

And seemingly in response to those questions, the former head of MI6 has come forward to say that torture has worked in a ticking time bomb scenario — that of the toner cartridge plot in 2010.

In his first interview since stepping down from Secret Intelligence Service in January, Sir John Sawers told the BBC yesterday that torture “does produce intelligence” and security services “set aside the use of torture… because it is against the values” of British society, not because it doesn’t work in the short term. Sir John defended the security services against accusations they had played a role in the radicalising of British Muslims, including Mohammed Emwazi, who it is claimed is the extremist responsible for the murder of hostages in Syria.

The IoS can reveal details of a dramatic “Jack Bauer real-time operation” to foil an al-Qaeda plot to bring down two airliners in 2010. According to a well-placed intelligence source, the discovery of a printer cartridge bomb on a UPS cargo aircraft at East Midlands airport was possible only because two British government officials in Saudi Arabia were in “immediate communication” with a team reportedly using torture to interrogate an al-Qaeda operative as part of “ticking bomb scenario” operation.

The terror plot was to use cartridge bombs to bring down two aircraft over the eastern United States. However, British authorities intercepted the first device at the cargo airport hub after what they described as a “tip-off” from Saudi Arabia. A second device was intercepted aboard a freight plane in Dubai; both aircraft had started their trips in Yemen.

The IoS understands there was a frantic search prompted by “two or three” calls to Saudi Arabia after the tip-off, with security services battling to find the device. French security sources revealed the device was within 17 minutes of detonating when bomb disposal teams disarmed it.

One intelligence source said: “The people in London went back on the phone two or three times to where the interrogation was taking place in Riyadh to find out specifically where the bomb was hidden. There were two Britons there, in immediate communication with where the interrogation was taking place, and as soon as anything happened, they were in touch with the UK. It was all done in real time.”

I find this rather interesting for several reasons.

At the time, multiple sources on the Saudi peninsula revealed that authorities learned of this plot — and therefore learned about the bombs — from an apparent double agent (and former Gitmo detainee), Jabir al-Fayfi, who had left AQAP and alerted the Saudis to the plot. If so, it would mean what was learned from torture (if this account can be trusted) was the precise location of the explosives in planes that boxes that had already been isolated. I’m not certain, but that may mean this “success” prevented nothing more than an explosion in a controlled situation, because it had already been tipped by a double agent who presumably didn’t need to be tortured to share the information he had been sent in to obtain.

That is, the story, as provided, may be overblown.

Or it may be referring to torture that happened in a different place and time, as part of an effort to “recruit” al-Fayfi.

But I’m interested in it for further reasons.

The toner cartridge story significantly resembles the UndieBomb 2.0 plot, which was not only tipped by a double agent, but propagated by it (indeed, I recently raised questions about whether leaks about both were part of the same investigation). But in that case, the double agent came not via Gitmo and Saudi “deradicalization,” but via MI5, via a recruitment effort very like what MI5 used with Emwazi.

Indeed, it is not unreasonable to imagine that Emwazi knew that double agent and/or that CagePrisoners has suspicions about who he is.

I have increasingly wondered whether the treatment of a range of people implicated in Yemeni and/or Somali networks (MI5 accused Emwazi of wanting to travel to the latter) derives from the growing awareness, among networks that intelligence services have tried to recruit, of who else might have been recruited.

Which might be one reason to tie all this in with “successful torture” — partly a distraction, partly an attempt to deflect attention from a network that is growing out of control.

Will Verizon Challenge the Government’s Fishy Dragnet?

Tim Edgar has a fascinating post on how the SCOTUS decision in Yates v US — in which a guy busted for throwing away undersized fish was let off because those fish do not constitute a tangible object under the law — might have repercussions for the phone dragnet.

The Supreme Court let Yates off the hook.  Five justices agreed that a fish is not a tangible object.  At first blush, this seems a bit implausible.  Justice Kagan certainly thought so.  Her eloquent dissent cites Dr. Seuss’s One Fish Two Fish Red Fish Blue Fish – for a time, my favorite book – as authority that fish are, indeed, tangible objects.  I expect it is the first use of any book by Dr. Seuss as legal authority in an opinion of the Supreme Court, and I must say that I found it squarely on point, if not ultimately persuasive.

Justice Ginsburg’s opinion for the plurality explains that fish are not tangible objects because “in law as in life . . . the same words, placed in different contexts, sometimes mean different things.”

[snip]

Surprisingly, Yates has real implications for national security surveillance. The NSA’s bulk collection of telephone records is based on section 215 of the Patriot Act, which amended the business records provision of the Foreign Intelligence Surveillance Act (FISA). That provision is titled “Access to certain business records for foreign intelligence and international terrorism investigations.” It allows the government to obtain an order from the FISA court “requiring the production of any tangible things (including books, records, papers, documents, and other items)” in national security investigations.

Does this literally mean “any tangible things,” or is this just a catch-all ensuring that  all types of business records are covered?  While the provision is very broad even if limited to business records or data, until Yates it might have meant literally anything at all.  For example, it might be tempting for the government to use it to obtain, in national security investigations, the kind of physical items that would otherwise have required a physical search order.  As a FISA business records order requires only relevance, and not probable cause, that would be a dangerous loophole.  Yates closes it.

Perhaps more to the point, Yates also weakens the government’s bulk collection theory for telephone records.  While Yates is interpreting a different statute, the logic is clear: the words “any tangible things” should not be read literally.  Instead, they must be read in context, taking account of the words immediately surrounding it, the title of the section, the structure of the law, and its purpose.  Read in this way, it is clear that “tangible things” should not be read to encompass things far afield from the sorts of business records that Congress expected would be sought in national security investigations.

[snip]

Bulk collection is qualitatively, not just quantitatively, different from the sorts of requests for records, documents, or other “tangible things” ordinarily made by government both in law enforcement and intelligence investigations. 

Steve Vladeck made a similar observation on Twitter earlier today, so Edgar is not the only one raising this question.

As it happens, today is dragnet renewal day. Which not only means that some FISC judge will reapprove the dragnet, but that providers will get new Secondary Orders. And — as happened in January 2014, when Verizon challenged an order based on Richard Leon’s decision in Klayman v. Obama — that presents the providers with an opportunity to challenge the order based on new legal developments.

And it’s not just Verizon that has a new opportunity to challenge the government’s fishy dragnets.

I’ve long suspected that the government has, in limited fashion, used Section 215 to obtain DNA material (they have databases of DNA from Gitmo detainees, for example, and I can imagine that they’d love to obtain DNA samples where they exist).

More interestingly, we’ve been talking about the government’s use of Section 215 to obtain Internet data, probably in hacking investigations. If, as a number of people suspect, they’re using it to get data flow records, that may be deemed even further away from common definitions of “tangible things.” And the Internet companies are riled up.

So let’s have it, providers! Some challenges to the fishy dragnet!

Update: In the post announcing the reauthorization (yesterday, actually) of the dragnet, I Con the Record noted that this one expires on June 1. I suppose that’s designed to add pressure on the reauthorization fight.  I think that works out to be a 95 day dragnet.

The Government Continues to Play Hide and Seek with Surveillance Authorities

Last year, I described the effort by Reaz Qadir Khan’s lawyers to make the government list all the surveillance it had used to catch him (which, significantly, would either be targeted off a dead man or go back to the period during which the government used Stellar Wind). In October the government wrote a letter dodging most notice. Earlier this year, Judge Michael Mosman (who happens to also be a FISA judge) deferred the notice issues until late in the CIPA process. Earlier this month, Khan pleaded guilty to accessory to material support for terrorism after the fact.

Another defendant accused of material support, Jamshid Muhtorov, replicated that tactic, demanding notice of all the types of surveillance used against him (his co-defendant, Bakhtiyor Jumaev, joined the motion). The government responded to that motion yesterday.

A comparison of the two responses is instructive.

Part of what the government does in both is to rehearse the notice requirements of a particular statute, stating that in this case the evidence hasn’t met those terms. It does so, we can be certain, whether or not the surveillance has been used. That’s because the government addressed FISA Section 703 notice in the Khan case, and we know the government doesn’t use 703 by itself at all.

The responses the government made in both cases on Section 215 (in which the government said it has no duty to give notice of Section 215 and that a defendant would have neither standing nor a suppression remedy) and on PRTT (in which the government listed 5 criteria, all of which must be met to require notice) were virtually identical.

Which is why I’m interested that the government’s treatment of EO 12333 notice was different (in both cases, there’s good reason to believe EO 12333 surveillance was involved, though in the case of Khan, that would likely include the illegal dragnet).

With Khan, the government remained completely silent about the questions of EO 12333 collection.

Whereas with Muhtorov — who was likely included in the Internet metadata dragnet, but probably not in Stellar Wind — the government argues he would only get notice if Muhtorov could claim evidence used against him in a proceeding was obtained via allegedly illegal electronic surveillance.

Therefore, under circumstances where § 3504 applies, the government would be required to affirm or deny the occurrence of the surveillance only when a defendant makes a colorable claim that evidence is inadmissible because it was “the primary product of” or “obtained by the exploitation of” allegedly unlawful electronic surveillance as to which he is aggrieved.

Then it included a [sealed material redacted] notice.

Which seems tantamount to an admission that EO 12333 data was used to identify Muhtorov, but that in some way his prosecution did not arise from that data as a “primary product.”

Muhtorov was IDed in a chat room alleged to have ties to the Islamic Jihad Union, which I presume though don’t know is hosted overseas. So that may have been EO 12333 surveillance. But it may be that his communications on it were collected via 702 using the Internet dragnet as an index.

Is the government arguing that using a dragnet the FISC declared to be in violation of FISC orders only as a Dewey Decimal system for other surveillance doesn’t really count?

American Hegemony: Delivering “Unpredictable Instability” the World Over

I love Global Threat Hearings and curse you Richard Burr for holding the Senate Intelligence Committee’s hearing in secret.

At least John McCain had the courage to invite James Clapper for what might have been (but weren’t) hard questions in public in front of Senate Armed Services Committee Thursday.

Clapper started with a comment that was not prominent in (though it definitely underscored) his written testimony (Update: Here’s the transcript of his as-delivered statement.)

Unpredictable instability is the new normal. The year 2014 saw the highest rate of political instability since 1992. The most deaths as a result of state-sponsored mass killings since the early 1990s. And the highest number of refugees and internally displaced persons (or IDPs) since World War II. Roughly half of the world’s currently stable countries are at some risk of instability over the next two years.

It’s a damning catalog. All the more so given that the US has been the world’s unquestioned hegemon since that period in the early 1990s when everything has been getting worse, since that period when the first President Bush promised a thousand points of light.

And while the US can’t be held responsible for all the instability in the world right now, it owns a lot of it: serial invasions in the Middle East and the coddling of Israel account for many of the refugees (though there’s no telling what would have happened with the hundred thousand killed and millions of refugees in Syria had the second President Bush not invaded Iraq, had he taken Bashar al-Assad up on an offer to partner against al Qaeda, had we managed the aftermath of the Arab Spring differently).

US-backed neoliberalism and austerity — and the underlying bank crisis that provided the excuse for it — have contributed to instability elsewhere, and probably underlie the instability in those countries that Clapper thinks might grow unstable in the next year.

We’re already seeing instability arising from climate change; the US owns some of the blame for that, and more for squandering its leadership role on foreign adventures rather than pushing a solution to that more urgent problem (Clapper, by the way, thinks climate change is a problem but unlike Obama doesn’t consider it the most serious one).

There are, obviously, a lot of other things going on. Clapper talked admiringly of China’s modernization of its military, driven by domestically developed programs, an obvious development when a country becomes the manufacturing powerhouse of the world. But China’s growing influence comes largely in the wake of, and in part because of, stupid choices the US has made.

There was, predictably, a lot of discussion about cyberthreats, even featuring Senate Intelligence Committee member Angus King arguing we need an offensive threat (we’ve got one — and have been launching pre-emptive strikes for 9 years now — as he would know if he paid attention to briefings or read the Intercept or the New York Times) to deter others from attacking us with cyberweapons.

Almost everyone at the hearing wanted to talk about Iran, without realizing that a peace deal with it would finally take a step towards more stability (until our allies the Saudis start getting belligerent as a result).

Still, even in spite of the fact that Clapper started with this inventory of instability, there seemed zero awareness of what a damning indictment that is for the world’s hegemon. Before we address all these other problems, shouldn’t we focus some analysis on why American hegemony went so badly wrong?

FBI Now Claiming Section 215 (Which Is Different Than the Phone Dragnet) Has a Big Role in Hacking Investigations

Admittedly, after its alarmism on encryption, one should always treat FBI claims about necessary tools skeptically. But I’m interested in the claim, made by FBI’s Assistant Director of its Cyber Division, that the Bureau relies on 215 for computer intrusion investigations.

The FBI’s cyber crime investigations would “obviously” suffer if Congress doesn’t reauthorize Section 215 of the Patriot Act, which allows the FBI to request business records from major companies.

“If that expires, obviously it’s going to impact what we do as an organization and certainly on cyber,” said Joseph Demarest, assistant director of the FBI’s Cyber Division, during a roundtable discussion with reporters Tuesday.

Congress must reauthorize the controversial portion of the law by June 1. Civil liberties advocates argue the 215 program is an invasion of privacy, granting the National Security Agency (NSA) blanket authority to spy on Americans.

But two leaders of the FBI’s digital crime unit said losing the program would reduce the bureau’s effectiveness.

The business records request program based on Section 215 allows the FBI to obtain customer records from places like major telecom companies without going through the public court system.

“We use that in working with, I’ll say major providers,” Demarest said. “And we’re looking at historical records.”

“Not having the ability to use that as a vehicle to obtain that information,” Demarest added, “that’s the problem we face.”

The FBI argues that the 215 program approach allows investigators to go after cyber crooks without tipping their hand to possible accomplices.

Let me interject and note that the reporting on this — and therefore presumably the questions asked at this little eat-the-journalists-for-lunch-event — was atrocious.

The guy in charge of hacking told a group of reporters they rely on Section 215 to investigate hacking. And several of those reporters then reported that he said they needed the phone dragnet.

If true, that would be huge news, because the phone dragnet has pretty tight controls limiting its use to terrorists and Iran. So if the NSA is now also using the phone dragnet to catch hackers, it means the government has blown up the definition of hackers even further than they obviously have.

But it’s unlikely that’s what Demarest meant, though that doesn’t mean his comment, if true, isn’t newsworthy for other reasons.

The reporters claiming the FBI uses the phone dragnet to catch hackers are — as far too many activist organizations do — probably conflating the phone dragnet, a program authorized by Section 215, with Section 215, which authorizes the collection of a lot more things — things like money transfers, explosives precursors, hotel records, probably credit card data, and Internet records – including in what you and I would call bulk, even if Bob Litt would not.

There were roughly 180 Section 215 orders last year. Only 5 of those orders supported the phone dragnet.

I’m guessing, but probably what Demarest was talking about is FBI’s (note, not NSA’s) reliance, since 2009, on Section 215 to collect records from Internet companies. At least during 2011 and 2012, the majority of the Section 215 orders were for Internet records.

We can say a few things about this collection. First, FBI conducted the collection using NSLs until 2009, when publication of an OLC opinion limiting the interpretation of phone records covered by NSLs led the Internet companies to successfully challenge the use of NSLs to collect that data anymore. This collection obtains “electronic communication transaction records,” but for something other than the Internet equivalent of call time and participants (because that’s what the OLC opinion excluded).  These orders are probably fairly programmatic, because it can take 30 to 40 days to obtain a Section 215 order (meaning the FBI would run whatever collection on a set of standing orders, just like they do the phone dragnet). And these collections are probably substantive enough that FISC imposed minimization procedures on the collection.

And, we can now guess (assuming, of course, the FBI isn’t talking out of its arse again) that these collections support cyberinvestigations.

One reason this is important, however, is that it changes the stakes for reauthorization of Section 215. If the FBI considers this mission critical, it means activists should account for this collection when they consider the leverage they have in debates moving forward.

NSA’s Dysfunctional Post-Tasking Checks

I noted this in both my working threads on the NSA, CIA and FBI minimization procedures, but it deserves more attention. Sometime in the last several years, the process by which NSA determines whether something they’ve collected is of a person in the US started going flukey, during certain periods. So now there’s a subset of data that analysts — at NSA, CIA, and FBI — all have to check for foreignness before they use it. That also means there is US person data that has been collected but not properly identified.

All three minimization procedures have a paragraph like this:

In the event that NSA seeks to use any information acquired pursuant to section 702 during a time period when there is uncertainty about the location of the target of the acquisition because the [redacted] post-tasking checks described in NSA’s section 702 targeting procedures, NSA will follow its internal procedures for determining whether such information may be used (including, but not limited to, in FISA applications, section 702 targeting, and disseminations). Except as necessary to assess location under this provision, NSA may not use or disclose any information acquired pursuant to section 702 during such time period unless NSA determines, based on the totality of the circumstances, that the target is reasonably believed to have been located outside the United States at the time the information was acquired. If the NSA determines that the target is reasonably believed to have been located inside the United States at the time the information was acquired, such information will not be used and will be promptly destroyed.

Both the fact that this section appears in the Destruction of Raw Data section in NSA’s SMPs (and not the section dedicated to challenges with upstream collection), and the fact that it appears in both the CIA and FBI SMPs (suggesting this is data they’d be getting in raw format, which they don’t get from upstream collection), suggest that this is general 702 data, not upstream data, where NSA has been known to have had a problem in the past.

The fact that the same paragraph, almost verbatim, shows up in all three places, plus the language about using such data for FISA applications, suggests this language came from or is in the SMPs to keep the FISA Court happy. Indeed, there’s probably a nice FISC opinion that explains how FISC learned that NSA’s targeting process was flawed.

We know this problem was identified sometime between October 2011 and July 2014 because this language doesn’t show up in the 2011 NSA SMPs. There are few things that are identifiable in the Intelligence Oversight Board reports that could be a dysfunction that would merit a FISC order, though there are a number — such as two redacted paragraphs on Systems Errors in the middle of the FISA section of the Q1 2013 report (which covers the last three months of 2012) — that might be such a problem.

Or perhaps the problem is even more recent, meaning it would have been reported in the 2 years of IOB reports we don’t have.

To be sure, it appears FISC has required that all agencies accessing raw data do the kind of location checks that the failed system would otherwise have done. So US person data won’t be used, it’ll just sit in NSA’s (or CIA or FBI’s) servers until it is discovered.

But this is one of a number of examples we see in the IOB reports (the purge process, which was also not working for a while, is another; that seems to have been or is being fixed with the Master Purge List that appears in these SMPs) where the software checks designed to protect Americans failed. That doesn’t indicate any animus or ill-intent. But it does suggest the complexity of this system continues to result in failures that — regardless of intent — also present a privacy risk.

FBI Now Holding Up Michael Horowitz’ Investigation into the DEA

Man, at some point Congress is going to have to declare the FBI legally contemptuous and throw them in jail.

They continue to refuse to cooperate with DOJ’s Inspector General, as they have been for basically 5 years. But in Michael Horowitz’ latest complaint to Congress, he adds a new spin: FBI is not only obstructing his investigation of the FBI’s management impaired surveillance, now FBI is obstructing his investigation of DEA’s management impaired surveillance.

I first reported on DOJ IG’s investigation into DEA’s dragnet databases last April. At that point, the only dragnet we knew about was Hemisphere, which DEA uses to obtain years of phone records as well as location data and other details, before it then parallel constructs that data out of a defendant’s reach.

But since then, we’ve learned of what the government claims to be another database — that used to identify Shantia Hassanshahi in an Iranian sanctions case. After some delay, the government revealed that this was another dragnet, including just international calls. It claims that this database was suspended in September 2013 (around the time Hemisphere became public) and that it is no longer obtaining bulk records for it.

According to the latest installment of Michael Horowitz’ complaints about FBI obstruction, he tried to obtain records on the DEA databases on November 20, 2014 (of note, during the period when the government was still refusing to tell even Judge Rudolph Contreras what the database implicating Hassanshahi was). FBI slow-walked production, but promised to provide everything to Horowitz by February 13, 2015. FBI has decided it has to keep reviewing the emails in question to see if there is grand jury, Title III electronic surveillance, and Fair Credit Reporting Act materials, which are the same categories of stuff FBI has refused in the past. So Horowitz is pointing to the language tied to DOJ’s appropriations for FY 2015 which (basically) defunded FBI obstruction.

Only FBI continues to obstruct.

There’s one more question about this. As noted, this investigation is supposed to be about DEA’s databases. We’ve already seen that FBI uses Hemisphere (when I asked FBI for comment in advance of this February 4, 2014 article on FBI obstinance, Hemisphere was the one thing they refused all comment on). And obviously, FBI accessed another DEA database to go after Hassanshahi.

So that may be the only reason why Horowitz needs the FBI’s cooperation to investigate the DEA’s dragnets.

Plus, assuming FBI is parallel constructing these dragnets just like DEA is, I can understand why they’d want to withhold grand jury information, which would make that clear.

Still, I can’t help but wonder — as I have in the past — whether these dragnets are all connected, a constantly moving shell game.

That might explain why FBI is so intent on obstructing Horowitz again.

Does the FBI STILL Have an Identity Crisis?

I’ve finished up my working threads on the NSA, CIA, and FBI Section 702 minimization procedures. And they suggest that FBI has an identity crisis. Or rather, an inability to describe what it means by “identification of a US person” in unclassified form.

Both the NSA and CIA minimization procedures have some form of this definitional paragraph (this one is NSA’s):

Identification of a United States person means (1) the name, unique title, or address of a United States person; or (2) other personal identifiers of a United States person when appearing in the context of activities conducted by that person or activities conducted by others that are related to that person. A reference to a product by brand name, or manufacturer’s name or the use of a name in a descriptive sense, e.g., “Monroe Doctrine,” is not an identification of a United States person.

Even though the FBI minimization procedures have a definitional section (briefer than NSA’s and CIA’s) and get into when someone counts as a US person from a geographical standpoint, they don’t have the equivalent paragraph on what FBI considers US person identifying information, which is central to minimization procedures.

Now, I might assume that this is just an oversight, something FBI forgot to incorporate as it was writing its own 702 minimization procedures incorporating what NSA has done.

Except that we know the FBI has suffered from this same kind of identity crisis in the past, in an analogous situation. As Glenn Fine described in the 2008 Inspector General Report on Section 215 (the one the successor for which has been stalled for declassification review for over 6 months), the FBI never got around to (and almost certainly still hasn’t gotten around to, except under modifications from the FISA Court) complying with Section 215’s requirement that it adopt minimization procedures specific to Section 215.

One holdup was disagreement over what constituted US person identifying information.

Unresolved issues included the time period for retention of information, definitional issues of “U.S. person identifying information,” and whether to include procedures for addressing material received in response to, but beyond the scope of, the FISA Court order; uploading information into FBI databases; and handling large or sensitive data collections.

(Note, there’s very good reason to believe FBI is still having all these problems, not least because several of them showed up in Michael Horowitz’ NSL IG Report last year.)

One problem Fine pointed out is that the AG Guidelines adopted in lieu of real minimization procedures don’t provide any guidance on when US identifying information is necessary to share.

When we asked how an agent would determine, for example, whether the disclosure of U.S. person identifying information is necessary to understand foreign intelligence or assess its importance, the FBI General Counsel stated that the determination must be made on a case-by-case basis.

While NSA’s 702 SMPs do lay out cases when FBI can and cannot share US person identifying information (those are, in some ways, less permissive than CIA’s sharing guidelines, if you ignore the entire criminal application and FBI’s passive voice when it comes to handling “sensitive” collections), if the guidelines for what counts as PII are not clear — or if they’re expansive enough to exempt (for example) Internet handles such as “emptywheel” that would clearly count as PII under NSA and CIA’s SMPs — then it would mean far more information on Americans can be shared in unminimized form.

And remember, FBI’s sharing rules are already far more lenient than NSA’s, especially with regards to sharing with state, local, and other law enforcement partners.

Call me crazy. But given the FBI’s past problems defining precisely this thing, I suspect they’re still refusing to do so.

Working Thread: 702 Minimization Procedures (NSA and CIA)

NSA

These SMPs have not changed significantly since they were changed in the wake of the 2011 upstream ruling. The exceptions are:

(1) “of information, including non-publicly available information” was added to the first paragraph. This may suggest NSA is also using publicly available information (which you would think they would anyway, if only to integrate public Twitter and other social media) in their analysis.

(1) The third paragraph (which has a counterpart in FBI SMPs) is new. I wonder whether there have been IG access problems in the past, notably when both FBI and NSA did big 702 IG Reports in 2012?

(2) (f) I’ve added this to the FBI SMPs. But NSA and CIA SMPs, unlike FBI ones, include this language defining what identification means. FBI has been dodging this on other issues as well in recent years (including the illusory 215 SMPs), so I suspect its lack of such language suggests FBI’s interpreting it very narrowly.

(2) (j) Some of these paragraphs now marked unclassified, such as this one, were marked S/SI in 2011. Thank you Snowden.

(3) (k)(3) This changes an automatic loss of USP rights if someone loses their resident alien status from the 2011 SMPs.

(3) (b)(1) In 2011, this paragraph specified “in processing cycle” in the earliest practicable point, suggesting it may have gotten moved later.

(4) This takes out a paragraph (formerly paragraph 3) on retaining storage tapes.

(4) (1)(a) The “including metadata” language is newly unredacted, as another reference to obtaining metadata from upstream collection also is.

(5) Throughout, these SMPs (including at (b)(1)) add language about how to deal with upstream transactions, permitting the use of them if they’re targeted and aren’t all USPs.

(6) Paragraph 4 is the other newly unredacted discussion of metadata use.

(7-8) The destruction paragraphs 3 and 4 are both entirely new. The 2011 stuff seems to reflect a decision at the end of 2011 to destroy its upstream USP transactions. The litigation paragraph reflects some other language elsewhere.

(8) Paragraph e has counterparts in the FBI and CIA SMPs, suggesting there was a significant problem with location tracking. Unless I’m mistaken, that doesn’t show up in IOB reports (as, for example, the purge tool does).

(9) There are more strictures in place for deciding to keep domestic communications.

(10) The last (unnumbered) paragraph on the page adds the ability to share target location.

(11) Note the reference to the Master Purge List, which was a big issue in recent years (because it wasn’t functioning the way it was supposed to).


CIA

(1-2) CIA has better repository language than FBI.

(2) Note NCS Director gets to decide to retain things longer than 5 years (though I would assume this would change if Brennan gets his Cyber expansion).

(2) CIA gets to keep unminimized USP data if they “may be a target of intelligence activities of a foreign power.”

(2) As with NSA (though their language is different), the CIA gets to keep USP data if “a United States person has engaged or may be engaging in the unauthorized disclosure of properly classified national security information.” Surely the FBI gets to keep this too, they just describe it differently.

(2) I do believe this USP retention is unique to CIA:

The information concerns corporations or other commercial organizations the deletion of which would hamper the correlation of foreign intelligence information on the same subject;

(3) Amid a slew of USP retention clauses (including one for people who pose a threat of sabotage to any US IC facility, which is problematic), there’s entirely redacted h. My guess is this is about people who facilitate terrorism but who aren’t terrorists (or perhaps who read stuff that is bad).

(3) As with FBI, the metadata paragraph (4a) is fairly broad, and permits copying of all such metadata.

(4) As with FBI, there’s this oblique paragraph (4b) that doesn’t require tracking of queries that don’t get to the underlying FISA data.

(4) CIA, unlike FBI and NSA, explicitly limits the technical database to technical personnel.

(5) CIA has a paragraph like FBI and NSA permitting them to keep data for a year to assess whether they’ve been compromised.

(5) CIA’s Attorney Client paragraph is similar to what FBI’s used to be.

(6) It’s odd that CIA has a long passage on federal translators or technical assistance, whereas NSA has its international one. I’d expect CIA to rely on other governments too (though it does have a foreign govt dissemination section too, of similar length).

(6) Unsurprisingly, CIA has multiple ways to share with foreign governments, all but translation redacted.

(9) Bizarrely, an entire big paragraph is redacted to end the SMPs. It probably deals with USP (or domestically collected) data, by context, but that’s a WAG.

After Failing at the White House, Then Illegally Hacking SSCI, Brennan Wants Cyber

Back during John Brennan’s confirmation process, I noted he got zero questions about cybersecurity, in spite of the fact that that is a big part of the portfolio of the White House Homeland Security Czar (as has been made evident by Lisa Monaco’s central role in the Sony hack response).

Since then, John Brennan permitted his subordinates to hack the email accounts supposedly designated for the Senate Intelligence Committee’s designated use.

Those are both reasons you should be concerned by the news that, as part of a larger “subject matter” reorganization of CIA, Brennan wants to hack.

U.S. officials said Brennan’s plans call for increased use of cyber capabilities in almost every category of operations — whether identifying foreign officials to recruit as CIA informants, confirming the identities of targets of drone strikes or penetrating Internet-savvy adversaries such as the Islamic State.

Several officials said that Brennan’s team has even considered creating a new cyber directorate — a step that would put the agency’s technology experts on equal footing with the operations and analysis branches that have been pillars of the CIA’s organizational structure for decades.

All the more so given that neither all of the Intelligence Committees nor NSA’s leadership knows what Brennan is up to.

Brennan provided only broad outlines of his plan in recent congressional meetings that excluded all but the four highest-ranking members of the House and Senate intelligence panels. A senior U.S. intelligence official said that some senior NSA executives remain in the dark on Brennan’s cyber ambitions.

But then, if all of SSCI knew what Brennan was up to, I guess it’d be harder for him to hack them in the future.
