In one of the hot-take pieces on the Democratic primary many people are talking about today, Jonathan Chait — fresh off being certified as a wonk by Paul Krugman — distinguishes between what he calls Hillary Clinton’s “pluralist” approach and Bernie Sanders’ “statist” vision.
Sanders did not so much dispute the efficacy of Dodd-Frank as to broaden the question. His fixation with Wall Street is not systemic risk — i.e., the chance that another crash will trigger an economic meltdown. He frames Wall Street as a problem of political economy, not economy. Wall Street is so big and rich that it is inherently dangerous, and will by its nature corrupt the political system.
Clinton does not believe that. Her political ideal is what some political scientists have called “pluralism.” A pluralist politics venerates the careful balancing of competing interests. It is okay to bring business to the bargaining table as long as there is also a place for labor, environmentalists, consumer advocates, and other countervailing interests. Clinton’s Democratic Party, and Obama’s, is one in which pluralist agreements struck important progress not only in financial reform but also health care, public investment, green energy, and other priorities.
Sanders does not completely reject the products of these pluralist compromises. (He grudgingly accepts them as worthwhile, piecemeal steps.) What he rejects is the political model that treats pluralism as the normal model of political action. Sanders believes the interest of the public is not divided, it is united, and only the corrupt influence of big business has thwarted it. He consequently vows to smash its power through a combination of a mass upsurge in political activism and campaign-finance reform.
A Democratic Party as monolithically statist as the modern Republican Party is anti-government — one in which any defense of free markets or business is dismissed — would look very different than anything within American historical experience. After decades of this being taken for granted, it has finally become necessary to defend moderation as a governing creed.
Let’s ignore how Chait caricatures Sanders for the moment, warning of an awful “statist” Democratic party in which “any defense of free markets or business is dismissed,” and take his view of Hillary’s pluralism on its face.
In Hillary’s Democratic party, citizens exercise their influence through various interest groups. There’s business (presented here as a monolith), and there there’s “labor, environmentalists, consumer advocates, and other countervailing interests,” and together they compromise on incrementalist policy about which everyone gets a say.
That is, in fact, how the mainstream Democratic party organizes itself, and Hillary’s endorsement by virtually all of the organizations deemed to represent one of these players reflects it. She does have support from business, but she also has support from League of Conservation Voters, Planned Parenthood, Human Rights Campaign, and other big organizations. (There’s a breathtaking list of her endorsements here — you have to scroll down quite a way to get to the institutional endorsements.) This is what that “establishment organization” hubbub was about: that Hillary has the support of the groups deemed to represent the various pluralities of the Democratic party.
On that list are most of the national labor unions. That’s not surprising. Hillary is (still) a favorite to win nomination and after that the general election, and all these organizations are ensuring they’ll have a seat at that pluralist table Hillary sets (though it’s not clear what the unions that backed Obama early in 2008 really got out of the deal; he certainly didn’t deliver the Employee Free Choice Act, as he had suggested he’d try to do). Union leaders endorse early because it ensures they’ll have the ear of the presumptive president.
Even there, as some have noted, a few unions that let members decide who to endorse endorsed Bernie.
But here’s the thing. Just 11.1% of workers were in a union last year. And to the extent that the Democratic party’s pluralism is mediated through these national organizations, it means the views of workers as such are largely represented by organizations they don’t have any stake in, organizations whose workers make 26% more than non-union workers. And we wonder why so few of these workers show up to vote for Democrats?
I asked Chait on Twitter where these more marginalized workers would get their seat at the pluralist table and thus far haven’t gotten an answer.
This question is probably most pressing with regards to the most exciting labor organizing in recent years: the SEIU-backed Fight for 15, which has found a model that works for franchises, and which has also notched a number of key local wins for a higher minimum wage. Importantly, where it succeeds in raising wages for an entire city, people within and outside of the movement structure will do better. But a lot of workers who would be incorporated at the pluralist table by a push for a living minimum wage are not and would not be SEIU members.
Fight for 15 is an issue where there’s a clear policy difference between Hillary, who favors raising the minimum wage to $12 (which is not a living wage in many areas of this country) and Bernie, who enthusiastically supports the $15 goal.
Nevertheless, SEIU endorsed Hillary. Jacobin explained the logic shortly after the endorsement.
If Clinton is going to win — because she has to win — then delaying a primary endorsement has no upside. The union would simply jeopardize its spot on Clinton’s crowded list of favors to return.
But the access argument is also unpersuasive. In 2007 the union was divided internally over whether to back John Edwards or Obama. In the end the national union allowed its state affiliates to go their separate ways, only uniting behind Obama after Edwards had dropped out after the first round of primaries. Opting not to come out early for Obama didn’t prevent the union from mobilizing members and resources for the general election. Similarly, SEIU will be indispensable to the Democratic nominee’s chances in November, so it is hard to argue that Clinton could shut the union out.
Comments from SEIU’s largest local suggest the union is perfectly happy to see Sanders pressing Clinton to take more left-leaning positions. But the labor movement still sees the election solely through the prism of its outcome — not in terms of what Sanders’s candidacy represents, or makes possible.
That narrow electoralism could end up harming Fight for 15 — not just the union’s most important campaign, but arguably the most important labor battle happening today. SEIU’s decision to provide the financial largesse for Fight for 15 comes from the indisputably correct observation that unless the labor movement can bring millions of low-wage workers into its fold, organized labor is scheduled for expiry.
Yet before the endorsement announcement, SEIU President Mary Kay Henry toldAl Jazeera that though the union is expecting “candidates up and down the ticket who are willing to get in the streets and champion this demand,” support for a $15 minimum wage is not a “litmus test” but an “aspirational demand.”
Over the last three years, SEIU has spent tens of millions of dollars and galvanized the labor movement around an inspiring fight. It has justified this enormous expenditure to its members by correctly arguing that they won’t be able to protect and improve their own standards unless something is done to boost the wages of the worst paid workers.
But if the union actually believed it could win on this issue — if it believed it could lead — then a litmus test is exactly what it would be. Clinton would just have to get in line. Members and non-members have shown that they are willing to fight for $15 and a union. What does it say to them if they now are asked to knock on doors calling for $12 and a Clinton?
That is, Hillary’s pluralist table, which leaves little space for the overwhelming majority of workers who aren’t represented by a union, had already dealt away the key policy platform the key voice pulling up to that table has pursued.
Partly that’s a testament to the desperation of unions — that they’re willing to trade their key issues even to get a seat at the table, and partly that’s a testament to the lack of representation for most workers who might sit there.
But having set the table like that, there’s little prospect the large numbers of workers who haven’t been as active in Democratic politics of late will have much sway in face of the powerful banks who don’t appear to have traded away key issues for their time with Hillary.
Notably: these lower income voters, along with the more widely noted younger voters, are precisely those whom Bernie is winning (though as the primary moves to more racially diverse states, that is expected to change).
There’s a key failing in the pluralist vision painted by Chait (even taking it on its face): even to win a seat at the table, labor — and really just that fraction of workers who enjoy union representation — had already started compromising, well before the bankers even sat down for their scotch.
And no matter how this primary ends up, that’s not something that’s sustainable, particularly not in the wake of the financial disaster that pushed so many people closer to the edge. If Clinton is going to win with a pluralist table, there needs to be, for both electoral and social justice reasons, a seat, a lot of seats, for all the workers who have fallen by the electoral wayside in recent years. Bernie has gotten their attention. What does Hillary plan to do to keep it?
Some weeks ago, the government went to Silicon Valley to ask for new ways to counter ISIS’ propaganda. We’re now seeing the response to that request, with the report that Google will show positive ads when people search for extremist content.
In a new development, Google said it’s testing ways to counter extremist propaganda with positive messages on YouTube and in Google search results.
Google executive Anthony House told MPs that taking extremist videos down from YouTube isn’t enough, and people searching for that content should be presented with competing narratives:
We should get the bad stuff down, but it’s also extremely important that people are able to find good information, that when people are feeling isolated, that when they go online, they find a community of hope, not a community of harm.
There are two programs being tested by Google to make sure the positive messages are seen by people seeking out extremist content: one to make sure the “good” kind of videos are easily found on YouTube; and another to display positive messages when people search for extremist-related terms.
The second program involves giving grants to nonprofit organizations to use Google AdWords to display competing ads alongside the search results for those extremist-related terms.
If Google wants to do this, that’s fine.
But I’m wondering about the legal standard here. It’s unclear whether Google will only show these “positive” (whoever and however that gets defined) when people search for “extremist” content, or whether they’ll show Google ads to those whose email content reflects an interest in “extremist” material.
In both cases, however, Google will use material that counts as “content” to decide to show these ads.
And then what happens? That is, what happens to Google’s records determining that these users should get that content? Do the records, stripped of the content itself, count as a third party record that can be obtained with a subpoena? Or do they count as content?
Congress hasn’t passed legislation requiring tech companies to report their terrorist users. But does having Google use its algorithms to determine who is an extremist give the government a way to find out who Google thinks is an extremist?
During yesterday’s Congressional hearing — and really, since the Governor’s hand-picked Task Force first gave him an interim report in December — employees from Michigan’s Department of Environmental Quality have come in for most of the blame for poisoning Flint.
But today, Progress Michigan published some emails that suggest DEQ’s employees are unwilling to take the fall, at least not by themselves. They show that in March of last year, a supervisor in Gennesee County’s health department wrote people in Flint and at DEQ asking for help with data on water quality after getting no response to a FOIA in January 2015.
In the email, the supervisor noted that a spike in Legionnaires coincided with the switch to Flint’s water. Jerry Ambrose was then the Emergency Manager of Flint; it’s unclear why he was using a GMail address as EM.
In the next few days, officials at DEQ exchanged some panicked emails, pretty much blaming Flint for the non-response, noting that DEQ “became peripherally aware” of the spike in Legionnaires, but also bitching about the Genesee County supervisor suggesting that it might be tied to the switch to Flint river water.
It appears that panicked email was printed out by then DEQ Director Dan Wyant’s assistant, Mary Beth Thelen, then initialed by Wyant, presumably indicating he had read it.
Also included on that email, though, was Harvey Hollins.
As I noted here, in December, in response to a recommendation from Governor Snyder’s hand-picked Flint Task Force, the governor picked Hollins to be the single “independent” person overseeing response to the Flint crisis. It was absurd to pick him in the first place, because (as this shows) Hollins had been personally involved all along. But he is, at least on paper, in charge of response.
In other words, the email chain shows that both Snyder’s hand-picked EM and the guy in charge of liaising with Flint knew, over a year ago, that Legionnaires (which has since killed at least 9 people) might be tied to the water switchover.
Progress Michigan doesn’t note how they came by this email. But it’s pretty clear it was Wyant’s personal copy of it. In December — in response to another suggestion by the Task Force — Snyder had Wyant resign. Since then, Attorney General Bill Schuette pointed to Wyant’s resignation (which he originally expressed sadness about) to justify opening up his own investigation into the crisis.
All of which suggests to me that Wyant is unwilling to be the sole scapegoat for this crisis.
Yesterday, Boing Boing liberated a fascinating 2011 GCHQ document from the Snowden collection on GCHQ’s partnership with Heilbronn Institute for Mathematical Research on datamining. It’s a fascinating overview of collection and usage. This will be a working thread with rolling updates.
In addition to BoingBoing’s article, I’ll update with links to other interesting analysis.
 The distribution list is interesting for the prioritization, with 4 NSA research divisions preceding GCHQ’s Information and Communications Technology Research unit. Note, too, the presence of Livermore Labs on the distribution list, along with an entirely redacted entry that could either be Sandia (mentioned in the body), a US university, or some corporation. Also note that originally only 18 copies of this were circulated, which raises real questions about how Snowden got to it.
 At this point, GCHQ was collecting primarily from three locations: Cheltenham, Bude, and Leckwith.
[9-10] Because of intake restrictions (which I believe other Snowden documents show were greatly expanded in the years after 2011), GCHQ can only have 200 “bearers” (intake points) on “sustained cover” (being tapped) at one time. Each collected at 10G a second. GCHQ cyclically turns on all bearers for 15 minutes at a time to see what traffic is passing that point (which is how they hack someone, among other things). Footnote 2 notes that analysts aren’t allowed to write up reports on this feed, which suggests research, like the US side, is a place where more dangerous access to raw data happens.
 Here’s the discussion of metadata and content; keep in mind that this was written within weeks of NSA shutting down its Internet dragnet, probably in part because it was getting some content.
Roughly, metadata comes from the part of the signal needed to set up the communication, and content is everything else. For telephony, this is simple: the originating and destination phone numbers are the metadata, and the voice cut is the content. Internet communications are more complicated, and we lean on legal and policy interpretations that are not always intuitive. For example, in an HTTP request, the destination server name is metadata (because it, or rather its IP address, is needed to transmit the packet), whereas the path-name part of the destination URI is considered content, as it is included inside the packet payload (usually after the string GET or POST). For an email, the to, from, cc and bcc headers are metadata (all used to address the communication), but other headers (in particular, the subject line) are content; of course, the body of the email is also content.
 This makes it clear how closely coming up as a selector ties to content collection. Remember, NSA was already relying on SPCMA at this point to collect US person Internet comms, which means their incidental communications would come up easily.
GCHQ’s targeting database is called BROAD OAK, and it provides selectors that the front-end processing systems can look for to decide when to process content. Examples of selectors might be telephone numbers, email addresses or IP ranges.
 At the Query-Focused Dataset level (a reference we’ve talked about in the past), they’re dealing with: “the 5-tuple (timestamp, source IP, source port, destination IP, destination port) plus some information on session length and size.”
 It’s clear when they say “federated” query they’re talking global collection (note that by this point, NSA would have a second party (5 Eyes) screen for metadata analysis, which would include the data discussed here.
 Note the reference to increased analysis on serious crime. In the UK there’s not the split between intel and crime that we have (which is anyway dissolving at FBI). But this was also a time when the Obama Admin’s focus on Transnational Crime Orgs increased our own intel focus on “crime.”
 This is why Marco Rubio and others were whining about losing bulk w/USAF: the claim that we are really finding that many unknown targets.
The main driver in target discovery has been to look for known modus operandi (MOs): if we have seen a group of targets behave in a deliberate and unusual way, we might want to look for other people doing the same thing.
As I noted, after years of legislating Section 702 of the FISA Amendments Act in public, yesterday the House Judiciary Committee had a closed hearing on it, which raises all sorts of questions about what has changed.
The agencies presenting to the committee did provide an unclassified statement for the record that is mostly stuff we know (one of the most interesting details is that it considers upstream telephony collection to be a different kind of collection than upstream Internet collection). But it does provide 3 examples of things that it would explain to the committee in classified session. One is utterly predictable: examples of counterterrorism intelligence obtained under Section 702.
Section 702 collection is a major contributor to NSA’s counterterrorism reporting and on other topics as well. Since its enactment in 2008, the number of signals intelligence reports issued by NSA based at least in part on Section 702 collection has grown exponentially. CIA and FBI state that they have acquired highly valuable and often unique intelligence through Section 702 collection. Numerous real-life examples that demonstrate the broad range of important information that the Intelligence Community has obtained can be provided to the Committee in a classified setting. While these examples which identify specific targets and operations must remain classified, the following declassified example provides just one instance of the many contributions Section 702 has made to our national security.
Of course, the IC shouldn’t be permitted to present such things in secret, as so many of their cases have been shown to be bogus (or not provided 702 notice) in the past. It is now down to one unclassified case — Najibullah Zazi — where they used 702, and that wasn’t even all that central (which may be why they never did get 702 notice).
The other two are more interesting. They include:
Recall, as late as 2011, the IC was known to have 3 certificates a counterterrorism certificate, a counterproliferation one, and a foreign government one, which serves as a grab bag. Because it was so obvious the IC was using Section 702 for cybersecurity, I mistakenly claimed they had a cyber certificate, but as late as 2012, they had not yet obtained one. Perhaps the IC needed classified session to explain all this.
But how weird would it be to brief HJC on a Section 702 cyber certificate while DHS and DOJ are implementing OmniCISA, which will enable upstream searches for cyber signatures within the US? Perhaps that’s what they were doing, but it would be interesting timing.
Which makes me wonder, again, about whether there’s another kind of certificate, perhaps one targeted at Tor?
In any case, there is something significant about the set of certificates the IC has or is asking for (probably the former, given that it makes a big show here of releasing the documents tied to the 2014 certification process, but not those tied to the 2015 certification process).
I’m sure that’s not the only thing the IC wanted to brief HJC on in secret. But it does appear to be one thing they did brief in secret. (Side note: I have reason to believe the IC did not tell the truth, even within the IC, about what certificates they got at the beginning of the PRISM process, so at least this would suggest they’re now being more forthcoming.)
I hope to have a further update about the ongoing effort to bury the Flint water crisis before the Oversight and Government Reform hearing on Wednesday morning.
But in the meantime I wanted to point to this passage, helpfully dropped out of the US Attorney’s investigation in Detroit:
The Federal Bureau of Investigation said on Tuesday it was joining a criminal investigation of lead-contaminated drinking water in Flint, Michigan, exploring whether laws were broken in a crisis that has captured international attention.
Federal prosecutors in Michigan were working with an investigative team that included the FBI, the U.S. Postal Inspection Service, the U.S. Environmental Protection Agency’s Office of Inspector General and the EPA’s Criminal Investigation Division, a spokeswoman for the U.S. Attorney’s Office in Detroit said.
An FBI spokeswoman said the agency was determining whether federal laws were broken, but declined further comment.
I’m actually not at all surprised FBI is involved in this investigation. That sort of comes with the territory of a US Attorney investigation, it seems.
But the US Postal Inspection Service? Here’s the kind of crime they investigate:
Report these issues to the U.S. Postal Inspection Service online:
- Mail fraud May include scams or deceptive ads via the mail, or postage fraud.
- Mail theft Under Inquiry Type, select Problem. Under Customer Service, select Support, and Mail Theft. Under Additional Information, explain why your complaint is mail theft-related.
- Identity theft
- Unsolicited Sexually Oriented Advertising
If you believe you’re a victim of fraud related to the U.S. Mail, including mailed sweepstakes, lotteries, on-line auctions, work-at-home scams or chain letters, report your concern to the U.S. Postal Inspection Service as mail fraud.
They often get brought in as an investigative partner if the government needs to track what has been mailed, and mail fraud charges can serve as hand add-on charges in cases where someone used the mail to help commit a crime.
I can imagine a lot of things the FBI might be investigating. But I know of no facts, thus far, that involve mail-related crimes.
Back in 2013, the President’s Review Group recommended that NSA’s defensive function — the Information Assurance Directorate — be removed from NSA. I’ve put the entirety of that recommendation below, but PRG recommended the change to:
Not only didn’t President Obama accept that recommendation, but he pre-empted it in several ways, before the PRG could publicly release their findings.
[O]n Thursday night, the Wall Street Journal and New York Times published leaked details from the recommendations from the review group on intelligence and communications technologies, a panelPresident Obama set up in August to review the NSA’s activities in response to theEdward Snowden leaks.
The stories described what they said were recommendations in the report as presented in draft form to White House advisors; the final report was due to the White House on Sunday. There were discrepancies in the reporting, which may have signaled the leaks were a public airing of disputes surrounding the review group (both articles noted the results were “still being finalized”). The biggest news item were reports about a recommendation that the director of the NSA(Dirnsa) and Cyber Command positions be split, with a civilian leading the former agency.
Before the final report was even delivered, the White House struck. On Friday, while insisting that the commission report was not yet final, national security council spokesperson Caitlin Hayden announced the White House had already decided the position would not be split. A dual-hatted general would continue to lead both.
By all appearances, the White House moved to pre-empt the results of its own review group to squelch any recommendation that the position be split.
Today, Ellen Nakashima reports that NSA will go further still, and completely merge its offensive and defensive missions.
In place of the Signals Intelligence and Information Assurance directorates, the organizations that historically have spied on foreign targets and defended classified networks against spying, the NSA is creating a Directorate of Operations that combines the operational elements of each.
Some lawmakers who have been briefed on the broad parameters consider restructuring a smart thing to do because an increasing amount of intelligence and threat activity is coursing through global computer networks.
“When it comes to cyber in particular, the line between collection capabilities and our own vulnerabilities — between the acquisition of signals intelligence and the assurance of our own information — is virtually nonexistent,” said Rep. Adam B. Schiff (Calif.), the ranking Democrat on the House Intelligence Committee. “What is a vulnerability to be patched at home is often a potential collection opportunity abroad and vice versa.”
But there have been rumblings of discontent within the NSA, which is based at Fort Meade, Md., as some fear a loss of influence or stature.
Some advocates for the comparatively small Information Assurance Directorate, which has about 3,000 people, fear that its ability to work with industry on cybersecurity issues will be undermined if it is viewed as part of the much larger “sigint” collection arm, which has about eight times as many personnel. The latter spies on overseas targets by hacking into computer networks, collecting satellite signals and capturing radio waves.
While Nakashima presents some conflicting views on whether IAD will be able to cooperate with industry, none of the comments she includes addresses the larger bureaucratic issue: that defense is already being shortchanged in favor of the glitzier offensive function.
But Edward Snowden did weigh in, in response to a comment I made on this onTwitter.
When defense is an afterthought, it’s not a National Security Agency. It’s a National Spying Agency.
It strikes me this NSA reorganization commits the country to a particular approach to cybersecurity that will have significant ramifications for some time. It probably shouldn’t be made with the exclusive review of the Intelligence Committees mostly in secret.
We recommend that the Information Assurance Directorate—a large component of the National Security Agency that is not engaged in activities related to foreign intelligence—should become a separate agency within the Department of Defense, reporting to the cyber policy element within the Office of the Secretary of Defense.
In keeping with the concept that NSA should be a foreign intelligence agency, the large and important Information Assurance Directorate (IAD) of NSA should be organizationally separate and have a different reporting structure. IAD’s primary mission is to ensure the security of the DOD’s communications systems. Over time, the importance has grown of its other missions and activities, such as providing support for the security of other US Government networks and making contributions to the overall field of cyber security, including for the vast bulk of US systems that are outside of the government. Those are not missions of a foreign intelligence agency. The historical mission of protecting the military’s communications is today a diminishing subset of overall cyber security efforts.
We are concerned that having IAD embedded in a foreign intelligence organization creates potential conflicts of interest. A chief goal of NSA is to access and decrypt SIGINT, an offensive capability. By contrast, IAD’s job is defense. When the offensive personnel find some way into a communications device, software system, or network, they may be reluctant to have a patch that blocks their own access. This conflict of interest has been a prominent feature of recent writings by technologists about surveillance issues.
A related concern about keeping IAD in NSA is that there can be an asymmetry within a bureaucracy between offense and defense—a successful offensive effort provides new intelligence that is visible to senior management, while the steady day-to-day efforts on defense offer fewer opportunities for dramatic success.
Another reason to separate IAD from NSA is to foster better relations with the private sector, academic experts, and other cyber security stakeholders. Precisely because so much of cyber security exists in the private sector, including for critical infrastructure, it is vital to maintain public trust. Our discussions with a range of experts have highlighted a current lack of trust that NSA is committed to the defensive mission. Creating a new organizational structure would help rebuild that trust going forward.
There are, of course, strong technical reasons for information-sharing between the offense and defense for cyber security. Individual experts learn by having experience both in penetrating systems and in seeking to block penetration. Such collaboration could and must occur even if IAD is organizationally separate.
In an ideal world, IAD could form the core of the cyber capability of DHS. DHS has been designated as the lead cabinet department for cyber security defense. Any effort to transfer IAD out of the Defense Department budget, however, would likely meet with opposition in Congress. Thus, we suggest that IAD should become a Defense Agency, with status similar to that of the Defense Information Systems Agency (DISA) or the Defense Threat Reduction Agency (DTRA). Under this approach, the new and separate Defense Information Assurance Agency (DIAA) would no longer report through intelligence channels, but would be subject to oversight by the cyber security policy arm of the Office of the Secretary of Defense.
There’s a paper that has been making waves, claiming it has found a formula to debunk conspiracies based on the likelihood if they were real, they would have already been leaked. Never mind that people have already found fault with the math, the study has another glaring flaw. It treats the PRISM program — and not, say, the phone dragnet — as one of its “true” unknown conspiracies.
PRISM — one part of the surveillance program authorized by Section 702 of the FISA Amendments Act — was remarkable in that it was legislated in public. There are certainly parts of Section 702 that were not widely known, such as the details about the “upstream” collection from telecom switches, but even that got explained to us back in 2006 by Mark Klein. There are even details of how the PRISM collection worked — its reliance on network mapping, the full list of participants. There are details that were exposed, such as that the government was doing back door searches on content collected under it, but even those were logical guesses based on the public record of the legislative debates.
Which is why it is so remarkable that — as I noted here and here — House Judiciary Committee Chair Bob Goodlatte has scheduled a classified hearing to cover the program that has been the subject of open hearings going back to at least 2008.
The hearing is taking place as we speak with the following witnesses.
This suggests there is either something about the program we don’t already know, or that the government is asking for changes to the program that would extend beyond the basic concept of spying on foreigners in the US using US provider help.
I guess we’re stuck wildarseguessing what those big new secrets are, given the Intelligence Community’s newfound secrecy about this program.
Some observations about the witnesses. First, between Litt and Evans, these are the lawyers that would oversee the yearly certification applications to FISC. That suggests the government may, in fact, be asking for new authorities or new interpretations of authorities.
Darby would be in charge of the technical side of this program. Since the PRISM as it currently exists is so (technologically) simple, that suggests the new secrets may involve a new application of what the government will request from providers. This might be an expansion of upstream, possibly to bring it closer to XKeyscore deployment overseas, possibly to better exploit Tor. Remember, too, that under USA Freedom Act, Congress authorized the use of data collected improperly, provided that it adheres to the new minimization procedures imposed by the FISC. This was almost certainly another upstream collection, which means there’s likely to be some exotic new upstream application that has caused the government some problems of late.
Note that the sole FBI witness oversees counterterrorism, not cybersecurity. That’s interesting because it would support my suspicions that the government is achieving its cybersecurity collection via other means now. But also that any new programs may be under the counterterrorism function. Remember, the NatSec bosses, including Jim Comey, just went to Silicon Valley to ask for help applying algorithms to identify terrorism content. Remember, too, that such applications would have been useless to prevent the San Bernardino attack if they were focused on the public social media content. So it may be that NSA and FBI want to apply algorithms identifying radicalizers to private content.
Finally, and critically, remember the Apple debate. In a public court case, Apple and the FBI are fighting over whether Apple can be required to decrypt its customers’ smart device communications. The government has argued this is within the legal notion of “assistance to law enforcement.” Apple disagrees. I think it quite possible that the FBI would try to ask for decryption help to be included under the definition of “assistance” under Section 702. Significantly, these witnesses are generally those (including Bob Litt and FBI counterterrorism) who would champion such an interpretation.
Between this report, released today, on DOD Inspector General’s ongoing work and the Intelligence Community’s Inspector General Semiannual report, released in mid-January, the Intelligence Community is doing a whole bunch of audits and inspections of its own network security, some of them mandated by Congress. And there are at least hints that all is not well in the networks that enable the Intelligence Community to share profusely.
The most interesting description of a report from ICIG’s Semiannual review, for example, suggests that, given the IC’s recent move to share everything on an Amazon-run cloud, the bad security habits of some elements of the IC are exposing other elements within the IC.
AUD-2015-006: Transition to the Intelligence Community Cloud Audit
The DNI, along with Intelligence Community leadership, determined that establishing a common IT architecture across the IC could advance intelligence integration, information sharing, and enhance security while creating efficiencies. This led to the Intelligence Community Information Technology Enterprise, an IC-wide initiative coordinated through the Office of the Intelligence Community Chief Information Officer. IC ITE’s sharing capability is enabled by a cloudbased architecture known as the IC Cloud – a secure resource delivering IT and information services and capabilities to the entire community. The cloud will allow personnel to share data, systems, and applications across the IC. The IC elements’ effective transition to the IC ITE cloud environment is key to achieving the initiative’s overarching goals and as such, systems working together in a cloud environment creates potential security concerns.
In particular, information system security risks or vulnerabilities to one IC element operating within IC ITE may put all IC elements at risk. Information from a joint IG survey of 10 IC elements suggested that the elements may have the differing interpretations of policies and requirements, or are not fully aware of their responsibilities for transitioning to the IC Cloud. As a result of these preliminary observations, IC IG initiated an audit that will: 1. Assess how the IC elements are planning to transition to the IC ITE Cloud environment; 2. Determine IC elements’ progress in implementing cloud transition plans; and, 3. Compare how IC elements are applying the risk management framework to obtain authorizations to operate on the IC Cloud. We plan to issue a report by the end of the first quarter of FY 2017. [my emphasis]
The IC is banking quite a bit on being able to share safely within the cloud. I would imagine that fosters a culture of turf war and recriminations for any vulnerabilities. It certainly seems that this report arises out of problems — or at least the identification of potential problems — arising from the move to the cloud. Note that this report won’t be completed until the end of this calendar year.
Then there’s this report, which was mandated in a classified annex of the Intelligence Authorization passed in December and, from the looks of things, started immediately.
Audit of Controls Over Securing the National Security Agency Network and Infrastructure (Project No. D2016-DOOORC-0072.000)
We plan to begin the subject audit in January 2016. Our objective is to determine whether initiatives implemented by the National Security Agency are effective to improve security over its systems, data, and personnel activities. Specifically, we will determine whether National Security Agency processes and technical controls are effective to limit privileged access to National Security Agency systems and data and to monitor privileged user actions for unauthorized or inappropriate activity. The classified annex to accompany H.R. 2596, the Intelligence Authorization Act for Fiscal Year 2016, contained a Department of Defense Inspector General classified reporting requirement. This audit is the first in a series. We will consider suggestions from management on additional or revised objectives.
It seems to be an assessment — the first in a series — of whether limits on privileged access to NSA systems are working. This may well be a test of whether the changes implemented after the Snowden leak (such as requiring two parties to be present when performing functions in raw data, such as required on dragnet intake) have mitigated what were some obviously huge risks.
I’m mostly curious about the timing of this report. You would have thought the implementation of such controls would come automatically with some kind of audit, but they’re just now, 2.5 years later, getting around to that.
Here are some other reports from the ICIG report, the latter three of which indicate a real focus on information sharing.
AUD-2015-007: FY 2015 Consolidated Federal Information Security Modernization Act of 2014 Capstone Reports for Intelligence Community Elements’ Inspectors General
This project will focus on FY 2015 FISMA report submissions from the OIGs for the IC elements operating or exercising control of national security systems. We will summarize 11 IC elements’ information security program strengths and weaknesses; identify the cause of the weaknesses in these programs, if noted by the respective OIGs; and provide a brief summary of the recommendations made for IC information security programs. To perform this evaluation, we will apply the Department of Homeland Security FY 2015 IG FISMA metrics for ten information security program areas.
1. Continuous Monitoring Management 2. Security Configuration Management 3. Identity and Access Management 4. Incident Response and Reporting 5. Risk Management 6. Security Training 7. Plan of Action and Milestones 8. Remote Access Management 9. Contingency Planning 10. Contractor Systems We will issue our report by the end of the first quarter of FY 2016
INS-2015-004: Inspection: Office of the Intelligence Community Chief Information Officer
The IC CIO is accountable for overall formulation, development, and management of the Intelligence Community Information Technology Enterprise. The scope of our review was limited and informed by a concurrent IC IG Audit survey of IC ITE, as well as an ongoing evaluation of IC ITE progress by the ODNI Systems and Resources Analyses office. Additional details of this report are in the classified annex.
INS-2015-005: Joint Evaluation of Field Based Information Sharing Entities
Along with our OIG partners at the Departments of Justice and Homeland Security, we are evaluating federally supported entities engaged in field-based domestic counterterrorism, homeland security, and information sharing activities in conjunction with state, tribal, and local law enforcement agencies. This review is in response to a request from Senate committees on Intelligence, Judiciary, Homeland Security and Governmental Affairs. We will issue our report during FY 2016.
INS-2015-006: Inspection: ODNI Office of the Program Manager–Information Sharing Environment
We last inspected the ODNI PM-ISE office in 2013 and are conducting a follow-up review with a focus on resource management.
Last year, House Homeland Security Chair Michael McCaul offered up his rear-end to be handed back to him in negotiations leading to the passage of OmniCISA on last year’s omnibus. McCaul was probably the only person who could have objected to such a legislative approach because it deprived him of weighing in as a conferee. While he made noise about doing so, ultimately he capitulated and let the bill go through — and be made less privacy protective — as part of the must-pass budget bill.
Which is why I was so amused by McCaul’s op-ed last week, including passage of OmniCISA among the things he has done to make the country more safe from hacks. Here was a guy, holding his rear-end in his hands, plaintively denying that, by claiming that OmniCISA reinforced his turf.
I was adamant that the recently-enacted Cybersecurity Act include key provisions of my legislation H.R. 1731, the National Cybersecurity Protection Advancement Act. With this law, we now have the ability to be more efficient while protecting both our nation’s public and private networks.
With these new cybersecurity authorities signed into law, the Department of Homeland Security (DHS) will become the sole portal for companies to voluntarily share information with the federal government, while preventing the military and NSA from taking on this role in the future.
With this strengthened information-sharing portal, it is critical that we provide incentives to private companies who voluntarily share known cyber threat indicators with DHS. This is why we included liability protections in the new law to ensure all participants are shielded from the reality of unfounded litigation.
While security is vital, privacy must always be a guiding principle. Before companies can share information with the government, the law requires them to review the information and remove any personally identifiable information (PII) unrelated to cyber threats. Furthermore, the law tasks DHS and the Department of Justice (DOJ) to jointly develop the privacy procedures, which will be informed by the robust existing DHS privacy protocols for information sharing.
Given DHS’ clearly defined lead role for cyber information sharing in the Cybersecurity Act of 2015, my Committee and others will hold regular oversight hearings to make certain there is effective implementation of these authorities and to ensure American’s privacy and civil liberties are properly protected.
It is true that under OmniCISA, DHS is currently (that is, on February 1) the sole portal for cyber-sharing. It’s also true that OmniCISA added DHS, along with DOJ, to those in charge of developing privacy protocols. There are also other network defense measures OmniCISA tasked DHS with — though the move of the clearances function, along with the budget OPM had been asking for to do it right but not getting, to DOD earlier in January, the government has apparently adopted a preference for moving its sensitive functions to networks DOD (that is, NSA) will guard rather than DHS. But McCaul’s bold claims really make me wonder about the bureaucratic battles that may well be going on as we speak.
Here’s how I view what actually happened with the passage of OmniCISA. It is heavily influenced by these three Susan Hennessey posts, in which she tried to convince that DHS’ previously existing portal ensured privacy would be protected, but by the end seemed to concede that’s not how it might work out.
Underlying the entire OmniCISA passage is a question: Why was it necessary? Boosters explained that corporations wouldn’t share willingly without all kinds of immunities, which is surely true, but the same boosters never explained why an info-sharing system was so important when experts were saying it was way down the list of things that could make us safer and similar info-sharing has proven not to be a silver bullet. Similarly, boosters did not explain the value of a system that not only did nothing to require cyber information shared with corporations would be used to protect their networks, but by giving them immunity (in final passage) if they did nothing with information and then got pawned, made it less likely they will use the data. Finally, boosters ignored the ways in which OmniCISA not only creates privacy risks, but also expands new potential vectors of attack or counterintelligence collection for our adversaries.
So why was it necessary, especially given the many obvious ways in which it was not optimally designed to encourage monitoring, sharing, and implementation from network owners? Why was it necessary, aside from the fact that our Congress has become completely unable to demand corporations do anything in the national interest and there was urgency to pass something, anything, no matter how stinky?
Indeed, why was legislation doing anything except creating some but not all these immunities necessary if, as former NSA lawyer Hennessey claimed, the portal laid out in OmniCISA in fact got up and running on October 31, between the time CISA passed the Senate and the time it got weakened significantly and rammed through Congress on December 18?
At long last DHS has publically unveiled its new CISA-sanctioned, civil-liberties-intruding, all-your-personal-data-grabbing, information-sharing uber vacuum. Well, actually, it did so three months ago, right around the time these commentators were speculating about what the system would look like. Yet even as the cleverly-labeled OmniCISA passed into law last month, virtually none of the subsequent commentary took account of the small but important fact that the DHS information sharing portal has been up and running for months.
Hennessey appeared to think this argument was very clever, to suggest that “virtually no” privacy advocates (throughout her series she ignored that opposition came from privacy and security advocates) had talked about DHS’ existing portal. She must not have Googled that claim, because if she had, it would have become clear that privacy (and security) people had discussed DHS’ portal back in August, before the Senate finalized CISA.
Back in July, Al Franken took the comedic step of sending a letter to DHS basically asking, “Say, you’re already running the portal that is being legislated in CISA. What do you think of the legislation in its current form?” And DHS wrote back and noted that the portal being laid out in CISA (and the other sharing permitted under the bill) was different in several key ways from what it was already implementing.
Its concerns included:
As noted, that exchange took place in July (most responses to it appeared in August). While a number of amendments addressing DHS’ concerns were proposed in the Senate, I’m aware of only two that got integrated into the bill that passed: an Einstein (that is, federal network monitoring) related request, and DHS got added — along with the Attorney General — in the rules-making function. McCaul mentioned both of those things, along with hailing the “more efficient” sharing that may refer to the real-time versus almost real-time sharing, in his op-ed.
Not only didn’t the Senate respond to most of the concerns DHS raised, as I noted in another post on the portal, the Senate also gave other agencies veto power over DHS’ scrub (this was sort of the quid pro quo of including DHS in the rule-making process, and it was how Ranking Member on the Senate Homeland Security Committee, Tom Carper, got co-opted on the bill), which exacerbated the real versus almost real-time sharing problem.
All that happened by October 27, days before the portal based on Obama’s executive order got fully rolled out. The Senate literally passed changes to the portal as DHS was running it days before it went into full operation.
Meanwhile, one more thing happened: as mandated by the Executive Order underlying the DHS portal, the Privacy and Civil Liberties Oversight Board helped DHS set up its privacy measures. This is, as I understand it, the report Hennessey points to in pointing to all the privacy protections that will make OmniCISA’s elimination of warrant requirements safe.
Helpfully, DHS has released its Privacy Impact Assessment of the AIS portal which provides important technical and structural context. To summarize, the AIS portal ingests and disseminates indicators using—acronym alert!—the Structured Threat Information eXchange (STIX) and Trusted Automated eXchange of Indicator Information (TAXII). Generally speaking, STIX is a standardized language for reporting threat information and TAXII is a standardized method of communicating that information. The technology has many interesting elements worth exploring, but the critical point for legal and privacy analysis is that by setting the STIX TAXII fields in the portal, DHS controls exactly which information can be submitted to the government. If an entity attempts to share information not within the designated portal fields, the data is automatically deleted before reaching DHS.
In other words, the scenario is precisely the reverse of what Hennessey describes: DHS set up a portal, and then the Senate tried to change it in many ways that DHS said, before passage, would weaken the privacy protections in place.
Now, Hennessey does acknowledge some of the ways OmniCISA weakened privacy provisions that were in DHS’ portal. She notes, for example, that the Senate added a veto on DHS’ privacy scrubs, but suggests that, because DHS controls the technical parameters, it will be able to overcome this veto.
At first read, this language would appear to give other federal agencies, including DOD and ODNI, veto power over any privacy protections DHS is unable to automate in real-time. That may be true, but under the statute and in practice DHS controls AIS; specifically, it sets the STIX TAXXI fields. Therefore, DHS holds the ultimate trump card because if that agency believes additional privacy protections that delay real-time receipt are required and is unable to convince fellow federal entities, then DHS is empowered to simply refuse to take in the information in the first place. This operates as a rather elegant check and balance system. DHS cannot arbitrarily impose delays, because it must obtain the consent of other agencies, if other agencies are not reasonable DHS can cut off the information, but DHS must be judicious in exercising that option because it also loses the value of the data in question.
This seems to flip Youngstown on its head, suggesting the characteristics of the portal laid out in an executive order and changed in legislation take precedence over the legislation.
Moreover, while Hennessey does discuss the threat of the other portal — one of the features added in the OmniCISA round with no debate — she puts it in a different post from her discussion of DHS’ purported control over technical intake data (and somehow portrays it as having “emerged from conference with the new possibility of an alternative portal” even though no actual conference took place, which is why McCaul is stuck writing plaintive op-eds while holding his rear-end). This means that, after writing a post talking about how DHS would have the final say on protecting privacy by controlling intake, Hennessey wrote another post that suggested DHS would have to “get it right” or the President would order up a second portal without all the privacy protections that DHS’ portal had in the first place (and which it had already said would be weakened by CISA).
Such a portal would, of course, be subject to all statutory limitations and obligations, including codified privacy protections. But the devil is in the details here; specifically, the details coded into the sharing portal itself. CISA does not obligate that the technical specifications for a future portal be as protective as AIS. This means that it is not just the federal government and private companies who have a stake in DHS getting it right, but privacy advocates as well. The balance of CISA is indeed delicate.
Elsewhere, Hennessey admits that many in government think DHS is a basket-case agency (an opinion I’m not necessarily in disagreement with). So it’s unclear how DHS would retain any leverage over the veto given that exercising such leverage would result in DHS losing this portfolio altogether. There was a portal designed with privacy protections, CISA undermined those protections, and then OmniCISA created yet more bureaucratic leverage that would force DHS to eliminate its privacy protections to keep the overall portfolio.
Plus, OmniCISA did two more things. First, as noted, back in July DHS said it would need 180 days to fully tweak its existing portal to match the one ordered up in CISA. CISA and OmniCISA didn’t care: the bill and the law retained the 90 day turnaround. But in addition, OmniCISA required DHS and the Attorney General develop their interim set of guidelines within 60 days (which as it happened included the Christmas holiday). That 60 deadline is around February 16. The President can’t declare the need for a second portal until after the DHS one gets certified, which has a 90 day deadline (so March 18). But he can give a 30 day notice that’s going to happen beforehand. In other words, the President can determine, after seeing what DHS and AG Lynch come up with in a few weeks, that that’s going to be too privacy restrictive and tell Congress FBI needs to have its own portal, something that did not and would not have passed under regular legislative order.
Finally, as I noted, PCLOB had been involved in setting up the privacy parameters for DHS’ portal, including the report that Hennessey points to as the basis for comfort about OmniCISA’s privacy risk. In final passage of OmniCISA, a PCLOB review of the privacy impact of OmniCISA, which had been included in every single version of the bill, got eliminated.
Hennssey’s seeming admission that’s the eventual likelihood appears over the course of her posts as well. In her first post, she claims,
From a practical standpoint, the government does not want any information—PII or otherwise—that is not necessary to describe or identify a threat. Such information is operationally useless and costly to store and properly handle.
But in explaining the reason for a second portal, she notes that there is (at least) one agency included in OmniCISA sharing that does want more information: FBI.
[T]here are those who fear that awarding liability protection exclusively to sharing through DHS might result in the FBI not getting information critical to the investigation of computer crimes. The merits of the argument are contested but the overall intention of CISA is certainly not to result in the FBI getting less cyber threat information. Hence, the fix.
AIS is not configured to receive the full scope of cyber threat information that might be necessary to the investigation of a crime. And while CISA expressly permits sharing with law enforcement – consistent with all applicable laws – for the purposes of opening an investigation, the worry here is that companies that are the victims of hacks will share those threat indicators accepted by AIS, but not undertake additional efforts to lawfully share threat information with an FBI field office in order to actually investigate the crime.
That is, having decided that the existing portal wasn’t good enough because it didn’t offer enough immunities (and because it was too privacy protective), the handful of mostly Republican leaders negotiating OmniCISA outside of normal debate then created the possibility of extending those protections to a completely different kind of information sharing, that of content shared for law enforcement.
In her final post, Hennessey suggests some commentators (hi!!) who might be concerned about FBI’s ability to offer immunity for those who share domestically collected content willingly are “conspiracy-minded” even while she reverts to offering solace in the DHS portal protections that, her series demonstrates, are at great risk of bureaucratic bypass.
But these laws encompass a broad range of computer crimes, fraud, and economic espionage – most controversially the Computer Fraud and Abuse Act (CFAA). Here the technical constraints of the AIS system cut both ways. On one hand, the scope of cyber threat indicators shared through the portal significantly undercuts claims CISA is a mass surveillance bill. Bluntly stated, the information at issue is not of all that much use for the purposes certain privacy-minded – and conspiracy-minded, for that matter – critics allege. Still, the government presumably anticipates using this information in at least some investigations and prosecutions. And not only does CISA seek to move more information to the government – a specific and limited type of information, but more nonetheless – but it also authorizes at least some amount of new sharing.
That question ultimately resolves to which STIX TAXII fields DHS decides to open or shut in the portal. So as CISA moves towards implementation, the portal fields – and the privacy interests at stake in the actual information being shared – are where civil liberties talk should start.
To some degree, Hennessey’s ultimate conclusion is one area where privacy (and security) advocates might weigh in. When the government provides Congress the interim guidelines sometime this month, privacy (and security) advocates might have an opportunity to weigh in, if they get a copy of the guidelines. But only the final guidelines are required to be made public.
And by then, it would be too late. Through a series of legislative tactics, some involving actual debate but some of the most important simply slapped onto a must-pass legislation, Congress has authorized the President to let the FBI, effectively, obtain US person content pertaining to Internet-based crimes without a warrant. Even if President Obama chooses not to use that authorization (or obtains enough concessions from DHS not to have to directly), President Trump may not exercise that discretion.
Maybe I am being conspiratorial in watching the legislative changes made to a bill (and to an existing portal) and, absent any other logical explanation for them, concluding those changes are designed to do what they look like they’re designed to do. But it turns out privacy (and security) advocates weren’t conspiratorial enough to prevent this from happening before it was too late.