emptywheel

Why Is HPSCI’s Snowden Report So Inexcusably Shitty?

There’s now a growing list of things in the HPSCI report on Snowden that are either factually wrong, misleading, or spin.

One part of the spin the report admits itself: the committee assessed damage based on the 1.5 million documents Snowden touched — an approach the now discredited General Michael Flynn presented in briefings to the committee — rather than the far more limited set the Intelligence Community included in its damage assessment.

Over the past three years, the IC and the Department of Defense (DOD) have carried out separate reviews with differing methodologies of the damage Snowden caused. Out of an abundance of caution, DOD reviewed all 1.5 million documents Snowden removed. The IC, by contrast, has carried out a damage assessment for only a small subset of the documents. The Committee is concerned that the IC does not plan to assess the damage of the vast majority of documents Snowden removed.

Clearly, the IC wants a real assessment of the damage Snowden caused. HPSCI, however, appears to be interested in the most damning, which makes sense given that members of Congress actively solicited information they could use to damage Snowden.

Here are other problems with the report.

From Bart Gellman’s rebuttal:

  • HPSCI claimed the “bilateral tibial stress fractures” that led to Snowden’s discharge were “shin splints.”
  • HPSCI claimed he never got a GED. According to official Maryland records, Snowden got his equivalent degree on June 2, 2004.
  • HPSCI claimed Snowden was a computer technician at CIA. At the end he served as a “solutions referent/cyber referent” working on cyber contracts.
  • HPSCI claimed Snowden’s effort to show a security hole in CIA’s human resources intranet was an effort to doctor his performance evaluations.

From me:

HPSCI claimed Snowden failed the Section 702 training. According to an email from the SIGINT Compliance Chief, Snowden did pass it (the Chief had not checked whether or not Snowden had really failed it). “He said he had failed it multiple times (I’d have to check with ADET on that). He did pass the course at some point.”

The claim Snowden didn’t pass the test stems from an email written a year after an exchange between him and a Compliance training person. The training person wrote the email in direct response to Snowden’s claims that he had “contacted N.S.A. oversight and compliance bodies.” While it may be true Snowden failed the test before he passed it, there are enough irregularities with the email claim and related story it should not be credited without backup. When we asked NSA for specific answers about that email in conjunction with this story, they flipped out and went nuclear and preemptively released all the emails rather than provide the very easy answers to validate the email story.

From Patrick Eddington:

HPSCI claimed Snowden could have reported complaints to the committee, but HPSCI killed an effort to extend whistleblower protections to intelligence contractors in 2012.

Eddington and Steven Aftergood both suggest the shitty HPSCI report is good reason to embrace a set of reforms to improve HPSCI oversight.

But depending on the reason for the utter shittiness of the report, I think it might just warrant shutting the entire committee down and devolving oversight to real committees, like Judiciary, Homeland Security, and Armed Services. Remember, every single member of the committee, Democrat or Republican, signed this report. Every single one. For some reason, even fairly smart people like Adam Schiff and Jackie Speier signed off on something with inexcusable errors.

So I wanted to point to this passage on methodology.

The Committee’s review was careful not to disturb any criminal investigation or future prosecution of Snowden, who has remained in Russia since he fled there on June 23, 2013. Accordingly, the Committee did not interview individuals whom the Department of Justice identified as possible witnesses at Snowden’s trial, including Snowden himself, nor did the Committee request any matters that may have occurred before a grand jury. Instead, the IC provided the Committee with access to other individuals who possessed substantively similar knowledge as the possible witnesses. Similarly, rather than interview Snowden’s NSA coworkers and supervisors directly, Committee staff interviewed IC personnel who had reviewed reports of interviews with Snowden’s co-workers and supervisors.

So for this inexcusably shitty report, HPSCI did not interview:

  • Direct witnesses (presumably including the Compliance training woman whose email on 702 training is dodgy and probably also Booz and Dell contractors who might risk losing contracts)
  • Snowden’s co-workers
  • Snowden’s supervisors

They did interview:

  • People who possessed “substantively similar knowledge” as the people DOJ thinks might be witnesses at trial
  • People who reviewed reports of interviews with Snowden’s co-workers and supervisors

HPSCI spent two years but didn’t interview any of the direct witnesses.

Now, as a threshold matter, the publicly released emails provide good reason to doubt the adequacy of this indirect reporting on Snowden’s colleagues. Here’s how the Chief of NSA’s CI Division backed the conclusion that Snowden never talked about concerns about NSA surveillance with his colleagues.

Our findings are that we have found no evidence in the interviews, email, or chats reviewed that support his claims. Some coworkers reported discussing the Constitution with Snowden, specifically his interpretation of the Constitution as black and white, and others reported discussing general privacy issues as it relates to the Internet. Not one mentioned that Snowden mentioned a specific NSA program that he had a problem with. Actually, many of the people interviewed affirmed that he never complained about any NSA program. We also did not have any reflection that he asked anyone how he should/could report perceived wrongdoing.

So colleagues — who would presumably be in great fear of association with Snowden, especially in interviews with NSA’s Counterintelligence people — nevertheless revealed that they discussed the Constitution (and Snowden’s black and white interpretation of it) and general privacy issues about the Internet. “Many” of the interviewees said he never complained about any NSA program, which raises questions about what those excluded from this “many” said.

But it appears that NSA’s CI investigators only considered mention of specific programs to be a complaint, not general discussions about privacy and the Constitution.

We should assume the interview reports back to HPSCI members and staffers were similarly scoped.

There’s another reason I’m interested in this methodology section. That’s the implication from Spencer Ackerman’s series on SSCI’s Torture Report that CIA successfully used the John Durham investigation to undermine the SSCI investigation.

In August 2009, US attorney general Eric Holder expanded the remit of the prosecutor looking at the tapes destruction, John Durham, to include the torture program, much as the Senate committee had. The justice department’s new mandate was not as broad as the Senate’s. It would only concern itself with torture that exceeded the boundaries set for the CIA by the Bush-era justice department. Still, for all of Obama’s emphasis on looking forward and not backward, now the CIA had to face its greatest fear since launching the torture program: possible prosecution.

Holder’s decision, ironically, would ultimately hinder the committee more than the CIA, and lead to a criticism that the agency would later use as a cudgel against the Senate.

Typically, when the justice department and congressional inquiries coincide, the two will communicate in order to deconflict their tasks and their access. In the case of the dual torture investigations, it should have been easy: Durham’s team accessed CIA documents in the exact same building that Jones’s team did.

But every effort Jones made to talk with Durham failed. “Even later, he refused to meet with us,” Jones said.

Through a spokesman, Durham, an assistant US attorney in Connecticut, declined to be interviewed for this story.

The lack of communication had serious consequences. Without Durham specifying who at CIA he did and did not need to interview, Jones could interview no one, as the CIA would not make available for congressional interview people potentially subject to criminal penalty. Jones could not even get Durham to confirm which agency officials prosecutors had no interest in interviewing. “Regrettably, that made it difficult for our committee to do interviews. So the judgment was, use the record,” said Wyden, the Oregon Democrat on the panel.

[snip]

The CIA stopped compiling the Panetta Review in 2010 after Durham told Preston that CIA risked complicating any prosecution if it “made different judgments than the prosecutors had reached”, Charlie Savage reported in his 2015 book Power Wars.

Not only did CIA’s General Counsel Stephen Preston (who later served as DOD General Counsel from October 2013 until June 2015) use the Durham investigation to halt the CIA’s own internal investigation into the worthlessness of their torture, but it served as the excuse to withhold cooperation from SSCI. That, in turn, gave Republicans an excuse to disavow the report.

With the HPSCI report, an FBI investigation has again been used as an excuse to limit congressional oversight.

HPSCI’s failure to interview any of the relevant people directly is all the weirder given that there should be no problem for a witness to appear before both the grand jury and the committee. Certainly, House Oversight had no problem interviewing some of the subjects of the Hillary email investigation! And unlike the email investigation, with the Snowden one, few if any of the people who might serve as witnesses at any Snowden trial would be subjects of the investigation; they’d have no legal risk in also testifying to the committee. Snowden is the one at legal risk, and he has already been charged. And curiously, we’re hearing no squawking from Republicans about the necessity of direct interviews for the integrity of an investigation, like we heard with the Senate Torture Report.

One thing is certain: the public is owed an explanation for how HPSCI came to report knowably false information. The public is owed an explanation for why HPSCI is effectively serving as NSA’s propaganda wing.

And if we don’t get one, we should shut down the entire charade of post-Church Committee oversight committees.

Marcy has been blogging full time since 2007. She’s known for her live-blogging of the Scooter Libby trial, her discovery of the number of times Khalid Sheikh Mohammed was waterboarded, and generally for her weedy analysis of document dumps.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including the Guardian, Salon, and the Progressive, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse and dog in Grand Rapids, MI.


HPSCI: We Must Spy Like Snowden To Prevent Another Snowden

I was going to write about this funny part of the HPSCI report anyway, but it makes a nice follow-up to my post on Snowden and cosmopolitanism, on the importance of upholding American values to keeping the servants of hegemon working to serve it.

As part of its attack on Edward Snowden released yesterday, the House Intelligence Committee accused Snowden of attacking his colleagues’ privacy.

To gather the files he took with him when he left the country for Hong Kong, Snowden infringed on the privacy of thousands of government employees and contractors. He obtained his colleagues’ security credentials through misleading means, abused his access as a systems administrator to search his co-workers’ personal drives, and removed the personally identifiable information of thousands of IC employees and contractors.

I have no doubt that many — most, perhaps — of Snowden’s colleagues feel like he violated their privacy, especially as their identities are now in the possession of a number of journalists. So I don’t make light of that, or the earnestness with which HPSCI’s sources presumably made this complaint (though IC employee privacy is one of the things all journalists who have reported these stories have redacted, to the best of my knowledge).

But it’s a funny claim for several reasons. Even ignoring that what the NSA does day in and day out is search people’s personal communications (including millions of innocent people), this kind of broad access is the definition of a SysAdmin.

HPSCI apparently never had a problem with techs getting direct access to our dragnet metadata, as they had and (now working in pairs) still have, for those of us two degrees away from a suspect.

Plus, HPSCI has never done anything publicly to help the 21 million clearance holders whose PII China now holds. Is it possible they’re more angry at Snowden than they are at China’s hackers, who have more ill-intent than Snowden?

But here’s the other reason this complaint is laugh-out-loud funny. HPSCI closes its report this way:

Finally, the Committee remains concerned that more than three years after the start of the unauthorized disclosures, NSA and the IC as a whole, have not done enough to minimize the risk of another massive unauthorized disclosure. Although it is impossible to reduce the chance of another Snowden to zero, more work can and should be done to improve the security of the people and the computer networks that keep America’s most closely held secrets. For instance, a recent DOD Inspector General report directed by the Committee had yet to effectively implement its post-Snowden security improvements. The Committee has taken actions to improve IC information security in the Intelligence Authorization Acts for Fiscal Years 2014, 2015, 2016, and 2017, and looks forward to working with the IC to continue to improve security.

First, that timeline — showing an effort to improve network security in each year following the Snowden leaks — is completely disingenuous. It neglects to mention that the Intel Committees have actually been trying for longer than that. In the wake of the Manning leaks, it became clear that DOD’s networks were sieve-like. Congress tried to require network monitoring in the 2012 Intelligence Authorization. But the Administration responded by insisting 2013 — 3 years after Manning’s leaks — was too soon to plug all the holes in DOD’s networks. One reason Snowden succeeded in downloading all those files is because the network monitoring hadn’t been rolled out in Hawaii yet.

So HPSCI is trying to pretend Intel Committee past efforts didn’t actually precede Snowden by several years, but those efforts failed to stop Snowden.

The other reason I find this paragraph — which appears just four paragraphs after it attacks Snowden for the invasion of his colleagues’ privacy — so funny is that in the 2014 Intelligence Authorization (that is, the first one after the Snowden leaks), HPSCI codified an insider threat program, requiring the Director of National Intelligence to,

ensure that the background of each employee or officer of an element of the intelligence community, each contractor to an element of the intelligence community, and each individual employee of such a contractor who has been determined to be eligible for access to classified information is monitored on a continual basis under standards developed by the Director, including with respect to the frequency of evaluation, during the period of eligibility of such employee or officer of an element of the intelligence community, such contractor, or such individual employee to such a contractor to determine whether such employee or officer of an element of the intelligence community, such contractor, and such individual employee of such a contractor continues to meet the requirements for eligibility for access to classified information;

This insider threat program searches IC employees’ hard drives (one of Snowden’s sins).

Then, the following year, HPSCI got even more serious, mandating that the Director of National Intelligence look into credit reports, commercially available data, and social media accounts to hunt down insider threats, including by watching for changes in ideology like those Snowden exhibited, developing an outspoken concern about the Fourth Amendment.

I mean, on one hand, this isn’t funny at all — and I imagine that Snowden’s former colleagues blame him that they have gone from having almost no privacy as cleared employees to having none. This is what people like Carrie Cordero mean when they regret the loss of trust at the agency.

But as I have pointed out in the past, if someone like Snowden — who at least claims to have had good intentions — can walk away with the crown jewels, we should presume some much more malicious and/or greedy people have as well.

But here’s the thing: you cannot, as Cordero does, say that the “foreign intelligence collection activities [are] done with detailed oversight and lots of accountability” if it is, at the same time, possible for a SysAdmin to walk away with the family jewels, including raw data on targets. If Snowden could take all this data, then so can someone maliciously spying on Americans — it’s just that that person wouldn’t go to the press to report on it and so it can continue unabated. In fact, in addition to rolling out more whistleblower protections in the wake of Snowden, NSA has made some necessary changes (such as not permitting individual techs to have unaudited access to raw data anymore, which appears to have been used, at times, as a workaround for data access limits under FISA), even while ratcheting up the insider threat program that will, as Cordero suggested, chill certain useful activities. One might ask why the IC moved so quickly to insider threat programs rather than just implementing sound technical controls.

The Intelligence world has gotten itself into a pickle, at once demanding that a great deal of information be shared broadly, while trying to hide what information that includes, even from American citizens. It aspires to be at once an enormous fire hose and a leak-proof faucet. That is the inherent impossibility of letting the secret world grow so far beyond management — trying to make a fire hose leak proof.

Some people in the IC get that — I believe this is one of the reasons James Clapper has pushed to rein in classification, for example.

But HPSCI, the folks overseeing the fire hose? They don’t appear to realize that they’re trying to replicate and expand Snowden’s privacy violations, even as they condemn them.


Hillary Clinton’s Three Devices

I really don’t want to get bogged down in the Hillary email story. But given the ongoing discussions about whether claims she used the personal server to avoid oversight have merit, I did two more things. First, I did this timeline. Without going into too much detail, there are decisions made after requests for emails that suggest avoiding oversight was driving some of this. That’s especially true given the conflicting stories from Paul Combetta pertaining to his actions in late 2014 and March 2015; he ended up deleting Hillary’s emails after being informed of the House Oversight request for them. He may have only revealed that with an immunity deal.

The other detail I want to focus on is the number of devices Hillary had. Hillary defenders often point to her claim that she used the Blackberry for convenience to claim she surely wasn’t avoiding oversight. But I think the FBI report shows that she had three devices, not just one.

Most of the attention on the number of her devices focuses on the fact that she had 13 serial BBs, none of which were handed over to the FBI (instead of her actual BBs, Williams & Connolly turned over two other BBs, though without SIM or SD cards).

It is true that her 13 BBs were used serially, not at once, which makes Hillary Clinton just like Tom Brady in her serial use of phones: she’s just a famous person who likes to swap out her phones all the time. The difference being that Tom Brady was told he didn’t need to keep his phone, whereas Hillary was under record-keeping obligations even before any investigation started. And Brady at least had had his comms reviewed by lawyers before he deleted his phone.

But it’s not the 13 BB detail that poses problems to Hillary’s single device claim. It’s this passage.

[Screenshot: passage from the FBI report]

Justin Cooper, the Bill Clinton staffer who ran much of the tech in the Chappaqua basement, says that Hillary used both a Blackberry and a flip phone for calls. Huma Abedin and Cheryl Mills dispute that, though in terms that leave some wiggle room (curiously, FBI apparently didn’t ask Monica Hanley, who bought all of Hillary’s Blackberries). There were 2 phone numbers Hillary used, the latter of which only became the Blackberry number after her tenure as SoS. But footnote 8 reveals that there were 4 mobile devices that used what appears to be the second number during her tenure as SoS. This seems to indicate that Cooper is right: Hillary had both an email phone and a series of 4 telephony phones, the latter of which were not email capable.

The footnote makes clear FBI didn’t pursue these telephony phones because they were, by definition, outside the scope of an email leak investigation (which is one of the many reasons one needs to come to this report with an understanding of the narrow scope of the investigation). But any use of flip phones would not be outside the scope of an FRA investigation, because they undermine Hillary’s claim that she adopted the BBs for single-device convenience.

Then there’s the passage on page 9 that shows there were also 5 iPads that were potentially used for emails, 3 of which were turned over to the FBI (indeed, one of them actually had draft emails from 2012). This suggests that at least during 2012, Hillary had still another device: 3 devices, not 1. She may not have used the iPads for email throughout her tenure, but she did, apparently, use them in some sense.

Finally, there are two more mysterious devices that aren’t accounted for: a personally-owned computer in both of Hillary’s 2 household SCIFs. Amid the discussion of those SCIFs (including the detail that both were not secure at times, which undermines claims that her only SCIF violation was bringing her BB just inside the State SCIF) is this detail.

According to Abedin, Cooper, and [redacted] there were personally-owned desktop computers in the SCIFs in Whitehaven and Chappaqua. Conversely, Clinton stated to the FBI she did not have a computer of any kind in the SCIFs in her residences. According to Abedin and Clinton, she did not use a computer, and she primarily used her BlackBerry or iPad for checking e-mails.

There is admittedly another conflict in the testimony here, between every aide asked and Hillary, but given that even Abedin and Hillary’s [redacted] staffer say there were personally-owned computers in the SCIFs, I tend to believe it.

But Abedin says Hillary didn’t use them, and I sort of believe that too. But that raises questions about 1) why personally-owned computers were in the SCIF in the first place, which is surely also a violation of SCIF rules, especially if Hillary didn’t use them, but also 2) who was using them. The passage also makes it clear Hillary’s aides had access to the SCIF so perhaps they were?

In any case, we can’t be certain given the redactions and conflicting testimony, but according to my count, Hillary probably had three parallel devices during her tenure as Secretary of State: her BB, a flip phone, and an iPad (the latter of which may or may not have been regularly used for comms, though it was at least briefly in 2012), as well as two SCIF desktops that she personally didn’t use.


The Misunderstandings of the Anti-Transparency Hillary-Exonerating Left

It wasn’t enough for Matt Yglesias to write a widely mocked piece calling for less transparency, now Kevin Drum has too. It all makes you wonder whether there’s some LISTSERV somewhere — the successor to JOURNOLIST, from which leaked emails revealed embarrassing discussions of putting politics above principle, perhaps — where a bunch of center-left men are plotting about how to finally end the email scandal that Hillary herself instigated with a stupid decision to host her own email. Especially given this eye-popping paragraph in Drum’s piece:

Part of the reason is that Hillary Clinton is a real object lesson in how FOIA can go wrong when it’s weaponized. Another part is that liberals are the biggest fans of transparency, and seeing one of their own pilloried by it might make them take a second look at whether it’s gone off the rails. What we’ve seen with Hillary Clinton is not that she’s done anything especially wrong, but that a story can last forever if there’s a constant stream of new revelations. That’s what’s happened over the past four years. Between Benghazi committees and Judicial Watch’s anti-Hillary jihad, Clinton’s emails have been steadily dripped out practically monthly, even though there’s never been any compelling reason for it. It’s been done solely to keep her alleged corruption in the public eye.

Even setting aside that his piece generally ignores (perhaps, betrays no knowledge of) the widely-abused b5 exemption that already lets people withhold precisely the kinds of deliberations that Drum wants to kill FOIA over (and is used to withhold a lot more than that), this paragraph betrays stunning misunderstanding about the Clinton email scandal. Not least, the degree to which many of the delays have arisen from Clinton’s own actions.

It led me to go back to read this post, which engages in some cute spin and selective editing, but really gives up the game in this passage.

Oddly, the FBI never really addresses the issue of whether Hillary violated federal record retention rules. They obviously believe that she should have used a State email account for work-related business, but that’s about it. I suppose they decided it was a non-issue because Hillary did, in fact, retain all her emails and did, in fact, turn them over quickly when State requested them.

There’s also virtually no discussion of FOIA. What little there is suggests that Hillary’s only concern was that her personal emails not be subjected to FOIA simply because they were held on the same server as her work emails.

Of course the FBI never really addresses how Hillary violated the Federal Records Act. Of course the FBI never really addresses how Hillary tried to avoid FOIA. (Note too that Drum ignores that some of those “personal” emails have been found to be subject to FOIA and FRA and Congressional requests; they weren’t actually personal.)

That’s because this wasn’t an investigation into violating the Federal Records Act. As I wrote in this post summarizing Jim Comey’s testimony to Oversight and Government Reform:

The FBI investigation that ended yesterday only pertained to that referral about classified information. Indeed, over the course of the hearing, Comey revealed that it was narrowly focused, examining the behavior of only Clinton and four or five of her close aides. And it only pertained to that question about mishandling classified information. That’s what the declination was based on: Comey and others’ determination that when Hillary set up her home-brew server, she did not intend to mishandle classified information.

This caused some consternation, early on in the hearing, because Republicans familiar with Clinton aides’ sworn testimony to the committee investigating the email server and Benghazi were confused how Comey could say that Hillary was not cleared to have her own server, but aides had testified to the contrary. But Comey explained it very clearly, and repeatedly. While FBI considered the statements of Clinton aides, they did not review their sworn statements to Congress for truth.

That’s important because the committee was largely asking a different question: whether Clinton used her server to avoid oversight, Federal Record Act requirements, the Benghazi investigation, and FOIA. That’s a question the FBI did not review at all. This all became crystal clear in the last minutes of the Comey testimony.

Chaffetz: Was there any evidence of Hillary Clinton attempting to avoid compliance with the Freedom of Information Act?

Comey: That was not the subject of our criminal investigation so I can’t answer that sitting here.

Chaffetz: It’s a violation of law, is it not?

Comey: Yes, my understanding is there are civil statutes that apply to that. I don’t know of a crimin–

Chaffetz: Let’s put some boundaries on this a little bit — what you didn’t look at. You didn’t look at whether or not there was an intention or reality of non-compliance with the Freedom of Information Act.

Comey: Correct.

Having started down this path, Chaffetz basically confirms what Comey had said a number of times throughout the hearing, that FBI didn’t scrutinize the veracity of testimony to the committee because the committee did not make a perjury referral.

Chaffetz: You did not look at testimony that Hillary Clinton gave in the United States Congress, both the House and the Senate?

Comey: To see whether it was perjurious in some respect?

Chaffetz: Yes.

Comey: No we did not.

[snip]

Comey: Again, I can confirm this but I don’t think we got a referral from Congressional committees, a perjury referral.

Chaffetz: No. It was the Inspector General that initiated this.

Now, let me jump to the punch and predict that OGR will refer at least Hillary’s aides, and maybe Hillary herself, to FBI for lying to Congress. They might even have merit in doing so, as Comey has already said her public claims about being permitted to have her own email (which she repeated to the committee) were not true. Plus, there’s further evidence that Hillary used her own server precisely to maintain control over them (that is, to avoid FOIA).

As I said in my earlier post, I’m loath to admit this, because I’d really like to be done with this scandal (I’d like, even more, to come up with sensible policy proposals like fixing email and text archiving to prevent this from happening in every presidential administration). All the questions about whether Hillary chose to keep her own server to avoid oversight (or, as Chaffetz asked today, to obstruct OGR’s investigation) have never been investigated by FBI. Those requests even have more merit than Democrats are making out — in part for precisely this reason, FBI has never considered at least some evidence to support the case Hillary deliberately avoided FRA, including a string of really suspicious timing. As I wrote in my other post, I also think they won’t amount to anything, in part because these laws (including laws prohibiting lying to Congress) are so toothless. But they are a fair question.

All that said, it is incorrect to take a report showing the FBI not charging Hillary for intentionally mishandling classified information and conclude from that that hers is an example of FRA and FOIA gone amuck. On the contrary. Hillary has never been exonerated for trying to avoid FOIA and FRA. The evidence suggests it would be hard to do that.

Marcy has been blogging full time since 2007. She’s known for her live-blogging of the Scooter Libby trial, her discovery of the number of times Khalid Sheikh Mohammed was waterboarded, and generally for her weedy analysis of document dumps.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including the Guardian, Salon, and the Progressive, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse and dog in Grand Rapids, MI.

Jim Comey, Poker Face, and the Scope of the Clinton Investigation(s)

I write this post reluctantly, because I really wish the Hillary investigations would be good and over. But I don’t think they are.

After having watched five and a half hours of the Clinton investigation hearing today, I’ve got new clarity about what the FBI has been doing for the last year. That leads me to believe that this week’s announcement that DOJ will not charge Clinton is simply a pause in the Clinton investigation(s). I believe an investigation will resume shortly (if one is not already ongoing), though that resumed investigation will also end with no charges — for different reasons than this week’s declination.

First, understand how this all came about. After the existence of Hillary’s server became known, State’s IG Steve Linick started an investigation into it, largely focused on whether Hillary (and other Secretaries of State) complied with Federal Records Act obligations. In parallel, as intelligence agencies came to complain about State’s redactions of emails released in FOIA response, the Intelligence Committee Inspector General Charles McCullough intervened in the redaction process and referred Clinton to the FBI regarding whether any classified information had been improperly handled. As reported, State will now resume investigating the classification habits of Hillary and her aides, which will likely lead to several of them losing clearance.

The FBI investigation that ended yesterday only pertained to that referral about classified information. Indeed, over the course of the hearing, Comey revealed that it was narrowly focused, examining the behavior of only Clinton and four or five of her close aides. And it only pertained to that question about mishandling classified information. That’s what the declination was based on: Comey and others’ determination that when Hillary set up her home-brew server, she did not intend to mishandle classified information.

This caused some consternation, early on in the hearing, because Republicans familiar with Clinton aides’ sworn testimony to the committee investigating the email server and Benghazi were confused how Comey could say that Hillary was not cleared to have her own server, but aides had testified to the contrary. But Comey explained it very clearly, and repeatedly. While FBI considered the statements of Clinton aides, they did not review their sworn statements to Congress for truth.

That’s important because the committee was largely asking a different question: whether Clinton used her server to avoid oversight, Federal Record Act requirements, the Benghazi investigation, and FOIA. That’s a question the FBI did not review at all. This all became crystal clear in the last minutes of the Comey testimony.

Chaffetz: Was there any evidence of Hillary Clinton attempting to avoid compliance with the Freedom of Information Act?

Comey: That was not the subject of our criminal investigation so I can’t answer that sitting here.

Chaffetz: It’s a violation of law, is it not?

Comey: Yes, my understanding is there are civil statutes that apply to that. I don’t know of a crimin–

Chaffetz: Let’s put some boundaries on this a little bit — what you didn’t look at. You didn’t look at whether or not there was an intention or reality of non-compliance with the Freedom of Information Act.

Comey: Correct.

Having started down this path, Chaffetz basically confirms what Comey had said a number of times throughout the hearing, that FBI didn’t scrutinize the veracity of testimony to the committee because the committee did not make a perjury referral.

Chaffetz: You did not look at testimony that Hillary Clinton gave in the United States Congress, both the House and the Senate?

Comey: To see whether it was perjurious in some respect?

Chaffetz: Yes.

Comey: No we did not.

[snip]

Comey: Again, I can confirm this but I don’t think we got a referral from Congressional committees, a perjury referral.

Chaffetz: No. It was the Inspector General that initiated this.

Now, let me jump to the punch and predict that OGR will refer at least Hillary’s aides, and maybe Hillary herself, to FBI for lying to Congress. They might even have merit in doing so, as Comey has already said her public claims about being permitted to have her own email (which she repeated to the committee) were not true. Plus, there’s further evidence that Hillary used her own server precisely to maintain control over them (that is, to avoid FOIA).

That said, there are two reasons why Hillary and her aides won’t be prosecuted for lying to Congress: James Clapper and Scott Bloch.

Clapper you all know about. The Director of National Intelligence — unlike Clinton — was not under oath when he spectacularly lied to Ron Wyden. Nor was he referred to DOJ for prosecution. But that recent lie will make FBI hesitate.

DOJ will hesitate even more given the history of Scott Bloch. bmaz has written a slew of posts about this but the short version is that the former Office of Special Counsel lied to this very committee and wiped his hard drive to obscure that fact. He ultimately pled guilty, but when the magistrate handling the case pointed out that the plea carried a minimum one month sentence, Bloch and DOJ went nuts and tried to withdraw his plea. bmaz and a bunch of whistleblowers who had been poorly treated by Bloch went nuts in turn. All to no avail. After DOJ claimed there were secret facts that no one understood, the court agreed to sentence Bloch to just one day in jail.

In other words, to keep one of their own out of jail, DOJ made expansive claims about how unimportant lying to Congress is. Even assuming DOJ would ignore their own recent historical claims about the frivolity of lying to Congress, Hillary’s lawyers could use that precedent to argue that lying to Congress has, effectively, been decriminalized (unilaterally by the Executive Branch!).

So FBI will investigate it. Comey might even refer, this time, for prosecution, because the evidence is actually far stronger that Hillary used her own server to avoid oversight (and that she was less than forthcoming about that to Congress). But that, too, won’t be prosecuted because you basically can’t prosecute lying to Congress after the Bloch case.

Which brings me to the funniest part of this exchange with Chaffetz (which, coming as it did in the last minutes of the hearing, has escaped most notice).

Chaffetz: Did you look at the Clinton Foundation?

Comey: I’m not going to comment on the existence or non-existence of any other investigation.

Chaffetz: Was the Clinton Foundation tied into this investigation?

Comey: I’m not going to answer that.

Understand: Comey had already commented on the existence or non-existence of other investigations, commenting at length on the non-investigation of questions pertaining to FOIA and FRA, even describing how many people (four to five) were subjects of this investigation. Comment on non-existence of investigation, comment on non-existence of investigation, comment on non-existence of investigation.

And for what it’s worth, the Clinton Foundation probably couldn’t have been part of the scope of this, given that this was only focused on four to five people (note, a Clinton Foundation investigation would better explain why FBI gave Brian Pagliano immunity, another topic on which Comey would not comment).

But when asked about the Clinton Foundation, he claimed he couldn’t say. All of a sudden, refusal to comment on existence or non-existence of investigation.

Now, I’m just going to say I don’t think anything will come of that, because I doubt FBI would clear Hillary on one issue but not the related one (plus, given SCOTUS’ ruling in the Bob McDonnell case, it probably became impossible to prosecute any Clinton Foundation violations). But Comey’s answer does make it clear that FBI considers questions about improperly handling classified information, avoiding FOIA and other oversight, lying about avoiding FOIA, and deals made with the Clinton Foundation to be different things.

I think that doesn’t change that Hillary won’t be indicted. But I do think she will continue to be investigated in conjunction with questions about what she did and said to avoid FOIA and other oversight.

Update: This post has been tweaked.

Some Legislative Responses to Clinton’s Email Scandal

The Republicans have reverted to their natural “Benghazi witchhunt” form in the wake of Jim Comey’s announcement Tuesday that Hillary Clinton and her aides should not be charged, with Comey scheduled to testify before the House Oversight Committee at 10 AM.

Paul Ryan wrote a letter asking James Clapper to withhold classified briefings from Hillary. And the House Intelligence Committee is even considering a bill to prevent people who have mishandled classified information from getting clearances.

In light of the FBI’s findings, a congressional staffer told The Daily Beast that the House Intelligence Committee is considering legislation that could block security clearances for people who have been found to have mishandled classified information in the past.

It’s not clear how many of Clinton’s aides still have their government security clearances, but such a measure could make it more difficult for them to be renewed, should they come back to serve in a Clinton administration.

“The idea would be to make sure that these rules apply to a very wide range of people in the executive branch,” the staffer said. (Clinton herself would not need a clearance were she to become president.)

It’s nice to see the same Republicans who didn’t make a peep when David Petraeus kept — and still has — his clearance for doing worse than Hillary has finally getting religion on security clearances.

But this circus isn’t really going to make us better governed or safer.

So here are some fixes Congress should consider:

Add some teeth to the Federal/Presidential Records Acts

As I noted on Pacifica, Hillary’s real crime was trying to retain maximal control over her records as Secretary of State — probably best understood as an understandable effort to withhold anything potentially personal combined with a disinterest in full transparency. That effort backfired spectacularly, though, because as a result all of her emails have been released.

Still, every single Administration has had at least a minor email scandal going back to Poppy Bush destroying PROFS notes pertaining to Iran-Contra.

And yet none of those email scandals has ever amounted to anything, and many of them have led to the loss of records that would otherwise be subject to archiving and (for agency employees) FOIA.

So let’s add some teeth to these laws — and let’s mandate and fund more rational archiving of covered records. And while we’re at it, let’s ensure that encrypted smart phone apps, like Signal, which diplomats in the field should be using to solve some of the communication problems identified in this Clinton scandal, will actually get archived.

Fix the Espionage Act (and the Computer Fraud and Abuse Act)

Steve Vladeck makes the case for this:

Congress has only amended the Espionage Act in detail on a handful of occasions and not significantly since 1950. All the while, critics have emerged from all corners—the academy, the courts, and within the government—urging Congress to clarify the myriad questions raised by the statute’s vague and overlapping terms, or to simply scrap it and start over. As the CIA’s general counsel told Congress in 1979, the uncertainty surrounding the Espionage Act presented “the worst of both worlds”:

On the one hand the laws stand idle and are not enforced at least in part because their meaning is so obscure, and on the other hand it is likely that the very obscurity of these laws serves to deter perfectly legitimate expression and debate by persons who must be as unsure of their liabilities as I am unsure of their obligations.

In other words, the Espionage Act is at once too broad and not broad enough—and gives the government too much and too little discretion in cases in which individuals mishandle national security secrets, maliciously or otherwise.

To underscore this point, the provision that the government has used to go after those who shared classified information with individuals not entitled to receive it (including Petraeus, Drake, and Manning), codified at 18 U.S.C. § 793(d), makes it a crime if:

Whoever, lawfully having possession of, access to, control over, or being entrusted with any document, writing, code book, signal book, sketch, photograph, photographic negative, blueprint, plan, map, model, instrument, appliance, or note relating to the national defense, or information relating to the national defense which information the possessor has reason to believe could be used to the injury of the United States or to the advantage of any foreign nation, willfully communicates, delivers, transmits or causes to be communicated, delivered, or transmitted … to any person not entitled to receive it, or willfully retains the same and fails to deliver it on demand to the officer or employee of the United States entitled to receive it …

This provision is stunningly broad, and it’s easy to see how, at least as a matter of statutory interpretation, it covers leaking—when government employees (“lawfully having possession” of classified information) share that information with “any person not entitled to receive it.” But note how this doesn’t easily apply to Clinton’s case, as her communications, however unsecured, were generally with staffers who were “entitled to receive” classified information.

Instead, the provision folks have pointed to in her case is the even more strangely worded § 793(f), which makes it a crime for:

Whoever, being entrusted with or having lawful possession or control of [any of the items mentioned in § 793(d)], (1) through gross negligence permits the same to be removed from its proper place of custody or delivered to anyone in violation of his trust, or to be lost, stolen, abstracted, or destroyed, or (2) having knowledge that the same has been illegally removed from its proper place of custody or delivered to anyone in violation of its trust, or lost, or stolen, abstracted, or destroyed … fails to make prompt report of such loss, theft, abstraction, or destruction to his superior officer …

Obviously, it’s easy to equate Clinton’s “extreme carelessness” with the statute’s “gross negligence.” But look closer: Did Clinton’s carelessness, however extreme, “[permit] … [classified information] to be removed from its proper place of custody or delivered to anyone in violation of [her] trust”? What does that even mean in the context of intangible information discussed over email? The short answer is nobody knows: This provision has virtually never been used at least partly because no one is really sure what it prohibits. It certainly appears to be focused on government employees who dispossess the government of classified material (like a courier who leaves a satchel full of secret documents in a public place). But how much further does it go?

There’s an easy answer here, and it’s to not use Clinton as a test case for an unprecedented prosecution pursuant to an underutilized criminal provision, even if some of us think what she did was a greater sin than the conduct of some who have been charged under the statute. The better way forward is for Congress to do something it’s refused to do for more than 60 years: carefully and comprehensively modernize the Espionage Act, and clarify exactly when it is, and is not, a crime to mishandle classified national security secrets.

Sadly, if Congress were to legislate the Espionage Act now, they might codify the attacks on whistleblowers. But they should not. They should distinguish between selling information to our adversaries and making information public. They should also make it clear that intent matters — because in the key circuit, covering the CIA, the Pentagon, and many contractors, intent hasn’t mattered since the John Kiriakou case.

Eliminate the arbitrariness of the clearance system

But part of that should also involve eliminating the arbitrary nature of the classification system.

I’ve often pointed to how, in the Jeffrey Sterling case, the only evidence he would mishandle classified information was his retention of 30-year old instructions on how to dial a rotary phone, something far less dangerous than what Hillary did.

Equally outrageous, though, is that four of the witnesses who may have testified against Sterling, probably including Bob S who was the key witness, have also mishandled classified information in the past. Those people not only didn’t get prosecuted, but they were permitted to serve as witnesses against Sterling without their own indiscretions being submitted as evidence. As far as we know, none lost their security clearance. Similarly, David Petraeus hasn’t lost his security clearance. But Ashkan Soltani was denied one and therefore can’t work at the White House countering cyberattacks.

Look, the classification system is broken, both because information is over-classified and because maintaining the boundaries between classified and unclassified is too unwieldy. That broken system is then magnified as people’s access to high-paying jobs are subjected to arbitrary review of security clearances. That’s only getting worse as the Intelligence Community ratchets up the Insider Threat program (rather than, say, technical means) to forestall another Manning or Snowden.

The IC has made some progress in recent years in shrinking the universe of people who have security clearances, and the IC is even making moves toward fixing classification. But the clearance system needs to be more transparent to those within it and more just.

Limit the President’s arbitrary authority over classification

Finally, Congress should try to put bounds to the currently arbitrary and unlimited authority Presidents claim over classified information.

As a reminder, the Executive Branch routinely cites the Navy v. Egan precedent to claim unlimited authority over the classified system. They did so when someone (it’s still unclear whether it was Bush or Cheney) authorized Scooter Libby to leak classified information — probably including Valerie Plame’s identity — to Judy Miller. And they did so when telling Vaughn Walker he could not require the government to give al Haramain’s lawyers clearance to review the illegal wiretap log they had already seen before handing it over to the court.

And these claims affect Congress’ ability to do their job. The White House used CIA as cover to withhold a great deal of documents implicating the Bush White House in authorizing torture. Then, the White House backed CIA’s efforts to hide unclassified information, like the already-published identities of its torture-approving lawyers, with the release of the Torture Report summary. In his very last congressional speech, Carl Levin complained that he was never able to declassify a document on the Iraq War claims that Mohammed Atta met with a top Iraqi intelligence official in Prague.

This issue will resurface when Hillary, who I presume will still win this election, nominates some of the people involved in this scandal to serve in her White House. While she can nominate implicated aides — Jake Sullivan, Huma Abedin, and Cheryl Mills — for White House positions that require no confirmation (which is what Obama did with John Brennan, who was at that point still tainted by his role in torture), as soon as she names Sullivan to be National Security Advisor, as expected, Congress will complain that he should not have clearance.

She can do so — George Bush did the equivalent (remember he appointed John Poindexter, whose prosecution in relation to the Iran-Contra scandal was overturned on a technicality, to run the Total Information Awareness program).

There’s a very good question whether she should be permitted to do so. Even ignoring the question of whether Sullivan would appropriately treat classified information, it sets a horrible example for clearance holders who would lose their clearances.

But as far as things stand, she could. And that’s a problem.

To be fair, legislating on this issue is dicey, precisely because it will set off a constitutional challenge. But it should happen, if only because the Executive’s claims about Navy v. Egan go beyond what SCOTUS actually said.

Mandate and fund improved communication system

Update, after I posted MK reminded me I meant to include this.

If Congress is serious about this, then they will mandate and fund State to fix their decades-long communications problems.

But they won’t do that. Even 4 years after the Benghazi attack they’ve done little to improve security at State facilities.

Update: One thing that came up in today’s Comey hearing is that the FBI does not routinely tape non-custodial interviews (and fudges even with custodial interviews, even though DOJ passed a policy requiring it). That’s one more thing Congress could legislate! They could pass a simple law requiring FBI to start taping interviews.

Does Jim Comey Think Thomas Drake Exhibited Disloyalty to the United States?

As you’ve no doubt heard, earlier today Jim Comey had a press conference where he said Hillary and her aides were “extremely careless in their handling of very sensitive, highly classified information” but went on to say no reasonable prosecutor would prosecute any of them for storing over 100 emails with classified information on a server in Hillary’s basement. Comey actually claimed to have reviewed “investigations into mishandling or removal of classified information” and found no “case that would support bringing criminal charges on these facts.”

Our investigation looked at whether there is evidence classified information was improperly stored or transmitted on that personal system, in violation of a federal statute making it a felony to mishandle classified information either intentionally or in a grossly negligent way, or a second statute making it a misdemeanor to knowingly remove classified information from appropriate systems or storage facilities.

[snip]

Although there is evidence of potential violations of the statutes regarding the handling of classified information, our judgment is that no reasonable prosecutor would bring such a case. Prosecutors necessarily weigh a number of factors before bringing charges. There are obvious considerations, like the strength of the evidence, especially regarding intent. Responsible decisions also consider the context of a person’s actions, and how similar situations have been handled in the past.

In looking back at our investigations into mishandling or removal of classified information, we cannot find a case that would support bringing criminal charges on these facts. All the cases prosecuted involved some combination of: clearly intentional and willful mishandling of classified information; or vast quantities of materials exposed in such a way as to support an inference of intentional misconduct; or indications of disloyalty to the United States; or efforts to obstruct justice. We do not see those things here.

To be clear, this is not to suggest that in similar circumstances, a person who engaged in this activity would face no consequences. To the contrary, those individuals are often subject to security or administrative sanctions. But that is not what we are deciding now.

Before we get into his argument, consider a more basic point: It is not Jim Comey’s job to make prosecutorial decisions. Someone else — whichever US Attorney oversaw the prosecutors on this case, Deputy Attorney General Sally Yates, or Loretta Lynch — makes that decision. By overstepping the proper role of the FBI here, Comey surely gave Lynch cover — now she can back his decision without looking like Bill Clinton convinced her to do so on the tarmac. But he has no business making this decision, and even less business making it public in the way he did (the latter of which points former DOJ public affairs director Matthew Miller was bitching about).

But let’s look at his judgment.

Given that Jeffrey Sterling has been in prison for a year based off a slew of metadata (albeit showing only 4:11 seconds of conversation between James Risen and Sterling) and three, thirty year old documents, classified Secret, describing how to dial a phone, documents which were presented to prove Sterling had the “intent” to retain a document FBI never showed him retaining, I’m particularly interested in Comey’s judgment that no reasonable prosecutor would bring charges based on the facts found against Hillary. Similarly, given the history of the Thomas Drake prosecution, in which he was charged with Espionage because he kept a bunch of documents on NSA’s fraud, at the direction of the Inspector General, which the FBI found in his basement.

I can only imagine Comey came to his improper public prosecutorial opinion via one of two mental tricks. Either he — again, not the prosecutor — decided the only crime at issue was mishandling classified information (elsewhere in his statement he describes having no evidence that thousands of work emails were withheld from DOJ with ill intent, which dismisses another possible crime), and from there he decided either that it’d be a lot harder to prosecute Hillary Clinton (or David Petraeus) than it would be someone DOJ spent years maligning like Sterling or Drake. Or maybe he decided that there are no indications that Hillary is disloyal to the US.

Understand, though: with Sterling and Drake, DOJ decided they were disloyal to the US, and then used their alleged mishandling of classified information as proof that they were disloyal to the US (Drake ultimately pled to Exceeding Authorized Use of a Computer).

Ultimately, it involves arbitrary decisions about who is disloyal to the US, and from that a determination that the crime of mishandling classified information occurred.

For what it’s worth, I think most of these cases should involve losing security clearances rather than criminal prosecution (though Petraeus also lied to FBI). But we know, even there, the system is totally arbitrary; DOJ has already refused to answer whether any of Hillary’s aides will be disciplined for their careless handling of classified information and Petraeus never did lose his clearance. Nor did the multiple witnesses who testified against Sterling who themselves mishandled classified information lose their security clearance.

Which is another way of saying our classification system is largely a way to arbitrarily label people you dislike disloyal.

How Did Booz Employee Analyst-Trainee Edward Snowden Get the Verizon 215 Order?

One thing I’ve been pondering as I’ve been going through the Snowden emails liberated by Jason Leopold is the transition Snowden made just before he left. They show that in August 2012, Snowden was (as we’ve heard) a Dell contractor serving as a SysAdmin in Hawaii.

The training he was taking (and complaining about) in around April 5 – 12, 2013 was in preparation to move into an analyst role with the National Threat Operations Center.

That would mean Snowden would have been analyzing US vulnerabilities to cyberattack in what is a hybrid “best defense is a good offense” mode; given that he was in HI, these attacks would probably have been launched predominantly from, and countermeasures would be focused on, China. (Before Stewart Baker accuses me of showing no curiosity about this move, as Baker did about the Chinese invitation to Snowden’s girlfriend to a pole dancing competition, I did, but got remarkably little response from anyone on it.)

It’s not clear why Snowden made the switch, but we have certainly seen a number of cybersecurity related documents — see the packet published by Charlie Savage in conjunction with his upstream cyber article. Even the PRISM PowerPoint — the second thing released — actually has a cybersecurity focus (though I think there’s one detail that remains redacted). It’s about using upstream to track known cyberthreat actors.

I suspect, given the inaccuracies and boosterism in this slide deck, that it was something Snowden picked up while at Booz training, when he was back in Maryland in April 2013. Which raises certain questions about what might have been available at Booz that wasn’t available at NSA itself, especially given the fact that all the PRISM providers’ names appear in uncoded fashion.

Incidentally, Snowden’s job changes at NSA also reveal that there are Booz analysts, not NSA direct employees, doing Section 702 analysis (though that is technically public). In case that makes you feel any better about the way the NSA runs its warrantless surveillance programs.

Anyway, thus far, all that makes sense: Snowden got into a cybersecurity role, and one of the latest documents he took was a document that included a cybersecurity function (though presumably he could have gotten most of the ones that had already been completed as a SysAdmin before that).

But one of the most sensitive documents he got — the Verizon Section 215 primary order — has nothing to do with cybersecurity. The Section 215 dragnet was supposed to be used exclusively for counterterrorism. (And as I understand it, there are almost no documents, of any type, listing provider names in the Snowden stash, and not all that many listing encoded provider names). But the Verizon dragnet order is dated April 23, 2013, several weeks into the time Snowden had moved into a cybersecurity analytical role.

There’s probably an easy explanation: That even though NSA is supposed to shift people’s credentials as they move from job to job, it hadn’t happened for Snowden yet. If that’s right, it would say whoever was responsible for downgrading Snowden’s access from SysAdmin to analyst was slow to make the change, resulting in one of the most significant disclosures Snowden made (there have been at least some cases of credentials not being adjusted since Snowden’s leaks, too, so they haven’t entirely addressed what would have to be regarded as a major fuck-up if that’s how this happened).

Interestingly, however, the declassification stamp on the document suggests it was classified on April 12, not April 23, which may mean they had wrapped up the authorization process, only to backdate it on the date it needed to be reauthorized. April 12, 2013 was, I believe, the last day Snowden was at Fort Meade.

Whatever the underlying explanation, it should be noted that the most sensitive document Snowden leaked — the one that revealed that the government aspired to collect phone records from every single Verizon customer (and, significantly, the one that made court challenges possible) — had to have been obtained after Snowden formally left his SysAdmin, privileged user, position.

Carrie Cordero’s Counterintelligence Complaints

I wasn’t going to respond to Carrie Cordero’s Lawfare piece on my and Jason Leopold’s story on NSA’s response to Edward Snowden’s claims he raised concerns at the agency, largely because I think her stance is fairly reasonable, particularly as compared to other Snowden critics who assume his leaks were, from start to finish, an FSB plot. But a number of people have asked me to do so, so here goes.

Let’s start with this:

As far as we know – even after this new reporting – Snowden didn’t lodge a complaint with the NSA Inspector General. Or the Department of Defense Inspector General. Or the Intelligence Community Inspector General. He didn’t follow up with the NSA Office of General Counsel. He didn’t make phone calls.  He didn’t write letters. He didn’t complain to Members of Congress who would have been willing to listen to his concerns.

Now here’s the rub: do I think that had he done all these things, the programs he questioned would have been shut down and there would have been the same effect as his unauthorized disclosures? No. He probably would have been told that more knowledgeable lawyers, leadership officials, congressmen and dozens of federal judges all assessed that the activities he questioned were legal.

Without noting the parts of the article that show that, nine months into the Snowden leaks and multiple hearings on the subject, Keith Alexander still didn’t know how contractors might raise complaints, and that the NSA editing of its Q&A on Snowden shows real questions about the publicity and viability of reporting even to the IG, especially for legal violations, Cordero complains that he did not do so. Then she asserts that had Snowden gone to NSA’s IG (ignoring the record of what happened to Thomas Drake when he did the same), the programs would not have changed.

And yet, having taken a different approach, some of them have changed. Some of the programs — notably Section 215, but also tech companies’ relationship with the government, when exposed to democratic and non-FISA court review, and FISA court process itself — did get changed. I think all but the tech company changes have largely been cosmetic; Cordero has tended to think reforms would go too far. But the record shows that Snowden’s leaks, along with whatever else damage critics want to claim they caused, also led to a democratic decision to shift the US approach on surveillance somewhat. Cordero accuses Snowden of doing what he did because of ego — again, that’s her prerogative; I’m not going to persuade people who’ve already decided to think differently of Snowden — but she also argues that had Snowden followed the already problematic methods to officially report concerns, he would have had less effect raising concerns than he had in fact. Some of what he exposed may have been legally (when argued in secret) sustainable before Snowden, but they turned out not to be democratically sustainable.

Now let’s go back to how Cordero characterizes what the story showed:

Instead, the report reveals:

  • An NSA workforce conducting a huge after-action search for documents seeking to affirm or refute Snowden’s claim that he had raised red flags internally before resorting to leaking classified documents;
  • Numerous officials terrified that they would miss something in the search, knowing full-well how easily that could happen in NSA’s giant and complex enterprise; and
  • The NSA and ODNI General Counsels, and others in the interagency process –doing their job.

The emails in the report do reveal that government officials debated whether to release the one document that was evidence that Snowden did, in fact, communicate with the NSA Office of General Counsel. It’s hard to be surprised by this. On one hand, the one email in and of itself does not support Snowden’s public claim that he lodged numerous complaints; on the other hand, experienced senior government officials have been around the block enough times to know that as soon as you make a public statement that “there’s only one,” there is a very high likelihood that your door will soon be darkened by a staff member telling you, “wait, there’s more.” So it is no wonder that there was some interagency disagreement about what to do.

For what it’s worth, I think the emails show a mixed story about how well various participants did their job. They make Admiral Rogers look great (which probably would have been more prominently noted had the NSA not decided to screw us Friday night, leading to a very rushed edit job). They make Raj De, who appears to have started the push to release the email either during or just as Snowden’s interview with Brian Williams finished airing (it aired at 10:00 PM on May 28; though note the time stamps on this string of De emails are particularly suspect), look pretty crummy, and not only for that reactive response. (I emailed De for comment but got no response.)

Later on, Cordero admits that, in addition to the OGC email, the story reported for the first time that there had also been a face-to-face conversation with one of the people involved in responding to that email.

The Vice report reveals that Snowden did do at least these things related to his interest in legal authorities and surveillance activities: (i) he clicked on a link to send a question to NSA OGC regarding USSID 18 training, which resulted in an emailed response from an NSA attorney; and (ii) he had a personal interaction (perhaps a short conversation) with a compliance official regarding questions in a training module. But according to the report, in his public statements, “Snowden insisted that he repeatedly raised concerns while at the NSA, and that his concerns were repeatedly ignored.”

(Note Cordero entirely ignores that interviews with Snowden’s colleagues — the same people whom she characterized as terrified they’d miss something in the media response but doesn’t consider whether they would be even more terrified conversations about privacy with Snowden might be deemed evidence of support for him — found a number of them having had conversations about privacy and the Constitution).

She doesn’t get into the chronology of the NSA’s treatment of the face-to-face conversation, though. What the story lays out is this:

  • Released emails show NSA now asserts that Snowden complained about two training programs within the span of a week, possibly even on the same day, with Compliance being involved in both complaints (Snowden would have known they were involved in the OGC response from forwarded emails)
  • Given the record thus far, it appears that there is no contemporaneous written record of the face-to-face complaint (we asked the NSA for any and that’s when they decided to just release the emails in the middle of the night instead of responding, though I assume there is an FBI 302 from an interview with the training woman)
  • Given the record thus far, NSA only wrote up that face-to-face complaint the day after and because NSA first saw teasers from the April 2014 Vanity Fair article revealing Snowden’s claim to have talked to “oversight and compliance”
  • In spite of what I agree was a very extensive (albeit frantic and limited in terms of the definition of “concern”) search, NSA did not — and had not, until our story — revealed that second contact, even though it was written up specifically in response to claims made in the press and well before the May 29 release of Snowden’s email
  • In the wake of NSA not having acknowledged that second contact, a senior NSA official wrote Admiral Rogers a fairly remarkable apology and (as I’ll show in a follow-up post) the NSA is now moving the goal posts on whom they claim Snowden may have talked to

Now, I actually don’t know what happened in that face-to-face contact. We asked both sides of the exchange very specific questions about it, and both sides then declined to do anything but release a canned statement (the NSA had said they would cooperate before they saw the questions). Some would say, so what? Snowden was complaining about training programs! Training programs, admittedly, that related to other documents Snowden leaked. And at least one training program, as it turns out, that the NSA IG had been pushing Compliance to fix for months, which might explain why they don’t want to answer any questions. But nevertheless “just” training programs.

I happen to care about the fact that NSA seems to have a pattern of providing, at best, very vague information about how seriously NSA has to take FISA (or, in the one program we have in its entirety, perfectly legal tips about how to bypass FISA rules), but I get that people see this as just a training issue.

I also happen to care about the fact that when Snowden asked what NSA would like to portray as a very simple question — does what would be FISA take precedence over what would be EO 12333 — it took 7 people who had been developing that training program to decide who and how to answer him. That question should be easier to answer than that (and the emailed discussion(s) about who and how to answer were among the things conspicuously withheld from this FOIA).

But yes, this is just two questions about training raised at a time (we noted in the story) when he was already on his way out the door with NSA’s secrets.

Which is, I guess, why the balance of Cordero’s post takes what I find a really curious turn.

If this is all there is – a conversation and a question  – then to believe that somehow NSA attorneys and compliance officials were supposed to divine that he was so distraught by his NSA training modules that he was going to steal the largest collection of classified documents in NSA history and facilitate their worldwide public release, is to live in a fantasy land.

No, what this new report reveals is that NSA lawyers and compliance personnel take questions, and answer them. Did they provide a simple bureaucratic response when they could or should have dug deeper? Maybe. Maybe not.

Because what they apparently do not do is go on a witch hunt of every employee who asks a couple legal questions. How effective do we think compliance and training would be, if every person who asks a question or two is then subject to intense follow-up and scrutiny? Would an atmosphere like that support a training environment, or chill it?

[snip]

NSA is an organization, and a workforce, doggedly devoted to mission, and to process. In the case of Snowden, there is an argument (one I’ve made before) that its technical security and counterintelligence function failed. But to allude – as today’s report does – that a couple questions from a low level staffer should have rung all sorts of warning bells in the compliance and legal offices, is to suggest that an organization like NSA can no longer place trust in its workforce. I’d wager that the reason the NSA lawyers and compliance officials didn’t respond more vigorously to his whispered inquiries, is because they never, in their wildest dreams, believed that a coworker would violate that trust.

Cordero turns a question about whether Snowden ever complained into a question about why the NSA didn’t notice he was about to walk off with the family jewels because he complained about two training programs.

There are two reasons I find this utterly bizarre. First, NSA’s training programs suck. It’s not just me, based on review of the few released training documents, saying it (though I did work for a number of years in training), it’s also NSA’s IG saying the 702 courses, and related materials, are factually wrong or don’t address critical concepts. Even the person who was most negative towards Snowden in all the emails, the Chief of SID Strategic Communications Team, revealed that lots of people complain about the 702 test (as is also evident from the training woman’s assertion they have canned answers for such complaints).

Complaints about fairness/trick questions are something that I saw junior analysts in NTOC … would pose — these were all his age and positional peers: young enlisted Troops, interns, and new hires. Nobody that has taken this test several times, or worked on things [redacted] for more than a couple of years would make such complaints. It is not a gentleman’s course. *I* failed it once, the first time I had to renew.

I’m all for rigorous testing, but all the anecdotes about complaints about this test may suggest the problem is in the test, not the test-takers. It’s not just that — as Cordero suggested — going on a witch hunt every time someone complains about training courses would chill the training environment (of a whole bunch of people, from the sounds of things). It’s that at precisely the moment Snowden took this training it was clear someone needed to fix NSA’s training, and Cordero’s response to learning that is to wonder why someone didn’t launch a CI investigation.

Which leads me to the other point. As Cordero notes, this is not the first time she has treated the Snowden story as one primarily about bad security. I happen to agree with her about NSA’s embarrassing security: the fact that Snowden could walk away with so much utterly damns NSA’s security practices (and with this article we learn that, contrary to repeated assertions by the government, he was in an analytical role, though we’ve already learned that techs are actually the ones with unaudited access to raw data).

But here’s the thing: you cannot, as Cordero does, say that the “foreign intelligence collection activities [are] done with detailed oversight and lots of accountability” if it is, at the same time, possible for a SysAdmin to walk away with the family jewels, including raw data on targets. If Snowden could take all this data, then so can someone maliciously spying on Americans — it’s just that that person wouldn’t go to the press to report on it and so it can continue unabated. In fact, in addition to rolling out more whistleblower protections in the wake of Snowden, NSA has made some necessary changes (such as not permitting individual techs to have unaudited access to raw data anymore, which appears to have been used, at times, as a workaround for data access limits under FISA), even while ratcheting up the insider threat program that will, as Cordero suggested, chill certain useful activities. One might ask why the IC moved so quickly to insider threat programs rather than just implementing sound technical controls.

Carrie Cordero’s lesson, aside from grading the participants in this email scrum with across-the-board As, is that Snowden complaining about the same training programs the IG was also complaining about should have been a counterintelligence issue but wasn’t because of the great trust at NSA. That argument, taken in tandem with Cordero’s vouching for NSA’s employees, should not, itself, inspire trust.

You Can Get Clearance If You Always Believed in the Fourth Amendment, But Not if You’re a Fourth Amendment Convert

On Thursday night at 11PM, in advance of an Oversight and Government Reform hearing scheduled at 9AM Friday, James Clapper’s office rolled out a new policy integrating the use of social media in security clearance reviews. Basically, the government can use public social media in making security clearance determinations, but can’t ask for your password, friend you to collect information, or access your non-public social media activity. They additionally claim, implausibly, they won’t keep anything unnecessary to make such determinations.

Even taking those caveats in good faith, the policy should not be regarded as a risk-free policy, because government bureaucrats don’t have a perfect record with attribution (something National Counterintelligence Director William Evanina admitted in the hearing) and they have a still worse one with irony. Plus, the history of FBI prosecutions of alleged terrorists for RTs suggests they will read certain actions in social media with a certain kind of intent that may not be true.

Worse, Evanina said two ridiculous things in the hearing that raise real questions about the policy and his ability to implement it fairly.

First, Thomas Massie asked Evanina whether political views would be considered. Massie, after having noted the committee notes suggested a social media search might have identified Snowden as a potential threat (Snowden did spend time online before his classified career, but nothing would have obviously flagged him), also noted their similar political contribution histories. “Do you take into account political support when you’re doing background research on social media?” After Evanina explained the background check would not review that, Massie asked specifically about whether a person supported a candidate who was strong on the Fourth Amendment. “Your belief in Fourth Amendment would not have any predication on whether you could hold or maintain a security clearance,” Evanina replied in response.

Breaking! You can believe in the Fourth Amendment and get a security clearance. 

Only, that’s not true if you’re a convert to the Fourth Amendment (as Snowden arguably was, given his online comments).

Barely mentioned at the hearing were the guidelines the Intelligence Authorization had laid out for this policy, which I wrote about here and here.

(C) publicly available information, whether electronic, printed, or other form, including relevant security or counterintelligence information about the covered individual or information that may suggest ill intent, vulnerability to blackmail, compulsive behavior, allegiance to another country, change in ideology, or that the covered individual lacks good judgment, reliability, or trustworthiness; [my emphasis]

One thing Congress explicitly wanted to measure was “change in ideology” (I believe this was always included in security clearance determinations, but it has a much different impact if one is reviewing everyone’s candid thoughts), the kind of thing when someone who once railed against leakers in public comments goes on to question whether surveillance has gotten out of hand, as Snowden did.

Or as a lot of other people did, when they considered the impact of their dragnets.

The other ridiculous thing Evanina said came in response to Ted Lieu’s concerns about the number of Asian Americans charged with spying charges that later collapsed (something that Judy Chu has also been hitting on). Lieu also mentioned that since the public reports of spying cases collapsing, he has heard from some people who believe they were denied security clearances because of their (presumably Chinese-American) ethnicity.

So Lieu asked Evanina if that’s ever a consideration.

Evanina not only claimed that it is not a consideration (in spite of the case of the man who was denied clearance because of the USAID-tied organization his wife worked for), but he offered up that in his 19 years at FBI, they had also never used ethnicity as a reason for investigation.

There’s one ginormous problem with that claim (which was sworn).

Evanina was at FBI when, in 2008, they changed the Domestic Investigations and Operations Guide (as noted above) to permit consideration of First Amendment protected activities, including religion, among the things FBI Agents may take into account during an investigation.

FBI employees may take appropriate cognizance of the role religion may play in the membership or motivation of a criminal or terrorism enterprise. If, for example, affiliation with a certain religious institution or a specific religious sect is a known requirement for inclusion in a violent organization that is the subject of an investigation, then whether a person of interest is a member of that institution or sect is a rational and permissible consideration. Similarly, if investigative experience and reliable intelligence reveal that members of a terrorist or criminal organization are known to commonly possess or exhibit a combination of religion-based characteristics or practices (e.g., group leaders state that acts of terrorism are based in religious doctrine), it is rational and lawful to consider such a combination in gathering intelligence about the group-even if any one of these, by itself, would constitute an impermissible consideration.

Worse, Evanina served in a policy role when, in 2011, they reinforced this permission in that year’s DIOG.

Admittedly, religion is not the same thing as ethnicity. But for a number of ethnicities, including Chinese and Muslim Arabs, religion can stand in for a kind of ethnicity.

It may be that Evanina was foolish enough to raise his FBI experience, which might be entirely unrelated to the practice of security clearance evaluations. But he did. And that raised some really good reasons (on top of the known record and explicit direction from Congress about what this social media approach should entail) to doubt his assurances to the committee about civil liberties problems with this policy.

I get that it makes sense to review someone’s social media to see if they can keep a secret. But it is also the case that the IC generally, the FBI in particular, and Evanina personally, are not credible on this point.
