EO 12333

FBI Is Not “Surveilling” WikiLeaks Supporters in Its Never-Ending Investigation; Is It “Collecting” on Them?

The FOIA for records on FBI’s surveillance of WikiLeaks supporters substantially ended yesterday (barring an appeal) when Judge Barbara Rothstein ruled against EPIC. While she did order National Security Division to do a more thorough search for records, she basically said the agencies had properly withheld records under Exemption 7(A) for its “multi-subject investigation into the unauthorized disclosure of classified information published on WikiLeaks, which is ‘still active and ongoing’ and remains in the investigative stage.” (Note, the claim that the investigation is still in what FBI calls an investigative stage, which I don’t doubt, is nevertheless dated, as the most recent secret declarations in this case appear to have been submitted on April 25, 2014, though Rothstein may not have read them until after she approved such ex parte submissions on July 29 of last year.)

In so ruling, Rothstein has dodged a key earlier issue, which is that all three entities EPIC FOIAed (DOJ’s Criminal and National Security Division and FBI) invoked a statutory Exemption 3 from FOIA, but refused to explain what statute they were using.

2 Defendants also rely on Exemptions 1, 3, 5, 6, 7(C), 7(D), 7(E), and 7(F). The Court, finding that Exemption 7(A) applies, does not discuss whether these alternative exemptions may apply.

I have argued — and still strongly suspect — that the government was relying, in part, on Section 215 of PATRIOT, as laid out in this post.

In addition to the Exemption 3 issue Rothstein dodged, though, there were three other issues that were of interest in this case.

First, we’ve learned in the 4 years since EPIC filed this FOIA that their request falls in the cracks of the language the government uses about its own surveillance (which it calls intelligence, not surveillance). EPIC asked for:

  1. All records regarding any individuals targeted for surveillance for support for or interest in WikiLeaks;
  2. All records regarding lists of names of individuals who have demonstrated support for or interest in WikiLeaks;
  3. All records of any agency communications with Internet and social media companies including, but not limited to Facebook and Google, regarding lists of individuals who have demonstrated, through advocacy or other means, support for or interest in WikiLeaks; and
  4. All records of any agency communications with financial services companies including, but not limited to Visa, MasterCard, and PayPal, regarding lists of individuals who have demonstrated, through monetary donations or other means, support or interest in WikiLeaks. [my emphasis]

As I’ve pointed out in the past, if the FBI obtained datasets rather than lists of the people who supported WikiLeaks from Facebook, Google, Visa, MasterCard, and PayPal, FBI would be expected to deny it had lists of such supporters, as it has done. We’ve since learned about the extent to which it does collect datasets when carrying out intelligence investigations.

Then there’s our heightened understanding of the words “target” and “surveillance” which are central to request 1. The US doesn’t target a lot of Americans, but it does collect on them. And when it does so — even if it makes queries that return their identifiers — it doesn’t consider that “surveillance.” That is, the FBI would only admit to having responsive data to request 1 if it were obtaining FISA or Title III warrants against mere supporters of WikiLeaks, rather than — say — reading their email to Julian Assange, whom FBI surely has targeted and still targets under Section 702 and other surveillance authorities, or even, as I guarantee you has happened, looked up people after the fact and discovered they had previous conversations with Assange. We’ve even learned that NSA collects vast amounts of Internet communications that talk “about” a targeted person’s selector, meaning that Americans’ communications might be pulled if they used WikiLeaks or Assange’s Internet identifiers in the body of their emails or chats. None of that would count as “targeted” “surveillance,” but it is presumably among the kinds of things EPIC had in mind when it tried to learn how FBI’s investigation of WikiLeaks was implicating completely innocent supporters.

I noted the way FBI’s declaration skirted both these issues some years ago, and everything we’ve learned since only raises the likelihood that FBI is playing a narrow word game to claim that it doesn’t have any responsive records, but out of an act of generosity it nevertheless considered the volumes of FBI records that are related to the request that it nevertheless has declared 7(A) over. Rothstein’s order replicates the use of the word “targeting” to discuss FBI’s search, suggesting the distinction is as important as I suspect.

Plaintiff first argues that the release of records concerning individuals who are simply supporting WikiLeaks could not interfere with any pending or reasonably anticipated enforcement proceeding since their activity is legal and protected by the First Amendment. Pl.’s Cross-Mot. at 14. This argument is again premised on Plaintiff’s speculation that the Government’s investigation is targeting innocent WikiLeaks supporters, and, for the reasons previously discussed, the Court finds it lacks merit.

All of which brings me to the remaining interesting subtext of this ruling.

Five years after the investigation into WikiLeaks must have started in earnest, 20 months after Chelsea Manning was found guilty for leaking the bulk of the documents in question, and over 10 months since Rothstein’s most recent update on the “investigation” in question, Rothstein is convinced these records may adequately be withheld because there is an active investigation.

While it’s possible DOJ is newly considering charges related to other activities of WikiLeaks — perhaps charges relating to WikiLeaks’ assistance to Edward Snowden in escaping from Hong Kong, though like Manning’s verdict, that was over 20 months ago — it’s also very likely the better part of whatever ongoing investigation into WikiLeaks is ongoing is an intelligence investigation, not a criminal one. (See this post for my analysis of the language they used last year to describe the investigation.)

Rothstein is explicit that DOJ still has — or had, way back when she read fresh declarations in the case — a criminal investigation, not just an intelligence investigation (which might suggest Assange’s asylum in the Ecuador Embassy in London is holding up something criminal).

In stark contrast to the CREW panel, this Court is persuaded that there is an ongoing criminal investigation. Unlike the vague characterization of the investigation in CREW, Defendants have provided sufficient specificity as to the status of the investigation, and sufficient explanation as to why the investigation is of long-term duration. See e.g., Hardy 4th Decl. ¶¶ 7, 8; Bradley 2d Decl. ¶ 12; 2d Cunningham Decl. ¶ 8.

Yet much of her language (which, with one exception, relies on the earliest declarations submitted in this litigation) sounds like that reflecting intelligence techniques as much as criminal tactics.

Here, the FBI and CRM have determined that the release of information on the techniques and procedures employed in their WikiLeaks investigation would allow targets of the investigation to evade law enforcement, and have filed detailed affidavits in support thereof. Hardy 1st Decl. ¶ 25; Cunningham 1st Decl. ¶ 11. As Plaintiff notes, certain court documents related to the Twitter litigation have been made public and describe the agencies’ investigative techniques against specific individuals. To the extent that Plaintiff seeks those already-made public documents, the Court is persuaded that their release will not interfere with a law enforcement proceeding and orders that Defendants turn those documents over.

[snip]

In the instant case, releasing all of the records with investigatory techniques similar to that involved in the Twitter litigation may, for instance, reveal information regarding the scope of this ongoing multi-subject investigation. This is precisely the type of information that Exemption 7(A) protects and why this Court must defer to the agencies’ expertise.

I’m left with the impression that FBI has reams of documents responsive to what EPIC was presumably interested in — how innocent people have had their privacy compromised because they support a publisher the US doesn’t like — but that they’re using a variety of tired dodges to hide those documents.

Partnering with the Kiwis, NSA “Protects” Us from Climate Resistors?

The Intercept has what will be the first in a series of partnering articles with New Zealand’s great surveillance reporter Nicky Hager on the role of New Zealand’s SIGINT agency, Government Security Communications Bureau, in the Five Eyes dragnet. As part of it, they target south Pacific islands that it’s hard to understand as a threat to anyone.

Since 2009, the Government Communications Security Bureau intelligence base at Waihopai has moved to “full-take collection”, indiscriminately intercepting Asia-Pacific communications and providing them en masse to the NSA through the controversial NSA intelligence system XKeyscore, which is used to monitor emails and internet browsing habits.

[snip]

The documents identify nearly two dozen countries that are intensively spied on by the GCSB. On the target list are most of New Zealand’s Pacific neighbours, including small and vulnerable nations such as Tuvalu, Nauru, Kiribati and Samoa.

Other South Pacific GCSB targets are Vanuatu, the Solomon Islands, New Caledonia, Fiji, Tonga and French Polynesia. The spy agency intercepts the flows of communications between these countries and then breaks them down into individual emails, phone calls, social media messages and other types of communications. All this intelligence is immediately made available to the NSA, which is based in Maryland, near Washington, DC.

Effectively, the NSA forces GCSB to spy on these teeny tiny countries in the middle of the Pacific in order to benefit from our dragnet.

And for what?!?!

Even the CIA acknowledges that Nauru has no military, and it somewhat optimistically claims Nauru has no international disputes.

The same is true of Tuvalu.

Both have a dispute, of course. The rich lifestyles of the rest of the world (which Tuvalu shared in for a period of Phosphate exploitation) threaten to wipe these nations off the face of the earth with rising ocean levels. To the extent they might be threats to the US, it is because the citizens of Tuvalu and Nauru speak with the moral authority of some of the first peoples who will be wiped off the face of the earth because of climate change.

Aside from that, Tuvalu has its own Internet domain; Nauru has become a tax haven.

Still, it’s hard to believe that the most powerful country in the world, which has an active military population that is 136 times the population of these countries, is really threatened by either of these countries.

But nevertheless, we’re forcing New Zealand to get “full take” from them, as the price of admission to our spying club.

How Internet Dragnettery Got Way More Permissive Under PRISM

I’m finally working through the minimization procedures released earlier this month as part of the blitz claiming that the Intelligence Community has made big changes in the year since President Obama’s surveillance speech. Here’s my first working thread, on FBI’s Section 702 minimization procedures (SMPs).

The SMPs provide one sense of why the NSA shut down the Internet dragnet in 2011. As a court filing last year made clear, one of the places the Internet metadata analysis moved to was Section 702. And FBI’s SMPs show that collecting and analyzing metadata via PRISM would be far more permissive in a number of ways than doing it under the rules laid out under the PRTT orders.

The first reason is obvious: whereas the PRTT dragnet could only be used for terrorism purposes, FBI can pull metadata from foreign selectors identified for any number of reasons: there are counterterrorism and counterproliferation certificates, as well as a foreign government one that appears to get used very broadly, including to cover hackers, which the government seems to treat as a counterintelligence function.

Moreover, FBI can disseminate metadata results far more broadly. It can disseminate USP data for all foreign intelligence information, which would include counterterrorism, counterproliferation, and (assuming they’re treating hacking as a clandestine intelligence activity) hackers. And it can disseminate such metadata analysis to state, local, tribal, and other agencies. There’s only protection for USP identities if FBI pulled it for foreign power purposes (that is, who’s chatting with Angela Merkel).

Those receiving the data would be told there are SMPs, but they wouldn’t require any training to receive such query results.

And that’s all before you consider that FBI can “transfer some or all such metadata to other FBI electronic and data storage systems,” which seems to broaden access to it still further.

Users authorized to access FBI electronic and data storage systems that contain “metadata” may query such systems to find, extract, and analyze “metadata” pertaining to communications. The FBI may also use such metadata to analyze communications and may upload or transfer some or all such metadata to other FBI electronic and data storage systems for authorized foreign intelligence or law enforcement purposes.

In this same passage, the definition of metadata is curious.

For purposes of these procedures, “metadata” is dialing, routing, addressing, or signaling information associated with a communication, but does not include information concerning the substance, purport, or meaning of the communication.

I assume this uses the very broad definition John Bates rubber stamped in 2010, which included some kinds of content. Furthermore, the SMPs elsewhere tell us they’re pulling photographs (and, presumably, videos and the like). All those will also have metadata which, so long as it is not the meaning of a communication, presumably could be tracked as well (and I’m very curious whether FBI treats location data as metadata as well).

Using PRISM data, it would be far, far easier to “correlate” multiple identities, so as to show (for example) all the people chained off of one person’s multiple Google identities, because the providers know these (note, too, this seems to have been something the government started asking Yahoo for months after Protect America Act started).

Then there’s retention. While some of the key numbers are redacted, the base retention level for FBI 702 data is 5 years, and for data deemed to have a foreign intelligence purpose it is longer — perhaps as long as the 20 and 30 year retention for FBI records (plus 5 years on the front end). So whereas the NSA had to throw out the underlying data after 4.5 and, for a period, 5 years, they can keep underlying data far longer at the FBI.

Finally, there’s tracking. It appears the FBI doesn’t have to track the metadata queries it makes at all.

The FBI shall identify FISA-acquired information in its storage systems, other than those used solely for link analysis of metadata, that has been reviewed and meets those standards.2

2 Although the FBI need not mark metadata as meeting the retention standards or as having been disseminated, the FBI must still assess whether the metadata meets the requirements for dissemination pursuant to Section V prior to actually disseminating the information.

Indeed, this may be the real problem for FBI’s counting of back door searches — that they don’t require the tracking of metadata queries at all.

And I think it’s possible (though I’m less sure about this) the curious language I noted in USA Freedom Act exempting communications metadata from cloud providers may also hide what isn’t already protected under back door searches, basically not counting this metadata collection as such.

So whereas under the PRTT program the NSA tracked every single metadata query, using PRISM data there’d be almost no tracking at all.

There are, I think, just two limits in using PRISM to do Internet dragnettery (but remember, some of this almost certainly moved overseas under SPCMA as well, which wouldn’t have these particular limits). First, depending on how a provider retains their data (and how long a user retains her own communications), the FBI might not have access to 5 years of communications data when it first started tracking someone (though it seems NSA primarily needed 2 years, and given how long people keep email, there’d often be far more than 5 years available).

And finally — and this is a significant one — there’s the requirement that the government only target people overseas. So unless FBI is permitted to pull two or three degrees of communication off of targets (and they might be!), it would be harder, though not impossible, to show internal communication patterns.

Still, I can see how they’d find the PRTT dragnet to have performance limits. Because, for the purpose of tracking those with ties to known overseas threats, pulling metadata from PRISM would be far more permissive if you did it at FBI.

 

34 Years Later, Treasury Is Still Operating without Procedures to Protect Americans under EO 12333

With almost no explanation, PCLOB just released this table ODNI compiled showing the status of procedures Agencies follow to protect US person information when using data obtained under EO 12333. This is something PCLOB has been pushing for since August 2013, when it sent a letter to Attorney General Holder pointing out that some agencies weren’t in compliance with the EO.

As you know, Executive Order 12333 establishes the overall framework for the conduct of intelligence activities by U.S. intelligence agencies. Under section 2.3 of the Executive Order, intelligence agencies can only collect, retain, and disseminate information about U.S. persons if the information fits within one of the enumerated categories under the Order and if it is permitted under that agency’s implementing guidelines approved by the Attorney General after consultation with the Director of National Intelligence.

The Privacy and Civil Liberties Oversight Board has learned that key procedures that form the guidelines to protect “information concerning United States person” have not comprehensively been updated, in some cases in almost three decades, despite dramatic changes in information use and technology.

So I assume the release of this table is designed to pressure the agencies that have been stalling this process.

The immediate takeaway from this table is that, 34 years after Ronald Reagan ordered agencies to have such procedures in Executive Order 12333 and 18 months after PCLOB pushed for agencies to follow the EO, several intelligence agencies still don’t have Attorney General approved procedures. Those agencies and the interim procedures they’re using are:

The Department of Homeland Security’s notoriously shoddy Office of Intelligence and Analysis: Pending issuance of final procedures, I&A is operating pursuant to Interim Intelligence Oversight Procedures, issued jointly by the Under Secretary for Intelligence and Analysis and the Associate General Counsel for Intelligence (April 3, 2008).

United States Coast Guard (USCG)- Intelligence and counterintelligence elements: Pending issuance of final procedures, operating pursuant to Commandant Instruction – COMDINST 3820.12, Coast Guard Intelligence Activities (August 28, 2003).

Department of Treasury Office of Intelligence and Analysis (OIA): Pending issuance of final procedures. While draft guidelines are being reviewed in the interagency approval process, the Office of Intelligence and Analysis conducts intelligence operations pursuant to EO 12333 and statutory responsibilities of the IC element, as advised by supporting legal counsel.

Drug Enforcement Administration, Office of National Security Intelligence (ONSI): Pending issuance of final procedures, operates pursuant to guidance of the Office of Chief Counsel, other guidance, and: Attorney General approved “Guidelines for Disclosure of Grand Jury and Electronic, Wire, and Oral Interception Information Identifying United States Persons” (September 23, 2002); Attorney General approved “Guidelines Regarding Disclosure to the Director of Central Intelligence and Homeland Security Officials of Foreign Intelligence Acquired in the Course of a Criminal Investigation” (September 23, 2002).

I’m not surprised about DHS I&A because — as I noted — most people who track it know that it has never managed to do what it claims it should be doing. And I’m not all that worried about the Coast Guard; how much US person spying are they really doing, after all?

One should always worry about the DEA, and the fact that DEA has only had procedures affecting some of its use of EO 12333 intelligence is par for the course. I mean, limits on what it can share with CIA, but no guidelines on what it can share with FBI? And no guidelines on what it has dragnet collected overseas, where it is very active?

But I’m most troubled by Treasury OIA. In part, that’s because it doesn’t have anything in place — it has just been operating on EO 12333, apparently, in spite of EO 12333’s clear requirement that agencies have more detailed procedures in place. But Treasury’s failure to develop and follow procedures to protect US persons is especially troubling given the more central role OIA has — which expanded in 2004 — in researching and designating terrorists, weapons proliferators, and drug kingpins.

OIA makes intelligence actionable by supporting designations of terrorists, weapons proliferators, and drug traffickers and by providing information to support Treasury’s outreach to foreign partners. OIA also serves as a unique and valuable source of information to the Intelligence Community (IC), providing economic analysis, intelligence analysis, and Treasury intelligence information reports to support the IC’s needs.

As it is, such designations and the criminalization of US person actions that might violate sanctions imposed pursuant to such designations are a black box largely devoid of due process (unless you’re a rich Saudi business man). But Treasury’s failure to establish procedures to protect US persons is especially troubling given how central these three topics — terrorists, weapons proliferation, and drugs — are in the intelligence community’s overseas collection. This is where bulk collection happens. And yet any US persons sucked up in the process and shared with Treasury have only ill-defined protections?

Treasury’s role in spying on Americans may be little understood. But it is significant. And apparently they’ve been doing that spying without the required internal controls.

 

DOJ Says It’s Not Legally Required to Tell Wyden Whether Executive Branch Conduct Was Legal

Via Ali Watkins’ story on Dianne Feinstein’s vindication by the Senate parliamentarian, Ron Wyden has written Eric Holder a letter listing all the unfinished business he’d like the Attorney General to finish before going off to his sinecure defending banks (my assessment, not Wyden’s).

Three of the requests are familiar:

  • A request to know the limits of using deadly force against Americans outside of declared war zones
  • A request for the withdrawal and declassification of an OLC opinion on common commercial service agreements
  • A request that Holder share the Torture Report widely so it can be useful (or maybe even just open it)

But a fourth is, as far as I know, new:

I have asked repeatedly over the past several years for the Department of Justice’s opinion on the lawfulness of particular conduct that involved an Executive Branch agency. I finally received a response to these inquiries in June 2014; however the response simply stated that the Department of Justice was not statutorily obligated to respond to my question. I suppose there may not be a particular law that requires the Department to answer this question, but this response is nonetheless clearly troubling. My question was not hypothetical, and I did not ask to see any pre-decisional legal advice — I simply asked whether the Justice Department believed that the specific actions taken in this case were legal. It would be reasonable for the Department to say “Yes, this conduct was lawful” and explain why, or to say “No, this appears to have been unlawful” and take appropriate follow-up action. Refusing to answer at all is highly problematic and clearly undermines effective oversight of government agencies, especially since the actions in question were carried out in secret. For these reasons, I renew my request for an answer to the question, and I hope that you can help provide one.

Uh, with all due respect, Senator, I believe Holder has given you an answer: While I don’t know what the actions in question are, it seems the answer is, “Yes, those actions were illegal, but since we’re not going to do anything about it, we’re not going to tell you that.”

Or perhaps, “Yes, those actions were illegal. But if the President orders them, we don’t consider them illegal.”

Wyden has apparently been asking this for “several years.” While that doesn’t entirely rule out CIA spying on SSCI (which, after all, DOJ has answered by not prosecuting), it seems it is some other action he learned about under Obama’s tenure.

So is DOJ refusing to prosecute some clearly illegal action that happened under Obama?

Working Thread: New and Improved Dragnettery

I Con the Record has released a series of changes to the dragnet to fulfill President Obama’s directive to improve privacy. This will be a working thread.

Seeking Independent Advice

This section lays out all the independent advice the IC has sought in the last 18 months, from the advice largely ignored (President’s Review Group) to narrowly scoped (the National Academies of Science report that assessed whether the IC could get the same features of the current phone dragnet, without assessing whether it was effective) to the largely inane (Congressional hearings).

It doesn’t really address whether it’s using this advice effectively. There seems to be an underlying efficacy question still missing.

Privacy and Civil Liberties Protections

This appears to be the meat of the report.

It starts by linking to the interim report that basically exempted the most privacy intrusive parts of NSA’s dragnet — bulk collection and research — from its privacy protections.

It then links all the agencies’ efforts to implement

These will take closer review. Note that DEA’s report only covers its Office of National Security Intelligence, which seems to suggest there’s a lot more — a whole lot more — intelligence that falls outside this area. And it’s really perfunctory. Compare the storage section with that of DHS, which at least has standards it has to meet for the security of the data it keeps (even if we know DHS is so technologically backwards they can’t really meet this).

FBI

I can already see some problems with FBI’s entry (which conveniently cannot be cut and pasted). For example, it assumes any minimized data it receives adheres to certain standards. “Unless it possesses specific information to the contrary, the FBI will presume that any evaluated or minimized section 702 information it receives from other IC elements meets these standards.” The recently liberated 702 report showed that this left a bit of a gap in compliance.

Then there’s the exception that eats the rule, which prohibits FBI from keeping any unevaluated non-US person data for longer than 5 years “unless retention of comparable information concerning U.S. persons would be permitted under section 2.3 of Executive Order 12333.” FBI’s interpretation of exceptions here is very broad.

FBI’s queries language is not tied to law enforcement investigations. That likely means that it retains the ability to do queries for assessments, which require no evidence of wrong-doing.

When FBI talks about oversight, it describes “periodic auditing.” Given that the 702 IG report showed that FBI had basically blown off statutory requirements for auditing and reports for 2 of 3 years reviewed, I’d like to see something more concrete than this…

Incidentally, note that FBI just signed this on February 2. It appears they were the last (or among the last) agencies to finish these (probably after deadline, too, as this was supposed to be rolled out on the 1 year anniversary of Obama’s speech).

NSA

There are some interesting exceptions in the NSA report, including the ginormous one for bulk collection. I’m particularly interested in a few of these:

[Screenshot from the NSA report]

The economic advantage language appears to get weaker and weaker in here. It now states that identifying trade violations does not constitute a competitive advantage. It also permits the collection of private trade secrets for national security purposes — which is what China would say it is doing when it steals our secrets.

I think the retention language has gotten slightly broader, now. The encrypted communication exception has been rewritten to include anything not processed into intelligible form.

It also states, “personal information about the routine activities of a non-U.S. person would not be disseminated without some indication that the personal information is related to an authorized foreign intelligence requirement.” Consider how this language would work for what we know to have been spying on the online sex habits of people the US wants to discredit. First, they only need “some indication” that the dissemination is tied to a FI requirement. There’s also that word, “related to,” which as we know now means “all.” In other words, this exception would still permit really intrusive spying, if we thought the target was a nice FI target.

Others

Love this from DOE: “The origins of specific information contained in evaluated or finished intelligence products—or the specific means by which such information was collected—may not in all cases be evident to DOE-IN or DOE as a recipient of such intelligence products.” State has a very similar caveat.

Non-NSA DOD components just adopted NSA’s document.

Judicial Redress

CIA’s Careful Terrorism

Both WaPo and Newsweek have stories out on CIA’s role in assassinating Imad Mugniyah in 2008. As described, Michael Hayden loved the idea, but then got a bit squeamish about ordering a hit. Luckily, President Bush was all too happy to approve it. Here’s Newsweek:

“General Hayden, at first, was all for this,” the former official said, “But slowly, or maybe not so slowly, the realization set in for him that he was ordering an assassination, that basically he was putting out a hit. And once he became pretty much cognizant of the fact that he was basically ordering the murder of someone, he got cold feet. He didn’t fancy himself as a Corleone.”

And he wasn’t, really. That role would ultimately fall to the president.

“Obviously [Hayden] had to get authority for this, and authority could come from only one person, and that would be POTUS,” said the participant. “So he went down to see President Bush. It took Bush apparently only about 30 seconds to say, ‘Yes, and why haven’t you done this already? You have my blessing. Go with God.’”

[snip]

But in late December, with the bomb ready and Mugniyah firmly in their sights, Hayden “started to get really cold feet again,” the participant said. He decided to go see President Bush personally—on Christmas Eve 2007, at Camp David.

“On Christmas Eve morning, he and [Deputy CIA Director Steven] Kappes fly up to Camp David to see POTUS, to say, ‘Okay, look, here’s what we got, everything is in place, do we still have the go-ahead?’ And POTUS basically threw both of them out, saying, ‘Why are you up here wasting my time on Christmas Eve? Get the fuck out and go do this. Not quite in those terms. But it was, ‘Yes, I’ve already given you my approval. Go do this; go with God.’”

“Go with our Christian God,” I guess Bush meant.

Both pieces emphasize how careful the CIA and Mossad were with their terrorist tactics, to make sure only their target was killed. Again, Newsweek:

Finally, the car was in place. But then there were always other people around. Weeks more went by. Hayden’s demands that only Mugniyah be killed, and no one else, with no collateral damage, had to be met.

“It was always either he wasn’t alone, or he had his kids with him, or somebody else with him, or there were casuals in the area, or he was gone, he was in the Bekka [Valley] or someplace else, he wasn’t in his apartment,” the participant said. “The rules of engagement were so tight that he probably walked past the thing dozens of times but they just couldn’t do anything because somebody was there or it just didn’t fit into the rules of engagement.”

“They were keeping watch on this just about all the time,” he added. “They were taking shifts, a station officer and a Mossad officer. The Mossad officer was there just to make the confirmation that, ‘yeah, that’s him.’”

The kill was made all the harder by the way the bomb would be detonated. There was a two-second delay from the time the CIA and Mossad agents in the lookout post pushed the button to when the bomb exploded. Under the plan, the Mossad agent would ID Mugniyah, and the CIA man would press the remote control.

“So you would have to count—one, one thousand; two, one thousand…” the participant said. “They had about six seconds from the time he came out of the apartment door to the time he moved out of the danger zone. So they had to do it really fast.”

And WaPo notes how tedious it was to get approval to kill a guy whose attacks on the US were years earlier, under Reagan.

Former U.S. officials, all of whom spoke on the condition of anonymity to discuss the operation, asserted that Mughniyah, although based in Syria, was directly connected to the arming and training of Shiite militias in Iraq that were targeting U.S. forces. There was little debate inside the Bush administration over the use of a car bomb instead of other means.

“Remember, they were carrying out suicide bombings and IED attacks,” said one official, referring to Hezbollah operations in Iraq.

[snip]

The authority to kill Mughniyah required a presidential finding by President George W. Bush. The attorney general, the director of national intelligence, the national security adviser and the Office of Legal Counsel at the Justice Department all signed off on the operation, one former intelligence official said.

The former official said getting the authority to kill Mughniyah was a “rigorous and tedious” process. “What we had to show was he was a continuing threat to Americans,” the official said, noting that Mughniyah had a long history of targeting Americans dating back to his role in planning the 1983 bombing of the U.S. Embassy in Beirut.

“The decision was we had to have absolute confirmation that it was self-defense,” the official said.

(Note, Newsweek says the Finding was signed under Reagan, which actually makes more sense since the Gloves Come Off Memorandum of Notification Bush and Obama have relied on was also a modification of a Finding signed by him.)

This is, presumably, meant to be a big success story for CIA. My hope, however, is that it adds some nuance to debates about our use of drones. If the US kills more collateral casualties using drones than using a classic terrorist technique — in both cases making really attenuated claims about current threats — which is the greatest terror technique?

Update: Kevin Jon Heller argues the US violated the Terrorist Bombing Convention.

Levitation: Inspire-Ing Work from CSE

The Intercept and CBC have a joint story on a Canadian Security Establishment project called Levitation that seems to confirm suspicions I’ve had since before the Snowden leaks. It targets people based on their web behavior (the story focuses on downloads from free file upload sites, but one page of the PPT makes it clear they’re also tracking web search terms and other behaviors), and once it finds behavior of suspicion (such as accessing bomb-making instructions; it calls these “events”) it uses SIGINT tools, including NSA’s MARINA, to work backwards off those accessing those materials to get IPs, cookies, Facebook IDs, and the like to identify a suspect.

The PPT is the most detailed explanation that I’ve seen of how the SIGINT agencies do “correlations” — a function about which I believe ODNI continues to hide an August 20, 2008 FISC opinion. It appears to do so in two ways: first, by tracking known correlations. But also, by analyzing similar activities from around the same time from the same IP, then coming up with other identifiers that, with varying degrees of probability, are probably the same user. This serves, in part, to come up with new identifiers to track.

I’ve argued the NSA does similar analysis using known codes tied to Inspire (not the URL, necessarily, but possibly the encryption code included in each Inspire edition) on upstream collection, which would basically identify the people within the US who had downloaded AQAP’s propaganda magazine. One reason I’m so confident NSA does this is because of the high number of FBI sting operations that seem to arise from some 20-year-old downloading Inspire, which then appears to get sent out to a local FBI office for further research into online activities and ultimately approaches by a paid informant or undercover officer.

In other words, this kind of analysis seems to lie at the heart of a lot of the stings FBI initiates.

But as the “Scoreboard” slide in this presentation makes clear, what this process gives you is not validated IDs, but rather probabilistic matches (which FISC appears to deal with using minimization procedures, suggesting they let NSA collect on these probabilistic matches with the understanding they have to treat the data in some certain way if it ends up being a false positive).
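The time-and-IP correlation described above, sketched as an added example: this is not code from CSE, NSA or the slides, and the scoring rule, field names and sample events are assumptions constructed here. It shows why the output is a ranked list of probabilistic matches rather than a validated identity: an identifier belonging to a second person behind the same shared IP scores as well.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample observations: (timestamp, source IP, identifier type, value).
# 198.51.100.7 stands in for a shared (NAT) address used by two different people.
OBSERVATIONS = [
    ("2015-01-29T11:30:05", "198.51.100.7", "cookie", "c-aaa"),
    ("2015-01-29T11:31:40", "198.51.100.7", "account", "user_a"),
    ("2015-01-29T11:33:10", "198.51.100.7", "cookie", "c-bbb"),    # second person, same IP
    ("2015-01-29T11:36:00", "198.51.100.7", "cookie", "c-aaa"),
    ("2015-01-29T12:40:00", "198.51.100.7", "account", "user_c"),  # same IP, outside window
    ("2015-01-29T11:32:00", "203.0.113.9", "cookie", "c-zzz"),     # different IP
]


def correlate(event_time, event_ip, observations, window_minutes=10):
    """Rank identifiers seen from event_ip close in time to an "event".

    Assumed scoring rule (hypothetical, for illustration): each sighting adds a
    weight that falls linearly from 1.0 at the event time to 0.0 at the edge of
    the window. Scores are normalised to sum to 1, so the result is a ranking
    of candidates, not a confirmed match.
    """
    t0 = datetime.fromisoformat(event_time)
    window = timedelta(minutes=window_minutes)
    raw = defaultdict(float)
    for ts, ip, kind, value in observations:
        if ip != event_ip:
            continue
        gap = abs(datetime.fromisoformat(ts) - t0)
        if gap > window:
            continue
        raw[(kind, value)] += 1.0 - gap / window
    total = sum(raw.values())
    if total == 0:
        return []
    ranked = sorted(raw.items(), key=lambda kv: (-kv[1], kv[0]))
    return [(kind, value, round(w / total, 3)) for (kind, value), w in ranked]


if __name__ == "__main__":
    # Constructed "event": a download seen from the shared address at 11:33:00.
    for kind, value, score in correlate("2015-01-29T11:33:00", "198.51.100.7", OBSERVATIONS):
        print(f"{kind:8s} {value:8s} {score}")
```

In this constructed data the second person's cookie (`c-bbb`) outranks the account that actually belongs with the top-ranked cookie, which is the false-positive risk the probabilistic scores carry.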

That’s important not just for the young men whom FBI decides might make worthwhile targets (even if they’re being targeted, largely, on their First Amendment activities).

It’s important, too, for the false negatives, by far the most important of which I believe to be the Tsarnaev brothers, both of whom reportedly had downloaded multiple episodes of Inspire, as well as other similar jihadist material, and on whom NSA had collected data it never accessed until after the attack, but neither of whom got targeted off this correlation process before they attacked the Boston Marathon.

That is, this really important possible false negative, just as much as the dubious positives that end up getting unbalanced young men targeted by the FBI, may say as much about the reliability of this process as anything else.

This CSE PPT is not yet proof that my suspicions are entirely accurate (though my claims here about correlations are based on officially released documents). But it strongly suggests my suspicions have been correct.

And — particularly given ODNI’s refusal to release what appears to be a key opinion describing the terms on which FISC permits the use of these correlations — this ought to elicit far more conversations about how NSA and its Five Eye partners “correlate” identities and how those correlations get used.

More Visibility on Stingrays

On New Year’s Eve, Chuck Grassley released details of ongoing discussions he and Patrick Leahy have had with the FBI about its use of Stingray (or IMSI catcher) technology, which the FBI and other agencies use to identify cell phone location. Also early last month, the Minneapolis Star-Tribune liberated copies of the documents Minnesota’s Bureau of Criminal Apprehension had to sign to get a Stingray (which are less redacted than an NDA released by the Tacoma Police Department to Muckrock in September). Together the documents provide new insight into how the FBI manages the use of Stingrays around the country.

In his release on Stingrays, Grassley revealed that FBI had recently changed its policy on Stingray use — though the “changed” policy probably affects very little Stingray use.

[W]e understand that the FBI’s new policy requires FBI agents to obtain a search warrant whenever a cell-site simulator is used as part of a FBI investigation or operation, unless one of several exceptions apply, including (among others): (1) cases that pose an imminent danger to public safety, (2) cases that involve a fugitive, or (3) cases in which the technology is used in public places or other locations at which the FBI deems there is no reasonable expectation of privacy.

We have concerns about the scope of the exceptions.  Specifically, we are concerned about whether the FBI and other law enforcement agencies have adequately considered the privacy interests of other individuals who are not the targets of the interception, but whose information is nevertheless being collected when these devices are being used.  We understand that the FBI believes that it can address these interests by maintaining that information for a short period of time and purging the information after it has been collected.  But there is a question as to whether this sufficiently safeguards privacy interests.

I say this probably doesn’t affect much Stingray use because we already know the US Marshal Service makes up a lot of the known Federal use of Stingrays (at least that use that obtains Pen Registers to use the Stingrays). They would presumably be hunting fugitives, which is one of the overly broad exceptions in FBI’s “new” policy. We discovered last year just how elastic the federal government’s interpretation of “imminent danger” can be. And the most common — and troubling — known use of Stingrays is in public spaces (like legal protests) to track participants.

Indeed, in the one known example where a Stingray was used to discover the identity of a suspect, Daniel Rigmaiden, the government got a warrant for its use, albeit one obtained without fully explaining how it works.

So it’s not clear that this “new” policy will change all that much. Moreover, Grassley is focused on federal use of the technology, and not the way federal use intersects with and controls local use.

Now couple that with this non-disclosure agreement (pages 10-15, h/t SanLeandroPrivacy) sent in June 2012. The NDA explains that,

Disclosing the existence of and the capabilities provided by such equipment/technology to the public would reveal sensitive technological capabilities possessed by the law enforcement community and may allow individuals who are the subject of investigation wherein this equipment/technology is used to employ countermeasures to avoid detection by law enforcement. This would not only potentially endanger the lives and physical safety of law enforcement officers and other individuals, but also adversely impact criminal and national security investigations.

If that’s such a big worry, then maybe it shouldn’t be so widely available in the first place? Also, I see how seamlessly the FBI moves from law enforcement to national security functions…

The NDA then goes on to tell the BCA the following (among other things):

  • BCA should only use it for “public safety operations or criminal investigations.”
  • BCA accepts liability for violations of Federal law, irrespective of the FBI approval, if any, of [redacted].
  • The BCA will [redacted] to ensure deconfliction of respective missions.

Then there’s a very long paragraph laying out something else the BCA “shall not” do.

So over the course of the NDA, we got from “law enforcement” purposes, to national security investigations, to “public safety operations.” The NDA clearly envisions FBI approval of some use of this technology, suggesting an ongoing relationship with this local agency. That is further established by FBI’s concern about “deconfliction of respective missions,” meaning FBI expects BCA to communicate about how it will use its Stingray with other agencies who might be using their Stingrays (or BCA’s Stingray?) in ways that might set off a turf war. Plus whatever that “shall not” paragraph says.

The point is, the FBI is not just demanding that BCA not tell anyone that it has a Stingray and how Stingrays are used (see this Chris Soghoian and Stephanie Pell paper for why that’s a futile fight anymore anyway). It is also demanding certain things about cooperation between agencies. And while that makes sense from a bureaucratic standpoint, it also may suggest there’s more reason to keep FBI involved in these local operations than just secrecy. After all, as more and more local police departments get Stingrays and sign these agreements with FBI, the FBI is assured there’s a network of Stingrays across the country that will be deployed if necessary. Given the inclusion of national security investigations in this NDA (which, after all, is all that FBI thought it needed to get NSA to collect all our phone records), it at least introduces the possibility of a more systematic FBI program for which the FBI relies on local Stingrays.

That’s just a latent concern of mine — we don’t yet have the proof of it (we’ll have to liberate far more NDAs to get it). But it does seem logical, given the role FBI is playing in this process, all in the guise of futile secrecy.

The NSA’s Funny Numbers, Again

Back when the WaPo published a quarterly NSA compliance audit from 2012, I caught the largest math organization in the world failing basic arithmetic. I’ve been comparing that report with the Intelligence Oversight Board report covering the same period, and I’m finding the numbers might, once again, not add up (though it’s hard to tell given the redactions).

According to NSA’s internal numbers, the organization had 865 violations in the first quarter of calendar year 2012 (670 EO 12333 violations and 195 FISA violations). Yet NSA described just 163 violations in depth (75 EO 12333 violations and 88 FISA violations, though further violations are likely hidden behind redactions in bulk descriptions).

Here’s how the numbers compare, broken down by category (I used the categories used in the IOB Report heading, unless the violation was clearly a roamer or a US Person).

[Image: table comparing violation counts in the internal audit and the IOB report, by category]

Whereas some numbers are very close — such as for the illegal targeting of a US Person — there were other things, such as sharing a US person’s data or some fairly troubling unauthorized access violations not explicitly mentioned in the internal audit. Nor are unauthorized targeting and access mentioned as such.

And then there are all the “roamer” incidences, which apparently don’t all get reported to IOB (though you can definitely see an increase in them over the years), and which often look a lot less accidental when explained in the IOB report.

Then there are the rather measured descriptions the NSA gives IOB (which we’ve seen in other areas, as with the Internet dragnet, and which might be worst with the upstream violations).

Here’s what the NSA reported internally:

As of 16 February 2012, NSA determined that approximately 3,032 files containing call detail records potentially collected pursuant to prior BR Orders were retained on a server and been collected more than five years ago in violation of the 5-year retention period established for BR collection. Specifically, these files were retained on a server used by technical personnel working with the Business Records metadata to maintain documentation of provider feed data formats and performed background analysis to document why certain contact chaining rules were created. In addition to the BR work, this server also contains information related to the STELLARWIND program and files which do not appear to be related to either of these programs. NSA bases its determination that these files may be in violation of BR 11-191 because of the type of information contained in the files (i.e., call detail records), the access to the server by technical personnel who worked with the BR metadata, and the listed “creation date” for the files. It is possible that these files contain STELLARWIND data, despite the creation date. The STELLARWIND data could have been copied to this server, and that process could have changed the creation date to a timeframe that appears to indicate that they may contain BR metadata.

Here’s what NSA told the IOB about this violation:

[redacted] NSA determined that a technical service contained BR call detail records older than the approved five years. Approximately [redacted] records comprising approximately [fairly big redaction] records were retained for more than five years. The records were found on an access-controlled server that is used exclusively  by technical personnel and is not accessible to intelligence analysts. [2 lines redacted]

Here’s what PCLOB had to say about this violation:

In one incident, NSA technical personnel discovered a technical server with nearly 3,000 files containing call detail records that were more than five years old, but that had not been destroyed in accordance with the applicable retention rules. These files were among those used in connection with a migration of call detail records to a new system. Because a single file may contain more than one call detail record, and because the files were promptly destroyed by agency technical personnel, the NSA could not provide an estimate regarding the volume of calling records that were retained beyond the five-year limit. The technical server in question was not available to intelligence analysts.

While it appears NSA managed to give IOB (completely redacted) numbers for the files involved, it appears PCLOB never got a clear count of how many were involved. It’s not clear that NSA ever admitted this data may have gotten mixed in with Stellar Wind data. No one seems to care that this was a double violation, because techs are supposed to destroy data when they’re done with it.

Though, if you ask me, you should wait to figure out why so many records were lying around a tech server before you destroy them all. But I’m kind of touchy that way.

One thing I realize is consistent between the internal audit and the IOB report. The NSA, probably the owner of the most powerful computing power in the world, consistently uses the term “glitch” to describe software that doesn’t do what it is designed to do to keep people out of data they’re not supposed to have access to.

The glitches are letting us down.

 
