“Tor Stinks” … because It Requires Manual (Digital) Tails

“Tor stinks,” the Guardian reports one NSA document asserting, in a new story on NSA’s efforts to break that encryption system.

And while Bruce Schneier explains how the NSA uses similar techniques to those the Chinese government uses to spy on its users — something called Egotistical Giraffe — to break Tor, and the NSA has been able to crack other users’ communications via their poor hygiene outside of Tor (as with this week’s bust of Silk Road), the NSA has thus far been unable to systematically break the system.

At base, though, NSA believes that Tor stinks because,

We will never be able to de-anonymize all Tor users all the time.

With manual analysis we can de-anonymize a very small fraction of Tor users, however no success at de-anonymizing a user in response to a TOPI request/on demand.

Another complaint the NSA has is their methods for cracking Tor right now are “difficult to combine meaningfully with passive Sigint.” That is, they can’t just feed everything into a system and get potential targets to pop out.

To me, this boils down to a complaint that if the NSA wants to track users — the ones they can identify — they have to work as hard as cops used to in physically tracking suspects. That means (as NSA’s recent success busting 2 Tor users makes clear) they can track people. They just have to work at it.

We’ll hear a lot about how breaking Tor is a noble cause and NSA (and GCHQ) have to do it to keep us safe from the “very naughty people” who use Tor. But ultimately, it seems, one question is whether the NSA should get to break the law to make it as easy to track encrypted users as using GPS to track physical location has become.

NSA wants its targets to — effectively — come to it. It doesn’t want to have to identify targets and then crack their communications. But Tor, at least thus far, has made it as hard to do so as it used to be to physically track suspects.

“Everyday Americans” Are Increasingly Foreign Intelligence Now

Yesterday, the Guardian revealed that the NSA is storing online metadata (including browsing information) for up to a year.

The National Security Agency is storing the online metadata of millions of internet users for up to a year, regardless of whether or not they are persons of interest to the agency, top secret documents reveal.

[snip]

The guide goes on to explain Marina’s unique capability: “Of the more distinguishing features, Marina has the ability to look back on the last 365 days’ worth of [Digital Network Information] metadata seen by the Sigint collection system, regardless whether or not it was tasked for collection.” [Emphasis original.]

So in addition to our phone metadata, the government is keeping our browsing metadata in case it needs it.

Remember, over a fifth of the query violations recorded by the NSA in the first quarter of 2012 accessed this database.

As interesting as this disclosure is, I’m just as interested in the way NSA responded to Guardian’s request for a rationale for this practice and some sense of how much of it includes US person data.

The Guardian approached the NSA with four specific questions about the use of metadata, including a request for the rationale behind storing 365 days’ worth of untargeted data, and an estimate of the quantity of US citizens’ metadata stored in its repositories.

But the NSA did not address any of these questions in its response, providing instead a statement focusing on its foreign intelligence activities.

“NSA is a foreign intelligence agency,” the statement said. “NSA’s foreign intelligence activities are conducted pursuant to procedures approved by the US attorney general and the secretary of defense, and, where applicable, the foreign intelligence surveillance (Fisa) court, to protect the privacy interests of Americans.

“These interests must be addressed in the collection, retention, and dissemination of any information. Moreover, all queries of lawfully collected data must be conducted for a foreign intelligence purpose.”

It continued: “We know there is a false perception out there that NSA listens to the phone calls and reads the email of everyday Americans, aiming to unlawfully monitor or profile US citizens. It’s just not the case.

“NSA’s activities are directed against foreign intelligence targets in response to requirements from US leaders in order to protect the nation and its interests from threats such as terrorism and the proliferation of weapons of mass destruction.” [my emphasis]

This non-answer does three things.

  • As with Ron Wyden’s repeated requests for the number of Americans targeted through the back door loophole, the NSA refuses to quantify the scope of this collection
  • It names all the spying on US person data “foreign intelligence” as a means to legitimize it
  • It denies accessing the content of “everyday Americans” rather than denying it accesses the content of Americans, period

I’m beginning to realize why NSA keeps responding with that last bullet — we are not reading your content. More and more, it appears not to be a denial that they access US person content (once you get into Internet “metadata” you’re quickly getting into content in any case), but rather a denial that they access the US person content of “everyday Americans.” Which suggests they do access the content of certain Americans who, because their activities might fall under categories the NSA claims “US leaders” have deemed foreign intelligence, are no longer considered “everyday Americans.”

And once you get beyond the fearmongering excuse of terror terror terror, you realize this is not just Muslims and Arabs (not that that would make it right in any case).

We live in an increasingly globalized world in which “everyday Americans” have a wide range of entirely legitimate reasons to engage with people outside of this country. At the core of this dragnet, it appears, is the argument that such legitimate activities somehow exclude you from the designation of “everyday Americans.”

But it’s not going to disclose whether it considers you an “everyday American” exempt from all this domestic-as-foreign spying or not.

Update: Musical accompaniment suggested by billmon.

Did OLC Rule Americans Have Voluntarily Allowed NSA to Collect Their Communications Domestically?

Some weeks ago, I waded into a discussion between Charlie Savage and Ben Wittes to suggest that a still-secret OLC opinion Ron Wyden mentioned back in January might serve as the basis for collecting US person communications at the phone switches.

In his letter to John Brennan in January asking for a slew of things, Ron Wyden mentioned two opinions that may be the still-secret legal analysis mentioned by Savage.

Third, over two years ago, Senator Feingold and I wrote to the Attorney General regarding two classified opinions from the Justice Department’s Office of Legal Counsel, including an opinion that interprets common commercial service agreements. We asked the Attorney General to declassify both of these opinions, and to revoke the opinion pertaining to commercial service agreements. Last summer, I repeated the request, and noted that the opinion regarding commercial service agreements has direct relevance to ongoing congressional debates regarding cybersecurity legislation. The Justice Department still has not responded to these letters.

The opinions would have to pre-date January 14, 2011, because Feingold and Wyden requested the opinions before that date.

The reason I think the service agreements one may be relevant is because the opinions Ben cites focus on whether government users have given consent for EINSTEIN surveillance; in his article on it Bradbury focuses on whether the government could accomplish something similar with critical infrastructure networks.

I suspect this opinion — whatever question it addresses — makes the case that Americans have given NSA voluntary permission to collect US person communications from certain (I’m not sure which ones) switches.

Whatever it says, though, Ron Wyden just asked for the opinion again.

Over the last few years I have written multiple letters to Attorney General Holder regarding a particular opinion from the Justice Department’s Office of Legal Counsel that interprets common commercial service agreements. I have said that I believe that this opinion is inconsistent with the public’s understanding of the law, and that it needs to be both withdrawn and declassified. Despite multiple follow-ups from my staff I still have not received a response to any of these letters. Can you tell me when I can expect a response?

The biggest reason public understanding of the law would matter, after all, is if OLC were interpreting it to reflect voluntary consent for collection of data that the public didn’t realize they had given. And we know NSA wants to — if it is not already — scan communications for malicious code in the name of cybersecurity on critical infrastructure networks the same way it is doing on government networks.

Remember, this is one of 4 questions Wyden would have asked had DiFi allowed an elected Senator to ask questions rather than an NSA apologist to appear. Wyden had apparently alerted Keith Alexander to what those questions were.

Heck, this is even a question apologist Ben Wittes has expressed an interest in. For once it is his questions, in addition to members of Congress, that are not getting answered.

Say Hello To Our New Friends At Just Security

We do a lot of things here at Emptywheel including, occasionally, goofing off. But our primary focus has always been the intersection of security issues, law and politics. I think I can speak for Marcy and Jim, and I certainly do for myself, we would love it if that intersection were not so critical in today’s world. But, alas, it is absolutely critical and, for all the voices out there in the community, there are precious few that deep dive into the critical minutiae.

Today we welcome a new and important player in the field, the Just Security Blog. It has a truly all star and broad lineup of contributors (most all of whom are listed as “editors” of one fashion or another), including good friends such as Steve Vladeck, Daphne Eviatar, Hina Shamsi, Julian Sanchez, Sarah Knuckey and many other quality voices. It is an ambitious project, but one that, if the content already posted on their first day is any indication, will be quite well done. The home of Just Security is the New York University School of Law, so they will have ample resources and foundation from which to operate for the long run.

Ironically, it was little more than three years ago (September 1, 2010 actually) that the Lawfare Blog went live to much anticipation (well, at least from me). Whether you always agree with Ben Wittes, Bobby Chesney, Jack Goldsmith and their contributors or not, and I don’t always, they have done this field of interest a true service with their work product, and are a fantastic and constantly evolving resource. There is little question but that Just Security intends to occupy much of the same space, albeit in a complementary as opposed to confrontational manner. In fact, it was Ben Wittes who hosted the podcast with Steve Vladeck and Ryan Goodman that serves as the multi-media christening of Just Security.

Orin Kerr (who is also a must read at Volokh conspiracy), somewhat tongue in cheek, tweeted that the cage match war was on between Lawfare and Just Security. That was pretty funny actually, but Orin made a more serious point in his welcome post today, and a point that I think will greatly interest the readers of Emptywheel:

Whereas Lawfare tend to have a center or center-right ideological orientation, for the most part, Just Security’s editorial board suggests that it will have a progressive/liberal/civil libertarian voice.

From my understanding, and my knowledge of the people involved, I believe that to be very much the case. And that is a very good thing for us here, and the greater discussion on so much of our work.

So, say hello to our new friends at Just Security, bookmark them and give them a read. Follow them on Twitter. You will be better informed for having done so.

In Wake of Revelations about Corruption and Coercion, OCC Wails about Bank Cybersecurity

Over 3 months ago, the Guardian revealed that the President reserved the right to declare “inherent right of self defense” to access private networks deemed part of our critical infrastructure in the name of cybersecurity.

2 weeks ago, the Guardian, ProPublica, and NYT reported that, to make it easier to spy on others, the NSA had “deliberately weakened the international encryption standards adopted by developers.”

Also 2 weeks ago, FP reported that “many corporate participants” in an NSA initiative to protect US critical infrastructure “say Alexander’s primary motive” in that initiative “has not been to share what the NSA knows about hackers. It’s to get intelligence from the companies.”

And just this week, Spiegel provided details of how NSA conducts Man-in-the-Middle attacks — hacks — on financial giants like VISA and SWIFT.

Yet none of those revelations prevented Comptroller of the Currency Thomas Curry from giving a fairly breathtaking speech yesterday about financial cybersecurity.

In it, a member of the Executive Branch that has made everyone less secure by corrupting encryption said,

The growing sophistication and frequency of cyberattacks is a cause for concern, not only because of the potential for disruption, but also because of the potential for destruction of the systems and information that support our banks. These risks, if unchecked, could threaten the reputation of our financial institutions as well as public confidence in the system.

A member of a regime that is routinely hacking financial entities said,

The global nature of the Internet means they can conduct their activity from almost anywhere, including in countries with regimes that, at worst, sponsor attacks and, at a minimum, act as criminal havens by turning a blind eye toward criminal behavior.

And a member of the government that has hacked key third party providers like SWIFT and cooperated with third party telecoms to just steal data said,

Banks not only operate their own networks, they also rely on third parties to support their systems and business activities. Some of these third parties have connections to other institutions and servicers. Each new relationship and connection provides potential access points to all of the connected networks and introduces different weaknesses into the system.

I recognize the cybersecurity threat to banks is real. I’d like to be protected against criminals trying to steal my money online and I endorse OCC including IT security among things bank inspectors review. I grant that Curry may well be operating in good faith when he says all these things. But when he talks about partnerships like this, he simply loses credibility.

Clearly, much of the responsibility for assessing cyber threats is housed in other agencies, from the Department of Homeland Security to the FBI to the National Security Agency. They are on the front lines, and they are the ones that are doing the most within government to identify, evaluate, and respond to threats in this area. However, we – the OCC, the FFIEC, and the other regulatory agencies individually – are working closely with them to strengthen the coordination and overall effectiveness of government’s approach to cybersecurity of critical infrastructure.

[snip]

But this is not a problem that can be addressed by one agency alone or by any one institution acting on its own. It is a threat that we can deal with only if we work together in a collegial and collaborative way for the good of our country.

The banks’ regulator may believe he is in a position to lecture about collegiality in the face of threats. But since the government is one of the biggest of those threats, it doesn’t strike me as all that convincing.

NSA’s Corruption of Cryptography and Its Methods of Coercion

I want to return to last week’s Edward Snowden related scoop (Guardian, ProPublica/NYT) that the NSA has corrupted cryptography. Remember, there are several reasons the story was important:

  • NSA lost the battle for the Clipper Chip and turned instead to achieve the same goals via means with less legal sanction
  • NSA broke some companies’ encryption by “surreptitiously stealing their encryption keys or altering their software or hardware”
  • NSA also worked to “deliberately weaken[] the international encryption standards adopted by developers”

One key result of this — as Rayne and Julian Sanchez have emphasized — is to make everyone more exposed to hackers.

This is a bit like publishing faulty medical research just to prevent a particular foreign dictator from being cured. It makes everyone on the Internet more vulnerable, increasing the chances that dissidents will be uncovered by despotic regimes and that corporations will fall victim to cybercriminals.

[snip]

Bear this in mind the next time you see people on Capitol Hill wringing their hands about the threat of a possible “Digital Pearl Harbor”—especially if they think the solution is to give more data and authority to the NSA. Because the agency is apparently perfectly happy to hand weapons to criminals and hostile governments, as long as it gets to keep spying too.

And since then, the NSA has responded to rampant cyberattacks and threats of them against targets it cares about by demanding yet more access to those targets’ data, as explained by Shane Harris in a Keith Alexander profile.

Under the Defense Industrial Base initiative, also known as the DIB, the NSA provides the companies with intelligence about the cyberthreats it’s tracking. In return, the companies report back about what they see on their networks and share intelligence with each other.

Pentagon officials say the program has helped stop some cyber-espionage. But many corporate participants say Alexander’s primary motive has not been to share what the NSA knows about hackers. It’s to get intelligence from the companies — to make them the NSA’s digital scouts. What is billed as an information-sharing arrangement has sometimes seemed more like a one-way street, leading straight to the NSA’s headquarters at Fort Meade.

“We wanted companies to be able to share information with each other,” says the former administration official, “to create a picture about the threats against them. The NSA wanted the picture.”

After the DIB was up and running, Alexander proposed going further. “He wanted to create a wall around other sensitive institutions in America, to include financial institutions, and to install equipment to monitor their networks,” says the former administration official. “He wanted this to be running in every Wall Street bank.”

That aspect of the plan has never been fully implemented, largely due to legal concerns. If a company allowed the government to install monitoring equipment on its systems, a court could decide that the company was acting as an agent of the government. And if surveillance were conducted without a warrant or legitimate connection to an investigation, the company could be accused of violating the Fourth Amendment. Warrantless surveillance can be unconstitutional regardless of whether the NSA or Google or Goldman Sachs is doing it.

“That’s a subtle point, and that subtlety was often lost on NSA,” says the former administration official. “Alexander has ignored that Fourth Amendment concern.”

With all that as background, I want to return to a post I did months ago, laying out the methods the Presidential Policy Directive on Cyberwar envisioned for getting cooperation from private companies. It defines four kinds of access to private computer networks:

  • Network defense, which is what network owners do or USG (or contractors) do at their behest to protect key networks. I assume this is like anti-virus software on steroids.
  • Cyber collection that, regardless of where it occurs, is done in secret. This is basically intelligence gathering about networks.
  • Nonintrusive Defensive Countermeasures, which is more active defensive attacks, but ones that can be or are done with the permission of the network owners. This appears to be the subset of Defensive Cybereffects Operations that, because they don’t require non-consensual network access, present fewer concerns about blowback and legality.
  • Defensive Cybereffects Operations, which are the entire category of more active defensive attacks, though the use of the acronym DCEO appears to be limited to those defensive attacks that require non-consensual access to networks and therefore might cause problems. The implication is they’re generally targeted outside of the US, but if there is an imminent threat (that phrase again!) they can be targeted in the US.

In the area of cyberdefense or offense (remember, this is an overlapping part of NSA’s mission with cryptography) the government envisions collecting information (because cryptography overlaps with this mission, this might be included in that secret data collection) without a network owner’s consent, conducting defensive measures with a network owner’s consent, or conducting defensive measures without a network owner’s consent (the latter is only supposed to happen in the US with the President’s authorization).

Stupid Smartphones and Their Lying Lies

[Apple iPhone 5s via TheVerge.com]

[Apple iPhone 5c via TheVerge.com]

My Twitter timelines across multiple accounts are buzzing with Apple iPhone 5s announcement news. Pardon me if I can’t get excited about the marvel that is iPhone’s new fingerprint-based biometric security.

Let’s reset all the hype:

There is no smartphone security available on the market we can trust absolutely to keep out the National Security Agency. No password or biometric security can assure the encryption contained in today’s smartphones as long as they are built on current National Institute of Standards and Technology (NIST) standards and/or the Trusted Computing Platform. The NSA has compromised these standards and TCP in several ways, weakening their effectiveness and ultimately allowing a backdoor through them for NSA use, bypassing any superficial security system.

There is nothing keeping the NSA from sharing whatever information they are gleaning from smartphones with other government agencies. Citizens may believe that information gleaned by the NSA ostensibly for counterterrorism may not be legally shared with other government agencies, but legality/illegality of such sharing does not mean it hasn’t and isn’t done. (Remember fusion centers, where government agencies were supposed to be able to share antiterrorism information? Perhaps these are merely window dressing on much broader sharing.)

There is no exception across the best known mobile operating systems to the vulnerability of smartphones to NSA’s domestic spying. Although Der Spiegel’s recent article specifically calls out iOS, Android, and Blackberry smartphones, Windows mobile OS is just as exposed. Think about it: if your desktop, laptop, and your netbook are all running the same Windows OS versions needing patches every month to fix vulnerabilities, the smartphone is equally wide open as these devices all use the same underlying code, and hardware built to the same NIST standards. Additionally, all Windows OS will contain the same Microsoft CryptoAPI believed to be weakened by the NSA.

If any of the smartphone manufacturers selling into the U.S. market say they are secure against NSA domestic spying, ask them to prove it. Go ahead and demand it — though it’s sure to be an exercise in futility. These firms will likely offer some non-denial denials and sputtering in place of a firm, “Yes, here’s proof” with a validated demonstration.

Oh, and the Touch ID fingerprint biometrics Apple announced today? You might think it protects not against the NSA but the crook on the street. But until Apple demonstrates they pass a gummy bear hackability test, don’t believe them.

And watch for smartphone thieves carrying tin snips.

NSA and Compromised Encryption: The Sword Cuts Both Ways

[Snapshot, Ralph Langner presentation re: Stuxnet, outlining payload extraction (c. 2012 via YouTube)]

A friendly handshake is offered;
Names are swapped after entry;
The entrant delivers a present;
The present is unboxed with a secret key…

And * BOOM *

Payload delivered.

This is cyber weapon Stuxnet’s operations sequence. At two points in the sequence its identity is masked — at the initial step, when identity is faked by a certificate, and at the third step, when the contents are revealed as something other than expected.

The toxic payload is encrypted and cannot be read until after the handshake and the name swap; it is decrypted only when already deep inside the computer.

In the wake of the co-reported story on the National Security Agency’s efforts to crack computer and network encryption systems, the NSA claims they are only doing what they must to protect the country from terrorists, criminals, and cyber attacks generated by individuals, groups, and nation-state actors.

Defense, though, is but one side of the NSA’s sword; it has two lethal edges.

While use of encryption tools may prevent unauthorized access to communications, or allow malicious code to be blocked, the same tools can be used to obstruct legitimate users or shut down entire communications systems.

Encryption APIs (ex: Microsoft CryptoAPI embedded in Windows operating systems) are often used by higher level applications — for example, a random number generator within the API used to create unique keys for access can also be used to create random names or select random event outcomes like a roll of the dice.

In Stuxnet alone we have evidence of encryption-decryption used as cyber warfare, the application planned/written/supported in some way by our own government. This use was Pandora’s Box opened without real forethought to the long-term repercussions, including unintended consequences.

We know with certainty that the repercussions weren’t fully considered, given the idiocy with which members of Congress have bewailed leaks about Stuxnet, in spite of the fact the weapon uncloaked itself and pointed fingers in doing so.

One of the unconsidered/ignored/unintended consequences of using weaponry requiring encryption-decryption is that the blade can cut in the other direction.

Imagine someone within the intelligence community “detonating” a cyber weapon built in the very same fashion as Stuxnet.

A knock at the door with a handshake;
Door open, package shoved in, treated as expected goods;
Encrypted content decrypted.

And then every single desktop computer, laptop, netbook, tablet, and smartphone relying on the same standardized, industry-wide encryption tools “detonates,” obstructing all useful information activities from personal and business work to telecommunications.

3 Tech Issues the Non-Technologist NSA Technical Committee Needs to Address

A number of people are asking why I’m so shocked that President Obama appointed no technologists for his NSA Review Committee.

Here are three issues that should be central to the Committee’s discussions that are, in significant part, technology questions. There are more. But for each of these questions, the discussion should not be whether the Intelligence Community thinks the current solution is the best or only one, but whether it is an appropriate choice given privacy implications and other concerns.

  • Whether the Intelligence Community can accomplish the goals of the Section 215 dragnet without collecting all US person metadata
  • Whether the NSA can avoid collecting Multiple Communication Transactions as part of upstream collection
  • How to oversee unaudited actions of technical personnel

These are just three really obvious issues that should be reviewed by the committee. And for all of them, it would be really useful for someone with the technical background to challenge NSA’s claims to be on the committee.

Whether the Intelligence Community can accomplish the goals of the Section 215 dragnet without collecting all US person metadata

One of the most contentious NSA practices — at least as far as most Americans go — is the collection of all US person phone metadata for the Section 215 dragnet. Yet even Keith Alexander has admitted — here in an exchange with Adam Schiff in a House Intelligence Committee hearing on June 18 — that it would be feasible to do it via other means, though perhaps not as easy.

REP. SCHIFF: General Alexander, I want to ask you — I raised this in closed session, but I’d like to raise it publicly as well — what are the prospects for changing the program such that, rather than the government acquiring the vast amounts of metadata, the telecommunications companies retain the metadata, and then only on those 300 or so occasions where it needs to be queried, you’re querying the telecommunications providers for whether they have those business records related to a reasonable, articulable suspicion of a foreign terrorist connection?

The No-Technologist Technology Review Panel

In addition to the four people ABC earlier reported would be part of Obama’s Committee to Learn to Trust the Dragnet, Obama added … another law professor, Geoffrey Stone. (Stone is [see update], along with Swire, a worthwhile member. But not a technologist.)

What’s fucking crazy about the committee is it has zero technologists to review a topic that is highly technical. Obama implicitly admits as much! He sells this committee for their “immense experience in national security, intelligence, oversight, privacy and civil liberties.” National security, intelligence, oversight, privacy, civil liberties. No technology.

On August 9, President Obama called for a high-level group of experts to review our intelligence and communications technologies. Today the President met with the members of this group: Richard Clarke, Michael Morell, Geoffrey Stone, Cass Sunstein and Peter Swire.

These individuals bring to the task immense experience in national security, intelligence, oversight, privacy and civil liberties. The Review Group will bring a range of experience and perspectives to bear to advise the President on how, in light of advancements in technology, the United States can employ its technical collection capabilities in a way that optimally protects our national security and advances our foreign policy while respecting our commitment to privacy and civil liberties, recognizing our need to maintain the public trust, and reducing the risk of unauthorized disclosure.

The President thanked the Members of the Group for taking on this important task and looks forward to hearing from them as their work proceeds. Within 60 days of beginning their work, the Review Group will brief their interim findings to the President through the Director of National Intelligence, and the Review Group will provide a final report and recommendations to the President. [my emphasis]

So in spite of the fact that the White House highlights technology in its mandate, that didn’t lead them to find even a single technologist.

Also: Cass Sunstein.

Also: the Committee does, in fact, report its findings through James Clapper, the guy whose programs they will review, the guy who lied to Congress.

At least the White House isn’t promising — as Obama originally did — that it will be an “outside” “independent” committee.

Update: Egads. I take back what I said about Stone, who said this in June.

[W]hat should Edward Snowden have done? Probably, he should have presented his concerns to senior, responsible members of Congress. But the one thing he most certainly should not have done is to decide on the basis of his own ill-informed, arrogant and amateurish judgment that he knows better than everyone else in government how best to serve the national interest. The rule of law matters, and no one gave Edward Snowden the authority to make that decision for the nation. His conduct was more than unacceptable; it was criminal.