WannaCry Attribution: Missing the Sarcasm Tag

Parts of the security community have decided that Lazarus, a hacking group associated with North Korea, is behind WannaCry, including the global ransomware attack from a few weeks back. That’s based on significant reuse of code from earlier Lazarus activities.

But to explain certain aspects of the attack — notably, why Lazarus would become incompetent at ransomware after having been perfectly competent at it in the past — proponents of this theory are adopting some curious theories. For example, this — in Symantec’s report on the code reuse — doesn’t make any sense at all.

The small number of Bitcoin wallets used by first version of WannaCry, and its limited spread, indicates that this was not a tool that was shared across cyber crime groups. This provides further evidence that both versions of WannaCry were operated by a single group.

It’s effectively the equivalent of saying, “using just three bitcoin wallets doesn’t make sense [it doesn’t, if your goal is actual ransomware], so we’ll just claim that’s further proof that there must be few people involved.” In interviews, Symantec’s technical director has explained away other inconsistencies in this story about hackers working for a brutal dictator with a penchant for executing those who cross him by suggesting they were moonlighting when they blew up Lazarus’ ransomware by misdeploying it with Eternal Blue.

At the same time, flaws in the WannaCry code, its wide spread, and its demands for payment in the electronic bitcoin before files are decrypted suggest that the hackers were not working for North Korean government objectives in this case, said Vikram Thakur, Symantec’s security response technical director.

“Our confidence is very high that this is the work of people associated with the Lazarus Group, because they had to have source code access,” Thakur said in an interview.

But he added: “We don’t think that this is an operation run by a nation-state.”

With WannaCry, Thakur said, Lazarus Group members could have been moonlighting to make extra money, or they could have left government service, or they could have been contractors without direct obligations to serve only the government.

Krypt3ia has a post making fun of the nonsense theories out there.

  • LAZARUS code snippets found in WANNACRY samples
  • LAZARUS has been active in stealing large sums of money from banks, as this attack was about ransom and money… well… UNDERPANTS GNOMES AND PROFIT!
  • LAZARUS aka Un, would likely love to sow terror by unleashing the digital hounds with malware attacks like this to prove a point, that they are out there and to be afraid.
  • LAZARUS aka Un, might have done this not only to sow fear but also to say to President CRAZYPANTS (Official USSS code name btw) “FEAR US AND OUR CYBER PROWESS”
  • LAZARUS aka Un, is poor and needs funds so ransoming hospitals and in the end gathering about $100k is so gonna fill the coffers!
  • LAZARUS aka UNIT 108 players are “Freelancing” and using TTP’s from work to make MO’ MONEY MO’ MONEY MO’ MONEY (No! Someone actually really floated that idea!)
  • LAZARUS is a top flight spooky as shit hacking group that needed to STEAL code from RiskSense (lookit that IPC$ from the pcap yo) to make their shit work.. Huh?

Note the last bullet is a reference to another post he did, where he showed another piece of code in WannaCry was taken from folks working to reverse engineer Eternal Blue for Metasploit. That piece of borrowed code doesn’t permit you to blame the Evil Hermit Kingdom, though, so no one is talking about it.

Perhaps the oddest piece of evidence presented in support of the claim that North Korea did WannaCry comes from CNBC.

Analysts have been weighing in with various theories on the identity of those behind WannaCry, and some early evidence had pointed to North Korea. The Shadow Brokers endorsed that theory, perhaps to take heat off their own government backers for the disaster.

CNBC must be referring to this passage from Shadow Brokers’ latest screed.

In May, No dumps, theshadowbrokers is eating popcorn and watching “Your Fired” and WannaCry. Is being very strange behavior for crimeware? Killswitch? Crimeware is caring about target country? The oracle is telling theshadowbrokers North Korea is being responsible for the global cyber attack Wanna Cry. Nukes and cyber attacks, America has to go to war, no other choices! (Sarcasm) No new ZeroDays.

As part of a narrative of how reasonable it was to release all these files after they’ve been patched (all the while threatening far more damaging leaks), Shadow Brokers comments on WannaCry. Importantly, it lays out one detail — the kill switches — that doesn’t make sense if the goal was true ransomware, as well as another detail — “caring about target country”? — that I don’t understand. (Russia was hit badly in the attack, the US very lightly, and there were reports that Arabic speaking countries weren’t hard hit, which I find interesting since Arabic is the one Microsoft-supported language for which a ransom note was not included.)

But the part that CNBC has read to mean Shadow Brokers endorsed this theory instead does nothing of the sort; if anything, it does the opposite. I read it as a comment about how quickly we go from dodgy attribution to calling for war. And it comes with a sarcasm tag!

Moreover, why would you take Shadow Brokers’ endorsement for anything? Either they did WannaCry (which actually seems to be what CNBC suggests; Krypt3ia makes fun of that possibility, too), in which case any endorsement might be disinformation, or they didn’t do it, and they’d have no more clue who did than the rest of us.

The entire exercise in attribution with WannaCry is particularly odd given the assumption that it is what it looks like, traditional ransomware, in spite of all the evidence to suggest it is not. And so we’ll just ignore obvious tags, like a “sarcasm” tag, because accounting for such details gets very confusing.

Marcy has been blogging full time since 2007. She’s known for her live-blogging of the Scooter Libby trial, her discovery of the number of times Khalid Sheikh Mohammed was waterboarded, and generally for her weedy analysis of document dumps.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including the Guardian, Salon, and the Progressive, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse and dog in Grand Rapids, MI.

I Con the Record Transparency Bingo (4): How 151 Million Call Events Can Look Reasonable But Is Besides the Point

Other entries in I Con the Record Transparency Bingo:

(1) Only One Positive Hit on a Criminal Search

(2): The Inexplicable Drop in PRTT Numbers

(3): CIA Continues to Hide Its US Person Network Analysis

If your understanding of the phone dragnet replacing the old USA Freedom dragnet came from the public claims of USA Freedom Act boosters or from this NYT article on the I Con the Record report, you might believe 42 terrorist suspects and their 3,150 friends made 48,000 phone calls last year, which would work out to 130 calls a day … or maybe 24,000 perfectly duplicative calls, which works out to about 65 calls a day.

That’s the math suggested by these two entries in the I Con the Record Transparency Report — showing that the 42 targets of the new phone dragnet generated over 151 million “call detail records.” But as I’ll show, the impact of the 151 million [corrected] records collected last year is in some ways far lower than collecting 65 calls a day, which is a good thing! But it supports a claim that USAF has an entirely different function than boosters understood.


Here’s the math for assuming these are just phone calls. There were 42 targets approved for use in the new phone dragnet for some part of last year. Given the data showing just 40 orders, they might only be approved for six months of the year (each order lasts for 180 days), but we’ll just assume the NSA gets multiple targets approved with each order and that all 42 targets were tasked for the entirety of last year (for example, you could have just two orders getting 42 targets approved to cover all these people for a year).

In its report on the phone dragnet, PCLOB estimated that each target might have 75 total contacts. So a first round would collect on 42 targets, but with a second round you would be collecting on 3,192 people. That would mean each of those 3,192 people would be responsible for roughly 48,000 calls a year, every single one of which might represent a new totally innocent American sucked into NSA’s maw for the short term [update: that would be up to a total of 239,400 2nd-degree interlocutors]. The I Con the Record report says that, “the metric provided is over‐inclusive because the government counts each record separately even if the government receives the same record multiple times (whether from one provider or multiple providers).” If these were phone calls between just two people, then if our terrorist buddies only spoke to each other, each would be responsible for 24,000 calls a year, or 65 a day, which is certainly doable, but would mean our terrorist suspects and their friends all spent a lot of time calling each other.

The number becomes less surprising when you remember that even with traditional telephony call records can capture calls and texts. All of a sudden 65 becomes a lot more doable, and a lot more likely to have lots of perfectly duplicative records as terrorists and their buddies spend afternoons texting back and forth with each other.

Still, it may mean that 65 totally innocent people a day get sucked up by NSA.

All that said, there’s no reason to believe we’re dealing just with texts and calls.

As the report reminds us, we’re actually talking about session identifying information, which in the report I Con the Record pretends are “commonly referred to” as “call events.”

Call Detail Records (CDR) – commonly referred to as “call event metadata” – may be obtained from telecommunications providers pursuant to 50 U.S.C. §1861(b)(2)(C). A CDR is defined as session identifying information (including an originating or terminating telephone number, an International Mobile Subscriber Identity (IMSI) number, or an International Mobile Station Equipment Identity (IMEI) number), a telephone calling card number, or the time or duration of a call. See 50 U.S.C. §1861(k)(3)(A). CDRs do not include the content of any communication, the name, address, or financial information of a subscriber or customer, or cell site location or global positioning system information. See 50 U.S.C. §1861(k)(3)(B). CDRs are stored and queried by the service providers. See 50 U.S.C. §1861(c)(2).

Significantly, this parenthesis — “(including an originating or terminating telephone number, an International Mobile Subscriber Identity (IMSI) number, or an International Mobile Station Equipment Identity (IMEI) number)” — suggests that so long as something returns a phone number, a SIM card number, or a handset number, that can be a “call event.” That is, a terrorist using his cell phone to access a site, generating a cookie, would have the requisite identifiers for his phone as well as a time associated with it. And I Con the Record’s transparency report says it is collecting these “call event” records from “telecommunications” firms, not phone companies, meaning a lot more kinds of things might be included — certainly iMessage and WhatsApp, possibly Signal. Indeed, that’s necessarily true given repeated efforts in Congress to get a list of all electronic communications service provider companies that don’t keep their “call records” 18 months and to track any changes in retention policies. It’s also necessarily true given Marco Rubio’s claim that we’re sending requests out to a “large and significant number of companies” under the new phone dragnet.

The fine print provides further elements that suggest both that the 151 million events collected last year are not that high. First, it suggests a significant number of CDRs fail validation at some point in the process.

This metric represents the number of records received from the provider(s) and stored in NSA repositories (records that fail at any of a variety of validation steps are not included in this number).

At one level, this means NSA’s collection actually produced well more than 151 million events. But it also means they may be getting junk. One thing that in the past might have represented a failed validation is if the target no longer uses the selector, though the apparent failure at multiple levels suggests there may be far more interesting reasons for failed validation, some probably technically more interesting.

In addition, the fine print notes that the 151 million call events include both historical events collected with the first order as well as the prospective events collected each day.

CDRs covered by § 501(b)(2)(C) include call detail records created before, on, or after the date of the application relating to an authorized investigation.

So these events weren’t all generated last year — if they’re from AT&T they could have been generated decades ago. Remember that Verizon and T-Mobile agreed to a handshake agreement to keep their call records two years as part of USAF, so for major providers providing just traditional telephony, a request will include at least two years of data, plus the prospective collection. That means our 3,192 targets and friends might only have had 48 calls or texts a day, without any duplication.

Finally, there’s one more thing that suggests this huge number isn’t that huge, but that also it may be a totally irrelevant measure of the privacy impact. In NSA’s document on implementing the program from last year, it described first querying the NSA Enterprise Architecture to find query results, and then sending out selectors for more data.

Once the one-hop results are retrieved from the NSA’s internal holdings, the list of FISC-approved specific selection terms, along with NSA’s internal one-hop results, are submitted to the provider(s).

In other words — and this is a point that was clear about the old phone dragnet but which most people simply refused to understand — this program is not only designed to interact seamlessly with EO 12333 collected data (NSA’s report says so explicitly, as did the USAF report), but many of the selectors involved are already in NSA’s maw.

Under the old phone dragnet, a great proportion of the phone records in question came from EO 12333. NSA preferred then — and I’m sure still prefers now — to rely on queries run on EO 12333 because they came with fewer limits on dissemination.

Which means we need to understand the 65 additional texts — or anything else available only in the US from a large number of electronic communications service providers that might be deemed a session identifier — a day from 42 terrorists and their 3150 buddies on top of the vast store of EO 12333 records that form the primary basis here.

Because (particularly as the rest of the report shows continually expanding metadata analysis and collection) this is literally just the tip of an enormous iceberg, 151 million edge cases to a vast sea of data.

Update: Charlie Savage, who has a really thin skin, wrote me an email trying to dispute this post. In the past, his emails have almost universally devolved into him being really defensive while insisting over and over that stuff I’ve written doesn’t count as reporting (he likes to do this, especially, with stuff he claims a scoop for three years after I’ve written about it). So I told him I would only engage publicly, which he does here.

Fundamentally, Charlie disputes whether Section 215 is getting anything that’s not traditional telephony (he says my texts point is “likely right,” apparently unaware that a document he obtained in FOIA shows an issue that almost certainly shows they were getting texts years ago). Fair enough: the law is written to define CDRs as session identifiers, not telephony calls; we’ll see whether the government is obtaining things that are session identifiers. The I Con the Record report is obviously misleading on other points, but Charlie relies on language from it rather than the actual law. Charlie ignores the larger point, that any discussion of this needs to engage with how Section 215 requests interact with EO 12333, which was always a problem with the reporting on the topic and remains a problem now.

So, perhaps I’m wrong that it is “necessarily” the case that they’re getting non-telephony calls. The law is written such that they can do so (though the bill report limits it to “phone companies,” which would make WhatsApp but not iMessage a stretch).

What’s remarkable about Charlie’s piece, though, is that he utterly and completely misreads this post, “About half” of which, he says, “is devoted to showing how the math to generate 151 million call events within a year is implausible.”

The title of this post says, “151 Million Call Events Can Look Reasonable.” I then say, “But as I’ll show, the impact of the 131 [sic, now corrected] million records collected last year is in some ways far lower than collecting 65 calls a day, which is a good thing!” I then say, “The number becomes less surprising when you remember that even with traditional telephony call records can capture calls and texts. All of a sudden 65 becomes a lot more doable, and a lot more likely to have lots of perfectly duplicative records as terrorists and their buddies spend afternoons texting back and forth with each other.” I go on to say, “The fine print provides further elements that suggest both that the 151 million events collected last year are not that high.” I then go on to say, “So these events weren’t all generated last year — if they’re from AT&T they could have been generated decades ago.”

That is, in the title, and at least four times after that, I point out that 151 million is not that high. Yet he claims that my post aims to show that the math is implausible, not totally plausible. (He also seems to think I’ve not accounted for the duplicative nature of this, which is curious, since I quote that and incorporate it into my math.)

In his email, I noted that this post replied not just to him, but to others who were alarmed by the number. I said specifically with regard to the number, “yes, you were among the people I subtweeted there. But not the only one and some people did take this as just live calls. It’s not all about you, Charlie.”

Yet having been told that that part of the post was not a response to him, Charlie nevertheless persisted in completely misunderstanding the post.

I guess he still believed it was all about him.

Maybe Charlie should spend his time reading the documents he gets in FOIA more attentively rather than writing thin-skinned emails assuming everything is about him?

Update: Once I pointed out that Charlie totally misread this post he told me to go back on my meds.

Since he’s being such a douche, I’ll give you two more pieces of background. First, after I said that I knew CIA wasn’t tracking metadata (because it’s all over public records), Charlie suggested he knew better.

Here’s me twice pointing out that the number of call events was not (just) calls (as he had claimed in his story), a point he mostly concedes in his response.

Here’s the lead of his story:


Grassley Continues to Ask Worthwhile Questions about the Steele Dossier

In this post, I noted several details made clear by Christopher Steele’s defense in a lawsuit pertaining to the dossier he did for opponents to Donald Trump:

  • Steele also shared his dossier with an active British intelligence official, which is a second channel via which the US intelligence community may have obtained the dossier in spite of their hilariously unconvincing denials
  • Steele’s claims he wasn’t sharing actual copies of the dossier with the press, at least, don’t accord with other public claims
  • Steele said absolutely nothing about how he shared the dossier with the FBI (which may have been an alternative channel via which it leaked)
  • Steele obtained the most inflammatory claims in the dossier at a time when he claims neither to have been paid nor to have been actively collecting intelligence (and paying sources)

Taken together, these inconsistencies suggest certain alternative stories about the dossier. For example, it’s possible the dossier was used as a way to launder intelligence gathered via other means, as a way to protect sources and methods. It’s likely the US IC had more awareness and involvement in the dossier than they’ve publicly claimed.

With that in mind, I find it very interesting that Chuck Grassley claims to have found inconsistencies in the story FBI and DOJ are giving him about the dossier.

As I noted at the time, Grassley raised some really good questions in a letter to FBI back on March 6, questions made all the more salient given three somewhat conflicting reports about whether the FBI ever paid Steele.

Yesterday, he held a presser to release another letter to FBI, which he sent last Friday. He explained that nine days after he sent his letter, Comey briefed him and Dianne Feinstein on the circumstances surrounding Mike Flynn’s ouster, and answered a few of the questions Grassley had asked in his March 6 letter. But FBI never did respond to the letter itself, beyond sending a four sentence boilerplate letter on April 19, claiming the questions had been answered in the briefing.

In the letter, Grassley makes clear that documents the committee received from DOJ since (are these not FBI? If so are they NSD?) conflict with what Comey relayed in the briefing in that FBI actually had a more substantive relationship than Comey let on.

There appear to be material inconsistencies between the description of the FBI’s relationship with Mr. Steele that you did provide in your briefing and information contained in Justice Department documents made available to the Committee only after the briefing. Whether those inconsistencies were honest mistakes or an attempt to downplay the actual extent of the FBI’s relationship with Mr. Steele, it is essential that the FBI fully answer all of the questions from the March 6 letter and provide all the requested documents in order to resolve these and related issues.

Significantly, after having asked these questions about public reports that FBI had discussed paying Steele,

All FBI records relating to the agreement with Mr. Steele regarding his investigation of President Trump and his associates, including the agreement itself, all drafts, all internal FBI communications about the agreement, all FBI communications with Mr. Steele about the agreement, all FBI requests for authorization for the agreement, and all records documenting the approval of the agreement.

[snip]

Did the agreement with Mr. Steele ever enter into force? If so, for how long? If it did not, why not?

Grassley is restating that question, asking for documentation of all payments to Steele.

Documentation of all payments made to Mr. Steele, including for travel expenses, if any; the date of any such payments; the amount of such payments; the authorization for such payments.

He asked about it in today’s oversight hearing with Comey, and Comey insisted the appearance of conflict was easy to explain (and promised to explain it). I suspect DOJ may have paid for Steele’s travel to the US in October 2016, which might be fine, but that was also when Steele shared his dossier with David Corn. Otherwise, Comey refused to answer in a public forum questions about whether FBI made any representations to a judge relying on the dossier (for example for the FISA order), whether the FBI was aware that Steele paid sources who paid subsources, and whether Comey or the FBI knew that Fusion employed a former Russian intelligence officer who (like Mike Flynn and Paul Manafort) was serving as an unregistered agent of a foreign power, in this case to help Russia fight Magnitsky sanctions.

The last question pertains to Fusion employee Rinat Akhmetshin. In July 2016, Hermitage Capital Management filed a FARA complaint against him and a number of other people alleging they were unregistered lobbyists for Prevezon Holdings, a Cyprus based firm that was seeking to push back against sanctions. The complaint alleges, among other things, that Akhmetshin is a former GRU officer, hired to generate negative publicity, and has been “accused of organizing, on behalf of Russian oligarch Andrey Melnichenko, for the computers of International Mineral Resources to be hacked to steal ‘confidential, personal and otherwise sensitive information’ so that it could be disseminated.”

Grassley surely raised the issue (as he also did in a March letter to Dana Boente in the latter’s role as Acting Attorney General) to accuse Steele’s associates of the same things Steele and others have accused Paul Manafort of (and Mike Flynn has admitted). But it seems an utterly valid issue in any case, not least because it raises questions of why Fusion brought in Steele when Akhmetshin could have collected Russian intelligence on Trump himself. Did he? If so, was that included in the parts of the dossier we haven’t seen? More importantly, was Akhmetshin still around when the dossier got leaked? Does he have any ongoing ties with Russia that might lead to the murder of sources named in the dossier?

In today’s hearing, Grassley said that Fusion refused to cooperate with the questions he posed to them about the dossier. It seems the firms paid to compile that dossier are obfuscating on both sides of the Atlantic.


I Con the Record Transparency Bingo (3): CIA Continues to Hide Its US Person Network Analysis

As I noted in this post on the single positive hit in a criminal back door 702 search and this post on the inexplicable drop in PRTT numbers, I’m going to clarify things I’m seeing confusion over in the I Con the Record Transparency Report, then do a full working thread.

This year’s report shows a steady increase in the number of metadata searches in raw Section 702 data, a 22% (6,555 query) increase over last year.

The graphic admits that these 30,355 queries don’t include the FBI (because the transparency procedures passed with USA Freedom pretty much exempted FBI from everything important). But then further down in the written text, I Con the Record admits that one agency of the IC could not estimate its metadata queries.

As with last year’s transparency report, one IC element remains currently unable to provide the number of queries using U.S. person identifiers of unminimized Section 702 non-content information.

That Agency is the CIA, not the FBI (which isn’t required to count its queries).

We know this from a number of places, including James Clapper’s original report on back door searches to Ron Wyden and the PCLOB 702 report (page 58). PCLOB’s most recent Recommendations update noted that CIA hasn’t implemented the recommendation to track foreign intelligence purpose for queries because it has not yet updated its data management. Nor do ODNI and DOJ review it.

The status of the CIA metadata queries remains the same as reported in the Board’s Recommendations Assessment Report of January 2015, namely with respect to the CIA’s metadata queries using U.S. person identifiers, the CIA accepted and plans to implement this recommendation as it refines internal processes for data management. Thus, the CIA’s new minimization procedures do not reflect changes to implement this recommendation with regard to metadata queries.

[snip]

U.S. person queries by the NSA and CIA are already subject to rigorous executive branch oversight (with the exception of metadata queries at the CIA), supplying this additional information to the FISC could help guide the court by highlighting whether the minimization procedures are being followed and whether changes to those procedures are needed.

And a report on CIA’s back door searches recently liberated by the ACLU also cites data management reasons for not documenting these searches.

CIA’s metadata-only repository does not have the capacity for documenting why the query is reasonably likely to provide foreign intelligence information. Upon opening the repository, however, users will be met with a pop-up reiterating the query standard and requiring their assent before they may proceed.

I officially bet a quarter that CIA will find a way to count this next year, as by then, many of these queries will have moved to EO 12333 querying, which does not get counted.

So the report on metadata searches only shows what NSA does. Since last year, we have confirmed that these metadata queries include upstream 702 data, which carry their own risks.

And we also now have a sense that those queries are automated. The I Con the Record report explains this is just a good faith effort.

The above is a good faith estimate of the number of queries concerning a known U.S. person that the government conducted of unminimized (i.e., raw) lawfully acquired Section 702 metadata.

That’s because this is done by algorithm and business rule, not by any kind of tracking (I’m guessing because of the way metadata is used to triage newly collected identifiers).

NSA will rely on an algorithm and/or a business rule to identify queries of communications metadata derived from the FAA 702 [redacted] and telephony collection that start with a United States person identifier. Neither method will identify those queries that start with a United States person identifier with 100 percent accuracy.

The privacy community celebrated shutting down a phone dragnet that was used to query just 200 or so selectors. Meanwhile, each year the NSA alone conducts thousands more such queries (and in a way that likely ties more closely to content searches). And 3 years after people started pressuring it to do so, CIA still doesn’t count how many queries it is doing.

Which likely means CIA is doing a whole bunch of network analysis on US persons that it doesn’t want us to know about.

Marcy has been blogging full time since 2007. She’s known for her live-blogging of the Scooter Libby trial, her discovery of the number of times Khalid Sheikh Mohammed was waterboarded, and generally for her weedy analysis of document dumps.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including the Guardian, Salon, and the Progressive, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse and dog in Grand Rapids, MI.

Stagnant Wages And Slow Productivity Growth

This article on productivity at Focus Economics says that there has been a global slowdown in productivity growth, and discusses some common explanations. As I pointed out, there is every reason to think that the actual slowdown in productivity growth is greater than the numbers suggest. That’s because productivity grows when output increases while hours worked remains the same or declines, as happens when firms exercise market power to increase prices without changed costs. Focus Economics argues that if productivity growth slows down, workers will not be able to improve their standards of living, explaining:

Household income is dependent on wages, which are consequently dependent on a firm’s ability to grow through greater productivity. The widening gap in productivity would account for the widening gap in household income and consequently, social equality.

At one level, this is just a version of the economic maxim that markets pay people what they are worth. In this case, the argument is that the productive people get the increased rewards. In the case of exercise of market power, this means that some people benefit from exercise of market power, and we know it isn’t the producers of the goods and services; it’s the people at the top, holders of debt and equity, and financiers.

At another level, it says that companies can’t pay higher wages unless workers increase their productivity. And certainly not at the expense of returns to capital.

Economists used to think there was some magic connection between productivity and wages. That was generally true for some time. But, as this chart shows, the relationship between wages and productivity split beginning around 1980, while productivity was growing rapidly.

That’s just after Paul Volcker, then Fed Chair, raised interest rates to ludicrous levels. At the same time, economists were preaching that the problem facing the economy was inadequate levels of capital. So Reagan and the Republicans, along with plenty of complicit Democrats, slashed taxes on the rich, reduced regulations, deregulated industries, and clobbered unions. At the same time, they increased taxes on the working people of the country by increasing FICA taxes.

That worked. According to this 2012 report from Bain & Co.:

By 2010, global capital had swollen to some $600 trillion, tripling over the past two decades. Today, total financial assets are nearly 10 times the value of the global output of all goods and services. …

Our analysis leads us to conclude that for the balance of the decade, markets will generally continue to grapple with an environment of capital superabundance.

This article estimates total financial assets at about $294 Trillion in 2014. And, of course, banks have an almost unlimited capacity to lend for any useful purpose. There is certainly no shortage of capital today.

Once capital achieves a new baseline of return, it doesn’t drop back without a bitter fight, sometimes just political, but always with the threat or reality of physical violence. That’s how labor got its share in the first place, a fact no one wants to talk about. When was the last time you heard an economist discuss the violence in the coal fields, the violence that won miners safer working conditions and better wages? Once labor loses its power, workers can’t defend themselves, and can’t force the rich to share the benefits that flow from any level of productivity, whether or not that level is increasing. And indeed, the rich are now taking all the gains from productivity and more, the labor participation rate is at pre-1980 levels, and wages have been stagnant for decades. Even so, all discussion about wages is centered around increasing productivity, as if it mattered to workers when all the benefits flow to the richest among us.

One school of thought blames workers, saying they have to increase their training and preparation for the work force. A kinder version blames hysteresis effects, the idea that when workers are unemployed for extended periods, they lose their skills. The Republican answer is invest in yourself, borrow money, and get that training. Of course, you take all the risks, for example, whether you can master the schooling, or figure out what training might get you a job, or find a school that will actually train you, and by the way, if you fail, you still have to pay until you die. The Democratic version is jobs training, but that’s only sporadically available, and it’s always underfunded and rarely useful, thanks to the neoliberals in both parties. As to the older people in the workforce who can’t retrain, and can’t move to where there are jobs, both parties do nothing. We don’t just blame the victims, we ignore them, and treat them as losers who deserve nothing.

Many of the 23 economic writers cited in the Focus Economics article, and the other experts it discusses, say the problem is inadequate business investment. So the solutions offered are centered around stimulating demand and cutting taxes and regulations. No one explains how this solves the problem of the rich taking all the gains.

There are few outside the box observations. A couple of the writers think maybe the problem is that there are too many low-productivity jobs available, and too few high-productivity jobs. People see the available jobs as dead-end, and their treatment as demeaning, and they don’t do more than the absolute minimum necessary to get that minuscule paycheck. Another writer points out that the next wave of capital investment is not going to make people more productive, it’s going to replace them. I assume he means industrial robots, for the short term at least.

Another suggests that we are already very efficient at a lot of things, and in those areas, improvements in productivity won’t make much difference. In areas we aren’t very efficient at, it’s going to require something enormous to make a difference, or we would already have done it. John Quiggin says that the financial sector has separated itself from the productive sector, which seems true. You can almost hear the words “Vampire Squid”. All these are intractable problems.

But I think the problem is different. The economic orthodoxy is that capital is always efficient, while labor is always bloated, lazy, indifferent, greedy, demanding, corrupt and insufferable. That was and is the rallying cry of the union-busters, and you can hear it today. That is a perfect description of the capitalists of today. They don’t want to take risks. They want protected markets, special tax treatment, immunity from criminal prosecution and civil suits, and they have the money to pay off politicians to get that and more. They want all the money. They don’t want to pay their share. They want the right to wreck the economy with impunity. They want the right to screw consumers into the ground. They want the right to destroy the environment. And they want to make all the decisions about the future.

We have the power to solve that problem if we have the will.

Update: after I posted, I ran across this astonishing article by Michael Hiltzik at the Los Angeles Times, discussing the reaction of Wall Street analysts to American Airlines decision to increase pay to its pilots and flight attendants. Do read it.

Notre Dame undergrad (math); JD, Indiana University at Bloomington; 1st Lieutenant, US Army; private practice in corporate and securities law; Assistant AG in Tennessee for consumer protection and securities; Blue Sky Securities Commissioner, Tennessee; private practice, bankruptcy and corporate law.

I have had a lifelong interest in economics. For most of my career, that interest was practical, focused on the problems in front of me. Lately I have been more interested in economics as a theory, especially its impact on the lives of people like those I met in my bankruptcy practice, and on the politics of money in the US. I also enjoy reading philosophers, starting in college and steadily expanding my reading ever since. I wrote at FireDogLake for a number of years.

Generally, I think the problem facing the US is the dominance of neoliberal discourse. I think it clouds the vision, and limits the kinds of problems that can be identified and solved. For example, the existence and danger of climate change can easily be identified in a scientific discussion. However, the problem does not fit the neoliberal discourse because science insists that the pursuit of individual and corporate self-interest will lead to devastation. In neoliberal discourse, the pursuit of self-interest always leads to Eden.

The neoliberal project has two prongs. One is the police function of crushing dissent and alternative views. The police function is provided by government agencies and private and institutional actors. The counterpart is the economic system, which is operated by government and by private and institutional actors. Some of these actors operate in both spheres. I focus on the second prong.

The Productivity Problem

Productivity growth is apparently trending downward around the globe. The problem is addressed in Focus Economics, Why is Productivity Growth So Low: 23 Economic Experts Weigh In. The author, whose name I can’t find, begins by explaining the problem as economists see it.

Productivity is considered by some to be the most important area of economics and yet one of the least understood. Its simplest definition is output per hour worked, however, productivity in the real world is not that simple. Productivity is a major factor in an economy’s ability to grow and therefore is the greatest determinant of the standard of living for a given person or group of people. It is the reason why a worker today makes much more than a century ago, because each hour of work produces more output of goods and services.

It’s certainly true that the concept is important. The simple definition gives us the rough idea but the details are very difficult indeed. The text gives us the example of productivity at a branch bank.

Bill Conerly put it well in an article for Forbes: “Take banking, for example. Your checking account is clear as mud. The bank provides to you the service of processing checks, for which you don’t pay (aside from exorbitant fees for bounced checks and stop-payments). However, the bank does not pay you a market rate of interest on the money you keep in your checking account. It’s a trade: free services in exchange for free account balances. Government statisticians estimate the dollar value of the trade, so that the productivity of bankers can be assessed, but the figures are not very precise.”

At least in that example, we can see how productivity improvement at a bank might improve your standard of living, perhaps indirectly by enabling the bank to pay a bit more interest on your checking account. Here are three different kinds of examples, in which we can see how improvements in reported productivity result in worse outcomes for us.

Productivity is defined as the ratio of output to hours worked. Output is measured by receipts to the producer. Hours worked are collected by the Census Bureau.

1. A pharmaceutical company raises the price of its generic drugs with no change in its costs. Its receipts go up while hours worked remain the same. Under the definition, productivity goes up.

2. A high frequency trading company inserts itself into an increasing number of purchases of securities on stock exchanges. The purchaser pays a higher price. The HFT company has higher revenue but hours worked remain the same. Again, by this definition, productivity goes up.

3. Two dominant corporations in the same industry merge. The new company fires a lot of people. Hours worked go down. Prices remain the same in the short run, and rise as the new entity exercises oligopoly power. With hours down and receipts up, productivity rises by definition.

Are these examples realistic? In the medicine example, this article lays out the issues. For those interested, this chart shows the value of pharmaceuticals and medicines shipped by manufacturers beginning in 2000. It shows that there was a steady rise, with a sudden jump in 2013. This chart shows that per capita expenditure on pharmaceuticals and other medical products has nearly doubled since 2000.

It’s likely that there are several causes for this, not least the startling prices sought for new drugs. Government productivity figures do not take into account any improvement in the results that new drugs bring, although quality adjustments are made in calculating inflation figures. Given the increased pressure from insurers and doctors to switch to generics, and increased focus on drug prices as a problem, it’s reasonable to see this data and various reports as support for my drugs example. But it’s hard to put a dollar value on it.

On the second example, here’s an article from CFA Magazine written in 2011, detailing the costs of high frequency trading. More recent reports say that the problems are going away, and who knows, because it’s hidden behind a wall of words mostly from the people who run the systems, their friends at the exchanges, and the captured SEC. Here’s a review of the literature (behind a paywall), which concludes with this: “This suggests that the identified economic benefits of HFTs (market making, venue competition, more trading opportunities) outweigh their economic costs (large-order predation and run games).” For my purposes, it’s clear that the older article tells us that initially, at least, HFT operated as my example suggests, raising productivity without doing anything useful.

As to the third example, the impact of private equity on employment is everywhere, and the concentration of economic power in oligopoly control of most industries is obvious. Dave Dayen has been writing about it for some time; here’s a recent example. Oligopolistic control also reduces paychecks for the remaining workers.

In these examples, and I could produce many more, productivity as defined by economists goes up but individual consumers are worse off. That is maddening. Once upon a time, we might have thought we could just ignore this kind of thing as an insignificant part of GNP, but that’s not true today, either in the US or globally. The economy, measured by output, is growing, but it is the opposite of the notion of productivity as good for society: it makes people’s lives worse. Except, of course, for a few rich people.

My three examples are exercises of market power. Here’s a long but worthwhile discussion of the harm it does and its increasing presence in the economy. Market power is not the same as rent-seeking, which is usually defined as an effort to get the government to give special treatment to one of a number of competitors. Both are damaging and both inflate productivity figures.

My examples show that reported productivity growth is most likely higher than the kind of productivity growth that the author discusses, the kind that increases the amount of goods and services available in the economy. It’s not unusual for an economics writer to assume only good people operate in the capitalist economy, and ignore the crooks and the cheats. Suppose the author is right that rising productivity makes for a better life. If real productivity growth is even lower than the low reported productivity growth, his logic explains why life is getting worse for most of us.


How to Spy on Carter Page

I have no personal knowledge of the circumstances surrounding the alleged wiretapping of Carter Page, aside from what WaPo and NYT have reported. But, in part because the release of the new, annual FISC report has created a lot of confusion, I wanted to talk about the legal authorities that might have been involved, as a way of demonstrating (my understanding, anyway, of) how FISA works.

FISC did not (necessarily) reject more individual orders last year

First, let’s talk about what the FISC report is. It is a new report, mandated by the USA Freedom Act. As the report itself notes, because it is new (a report covering the period after passage of USAF), it can’t be compared with past years. More importantly, because the FISA Court uses a different (and generally more informative) reporting approach, you cannot — as both privacy groups and journalists erroneously have — compare these numbers with the DOJ report that has been submitted for years (or even the I Con the Record report that ODNI has released since the Snowden leaks); that’s effectively an apples to grapefruit comparison. Those reports should be out this week, which (unless the executive changes its reporting method) will tell us how last year compared with previous years.

But comparing last year’s report to the report from the post-USAF part of 2015 doesn’t sustain a claim that last year had record rejections. If we annualize the 2015 report (covering June to December 2015), which shows 5 rejected 1805/1824 orders (those are the individual orders often called “traditional FISA”) across roughly 7 months, the rate is actually higher (.71 rejected orders a month or .58% of all individual content applications) than the 8 rejected 1805/1824 orders in 2016 (.67 rejected orders a month or .53% of all individual content applications). In 2016, the FISC also rejected an 1861 order (better known as Section 215), but we shouldn’t make too much of that either, given that that authority changed significantly near the end of 2015, plus we don’t have this counting methodology for previous years (as an example, 2009 almost surely would have had at least one partial rejection of an entire bulk order, when Reggie Walton refused production of Sprint records in the summertime).

Which is a long-winded way of saying we should not assume that the number of traditional content order rejections reflects the reports that FBI applied for orders on four Trump associates but got rejected (or maybe only got one approved for Page). As far as we can tell from this report, 2016 had a similar number of what FISC qualifies as rejections as 2015.

The non-approval of Section 702 certificates has no bearing on any Russian-related spying, which means Page would be subject to back door searches

Nor should my observation that the FISC did not approve any certifications for 1881a (better known as Section 702, which covers both upstream and PRISM) reflect on any Carter Page surveillance. Given past practice when issues delayed approvals of certifications, it is all but certain FISC just extended the existing certifications approved in 2015 until the matters that resulted in an at least 2 month delay were resolved.

Moreover, the fact that the number of certificates (which is probably four) is redacted doesn’t mean anything either: it was redacted last year as well. That number would be interesting because it would permit us to track any expansions in the application of FISA 702 to new uses (perhaps to cover cybersecurity, or transnational crime, for example). But the number of certificates pertains to the number of people targeted only insofar as any additional certificates represent one more purpose to use Section 702 on.

In any case, Snowden documents, among other things, show that a “foreign government” certificate has long been among the existing certificates. So we should assume that the NSA has collected the conversations of known or suspected Russian spies located overseas conducted on PRISM providers; we should also assume that as a counterintelligence issue implicating domestic issues, these intercepts are routinely shared in raw form with FBI. Therefore, unless last year’s delay involved FBI’s back door searches, we should assume that when the FBI started focusing on Carter Page again last spring or summer, they would have routinely searched on his known email addresses and phone numbers in a federated search and found any PRISM communications collected. In the same back door search, they would have also found any conversations Page had with Russians targeted domestically, such as Sergey Kislyak.

The import of the breakdown between 1805 and 1824

Perhaps the most important granular detail in this report — one that has significant import for Carter Page — is the way the report breaks down authorizations for 1805 and 1824.

1805 covers electronic surveillance — so the intercept of data in motion. It might be used to collect phone calls and other telephony communication, as well as (perhaps?) email communication collected via upstream collection (that is, non-PRISM Internet communication that is not encrypted); it may well also cover prospective PRISM and other stored communication collection. 1824 covers “physical search,” which when it was instituted probably covered primarily the search of physical premises, like a house or storage unit. But it now also covers the search of stored communication, such as someone’s Gmail or Dropbox accounts. In addition, a physical search FISA order covers the search of hard drives on electronic devices.

As we can see for the first time with these reports, most individual orders cover both 1805 and 1824 (92% last year, 88% in 2015), but some will do just one or another. (I wonder if FBI sometimes gets one kind of order to acquire evidence to get the other kind?)

As filings in the Keith Gartenlaub case make clear, “physical search” conducted under a FISA order can be far more expansive than the already overly expansive searches of devices under a Title III warrant. Using a FISA 1824 order, FBI Agents snuck into Gartenlaub’s house and imaged the hard drives from a number of his devices, ostensibly looking for proof he was spying on Boeing for China. They found no evidence to support that. They did, however, find some 9-year old child pornography files, which the government then “refound” under a criminal search warrant and used to prosecute him. Among the things Gartenlaub is challenging on appeal is the breadth of that original FISA search.

Consider how this would work with Carter Page. The NYT story on the Page order makes it clear that FBI waited until Page had left the Trump campaign before it requested an order covering him.

The Foreign Intelligence Surveillance Court issued the warrant, the official said, after investigators determined that Mr. Page was no longer part of the Trump campaign, which began distancing itself from him in early August.

I suspect this is a very self-serving description on the part of FBI sources, particularly given reports that FISC refused orders on others. But regardless of whether FISC or the FBI was the entity showing discretion, let’s just assume that someone was distinguishing any communications Page may have had while he was formally tied to the campaign from those he had after — or before.

This is a critical distinction for stored communications because (as the Gartenlaub case makes clear) a search of a hard drive can provide evidence of a completely unrelated crime that occurred nine years in the past; in Gartenlaub’s case, they reportedly used it to try to get him to spy on China and they likely would do the equivalent for Page if they found anything. For Page, a search of his devices or stored emails in September 2016 would include emails from during his service on Trump’s campaign, as well as emails between the time Page was interviewed by FBI on suspicion of being recruited by Victor Podobnyy and the time he started on the campaign, as well as communications going back well before that. So if FISC (or, more generously, the FBI) were trying to exclude materials from during the campaign, that might involve restrictions built into the request or the final order.

The report covering 2016 for the first time distinguishes between orders FISC modifies (FISC interprets this term more broadly than DOJ has in its reports) and orders FISC partly denies. FISC will modify an order to, among other things,

(1) impos[e] a new reporting requirement or modifying one proposed by the government;

(2) chang[e] the description or specification of a targeted person, of a facility to be subjected to electronic surveillance or of property to be searched;

(3) modify[] the minimization procedures proposed by the government; or

(4) shorten[] the duration of some or all of the authorities requested

Using Page as an example, if the FISC were permitting FBI to obtain communications from before the time Page joined the campaign but not during it, it might modify an order to require additional minimization procedures to ensure that none of those campaign communications were viewed by the FBI.

The FISC report explains that the court will partly deny orders and “by approving some targets, some facilities, places, premises, property or specific selection terms, and/or some forms of collection, but not others.” Again, using Page as an example, if the court wanted to really protect the election related communications, it might permit a search of Page’s homes and offices under 1824, but not his hard drives, making any historic searches impossible.

There’s still no public explanation of how Section 704/Section 705b work, which would impact Page

Finally, the surveillance of Carter Page implicates an issue that has been widely discussed during and since passage of the FISA Amendments Act in 2008, but not in a way that fully supports a democratic debate: how NSA spies on Americans overseas.

Obviously, the FBI would want to spy on Page both while he was in the US, but especially when he was traveling abroad, most notably on his frequent trips to Russia.

The FISA Amendments Act for the first time required the NSA to obtain FISC approval before doing that. As I explain in this post, for years, public debate has claimed that was done under Section 703 (1881b in this report). But abundant evidence shows it is all done under 704 (1881c in this report). The biggest difference between the two, according to an internal NSA document, is the government doesn’t explain its methods in the latter case. With someone who would be spied on both in the US and overseas, that spying would be done under 705b (conducted under 1881d section b), which permits the AG to approve of spying overseas (effectively, 704 authority) for those already approved under a traditional order.

This matters in the context of spying on Carter Page for two reasons. First, as noted, the government doesn’t share details about how it spies overseas with the court. And some of the techniques we know NSA to use — such as XKeyscore searches drawing on bulk overseas collection — would seem to present additional privacy concerns on top of the domestic authorities. If the FBI (or more likely, the FISC) is going to try to bracket off any communications that occur during the period Page was associated with the campaign, that would have to be done for overseas surveillance as well, most critically, for Page’s July trip to Russia.

This report shows that 704, like the domestic authorities, also gets modified sometimes, so it may be that FISC did just that — permitted NSA to collect information covering that July meeting, but imposed some minimization procedures to protect the campaign.

But it’s unclear whether the court would have an opportunity to do so for 705b, which derives from Attorney General authorization, not court authorization. I assume that’s why 1881d was not included in this reporting requirement. Adding 705b reporting to Title VII reauthorization this year seems like a fairly minor change, but one that might reveal how often the government uses more powerful overseas spying techniques on Americans. It’s unclear to me, for example, whether any modifications or partial approvals the FISC made on a joint 1805/1824 order covering Page would translate into a 705b order, particularly if the modifications in question included additional reporting to the FISC.

Carter Page might one day be the first American to get review of his FISA dossier

All of which is why, no matter what you think of Carter Page’s alleged role in influencing the Trump campaign to favor Russia, I hope he one day gets to review his FISA dossier.

No criminal defendant has ever gotten a review of the FISA materials behind the spying, in spite of clear Congressional intent, when the law was passed in 1978, to allow that in certain cases. Because of the publicity surrounding this case, and the almost unprecedented leaking about FISA orders, Page stands a better chance than anyone else of getting such review (particularly if, as competing stories from CNN and Business Insider claim, the dossier formed a key, potentially uncorroborated part of the case against him). Whatever else happens with this case, I think Page should get that review.

Marcy has been blogging full time since 2007. She’s known for her live-blogging of the Scooter Libby trial, her discovery of the number of times Khalid Sheikh Mohammed was waterboarded, and generally for her weedy analysis of document dumps.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including the Guardian, Salon, and the Progressive, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse and dog in Grand Rapids, MI.

The WikiLeaks Deterrent Theory, AKA the Arbitrary Official Secrets Act

Three outlets yesterday — first the WaPo, then CNN, then NYT — reported that DOJ is considering charges against Julian Assange and WikiLeaks. The discussion of what charges, and for what leaks, differs between the reports.

While mentioning the Vault 7 leaks, WaPo also focuses on Chelsea Manning’s leaks and Assange’s discussions about how to gain access.

In March, WikiLeaks published thousands of files revealing secret cyber-tools used by the CIA to convert cellphones, televisions and other ordinary devices into implements of espionage. The FBI has made significant progress in the investigation of the leak, narrowing the list of possible suspects, officials said. The officials did not describe WikiLeaks’ exact role in the case beyond publishing the tools.

Prosecutors are also reexamining the leaks from Chelsea Manning, the Army soldier who was convicted in 2013 of revealing sensitive diplomatic cables. Manning chatted with Assange about a technique to crack a password so Manning could log on to a computer anonymously, and that conversation, which came up during Manning’s court-martial, could be used as evidence that WikiLeaks went beyond the role of publisher or journalist.

Alexa O’Brien tweeted out some thoughts and links to what any further prosecution of the Manning leak might entail.

CNN, which is the most certain charges have already been drawn up, explains that DOJ believes WikiLeaks’ actions changed in nature with Edward Snowden.

The US view of WikiLeaks and Assange began to change after investigators found what they believe was proof that WikiLeaks played an active role in helping Edward Snowden, a former NSA analyst, disclose a massive cache of classified documents.

I think that may be demonstrably true of Sarah Harrison, who helped a fugitive escape. But I’m not sure the US has equally compelling evidence against Assange.

Perhaps the most interesting discussion comes from NYT, which discusses the ongoing debate — with “senior Justice Department officials … pressuring prosecutors” over what is realistic and what authorities actually want, which is an Espionage conviction.

The official, speaking on the condition of anonymity because the details of the discussions remain secret, said senior Justice Department officials had been pressuring prosecutors in the Eastern District of Virginia to outline an array of possible charges against Mr. Assange.

But the official said prosecutors remained skeptical that they could pursue the most serious charges, of espionage, with regard to the documents Mr. Assange disclosed years ago with the help of an Army intelligence analyst, Chelsea Manning. Ms. Manning was convicted and sent to prison, but President Barack Obama commuted her sentence in January.

Given how few people Trump has confirmed into positions in government, these outlets should be a bit more descriptive. In that passage, for example, and the following from WaPo, what does “senior Justice Department official” mean when US Attorney Dana Boente is (as I’ve noted but none of these stories do) also acting DAG and acting AG for any Russia-related charges?

Prosecutors in recent weeks have been drafting a memo that contemplates charges against members of the WikiLeaks organization, possibly including conspiracy, theft of government property or violating the Espionage Act, officials said. The memo, though, is not complete, and any charges against members of WikiLeaks, including founder Julian Assange, would need approval from the highest levels of the Justice Department.

Would Boente be approving charges filed under Boente’s name?

Though that may not matter. Rod Rosenstein, who will become DAG shortly, has himself pursued excessive charges in leak cases, both against Thomas Drake and Hal Martin.

Perhaps the most interesting claim is that the FBI thought indicting Assange — who likely won’t be prosecuted in any case unless Ecuador suddenly changes their mind about their house guest — would provide some kind of deterrent effect.

Officials have said that the F.B.I. supports prosecuting Mr. Assange. Several years ago, the agency sent a series of documents to the Justice Department outlining charges that investigators claimed to have evidence to support. At the time, F.B.I. counterintelligence agents believed that charging Mr. Assange would deter him from posting new troves of American documents.

I think you’d have to be daft to think prosecuting Assange would deter him from posting more, assuming this happened while he was in the Ecuadoran Embassy. Prosecuting him would only mean he’d have less to lose — and, frankly, more reason to post things that might please America’s adversaries, like Russia.

But it might serve as deterrence for other publishing outlets that aren’t holing up in an Embassy. Short of some really distinguishing actions (and Harrison’s might amount to that in the Snowden case), indicting Assange would put everyone else with a SecureDrop on notice that they, too, might be prosecuted. Surely, DOJ would pick and choose who gets prosecuted. They might choose other easily targeted people — people who are gay, people who no longer live in this country, people who have too many dogs — to similarly make examples of (though pity the fool that challenges Glenn Greenwald’s First Amendment rights).

DOJ wants to start cutting away at the First Amendment. All the better for them, if in the name of prosecutorial discretion, Jeff Sessions’ DOJ could pick and choose which publishers’ speech gets curtailed.

The Think Tank Story Actually Suggests the Think Tank Wasn’t That Important

Reuters has what at first seemed to be an important story, based on three current and four former US officials (a descriptor which can include members of Congress or their staffers) noting that a think tank close to Putin laid out a plan to influence the US election in two separate reports last year. But in fact, the story actually may undermine some of its own claims.

Before I describe the reports, consider two inconsistent claims made in the story. First, the article claims that these two reports were central to the Obama Administration’s conclusions on Russian interference.

The documents were central to the Obama administration’s conclusion that Russia mounted a “fake news” campaign and launched cyber attacks against Democratic Party groups and Clinton’s campaign, the current and former officials said.

These officials — seven of them!! — suggest there’s a tie between these two reports and the total conclusion, the fake news and the hacking.

But then later in the story, half the officials state that the reports never once mentioned the hacks. They explain that detail away by saying that the two parts of the campaign — the hacking and the propaganda — reinforced each other because RT and Sputnik do what RT and Sputnik allegedly do anyway, make the most of opportunities to cause the US discomfort.

Neither of the Russian institute documents mentioned the release of hacked Democratic Party emails to interfere with the U.S. election, according to four of the officials. The officials said the hacking was a covert intelligence operation run separately out of the Kremlin.

The overt propaganda and covert hacking efforts reinforced each other, according to the officials. Both Russia Today and Sputnik heavily promoted the release of the hacked Democratic Party emails, which often contained embarrassing details.

Again, before we get into the reports themselves, note that the sources here appear to have oversold this story. Or the Obama Administration thinking on this is … problematic. Because there’s no way two reports on propaganda — of the sort American think tanks and the CIA develop for elections and adversaries all over the world, even if the CIA doesn’t run state media outlets like Russia does to implement them — that don’t mention the hack should be presented as proof of (or proof against) the whole kit and kaboodle, the hack-and-leak plus propaganda. Either these reports weren’t central to the plan, or the propaganda effort had nothing to do with the hacking one. In other words, these documents should in no way lead Obama (or us) to conclude anything about the hacking.

That’s all the more true when you consider the description of these reports.

[The seven sources] described two confidential documents from the think tank as providing the framework and rationale for what U.S. intelligence agencies have concluded was an intensive effort by Russia to interfere with the Nov. 8 election. U.S. intelligence officials acquired the documents, which were prepared by the Moscow-based Russian Institute for Strategic Studies [en.riss.ru/], after the election.

The institute is run by retired senior Russian foreign intelligence officials appointed by Putin’s office.

The first Russian institute document was a strategy paper written last June that circulated at the highest levels of the Russian government but was not addressed to any specific individuals.

It recommended the Kremlin launch a propaganda campaign on social media and Russian state-backed global news outlets to encourage U.S. voters to elect a president who would take a softer line toward Russia than the administration of then-President Barack Obama, the seven officials said.

A second institute document, drafted in October and distributed in the same way, warned that Democratic presidential candidate Hillary Clinton was likely to win the election. For that reason, it argued, it was better for Russia to end its pro-Trump propaganda and instead intensify its messaging about voter fraud to undermine the U.S. electoral system’s legitimacy and damage Clinton’s reputation in an effort to undermine her presidency, the seven officials said.

The first report was done in June (no date specified). Per the description, it didn’t even take an anti-Hillary stance, but instead an anti-Obama stance, which translates into anti-Hillary but not as strongly as it could, given Hillary’s specific actions that have infuriated Putin. The second was done in October (again, no date specified) and by description adopted a stance Republicans in this country have adopted towards elections for decades, to delegitimize elections your preferred candidate loses.

The dates are more important (and I find the non-disclosure of the actual dates to be telling, whether that decision was made by the seven sources or by Reuters, as the dates would provide another detail that would allow us to assess the credibility of this story).

Let’s review the timeline of the hack-and-leak narrative. APT 29, associated with FSB, hacked the DNC during summer 2015, and stayed there, quietly. Then, according to the existing narrative, as part of the kind of operation we’ve seen many times, in mid-March 2016 APT 28, associated with GRU, also hacked the DNC, as well as John Podesta. DC Leaks, which is supposed to be part of the same operation, registered its domain on April 19. As Thomas Rid pointed out yesterday, FireEye believes the same people tried to register “electionleaks” a week earlier, on April 12. A persona calling himself Guccifer 2.0 appeared on June 15 and started leaking documents currently (and not entirely correctly, I believe) attributed to the DNC hack, immediately after the WaPo and Crowdstrike revealed the hack and attributed it to Russia. Which is to say the first think tank document (which again, is described as anti-Obama, not anti-Hillary) post-dated the beginning of what is considered the hack-and-leak campaign by three months and the beginning of the set-up to leak stolen documents by two. If the report is dated after June 15, it post-dated the first Guccifer 2.0 leaks, yet made no mention of their possible exploitation as part of the propaganda campaign (there are still unexplained problems with claims about the Guccifer persona, but I will bracket them here).

Then there’s the second report, from some unrevealed date in October. Again, it’s crucially important whether the report was done before or after October 7, when even outside observers learned there was going to be a second batch of leaks because Wikileaks started releasing the Podesta emails. Nevertheless, anyone following closely would have known (at least from Roger Stone) more might be coming, and insiders in both the Democratic Party and the Kremlin knew there were more documents that could be released. But this second report once again made no mention of hacked documents, not the ones that had leaked in the summer, and not the ones that were already or were about to be leaked.

That’s some pretty remarkable disinterest in available propaganda material that everyone following closely knew about. Though it’s worth noting that the Podesta emails didn’t support the “illegitimate election” narrative being pushed by the think tank in October as well as the DNC emails that were already public and available for propaganda purposes.

Taking just the think tank documents as evidence, which is what the seven sources behind this story do in advancing them as proof, you would conclude that there was actually not a strong tie between the hack-and-leak campaign and the propaganda one, because even after the entire world knew about the former, those strategizing the latter didn’t accommodate for the former.

All of which is to say that if we’re to believe these think tank documents provided “the framework and rationale” for the Russian election operation story, then we should conclude the dominant narrative is incorrect, that there actually was no intention of coordinating the hack-and-leak part of the operation with the propaganda part, or even that the hack-and-leak wasn’t part of that grand framework. Alternately, we might conclude that these think tank documents represent what tangential people with close ties to Putin thought smart advice, but which aren’t actually proof of Putin’s intent except insofar as sycophants reflect the perceived intent of those they’re serving.

Later the article does provide an explanation that sustains the current narrative of a coordinated hack-and-leak and propaganda campaign. Even before the first strategy document that purportedly provided the rationale and framework for the campaign, Reuters’ sources reveal, the Kremlin had already instructed media outlets to favor Trump.

Four of the officials said the approach outlined in the June strategy paper was a broadening of an effort the Putin administration launched in March 2016. That month the Kremlin instructed state-backed media outlets, including international platforms Russia Today and Sputnik news agency, to start producing positive reports on Trump’s quest for the U.S. presidency, the officials said.

That order came from the Kremlin itself, which might fit what Reuters’ sources call a covert campaign (even though, by all reports, starting in March the second wave of hacking stopped all effort at maintaining persistent secrecy from its targets), and it certainly could reflect coordination between the propaganda and the hack-and-leak parts of the campaign. It would suggest the Kremlin moved its propaganda arms at the same time APT 28 set out to ostentatiously collect what APT 29 had already been secretly collecting: documents that could provide material for the propaganda.

If so (and I have no problem interpreting it as such), then it suggests that the think tank documents should not be considered all that informative, as they appear to ignore stuff even Americans were commenting heavily on. Indeed, the story provides more evidence to suggest they weren’t that key in directing the campaign. In the US, at least, think tanks often recommend policies that coincide with (blatantly obvious) policies already chosen; it’s a good way to appear to influence policy even while chasing it. But that doesn’t mean we or anyone else should take it as definitive proof of anything.

One more comment. As stunning as it is to learn of Russian think tank documents that made no mention of the hack-and-leak campaign, or even the documents that became available as a result, months after the leaking started, it’s worth reminding that the Trump dossier, for whatever juicy evidence it presents about Trump associates potentially colluding with Russians, also doesn’t reflect any prospective knowledge of the hack-and-leak campaign (though it certainly discusses its implementation after the fact). In fact, its retrospective reports suggest that in mid-September, the consensus was that the hack-and-leak campaign was backfiring, with advisors suggesting they didn’t need to release more documents to make Hillary look “weak and stupid.” And when, five days after the Podesta emails first started coming out, the dossier reported on the emails being released, it suggested a great deal of anger within the Kremlin both that the emails hadn’t done more besides create backlash and that Trump was such a divisive figure.

The two data points, taken together, might support a close hold on the hack-and-leak effort (in spite of the obviousness with which it was carried out). But it’s worth noting that in spite of rampant leaking and some vague allegations of more, we have yet to see or learn of a data point that predicted the hack-and-leak campaign, not even via intelligence agencies that knew about the earlier APT 29 hack for nine months.

One final note. I’ve long mocked the intelligence community for calling the combined efforts of APT 28 and 29, along with the propaganda effort, “Grizzly Steppe” for the way it dissolves all distinction between the various parts of the program. This is an example of why I think it unwise: because it clouds people’s ability to assess and try to address flaws in the individual parts of the campaign which may be quite important.

Pompeo Likens Wikileaks’ Release of CIA’s Hacking Tools to Philip Agee

In a speech designed to generate headlines, CIA Director Mike Pompeo just attacked WikiLeaks as a “a non-state hostile intelligence service often abetted by state actors like Russia.” The speech was explicitly a response to an op-ed Julian Assange had in the WaPo a few days ago.

Now, for those of you who read the editorial page of the Washington Post—and I have a feeling that many of you in this room do—yesterday you would have seen a piece of sophistry penned by Mr. Assange. You would have read a convoluted mass of words wherein Assange compared himself to Thomas Jefferson, Dwight Eisenhower, and the Pulitzer Prize-winning work of legitimate news organizations such as the New York Times and the Washington Post. One can only imagine the absurd comparisons that the original draft contained.

But the speech deserves closer analysis for several reasons.

CIA Directors hoping to build trust should fact and hypocrisy check better

First, it had the predictable CIA Director errors. As an example, it pretends to be rebutting “false narratives” purportedly spread by WikiLeaks, but uses as an example “the fanciful notion that they spy on their fellow citizens via microwave ovens,” a suggestion first spread by KellyAnne Conway, not WikiLeaks (though WikiLeaks responded by pointing to ways to spy with microwaves, though not ovens). It suggests Assange “directed Chelsea Manning in her theft of specific secret information;” had Assange’s direction been that clear cut, he would have been indicted. Perhaps most hilariously, a guy who — nine months ago — was applauding a WikiLeaks release today had this to say:

First, it is high time we called out those who grant a platform to these leakers and so-called transparency activists. We know the danger that Assange and his not-so-merry band of brothers pose to democracies around the world. Ignorance or misplaced idealism is no longer an acceptable excuse for lionizing these demons.

Yes. By all means, we should call out those who grant a platform to WikiLeaks. Like Mike Pompeo.

The never-ending defense of all spying overseas

The speech is also worth reviewing because of something that has become tiresome in recent years.

To rebut that false narrative, Pompeo takes on a claim that’s beside the point to WikiLeaks’ presentation of the CIA Vault 7 files (though it is one WikiLeaks has suggested on Twitter): that CIA spies on Americans.

[W]e are an intelligence organization that engages in foreign espionage. We steal secrets from foreign adversaries, hostile entities, and terrorist organizations. We analyze this intelligence so that our government can better understand the adversaries we face in a challenging and dangerous world.

[snip]

So I’d now like to make clear what CIA doesn’t do. We are a foreign intelligence agency. We focus on collecting information about foreign governments, foreign terrorist organizations, and the like—not Americans. A number of specific rules keep us centered on that mission and protect the privacy of our fellow Americans. To take just one important example, CIA is legally prohibited from spying on people through electronic surveillance in the United States. We’re not tapping anyone’s phone in Wichita.

Assange has focused primarily not on domestic spying, but on how incompetent CIA was for losing its hacking tools and for the proliferation risk it poses. Here’s what Assange said in his op-ed.

Our most recent disclosures describe the CIA’s multibillion-dollar cyberwarfare program, in which the agency created dangerous cyberweapons, targeted private companies’ consumer products and then lost control of its cyber-arsenal. Our source(s) said they hoped to initiate a principled public debate about the “security, creation, use, proliferation and democratic control of cyberweapons.”

Pompeo admits aggressive use of tools, and promises better security

That’s not a point that Pompeo really debates, though he does say,

CIA is aggressive in our pursuit of the information we need to help safeguard our country. We utilize the whole toolkit at our disposal, fully employing the authorities and capabilities that Congress,

As for losing the cyber toolkit (Pompeo does not, of course, confirm that that is what WikiLeaks has been releasing), Pompeo does promise these changes to improve CIA’s own security.

Second, there are steps that we have to take at home—in fact, this is a process we’ve already started. We’ve got to strengthen our own systems; we’ve got to improve internal mechanisms that help us in our counterintelligence mission. All of us in the Intelligence Community had a wake-up call after Snowden’s treachery. Unfortunately, the threat has not abated.

I can’t go into great detail, but the steps we take can’t be static. Our approach to security has to be constantly evolving. We need to be as clever and innovative as the enemies we face. They won’t relent, and neither will we.

We can never truly eliminate the threat but we can mitigate and manage it. This relies on agility and on dynamic “defense in depth.” It depends on a fundamental change in how we address digital problems, understanding that best practices have to evolve in real time. It is a long-term project but the strides we have taken—particularly the rapid and tireless response of our Directorate of Digital Innovation—give us grounds for optimism.

If these changes go beyond finally ensuring all devices require multi-factor authentication (something a Mike Pompeo-overseen CIA did not have this time last year), then it will be a good thing.

The Philip Agee comparison

But I’m perhaps most interested in the implicit comparison Pompeo makes to start his speech. He suggests a comparison between Philip Agee (and the murder of Chief of Station Richard Welch after being outed by Agee) and WikiLeaks (or perhaps Assange personally).

That man was Philip Agee, one of the founding members of the magazine Counterspy, which in its first issue in 1973 called for the exposure of CIA undercover operatives overseas. In its September 1974 issue, Counterspy publicly identified Richard Welch as the CIA Chief of Station in Athens. Later, Richard’s home address and phone number were outed in the press in Greece.

In December 1975, Richard and his wife were returning home from a Christmas party in Athens. When he got out of his car to open the gate in front of his house, Richard Welch was assassinated by a Greek terrorist cell. At the time of his death, Richard was the highest-ranking CIA officer killed in the line of duty.

That’s a pretty remarkable way to introduce this speech. Perhaps to defend it, in the section of the speech dedicated to painting WikiLeaks as a hostile actor, Pompeo notes AQAP thanked WikiLeaks for tipping it off to a way to fight the US it hadn’t thought of.

Following a recent WikiLeaks disclosure, an al Qa’ida in the Arabian Peninsula member posted a comment online thanking WikiLeaks for providing a means to fight America in a way that AQAP had not previously envisioned.

That’s still a long way from posting CIA officers’ identities.

Security firms begin to expose CIA’s roles

All that said, I can’t help but wonder whether this spat between former WikiLeaks booster Mike Pompeo and WikiLeaks stems from a development that I’ve been anticipating: when security firms start treating US intelligence hackers like they do Russian or Chinese ones.

In the wake of WikiLeaks’ Vault 7 documents, both Symantec and Kaspersky wrote reports on Vault 7 hacks they had seen working with clients. Symantec provided a very convincing table correlating the compilation time of what they’ve seen with the evidence WikiLeaks presented.
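The mechanics behind a table like Symantec’s are simple: every Windows executable carries a COFF TimeDateStamp in its PE header, and you compare those compile times against the dates on the documents describing the tool. As an added example, not Symantec’s or WikiLeaks’ code, the Python below reads that field, checks it against a list of document dates, and flags matches within a window. The PE blobs and the document dates are constructed here purely to make the example run offline; the one caveat a practitioner would insist on is encoded in `plausible()`: the timestamp is attacker-controllable and trivially zeroed or forged, so a correlation corroborates an attribution, it never proves one.

```python
import struct
from datetime import datetime, timezone


def build_stub_pe(timestamp: int) -> bytes:
    """Constructed test data: a minimal PE-shaped blob, not a real binary.

    DOS header with e_lfanew pointing at a 'PE\\0\\0' signature, followed by a
    20-byte COFF file header whose third field is the TimeDateStamp.
    """
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE signature lives at 0x40
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 3, timestamp, 0, 0, 0xE0, 0x0102)
    return bytes(dos) + b"PE\0\0" + coff


def pe_compile_time(data: bytes) -> datetime:
    """Return the COFF TimeDateStamp (seconds since 1970, UTC) of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # 4-byte signature + Machine (2) + NumberOfSections (2) precede the stamp
    (ts,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return datetime.fromtimestamp(ts, tz=timezone.utc)


def plausible(compiled: datetime, now: datetime) -> bool:
    """Screen out zeroed or future stamps; a plausible value is still unverified."""
    return compiled.year >= 2000 and compiled <= now


def correlate(samples: dict, doc_dates: list, now: datetime, window_days: int = 30) -> dict:
    """For each sample, find the nearest document date and whether it falls in the window."""
    out = {}
    for name, blob in samples.items():
        compiled = pe_compile_time(blob)
        nearest = min(doc_dates, key=lambda d: abs((d - compiled).total_seconds()))
        delta_days = abs((nearest - compiled).total_seconds()) / 86400
        ok = plausible(compiled, now)
        out[name] = {
            "compiled": compiled.isoformat(),
            "nearest_doc": nearest.date().isoformat(),
            "delta_days": round(delta_days, 1),
            "plausible": ok,
            "within_window": ok and delta_days <= window_days,
        }
    return out


def utc(y: int, m: int, d: int) -> datetime:
    return datetime(y, m, d, tzinfo=timezone.utc)


# Constructed inputs: hypothetical document dates and three stub samples.
NOW = utc(2017, 4, 15)
DOC_DATES = [utc(2014, 6, 15), utc(2015, 3, 1), utc(2016, 11, 20)]
SAMPLES = {
    "sample_a": build_stub_pe(int(utc(2014, 6, 10).timestamp())),  # 5 days before a doc
    "sample_b": build_stub_pe(int(utc(2015, 9, 1).timestamp())),   # months from any doc
    "sample_c": build_stub_pe(0),                                  # zeroed stamp
}


def run() -> dict:
    return correlate(SAMPLES, DOC_DATES, NOW)


if __name__ == "__main__":
    for name, result in run().items():
        print(name, result)
```

Run against real samples, replace `SAMPLES` with files read from disk and `DOC_DATES` with the dates taken from the documents; a build toolchain that sets the stamp to zero or to a fixed value (as reproducible-build toolchains do) will show up as `plausible: False` and should be excluded from the correlation rather than counted as a miss.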

Symantec also described the victims generally (including describing what sounds like CIA detasking as soon as they realized they had accidentally attacked a US target).

Longhorn has infiltrated governments and internationally operating organizations, in addition to targets in the financial, telecoms, energy, aerospace, information technology, education, and natural resources sectors. All of the organizations targeted would be of interest to a nation-state attacker.

Longhorn has infected 40 targets in at least 16 countries across the Middle East, Europe, Asia, and Africa. On one occasion a computer in the United States was compromised but, following infection, an uninstaller was launched within hours, which may indicate this victim was infected unintentionally.

Kaspersky offered no such public detail.

Nevertheless, these reports are just one of several developments of late (which I hope to return to) that exhibit the US’ hackers being treated like Russian or Chinese hackers are — as general adversaries outside of their country. If, as seems likely given Symantec’s description of European victims, some of the victims are nominal US allies, that’ll grow worse.

If I’m right, it’s a significant development. It may not equate to a CIA officer being outed. But it may cause far more problems.

Update: As a number of people have made clear, Agee was not responsible for Welch’s death. So I’ve deleted those words.
