The Lesson Trump Has (Thus Far) Not Taught Us: Civilian Casualties

I have a confession.

There’s something I like about the Trump Administration.

It’s the way that his unpopularity taints long-standing policies or practices or beliefs, making people aware of and opposed to them in a way they weren’t when the same policies or beliefs were widely held under George Bush or Barack Obama. Many, though not all, of these policies or beliefs were embraced unquestioningly by centrists or even avowed leftists.

I’ve been keeping a running list in my mind, which I’ll begin to lay out here (I guess I’ll update it as I remember more).

  • Expansive surveillance
  • The presumption of regularity, by which courts and the public assume the Executive Branch operates in good faith and from evidence
  • Denigration of immigrants
  • Denigration of Muslims
  • Denigration health insurance

As an example, Obama deported a huge number of people. But now that Trump has expanded that same practice, it has been made visible and delegitimized.

In short, Trump has made things that should always have been criticized are now being far more widely so.

But there’s one thing that Trump has escalated that has thus far — with the singular exception of the botched raid on Yemen — escaped widespread condemnation: the bombing of civilians. There was the Al Jineh mosque on March 16, a school sheltering families in Raqqa on March 21, and this strike last week in Mosul, not to mention continued Saudi attacks in Yemen that the US facilitates.

Again, I’m not saying such civilian strikes didn’t happen under Obama. And it’s not clear whether this spate of civilian bombings arises from a change in the rule of engagement put in place in December, the influence of James Mattis, or Trump’s announced review of rules of engagement. But civilians are dying.

And for the most part, unlike all the other horrible things happening under President Trump, they’re getting little notice and condemnation in the US.

Update: This NYT story on the Mosul strike says that the increased civilian casualties do reflect a change in rules of engagement put in place under Trump.

Marcy has been blogging full time since 2007. She’s known for her live-blogging of the Scooter Libby trial, her discovery of the number of times Khalid Sheikh Mohammed was waterboarded, and generally for her weedy analysis of document dumps.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including the Guardian, Salon, and the Progressive, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse and dog in Grand Rapids, MI.

When a White Republican Gets Spied On, Privacy Suddenly Matters

As expected, much of today’s hearing on the Russian hack consisted of members of Congress — from both parties — posturing for the camera.

At first, it seemed that the Republican line of posturing — complaining about the leak that exposed Mike Flynn’s conversations with Ambassador Sergey Kislyak — tracked Donald Trump’s preferred approach, to turn this into a witch hunt for the leakers.

But it was actually more subtle than that. It appears Republicans believe the leaks about Flynn have (finally) made Congress skittish about incidental collection of US person communications as part of FISA collection. And so both Tom Rooney and Trey Gowdy spent much of their early hearing slots discussing how much more difficult the leak of Flynn’s name will make Section 702 reauthorization later this year. In the process, they should have created new fears about how painfully ignorant the people supposedly overseeing FISA are.

Rooney, who heads the subcommittee with oversight over NSA, started by quizzing Mike Rogers about the process by which a masked US person identity can be disclosed. Along the way, it became clear Rooney was talking about Section 702 reauthorization even while he was talking traditional FISA collection, which doesn’t lapse this year.

Rooney: If what we’re talking about is a serious crime, as has been alleged, in your opinion would leaking of a US person who has been unmasked and disseminated by intelligence community officials, would that leaking hurt or help our ability to conduct national security.

Rogers: Hurt.

Rooney: Ok, if it hurts, this leak, which through the 702 tool, which we all agree is vital–or you and I at least agree to that–do you think that that leak actually threatens our national security. If it’s a crime, and if it unmasks a US person, and this tool is so important it could potentially jeopardize this tool when we have to try to reauthorize it in a few months, if this is used against our ability to reauthorize this tool, and we can’t get it done because whoever did this leak, or these nine people that did this leak, create such a stir, whether it be in our legislative process or whatever, that they don’t feel confident a US person, under the 702 program, can be masked, successfully, and not leaked to the press, doesn’t that hurt–that leak–hurt our national security.

Eventually Admiral Rogers broke in to explain to his congressional overseer very basic facts about surveillance, including that Flynn was not and could not have been surveilled under Section 702.

Rogers: FISA collection on targets in the United States has nothing to do with 702, I just want to make sure we’re not confusing the two things here. 702 is collection overseas against non US persons.

Rooney: Right. And what we’re talking about here is incidentally, if a US person is talking to a foreign person that we’re listening to whether or not that person is unmasked.

Nevertheless, Rooney made it very clear he’s very concerned about how much harder the Flynn leak will make it for people like him to convince colleagues to reauthorize Section 702, which is even more of a privacy concern than traditional FISA.

Rooney: But it’s really going to hurt the people on this committee and you in the intelligence community when we try to retain this tool this year and try to convince some of our colleagues that this is really important for national security when somebody in the intelligence community says, you know what the hell with it, I’m gonna release this person’s name, because I’m gonna get something out of it. We’re all gonna be hurt by that. If we can’t reauthorize this tool. Do you agree with that?

A little later, Trey Gowdy got his second chance to complain about the leak. Referencing Rogers’ earlier explanation that only 20 people at NSA can unmask a US person identity, Gowdy tried to figure out how many at FBI could, arguing (this is stunning idiocy here) that by finding a finite number of FBI officials who could unmask US person identities might help assuage concerns about potential leaks of US persons caught in FISA surveillance.

Comey: I don’t know for sure as I sit here. Surely more, given the nature of the FBI’s work. We come into contact with US persons a whole lot more than the NSA does because we may be conducting — we only conduct our operations in the United States to collect electronic surveillance. I can find out the exact number. I don’t know it as I sit here.

Gowdy: I think Director Comey given the fact that you and I agree that this is critical, vital, indispensable. A similar program is coming up for reauthorization this fall with a pretty strong head wind right now, it would be nice to know the universe of people who have the power to unmask a US citizen’s name. Cause that might provide something of a road map to investigate who might have actually disseminated a masked US citizen’s name.

Here’s why this line of questioning from Gowdy is unbelievably idiotic. Both for traditional FISA, like the intercept targeting Kislyak that caught Flynn, and for Section 702, masking and unmasking identities at FBI is not the concern. That’s because the content from both authorities rests in FBI’s databases, and anyone cleared for FISA can access the raw data. And those FBI Agents not cleared for FISA can and are encouraged just to ask a buddy who is cleared to do it.

In other words, every Agent at FBI has relatively easy way to access the content on Flynn, so long as she can invent a foreign intelligence or criminal purpose reason to do so.

Which is probably why Comey tried to pitch something he called “culture” as adequate protection, rather than the very large number of FBI Agents who are cleared into FISA.

Comey: The number is … relevant. What I hope the US–the American people will realize is the number’s important but the culture behind it is in fact more important. The training, the rigor, the discipline. We are obsessive about FISA in the FBI for reasons I hope make sense to this committee. But we are, everything that’s FISA has to be labeled in such a way to warn people this is FISA, we treat this in a special way. So we can get you the number but I want to assure you the culture in the FBI and the NSA around how we treat US person information is obsessive, and I mean that in a good way.

So then Gowdy asks Comey something he really has a responsibility to know: what other agencies have Standard Minimization Procedures. (The answer, at least as the public record stands, is NSA, CIA, FBI, and NCTC have standard minimization procedures, with Main Justice using FBI’s SMPs.)

Gowdy: Director Comey I am not arguing with you and I agree the culture is important, but if there are 100 people who have the ability to unmask and the knowledge of a previously masked name, then that’s 100 different potential sources of investigation. And the smaller the number is, the easier your investigation is. So the number is relevant. I can see the culture is relevant. NSA, FBI, what other US government agencies have the authority to unmask a US citizen’s name?

Comey: Well I think all agencies that collect information pursuant to FISA have what are called standard minimization procedures which are approved by the FISA court that govern how they will treat US person information. So I know the NSA does, I know the CIA does, obviously the FBI does, I don’t know for sure beyond that.

Gowdy: How about Main Justice?

Comey: Main Justice I think does have standard minimization procedures.

Gowdy: Alright, so that’s four. NSA, FBI, CIA, Main Justice. Does the White House has the authority to unmask a US citizen’s name?

Comey: I think other elements of the government that are consumers of our can ask the collectors to unmask. The unmasking resides with those who collected the information. And so if Mike Rogers’ folks collected something, and they send it to me in a report and it says it’s US person #1 and it’s important for the FBI to know who that is, our request will go back to them. The White House can make similar requests of the FBI or NSA but they don’t on their own collect, so they can’t on their own unmask.

That series of answers didn’t satisfy Gowdy, because from his perspective, if Comey isn’t able to investigate and find a head for the leak of Flynn’s conversation with Kislyak — well, I don’t know what he thinks but he’s sure an investigation, possibly even the prosecution of journalists, is the answer.

Gowdy: I guess what I’m getting at Director Comey, you say it’s vital, you say it’s critical, you say that it’s indispensable, we both know it’s a threat to the reauthorization of 702 later on this fall and oh by the way it’s also a felony punishable by up to 10 years. So how would you begin your investigation, assuming for the sake of argument that a US citizen’s name appeared in the Washington Post and the NY Times unlawfully. Where would you begin that investigation?

This whole series of questions frankly mystifies me. I mean, these two men who ostensibly provide oversight of FISA clearly didn’t understand what the biggest risk to privacy is –back door searches of US person content — which at the FBI doesn’t even require any evidence of wrong-doing. That is the biggest impediment to reauthorizing FISA.

And testimony about the intricacies of unmasking a US person identity — particularly when a discussion of traditional FISA serves as stand-in for Section 702 — does nothing more than expose that the men who supposedly oversee FISA closely have no fucking clue — and I mean really, not a single fucking clue — how it works. Devin Nunes, too, has already expressed confusion on how access to incidentally collected US person content works.

Does anyone in the House Intelligence Committee understand how FISA works? Bueller?

In retrospect, I’m really puzzled by what is so damning about the Flynn leak to them. I mean, don’t get me wrong, I’m very sympathetic to the complaint that the contents of the intercepts did get leaked. If you’re not, you should be. Imagine how you’d feel if a Muslim kid got branded as a terrorist because he had a non-criminal discussion with someone like Anwar al-Awlaki? (Of course, in actual fact what happened is the Muslim kids who had non-criminal discussions with Awlaki had FBI informants thrown at them until they pressed a button and got busted for terrorism, but whatever.)

But Rooney and Gowdy and maybe even Nunes seemed worried that their colleagues in the House have seen someone like them — not a young Muslim, but instead a conservative white man — caught up in FISA, which has suddenly made them realize that they too have conversations all the time that likely get caught up in FISA?

Or are they worried that the public discussion of FISA will expose them for what they are, utterly negligent overseers, who don’t understand how invasive of privacy FISA currently is?

If it’s the latter, their efforts to assuage concerns should only serve to heighten those concerns. These men know so little about FISA they don’t even understand what questions to ask.

In any case, after today’s hearing I am beginning to suspect the IC doesn’t like to have public hearings not because someone like me will learn something, but because we’ll see how painfully little most of the so-called overseers have learned in all the private briefings the IC has given them. If these men don’t understand the full implications of incidental collection, two months after details of Flynn’s conversations have been leaked, then it seems likely they’ve been intentionally mis or underinformed.

Or perhaps they’re just not so bright.

Marcy has been blogging full time since 2007. She’s known for her live-blogging of the Scooter Libby trial, her discovery of the number of times Khalid Sheikh Mohammed was waterboarded, and generally for her weedy analysis of document dumps.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including the Guardian, Salon, and the Progressive, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse and dog in Grand Rapids, MI.

Ron Wyden’s Complaints about Section 702

In this post, I reviewed the Intelligence Community’s dubious history of refusing to count how many Americans get swept up under FISA Section 702. Of particular note, I showed that when Wyden first asked for a number of how many Americans were sucked up, the NSA was in the process of conducting a partial count (on how many Americans were caught up in one kind of upstream collection); yet the government neither told Wyden that count was going on or answered his question. Even the limited count NSA conducted resulted in a FISC ruling that the US person collection violated the Constitution.

I wanted to turn, now, to the litany of concerns about Section 702 Ron Wyden laid out earlier this week.

Ultimately, Wyden’s biggest concern is about reverse targeting.

But before he gets there, he lays out a number of ways Americans can be sucked in, some of which are familiar, some of which are less so.

Upstream collection

For example, he lays out MCTs (when a completely unrelated communication is sucked in with a targeted one) and SCTs (when an about communication picks up an entirely domestic communication). About this, Wyden notes no foreigners need to be involved.

The law only requires that one of the parties to the communication who again could be another American is overseas and even that requirement is hard for the government to meet in practice. So the implications here ought to be pretty obvious. You don’t even have to be communicating with one of the government’s targets to be swept up in Foreign Intelligence Surveillance Act collection. You don’t even have to be communicating with a foreigner.

Note, especially, his point that the requirement that one communication be overseas “is hard for the government to meet in practice.”

Tasking errors

Wyden describes accidental targeting — which (given my review of all available reporting, at least) is very closely policed.

The first are targeting mistakes in which contrary to the law, the target turns out to be an American or someone in the United States. The full impact of these mistakes on law-abiding Americans is not readily apparent. The most recent public report on section 702 noted that there were compliance incidents involving surveillance of foreigners in the United States and surveillance of Americans.

Tasking problems are closely policed, but as Wyden notes, the most recent report showed a number of tasking problems, representing a big spike in the number of such compliance problems.

My working hypothesis is that the increase in identified tasking problems stems from the implementation of additional documentation in response to the PCLOB report. Most of this spike is related to one office completely misapplying a certificate (which makes me wonder if there’s a new, possibly fourth, certificate). But there were also tasking errors. The unredacted section actually says none of these affected US persons and people in the US, but there are three paragraphs redacted that may describe older tasking problems.

One foreigner list-servs

Wyden also notes that it only takes one person on an email to grant the entire email foreignness designation.

It is also important to note that the government is prohibited from collecting communications only when the sender of an e-mail and everyone receiving that e-mail are in the United States. So an American in the United States can send an e-mail to another American in the United States, but if the e-mail also goes to an overseas target, it’s going to be collected. So that then brings us to the different kinds of collection under section 702 and how it affects the liberties of our people in different ways.

Imagine a group of people — say hackers — collaborating on some IRC channel where one known participant was foreign. That would meet the foreignness designation and lead to the collection of everyone, American or not, participating.

American business people doing business overseas

Wyden also emphasizes that the definition of “foreign intelligence” is so broad that the target doesn’t have to be suspected of any wrongdoing.

The statute requires that the collection be conducted, quote, to acquire foreign intelligence information. As implemented the standard for targeting individuals under the program is that the government has reason to believe that these persons possess or are expected to receive or are likely to communicate foreign intelligence information. Obviously that is broad. It doesn’t even require that a target be suspected of wrongdoing.

And it’s in that context that he raises the possibility that an “American business leader” could easily be collected.

[T]hink about how easy it would be for an American business leader to be in contact with a broad set of potential targets of this program. Consider how easy it would be for Americans communicating with other Americans to forward the e-mails of these people. All of this could be collected by the government.

Of course, any business person could be collected in such a way (or scientists, which appears to be what has gotten a lot of Chinese-American scientists in trouble).

Reverse targeting

But as I said, Wyden seems most concerned about the standard for reverse targeting, which he raised as a newly urgent concern in 2013. According to the standard currently implemented, reverse targeting is extremely rare — perhaps just three instances, with the most recent occurring in the December 2014 to May 2015 period.

One of NSA’s tasking errors involved the tasking of a facility that was used by a nonUnited States person located outside the United States that was determined to involve reverse targeting.

[snip]

In this incident, the Attorney General authorized the targeting of the United States person pursuant to Section 705(b) of FISA. This reverse targeting incident resulted from an NSA analyst misunderstanding the reverse targeting prohibition and not because an NSA analyst intentionally attempted to violate Section 702 or NSA policy.

The American being targeted was overseas and got targeted, under Section 705(b) anyway. A completely redacted footnote excuses the analyst’s error.

But Wyden suggests that several other factors may lead to more reverse targeting than gets identified by the current standard of review. He suggests back door searches (which he notes Bush didn’t do, at least not for the first several years of PRISM, though I suspect it actually happened at FBI) make the problem worse.

This issue was concerning in 2008 when the Foreign Intelligence Surveillance Act amendments passed with a prohibition on reverse targeting, but that was before the Congress knew about the collection of e-mails that are only about a foreign target and that could be to and from Americans. That was before the Obama administration sought and obtained authority to conduct warrantless searches for communications to, from and about Americans out of section 702 PRISM collection.

[snip]

Before 2011, the FISA court prohibited, prohibited queries for U.S. persons. I’m going to repeat that: Under the Bush Administration and the first two years of the Obama Administration, it was not possible to conduct these back-door, warrantless searches of law-abiding Americans. Then the Obama Administration sought to change the rules and obtained authority to conduct them.

While he doesn’t provide much detail, he points to the expanded ability of those doing the back door searches (presumably, I’d imagine, those at CIA and FBI) to also nominate people for targeting.

Each of the agencies authorized to conduct these warrantless searches, the N.S.A., the F.B.I., the C.I.A., are also authorized to identify the overseas targets of section 702. The agencies that have developed an interest in Americans’ communications and are actually looking for these communications are the same agencies that are in a position to encourage ongoing collection of those communications by targeting the overseas party.

Such targeting still has to undergo NSA targeting review, meaning the actual target has to be overseas and have, according to NSA’s review team, foreign intelligence value unto himself. But it would be fairly easy for the FBI to target someone known to communicate prolifically with an American to be able to get the American’s side of the conversation. To make things worse, FBI has devolved its targeting to field offices, and I’m not convinced the reviews of field offices are as rigorous as they were at Headquarters. Not all field offices even get reviewed (though I assume the ones doing the most foreign targeting are), and the tracking on US persons caught up in all this has diminished with the devolution.

I share Wyden’s concerns — especially given NSA’s dodgy response to the Snowden documents released last year.

Given the volume of information the NSA and, derivatively, CIA and FBI, collect, it would be very easy to get away with reverse targeting, particularly the more you move targeting into the hands of people leading investigations, as has happened at FBI.

Wyden is not the only one concerned about this. Ted Lieu, fresh off the classified 702 briefing last week, seemed pretty concerned as well (as well as Rand Paul, though I’m not sure if Paul has had briefing on this). We won’t get the kind of granularity we need to understand how big of a problem this is.

Marcy has been blogging full time since 2007. She’s known for her live-blogging of the Scooter Libby trial, her discovery of the number of times Khalid Sheikh Mohammed was waterboarded, and generally for her weedy analysis of document dumps.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including the Guardian, Salon, and the Progressive, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse and dog in Grand Rapids, MI.

Ron Wyden’s History of Bogus Excuses for Not Counting 702 US Person Collection

The other day, Ron Wyden gave a long speech on FISA Section 702, purportedly explaining why he was voting against Dan Coats to be Director of National Intelligence. Wyden voted against Coats because his former colleague would not commit to providing a number of the number of Americans swept up under Section 702. Given that it’s always a good idea to read Wyden closely, I wanted to summarize what he said. I’ll look at his complaints in a separate post, but for now I wanted to focus on Wyden’s description of the bogus explanations James Clapper and others gave Wyden in his past efforts to get the number of Americans sucked up in 702. I summarized the known exchanges that occurred on this issue before Clapper’s famous “not wittingly” lie here.

In 2011, both Wyden and John Bates were asking for numbers at the same time — NSA refused both

The first request for a count is temporally significant(update: I think I just missed this one in the past). In April 2011, Wyden and Mark Udall asked for the number.

In April of 2011, our former colleague, Senator Mark Udall, and I then asked the Director of National Intelligence, James Clapper, for an estimate.

According to Clapper’s response, they sent a written letter with the request on July 14, 2011. The timing of this request is critically important because it means Wyden and Udall made the request during the period when NSA and FISA Judge John Bates were discussing the upstream violations (see this post for a timeline). As part of that long discussion Bates had NSA do analysis of how often it collected US person communications that were completely unrelated to a targeted one (MCTs). Once Bates understood the scope of the problem, he asked how many US person communications it collected that were a positive hit on the target that were the only communication collected (SCTs).

But the timing demands even closer scrutiny. On July 8, John Bates went to DOJ to express “serious concerns” — basically, warning them he might not be able to reauthorize upstream surveillance. On July 14 — the same day Wyden and Udall asked Clapper for this information — DOJ asked Bates for another extension to respond to his questions, promising more information. Clapper blew off Wyden and Udall’s request in what must be record time — on July 26. On August 16, DOJ provided their promised additional information to Bates. That ended up being a count of how many Americans were affected in MCTs.

That means Clapper claimed he couldn’t offer a number even as NSA was doing precisely the kind of count that Wyden and Udall wanted, albeit for just one kind of 702 collection. And, as Wyden suggested in his speech, Clapper’s answer was non-responsive, answering how many US persons had their communications reviewed, rather than how many had their communications collected.

In July of that year, the director wrote back and said, and I quote, it was not reasonably possible to identify the number of people located in the United States whose communications may have been reviewed under the authority of the Foreign Intelligence Surveillance Act. He suggested reviewing the classified number of disseminated intelligence reports containing a reference to a U.S. Person, but that is very different than the number of Americans whose communications have been collected in the first place. And that’s what this is all about.

Then, after the government presented the information on how many US persons were collected via MCTs to Bates in August, Bates asked them to go back and count SCTs.

NSA refused.

Both FISC and members of SSCI were asking for this information in the same time period, and NSA refused to provide the count.

Since NSA wouldn’t help him, Bates invented an estimate himself, calculating that some 46,000 entirely domestic communications were collected under upstream collection each year.

NSA’s manual review focused on examining the MCTs acquired through NSA’s upstream collection in order to assess whether any contained wholly domestic communications. Sept. 7, 2011 Hearing Tr. at 13-14. As a result, once NSA determined that a transaction contained a single discrete communication, no further analysis of that transaction was done. See Aug. 16 Submission at 3. After the Court expressed concern that this category of transactions might also contain wholly domestic communications, NSA conducted a further review. See Sept. 9 Submission at 4. NSA ultimately did not provide the Court with an estimate of the number of wholly domestic “about” SCTs that may be acquired through its upstream collection. Instead, NSA has concluded that “the probability of encountering wholly domestic communications in transactions that feature only a single, discrete communication should be smaller — and certainly no greater — than potentially encountering wholly domestic communications within MCTs.” Sept. 13 Submission at 2.

The Court understands this to mean that the percentage of wholly domestic communications within the universe of SCTs acquired through NSA’s upstream collection should not exceed the percentage of MCTs within its statistical sample. Since NSA found 10 MCTs with wholly domestic communications within the 5,081 MCTs reviewed, the relevant percentage is .197% (10/5,081). Aug. 16 Submission at 5.

NSA’s manual review found that approximately 90% of the 50,440 transactions in the same were SCTs. Id. at 3. Ninety percent of the approximately 13, 25 million total Internet transactions acquired by NSA through its upstream collection during the six-month period, works out to be approximately 11,925,000 transactions. Those 11,925,000 transactions would constitute the universe of SCTs acquired during the six-month period, and .197% of that universe would be approximately 23,000 wholly domestic SCTs. Thus, NSA may be acquiring as many as 46,000 wholly domestic “about” SCTs each year, in addition to the 2,000-10,000 MCTs referenced above.

Presumably, Wyden learned that NSA had been doing such a count in October, well after Clapper had given his first non-responsive answer.

The 2012 privacy violation claim

Wyden skips the next request he made, when on May 4, 2012, he and Udall asked the Intelligence Community Inspector General Charles McCullough for a number (I laid out the timing of the request in this post). When they also tried to include language in the FAA reauthorization requiring the IGs to come up with a number, SSCI refused, citing their outstanding request to McCullough. Of course, McCullough did not get back to the Senators with his refusal to do such a count until after the bill had passed out of committee. He responded by saying NSA IG George Ellard didn’t have the capacity for such a review, and besides, it would violate the privacy of Americans to find out how much NSA was violating their privacy.

I defer to his conclusion that obtaining such an estimate was beyond the capacity of his office and dedicating sufficient additional resources would likely impede the NSA’s mission. He further stated that his office and NSA leadership agreed that an IG review of the sort suggested would itself violate the privacy of U.S. persons.

Clapper blows off 12 Senators

In response, Wyden rounded up some privacy minded Senators to sign onto a letter asking for an estimate of the number. In this week’s speech, Wyden noted that he said he’d be willing to take an estimate. He didn’t remind his listeners that he and his friends also asked whether such an estimate had been done.

  • Have any entities made any estimates — even imprecise estimates — about how many US communications have been collected under section 702 authorities?

The answer to that question — at least with regards to upstream collection — was yes. NSA had estimated the MCTs and Bates, using their estimate, had made an even rougher estimate of the SCTs. But as I noted here, members of Congress relying on the purported disclosure to Congress about the upstream violations wouldn’t know that — or that the upstream violations involved entirely US person collection. As Wyden noted in his speech, Congress didn’t get this information before the reauthorized FAA.

We still got no answer. And section 702 was reauthorized without this necessary information.

Clapper’s least untruthful answer

Wyden also doesn’t address Clapper’s famous March 2013 lie. Since the exposure of the phone dragnet, most discussions have assumed Wyden was probing only about that program. But the question, as asked, absolutely applied to incidental collection.

Wyden: Does the NSA collect any type of data, at all, on millions, or hundreds of millions of Americans?

Clapper: No sir.

Wyden: It does not?

Clapper: There are cases where they could inadvertently, perhaps, uh, collect, but not wittingly.

Indeed, several of Clapper’s many excuses claim he was thinking of content when he responded. Even if he were, his first answer would still be yes: the NSA collects on so many millions of Americans incidentally that it refuses to count it. But Clapper’s “not wittingly” response is almost certainly not a goof, since he gave it after Wyden had provided a day’s warning the question would be asked and after two different John Bates’ opinions that made it clear that he would forgive the collection of content so long as NSA didn’t know about it, but once they knew about it, then it would become illegal. The not wittingly response reinforces my firm belief that the reason the government refuses to count this is because then a great deal of their Section 702 collection would be deemed illegal under those two FISC precedents.

Clapper’s blow-off becomes Dan Coats’ blow-off

Which is where Wyden brings us up to date, with both house of Congress asking for such a number and — after promises it would be forthcoming — not getting it.

So last year looking at the prospect of the law coming up, there was a renewed effort to find out how many law-abiding Americans are getting swept up in these searches of foreigners. In April 2016 a bipartisan letter from members of the House Judiciary Committee asked the Director of National Intelligence for a public estimate of the number of communications or transactions involving United States persons are collected under section 702 on an annual basis. This letter coming from the House Democrats and Republicans, again asked for a rough estimate. This bipartisan group suggested working with director clapper to determine the methodology to get this estimate.

In December there were hints in the news media that something might be forthcoming, but now we’re here with a new administration considering the nomination of the next head of the intelligence community who has said that reauthorizing section 702 is his top legislative priority and that there is no answer in sight to the question Democrats and Republicans have been asking for over six years. How many innocent law-abiding Americans are getting swept up in these searches under a law that targets foreigners overseas?

There’s one tiny tidbit he doesn’t mention here. Coats never answered that he wouldn’t provide an answer. Rather, he said he didn’t understand the technical difficulties behind providing one (not even after participating in the 2012 vote where this was discussed). In his confirmation hearing, Coats explained one reason why he couldn’t learn what the technical difficulties were before he was confirmed. When he resigned the Senate, his clearance had lapsed, and during his confirmation process, his new clearance was being processed. That meant that for this — and any other classified question that Coats might want to consider anew — he was unable to get information.

The Senate doesn’t seem to care about this serial obstruction, however. Coats was confirmed with an 85-12 vote, with the following Senators voting against confirmation.

Baldwin (D-WI)
Booker (D-NJ)
Duckworth (D-IL)
Gillibrand (D-NY)
Harris (D-CA)
Markey (D-MA)
Merkley (D-OR)
Paul (R-KY)
Sanders (I-VT)
Udall (D-NM)
Warren (D-MA)
Wyden (D-OR)

Given how hard the IC is trying to hide this, the actual exposure of US persons must be fairly significant. We’ll see whether Congress finds another way to force this information out of the IC.

Updated with more granular timing on the 2011 exchange.

Marcy has been blogging full time since 2007. She’s known for her live-blogging of the Scooter Libby trial, her discovery of the number of times Khalid Sheikh Mohammed was waterboarded, and generally for her weedy analysis of document dumps.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including the Guardian, Salon, and the Progressive, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse and dog in Grand Rapids, MI.

The Yahoo Indictment: Erectile Dysfunction Marketing, Plus Stuff NSA Does All the Time

With much fanfare today, DOJ indicted four men for pawning Yahoo from 2014 to 2016. The indictment names two FSB officers, Dmitry Dokuchaev (who was charged by Russia with treason in December) and Igor Sushchin (who worked undercover at a Russian financial company), and two other hackers, Alexsey Belan (who has been indicted in the US twice and was named in December’s DNC hack sanctions) and Karim Baratov (who, because he lives in Canada, was arrested and presumably will be extradited).

Among the charged crimes, they accused Belan of using his access to the Yahoo network to game search results for erectile dysfunction drugs, for which he got commission from the recipient of the redirected traffic.

BELAN leveraged his access to Yahoo’s network to enrich himself: (a) through an online marketing scheme, by manipulating Yahoo search results for erectile dysfunction drugs; (b) by searching Yahoo user email accounts for credit card and gift card account numbers and other information that could be monetized; and (c) by gaining unauthorized access to the accounts of more than 30 million Yahoo users, the contacts of whom were then stolen as part of a spam marketing scheme.

But almost the entirety of the rest of the indictment — forty-seven charges worth — consist of stuff the FBI and NSA do both lawfully in this country and under EO 12333 in other countries (almost certainly including Russia).

Collect metadata and then collect content over time

Consider the details the indictment provides about how these Russians obtained information from Yahoo and other email services, including Google.

First, they collected a whole bunch of metadata.

[T]he conspirators stole non-content information regarding more than 500 million Yahoo user accounts as a result of their malicious intrusion.

The US did this in bulk under the PRTT Internet dragnet program from 2004 to 2011, and now conducts similar metadata collection overseas (as well as — in more targeted fashion — under PRISM). Mind you, the Russians got far more types of metadata than the US did under the PRTT program.

account users’ names; recovery email accounts and phone numbers, which users provide to webmail providers, such as Yahoo, as alternative means of communication with the provider; password challenge questions and answers; and certain cryptographic security information associated with the account, i.e. the account’s “nonce”

But this likely gives you an understanding of the kinds of things the US does collect overseas, as well as via the PRISM program.

The Russians then either accessed the accounts directly or created fake cookies to access accounts (note, the US also gets cookies lawfully from at least some Internet providers; I suspect they also do so under the new USA Freedom collection).

The indictment provides this comment about how many Yahoo user accounts the Russians accessed by minting cookies over the almost three years they were in Yahoo’s networks (January 2014 to December 1, 2016; this may not represent the entirety of the Yahoo content they accessed).

The conspirators utilized cookie minting to access the contents of more than 6,500 Yahoo user accounts.

Compare that to US requests from Yahoo in just 2015. Yahoo turned over content on at least 40,000 accounts under FISA (first half, second half) and content in response to 2,356 US law enforcement requests during a period when government requests averaged 1.8 account per request (so roughly 4,240 accounts).

Once they accessed the accounts, they maintained access to them, as the government does under PRISM.

The conspirators used their access to the AMT to (among other unauthorized actions) maintain persistent unauthorized access to some of the compromised accounts.

The Russians used both the metadata and content stolen from Yahoo to obtain access to other accounts, both in the US and in Russia.

the conspirators used the stolen Yahoo data to compromise related user accounts at Yahoo, Google, and other webmail providers, including the Russian Webmail Provider

Again, this is a key function of metadata requests by the US — to put together a mosaic of all the online accounts of a given target, so they can access all the accounts that may be of interest.

Like PRISM (but reportedly unlike the scan of all Yahoo emails FBI had done in 2015), the Russians were not able to search all of Yahoo’s email for content. Instead they searched metadata to find content of interest.

The AMT did not permit text searches of underlying data. It permitted the conspirators to access information about particular Yahoo user accounts. However, by combining their control of the stolen UDE copy and access to the AMT, the conspirators could, for example, search the UDE contents to identify Yahoo user accounts for which the user had provided a recovery email account hosted by a specific company of interest to the conspirators (e.g., “[email protected]”)­ showing that the user was likely an employee of the company of interest-and then use information from the AMT to gain unauthorized access to the identified accounts using the means described in paragraph 26.

And, as we’ll see below, the Russians “hunted SysAdmins,” as we know NSA does, to get further access to whatever networks they managed.

In other words, aside from the Viagra ads and credit card theft, the Russians were doing stuff that America’s own spies do all the time, using many of the same methods.

Let me be clear: I’m not saying this means America is just as evil as Russia. Indeed, as the list of targets suggests, a lot of this collection serves for internal spying purposes, something the US primarily does under the guise of Insider Threat analysis. Rather, I’m simply observing that except for some of the alleged actions of Belan, this indictment is an indictment for spying, not typical hacking.

The US didn’t indict anyone in China when it hacked Google in 2013. Nor did China indict the US when details of America’s far greater sabotage of Huawei networks emerged under the Snowden leaks. But the US chose to indict not just Belan, but also three people engaged in nation-state spying. Why?

Redefine economic espionage

I find all this particularly interesting given that the government included four charges — counts 2 and 4 through 6 — related to economic espionage for stealing the following:

a. Yahoo’s UDB and the data therein, including user data such as the names of Yahoo users, identified recovery email accounts and password challenge answers, and Yahoo-created and controlled data regarding its users’ accounts;

b. Yahoo’s AMT, its method and manner of functioning and capabilities, and the data it contained and provided; and

c. Yahoo’s cookie minting source code.

The US always justifies its global spying by claiming that it does not engage in industrial espionage, based on the flimsy explanation that it doesn’t share any information with allegedly private companies (including government contractors like Lockheed) they can use to compete unfairly.

But here we are, treating nation-state information collection — the kinds of actions our own hackers do all the time — as economic espionage. The only distinction here is that Belan also used his Yahoo access for personal profit. And yet Sushchin and Dokuchaev are also named in those counts.

Which raises the question of why DOJ decided to indict this as they did, especially since it risks an escalation of spying-related indictments. If I were Russia (maybe even China) I’d draw up indictments of American spies who’ve accessed Vkontakte or Yandex and accuse them of economic espionage.

I’ve got several suggestions:

  • To leverage Baratov to learn more about the other three indictees (and FSB Officer 3, who is also mentioned prominently in the indictment)
  • To expose Russia’s targets
  • To expose FSB’s internal spying

Leverage Baratov to learn more about the other three indictees (and FSB Officer 3)

The US is almost certainly never going to get custody of Sushchin, Dokuchaev, or Belan, who are all in Russia safe from any extradition requests. That’s not true of Baratov, who was arrested and whose beloved Aston Martin and Mercedes Benz will be seized. These charges are larded on in such a way as to incent cooperation from Baratov.

Which means the government probably hopes to use the indictment to learn more about the other three indictees.

Remember: Belan was named in the sanctions on the DNC hack. So it may be that DOJ wants more information about those he works with, possibly up to and including on the DNC hack.

Expose Russia’s targets

Then there are the very long descriptions of the kind of people the accused collected on. The indictment highlights these three examples.

For example, SUSHCHIN, DOKUCHAEV, and BARATOV sought access to the Google, Inc. (“Google”) webmail accounts of:

a. an assistant to the Deputy Chairman of the Russian Federation;

b. an officer of the Russian Ministry of Internal Affairs;

c. a physical training expert working in the Ministry of Sports of a Russian republic;

Then provides this list of people hacked at Yahoo:

  • a diplomat from a country bordering Russia who was posted in a European country
  • the former Minister of Economic Development of a country bordering Russia (“Victim A”) and his wife (“Victim B”)
  • a Russian journalist and investigative reporter who worked for Kommersant Daily
  • a public affairs consultant and researcher who analyzed Russia’s bid for World Trade Organization membership
  • three different officers of U.S. Cloud Computing Company 1
  • an account of a Russian Deputy Consul General
  • a senior officer at a Russian webmail and internet-related services provider

And this list of people targeted by Belan (who may or may not have been related to his own efforts rather than FSB’s):

  • 14 employees of a Swiss bitcoin wallet and banking firm
  • a sales manager at a major U.S. financial company
  • a Nevada gaming official
  • a senior officer of a major U.S. airline
  • a Shanghai-based managing director of a U.S. private equity firm
  • the Chief Technology Officer of a French transportation company
  • multiple Yahoo users affiliated with the Russian Financial Firm

And this list of people Baratov hacked at Gmail and other ISPs:

  • an assistant to the Deputy Chairman of the Russian Federation
  • a managing director, a former sales officer, and a researcher, all of whom worked for a major Russian cyber security firm;
  • an officer of the Russian Ministry of Internal Affairs assigned to that Ministry’s “Department K,” its “Bureau of Special Technical Projects,” which investigates cyber, high technology, and child pornography crimes;
  • a physical training expert working in the Ministry of Sports of a Russian republic;
  • a Russian official who was both Chairman of a Russian Federation Council committee and a senior official at a major Russian transport corporation
  • the CEO of a metals industry holding company in a country bordering Russia
  • a prominent banker and university trustee in a country bordering Russia
  • a managing director of a finance and banking company in a country bordering Russia
  • a senior official in a country bordering Russia

For those who weren’t alerted by Yahoo or Google they’d been hacked, these descriptions provide enough detail (as well as partial email addresses for some targets) to figure it out from the indictment.

Expose FSB’s internal spying

As these descriptions make clear, some of these targets are potentially well-connected people in Russia: a Russian Deputy Consul General, someone from Department K, the office of the Deputy Chairman of the Russian Federation, the Chairman of a Russian Federation Council committee (who also happens to be a businessman). Perhaps those people were targeted for sound political reasons — perhaps counterintelligence or corruption, for example. Or perhaps FSB was just trying to gain leverage in the political games of Russia.

Remember: One of the guys — Dokuchaev — is already being prosecuted in Russia for treason. These details might give Russia more details to go after him.

Sushchin is a special example. As the indictment explains, he was working undercover at some Russian financial firm, but it’s unclear whether his firm knew he was FSB or not.

SUSHCHIN was embedded as a purported employee and Head of Information Security at the Russian Financial Firm, where he monitored the communications of Russian Financial Firm employees, although it is unknown to the grand jury whether the Russian Financial Firm knew of his FSB affiliation.

But it’s clear that Sushchin’s role here was largely to conduct some very focused spying on the firm that he worked for.

In one instance, in or around April 2015, SUSHCHIN ordered DOKUCHAEV to target a number ofindividuals, including a senior board member ofthe Russian Financial Firm, his wife, and his secretary; and a senior officer ofthe Russian Financial Firm (“Corporate Officer l “).

[snip]

[I]n or around April 2015, SUSHCHIN sent DOKUCHAEV a list of email accounts associated with Russian Financial Firm personnel and family members to target, including Google accounts. During these April 2015 communications, SUSHCHIN identified a Russian Financial Firm employee to DOKUCHAEV as the “main target.” Also during these April 2015 communications, SUSHCHIN forwarded to DOKUCHAEV an email sent by that “main target’s” wife to a number of other Russian Financial Firm employees. SUSHCHIN added the cover note “this may be of some use.”

Maybe that operation was known by his employers; maybe it wasn’t. Certainly, his cover has now been blown.

All of which is to say that — splashy as this indictment is — the unstated reasons behind it are probably far more interesting than the actual charges listed in it.

 

Marcy has been blogging full time since 2007. She’s known for her live-blogging of the Scooter Libby trial, her discovery of the number of times Khalid Sheikh Mohammed was waterboarded, and generally for her weedy analysis of document dumps.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including the Guardian, Salon, and the Progressive, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse and dog in Grand Rapids, MI.

One Way to Hide Section 702 Spying on US Persons

I noted something in the batch of Semiannual Section 702 Assessments I Con the Record released in January that may explain one reason why the government has such problems giving defendants who’ve been captured in Section 702 surveillance the notice required under the law.

Starting with the 14th Assessment — the one released in February 2016, which covers December 2014 to May 2015 (which also began to integrate feedback from PCLOB), the assessments started to reveal that disseminated reports don’t identify where information on a US Person comes from.

23 (C//NF) NSA does not maintain records that allow it to readily determine, in the case of a report that includes information from several sources, from which source a reference to a U.S. person was derived. Accordingly, the references to U.S. person identities may have resulted from collection pursuant to Section 702 or from other authorized signals intelligence activity conducted by NSA that was reported in conjunction with information acquired under Section 702. Thus, the number provided above is assessed to likely be over-inclusive. NSA has previously provided this explanation in its Annual Review pursuant to Section 702(l)(3) that is provided to Congress.

Presumably, the reports track that intelligence in the report comes from Section 702, or else they wouldn’t be able to track how often serialized reports contain US person information derived from Section 702- or PAA-acquired data, which is where this footnote appears. (In this reporting period, 9.7% of reports including US person information.) But they don’t track which tidbits come from 702 and which come from — say — EO 12333 authorized information or foreign partners.

Given that these reports get circulated outside of NSA (and even outside those people cleared into Section 702), that might mean someone with a dual intelligence/law enforcement role would see the information, pursue further investigation, and yet not know that the investigation “derived” from 702 data, which would then mean the defendant might never get notice.

Marcy has been blogging full time since 2007. She’s known for her live-blogging of the Scooter Libby trial, her discovery of the number of times Khalid Sheikh Mohammed was waterboarded, and generally for her weedy analysis of document dumps.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including the Guardian, Salon, and the Progressive, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse and dog in Grand Rapids, MI.

FISA Is Not a Magic Word

The NYT had an article yesterday reporting on investigations into three (not four) of Donald Trump’s associates. The lead explains that authorities are reviewing “intercepted communications” in an investigation.

American law enforcement and intelligence agencies are examining intercepted communications and financial transactions as part of a broad investigation into possible links between Russian officials and associates of President-elect Donald J. Trump, including his former campaign chairman Paul Manafort, current and former senior American officials said.

The article differs from many of the reports on investigations into Trump because it is not so breathless and shows far more understanding of how DOJ works. Sadly, most readers appear not to have gotten this far into the story, which admits it’s not even clear whether the investigation is primarily about ties between Trump and the DNC hack.

It is not clear whether the intercepted communications had anything to do with Mr. Trump’s campaign, or Mr. Trump himself. It is also unclear whether the inquiry has anything to do with an investigation into the hacking of the Democratic National Committee’s computers and other attempts to disrupt the elections in November.

A number of people, including — bizarrely! — former DHS Assistant Secretary for Intergovernmental Affairs Juliette Kayyem have asked why the NYT article doesn’t mention FISA.

Great piece. Honest ? Is there reason why it doesn’t mention word FISA? I don’t know other ways to intercept comms.

Kayyem asks that, even about an article that partially raises another — the most common — way intercepts get done: by targeting foreigners.

The counterintelligence investigation centers at least in part on the business dealings that some of the president-elect’s past and present advisers have had with Russia. Mr. Manafort has done business in Ukraine and Russia. Some of his contacts there were under surveillance by the National Security Agency for suspected links to Russia’s Federal Security Service, one of the officials said.

The Russians alleged to have bought off Manafort, and the Russians alleged to have hacked the DNC are all legal targets without a FISA order (unless they’re targeting in the US, and even then, in some cases you wouldn’t need a FISA order). But these people are described as Russians and Ukrainians in Europe, so no FISA order needed. Moreover, the BBC article that started this line of reporting made clear the investigation arises from an intercept from a Baltic ally. Even if the US did the spying, foreign targets could be collected on under EO 12333 or under Section 702 of FISA without an individual order, and the Manafort sides of those conversations would be read. Indeed, those communications would be read precisely because a US person was having conversations with targets of interest.

So to review, here are the ways that the government might collect data in this case.

  • As the BBC reported, the US gets intercepts from its foreign partners, and appears to have done so here.
  • For foreign targets like those described, much US surveillance takes place under EO 12333. The NSA is collecting on switches and satellites carrying such communications, and to the extent that they’re not encrypted (or encrypted using technology the NSA has broken) those communications are readily available without a court order.
  • Those foreign targets located in Europe are also legal targets under Section 702. For national security cases (including counterintelligence ones) NSA routinely shares the raw feed off such collection with FBI, and FBI is not only allowed to read both sides of those conversations, but to go back and search for US persons in them without any suspicion of wrong-doing.
  • This counterintelligence investigation is primarily about money changing hands. That’s Treasury’s job, and its methods of coercion for collecting information don’t usually involve courts. Banks are obliged to hand over certain kinds of suspicious transfers in any case. Treasury also gets to go to SWIFT and get what it wants. That’s not an “intercept” in the traditional sense, but is likely a key piece of evidence in this case.

The issue, then, is when someone like Manafort becomes the target of the investigation and/or when Russians in the US (but not exclusively at an Embassy) are targeted. In that case, the following might explain intercepts.

  • In some respects, Manafort’s behavior reeks of classic influence peddling, a lobbyist gone wrong. To the extent that’s the case, it might be investigated under regular criminal law with pretty much the same secrecy that FISA will give you (especially given that multiple sources are leaking like sieves about FISA orders now). So FBI could have obtained a criminal warrant targeting Manafort’s communications.
  • To target Manafort anywhere in the world, the FBI/NSA would need a FISA order. Domestically, that’d be a traditional order(s). Given the overseas connection, they’d likely get a 705b order, allowing them to keep spying if Manafort were to leave the country.
  • To target Russians who are in the country but not at the Russian embassy, the government would need a FISA order.

To be sure, there were earlier reports that FBI asked for FISA orders in June and July, finally obtaining one (not three) in October. Even there, the original BBC report suggested the Americans were not the primary targets, but foreign targets, though it misstates who could actually be targeted (and seems to think Russian banks would require a FISA order).

Lawyers from the National Security Division in the Department of Justice then drew up an application. They took it to the secret US court that deals with intelligence, the Fisa court, named after the Foreign Intelligence Surveillance Act. They wanted permission to intercept the electronic records from two Russian banks.

Their first application, in June, was rejected outright by the judge. They returned with a more narrowly drawn order in July and were rejected again. Finally, before a new judge, the order was granted, on 15 October, three weeks before election day.

Neither Mr Trump nor his associates are named in the Fisa order, which would only cover foreign citizens or foreign entities – in this case the Russian banks

A more recent, but breathless, version of the story originally misstated the standard for FISA, but does get closer to suggesting Trump’s associates are the targets.

Note that in one place NYT refers to “investigations” plural.

The F.B.I. is leading the investigations, aided by the National Security Agency, the C.I.A. and the Treasury Department’s financial crimes unit.

It is possible that there are separate investigation(s), one targeting Manafort for clear influence peddling, another targeting Roger Stone for apparent involvement in the hand-off of DNC documents to Wikileaks, and a third for corrupt business dealings on the part of Carter Page. It is also possible that such independent investigations could converge on the election, if what the Trump dossier claims is true. It is further possible that if all of those investigations converged into one election-related investigation, there’d still be no way to prove Trump knew of Russian involvement; right now, only his associates have been “targeted,” to the extent even that has occurred. (Roger Stone, of course, is an old hand at giving the President plausible deniability about the rat-fucking done in his name.)

Finally, there’s one more (delicious) detail most people have missed. Just last week the intelligence community rolled out its new EO 12333 sharing guidelines. I suspect such guidelines were in place between FBI and NSA before then; for a variety of reasons I think they may have been sharing such data since … September. But as I’ll show in a follow-up, one very clear objective for the expanded EO 12333 sharing is to give FBI (and CIA) direct access to raw EO 12333 collected information for counterintelligence purposes. That means all those intercepts on Russian and Ukrainian people talking to Manafort, going back over a year? At least as of January 3, the FBI (and CIA) can have those, including Manafort’s side of the conversation, in raw form.

Marcy has been blogging full time since 2007. She’s known for her live-blogging of the Scooter Libby trial, her discovery of the number of times Khalid Sheikh Mohammed was waterboarded, and generally for her weedy analysis of document dumps.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including the Guardian, Salon, and the Progressive, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse and dog in Grand Rapids, MI.

The Dragnet Donald Trump Will Wield Is Not Just the Section 215 One

I’ve been eagerly anticipating the moment Rick Perlstein uses his historical work on Nixon to analyze Trump. Today, he doesn’t disappoint, calling Trump more paranoid than Nixon, warning of what Trump will do with the powerful surveillance machine laying ready for his use.

Revenge is a narcotic, and Trump of all people will be in need of a regular, ongoing fix. Ordering his people to abuse the surveillance state to harass and destroy his enemies will offer the quickest and most satisfying kick he can get. The tragedy, as James Madison could have told us, is that the good stuff is now lying around everywhere, just waiting for the next aspiring dictator to cop.

But along the way, Perlstein presents a bizarre picture of what happened to the Section 215 phone dragnet under Barack Obama.

That’s not to say that Obama hasn’t abused his powers: Just ask the journalists at the Associated Press whose phone records were subpoenaed by the Justice Department. But had he wanted to go further in spying on his enemies, there are few checks in place to stop him. In the very first ruling on the National Security Administration’s sweeping collection of “bulk metadata,” federal judge Richard Leon blasted the surveillance as downright Orwellian. “I cannot imagine a more ‘indiscriminate’ and ‘arbitrary’ invasion than this collection and retention of personal data,” he ruled. “Surely, such a program infringes on ‘that degree of privacy’ that the founders enshrined in the Fourth Amendment.”

But the judge’s outrage did nothing to stop the surveillance: In 2015, an appeals court remanded the case back to district court, and the NSA’s massive surveillance apparatus—soon to be under the command of President Trump—remains fully operational. The potential of the system, as former NSA official William Binney has described it, is nothing short of “turnkey totalitarianism.”

There are several things wrong with this.

First, neither Richard Leon nor any other judge has reviewed the NSA’s “sweeping collection of ‘bulk metadata.'” What Leon reviewed — in Larry Klayman’s lawsuit challenging the collection of phone metadata authorized by Section 215 revealed by Edward Snowden — was just a small fraction of NSA’s dragnet. In 2013, the collection of phone metadata authorized by Section 215 collected domestic and international phone records from domestic producers, but even there, Verizon had found a way to exclude collection of its cell records.

But NSA collected phone records — indeed, many of the very same phone records, as they collected a great deal of international records — overseas as well. In addition, NSA collected a great deal of Internet metadata records, as well as financial and anything else records. Basically, anything the NSA can collect “overseas” (which is interpreted liberally) it does, and because of the way modern communications works, those records include a significant portion of the metadata of Americans’ everyday communications.

It is important for people to understand that the focus on Section 215 was an artificial creation, a limited hangout, an absolutely brilliant strategy (well done, Bob Litt, who has now moved off to retirement) to get activists to focus on one small part of the dragnet that had limitations anyway and NSA had already considered amending. It succeeded in pre-empting a discussion of just what the full dragnet entailed.

Assessments of whether Edward Snowden is a traitor or a saint always miss this, when they say they’d be happy if Snowden had just exposed the Section 215 program. Snowden didn’t want the focus to be on just that little corner of the dragnet. He wanted to expose the full dragnet, but Litt and others succeeded in pretending the Section 215 dragnet was the dragnet, and also pretending that Snowden’s other disclosures weren’t just as intrusive on Americans.

Anyway, another place where Perlstein is wrong is in suggesting there was just one Appeals Court decision. The far more important one is the authorized by Gerard Lynch in the Second Circuit, which ruled that Section 215 was not lawfully authorized. It was a far more modest decision, as it did not reach constitutional questions. But Lynch better understood that the principle involved more than phone records; what really scared him was the mixing of financial records with phone records, which is actually what the dragnet really is.

That ruling, on top of better understanding the import of dragnets, is important because it is one of the things that led to the passage of USA Freedom Act, a law that, contrary to Perlstein’s claim, did change the phone dragnet, both for good and ill.

The USA Freedom Act, by imposing limitations on how broadly dragnet orders (for communications but not for financial and other dragnets) can be targeted, adds a check at the beginning of the process. It means only people 2 degrees away from a terrorism suspect will be collected under this program (even while the NSA continues to collect in bulk under EO 12333). So the government will have in its possession far fewer phone records collected under Section 215 (but it will still suck in massive amounts of phone records via EO 12333, including massive amounts of Americans’ records).

All that said, Section 215 now draws from a larger collection of records. It now includes the Verizon cell records not included under the old Section 215 dragnet, as well as some universe of metadata records deemed to be fair game under a loose definition of “phone company.” At a minimum, it probably includes iMessage, WhatsApp, and Skype metadata, but I would bet the government is trying to get Signal and other messaging metadata (note, Signal metadata cannot be collected retroactively; it’s unclear whether it can be collected with standing daily prospective orders). This means the Section 215 collection will be more effective in finding all the people who are 2 degrees from a target (because it will include any communications that exist solely in Verizon cell or iMessage networks, as well as whatever other metadata they’re collecting). But it also means far more innocent people will be impacted.

To understand why that’s important, it’s important to understand what purpose all this metadata collection serves.

It was never the case that the collection of metadata, however intrusive, was the end goal of the process. Sure, identifying someone’s communications shows when you’ve been to an abortion clinic or when you’re conducting an affair.

But the dragnet (the one that includes limited Section 215 collection and EO 12333 collection limited only by technology, not law) actually serves two other primary purposes.

The first is to enable the creation of dossiers with the click of a few keys. Because the NSA is sitting on so much metadata — not just phone records, but Internet, financial, travel, location, and other data — it can put together a snapshot of your life as soon as they begin to correlate all the identifiers that make up your identity. One advantage of the new kind of collection under USAF, I suspect, is it will draw from the more certain correlations you give to your communications providers, rather than relying more heavily on algorithmic analysis of bulk data. Facebook knows with certainty what email address and phone number tie to your Facebook account, whereas the NSA’s algorithms only guess that with (this is an educated guess) ~95+% accuracy.

This creation of dossiers is the same kind of analysis Facebook does, but instead of selling you plane tickets the goal is government scrutiny of your life.

The Section 215 orders long included explicit permission to subject identifiers found via 2-degree collection to all the analytical tools of the NSA. That means, for any person — complicit or innocent — identified via Section 215, the NSA can start to glue together the pieces of dossier it already has in its possession. While not an exact analogue, you might think of collection under Section 215 as a nomination to be on the equivalent of J Edgar Hoover’s old subversives list. Only, poor J Edgar mostly kept his list on index cards. Now, the list of those the government wants to have a network analysis and dossier on is kept in massive server farms and compiled using supercomputers.

Note, the Section 215 collection is still limited to terrorism suspects — that was an important win in the USA Freedom fight — but the EO 12333 collection, with whatever limits on nominating US persons, is not. Plus, it will be trivial for Trump to expand the definition of terrorist; the groundwork is already being laid to do so with Black Lives Matter.

The other purpose of the dragnet is to identify which content the NSA will invest the time and energy into reading. Most content collected is not read in real time. But Americans’ communications with a terrorism suspect will probably be, because of the concern that those Americans might be plotting a domestic plot. The same is almost certainly true of, say, Chinese-Americans conversing with scientists in China, because of a concern they might be trading US secrets. Likewise it is almost certainly true of Iranian-Americans talking with government officials, because of a concern they might be dealing in nuclear dual use items. The choice to prioritize Americans makes sense from a national security perspective, but it also means certain kinds of people — Muslim immigrants, Chinese-Americans, Iranian-Americans — will be far more likely to have their communications read without a warrant than whitebread America, even if those whitebread Americans have ties to (say) NeoNazi groups.

Of course, none of this undermines Perlstein’s ultimate categorization, as voiced by Bill Binney, who created this system only to see the privacy protections he believed necessary get wiped away: the dragnet — both that authorized by USAF and that governed by EO 12333 — creates the structure for turnkey totalitarianism, especially as more and more data becomes available to NSA under EO 12333 collection rules.

But it is important to understand Obama’s history with this dragnet. Because while Obama did tweak the dragnet, two facts about it remain. First, while there are more protections built in on the domestic collection authorized by Section 215, that came with an expansion of the universe of people that will be affected by it, which must have the effect of “nominating” more people to be on this late day “Subversives” list.

Obama also, in PPD-28, “limited” bulk collection to a series of purposes. That sounds nice, but the purposes are so broad, they would permit bulk collection in any area of the world, and once you’ve collected in bulk, it is trivial to then call up that data under a more broad foreign intelligence purpose. In any case, Trump will almost certainly disavow PPD-28.

Which makes Perlstein’s larger point all the more sobering. J Edgar and Richard Nixon were out of control. But the dragnet Trump will inherit is far more powerful.

Marcy has been blogging full time since 2007. She’s known for her live-blogging of the Scooter Libby trial, her discovery of the number of times Khalid Sheikh Mohammed was waterboarded, and generally for her weedy analysis of document dumps.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including the Guardian, Salon, and the Progressive, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse and dog in Grand Rapids, MI.

As of August 29, 2016, Not All High Risk Users at NSA Had Two-Factor Authentication

For the last several weeks, all of DC has been wailing that Russia hacked the election, in part because John Podesta didn’t have two-factor authentication on his Gmail account.

So it should scare all of you shitless that, as of August 29, 2016, not all high risk users at NSA had 2FA.

That revelation comes 35 pages  into the 38 page HPSCI report on Edward Snowden. It describes how an IG Report finished on August 29 found that NSA still had not closed the Privileged Access-Related holes in the NSA’s network.

That’s not the only gaping hole: apparently even server racks in data centers were not secure.

And note that date: August 29? Congress would have heard about these glaring problems just two weeks after the first Shadow Brokers leak, and days after Hal Martin got arrested with terabytes of NSA data in his backyard shed.

I think I can understand why James Clapper and Ash Carter want to fire Mike Rogers.

Marcy has been blogging full time since 2007. She’s known for her live-blogging of the Scooter Libby trial, her discovery of the number of times Khalid Sheikh Mohammed was waterboarded, and generally for her weedy analysis of document dumps.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including the Guardian, Salon, and the Progressive, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse and dog in Grand Rapids, MI.

Working Thread: HPSCI’s Full Unbelievably Shitty Snowden Report

In September, I did a post asking why the House Intelligence Committee report on Edward Snowden was so unbelievably shitty. My post was just based off a summary released by the Committee. HPSCI has now released the full report.

This will be a working thread.

Summary: The summary, with all its obvious errors, remains unchanged. So see my earlier post for the problems with that.

PDF 6: The report starts with a claim that Snowden’s leaks were the “most massive and damaging in history.” But the claim was made in 2014. Since then we’ve had two more damaging leaks, the OPM leak and the Shadow Brokers leak.

PDF 6: In my earlier post, I wrote about how the deference given to the ongoing criminal investigation into Snowden seemed very similar to — but was far less defensible than — the approach Stephen Preston used when he was General Counsel at CIA. He was General Counsel at DOD when this report started, suggesting he adopted the same approach. Worse, we now know from emails released this year that the exec had actually moved on by May 2014, meaning the claim was not sustainable when made in August 2014.

PDF 7: On the education paragraph, see this post.

PDF 7: Rather than asking the military why Snowden was discharged, the committee asked NSA’s security official. As Bart Gellman notes, his official Army record backs Snowden, not the security official.  Then they say (in the footnote) that they “found node evidence that Snowden was involved in a training accident.”

PDF 9: This page cites from a CIA IG report on Snowden’s complaints about the treatment of TISOs overseas. It actually shows him trying to complain through channels.

PDF 10: Note that HPSCI claimed a paragraph based on information classified confidential was classified secret.

PDF 11: I’m curious why they redacted footnote 43.

PDF 11: Report notes a new derogatory report was submitted after Snowden left Geneva but also after his next employer hired him. It doesn’t seem too serious. Report notes that the alert function for Scattered Castles got updated after that.

PDF 12: The reports that he went to Thailand and China are second-hand, based off what an NSA lawyer said his former co-workers said. Both support an awareness that Snowden was making his privacy concerns known, including this quote (which is likely out of context and may refer to an individual program):

… Snowden expressing his view that the U.S. government had overreached on surveillance and that it was illegitimate for the government to obtain data on individuals’ personal computers.

PDF 13: Why would HPSCI (or NSA, for that matter) depend on the comments of co-workers to learn what Snowden did during a leave of absence? Also note, this is classified Secret, which means it must have some security function.

PDF 13: Note they had an interview with a lawyer and a security official on the same day.

PDF 13: His co-workers claimed Snowden frequently showed up late. That would mean he’d be home for the entirely of the East Coast day.

PDF 13: Snowden expressed concern that SOPA/PIPA would lead to online censorship, but his co-worker was dismissive bc he hadn’t read the bill.

PDF 14: The claim that Snowden went to a hackers conference in China is sourced to a co-worker who didn’t like Snowden much.

PDF 14: Note in the patch discussion, they hide the kind of person that the interviewee for this information is.

PDF 14: Snowden did something after being called out for bringing in a manager.

PDF 15: The report claims that Snowden started downloading docs in July 2012. Snowden has said that was part of transferring docs. But it also coincides with the period when he was trouble shooting a 702 template, so they may think this is how he got the FISA data.

PDF 15: Snowden had access to wget on NSA’s networks for the same reason Chelsea Manning did, IIRC: because the networks were unreliable. Snowden said he did this to move files from MD to HI. There’s a redacted paragraph that it sourced to a “HPSCI recollection summary paper,” which seems odd and unreliable.

PDF 15: The methods Snowden used paper is classified REL to USA, FVEY, presumably because Snowden was grabbing GCHQ documents.

PDF 16: Here’s the funny quote about Snowden violating privacy. Note the first redacted sentence here is not sourced to an NSA document, but instead to a NSA Legislative Affairs document.

PDF 18: The end of this betrays NSA’s efforts to make light of glaring security holes: the CD-ROM/USB port on Snowden’s computer, and the ability for him to download data w/o a buddy (they currently require a buddy).

PDF 19: THe complaints about Snowden’s “resumé inflation” are a valid point. But what does it say that no one at NSA checks these things.

PDF 20: After Snowden moved to Booz, he went back to his old computer to be able to download the files he had new access to. I had been wondering about that.

PDF 20: All the details about Snowden’s flight are taken from public reports, not FBI or CIA reports or even NSA’s timeline, which must cover it. Did NSA’s timeilne, which is dated . That is bizarre.

PDF 21: Note the classification mark for 132, which seems to conclude that Snowden’s motivation was to inform the public.

PDF 21: The report says Snowden left some encrypted hard drives behind, sourced to a 2/4/14 briefing not cited elsewhere. Working from memory I think this is the Flynn one.

PDF 21: The description of what others had said about Snowden’s interest in privacy conflicts with what NSA said internally. 

PDF 22: I will return to the description of the 702 training.

PDF 22: Note they source the training issue to someone unnamed. This appears to be the same person who described the patch issue (PDF 14), with an interview on October 28. That means it couldn’t have been the training person, and surely didn’t have first-hand knowledge.

PDF 23: The report cites the emails (without describing who they were addressed to) and the I Con the Record report on the email. Which means I’ve reviewed this issue more closely than HPSCI.

PDF 23: The section on whether Snowden was a whistleblower doesn’t cite his CIA IG contact.

PDF 25: Some of the foreign influence section obviously says there was none (see the Keith Alexander comment). Plus, this doesn’t cite other public comments saying there is no evidence of any foreign tie.

PDF 26: FN 166 is the bad briefing. Note that 1/5 of the documents Snowden took were blank.

PDF 29: This section describes the damage assessment. I find it very significant the NCSC has stopped reviewing T3 and T2 documents, which must suggest, in part, that they trust the security of the documents and/or have confirmed via some means that there aren’t more out there.

PDF 34: Yet another complaint about not fixing the removable media problem.

PDF 34: A description of the Secure the Net initiative, with four measures outstanding, and taking over a year to get to buddy system with SysAdmins.

PDF 35-36: There’s a list of things HPSCI ordered the IC to do after Snowden.

Marcy has been blogging full time since 2007. She’s known for her live-blogging of the Scooter Libby trial, her discovery of the number of times Khalid Sheikh Mohammed was waterboarded, and generally for her weedy analysis of document dumps.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including the Guardian, Salon, and the Progressive, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse and dog in Grand Rapids, MI.