EO 12333

1 2 3 17

Data Mining Research Problem Book, Working Thread

Yesterday, Boing Boing liberated a fascinating 2011 GCHQ document from the Snowden collection on GCHQ’s partnership with Heilbronn Institute for Mathematical Research on datamining. It’s a fascinating overview of collection and usage. This will be a working thread with rolling updates.

In addition to BoingBoing’s article, I’ll update with links to other interesting analysis.

[1] The distribution list is interesting for the prioritization, with 4 NSA research divisions preceding GCHQ’s Information and Communications Technology Research unit. Note, too, the presence of Livermore Labs on the distribution list, along with an entirely redacted entry that could either be Sandia (mentioned in the body), a US university, or some corporation. Also note that originally only 18 copies of this were circulated, which raises real questions about how Snowden got to it.

[9] At this point, GCHQ was collecting primarily from three locations: Cheltenham, Bude, and Leckwith.

[9-10] Because of intake restrictions (which I believe other Snowden documents show were greatly expanded in the years after 2011), GCHQ can only have 200 “bearers” (intake points) on “sustained cover” (being tapped) at one time. Each collected at 10G a second. GCHQ cyclically turns on all bearers for 15 minutes at a time to see what traffic is passing that point (which is how they hack someone, among other things). Footnote 2 notes that analysts aren’t allowed to write up reports on this feed, which suggests research, like the US side, is a place where more dangerous access to raw data happens.

[10] Here’s the discussion of metadata and content; keep in mind that this was written within weeks of NSA shutting down its Internet dragnet, probably in part because it was getting some content.

Roughly, metadata comes from the part of the signal needed to set up the communication, and content is everything else. For telephony, this is simple: the originating and destination phone numbers are the metadata, and the voice cut is the content. Internet communications are more complicated, and we lean on legal and policy interpretations that are not always intuitive. For example, in an HTTP request, the destination server name is metadata (because it, or rather its IP address, is needed to transmit the packet), whereas the path-name part of the destination URI is considered content, as it is included inside the packet payload (usually after the string GET or POST). For an email, the to, from, cc and bcc headers are metadata (all used to address the communication), but other headers (in particular, the subject line) are content; of course, the body of the email is also content.

[10] This makes it clear how closely coming up as a selector ties to content collection. Remember, NSA was already relying on SPCMA at this point to collect US person Internet comms, which means their incidental communications would come up easily.

GCHQ’s targeting database is called BROAD OAK, and it provides selectors that the front-end processing systems can look for to decide when to process content. Examples of selectors might be telephone numbers, email addresses or IP ranges.

[11] At the Query-Focused Dataset level (a reference we’ve talked about in the past), they’re dealing with: “the 5-tuple (timestamp, source IP, source port, destination IP, destination port) plus some information on session length and size.”

[11] It’s clear when they say “federated” query they’re talking global collection (note that by this point, NSA would have a second party (5 Eyes) screen for metadata analysis, which would include the data discussed here.

[11] Note the reference to increased analysis on serious crime. In the UK there’s not the split between intel and crime that we have (which is anyway dissolving at FBI). But this was also a time when the Obama Admin’s focus on Transnational Crime Orgs increased our own intel focus on “crime.”

[12] This is why Marco Rubio and others were whining about losing bulk w/USAF: the claim that we are really finding that many unknown targets.

The main driver in target discovery has been to look for known modus operandi (MOs): if we have seen a group of targets behave in a deliberate and unusual way, we might want to look for other people doing the same thing.

Continue reading

Silencing Whistleblowers, 12 Years Later

As reported by Zoe Tillman, Thomas Tamm, the first whistleblower to go to Eric Lichtblau with reports of Stellar Wind, is being investigated for ethical violations by the DC Bar. The complaint alleges he failed to report that people within DOJ were violating their legal obligations to superiors, up to and including the Attorney General, and that he took confidences of his client (which the complaint defines as DOJ) to the press.

The question, of course, is why the Bar is pursuing this now, years after Tamm’s actions became public. Tillman describes the complaint as having had some kind of virgin birth, from Bar members reading the news accounts rather than someone complaining.

D.C. Disciplinary Counsel Wallace Shipp Jr. declined to comment on the charges against Tamm. The ethics case was opened in 2009, but the charges weren’t filed until late December. The disciplinary counsel’s office has working in recent years to clear a backlog of old cases.

Shipp said the disciplinary counsel’s office launched the investigation after reading about Tamm’s case in news reports. It was opened under the office’s name, which generally means there is no outside complainant.

That’s a funny explanation, given that the complaint doesn’t reference the press reports, most notably Michael Isikoff’s 2008 report on Tamm’s whistleblowing, which describes Tamm going to two of his superiors (though not, admittedly, all the way to Attorney General Ashcroft).

It’s unclear to what extent Tamm’s office was aware of the origins of some of the information it was getting. But Tamm was puzzled by the unusual procedures—which sidestepped the normal FISA process—for requesting wiretaps on cases that involved program intelligence. He began pushing his supervisors to explain what was going on. Tamm says he found the whole thing especially curious since there was nothing in the special “program” wiretap requests that seemed any different from all the others. They looked and read the same. It seemed to Tamm there was a reason for this: the intelligence that came from the program was being disguised. He didn’t understand why. But whenever Tamm would ask questions about this within OIPR, “nobody wanted to talk about it.”

At one point, Tamm says, he approached Lisa Farabee, a senior counsel in OIPR who reviewed his work, and asked her directly, “Do you know what the program is?” According to Tamm, she replied: “Don’t even go there,” and then added, “I assume what they are doing is illegal.” Tamm says his immediate thought was, “I’m a law-enforcement officer and I’m participating in something that is illegal?” A few weeks later Tamm bumped into Mark Bradley, the deputy OIPR counsel, who told him the office had run into trouble with Colleen Kollar-Kotelly, the chief judge on the FISA court. Bradley seemed nervous, Tamm says. Kollar-Kotelly had raised objections to the special program wiretaps, and “the A.G.-only cases are being shut down,” Bradley told Tamm. He then added, “This may be [a time] the attorney general gets indicted,” according to Tamm. (Told of Tamm’s account, Justice spokesman Boyd said that Farabee and Bradley “have no comment for your story.”)

Compare that version with how the complaint describes Tamm doing precisely what the complaint says he failed to do.

Respondent learned that these applications involved special intelligence obtained from something referred to as “the program.” When he inquired about “the program” of other members of the Office of Intelligence Policy and Review, he was told by his colleagues that it was probably illegal.

Isikoff describes Tamm going to two of his superiors, “a senior counsel in OIPR who reviewed his work,” and “the deputy OIPR counsel,” the former of one of whom is the one who told him “I assume what they are doing is illegal.” The complaint rewrites that story — what ostensibly is the source of the complaint — and turns these superiors into “colleagues.”

Mind you, according to this story, there is one superior within OIPR to whom Tamm didn’t go: Counsel James Baker. He was the guy who was laundering applications to the FISC in ways Colleen Kollar-Kotelly found unacceptable.

Baker, of course, is currently the General Counsel of FBI, someone who reviews a slew of applications for larger programs, including those that go to FISC.

So 12 years after Tamm leaked DOJ’s secrets to the NYT, he is being investigated by the Bar because he didn’t go to the right superiors with his complaints, one of who just happens to be the FBI General Counsel.

FBI’s Open NSL Requests

DOJ’s Inspector General just released a report of all the recommendations it made prior to September 15, 2015 that are not yet closed. As it explained in the release, the IG compiled the report in response to a congressional request, but they’ve posted (and will continue to post, every 6 months) the report for our benefit as well.

Specifically, we have posted a report listing all recommendations from OIG audits, evaluations, and reviews that we had not closed as of September 30, 2015.  As you will see, most of the recommendations show a status of “resolved,” which indicates that the Department of Justice has agreed with our recommendation, but we have not yet concluded that they have fully implemented it.

As that release made clear, most of the recommendations that have not yet been closed are not open, but resolved, which means DOJ has agreed with the IG’s recommendation but has not fully implemented a fix for that recommendation.

Which leaves the “open” recommendations, which might include recommendations DOJ hasn’t agreed to address or hasn’t told the IG how they’ll address. There are 20 open recommendations in the report, most of which date to 2014. That’s largely because every single one of the 10 recommendations made in the 2014 report on National Security Letters remains open. Here are some of my posts on that report (one, two, three, four, five), but the recommendations pertain to not ingesting out-of-scope information, counting the NSL’s accurately, and maintaining paperwork so as to be able to track NSLs. [Update: as the update below notes, the FBI response to the released report claimed it was responding, in whole or in part, to all 10 recommendations, which means the “open” category here means that FBI has not had time to go back and certify that FBI has done what it said.]

Three of the other still-open recommendations pertain to hiring; they pertain to nepotism, applicants for the civil rights division wanting to enforce civil rights laws (!), and the use of political tests for positions hiring career attorneys (this was the Monica Goodling report). Another still open recommendation suggests DOJ should document why US Attorneys book hotels that are outside cost limits (this pertains, ironically, to Chris Christie’s travel while US Attorney).

The remaining 2 recommendations, both of which date to 2010, are of particular interest.

1/19/2010: A Review of the Federal Bureau of Investigation’s Use of Exigent Letters and Other Informal Requests for Telephone Records

The OIG recommends that the FBI should issue guidance specifically directing FBI personnel that they may not use the practices known as hot number [classified and redacted] to obtain calling activity information from electronic communications service providers.

The first pertains to the IG Report on exigent letters. The report described (starting on PDF 94) how FBI contracted with two providers for “hot number” services that would let them alert the FBI when certain numbers were being used. FBI first contracted for the service with MCI or Verizon, not AT&T (as happened with most tech novelties in this program). The newly released version of the report make it clear that redactions are redacted for b1 (classification), b4 (trade secrets), b7A (enforcement proceedings), and b7E (law enforcement technique). At one point, then General Counsel now lifetime appointed judge Valerie Caproni said the practice did not require Pen Registers.

I find this practice — and FBI’s longstanding unwillingness to forswear it — interesting for two reasons. First, most references to the practice follow “hot number” by a short redaction.

Screen Shot 2016-01-21 at 2.02.30 PM

That suggests “hot number” may just be a partial name. Given that this section makes it clear this was often used with fugitives — just as Stingrays are often most often used — I wonder whether this involved “number” and “site.” That’s especially true since Company C (again, MCI or Verizon) also tracked whether calls were being made from a particular area code or [redacted], suggesting some location tracking function.

I’m also interested in this because “hot numbers” tracks the unauthorized “alert” function the NSA was using with the phone dragnet up until 2009. As you recall, NSA analysts would get an alert if any of thousands of phone numbers got used in a given day, none of which it counted as a contact-chaining session.

In other words, this practice might be related to one or both of these things. And 6 years later, the FBI doesn’t want to forswear the practice.

9/20/2010, A Review of the FBI’s Investigations of Certain Domestic Advocacy Groups

The OIG recommends that the FBI seek to ensure that it is able to identify and document the source of facts provided to Congress through testimony and correspondence, and to the public.

This report (see one of my posts on it) reviewed why the FBI had investigated a bunch of peace and other advocacy groups as international terrorist groups dating back to 2004. ACLU had FOIAed some documents on investigations into Pittsburgh’s peace community. In response, Patrick Leahy started asking for answers, which led to obvious obfuscation from the FBI. And as I noted, even the normally respectable Glenn Fine produced a report that was obviously scoped not to find what it was looking for.

Nevertheless, a key part of the report pertained to FBI’s inability (or unwillingess) to respond to Leahy’s inquiries about what had started this investigation or to explain where the sources of information for their responses came from. (See PDF 56) The FBI, to this day, has apparently refused to agree to commit to be able to document where the information it responds to Congress comes from.

I will have more to say on this now, but I believe this is tantamount to retaining the ability to parallel construct answers for Congress. I’m quite confident that’s what happened here, and it seems that FBI has spent 6 years refusing to give up the ability to do that.

Update:

I didn’t read it when I originally reported in the NSL IG report, but it, like most IG reports, has a response from FBI, which in this case is quite detailed. The FBI claims that it had fulfilled most recommendations well before the report was released.

The response to the open exigent letter recommendation is at PDF 224. It’s not very compelling; it only promised to consider issuing a statement to say “hot number [redacted]” was prohibited.

The response to the 2014 report recommendations start on PDF 226. Of those, the FBI didn’t say they agreed with one part of one recommendations:

  • That the NSL subsystem generate reminders if an agent hasn’t verified return data for manual NSLs (which are sensitive)

In addition, with respect to the data requested with NSLs, FBI has taken out expansive language from manual models for NSLs (this includes an attachment the other discussion of which is redacted), but had not yet from the automated system.

Martin Luther King Jr., Subversives, and the PATRIOT Dragnet

In a superb column today, Alvaro Bedoya recalls the long, consistent history during which people of color and other minorities, including Martin Luther King, Jr., were targeted in the name of national security.

The FBI’s violations against King were undeniably tinged by what historian David Garrow has called “an organizational culture of like-minded white men.” But as Garrow and others have shown, the FBI’s initial wiretap requests—and then–Attorney General Robert Kennedy’s approval of them—were driven by a suspected tie between King and the Communist Party. It wasn’t just King; Cesar Chavez, the labor and civil rights leader, was tracked for years as a result of vague, confidential tips about “a communist background,” as were many others.

Many people know that during World War II, innocent Americans of Japanese descent were surveilled and detained in internment camps. Fewer people know that in the wake of World War I, President Woodrow Wilson openly feared that black servicemen returning from Europe would become “the greatest medium in conveying Bolshevism to America.” Around the same time, the Military Intelligence Division created a special “Negro Subversion” section devoted to spying on black Americans. Near the top of its list was W.E.B. DuBois, a “rank Socialist” whom they tracked in Paris for fear he would “attempt to introduce socialist tendencies at the Peace Conference.”

I think Bedoya, as many people do, gives FBI Director Jim Comey a big pass on surveillance due to the Director’s stunt of having agents-in-training study what the Bureau did to King. I have written about how Comey’s claim to caution in the face of the MLK example don’t hold up to the Bureau’s current, known activities.

Comey engages in similar obfuscation when he points to FBI’s treatment of Martin Luther King Jr., whose treatment at the hands of the FBI he holds up to FBI Agents as a warning. The FBI Director describes the unlimited amount of surveillance the Bureau subjected King to based solely on the signature of Hoover and the Attorney General  “Open-ended. No time limit. No space restriction. No review. No oversight.” While it is true that the FBI now gets court approval to track civil rights leaders, they do track them, especially in the Muslim community. And without oversight, the FBI can and does infiltrate houses of worship with informants, as they did with African-American churches during the Civil Rights movement. FBI can obtain phone and Internet metadata records without judicial oversight using National Security Letters — which they still can’t count accurately to fulfill congressionally mandated reporting. The FBI has many tools that evade the kind of oversight Comey described, and because of technology many of them are far more powerful than the tools wielded against Dr. King.

But I’m particularly interested in Bedoya’s reminder that the government targeted African Americans for surveillance as subversives in the wake of World War I.

The government’s practice of targeting specific kinds of people, often people of color, as subversives continued, after all. It’s something J. Edgar Hoover continued throughout his life, keeping a list of people to be rounded up if anything happened.

I’ve been thinking about that practice as I’ve been trying to explain, even to civil liberties supporters, why the current 2-degree targeted dragnet is still too invasive of privacy. We’ve been having this discussion for 2.5 years, and yet still most people don’t care that completely innocent people 2 degrees — 3, until 2014 — away from someone the government has a traffic-stop level of suspicion over will be subjected to the NSA’s “full analytic tradecraft.”

The discussion of a Subversives List makes me think of this article from 2007 (which I first wrote about here and here). The story explains that the thing that really freaked out the hospital “heroes” in 2004 was not the Internet dragnet itself, but instead the deployment of Stellar Wind against Main Core, which appears to be another name for this Subversives List.

While Comey, who left the Department of Justice in 2005, has steadfastly refused to comment further on the matter, a number of former government employees and intelligence sources with independent knowledge of domestic surveillance operations claim the program that caused the flap between Comey and the White House was related to a database of Americans who might be considered potential threats in the event of a national emergency. Sources familiar with the program say that the government’s data gathering has been overzealous and probably conducted in violation of federal law and the protection from unreasonable search and seizure guaranteed by the Fourth Amendment.

According to a senior government official who served with high-level security clearances in five administrations, “There exists a database of Americans, who, often for the slightest and most trivial reason, are considered unfriendly, and who, in a time of panic, might be incarcerated. The database can identify and locate perceived ‘enemies of the state’ almost instantaneously.” He and other sources tell Radar that the database is sometimes referred to by the code name Main Core. One knowledgeable source claims that 8 million Americans are now listed in Main Core as potentially suspect. In the event of a national emergency, these people could be subject to everything from heightened surveillance and tracking to direct questioning and possibly even detention.

[snip]

Another well-informed source—a former military operative regularly briefed by members of the intelligence community—says this particular program has roots going back at least to the 1980s and was set up with help from the Defense Intelligence Agency. He has been told that the program utilizes software that makes predictive judgments of targets’ behavior and tracks their circle of associations with “social network analysis” and artificial intelligence modeling tools.

“The more data you have on a particular target, the better [the software] can predict what the target will do, where the target will go, who it will turn to for help,” he says. “Main Core is the table of contents for all the illegal information that the U.S. government has [compiled] on specific targets.” An intelligence expert who has been briefed by high-level contacts in the Department of Homeland Security confirms that a database of this sort exists, but adds that “it is less a mega-database than a way to search numerous other agency databases at the same time.”

[snip]

The following information seems to be fair game for collection without a warrant: the e-mail addresses you send to and receive from, and the subject lines of those messages; the phone numbers you dial, the numbers that dial in to your line, and the durations of the calls; the Internet sites you visit and the keywords in your Web searches; the destinations of the airline tickets you buy; the amounts and locations of your ATM withdrawals; and the goods and services you purchase on credit cards. All of this information is archived on government supercomputers and, according to sources, also fed into the Main Core database.

[snip]

Main Core also allegedly draws on four smaller databases that, in turn, cull from federal, state, and local “intelligence” reports; print and broadcast media; financial records; “commercial databases”; and unidentified “private sector entities.” Additional information comes from a database known as the Terrorist Identities Datamart Environment, which generates watch lists from the Office of the Director of National Intelligence for use by airlines, law enforcement, and border posts. According to the Washington Post, the Terrorist Identities list has quadrupled in size between 2003 and 2007 to include about 435,000 names. The FBI’s Terrorist Screening Center border crossing list, which listed 755,000 persons as of fall 2007, grows by 200,000 names a year. A former NSA officer tells Radar that the Treasury Department’s Financial Crimes Enforcement Network, using an electronic-funds transfer surveillance program, also contributes data to Main Core, as does a Pentagon program that was created in 2002 to monitor anti-war protestors and environmental activists such as Greenpeace.

Given what we now know about the dragnet, this article is at once less shocking and more so. Much of the information included — phone records and emails — as well as the scale of the known lists — such as the No Fly List — are all known. Others, such as credit card purchases, aren’t included in what we know about the dragnet, though we have suspected. The purported inclusion of peace protestors, in what appears to be a reference to CIFA, is something I’ll return to.

Mostly, though, this article takes the generally now-known scope of the dragnet and claim that it serves as the function that those Subversives lists from days past have. As such (and assuming it is true in general outline, and I have significant reason to believe it is) it does two things for our understanding. First, it illustrates what I have tried to in the past, what it means to be exposed to the full complement of NSA’s analytical tradecraft. But it also reframes what our understanding of what 2-degree of suspicion from a traffic stop means.

Whether or not this Main Core description is accurate, it invites us to think of this 2-degree dragnet as a nomination process to be on the Subversives list. Unlike in Hoover’s day, when someone had to keep up a deck of index cards, here it’s one interlocking set of data, all coded to serve both as a list and a profiling system for anyone on that list.

To the extent that this dragnet still exists (or has been magnified with the rollout of XKeyscore), and it absolutely does for Muslims 2 degrees from a terrorist suspect, this is what the dragnet is all about: getting you on that list, which serves as a magnet for all the rest of your information to be sucked in and retained, so that if the government ever feels like it has to start cracking down on dissidents, it has that list, and a ton of demographic data, ready at had.

Update: See this Global Research post on COG programs.

AT&T Says Its Voluntary Sharing of Customer Data Is Classified

Back in October, I wondered whether companies would be able to claim they had chosen not to participate in CISA’s voluntary data sharing in their transparency reports. While CISA prohibits the involuntary disclosure of such participation, I don’t know that anything prohibits the voluntary disclosure, particularly of non-participation.

A related question is playing out right now over a shareholder resolution filed by Arjuna Capital asking AT&T to reveal its voluntary sharing with law enforcement and intelligence agencies.

The resolution asks only for a report on sharing that is not legally mandated, and exempts any information that is legally protected.

Resolved, shareholders request that the Company issue a report, at reasonable
expense and excluding proprietary or legally protected information, clarifying the
Company’s policies regarding providing information to law enforcement and
intelligence agencies, domestically and internationally, above and beyond what is legally required by court order or other legally mandated process, whether and how
the policies have changed since 2013, and assessing risks to the Company’s finances
and operations arising from current and past policies and practices.

AT&T has asked the SEC for permission to ignore this resolution based, in part, on the claim that its voluntary cooperation would be a state secret that requires AT&T to effectively Glomar its own shareholders.

Screen Shot 2016-01-14 at 10.08.35 AM

The Sidley Austin opinion cites the Espionage Act for its claim that this information is a state secret. It also pretends this is all about the NSA, when FBI and DEA play a critical role in some of the surveillance AT&T is believed to willingly participate in.

The resolution doesn’t seem to include any question specifically addressing OmniCISA participation, though it was written before final passage of OmniCISA last month.

The response from AT&T raises interesting questions about whether a telecom (or other electronic communications service provider) can be obligated for voluntary activity.

What We Know about the Section 215 Phone Dragnet and Location Data

Last month’s squabble between Marco Rubio and Ted Cruz about USA Freedom Act led a number of USAF boosters to belatedly understand what I’ve been writing for years: that USAF expanded the universe of people whose records would be collected under the program, and would therefore expose more completely innocent people, along with more potential suspects, to the full analytical tradecraft of the NSA, indefinitely.

In an attempt to explain why that might be so, Julian Sanchez wrote this post, focusing on the limits on location data collection that restricted cell phone collection. Sanchez ignores two other likely factors — the probable inclusion of Internet phone calls and the ability to do certain kinds of connection chaining — that mark key new functionalities in the program which would have posed difficulties prior to USAF. But he also misses a lot of the public facts about location collection and cell phones under the Section 215 dragnet.  This post will lay those out.

The short version is this: the FISC appears to have imposed some limits on prospective cell location collection under Section 215 even as the phone dragnet moved over to it, and it was not until August 2011 that NSA started collecting cell phone records — stripped of location — from AT&T under Section 215 collection rules. The NSA was clearly getting “domestic” records from cell phones prior to that point, though it’s possible they weren’t coming from Section 215 data. Indeed, the only known “successes” of the phone dragnet — Basaaly Moalin and Adis Medunjanin — identified cell phones. It’s not clear whether those came from EO 12333, secondary database information that didn’t include location, or something else.

Here’s the more detailed explanation, along with a timeline of key dates:

There is significant circumstantial evidence that by February 17, 2006 — two months before the FISA Court approved the use of Section 215 of the PATRIOT Act to aspire to collect all Americans’ phone records — the FISA Court required briefing on the use of “hybrid” requests to get real-time location data from targets using a FISA Pen Register together with a Section 215 order. The move appears to have been a reaction to a series of magistrates’ rulings against a parallel practice in criminal cases. The briefing order came in advance of the 2006 PATRIOT Act reauthorization going into effect, which newly limited Section 215 requests to things that could be obtained with a grand jury subpoena. Because some courts had required more than a subpoena to obtain location, it appears, FISC reviewed the practice in the FISC — and, given the BR/PR numbers reported in IG Reports, ended, sometime before the end of 2006 though not immediately.

The FISC taking notice of criminal rulings and restricting FISC-authorized collection accordingly would be consistent with information provided in response to a January 2014 Ron Wyden query about what standards the FBI uses for obtaining location data under FISA. To get historic data (at least according to the letter), FBI used a 215 order at that point. But because some district courts (this was written in 2014, before some states and circuits had weighed in on prospective location collection, not to mention the 11th circuit ruling on historical location data under US v. Davis) require a warrant, “the FBI elects to seek prospective CSLI pursuant to a full content FISA order, thus matching the higher standard imposed in some U.S. districts.” In other words, as soon as some criminal courts started requiring a warrant, FISC apparently adopted that standard. If FISC continued to adopt criminal precedents, then at least after the first US v. Davis ruling, it would have and might still require a warrant (that is, an individualized FISA order) even for historical cell location data (though Davis did not apply to Stingrays).

FISC doesn’t always adopt the criminal court standard; at least until 2009 and by all appearances still, for example, FISC permits the collection, then minimization, of Post Cut Through Dialed Digits collected using FISA Pen Registers, whereas in the criminal context FBI does not collect PCTDD. But the FISC does take notice of, and respond to — even imposing a higher national security standard than what exists at some district levels — criminal court decisions. So the developments affecting location collection in magistrate, district, and circuit courts would be one limit on the government’s ability to collect location under FISA.

That wouldn’t necessarily prevent NSA from collecting cell records using a Section 215 order, at least until the Davis decision. After all, does that count as historic (a daily collection of records each day) or prospective (the approval to collect data going forward in 90 day approvals)? Plus, given the PCTDD and some other later FISA decisions, it’s possible FISC would have permitted the government to collect but minimize location data. But the decisions in criminal courts likely gave FISC pause, especially considering the magnitude of the production.

Then there’s the chaos of the program up to 2009.

At least between January 2008 and March 2009, and to some degree for the entire period preceding the 2009 clean-up of the phone and Internet dragnets, the NSA was applying EO 12333 standards to FISC-authorized metadata collection. In January 2008, NSA co-mingled 215 and EO 12333 data in either a repository or interface, and when the shit started hitting the fan the next year, analysts were instructed to distinguish the two authorities by date (which would have been useless to do). Not long after this data was co-mingled in 2008, FISC first approved IMEI and IMSI as identifiers for use in Section 215 chaining. In other words, any restrictions on cell collection in this period may have been meaningless, because NSA wasn’t heeding FISC’s restrictions on PATRIOT authorized collection, nor could it distinguish between the data it got under EO 12333 and Section 215.

Few people seem to get this point, but at least during 2008, and probably during the entire period leading up to 2009, there was no appreciable analytical border between where the EO 12333 phone dragnet ended and the Section 215 one began.

There’s no unredacted evidence (aside from the IMEI/IMSI permission) the NSA was collecting cell phone records under Section 215 before the 2009 process, though in 2009, both Sprint and Verizon (even AT&T, though to a much less significant level) had to separate out their entirely foreign collection from their domestic, meaning they were turning over data subject to EO 12333 and Section 215 together for years. That’s also roughly the point when NSA moved toward XML coding of data on intake, clearly identifying where and under what authority it obtained the data. Thus, it’s only from that point forward where (at least according to what we know) the data collected under Section 215 would clearly have adhered to any restrictions imposed on location.

In 2010, the NSA first started experimenting with smaller collections of records including location data at a time when Verizon Wireless was named on primary orders. And we have two separate documents describing what NSA considered its first collection of cell data under Section 215 on August 29, 2011. But it did so only after AT&T had stripped the location data from the records.

It appears Verizon never did the same (indeed, Verizon objected to any request to do so in testimony leading up to USAF’s passage). The telecoms used different methods of delivering call records under the program. In fact, in August 2, 2012, NSA’s IG described the orders as requiring telecoms to produce “certain call detail records (CDRs) or telephony metadata,” which may differentiate records that (which may just be AT&T) got processed before turning over. Also in 2009, part of Verizon ended its contract with the FBI to provide special compliance with NSLs. Both things may have affected Verizon’s ability or willingness to custom what it was delivering to NSA, as compared to AT&T.

All of which suggests that at least Verizon could not or chose not to do what AT&T did: strip location data from its call records. Section 215, before USAF, could only require providers to turn over records they kept, it could not require, as USAF may, provision of records under the form required by the government. Additionally, under Section 215, providers did not get compensated after the first two dragnet orders.

All that said, the dragnet has identified cell phones! In fact, the only known “successes” under Section 215 — the discovery of Basaaly Moalin’s T-Mobile cell phone and the discovery of Adis Medunjanin’s unknown, but believed to be Verizon, cell phone — did, and they are cell phones from companies that didn’t turn over records. In addition, there’s another case, cited in a 2009 Robert Mueller declaration preceding the Medunjanin discovery, that found a US-based cell phone.

There are several possible explanations for that. The first is that these phones were identified based off calls from landlines and/or off backbone records (so the phone number would be identified, but not the cell information). But note that, in the Moalin case, there are no known land lines involved in the presumed chain from Ayro to Moalin.

Another possibility — a very real possibility with some of these — is that the underlying records weren’t collected under Section 215 at all, but were instead collected under EO 12333 (though Moalin’s phone was identified before Michael Mukasey signed off on procedures permitting the chaining through US person records). That’s all the more likely given that all the known hits were collected before the point in 2009 when the FISC started requiring providers to separate out foreign (EO 12333) collection from domestic and international (Section 215) collection. In other words, the Section 215 phone dragnet may have been working swimmingly up until 2009 because NSA was breaking the rules, but as soon as it started abiding by the rules — and adhering to FISC’s increasingly strict limits on cell location data — it all of a sudden became virtually useless given the likelihood that potential terrorism targets would use exclusively cell and/or Internet calls just as they came to bypass telephony lines. Though as that happened, the permissions on tracking US persons via records collected under EO 12333, including doing location analysis, grew far more permissive.

In any case, at least in recent years, it’s clear that by giving notice and adjusting policy to match districts, the FISC and FBI made it very difficult to collect prospective location records under FISA, and therefore absent some means of forcing telecoms to strip their records before turning them over, to collect cell data.

Continue reading

The Three Kinds of Dragnet Searches NSA Did When Only Doing Contact Chaining

This is going to be a weedy post in which I look at a key detail revealed by 2010 NSA Inspector General reviews of the Section 215 phone dragnet. The document was liberated by Charlie Savage last year.

At issue is the government’s description, in the period after the Snowden leaks, of what kind of searches it did on the Section 215 phone dragnet. The searches the government did on Section 215 dragnet data are critical to understanding a number of things: the reasons the parallel Internet dragnet probably got shut down in 2011, the squeals from people like Marco Rubio about things the government lost in shutting down the dragnet, and the likely scope of collection under USA Freedom Act.

Throughout the discussion of the phone dragnet, the administration claimed it was used for “contact chaining” — that is, exclusively to show who was within 3 (and starting in 2014, 2) degrees of separation, by phone calls [or texts, see update] made, from a suspected terrorist associate.

Here’s how the administration’s white paper on the program described it in 2013.

This telephony metadata is important to the Government because, by analyzing it, the Government can determine whether known or suspected terrorist operatives have been in contact with other persons who may be engaged in terrorist activities, including persons and activities within the United States. The program is carefully limited to this purpose: it is not lawful for anyone to query the bulk telephony metadata for any purpose other than counterterrorism, and Court-imposed rules strictly limit all such queries.

Though some claims to Congress and the press were even more definitive that this was just about contact chaining.

The documents on the 2009 violations released under FOIA made it clear that, historically at least, querying wasn’t limited to contact chaining. Almost every reference in these documents to the scope of the program includes a redaction after “contact chaining” in the description of the allowable queries. Here’s one of many from the government’s first response to Reggie Walton’s questions about the program.

Screen Shot 2016-01-05 at 10.48.44 AM

The redaction is probably something like “pattern analysis.”

Because the NSA was basically treating all Section 215 data according to the rules governing EO 12333 in 2009 (indeed, at the beginning of this period, analysts couldn’t distinguish the source of the two authorizations), it subjected the data to a number of processes that did not fit under the authorization in the FISC orders — things like counts of all contacts and automatic chaining on identifiers believed to be the same user as one deemed to have met the Reasonable Articulable Standard. The End to End report finished in summer 2009 described one after another of these processes being shut down (though making it clear it wanted to resume them once it obtained FISC authorization). But even in these discussions, that redaction after “contact chaining” remained.

Screen Shot 2016-01-05 at 11.00.33 AM

Even in spite of this persistent redaction, the public claims this was about contact chaining gave the impression that the pattern analysis not specifically authorized by the dragnet orders also got shut down.

The IG Reports that Savage liberated gives a better sense of precisely what the NSA was doing after it cleared up all its violations in 2009.

The Reports were ordered up by the FISC and covered an entire year of production (there was a counterpart of the Internet dragnet side, which was largely useless since so much of that dragnet got shut down around October 30, 2009 and remained shut down during this review period).

The show several things:

  • NSA continued to disseminate dragnet results informally, even after Reggie Walton had objected to such untrackable dissemination
  • Data integrity techs could — and did on one occasion, which was the most significant violation in the period — access data directly and in doing so bypass minimization procedures imposed on analysts (this would be particularly useful in bypassing subject matter restrictions)
  • Already by 2010, NSA did at least three different kinds of queries on the database data: in addition to contact chaining, “ident lookups,” and another query still considered Top Secret

It’s the last item of interest here.

The first thing to understand about the phone dragnet data is it could be queried two places: the analyst front-end (the name of which is always redacted), and a “Transaction Database” that got replaced with something else in 2011. (336)

Screen Shot 2015-08-29 at 7.08.12 PM

Basically, when the NSA did intake on data received from the telecoms, it would create a table of each and every record (which is I guess where the “transaction” name came from), while also making sure the telecoms didn’t send illegal data like credit card information.

Doing queries in the Transaction Database bypassed search restrictions. The March 2010 audit discovered a tech had done a query in the Transaction Database using a selector the RAS approval (meaning NSA had determined there was reasonable articulable suspicion that the selector had some tie to designated terrorist groups and/or Iran) of which had expired. The response to that violation, which NSA didn’t agree was a violation, was to move that tech function into a different department at NSA, away from the analyst function, which would do nothing to limit such restriction free queries, but would put a wall between analysts and techs, making it harder for analysts to ask techs to perform queries they would be unable to do.

Because the direct queries done for data integrity purposes were not subject to auditing under the phone dragnet orders, the monthly reports distinguished between those and analyst queries, the latter of which were audited to be sure they were RAS approved. But as the April 2010 report and subsequent audits showed, analysts also would do an “ident lookup.” (83)

Screen Shot 2015-08-29 at 2.16.18 PM

The report provided this classified/Five Eyes description of “ident lookups.”

Screen Shot 2015-08-29 at 2.19.12 PM

The Emphatic Access Restriction was a tool implemented in 2009 to ensure that analysts only did queries on RAS-approved selectors. What this detail reveals is that, rather than consulting a running list somewhere to see whether a selector was RAS approved, analysts would instead try to query, and if the query failed, that’s how they would learn the selector was not RAS approved.

We can’t be sure, but that suggests RAS approval went beyond simple one-to-one matching of identifiers. It’s possible an ident lookup needed to query the database to see if the data showed a given selector (say, a SIM card) matched another selector (say, a phone number) which had been RAS approved. It might go even further, given that NSA had automatically done searches on “correlated” numbers (that is, on a second phone number deemed to belong to the same person as the approved primary number that had been RAS approved). At least, that’s something NSA had done until 2009 and said it wanted to resume.

In other words, the fact that an ident lookup query queried the data and not just a list of approved selectors suggests it did more than just cross-check the RAS approval list: at some level it must tested the multiple selectors associated with one user to see if the underlying selectors were, by dint of the user himself being approved, themselves approved.

Indent lookups appear fairly often in these IG reports. Less frequent is an entirely redacted kind of query such as described but redacted in the September 2010 report. (166)

Screen Shot 2015-08-29 at 3.41.18 PM

The footnote description of that query is classified Top Secret NOFORN and entirely redacted.

Screen Shot 2015-08-29 at 3.49.14 PM

I have no idea what that query would be, but it’s clear it is done on the analyst facing interface, and only on RAS approved selectors.

The timing of this third query is interesting. Such queries appear in the September and October 2010 audits. That was a period when, in the wake of the July 2010 John Bates approval to resume the Internet dragnet, they were aligning the two programs again (or perhaps even more closely than they had been in 2009). It also appears after a new selector tracking tool got introduced in June 2010. That said, I’m unaware of anything in the phone dragnet orders that would have expanded the kinds of queries permitted on the phone dragnet data.

We know they had used the phone dragnet until 2009 to track burner phones (that is, matching calling patterns of selectors unknown to have a connection to determine which was a user’s new phone). We know that in November 2012, FISC approved an automated query process, though NSA never managed to implement it technically before Obama decided to shut down the dragnet. We also know that in 2014 they started admitting they were also doing “connection” chaining (which may be burner phone matching or may be matching of selectors). All are changes that might relate to more extensive non-chain querying.

We also don’t know whether this kind of query persisted from 2010 until last year, when the dragnet got shut down. I think it possible that the reasons they shut down the Internet dragnet in 2011 may have implicated the phone dragnet.

The point, though, is that at least by 2010, NSA was doing non-chain queries of the entire dragnet dataset that it considered to be approved under the phone dragnet orders. That suggests by that point, NSA was using the bulk set as a set already (or, more accurately, again, after the 2009 violations) by September 2010.

Last March James Clapper explained the need to retain records for a period of time, he justified it by saying you needed the historical data to discern patterns.

Q: And just to be clear, with the private providers maintaining that data, do you feel you’ve lost an important tool?

Clapper: Not necessarily. It will depend though, for one, retention period. I think, given the attitude today of the providers, they will probably do all they can to minimize the retention period. Which of course, from our standpoint, lessens the utility of the data, because you do need some — and we can prove this statistically — you do need some historical data in order to, if you’re gonna discern a pattern. And again, 215 to me, is much like my fire insurance policy. You know, my house has never burned down but every year I buy fire insurance just in case.

This would be consistent with the efforts to use the bulk dataset to find burner identities, at a minimum. It would also be consistent with Marco Rubio et al’s squeals about needing the historical data. And it would be consistent with the invocation of the National Academy of Sciences report on bulk data (though not on the phone dragnet), which NSA’s General Counsel raised in a Lawfare post today.

In other words, contrary to public suggestions, it appears NSA was using the phone dragnet to conduct pattern analysis that required the bulk dataset. That’s not surprising, though it is something the NSA suggested they weren’t doing.

They surely are still doing that on the larger EO 12333 dataset, along with a lot more complex kinds of analysis. But it seems some, like Rubio, either think we need to return to such bulk pattern analysis, or has used the San Bernardino attack to call to resume more intrusive spying.

Update: One of the other things the IG Reports make clear is that NSA was (unsurprisingly) collecting records of non-simultaneous telephone transactions. That became an issue when, in 2011, NSA started to age-off 5 year old data, because they would have some communication chains that reflected communications that were more than 5 years old but which were obtained less than 5 years before.

Screen Shot 2015-08-29 at 6.18.57 PM

My guess is this reflects texting chains that continued across days or weeks.

Why Tell the Israeli Spying Story Now?

“Intelligence professionals have a saying: There are no friendly intelligence services,” the WSJ describes former House Intelligence Chair Mike Rogers saying, on the record. While there’s no way of telling — particularly not with WSJ’s described “more than two dozen current and former U.S. intelligence and administration officials” sources behind it’s blockbuster story on US spying on Bibi Netanyahu and other Israelis, Rogers is a likely candidate for some of the other statements attributed to “former US officials,” a moniker that can include agency officials, consultants, and members of Congress.

Which is awfully funny, given that two of the people squealing most loudly in response to the story are Rogers’ immediate predecessor, Crazy Pete Hoekstra, who called it a “Maybe unprecedented abuse of power,” and successor, Devin Nunes, who has already started an investigation into the allegations in the story.

It is the height of hypocrisy for these men, who have been privy to and by their silence have assented to this and, in Crazy Pete’s case, far worse patently illegal spying, to wail about a story that shows the Administration abiding by NSA minimization procedures they’ve both celebrated as more than adequate to protect US person privacy. If NSA’s minimization procedures are inadequate to protect US persons, the first thing Nunes should do is repeal FISA Amendments Act, which can expose far more people than the tailored, presumably EO 12333 tap placed on Bibi, not to mention OmniCISA, which can be targeted at Americans and will have even fewer protections for US persons.

The immediate attempt by a bunch of surveillance maximalists to turn compliant spying into a big scandal raises the question of why this story is coming out now, not incidentally just after Iran turned over its uranium stockpile over to Russia and in the process achieved another big step of the Iran deal.

I’m not in any way meaning to slight the WSJ reporting. Indeed, the story seems to show a breadth of sources that reflect a broad range of interests, and as such is not — as would otherwise be possible — Mike Rogers attempting to leak something to the WSJ so his fellow Republicans can make a stink about things.

This story includes “current and former U.S. officials” providing a list of leaders they claim were detasked from spying in 2014 — François Hollande, Angela Merkel, and other NATO leaders — and those they claim were not — along with Bibi Netanyahu, Turkey’s leader Recep Tayyip Erdogan. Of course, like James Clapper’s claim that Edward Snowden’s leaks forced the NSA to shut down its full take spying on Afghanistan, this “confirmation” may instead have been an effort to cover for collection that has since been restarted, especially given the story’s even more revealing explanation that, “Instead of removing the [surveillance] implants, Mr. Obama decided to shut off the NSA’s monitoring of phone numbers and email addresses of certain allied leaders—a move that could be reversed by the president or his successor.” Obama did not eliminate the infrastructure that allows him to request surveillance (in actually, monitoring of surveillance going on in any case) to be turned on like a switch, and this WSJ article just conveyed that detail to Hollande and Merkel.

So the story could serve as disinformation to cover up restarted surveillance, and it could serve as a cue for the bogus, unbelievably hypocritical political scandal that Crazy Pete and Nunes appear to want to make it.

But I’m just as interested in the dick-waving in the story.

Some of the most interesting details in the story — once you get beyond the wailing of people like Crazy Pete and Devin Nunes probably swept up in intercepts described in the story — pertain to what NSA did and did not learn about Bibi’s efforts, largely executed through Israeli Ambassador to the US Ron Dermer, to thwart the Iran deal. A key detail here is that while (it is implied) NSA destroyed most or all of the intercepts involving members of Congress directly with Bibi, they passed on (with US person identities masked) the reports back through foreign ministry channels of discussions with or on behalf of Bibi.

The NSA has leeway to collect and disseminate intercepted communications involving U.S. lawmakers if, for example, foreign ambassadors send messages to their foreign ministries that recount their private meetings or phone calls with members of Congress, current and former officials said.

“Either way, we got the same information,” a former official said, citing detailed reports prepared by the Israelis after exchanges with lawmakers.

In other words, NSA might not pass on the intercepts of calls members of Congress had with Bibi directly, but they would pass on the reports that Dermer or Bibi’s aides would summarize of such discussions. And according to “a former official” (curiously not described as high ranking) by passing on the reports of such conversations, “we got the same information.”

Usually, but not always, according to the story.

It describes that “Obama administration officials” (which may but probably doesn’t include intelligence officials) didn’t learn about John Boehner’s invitation to Bibi to address Congress ahead of time, even though Boehner extended that invite through Dermer.

On Jan. 8, John Boehner, then the Republican House Speaker, and incoming Republican Senate Majority Leader Mitch McConnell agreed on a plan. They would invite Mr. Netanyahu to deliver a speech to a joint session of Congress. A day later, Mr. Boehner called Ron Dermer, the Israeli ambassador, to get Mr. Netanyahu’s agreement.

Despite NSA surveillance, Obama administration officials said they were caught off guard when Mr. Boehner announced the invitation on Jan. 21.

According to the description of the article, this call should have been fair game to be shared with the White House as a report through the foreign ministry, but either wasn’t reported through normal channels on the Israeli side or NSA didn’t pass it along.

But, according to the story, the White House did get many of the details about Dermer’s attempt to scotch the Iran deal.

The NSA reports allowed administration officials to peer inside Israeli efforts to turn Congress against the deal. Mr. Dermer was described as coaching unnamed U.S. organizations—which officials could tell from the context were Jewish-American groups—on lines of argument to use with lawmakers, and Israeli officials were reported pressing lawmakers to oppose the deal.

[snip]

A U.S. intelligence official familiar with the intercepts said Israel’s pitch to undecided lawmakers often included such questions as: “How can we get your vote? What’s it going to take?”

Let me interject and note that, if the people squealing about these intercepts weren’t such raging hypocrites, I might be very concerned about this.

Consider the Jane Harman case. In 2009 it got reported that NSA and FBI collected conversations Jane Harman had (probably on an individual FISA wiretap) with AIPAC suspects in which Harman allegedly agreed to help squelch the criminal investigation into the organization in exchange for help getting the Chairmanship of the House Intelligence Committee. The position, not incidentally, that all the people (save Mike Rogers, who seems to have had no problem with them) squealing about these intercepts have held or currently hold. At least according to 2009 reports on this, lawyers in then Attorney General Alberto Gonzales’ DOJ considered criminal charges against Harman, but chose not to pursue them, because Gonzales — who had criminally, personally authorized the Stellar Wind program in March 2004 — needed Harman’s support in advance of NYT breaking the Stellar Wind story at the end of 2005. That suggests (if these stories are to be believed) Gonzales used Harman’s purported criminal exposure to get protection against his own.

Now, Crazy Pete was out of power well before these particular intercepts were described (though may have his own reason to be concerned about what such intercepts revealed), but in the same period, Devin Nunes got himself appointed HPSCI Chair, just like AIPAC was allegedly brokering with Harman. He got himself appointed HPSCI Chair by the guy, Boehner, who invited Bibi to address Congress.

And what were AIPAC and other groups — who allegedly were offering congressional leadership posts back in 2005 — offering lawmakers last year to oppose the Iran deal? “What’s it going to take?” the intercepts apparently recorded.

What were they offering?

This is the reason permitting lawmakers’ communications to be incidentally collected is such a risk — because it collects the sausage-making behind legislative stances — but also defensible — because it might disclose untoward quid pro quo by foreign governments of members of Congress. It is a real concern that the Executive is collecting details of Congress’ doings. More protections, both for Members of Congress and for regular schlubs, are needed. But wiretapping the incidentally collected communications with foreign leaders is not only solidly within the parameters of Congressionally-approved NSA spying, but may sometimes be important to protect the US.

That’s the kind of the thing the White House may have seen outlines of in the reports it got on Darmer’s attempts — though the report indicates that Democratic lawmakers and Israelis who supported the Iranian deal (probably including former Mossad head Efraim Halevy, who was criticizing Bibi and Darmer’s efforts in real time) were sharing details of Darmer’s efforts directly with the White House.

In the final months of the campaign, NSA intercepts yielded few surprises. Officials said the information reaffirmed what they heard directly from lawmakers and Israeli officials opposed to Mr. Netanyahu’s campaign—that the prime minister was focused on building opposition among Democratic lawmakers.

Which brings me to the dick-waving part. Here’s the last line of the WSJ story.

The NSA intercepts, however, revealed one surprise. Mr. Netanyahu and some of his allies voiced confidence they could win enough votes.

Some of this story is likely to be disinformation for our allies, much of this story seems to be warning (both friendly and unfriendly) to those likely implicated by the intercepts. But this just seems like dick-waving, the spook-and-politician equivalent of spiking the football and doing a lewd dance in the end zone. The Israelis surely knew all the monitoring was going on (even if members of Congress may have been stupid about them), especially given the way John Kerry, as laid out in the story, raised concerns about Israeli spying during negotiations. But this line, the final reveal in the story, mocks the Israelis and their American interlocutors for assuming they had enough to offer — “What’s it going to take to get your vote?”– to kill the Iran deal.

This may, in part, be an effort to get those implicated in the intercepts to exercise some more caution. But it also seems to be a victory dance, just as Russia ships away Iran’s uranium stockpiles.

What a Social Media Check for Visas Would Require

There’s a bunch of fevered commentary arising out of the report that Tashfeen Malik, one of the perpetrators of the San Bernardino attack, espoused extremism on Facebook before she entered the country. Otherwise sane members of Congress are submitting legislation calling for the government to review social media before granting a visa.

Here’s why that’s dumb.

First, let’s look at whether the State Department really could have found Malik’s posting before granting her a K1 visa. As CNN reported, Malik hadn’t actually been plotting jihad in the open, as much of the reporting on this suggests.

Tashfeen Malik advocated jihad in messages on social media, but her comments were made under a pseudonym and with strict privacy settings that did not allow people outside a small group of friends to see them, U.S. law enforcement officials told CNN on Monday.

[snip]

The New York Times reported on Sunday that U.S. immigration officials conducted three background checks on Malik when she emigrated from Pakistan but allegedly did not uncover social media postings in which she said she supported violent jihad and wanted to be a part of it.

According to the law enforcement officials, because Malik used a pseudonym and privacy controls, her postings would not have been found even if U.S. authorities had reviewed social media as part of her visa application process.

A U.S. official told CNN shortly after the San Bernardino attack that the United States only recently began reviewing the social media activity of visa applicants from certain countries. The date that these types of reviews began is not clear, but it was after Malik was considered, the source said.

So to get to the posts in question, someone would have had to match her pseudonym to a known identifier of hers, access her private communication, and then translate it from Urdu.

The NSA (though not State) actually has the ability to do that. They’d probably find her pseudonym either the way the FBI reportedly did, by giving Facebook her known email which they’d find was tied to that account, or they’d stick known identifiers (including name, email, credit card with which she paid her visa fee) into a tool the NSA has for correlating identities.

This process would be helped, of course, if DHS’ online visa application system was working, because that would not only increase the chances you’d get a working email for the applicant, but it would also give you at least one IP address you could also correlate on. But the effort to do that has become the worst kind of boondoggle, with a billion dollars spent and just one online form working. So this whole process would be started with less certainty attached to any online identifier.

The NSA also has the ability to read private posts — on Facebook at least. Given that at the time Malik applied for her visa she was neither a US person (I’m still not certain whether she would have been treated as a US person just with a fiance visa, on application for a Green Card, or on receipt of one), nor in the country, NSA could have used PRISM (with the added benefit that it would provide a bunch more identities to check).

Of course, you’d also want to check non-US social media, like Telegram (which ISIS has reportedly been using) and Vkontakte (which the Tsarnaev brothers used). That’s going to be harder to do.

Finally, you’d have to translate any posts Malik wrote from Urdu to English. While an initial translation could be done by machine, to understand any subtleties of the posting, you’d need to get a human translator to do the work, and even for key languages like Urdu and Arabic, the government has far too few translators.

So you could do such a check, at least for US-based social media, but you’d have to involve the NSA.

Now consider the resource demands of doing this. There are upwards of 450,000 immigrant visas issued each year.  There are another 750,000 student and temporary work visas, both categories of which are closer to a typical terrorist profile than a fiance visa (that doesn’t include exchange visitors and a range of other kinds of work visas).

Last year, the government targeted 92,000 people under Section 702, which you’d have  to use to get just private (not encrypted) communications. So you’d have to do an order of magnitude more PRISM searches every year to thoroughly check the social media of just the most obvious visa applicants. You’d either have to vastly expand NSA’s workstaff — and require key social media providers, like Facebook, to do the same just to stay ahead of compliance requests — or you’d have to pull them off of investigating targets about which they have some reason to be interested already.

Of course, if you did that — if you passed a law requiring all immigrants and long term visa applicants to be checked — then you’d make it far easier for people to evade detection, because you’d be alerting the few people who’d want to evade detection that you would check their accounts. They could then move to social media, like Telegram, that the US would have a harder time checking, and encrypt their messages.

Moreover, you’d be making this great effort at a time when much more obvious problems (such as that online form!) haven’t been fixed. Most importantly, since 9/11, it has been a top priority to track the exits of short term visitors (including those people with visa waivers), and the government still hasn’t managed that yet. If you want to make America more safe, you’d be far better served finally fixing that problem than reading a million people’s secret social media posts.

NSA Propagandist John Schindler Suggests Boston Marathon Terrorist Attack Not “Major Jihadist Attack”

NSA propagandist John Schindler has used the San Bernardino attack as an opportunity to blame Edward Snowden for the spy world’s diminished effectiveness, again.

Perhaps the most interesting detail in his column is his claim that 80% of thwarted attacks come from an NSA SIGINT hit.

Something like eighty percent of disrupted terrorism cases in the United States begin with a SIGINT “hit” by NSA.

That’s mighty curious, given that defendants in these cases aren’t getting notice of such SIGINT hits, as required by law, as ACLU’s Patrick Toomey reminded just last week. Indeed, the claim is wholly inconsistent with the claims FBI made when it tried to claim the dragnet was effective after the Snowden leaks, and inconsistent with PCLOB’s findings that the FBI generally finds such intelligence on its own. Whatever. I’m sure the discrepancy is one Schindler will be able to explain to defense attorneys when they subpoena him to explain the claim.

Then there’s Schindler’s entirely illogical claim that the shut-down of the phone dragnet just days before the attack might have helped to prevent it.

The recent Congressionally-mandated halt on NSA holding phone call information, so-called metadata, has harmed counterterrorism, though to what extent remains unclear. FBI Director James Comey has stated, “We don’t know yet” whether the curtailing of NSA’s metadata program, which went into effect just days before the San Bernardino attack, would have made a difference. Anti-intelligence activists have predictably said it’s irrelevant, while some on the Right have made opposite claims. The latter have overstated their case but are closer to the truth.

As Mike Lee patiently got Jim Comey to admit last week, if the Section 215 phone dragnet (as opposed to the EO 12333 phone dragnet, which remains in place) was going to prevent this attack, it would have.

Schindler then made an error that obscures one of the many ways the new phone dragnet will be better suited to counterterrorism. Echoing a right wing complaint that the government doesn’t currently review social media accounts as part of the visa process, he claimed “Tashfeen Malik’s social media writings [supporting jihad] could have been easily found.” Yet at least according to ABC, it would not have been so easy. “Officials said that because Malik used a pseudonym in her online messages, it is not clear that her support for terror groups would have become known even if the U.S. conducted a full review of her online traffic.” [See update.] Indeed, authorities found the Facebook post where Malik claimed allegiance to ISIS by correlating her known email with her then unknown alias on Facebook. NSA’s new phone program, because it asks providers for “connections” as well as “contacts,” is far more likely to identify multiple identities that get linked by providers than the old program (though it is less likely to correlate burner identities via bulk analysis).

Really, though, whether or not the dragnet could have prevented San Bernardino which, as far as is evident, was carried out with no international coordination, is sort of a meaningless measure of NSA’s spying. To suggest you’re going to get useful SIGINT about a couple who, after all lived together and therefore didn’t need to use electronic communications devices to plot, is silliness. A number of recent terrorist attacks have been planned by family members, including one cell of the Paris attack and the Charlie Hebdo attack, and you’re far less likely to get SIGINT from people who live together.

Which brings me to the most amazing part of Schindler’s piece. He argues that Americans have developed a sense of security in recent years (he of course ignores right wing terrorism and other gun violence) because “the NSA-FBI combination had a near-perfect track record of cutting short major jihadist attacks on Americans at home since late 2001.” Here’s how he makes that claim.

Making matters worse, most Americans felt reasonably safe from the threat of domestic jihadism in recent years, despite repeated warnings about the rise of the Islamic State and terrible attacks like the recent mass-casualty atrocity in Paris. Although the November 2009 Fort Hood massacre, perpetrated by Army Major Nidal Hasan, killed thirteen, it happened within the confines of a military base and did not involve the general public.

Two months before that, authorities rolled up a major jihadist cell in the New York City area that was plotting complex attacks that would have rivalled the 2005 London 7/7 atrocity in scope and lethality. That plot was backed by Al-Qa’ida Central in Pakistan and might have changed the debate on terrorism in the United States, but it was happily halted before execution – “left of boom” as counterterrorism professionals put it.

Jumping from the 2009 attacks (and skipping the 2009 Undiebomb and 2010 Faisal Shahzad attempts) to the Paris attack allows him to suggest any failure to find recent plots derives from Snowden’s leaks, which first started in June 2013.

However, the effectiveness of the NSA-FBI counterterrorism team has begun to erode in the last couple years, thanks in no small part to the work of such journalists-cum-activists. Since June 2013, when the former NSA IT contactor [sic] Edward Snowden defected to Moscow, leaking the biggest trove of classified material in all intelligence history, American SIGINT has been subjected to unprecedented criticism and scrutiny.

There is, of course, one enormous thing missing from Schindler’s narrative of NSA perfection: the Boston Marathon attack, committed months before the first Snowden disclosures became public. Indeed, even though the NSA was bizarrely not included in a post-Marathon Inspector General review of how the brothers got missed, it turns out NSA did have intelligence on them (Tamerlan Tsarnaev was in international contact with known extremists and also downloaded AQAP’s Inspire magazine repeatedly). Only, that intelligence got missed, even with the multiple warnings from FSB about Tamerlan.

Perhaps Schindler thinks that Snowden retroactively caused the NSA to overlook the intelligence on Tamerlan Tsarnaev? Perhaps Schindler doesn’t consider an attack that killed 3 and injured 260 people a “major jihadist attack”?

It’s very confusing, because I thought the Boston attack was a major terrorist attack, but I guess right wing propagandists trying to score points out of tragedy can ignore such things if it will spoil their tale of perfection.

Update: LAT reports that Malik’s Facebook posts were also private, on top of being written under a pseudonym. Oh, and also in Urdu, a language the NSA has too few translators in. The NSA (but definitely not the State Department) does have the ability to 1) correlate IDs to identify pseudonyms, 2) require providers to turn over private messages — they could use PRISM and 3) translate Urdu to English. But this would be very resources intensive and as soon as State made it a visa requirement, anyone trying to could probably thwart the correlation process.

1 2 3 17
Emptywheel Twitterverse
bmaz @tomwatson @SusanSarandon @SenSanders No, because, once again, this perceived slight is complete garbage. Seriously, you need to get a grip.
8mreplyretweetfavorite
bmaz @KellyFlood3 Hey Buddy!
10mreplyretweetfavorite
bmaz @ryanlcooper Which is not to say that greater economic equality couldn't be a positive step on racism though. It certainly would be.
15mreplyretweetfavorite
bmaz @ryanlcooper I've been to Sanders stump live, he never says that and neither does anybody else I know.
15mreplyretweetfavorite
emptywheel @drvox Doesn't that undermine your entire comic book BernieBro arg? You said, "Well, these past events were bc of right wing nuts."
19mreplyretweetfavorite
emptywheel RT @wizardkitten: Staring to think there is a Reagan birthday curse surrounding Dem messaging today.... https://t.co/sP5s7deEzY
20mreplyretweetfavorite
bmaz @MonaHol This is spot on in many ways https://t.co/R7SC8wlDjs
27mreplyretweetfavorite
bmaz The case against Hillary Clinton https://t.co/R7SC8wlDjs An excellent and sober look at the substantive issues with a Clinton Presidency.
32mreplyretweetfavorite
emptywheel @beardedcrank Lehman, Goldman will be issue for Kasich, Jeb, Cruz if they get nomination. But that's all a bit more. @nickconfessore
36mreplyretweetfavorite
emptywheel @nickconfessore Well, and that she's a Democrat. Don't imagine Condi's post-State speeches would ever cause her same problem if she ran.
41mreplyretweetfavorite
emptywheel Hoping new Beyonce video makes NFL think back to Janet's boob with nostalgia and fear.
43mreplyretweetfavorite
February 2016
S M T W T F S
« Jan    
 123456
78910111213
14151617181920
21222324252627
2829