The Dragnet Donald Trump Will Wield Is Not Just the Section 215 One

I’ve been eagerly anticipating the moment Rick Perlstein uses his historical work on Nixon to analyze Trump. Today, he doesn’t disappoint, calling Trump more paranoid than Nixon, warning of what Trump will do with the powerful surveillance machine laying ready for his use.

Revenge is a narcotic, and Trump of all people will be in need of a regular, ongoing fix. Ordering his people to abuse the surveillance state to harass and destroy his enemies will offer the quickest and most satisfying kick he can get. The tragedy, as James Madison could have told us, is that the good stuff is now lying around everywhere, just waiting for the next aspiring dictator to cop.

But along the way, Perlstein presents a bizarre picture of what happened to the Section 215 phone dragnet under Barack Obama.

That’s not to say that Obama hasn’t abused his powers: Just ask the journalists at the Associated Press whose phone records were subpoenaed by the Justice Department. But had he wanted to go further in spying on his enemies, there are few checks in place to stop him. In the very first ruling on the National Security Administration’s sweeping collection of “bulk metadata,” federal judge Richard Leon blasted the surveillance as downright Orwellian. “I cannot imagine a more ‘indiscriminate’ and ‘arbitrary’ invasion than this collection and retention of personal data,” he ruled. “Surely, such a program infringes on ‘that degree of privacy’ that the founders enshrined in the Fourth Amendment.”

But the judge’s outrage did nothing to stop the surveillance: In 2015, an appeals court remanded the case back to district court, and the NSA’s massive surveillance apparatus—soon to be under the command of President Trump—remains fully operational. The potential of the system, as former NSA official William Binney has described it, is nothing short of “turnkey totalitarianism.”

There are several things wrong with this.

First, neither Richard Leon nor any other judge has reviewed the NSA’s “sweeping collection of ‘bulk metadata.'” What Leon reviewed — in Larry Klayman’s lawsuit challenging the collection of phone metadata authorized by Section 215 revealed by Edward Snowden — was just a small fraction of NSA’s dragnet. In 2013, the collection of phone metadata authorized by Section 215 collected domestic and international phone records from domestic producers, but even there, Verizon had found a way to exclude collection of its cell records.

But NSA collected phone records — indeed, many of the very same phone records, as they collected a great deal of international records — overseas as well. In addition, NSA collected a great deal of Internet metadata records, as well as financial and anything else records. Basically, anything the NSA can collect “overseas” (which is interpreted liberally) it does, and because of the way modern communications works, those records include a significant portion of the metadata of Americans’ everyday communications.

It is important for people to understand that the focus on Section 215 was an artificial creation, a limited hangout, an absolutely brilliant strategy (well done, Bob Litt, who has now moved off to retirement) to get activists to focus on one small part of the dragnet that had limitations anyway and NSA had already considered amending. It succeeded in pre-empting a discussion of just what the full dragnet entailed.

Assessments of whether Edward Snowden is a traitor or a saint always miss this, when they say they’d be happy if Snowden had just exposed the Section 215 program. Snowden didn’t want the focus to be on just that little corner of the dragnet. He wanted to expose the full dragnet, but Litt and others succeeded in pretending the Section 215 dragnet was the dragnet, and also pretending that Snowden’s other disclosures weren’t just as intrusive on Americans.

Anyway, another place where Perlstein is wrong is in suggesting there was just one Appeals Court decision. The far more important one is the authorized by Gerard Lynch in the Second Circuit, which ruled that Section 215 was not lawfully authorized. It was a far more modest decision, as it did not reach constitutional questions. But Lynch better understood that the principle involved more than phone records; what really scared him was the mixing of financial records with phone records, which is actually what the dragnet really is.

That ruling, on top of better understanding the import of dragnets, is important because it is one of the things that led to the passage of USA Freedom Act, a law that, contrary to Perlstein’s claim, did change the phone dragnet, both for good and ill.

The USA Freedom Act, by imposing limitations on how broadly dragnet orders (for communications but not for financial and other dragnets) can be targeted, adds a check at the beginning of the process. It means only people 2 degrees away from a terrorism suspect will be collected under this program (even while the NSA continues to collect in bulk under EO 12333). So the government will have in its possession far fewer phone records collected under Section 215 (but it will still suck in massive amounts of phone records via EO 12333, including massive amounts of Americans’ records).

All that said, Section 215 now draws from a larger collection of records. It now includes the Verizon cell records not included under the old Section 215 dragnet, as well as some universe of metadata records deemed to be fair game under a loose definition of “phone company.” At a minimum, it probably includes iMessage, WhatsApp, and Skype metadata, but I would bet the government is trying to get Signal and other messaging metadata (note, Signal metadata cannot be collected retroactively; it’s unclear whether it can be collected with standing daily prospective orders). This means the Section 215 collection will be more effective in finding all the people who are 2 degrees from a target (because it will include any communications that exist solely in Verizon cell or iMessage networks, as well as whatever other metadata they’re collecting). But it also means far more innocent people will be impacted.

To understand why that’s important, it’s important to understand what purpose all this metadata collection serves.

It was never the case that the collection of metadata, however intrusive, was the end goal of the process. Sure, identifying someone’s communications shows when you’ve been to an abortion clinic or when you’re conducting an affair.

But the dragnet (the one that includes limited Section 215 collection and EO 12333 collection limited only by technology, not law) actually serves two other primary purposes.

The first is to enable the creation of dossiers with the click of a few keys. Because the NSA is sitting on so much metadata — not just phone records, but Internet, financial, travel, location, and other data — it can put together a snapshot of your life as soon as they begin to correlate all the identifiers that make up your identity. One advantage of the new kind of collection under USAF, I suspect, is it will draw from the more certain correlations you give to your communications providers, rather than relying more heavily on algorithmic analysis of bulk data. Facebook knows with certainty what email address and phone number tie to your Facebook account, whereas the NSA’s algorithms only guess that with (this is an educated guess) ~95+% accuracy.

This creation of dossiers is the same kind of analysis Facebook does, but instead of selling you plane tickets the goal is government scrutiny of your life.

The Section 215 orders long included explicit permission to subject identifiers found via 2-degree collection to all the analytical tools of the NSA. That means, for any person — complicit or innocent — identified via Section 215, the NSA can start to glue together the pieces of dossier it already has in its possession. While not an exact analogue, you might think of collection under Section 215 as a nomination to be on the equivalent of J Edgar Hoover’s old subversives list. Only, poor J Edgar mostly kept his list on index cards. Now, the list of those the government wants to have a network analysis and dossier on is kept in massive server farms and compiled using supercomputers.

Note, the Section 215 collection is still limited to terrorism suspects — that was an important win in the USA Freedom fight — but the EO 12333 collection, with whatever limits on nominating US persons, is not. Plus, it will be trivial for Trump to expand the definition of terrorist; the groundwork is already being laid to do so with Black Lives Matter.

The other purpose of the dragnet is to identify which content the NSA will invest the time and energy into reading. Most content collected is not read in real time. But Americans’ communications with a terrorism suspect will probably be, because of the concern that those Americans might be plotting a domestic plot. The same is almost certainly true of, say, Chinese-Americans conversing with scientists in China, because of a concern they might be trading US secrets. Likewise it is almost certainly true of Iranian-Americans talking with government officials, because of a concern they might be dealing in nuclear dual use items. The choice to prioritize Americans makes sense from a national security perspective, but it also means certain kinds of people — Muslim immigrants, Chinese-Americans, Iranian-Americans — will be far more likely to have their communications read without a warrant than whitebread America, even if those whitebread Americans have ties to (say) NeoNazi groups.

Of course, none of this undermines Perlstein’s ultimate categorization, as voiced by Bill Binney, who created this system only to see the privacy protections he believed necessary get wiped away: the dragnet — both that authorized by USAF and that governed by EO 12333 — creates the structure for turnkey totalitarianism, especially as more and more data becomes available to NSA under EO 12333 collection rules.

But it is important to understand Obama’s history with this dragnet. Because while Obama did tweak the dragnet, two facts about it remain. First, while there are more protections built in on the domestic collection authorized by Section 215, that came with an expansion of the universe of people that will be affected by it, which must have the effect of “nominating” more people to be on this late day “Subversives” list.

Obama also, in PPD-28, “limited” bulk collection to a series of purposes. That sounds nice, but the purposes are so broad, they would permit bulk collection in any area of the world, and once you’ve collected in bulk, it is trivial to then call up that data under a more broad foreign intelligence purpose. In any case, Trump will almost certainly disavow PPD-28.

Which makes Perlstein’s larger point all the more sobering. J Edgar and Richard Nixon were out of control. But the dragnet Trump will inherit is far more powerful.

Marcy has been blogging full time since 2007. She’s known for her live-blogging of the Scooter Libby trial, her discovery of the number of times Khalid Sheikh Mohammed was waterboarded, and generally for her weedy analysis of document dumps.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including the Guardian, Salon, and the Progressive, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse and dog in Grand Rapids, MI.

As of August 29, 2016, Not All High Risk Users at NSA Had Two-Factor Authentication

For the last several weeks, all of DC has been wailing that Russia hacked the election, in part because John Podesta didn’t have two-factor authentication on his Gmail account.

So it should scare all of you shitless that, as of August 29, 2016, not all high risk users at NSA had 2FA.

That revelation comes 35 pages  into the 38 page HPSCI report on Edward Snowden. It describes how an IG Report finished on August 29 found that NSA still had not closed the Privileged Access-Related holes in the NSA’s network.

That’s not the only gaping hole: apparently even server racks in data centers were not secure.

And note that date: August 29? Congress would have heard about these glaring problems just two weeks after the first Shadow Brokers leak, and days after Hal Martin got arrested with terabytes of NSA data in his backyard shed.

I think I can understand why James Clapper and Ash Carter want to fire Mike Rogers.

Marcy has been blogging full time since 2007. She’s known for her live-blogging of the Scooter Libby trial, her discovery of the number of times Khalid Sheikh Mohammed was waterboarded, and generally for her weedy analysis of document dumps.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including the Guardian, Salon, and the Progressive, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse and dog in Grand Rapids, MI.

Working Thread: HPSCI’s Full Unbelievably Shitty Snowden Report

In September, I did a post asking why the House Intelligence Committee report on Edward Snowden was so unbelievably shitty. My post was just based off a summary released by the Committee. HPSCI has now released the full report.

This will be a working thread.

Summary: The summary, with all its obvious errors, remains unchanged. So see my earlier post for the problems with that.

PDF 6: The report starts with a claim that Snowden’s leaks were the “most massive and damaging in history.” But the claim was made in 2014. Since then we’ve had two more damaging leaks, the OPM leak and the Shadow Brokers leak.

PDF 6: In my earlier post, I wrote about how the deference given to the ongoing criminal investigation into Snowden seemed very similar to — but was far less defensible than — the approach Stephen Preston used when he was General Counsel at CIA. He was General Counsel at DOD when this report started, suggesting he adopted the same approach. Worse, we now know from emails released this year that the exec had actually moved on by May 2014, meaning the claim was not sustainable when made in August 2014.

PDF 7: On the education paragraph, see this post.

PDF 7: Rather than asking the military why Snowden was discharged, the committee asked NSA’s security official. As Bart Gellman notes, his official Army record backs Snowden, not the security official.  Then they say (in the footnote) that they “found node evidence that Snowden was involved in a training accident.”

PDF 9: This page cites from a CIA IG report on Snowden’s complaints about the treatment of TISOs overseas. It actually shows him trying to complain through channels.

PDF 10: Note that HPSCI claimed a paragraph based on information classified confidential was classified secret.

PDF 11: I’m curious why they redacted footnote 43.

PDF 11: Report notes a new derogatory report was submitted after Snowden left Geneva but also after his next employer hired him. It doesn’t seem too serious. Report notes that the alert function for Scattered Castles got updated after that.

PDF 12: The reports that he went to Thailand and China are second-hand, based off what an NSA lawyer said his former co-workers said. Both support an awareness that Snowden was making his privacy concerns known, including this quote (which is likely out of context and may refer to an individual program):

… Snowden expressing his view that the U.S. government had overreached on surveillance and that it was illegitimate for the government to obtain data on individuals’ personal computers.

PDF 13: Why would HPSCI (or NSA, for that matter) depend on the comments of co-workers to learn what Snowden did during a leave of absence? Also note, this is classified Secret, which means it must have some security function.

PDF 13: Note they had an interview with a lawyer and a security official on the same day.

PDF 13: His co-workers claimed Snowden frequently showed up late. That would mean he’d be home for the entirely of the East Coast day.

PDF 13: Snowden expressed concern that SOPA/PIPA would lead to online censorship, but his co-worker was dismissive bc he hadn’t read the bill.

PDF 14: The claim that Snowden went to a hackers conference in China is sourced to a co-worker who didn’t like Snowden much.

PDF 14: Note in the patch discussion, they hide the kind of person that the interviewee for this information is.

PDF 14: Snowden did something after being called out for bringing in a manager.

PDF 15: The report claims that Snowden started downloading docs in July 2012. Snowden has said that was part of transferring docs. But it also coincides with the period when he was trouble shooting a 702 template, so they may think this is how he got the FISA data.

PDF 15: Snowden had access to wget on NSA’s networks for the same reason Chelsea Manning did, IIRC: because the networks were unreliable. Snowden said he did this to move files from MD to HI. There’s a redacted paragraph that it sourced to a “HPSCI recollection summary paper,” which seems odd and unreliable.

PDF 15: The methods Snowden used paper is classified REL to USA, FVEY, presumably because Snowden was grabbing GCHQ documents.

PDF 16: Here’s the funny quote about Snowden violating privacy. Note the first redacted sentence here is not sourced to an NSA document, but instead to a NSA Legislative Affairs document.

PDF 18: The end of this betrays NSA’s efforts to make light of glaring security holes: the CD-ROM/USB port on Snowden’s computer, and the ability for him to download data w/o a buddy (they currently require a buddy).

PDF 19: THe complaints about Snowden’s “resumé inflation” are a valid point. But what does it say that no one at NSA checks these things.

PDF 20: After Snowden moved to Booz, he went back to his old computer to be able to download the files he had new access to. I had been wondering about that.

PDF 20: All the details about Snowden’s flight are taken from public reports, not FBI or CIA reports or even NSA’s timeline, which must cover it. Did NSA’s timeilne, which is dated . That is bizarre.

PDF 21: Note the classification mark for 132, which seems to conclude that Snowden’s motivation was to inform the public.

PDF 21: The report says Snowden left some encrypted hard drives behind, sourced to a 2/4/14 briefing not cited elsewhere. Working from memory I think this is the Flynn one.

PDF 21: The description of what others had said about Snowden’s interest in privacy conflicts with what NSA said internally. 

PDF 22: I will return to the description of the 702 training.

PDF 22: Note they source the training issue to someone unnamed. This appears to be the same person who described the patch issue (PDF 14), with an interview on October 28. That means it couldn’t have been the training person, and surely didn’t have first-hand knowledge.

PDF 23: The report cites the emails (without describing who they were addressed to) and the I Con the Record report on the email. Which means I’ve reviewed this issue more closely than HPSCI.

PDF 23: The section on whether Snowden was a whistleblower doesn’t cite his CIA IG contact.

PDF 25: Some of the foreign influence section obviously says there was none (see the Keith Alexander comment). Plus, this doesn’t cite other public comments saying there is no evidence of any foreign tie.

PDF 26: FN 166 is the bad briefing. Note that 1/5 of the documents Snowden took were blank.

PDF 29: This section describes the damage assessment. I find it very significant the NCSC has stopped reviewing T3 and T2 documents, which must suggest, in part, that they trust the security of the documents and/or have confirmed via some means that there aren’t more out there.

PDF 34: Yet another complaint about not fixing the removable media problem.

PDF 34: A description of the Secure the Net initiative, with four measures outstanding, and taking over a year to get to buddy system with SysAdmins.

PDF 35-36: There’s a list of things HPSCI ordered the IC to do after Snowden.

Marcy has been blogging full time since 2007. She’s known for her live-blogging of the Scooter Libby trial, her discovery of the number of times Khalid Sheikh Mohammed was waterboarded, and generally for her weedy analysis of document dumps.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including the Guardian, Salon, and the Progressive, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse and dog in Grand Rapids, MI.

How HPSCI’s Staffers Used Miscitations to Turn Edward Snowden into a Lying Flunkie

I want to take a close look at this paragraph (from PDF 7) of the House Intelligence report on Snowden, to show how they’re (mis)using information.

In its first claim, HPSCI says Snowden was “by his own account,” a “poor student.” It cites this Greenwald and Poitras intro to Snowden, which says something different: “By his own admission, he was not a stellar student.”

The next claim says he dropped out of high school in his sophmore year and then took community college classes, which relies on this report, which in turn cites the public schools as well as the Guardian story.

1991-1998: Snowden attends schools in the Anne Arundel County Public School System in Maryland from the elementary level to high school, where he dropped out his sophomore year. He’ll later say he earned his GED. (Source: Anne Arundel County Public Schools, The Guardian)

1999-2005: Snowden takes a variety of classes from Anne Arundel Community College in Arnold, Maryland. He does not take any cyber security or computer science classes, however, and he never earns a certificate or degree. (Source: Anne Arundel Community College)

Note, the committee has said it didn’t do an investigation because of the ongoing criminal investigation into Snowden. But there is no reason they couldn’t have called Anne Arundel County Public Schools rather than relying on an ABC piece; it wouldn’t have required a long distance call!

The third claim is that Snowden hoped the (community college) classes would permit him to earn a GED, “but nothing the Committee found indicates he did so.” That’s not sourced. Again, it doesn’t say whether or not they called Maryland.

This is what Bart Gellman said in September about Snowden’s claim to have gotten a GED.

I do not know how the committee could get this one wrong in good faith. According to the official Maryland State Department of Education test report, which I have reviewed, Snowden sat for the high school equivalency test on May 4, 2004. He needed a score of 2250 to pass. He scored 3550. His Diploma No. 269403 was dated June 2, 2004, the same month he would have graduated had he returned to Arundel High School after losing his sophomore year to mononucleosis. In the interim, he took courses at Anne Arundel Community College.

The fourth claim is that Snowden told TAO he did have a GED, claiming to have received it on 6/21/2001 from “Maryland High School.”

Finally, the report says that Snowden stated that he did not have a degree of any type, citing this NYT profile rather than citing the forum itself or even the Ars Technica article that first reported it. It is absolutely true that Snowden said he didn’t have a high school diploma, but in context, Snowden was responding to someone focused primarily on a college degree.

Visigothan: No college degree.

Over 10 years work experience in my field

No communicable or other diseases

Not a religious wackjob

I think I’m good on everything except the college degree.

TheTrueHOOHA: First off, the degree thing is crap, at least domestically. If you really have ten years of solid, provable IT experience (and given that you say you’re 25, I think it’d probably be best to underestimate), you CAN get a very well paying IT job. You just need to be either actively looking now or get the fuck out of California. I have no degree, nor even a high school diploma, but I’m making much more than what they’re paying you even though I’m only claiming six years of experience. It’s tough to “break in,” but once you land a “real” position, you’re made.

Now, unless the forum has changed over the years (in which case the date could be wrong), the NYT miscited Snowden, claiming he said “I don’t have a degree of ANY type. I don’t even have a high school diploma,” when in fact the forum itself says he said, “I have no degree, nor even a high school diploma.” Moreover, in context, Snowden is distinguishing between a “degree” and a “diploma,” which may suggest he’s thinking of the actual class work versus the (GED) degree.

That claim is modified by this footnote, citing an unnamed “associate” — is this Pulitzer Prize winning Bart Gellman they’re talking about? — describing that Snowden did get a GED in 2004. [Update: Indeed it is! HPSCI hid how credible the source for this was and what he based if off of!!]

But having acknowledged that there are official records they could consult but have not, they instead just present the admittedly conflicting claims made in secondary sources (assuming they got the dates correct, but there are dates that are absolutely incorrect elsewhere in this report). There’s no actual attempt to contact local schools to get to the bottom of it all.

And yet, they then use these conflicting claims (based on inaccurate citations) to claim, in the summary, that Snowden is a “serial exaggerator.”

To make that claim with respect to his high school education, you would actually have had to do the work to ascertain the truth. The report made no effort to do so.

Marcy has been blogging full time since 2007. She’s known for her live-blogging of the Scooter Libby trial, her discovery of the number of times Khalid Sheikh Mohammed was waterboarded, and generally for her weedy analysis of document dumps.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including the Guardian, Salon, and the Progressive, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse and dog in Grand Rapids, MI.

Matt Olsen Admits He Didn’t Bargain on a President Trump

Something predictable, but infuriating, happened at least week’s Cato conference on surveillance.

A bunch of spook lawyers did a panel, at which they considered the state of surveillance under Trump. Former White House Director of Privacy and Civil Liberties Tim Edgar asked whether adhering to basic norms, which he suggested would otherwise be an adequate on surveillance, works in a Trump Administration.

In response, former NSA General Counsel Matt Olsen provided an innocuous description of the things he had done to expand the dragnet.

I fought hard … in the last 10 [years] when I worked in national security, for increasing information sharing, breaking down barriers for sharing information, foreign-domestic, within domestic agencies, and for the modernization of FISA, so we could have a better approach to surveillance.

Then, Olsen admitted that he (who for three years after he left NSA headed up the National Counterterrorism Center managing a ton of analysts paid to imagine the unimaginable) did not imagine someone like Trump might come along.

As I fought for these changes, I did not bargain on a President Trump. That was beyond my ability to imagine as a leader of the country in thinking about how these policies would actually be implemented by the Chief Executive.

It was beyond his ability [breathe, Marcy, breathe] to imagine someone who might abuse power to come along!!!

What makes Olsen’s comment even more infuriating that I called out Olsen’s problematic efforts to “modernize” FISA and sustain the phone dragnet even in spite of abuse in September, in arguing that Hillary could not, in fact, be supporting a balanced approach on intelligence if she planned on hiring him, as seemed likely.

Olsen was the DOJ lawyer who oversaw the Yahoo challenge to PRISM in 2007 and 2008. He did two things of note. First, he withheld information from the FISC until forced to turn it over, not even offering up details about how the government had completely restructured PRISM during the course of Yahoo’s challenge, and underplaying details of how US person metadata is used to select foreign targets. He’s also the guy who threatened Yahoo with $250,000 a day fines for appealing the FISC decision.

Olsen was a key player in filings on the NSA violations in early 2009, presiding over what I believe to be grossly misleading claims about the intent and knowledge NSA had about the phone and Internet dragnets. Basically, working closely with Keith Alexander, he hid the fact that NSA had basically willfully treated FISA-collected data under the more lenient protection regime of EO 12333.

These comments were used, in this post by former NSA Compliance chief John DeLong and former NSA lawyer Susan Hennessey (the latter of whom was on this panel) to unbelievably dishonestly suggest that surveillance skeptics, embodied by me and EFF’s Nate Cardozo (who has been litigating some of these issues for years), took our understanding of NSA excesses from one footnote in a FISA Court opinion, rather than from years of reading underlying documents.

Readers are likely aware of the incident, which has become a persistent reference point for NSA’s most ardent critics. One such critic recently pointed to a FISC memorandum referencing the episode as evidence that “NSA lawyers routinely lie, even to the secret rubber stamp FISA court”; another cited it in claiming DOJ’s attorneys made “misleading claims about the intent and knowledge NSA had about the phone and Internet dragnets” and that “NSA had basically willfully treated FISA-collected data under the more lenient protection regime of EO 12333.”

These allegations are false. And by insisting that government officials routinely mislead and lie, these critics are missing one of the most important stories in the history of modern intelligence oversight.

Never mind that I actually hadn’t cited the footnote. Never mind that then FISA Judge Reggie Walton was the first to espouse my “false” view, even before seven more months of evidence came out providing further support for it.

The underlying point is that these two NSA people were so angry that I called out Matt Olsen for documented actions he had taken that they used it as a foil to make some pretty problematic claims about the oversight over NSA spying. But before they did so, they assured us of the integrity of the people involved (that is, Olsen and others).

It’s tempting to respond to these accusations by defending the integrity of the individuals involved. After all, we know from firsthand experience that our former colleagues—both within the NSA and across the Department of Justice, the Office of the Director of National Intelligence, and the Department of Defense—serve the public with a high degree of integrity. But we think it is important to move beyond the focus on who is good and who is bad, and instead explore the history behind that footnote and the many lessons learned and incorporated into practice. After all, we are ultimately a “government of laws,” not of people.

 

 

We are a government of laws, not people, they said in October, before laying out oversight that (they don’t tell you, but I will once I finally get back to responding to this post) has already proven to be inadequate. I mean, I agree with their intent — that we need(ed) to build a bureaucracy that could withstand the craziest of Executives. But contrary to what they claim in their piece and the presumably best intent of DeLong, they didn’t do that.

They now seem to realize that.

In the wake of the Trump victory, a number of these people are now admitting that maybe their reassurances about the bureaucracy they contributed to — which were in reality based on faith in the good intentions and honesty and competence of their colleagues — were overstated. Maybe these tools are too dangerous for an unhinged man to wield.

And, it turns out, one of the people largely responsible for expanding the dragnet that its former defenders now worry might be dangerous for Donald Trump to control never even imagined that someone like Trump might come along.

Marcy has been blogging full time since 2007. She’s known for her live-blogging of the Scooter Libby trial, her discovery of the number of times Khalid Sheikh Mohammed was waterboarded, and generally for her weedy analysis of document dumps.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including the Guardian, Salon, and the Progressive, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse and dog in Grand Rapids, MI.

9th Circuit Rules that Mohamed Osman Mohamud Might Have Killed Like a Bunch of White Mass Killers Had the FBI Not Intervened

The last paragraph of a 9th Circuit Judge John Owens opinion rejecting Mohamed Osman Mohamud’s appeal reads,

Many young people think and say alarming things that they later disavow, and we will never know if Mohamud—a young man with promise—would have carried out a mass attack absent the FBI’s involvement. But some “promising” young people—Charles Whitman, Timothy McVeigh, and James Holmes, to name a few from a tragically long list—take the next step, leading to horrific consequences. While technology makes it easier to capture the thoughts of these individuals, it also makes it easier for them to commit terrible crimes. Here, the evidence supported the jury’s verdict, and the government’s surveillance, investigation, and prosecution of Mohamud were consistent with constitutional and statutory requirements.

Mohamud had appealed on several grounds. Generally, he argued that he had been entrapped, that Section 702 was unconstitutional, and that that evidence should be thrown out because he was not informed in timely fashion.

The court was (as they had been in the hearing) most sympathetic to Mohamud’s entrapment case, but found that even though he was first approached before he turned 18 (Mohamud was 19 when he pressed a button believing it would set off a bomb at Portland’s Pioneer Square), the entrapment was less than what happened with James Cromitie, a case the 2nd Circuit upheld.

Nevertheless, the court found that a jury might reasonably find that Mohamud was predisposed to commit a bombing, even before government incitement.

In sum, viewing the evidence in the light most favorable to the government, we cannot say that “no reasonable jury could have concluded that [Mohamud was] predisposed to commit the charged offense[].” Davis, 36 F.3d at 1430. We therefore conclude that the district court properly rejected his defense of entrapment as a matter of law.

The court was less sympathetic to Mohamud’s FISA challenge.

But their argument on this front is pretty weird. The court dodges any ruling on a foreign intelligence exception that the government claimed.

Because the incidental collection excepts this search from the Fourth Amendment’s warrant requirement, we need not address any “foreign intelligence exception.”

Instead, it invokes the Third Party doctrine, suggesting that because Mohamud wrote to someone — anyone! —  to suggest he had a diminished expectation of privacy in his side of emails.

It is true that prior case law contemplates a diminished expectation of privacy due to the risk that the recipient will reveal the communication, not that the government will be monitoring the communication unbeknownst to the third party. See, e.g., United States v. Miller, 425 U.S. 435, 443 (1976); United States v. White, 401 U.S. 745, 752 (1971); Hoffa v. United States, 385 U.S. 293, 302 (1966). While these cases do not address the question of government interception, the communications at issue here had been sent to a third party, which reduces Mohamud’s privacy interest at least somewhat, if perhaps not as much as if the foreign national had turned them over to the government voluntarily. See also Hasbajrami, 2016 WL 1029500 at *11 & n.18 (observing same distinction).

The court then admits that the sheer volume of incidental collection under Section 702 might be a problem, but suggests that minimization procedures thereby acquire more importance (while bracketing the problem of post-collection querying — also known as back door searches — the FBI conducts all the time).

Mohamud and Amici also contend that the “sheer amount of ‘incidental’ collection” separates § 702 from prior cases where courts have found such collection permissible. We agree with the district court’s observation that the most troubling aspect of this “incidental” collection is not whether such collection was anticipated, but rather its volume, which is vast, not de minimis. See PCLOB Report at 114 (“The term ‘incidental’ is appropriate because such collection is not accidental or inadvertent, but rather is an anticipated collateral result of monitoring an overseas target. But the term should not be understood to suggest that such collection is infrequent or that it is an inconsequential part of the Section 702 program.”). This quantity distinguishes § 702 collection from Title III and traditional FISA interceptions. However, the mere fact that more communications are being collected incidentally does not make it unconstitutional to apply the same approach to § 702 collection, though it does increase the importance of minimization procedures once the communications are collected.24

24 To the extent that Amici argue that the incidental overhear doctrine permits the unconstitutional and widespread retention and querying of the incidentally collected information, that issue is not before us.

Which brings us to this passage assessing the value of those minimization procedures with increased import.

While Executive Branch certification contributes some degree of further protection, it does not weigh heavily. Typically in the Fourth Amendment context, review from a neutral magistrate is considered the appropriate check on the Executive, which otherwise may be motivated by its interest in carrying out its duties. See, e.g., Leon, 468 U.S. at 913–14 (explaining that in obtaining a search warrant, a neutral magistrate is “a more reliable safeguard against improper searches than the hurried judgment of a law enforcement officer ‘engaged in the often competitive enterprise of ferreting out crime’” (citation omitted)). Under these circumstances, where the only judicial review comes in the form of the FISC reviewing the adequacy of procedures, this type of internal oversight does not provide a robust safeguard. The government notes that in In re Sealed Case, 310 F.3d 717, 739 (FISA Ct. Rev. 2002), the FISA Review Court observed that Congress recognized that certification by the AG in the traditional FISA context would “‘assure [ ] written accountability within the Executive Branch’ and provide ‘an internal check on Executive Branch arbitrariness.’” (citation omitted). However, as described above, § 702 differs in important ways from traditional FISA, and a mechanism that might provide additional protections above and beyond those already employed in a traditional FISA context provides far less assurance and accountability in the § 702 context, which lacks those baseline protections. See also Clapper, 133 S. Ct. at 1144–45.

Accordingly, although we do not place great weight on the oversight procedures, under the totality of the circumstnces, we conclude that the applied targeting and minimization procedures adequately protected Mohamud’s diminished privacy interest, in light of the government’s compelling interest in national security,

In other words, in the section assessing incidental collection, the court points to the import of minimization procedures. But when it comes to minimization procedures, it does “not place great weight” on them, because of the government’s compelling interest in national security. It is ultimately an argument about necessity based on national security.

Ultimately, then, the court argues that it was okay for the government to read Mohamud’s emails without a warrant, in spite of its admission of weaknesses in the government’s argument about a diminished expectation of privacy and minimization procedures. It does so by invoking three older (though still young) white mass killers, all of whom worked domestically.

While the court definitely relies on targeting rules limiting 702 to someone overseas, with its seeming admission that both its Third Party and its minimization procedure arguments are inadequate (as well as its decision that none of this has to do with a foreign intelligence exception), it gets frightfully close to making an argument that doesn’t distinguish foreign communications from domestic.

Perhaps Owens invokes those three white men to emphasize, unconvincingly, that that doesn’t mean Mohamud was targeted in a way a white non-Muslim wouldn’t be, but given the legal argument that’s left, the opinion is all the more troubling.

Update: Orin Kerr — who knows a lot more about law than I do — doesn’t like this opinion either. Among other common impressions, he’s not happy that Owens borrowed from a not really well written District opinion.

Marcy has been blogging full time since 2007. She’s known for her live-blogging of the Scooter Libby trial, her discovery of the number of times Khalid Sheikh Mohammed was waterboarded, and generally for her weedy analysis of document dumps.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including the Guardian, Salon, and the Progressive, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse and dog in Grand Rapids, MI.

Two Lessons of the Robin Raphel Case

If you haven’t already, you should read this long story on how longtime US diplomat Robin Raphel came to have her life turned upside down based on a frivolous espionage investigation. The piece has earned a lot of praise both for the reporting that went into it and the writing.

I want to point to a few lessons from the piece.

The “Tip”

As the piece explains, Raphel served for decades in Pakistan and South Asia generally, developing a lot of close ties there (she also did a stint in Iraq at the beginning of the war).

Over the years, she was one of the few remaining people who would get out of US compounds to go meet with Pakistanis directly. Precisely because she was engaging directly (or collecting human intelligence, in the view of the spooks), she would be captured in a great deal of intercepts targeting her interlocutors, meaning anything that appeared amiss would elicit attention from the NSA analysts reviewing the intercepts.

The NSA regularly swept up Pakistani communications “to, from or about” senior U.S. officials working in the country. Some American officials would appear in Pakistani intercepts as often as once a week. What Raphel didn’t realize was that her desire to engage with foreign officials, the very skill set her supervisors encouraged, had put a target on her back.

By the time Raphel returned to Pakistan under the Obama Administration, the NSA included Pakistan’s ruling party by name in the Section 702 foreign government certificate, which provides some indication of how much NSA was vacuuming up.

As far back as the 1990s, intelligence agencies deemed Raphel to be too sympathetic to Pakistani views, a view which continued when she returned to Pakistan under Obama.

In 2013, FBI received a “tip” purportedly implicating Raphel based off intercepts targeted at Pakistanis.

In February 2013, according to law-enforcement officials, the FBI received information that made its agents think Raphel might be a Pakistani mole.

The tip came in the form of intercepted communications that suggested Raphel had shared sensitive inside information without authorization. Two officials said this included information collected on wiretaps of Pakistani officials in the U.S.

The description of this tip suggests Raphel was talking with Pakistanis located in the US. Even there, there is room for ambiguity; it could also suggest (but probably doesn’t) that the wiretaps, not the Pakistani officials, were in the US.

 

The article also suggests Raphel’s conversations with a Pakistani woman named Maleeha Lodhi were among the most interesting to spies. When Raphel was Assistant Secretary of South Asian Affairs in the mid-1990s, Lodhi was Ambassador to the US, but she had been a journalist before and returned to journalism after that post; she is now Pakistan’s representative to the UN.

[Lodhi] had returned to the news business, writing a regular column and appearing as a commentator on Pakistani television. American officials said they had no doubt that Lodhi was more than an ordinary journalist, however.

In her six years in Washington as Pakistan’s ambassador, Lodhi had earned a reputation as a reliable source for what Pakistani officials were thinking, and in particular, as a trusted conduit for relaying messages to Pakistan’s senior military leadership in Rawalpindi, U.S. officials said. She was, in State Department parlance, an “influencer.” One reason U.S. officials trusted her: The NSA had long been monitoring her communications.

In other words, the NSA was targeting a journalist’s communications. The story presents conflicting viewpoints about how much of Lodhi’s information got back to the Pakistani government, with US sources insinuating that because she shared a lot of information with the Pakistani government, she wasn’t really a journalist. To a great degree that’s just a rationalization.Not only does the same kind of information sharing between journalists and government officials happen here. But the US targeted Lodhi not because she was deemed a threat, but because she was a good source of information. I suspect WSJ’s sources shared those competing claims in an attempt to obscure, from both Congress and FISA Court observers, how broadly the NSA targets off foreign government 702 certificates, such that it can include journalists with close ties but no formal relationship with a foreign government.

Moreover, the two versions of the basis of the tip on Raphel — Pakistani officials in the US versus Lodhi — may also serve to obscure what authority she first got targeted under. That is, if she was targeted under Section 702 but the government didn’t tell her that, then WSJ’s sources would have reason to invent a traditional FISA source of her targeting.

WSJ’s sources are probably also engaging in misdirection with the details offered in this passage.

Investigators began what they call “circling the target,” which means examining the parts of Raphel’s life they could explore without subpoenas or warrants. Sitting in their cubicles on the fourth floor of the FBI’s Washington Field Office, a modern sandstone-colored building on the edge of Chinatown, the agents began to map her network of contacts and search for signs of disloyalty.

One of the first things they looked at was her “metadata”—the electronic traces of who she called or emailed, and also when and for how long. Her metadata showed she was in frequent contact with a host of Pakistan officials that didn’t seem to match what the FBI believed was her rank and role.

After all, the NSA would have already had every bit of metadata reflecting a conversation between Raphel and a targeted official, and the story makes it clear elsewhere a great many of Raphel’s interlocutors were targeted. Indeed, in court filings, the NSA has made it clear that it prioritizes intercepts that reflect a conversation with an American. So the NSA analysts who first alerted the FBI to Raphel’s conversations would have based that alert, in significant part, on precisely that kind of metadata analysis. Sure, the FBI would recollect that metadata, laundering the original source, but the government would have already have analyzed a great deal of it before tipping Raphel to FBI.

Spooks making claims about classified information

Across decades, because NSA and then FBI were collecting intercepts of Raphel’s conversations, she fell afoul of spooks who claimed information she learned on her own could only have come from intelligence agencies and therefore must be classified.

This actually happened twice, with the first time happening almost two decades before she was targeted personally. The first time came in the mid-1990s.

Not long after the amendment passed, Deputy Secretary of State Strobe Talbott sent an aide to Raphel’s office with a disturbing message.

According to officials, the aide told Raphel U.S. spy agencies had intercepted communications in which Pakistani officials suggested that Raphel had revealed sensitive information to them about what the U.S. knew about Pakistan’s nuclear work. U.S. intelligence officials said the information was classified and the disclosure wasn’t authorized.

Raphel denied disclosing too much. She consulted with top officials at the State Department’s internal intelligence branch, who recommended she ask Diplomatic Security—the security and law enforcement arm of the State Department—to investigate the matter.

Diplomatic Security agents interviewed Raphel about the alleged disclosures. They found no evidence of wrongdoing and took no disciplinary action against her.

The story suggests this 1990s incident arose, at least in part, out of animus on the part of spooks over her close ties and seeming empathy with the Pakistanis. The inquiry into her communications led her to keep records of her conversations, which she then took home with her when she first retired from State in 2004. When the FBI did a sneak and peek warrant on her home, they found these records and considered them mishandled classified information.

The CIA increasingly claimed readily available information belonged exclusively to them after Cameron Munter started objecting to drone strikes.

After Cameron Munter took over as the U.S. ambassador to Pakistan in 2010, the competing forces of intelligence and diplomacy began to collide. When Munter pushed the CIA to be more “judicious” in its drone strikes in the tribal areas, the CIA’s station chief responded by telling diplomats not to discuss the drone program even in private meetings with senior Pakistani officials. If asked, he told them, they should change the subject.

Senior diplomats in Islamabad knew this was impossible. The drone program came up all the time. There was no way to avoid the topic.

Raphel didn’t know the key details because her Top Secret clearance didn’t include access to the “compartment” that covered the covert program. When her Pakistani contacts complained about the strikes, Raphel told them what other diplomats would say—that the U.S. wouldn’t need to do so many if the Pakistani army did more to rein in militants in the tribal areas, according to people she spoke with.

Unsurprisingly, drone strikes were one of the topics that the FBI latched onto in her conversations with Lodhi, along with rumors of a coup and discussions of negotiations with the Taliban. Raphel was learning of such information independent of spy sources, yet because it replicated the information learned via spy sources, they claimed it was highly classified.

As the agents listened to the back-and-forth, they would check with U.S. intelligence officials to see if the topics which Raphel discussed with Lodhi— drones, coups and reconciliation talks with the Taliban—were classified. They were repeatedly told that yes, they were.

[snip]

During her visit, Raphel was in regular phone contact with Lodhi, who invited her to come to her home library to talk privately over tea. Officials briefed on the investigation said the information they exchanged during the trip about the prospects of a coup was similar to what U.S. spy agencies were picking up—the same kind of information that intelligence officials were putting in the President’s Daily Brief.

This is, of course, the same thing that happened with some, though not all, of Hillary’s emails (and unsurprisingly, some of Raphel’s communications were shared via aides with Hillary): the CIA claimed that they owned such information, and as such, any discussion outside of secure channels must be evidence of sharing classified information. In both cases, the information was readily available elsewhere.

Particularly when exacerbated by turf sensitivities and jealousy over Raphel’s access to top Pakistani officials, however, this can be a lethal combination. The CIA gets to criminalize officials for sharing information it deems its exclusive purview, even if those officials discovered the information independently.

The WSJ tells a story about the double edged sword of America’s dragnet: the degree to which it can implicate honest people because it captures so much, as well as the gaps in knowledge that result from overdependence on SIGINT.

Marcy has been blogging full time since 2007. She’s known for her live-blogging of the Scooter Libby trial, her discovery of the number of times Khalid Sheikh Mohammed was waterboarded, and generally for her weedy analysis of document dumps.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including the Guardian, Salon, and the Progressive, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse and dog in Grand Rapids, MI.

The Sessions Nomination and the “Emergency Exception”

Donald Trump will nominate Jefferson Beauregard Sessions III to be Attorney General.

Most of the uproar over the appointment has, justifiably, focused on the fact that Sessions is such a racist he was denied confirmation to be a District Court Judge in the 1980s. We will also learn, going forward, about how deeply embedded in Alabama’s unique kind of corruption Sessions is.

But something more recent is as alarming, albeit for different reasons.

In June, Sessions proposed an amendment to ECPA reform that would mandate providers turn over communications content if a government official declared that it was an emergency.

(1) IN GENERAL.—A provider of electronic communication service or remote computing service shall disclose to a governmental entity a wire or electronic communication (including the contents of the communication) and a record or other information pertaining to a subscriber or customer if a representative of the governmental entity reasonably certifies under penalty of perjury that an emergency involving the danger of death or serious physical injury requires disclosure without delay.

As Al Gidari explained in a post on this provision, providers already can, at their discretion, turn over such communications in case of an emergency.

For the last 15 years, providers have routinely assisted law enforcement in emergency cases by voluntarily disclosing stored content and transactional information as permitted by section 2702 (b)(8) and (c)(4) of Title 18. Providers recently began including data about emergency disclosures in their transparency reports and the data is illuminating. For example, for the period January to June 2015, Google reports that it received 236 requests affecting 351 user accounts and that it produced data in 69% of the cases. For July to December 2015, Microsoft reports that it received 146 requests affecting 226 users and that it produced content in 8% of the cases, transactional information in 54% of the cases and that it rejected about 20% of the requests. For the same period, Facebook reports that it received 855 requests affecting 1223 users and that it produced some data in response in 74% of the cases. Traditional residential and wireless phone companies receive orders of magnitude more emergency requests. AT&T, for example, reports receiving 56,359 requests affecting 62,829 users. Verizon reports getting approximately 50,000 requests from law enforcement each year.

This amendment would have eliminated that discretionary review, which — as Gidari went on to explain — often serves to weed out requests for which there isn’t really an emergency or in which authorities are just fishing to further an investigation.

Remember, in an emergency, there is no court oversight or legal process in advance of the disclosure. For over 15 years, Congress correctly has relied on providers to make a good faith determination that there is an emergency that requires disclosure before legal process can be obtained. Providers have procedures and trained personnel to winnow out the non-emergency cases and to deal with some law enforcement agencies for whom the term “emergency” is an elastic concept and its definition expansive.

Part of the problem, and the temptation, is that there is no nunc pro tunc court order or oversight for emergency requests or disclosures. Law enforcement does not have to show a court after the fact that the disclosure was warranted at the time; indeed, no one may ever know about the request or disclosure at all if it doesn’t result in a criminal proceeding where the evidence is introduced at trial. In wiretaps and pen register emergencies, the law requires providers to cut off continued disclosure if law enforcement hasn’t applied for an order within 48 hours.  But if disclosure were mandatory for stored content, all of a user’s content would be out the door and no court would ever be the wiser. At least today, under the voluntary disclosure rules, providers stand in the way of excessive or non-emergency disclosures.

A very common experience among providers when the factual basis of an emergency request is questioned is that the requesting agency simply withdraws the request, never to be heard from again. This suggests that to some, emergency requests are viewed as shortcuts or pretexts for expediting an investigation. In other cases when questioned, agents withdraw the emergency request and return with proper legal process in hand shortly thereafter, which suggests it was no emergency at all but rather an inconvenience to procure process. In still other cases, some agents refuse to reveal the circumstances giving rise to the putative emergency.

In other words, if this amendment had passed, it would have created a black hole of surveillance, in which authorities could obtain content simply by declaring an emergency (remember, from 2002 until 2006, there was a highly abusive FBI phone metadata program that worked by invoking an emergency).

I raise this not to minimize the biggest reason Sessions is unsuitable to be AG: his racism and his regressive ideas on immigration.

Rather, I raise it to point out that in addition to selectively pursuing people of color (and delegitmizing those who defend their due process), Sessions would undoubtedly seek tools that would make it easier to do so without any oversight.

All Trump’s named nominees thus far save Reince Preibus couch their racism in terms of claims of “emergency.” Those claims, tied to Sessions’ views on legal process, would make for an unchecked executive.

Marcy has been blogging full time since 2007. She’s known for her live-blogging of the Scooter Libby trial, her discovery of the number of times Khalid Sheikh Mohammed was waterboarded, and generally for her weedy analysis of document dumps.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including the Guardian, Salon, and the Progressive, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse and dog in Grand Rapids, MI.

One Thing Edward Snowden Is Not a Fucking Idiot About

Gizmodo’s Matt Novak is outraged that fucking idiot Edward Snowden told a conference some stupid things. I agree that this was a pretty stupid comment.

Snowden also addressed his tweet from October 21st in which he said that, “There may never be a safer election in which to vote for a third option.” Snowden told us that he more or less stands by his tweet and that anything else “freezes us into a dynamic of ‘you must always choose between two bad options’” which is a “fundamentally un-American idea.”

The thing that really outraged Novak, however, is that Snowden said technical means are more important than policy as a way to protect liberty.

What got me so riled up about Snowden’s talk? He firmly believes that technology is more important than policy as a way to protect our liberties. Snowden contends that he held this belief when Obama was in office and he still believes this today, as Donald Trump is just two months away from entering the White House. But it doesn’t make him right, no matter who’s in office.

“If you want to build a better future, you’re going to have to do it yourself. Politics will take us only so far. And if history is any guide, they are the least effective means of seeing change we want to see,” Snowden said on stage in Oakland from Russia, completely oblivious to how history might actually be used as a guide.

Snowden spoke about how important it is for individuals to act in the name of liberty. He continually downplayed the role of policy in enacting change and trotted out some libertarian garbage about laws being far less important than the encryption of electronic devices for the protection of freedoms around the world.

“Law is simply letters on a page,” Snowden said. It’s a phrase that’s still ringing in my ears, as a shockingly obtuse rejection of civilized society and how real change happens in the world.

How do we advance the cause of liberty around the world? Encrypt your devices, according to Snowden. Okay, now what? Well, Snowden’s tapped out of ideas if you get beyond “use Signal.”

Novak went on to recite big legislation — notably, the Civil Rights and Voting Rights Acts — that has been critical to advancing the cause of liberty with the boundaries of the US. I agree that they have.

That said, I’m all but certain I spend more time working on surveillance policy than Novak. I’m no shrug in the work to improve surveillance policy.

But there are several things about surveillance that are different. First (as Snowden pointed out), “Technology knows no jurisdiction.” One aspect of the government’s dragnet is that it spies on Americans with data collected overseas under EO 12333. And Congress has been very reluctant to — and frankly pretty ineffective at — legislating surveillance that takes place outside the relatively narrow (geographic and legal) boundaries of FISA. Without at least reinterpretation of Supreme Court precedent, it’s not clear how much Congress can legislate the spying currently conducted under EO 12333.

Either we need to come up with a way to leverage other jurisdictions so as to limit surveillance overseas (which will require technology in any case, because the NSA is better at spying than any other jurisdiction out there), or we need to find some way to make it harder for the government to spy on us by doing it overseas. The latter approach involves leveraging technology.

And all that assumes the Trump Administration won’t use the very same approach the Bush Administration did: to simply blow off the clear letter of the law and conduct the spying domestically anyway. At least now, it would be somewhat harder to do because Google has adopted end-to-end encryption and Signal exists (we’re still fighting policy battles over terms under which Google can be coerced into turning over our data, but Signal has limited the amount to which it can be coerced in the same way because of its technological choices).

The other important point is, especially going forward, it will be difficult to work on policy without using those technological tools. “Use Signal” may not be sufficient to protecting liberties. But it is increasingly necessary to it.

It may be that Novak is aware of all that. Nothing in his article, however, reflects any such awareness.

Edward Snowden may be a fucking idiot about some things. But anyone who imagines we can protect liberties by focusing exclusively on policy is definitely a fucking idiot.

Marcy has been blogging full time since 2007. She’s known for her live-blogging of the Scooter Libby trial, her discovery of the number of times Khalid Sheikh Mohammed was waterboarded, and generally for her weedy analysis of document dumps.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including the Guardian, Salon, and the Progressive, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse and dog in Grand Rapids, MI.

NSA Conducts FISA Section 704 Collection Using Transit Collection

Please consider donating to support this work. It’s going to be a long four years. 

The Intercept has a fascinating new story confirming what many people already intuited: AT&T’s spooky building at 33 Thomas Street is a key NSA collection point, and the NSA has equipment inside the building (it’s almost certainly not just NSA; this is probably also where AT&T collects much of their Hemisphere database and it likely includes AT&T’s special service center for FBI NSLs).

The Intercept released a bunch of documents with the story, including this one on FAIRVIEW.

It shows that FISA Section 704/705a are among the authorities used with FAIRVIEW, ostensibly collected under “Transit” authority, but with the collection done at TITANPOINT (which is the code name for 33 Thomas Street).

screen-shot-2016-11-16-at-3-05-47-pm

As I explain in this post, there are three authorities in the FISA Amendments Act that are supposed to cover US persons: 703 (spying with the help of domestic partners on Americans who are overseas), 704 (spying on Americans who are overseas, using methods for which they would have an expectation of privacy), and 705, which is a hybrid.

But Snowden documents — and this IG Report — make it clear only 704 and 705b are used.

Screen Shot 2016-05-13 at 3.38.08 AM

Unsurprisingly, the disclosure standards are higher for 703 — the authority they don’t use — than they are for 704. In other words, they’re using the authority to spy on Americans overseas that is weaker. Go figure.

But here’s the other problem. 704/705b are two different authorities and — as reflected in Intelligence Oversight Board reports — they are treated as such. Which means they are using 704 to spy on targets that are overseas, not just defaulting to 705b hybrid orders (which would require the person to be in the US some of the time).

But they are doing it within the US, using the fiction that the collection is only “transiting” the US (that is, transiting from one foreign country to another). This seems to indicate the NSA is conducting electronic surveillance on US persons located overseas — which seems clearly to fall under 703 — but doing it under 704 by claiming traffic transiting the US isn’t really collection in the US. Correction: Because the person is located overseas, it doesn’t count as electronic surveillance. In any case, this seems to be effectively a way around the intent of 703.

Marcy has been blogging full time since 2007. She’s known for her live-blogging of the Scooter Libby trial, her discovery of the number of times Khalid Sheikh Mohammed was waterboarded, and generally for her weedy analysis of document dumps.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including the Guardian, Salon, and the Progressive, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse and dog in Grand Rapids, MI.