emptywheel


NSA Gets Full Take on FISA-Authorized Web Forums

Among the document dump associated with the Intercept’s two stories on XKeyscore, there’s one document that has importance outside of the discussion of how XKeyscore works: the slide deck on how XKS works on web forum data.

It reveals what was fairly predictable, but has never been confirmed: That the NSA obtains “full take” on US-based web forums that it can get FISA orders for.

This has been suggested in a number of terrorist proceedings — that the targets were first identified in a forum, and from there targeted for more surveillance (or, just as often, for an FBI undercover sting).

The XKS deck in question further makes clear that the NSA saves all of the data from such forums, so that data will come up in XKS queries going forward. Further, the NSA can pull the messages that use one of the most popular extremist tools for encryption.

All this almost certainly means that the same web forum data would be available to FBI Agents for back door searches at the Assessment level, so even the mere participation in a web forum may target someone for further investigation (or even, for coercion to become an informant himself).

Again, this has been fairly clear for some time. But this slide deck confirms what the government has been obscuring from defense attorneys.

 

XKeyscore Suffers from Same Giant Oversight Loophole as Phone Dragnet and SIGDEV: No Tech Audits

I’ve long pointed to a giant oversight hole in key NSA programs: in both the domestic phone dragnet and SIGDEV (research and development), tech activities are excluded from auditing requirements.

In a piece reviewing what happens with XKS today, Intercept’s Micah Lee points out that the same loophole appears to exist in XKeyscore, the querying system that filters through the globally collected data. Sysadmins not only don’t have their own audited log-ins (a condition that appears to be what was in existence for the PRTT dragnet until 2009), but they can access the system outside of the normal querying process that gets audited.

When systems administrators log into XKEYSCORE servers to configure them, they appear to use a shared account, under the name “oper.” Adams notes, “That means that changes made by an administrator cannot be logged.” If one administrator does something malicious on an XKEYSCORE server using the “oper” user, it’s possible that the digital trail of what was done wouldn’t lead back to the administrator, since multiple operators use the account.

There appears to be another way an ill-intentioned systems administrator may be able to cover their tracks. Analysts wishing to query XKEYSCORE sign in via a web browser, and their searches are logged. This creates an audit trail, on which the system relies to assure that users aren’t doing overly broad searches that would pull up U.S. citizens’ web traffic. Systems administrators, however, are able to run MySQL queries. The documents indicate that administrators have the ability to directly query the MySQL databases, where the collected data is stored, apparently bypassing the audit trail.

Now, Lee is just pointing out a problem that exists technically, based on the documents describing the system.

But as we’ve seen, with the phone dragnet, at least, this is by design. The NSA simply doesn’t track tech functions as closely as it does analysts, which are more closely watched (but some, not all, of whose activities are still subject to randomness of audits), even though some techs have more direct access to raw data (by necessity). Indeed, what Snowden accomplished would have been impossible — or at least, would have been tracked more quickly than months — if this weren’t the case.

Whether or not you support NSA’s dragnet, this is a bureaucratic problem, one that rightly raises questions about the good faith of the system.

NSA said that after Snowden they instituted two person sign-off for some activities. They’d do well to release evidence they have actually done so.
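The audit gap described in the quoted passage can be checked for by reconciling the database's own query log against the front end's audit trail. The following is an added example, not code from the original post or from any system it describes; the log formats, the `qid` tag, and every name other than the shared `oper` account are constructed assumptions.

```python
import re
from typing import NamedTuple

# Accounts used by more than one person. "oper" is the shared login named in
# the quoted article; everything else in this example is constructed.
SHARED_ACCOUNTS = {"oper"}

# Hypothetical line formats (assumptions made for this example):
#   audit trail : <timestamp> analyst=<name> qid=<id>
#   DB query log: <timestamp> <db_user>@<host> qid=<id or -> <sql>
AUDIT_RE = re.compile(r"^(\S+) analyst=(\S+) qid=(\S+)$")
DB_RE = re.compile(r"^(\S+) ([^@\s]+)@(\S+) qid=(\S+) (.+)$")


class Finding(NamedTuple):
    timestamp: str
    db_user: str
    host: str
    reasons: tuple
    sql: str


def load_audited_ids(audit_lines):
    """Collect the query ids the front end recorded in its audit trail."""
    ids = set()
    for line in audit_lines:
        m = AUDIT_RE.match(line.strip())
        if m:
            ids.add(m.group(3))
    return ids


def find_audit_gaps(audit_lines, db_lines):
    """Return every database query that cannot be tied to a named person.

    A query is flagged when it has no matching audit record (it did not go
    through the audited front end) and/or when it ran under a shared account
    (the login does not identify one administrator).
    """
    audited = load_audited_ids(audit_lines)
    findings = []
    for line in db_lines:
        line = line.strip()
        m = DB_RE.match(line)
        if not m:
            # Surface lines we cannot parse instead of silently dropping them.
            findings.append(Finding("?", "?", "?", ("unparseable",), line))
            continue
        ts, user, host, qid, sql = m.groups()
        reasons = []
        if qid == "-" or qid not in audited:
            reasons.append("no_audit_record")
        if user in SHARED_ACCOUNTS:
            reasons.append("shared_account")
        if reasons:
            findings.append(Finding(ts, user, host, tuple(reasons), sql))
    return findings


# Constructed sample data: two audited analyst searches, one direct query by
# the shared account, and one front-end query whose audit record is missing.
AUDIT_LINES = [
    "2015-07-01T10:00:01Z analyst=alice qid=a1",
    "2015-07-01T10:05:12Z analyst=bob qid=a2",
]
DB_LINES = [
    "2015-07-01T10:00:02Z webapp@app01 qid=a1 SELECT * FROM sessions WHERE selector='x'",
    "2015-07-01T10:05:13Z webapp@app01 qid=a2 SELECT * FROM sessions WHERE selector='y'",
    "2015-07-01T11:30:00Z oper@admin07 qid=- SELECT * FROM sessions LIMIT 1000",
    "2015-07-01T11:42:00Z webapp@app01 qid=a9 SELECT count(*) FROM sessions",
]

if __name__ == "__main__":
    for f in find_audit_gaps(AUDIT_LINES, DB_LINES):
        print(f.timestamp, f"{f.db_user}@{f.host}", ",".join(f.reasons), "|", f.sql)
```

The reconciliation only works if the database log is written somewhere the administrators being checked cannot alter.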

CryptoWars, the Obfuscation

The US Courts released its semiannual Wiretap Report the other day, which reported that very few of the attempted wiretaps last year were encrypted, with even fewer thwarting law enforcement.

The number of state wiretaps in which encryption was encountered decreased from 41 in 2013 to 22 in 2014. In two of these wiretaps, officials were unable to decipher the plain text of the messages. Three federal wiretaps were reported as being encrypted in 2014, of which two could not be decrypted. Encryption was also reported for five federal wiretaps that were conducted during previous years, but reported to the AO for the first time in 2014. Officials were able to decipher the plain text of the communications in four of the five intercepts.

Motherboard has taken this data and concluded it means the Feds have been overstating their claim they’re “going dark.”

[N]ew numbers released by the US government seem to contradict this doomsday scenario.

[snip]

“They’re blowing it out of proportion,” Hanni Fakhoury, an attorney at the digital rights group Electronic Frontier Foundation (EFF), told Motherboard. “[Encryption] was only a problem in five cases of the more than 3,500 wiretaps they had up. Second, the presence of encryption was down by almost 50 percent from the previous year.

“So this is on a downward trend, not upward,” he wrote in an email.

Much as I’d like to, I’m not sure I agree with Motherboard’s (or Hanni Fakhoury’s) conclusion.

Here’s what the data show since 2012, which was the first year jurisdictions reported being unable to break encryption (2012; 2013):

[Table image: Screen Shot 2015-07-02 at 11.07.09 AM]

You’ll see lots of parenthetical entries and NRs. That’s because this data is not being reported systematically. Parenthetical references are to encrypted feeds not reported until years after they get set, and usually those have been decrypted by the time they’re reported. NRs show that we are not getting these numbers, if they exist, from federal law enforcement (and the numbers can’t be zero, as reported here, because FBI has been taking down targets like Silk Road). The reporting on this ought to raise real questions about the quality of the data being reported and perhaps might spark some interest in mandating better reporting of this data so it can be tracked. But it also suggests that — at a time when law enforcement are just beginning to find encryption they can’t break (immediately) — there’s a lot of noise in the data. Does 2013’s 2% of encrypted targets and half-percent that couldn’t be broken represent a big problem? It depends on who the target is — a point I’ll come back to.

Congress will soon have that opportunity (but won’t avail themselves of it).

Even as US Courts were reporting still very low levels of encryption challenges faced by law enforcement, both the Senate Judiciary Committee and the Senate Intelligence Committee announced hearings next Wednesday where Jim Comey will have yet another opportunity to try to present a compelling argument that he should have back doors into our communication. SJC even saw fit to invite witnesses with opposing viewpoints, which the “intelligence” committee saw no need to do.

In an apparent attempt to regain some credibility before these hearings (Jim Comey is nothing if not superb at working the media), Comey went to Ben Wittes to suggest his claimed concern with increasing use of encryption has to do with ISIS’ increasing use of encryption. Ben quotes from Comey’s earlier comments to CNN then riffs on that in light of what Comey just told him in a conversation.

“Our job is to find needles in a nationwide haystack, needles that are increasingly invisible to us because of end-to-end encryption,” Comey said. “This is the ‘going dark’ problem in high definition.”

Comey said ISIS is increasingly communicating with Americans via mobile apps that are difficult for the FBI to decrypt. He also explained that he had to balance the desire to intercept the communication with broader privacy concerns.

“It is a really, really hard problem, but the collision that’s going on between important privacy concerns and public safety is significant enough that we have to figure out a way to solve it,” Comey said.

Let’s unpack this.

As has been widely reported, the FBI has been busy recently dealing with ISIS threats. There have been a bunch of arrests, both because ISIS has gotten extremely good at inducing self-radicalization in disaffected souls worldwide using Twitter and because of the convergence of Ramadan and the run-up to the July 4 holiday.

As has also been widely reported, the FBI is concerned about the effect of end-to-end encryption on its ability to conduct counterterrorism operations and other law enforcement functions. The concern is two-fold: It’s about data at rest on devices, data that is now being encrypted in a fashion that can’t easily be cracked when those devices are lawfully seized. And it’s also about data in transit between devices, data encrypted such that when captured with a lawful court-ordered wiretap, the signal intercepted is undecipherable.

[snip]

What was not clear to me until today, however, was the extent to which the ISIS concerns and the “going dark” concerns have converged. In his Brookings speech, Comey did not focus on counterterrorism in the examples he gave of the going dark problem. In the remarks quoted by CNN, and in his conversation with me today, however, he made clear that the landscape is changing fast. Initial recruitment may take place on Twitter, but the promising ISIS candidate quickly gets moved onto messaging platforms that are encrypted end to end. As a practical matter, that means there are people in the United States whom authorities reasonably believe to be in contact with ISIS for whom surveillance is lawful and appropriate but for whom useful signals interception is not technically feasible.

Now, Ben incorrectly blurs the several roles of FBI here. FBI’s interception of ISIS communiques may be both intelligence and law enforcement. To the extent they’re the former — to the extent they’re conducted under FISA — they won’t show up in US Courts’ annual report.

But they probably should, if Comey is to have any credibility on this front.

Moreover, Ben simply states that “there are people in the United States whom authorities reasonably believe to be in contact with ISIS for whom surveillance is lawful and appropriate.” But there’s no evidence presented to support this. Indeed, most of the so-called ISIS prosecutions have shown 1) where probable cause existed, it largely existed in the clear, in Twitter conversations and other online postings and 2) there may not have been probable cause before FBI ginned it up.

It ought to raise real questions about whether Comey’s going dark problem is a law enforcement one — with FBI being unable to access evidence on real criminals — or is an intelligence one — with FBI being unable to access First Amendment protected speech that nevertheless may be important for an understanding of the threat ISIS poses domestically. Again, the data is not there, one way or another, but given the law enforcement data, we ought to demand real numbers for intelligence intercepts. Another pertinent question is whether this encrypted data is easily accessible to NSA (ISIS recruiters are almost entirely going to be legitimate NSA targets located overseas), but not to FBI?

And all this presumes that Comey is telling the truth about ISIS and not — as he and just about every member of the Intelligence Community has done routinely — used terror threats to be able to get authorities to wield against other kinds of threats, especially hackers (which is not to say hackers aren’t a target, just that the IC likes to pretend its authorities serve an exclusively CT purpose when they clearly do not). The law enforcement data, at least, show that even members of very sophisticated drug distribution networks are using encryption at a really low level. Is ISIS’ ability to coach potential recruits into using encrypted products on Twitter really that much better, or is Comey really talking about hackers who more obviously have the technical skills to encrypt their communications?

Thus far, Comey would have you believe that intelligence — counterterrorism — targets encrypt at a much higher rate than even drug targets. But the data also suggest even federal law enforcement (that is, Comey’s agency, among others) aren’t tracking this very effectively, and so can’t present reliable numbers.

Before we go any further in this cryptowar debate, we ought to be able to get real numbers on how serious the problem is.

FBI’s 26-Day Old OPM FLASH Notice

Shane Harris, who has been closely tracking the bureaucratic implications of the OPM hack, has an update describing a “FLASH” notice FBI just sent out to the private sector.

Or rather, FBI just re-sent the FLASH notice they sent on June 5, 26 days earlier, because they realized some recipients (including government contractors working on classified projects) did not have their filters set to accept such notices from the FBI.

The FBI is warning U.S. companies to be on the lookout for a malicious computer program that has been linked to the hack of the Office of Personnel Management. Security experts say the malware is known to be used by hackers in China, including those believed to be behind the OPM breach.

The FBI warning, which was sent to companies Wednesday, includes so-called hash values for the malware, called Sakula, that can be used to search a company’s systems to see if they’ve been affected.

The warning, known as an FBI Liaison Alert System, or FLASH, contains technical details of the malware and describes how it works. While the message doesn’t mention the OPM hack, the Sakula malware is used by Chinese hacker groups, according to security experts. And the FBI message is identical to one the bureau sent companies on June 5, a day after the Obama administration said the OPM had been hacked, exposing millions of government employees’ personal information. Among the recipients of both alerts are government contractors working on sensitive and classified projects.

[snip]

In an email obtained by The Daily Beast, the FBI said it was sending the alert again because of concerns that not all companies had received it the first time. Apparently, some of their email filters weren’t configured to let the FBI message through.

Consider the implications of this.

It is unsurprising that the initial FLASH got stuck in companies’ email filters if the hashes included with the notice were treated as suspicious code by the companies’ anti-malware screens. The message likely looked like malware because it is. (Of course, this story may now have alerted those trying to hack recipients of FBI’s FLASH notices that the FBI wasn’t previously whitelisted by recipients, but probably just got whitelisted, but that’s a matter for another day.)

The delayed FLASH receipt says far more about the current state of data-sharing, just as the Senate sets to debate the Cybersecurity Information Sharing Act, which (Senate boosters claim) companies ostensibly need before they’re willing to share data with the government.

First, it suggests that FBI either did not send out such a FLASH in response to what it learned from the Anthem hack, which presumably would have gone out at least by February (which, if even OPM had acted on the alert, might have identified its hack 2 months before it did get identified), or if it did it also got stuck in companies’ — and OPM’s — malware filter.

But it also seems to suggest that the private sector — including sensitive government contractors – haven’t been receiving other FBI FLASHes (presuming the filter settings have been set to exclude any such notice including something that looked like malware). They either never noticed they weren’t getting them or never bothered to set their filters to receive them.

That may reflect a larger issue, though. As Jennifer Granick has repeatedly noted, key researchers and corporations have not, up to now anyway, seen much value in sharing with the government.

I’ve been told by many entities, corporate and academic, that they don’t share with the government because the government doesn’t share back. Silicon Valley engineers have wondered aloud what value DHS has to offer in their efforts to secure their employer’s services. It’s not like DHS is setting a great security example for anyone to follow. OPM’s Inspector General warned the government about security problems that, left unaddressed, led to the OPM breach.

Perhaps recipients didn’t have their filters set to accept notices from FBI because none of them have ever been useful?

Another factor behind reluctance to share with the government is an unwillingness to get personnel security clearances, though that should not be a factor here.

The implication appears to be, though, that the government was unable — because of recipient behavior and predispositions — to share information on the most important hack of recent years.

We’re about to have a debate about immunizing corporations further, as if that’s the problem. But this delayed FLASH strongly suggests it is not.

Once Again Sammy Alito’s Speculative Chain of Possibilities Proves True

Back when SCOTUS Justice Sam Alito wrote the opinion booting the ACLU-argued challenge to Section 702, he said the plaintiffs’ worries — that the US government was collecting their international communications under Section 702 — were too speculative to give them standing to challenge the constitutionality of the statute.

In sum, respondents’ speculative chain of possibilities does not establish that injury based on potential future surveillance is certainly impending or is fairly traceable to §1881a.

The named plaintiff in that suit — the NGO wildly speculating that the US government was reading its international communication with human rights victims and others — was Amnesty International.

Today, UK’s Investigatory Powers Tribunal informed Amnesty International that unnamed UK government agencies have been intercepting their communications.

In a shocking revelation, the UK’s Investigatory Powers Tribunal (IPT) today notified Amnesty International that UK government agencies had spied on the organization by intercepting, accessing and storing its communications.

[snip]

“After 18 months of litigation and all the denials and subterfuge that entailed, we now have confirmation that we were in fact subjected to UK government mass surveillance. It’s outrageous that what has been often presented as being the domain of despotic rulers has been occurring on British soil, by the British government,” said Salil Shetty, Amnesty International’s Secretary General.

Admittedly, this doesn’t confirm that Amnesty has been swept up in 702 collection, but given the likelihood that one of the agencies, plural, that has intercepted Amnesty’s communications is GCHQ, and given the broad sharing between it and its Five Eyes partner NSA, it is almost certain NSA has those communications as well (if they didn’t actually collect some of them).

Amnesty is trying to gain clarity from the US on whether it, too, has spied on the NGO.

But, predictably, Amnesty had a better idea of what a threat the government posed for its work than Sammy Alito did.

 

In Reauthorizing the Dragnet, FISC Makes a Mockery of the Amicus Provision

Between a ruling by Dennis Saylor issued on June 17, while I was away, and a ruling by Michael Mosman issued and released today, the FISA Court has done the predictable: ruled both that the lapse of the PATRIOT Act on June 1 did not mean the law reverted to its pre-PATRIOT status (meaning that it permitted collection of records beyond hotel and rental car records), and ruled that the dragnet can continue for 6 more months.

In other words, the government is back in the business of conducting a domestic dragnet of phone records. Huzzah!

As I said, the FISC’s ultimate rulings — that it will treat USA F-ReDux as if it passed before the lapse (a fair but contestable opinion) and that it will permit the dragnet to resume for 6 months — are unsurprising. It’s how they get there, and how they deal with the passage of USA F-ReDux and the rebuke from the 2nd Circuit finding the dragnet unlawful, that I find interesting.

Reading both together, in my opinion, shows how increasingly illegitimate the FISC is making itself. It did so in two ways, which I’ll address in two posts. In this one, I’ll treat the FISC’s differing approaches to the amicus provision.

USA F-ReDux was a deeply flawed bill (and some of my predictions about its weaknesses are already being fulfilled). But it was also intended as a somewhat flaccid critique of the FISC, particularly with its weak requirement for an amicus and its stated intent, if not an effective implementation, to rein in bulk collection.

Congress at least claimed to be telling the FISC it had overstepped both its general role by authorizing programmatic collection orders and its specific interpretation of Section 215. One of its solutions was a demand that FISC stop winging it.

The Court’s response to that was rather surly.

A timeline may help to show why.

June 1: Section 215 lapses

June 2: USA F-ReDux passes and government applies to restart the dragnet

June 5: Ken Cuccinelli and FreedomWorks challenge the dragnet but not resumption of post-PATRIOT Section 215 (Section 109)

June 5: Michael Mosman orders government response by June 12, a supplemental brief from FreedomWorks on Section 109 by June 12, immediate release of government’s June 2 memorandum of law

June 12: Government submits its response and FreedomWorks submits its Section 109 briefing, followed by short response to government submission

June 17: In response to two non-bulk applications, Dennis Saylor rules he doesn’t need amicus briefing to decide Section 109 question then rules in favor of restoration of post-PATRIOT Section 215

June 29: Michael Mosman decides to waive the 7-day application rule, decides to treat FreedomWorks as the amicus in this case while denying all other requests for relief, and issues order restarting dragnet until November 29 (the longest dragnet order ever)

After having been told by Congress FISC needs to start consulting with an amicus on novel issues, two judges dealt with that instruction differently.

In part, what happened here (as has happened in the past, notably when Colleen Kollar-Kotelly was reviewing the first Protect America Act certifications while Reggie Walton was presiding over Yahoo’s challenge to their orders) is that one FISC judge, Saylor, was ruling whether two new orders (BR 15-77 and 15-78) could be approved given the lapse in Section 215 (which became a ruling on how to interpret Section 109) while another FISC judge, Mosman, was reviewing what to do with the FreedomWorks challenge. That meant both judges were reviewing what to do with Section 109 at the same time. On June 5, Mosman ordered up the briefing that would make FreedomWorks an amicus without telling them they were serving as such until today. FreedomWorks did offer up this possibility when they said they were “amenable to [designation as an amicus curiae] by this Court, as an alternative to proceeding under this Motion in Opposition,” but they also repeatedly requested an oral hearing, most recently a full 17 days ago.

The Court now turns to the Movants’ alternative request to participate as amici curiae. Congress, through the enactment of the USA FREEDOM Act, has expressed a clear preference for greater amicus curiae involvement in certain types of FISC proceedings.

[Mosman reviews the amicus language of the law]

The Court finds that the government’s application “presents a novel or significant interpretation of the law” within the meaning of section 103(i)(2)(A). Because, understandably, no one has yet been designated as eligible to be appointed as an amicus curiae under section 103(i)(2)(A), appointment under that provision is not appropriate. Instead, the Court has chosen to appoint the Movants as amici curiae under section 103(i)(2)(B) for the limited purpose of presenting their legal arguments as stated in the Motion in Opposition and subsequent submissions to date.7

7 [footnote talking about courts’ broad discretion on how they use amicus]

That is, on June 29, Mosman found this circumstance requires an amicus under the law, and relied on briefing ordered way back on June 5 and delivered on June 12, while denying any hearing in the interim.

Meanwhile, in a June 17 ruling addressing what I consider the more controversial of the two questions Mosman treated — whether the lapse reverted Section 215 to its pre-PATRIOT status — Saylor used this logic to decide he didn’t need to use an amicus.

[3 paragraphs laying out how 103(i)(2)(A) requires an amicus unless the court finds it is not appropriate, while section 103(i)(2)(B) permits the appointment of an amicus]

The question presented here is a legal question: in essence, whether the “business records” provision of FISA has reverted to the form it took before the adoption of the USA PATRIOT Act in October 2001. That question is solely a matter of statutory interpretation; it presents no issues of fact, or application of facts to law, and requires no particular knowledge or expertise in technological or scientific issues to resolve. The issue is thus whether an amicus curiae should be appointed to assist the court in resolving that specific legal issue.

The legal question here is undoubtedly “significant” within the meaning of Section 1803(i)(2)(A). If Section 501 no longer provides that the government can apply for or obtain orders requiring the production of a broad range of business records and other tangible things under the statute, that will have a substantial effect on the intelligence-gathering capabilities of the government. It is likely “novel,” as well, as the issue has not been addressed by any court (indeed, the USA FREEDOM Act, is only two weeks old). The appointment of an amicus curiae would therefore appear to be presumptively required, unless the court specifically finds that such an appointment is “not appropriate.”

Because the statute is new, the court is faced for the first time with the question of when it is “not appropriate” to appoint an amicus curiae. There is no obvious precedent on which to draw. Moreover, the court as a whole has not had an opportunity to consider or adopt any rules addressing the designation of amicus curiae.

The statute provides some limited guidance, in that it clearly contemplates that there will be circumstances where an amicus curiae is unnecessary (that is, “not appropriate”) even though an application presents a “novel or significant interpretation of the law.” At a minimum, it seems likely that those circumstances would include situations where the court concludes that it does not need the assistance or advice of amicus curiae because the legal question is relatively simple, or is capable of only a single reasonable or rational outcome. In other words, Congress must have intended the court need not appoint amicus curiae to point out obvious legal issues or obvious legal conclusions, even if the issue presented was “novel or significant.” Accordingly, the court believes that if the appropriate outcome is sufficiently clear, such that no reasonable jurist would reach a different decision, the appointment of an amicus curiae is not required under the statute.

This is such an instance. Although the statutory framework is somewhat tangled, the choice before the court is actually clear and stark: as described below, it can apply well established principles of statutory construction and interpret the USA FREEDOM Act in a manner that gives meaning to all its provisions, or it can ignore those principles and conclude that Congress passed an irrational statute with multiple superfluous parts.

That is, 5 days after FreedomWorks submitted briefing on the particular issue in question — Section 109 — Saylor decided he did not need an amicus even though this was obviously a novel issue. While FreedomWorks only addressed one of its responses to the question of the lapse, it did argue that, “Congress was fully aware of the problems associated with passing the expiration date and they chose to do nothing to fix those problems.”

And Saylor did not do what Mosman did, recognize that even though there wasn’t an amicus position set up, the court could easily find one, even if it asked the amicus to brief under 103(i)(2)(B). Indeed, by June 17, former SSCI Counsel Michael Davidson — literally the expert on FISA sunset provisions — had written a JustSecurity post describing the lapse as a “huge problem.” So by the time Saylor had suggested that “no reasonable jurist” could disagree with him, the author of the sunset provision in question had already disagreed with him. Why not invite Davidson to submit a brief?

It seems Mosman either disagrees with Saylor’s conclusion about the seriousness of Congress’ “preference for greater amicus curiae involvement” (though, having read Saylor’s opinion, he does say appointment under 103(i)(2)(A) “is not appropriate,” though without adopting his logic for that language in the least), or has been swayed by the criticism of people like Liza Goitein and Steve Vladeck responding to Saylor’s earlier opinion.

All that said, having found a way to incorporate an amicus — even one not knowingly acting as such during briefing — Mosman then goes on to completely ignore what the government and JudicialWatch said about the lapse — instead just declaring that “the government has the better end of the dispute” — and to justify that judgment, simply quoting from Saylor.

On June 1, 2015, the language of section 501 reverted to how it read on October 25, 2001. See page 2 supra. The government contends that the USA FREEDOM Act, enacted on June 2, 2015, restored the version of section 501 that had been in effect immediately before the June 1 reversion, subject to amendments made by that Act. Response at 4. Movants contend that the USA FREEDOM Act had no such effect. Supplemental Brief at 1-2. The Court concludes that the government has the better of this dispute.

Another judge of this Court recently held that the USA FREEDOM Act effectively restored the version of section 501 that had been in effect immediately before the June 1 sunset. See In re Application of the FBI for Orders Requiring the Production of Tangible Things, Docket Nos. BR 15-77, 15-78, Mem. Op. (June 17, 2015). In reaching that conclusion, the Court noted that, after June 1, Congress had the power to reinstate the lapsed language and could exercise that power “by enacting any form of words” making clear “its intention to do so.” Id. at 9 (internal quotation marks omitted). The Court found that Congress indicated such an intention through section 705(a) of the USA FREEDOM Act, which amended the pertinent sunset clause8 by striking the date “June 1, 2015,” and replacing it with “December 15, 2019.” Id. at 7-9. Applying fundamental canons of statutory interpretation, the Court determined that understanding section 705(a) to have reinstated the recently-lapsed language of section 501 of FISA was necessary to give effect to the language of the amended sunset clause, as well as to amendments to section 501 of FISA made by sections 101 through 107 of the USA FREEDOM Act, and to fit the affected provisions into a coherent and harmonious whole. Id. at 10-12. The Court adopts the same reasoning and reaches the same result in this case.

JudicialWatch’s argument was the mirror image of Saylor’s — that “Congress was fully aware of the problems associated with passing the expiration date and they chose to do nothing to fix those problems” — and yet Mosman doesn’t deal with it in the least. His colleague had ruled, and so the government must have the better side of the argument.

That’s basically the logic Mosman uses on the underlying question, which I hope to return to. Even in making a symbolic nod to the amicus, Mosman is still engaging in the legally suspect navel gazing that has become the signature of the FISC.

Mind you, I’m not surprised by all this. That was very clearly what was going to happen to the amicus, and one reason why I said it’d be likely a 9-year process until we had an advocate that would make the FISC a legitimate court.

But this little exhibition of navel gazing has only reinforced my belief that we should not wait that long. There is no reason to have a FISC anymore, not now that virtually every District court has the ability to conduct the kind of classified reviews that FISC judges do. And as we’re about to see (Jameel Jaffer promised he’s going to ask the 2nd Circuit for an injunction today), the competing jurisdictions that in this case let District Court judges dismiss Appellate judges as less preferable than the government are going to create legal confusion for the foreseeable future (though one the government and FISC are likely going to negate by using the new fast track review process I warned about).

The FISC is beyond saving. We should stop trying.

In Course Pitch, Scooter and Wolfie Admit Iraq War Failures, But Make No Mention of Iraqi Casualties

While I was gone, the NeoCon Hertog Foundation announced an “advanced institute” featuring Scooter Libby and Paul Wolfowitz describing the “unexpected events, rivalries, counter-moves, mistakes, and imperfect understandings” behind the Iraq War, which also appears to offer some second-guessing about how the Iraq War still made sense even in light of the catastrophe it wrought.

It seems Judy Miller is not the only Iraq Hawk trying to relitigate her Iraq failures (the timing may not be unrelated, as Roger Hertog has funded all three Iraq Hawks, among others).

I’m particularly interested in this paragraph, seemingly admitting the failures of Iraq while weighing it against what is portrayed as the failure of the first Gulf War.

Twice in the last quarter century America has gone to war with Iraq, and the two were in a state of low-level conflict during the interim. Both times America went to war with Congressional authorization, at the head of an international coalition, and in support of U.N. Resolutions. The 1990–1 Persian Gulf War ended quickly with minimal U.S. casualties, but left a brutal dictator in place and American interests at risk. The U.S. invasion of Iraq in 2003 quickly removed the regime that had repeatedly defied America and gave Iraqis a chance to devise their own future. However, the war soon devolved into a messy combination of insurgency and sectarian fighting that brought thousands of U.S. casualties, sapped American will and credibility, and worked to the benefit of America’s other regional nemesis, Iran. These events occurred not in isolation, but against the backdrop of broader international developments, particularly the ending of the Cold War, the attacks of 9/11/2001, and the on-going U.S. confrontation with radical Islam.

Iraq War 2.0 removed the defiant Saddam, who purportedly threatened American interests — Scooter and Wolfie judge — but it helped out “America’s other regional nemesis,” Iran.

At least the Iraq War architects are willing to admit their blunders made Iran stronger.

But the assessment of the impact on Iraq is the signature here: America generously gifted Iraqis with “a chance to devise their own future” — Scooter and Wolfie judge, making no mention of America’s past role in Saddam’s rise and success against Iraq — but it brought a “messy combination of insurgency and sectarian fighting … and thousands of U.S. casualties [that] sapped American will and credibility,” as if American will and credibility should have any role in the matter of giving Iraqis a chance to devise their own future, which was only granted, according to this description, because America’s formerly favored dictator threatened its interests.

Not only does the passage make no sense, but it obscures the other horrible thing about Scooter and Wolfie’s legacy: half a million Iraqi dead, or more.

Twelve years after these policy makers brought us to war on a pack of lies, their conception of failures doesn’t even account for the hundreds of thousands of purportedly liberated Iraqis they killed.

Floating Security

Greetings! I’m back, just in time to refill the liquor cabinet. Thanks to Rayne, Jim, bmaz, and Ed for their fascinating posts while I was gone (and if you haven’t read it, I especially recommend Ed’s series on paradigms in economics).

As I mentioned before I left, I just took a vacation with my mom, who turned 75 during our trip. Because seeing Russia and Scandinavia were on her bucket list but she has mobility limitations, we decided to go on a Baltic cruise for the trip (it was my first cruise). Which meant, among other things, we were sailing from Germany past Poland and Kaliningrad to Lithuania on the last days of a NATO war game involving the Baltics, and we were docked in St. Petersburg for 3 days.

While I don’t know whether it was related to the war games, on the night of June 17-18, the ship took what a long-time sailor told us the next day seemed like an evasive maneuver at 2 AM that woke everyone I spoke to up. The following day, at around 6 (almost no one was awake because it was our one sailing day), the crew noted a ship tracking us on our starboard side that seemed very unusual to them. It pulled up ahead of the cruise ship far enough I couldn’t get a good picture or binocular check (it had a mostly red flag) when I returned, but was there for about 6 hours. I suck ass at military ship identification but it might have been a frigate. In any case, the New Cold War™ has not yet heated up sufficiently to turn our cruise ship into the Lusitania, so you’re all stuck with me.

I was just as interested in the security procedures for the ship. There are obvious measures (as those of you who have taken cruises surely know): a card check as you get on and off the boat every time, with metal detectors every time you get back on the boat. What I found interesting, though, were the less obvious measures, something you’d need to have for something that would otherwise be such an easy target but for which you wouldn’t want passengers to realize it. For example, there were undercarriage checks (the kind that are meant to be obvious in places like Brazil) that were not obviously visible. There were deck guards (one of whom got sheepish when I got into a conversation about the sunset he was taking a picture of), which are probably intended to minimize teenage pregnancies as much as anything else, but which keep a low profile on outer decks late at night. You couldn’t see security cameras anywhere, but I’m sure they were omnipresent. I’m really interested in the security checks employees undergo, as there can be up to 1,000 tip-dependent employees from developing nations on board. In any case, I imagine the cruise ship tracks everyone’s movement on board through use of key cards.

I was also interested in how cruise ship security intersected with Russian security (Russia has a 3-day exception to its visa requirement for cruise ship passengers who use a tour guide in Russia and return to their ship every night, but it requires going through customs every time you leave the ship and there is fine print that got a few people in trouble). Every time you left the ship, you’d first be scanned off the ship, then interact with a surly Russian border guard (I tried to little avail to butter them up with my very rudimentary Russian). On return, you’d go through a Russian metal detector to get into the port facility — but the guards only made you put bags through their x-ray machine, not all metal, and they pretty much ignored when you set off the metal detector. In other words, while Russia made a show of preventing weapons or bombs from entering the cruise ship terminal, it was pretty ineffective (there was a toll entry to get to the port itself by car, bus, or truck, though, which may limit what kinds of people could even get to the port). Then, you’d be checked out of Russia by the same surly border guards. Next you’d be checked into the boat and put through another metal detector upon entering the ship (though there were a few weak points to this process that I won’t mention). Though admittedly, the ship security was probably also designed as much to find booze and food that passengers were taking onto the ship, both of which had ostensible security purposes, but also served the cruise’s business model of ensuring captive consumption of booze on board.

In any case, the cruise ship obviously didn’t trust Russia’s security measures, but the latter probably rely much more on their own intelligence and policing.

All of which is to say the cruise ship is an exercise in a mix between security theater (the not entirely perfect metal detector on board) and more obscure but presumably more effective measures. Given the volume of passengers that have to be processed in quick order, it would seem to be proof that such an approach is possible in other areas (including aviation), but we choose not to use it. Or maybe cruise ships are 1) better able to do a cost-benefit analysis and 2) subject to fewer US laws. I’m now interested in more about how cruise ships carry out their security, though expect much of it is secret.

One final observation. I found Lithuania (Klaipeda, right on the border with Kaliningrad) to be the most fascinating stop, in part because it has been a cruise destination for a shorter period of time than, say, Tallinn, and so has not been transformed as much. Mom and I took a ferry to the Curonian Spit, then took a taxi down the spit and then back to Klaipeda; our taxi drivers were a son and then his father in succession. That’s where my (as I noted, very rudimentary) Russian was most interesting. At the ferry, I was told clearly not to use it at all by a maybe 55-year old woman. The son, who had excellent Hollywood English, was more measured. His father, who reminded me that he had had to use Russian all through school and military service, was very happy to have a quasi conversation in Russian with me (we occasionally resorted to Polish and Czech, as better mutually comprehensible languages). I found the mixed feelings about Russian, in a place with a very audible Russian minority, to be fascinating. But then, Lithuania is ground zero for the New Cold War™ and I can understand how rising tensions exacerbate underlying divisions.

Anyway, that’s the sum of my impressions from being unable to entirely turn off the security side of my brain.

emptywheel Takes a Vacation!

This is just a quick post to note that I’ll be on vacation, with limited access to the Toobz, for the next two weeks. If something major hits, I may sneak back on and post, but I hope to instead spend quality time with my mom.

bmaz claims he’s going to pick up some slack and I know Ed has some quality stuff planned. Hopefully, Rayne will continue to track some of the interesting hacking developments. And Jim’s schedule may finally free up enough to resume posting next week.

In the meantime, here’s to my mom, who is having a big birthday on Thursday, is a remarkable woman, and put up with me for many years and surely made me a better person along the way (imagine how awful I’d be without her influence?!?!).

Amazon’s Transparency Report: “Certain Purchase History”

Last week, precisely 10 days after USA F-Redux — with its different formulas allowing for provider transparency — passed, Amazon released its first transparency report. In general, the report shows that Amazon either doesn’t retain — or successfully pushes back — against a lot of requests. For example, Amazon provided no or only partial information to a third of the 813 subpoenas it received last year.

Also of note, in a post accompanying the report, Stephen Schmidt claimed that “Amazon never participated in the NSA’s PRISM program,” which may not be all that surprising given that it has only received 25 non-national security search warrants.

As I’ve already suggested, I find the most interesting detail to be the timing: given that Amazon has gotten crap as the only major company not to release a transparency report before, I suspect either that Amazon had a new application 2 years ago when everyone started reporting, meaning it had to wait until the new collection had aged under the reporting guidelines, or something about the more granular reporting made the difference for Amazon. Amazon reported in the 0-250 range (including both NSLs and other FISA orders), so it may just have been waiting to be able to report that lower number.

That said, Amazon received 13 non-national security court orders (aside from the one take down order they treat separately, which I believe has to do with an ISIL site), only 4 of which they responded fully to. I think this category would be where Amazon would count pen registers. And I’d expect Amazon to get pen registers in connection with their hosting services. If any of the 0 to 250 National Security orders are pen registers, it could be fairly intrusive.

Finally, Amazon clarified (sort of) something of particular interest. Amazon makes clear that content stored in a customer’s site is content (self-evident, I know, but there are loopholes for stored content, which is a big part of why Amazon would be of interest, and was when Aaron Swartz was using them as a hosting service).

Non-content. “Non-content” information means subscriber information such as name, address, email address, billing information, date of account creation, and certain purchase history and service usage information.

Content. “Content” information means the content of data files stored in a customer’s account.

But Amazon doesn’t consider “certain purchase history information” to be content.

As the country’s biggest online store, that’s where Amazon might be of the most interest. Indeed, the legal filings pertaining to Usaamah Abdullah Rahim (the claimed ISIL follower whom Boston cops shot and killed on June 2) show they were tracking Rahim’s Amazon purchase of a knife very closely.

If you wanted to do a dragnet of purchase records, you’d include Amazon in there one way or another. And such a dragnet order might represent just one (or four) of the fewer than 250 orders Amazon got in a year.

It’s not surprising they’re treating (“certain”) purchase records as metadata. But it is worth noting.
