What to Do about Computer Crime Laws

In a long piece published in AlterNet on Tuesday, I noted that Aaron Swartz’ treatment was not all that unusual.

In some ways, what was happening to Swartz was not all that unusual. George Washington University Law Professor Orin Kerr — a leading expert on computer crime law who is sympathetic to the issues Swartz championed — explains that the government’s charges fall within the norm for computer crimes. Moreover, the tactics used in this case are normal for the Department of Justice. The government often multiplies charges in order to coerce defendants to plead guilty without a trial.

[snip]

The laws governing computer crime criminalize all sorts of actions that don’t seem like they should be crimes. The government inflates charges beyond all proportion to coerce plea deals. The government’s prosecutorial powers are overwhelming. This administration and these prosecutors have aggressively used the law to shut off the free flow of information.

So to the extent people are horrified by how Swartz was treated, they should also be horrified by the abuse of prosecutorial discretion more generally, whether it affects a genius like Swartz nabbed on a computer crime charge or a regular person brought in on drug charges.

That same day, I suggested we’d be far better off–and far truer to Aaron Swartz’ ethic–trying to fix systemic problems than avenging him personally (though I also called for firing Lanny Breuer, the head of DOJ’s Criminal Division).

One of the most ethical suggestions I’ve seen (and I’m not even sure if there is a White House petition for it) is to fix the Computer Fraud and Abuse Act. [Update: Thanks to Saul Tannenbaum, here it is.]

The government should never have thrown the book at Aaron for accessing MIT’s network and downloading scholarly research. However, some extremely problematic elements of the law made it possible. We can trace some of those issues to the U.S. criminal justice system as an institution, and I suspect others will write about that in the coming days. But Aaron’s tragedy also shines a spotlight on a couple of profound flaws of the Computer Fraud and Abuse Act in particular and gives us an opportunity to think about how to address them.

I didn’t know Aaron personally, but he doesn’t strike me as the kind of guy who would seek individualized solutions to systemic problems. And one of the problems with the system that destroyed him is a law that badly criminalizes actions that don’t present much harm.

Orin Kerr has now finished the second of two posts on Swartz, which says some of the same things–though in much more comprehensive and expert fashion.

I think it’s important to realize that what happened in the Swartz case happens in lots and lots of federal criminal cases. Yes, the prosecutors tried to force a plea deal by scaring the defendant with arguments that he would be locked away for a long time if he was convicted at trial. Yes, the prosecutors filed a superseding indictment designed to scare Swartz even more into pleading guilty (it actually had no effect on the likely sentence, but it’s a powerful scare tactic). Yes, the prosecutors insisted on jail time and a felony conviction as part of a plea. But it is not particularly surprising for federal prosecutors to use those tactics. What’s unusual about the Swartz case is that it involved a highly charismatic defendant with very powerful friends in a position to object to these common practices. That’s not to excuse what happened, but rather to direct the energy that is angry about what happened. If you want to end these tactics, don’t just complain about the Swartz case. Don’t just complain when the defendant happens to be a brilliant guy who went to Stanford and hangs out with Larry Lessig. Instead, complain that this is business as usual in federal criminal cases around the country — mostly with defendants who no one has ever heard of and who get locked up for years without anyone else much caring.

Kerr and I differ on two points. He is silent about the role Obama’s DOJ has in setting certain priorities–both in punishing the liberation of information and in targeting the hacking community in Cambridge. That deserves attention: but the attention should be focused, IMO, at the people setting that emphasis, not those implementing it.

Kerr also argues–fairly compellingly, I think–that we’d be better off letting the courts fix the problem with the Computer Fraud and Abuse Act than letting Zoe Lofgren do so.

A lot of people have wondered how to amend the computer crime laws in response to the Swartz tragedy. So far I have seen a lot of interest in this, but not a lot of sensible proposals. Already, Rep. Lofgren stepped forward with “Aaron’s Law,” text here, which would amend the statutory definition of “exceeds authorized access.” This isn’t new text: It’s just the definition of “exceeds authorized access” that was passed by the Senate Judiciary Committee last year to try to stop Lori Drew-like prosecutions. This amendment is well meaning, no doubt, but I think it is a bad idea for two reasons. First, it is weirdly disconnected from the Swartz case. Swartz would still have faced exactly the same criminal liability under “Aaron’s Law” that he did without it.

Second, after the en banc Nosal case in the Ninth Circuit, I think the smart move for those of us who want a narrow reading of the CFAA is probably to wait for the Supreme Court to resolve the circuit split. Kozinski’s opinion in Nosal is terrific, and it went far beyond the approach taken by “Aaron’s Law” in limiting the CFAA; instead, it adopted the interpretation I recommended in my 2003 article that the CFAA should be limited to breaching code-based restrictions.

The December 2010 Black Hole in the Network Interface Closet

As I’ve suggested, I’m very interested in pinpointing when and how the Federal government first got involved in the investigation of the JSTOR downloading and what role MIT had in the Feds getting involved. While Swartz’ lawyers put together a timeline of the investigation, it constitutes grand jury material that is currently sealed (though you can be sure the content of it would have been aired during Swartz’ trial).

And while we can get a pretty good idea of how the investigation proceeded from court documents, there are two periods about which I have questions: December 2010, and the day of January 4, 2011.

The timeline below shows how Swartz allegedly accessed JSTOR documents, along with the response that JSTOR, MIT, and the government took. As you can see, the investigative narrative sort of fades out for the entire month of December 2010, when Swartz had a computer hooked right into MIT’s network. And then–due to what gets vaguely described as new tools to track flows on MIT’s own network–they found Swartz’ computer. But there’s a weird lapse in time, too: JSTOR notes that Swartz is downloading again around Christmas. But MIT doesn’t go find the computer–which it has recently acquired the ability to do–until January 4. Note, too, that the indictment treats the downloads from November 29 to December 26 as one charge, and those from December 27 to January 4, as another.

That leads to January 4, 2011, when according to the public filings, the Cambridge cops and Secret Service got brought in and–almost immediately–SS takes over the case and MIT hands over data flow materials to SS without demanding a warrant. HuffPo explained that process this way:

According to the source close to the investigation, when MIT employees found the laptop, they contacted MIT police, who called Cambridge police, where the call was then routed to a detective assigned to the New England Electronic Crimes Task Force. That detective contacted another member of the task force, Michael Pickett, a special agent with the U.S. Secret Service, who helped lead the investigation.

In addition, MIT allows SS to get Carnegie Mellon’s CERT to collect the signals from Swartz’ laptop in a dropbox; when Swartz’ lawyers first asked for CERT’s notes on that data flow, the government refused to turn it over, saying that since they would not call any CERT experts to testify they didn’t have to.

I’m wondering several things. First, what were the new tools MIT used to analyze their networks in December 2010? Where did they come from? When did they get them? Was the JSTOR download the reason they did?

And also, what kind of legal analysis did MIT go through before they just let the government into their networks?

Finally, what obligations was MIT under to file Suspicious Activity Reports to the government regarding the JSTOR downloads and when did those obligations kick in? Did MIT comply with those obligations? Did the government know MIT’s network was compromised as early as September, or not until Cambridge brought in SS in January?

To be clear: I’m not suggesting anything nefarious about this–though I am mindful of this, from the scope of the investigation MIT President Rafael Reif has ordered: “I have asked that this analysis describe the options MIT had and the decisions MIT made, in order to understand and to learn from the actions MIT took.” That is, Reif now wants to know which of the decisions MIT pursued they had legal choices to avoid.

The government’s consolidated response to Swartz’ suppression motion claims that “neither local nor federal law enforcement officers were investigating Swartz’s downloading action before January 4, 2011, when MIT first found the laptop.” Note, they refer just to Swartz’ downloading action, not Swartz (though that may just be legal particularity), so it is possible though unlikely that federal law enforcement officers were investigating other activities of Swartz before then (we know the FBI had investigated his PACER downloads the previous year).

Note: the following timeline depends on the assertions of both the government and Swartz’ lawyers. It represents alleged facts as presented by self-interested parties, not uncontested facts. Documents used include the hardware search warrant affidavit, superseding indictment, motion for discovery, pre January 4 suppression motion, January 4-6 suppression motion, consolidated response to motion to suppress, and exhibit to supplement to motion to suppress. I’ve also included Swartz’ FOIAs, as described in this Jason Leopold story, because I find some of the coincidences intriguing (see especially the timing of his request for Secret Service access to encrypted files and CERT, which I’ll return to in a later post).

OK, But Can We Also Fire Lanny Breuer?

I’ve lost count of how many White House petitions are seeking some kind of vengeance for the harsh treatment of Aaron Swartz. Fire Carmen Ortiz. Fire Stephen Heymann. Pardon Swartz. Commute John Kiriakou’s sentence.

One of the most ethical suggestions I’ve seen (and I’m not even sure if there is a White House petition for it) is to fix the Computer Fraud and Abuse Act. [Update: Thanks to Saul Tannenbaum, here it is.]

The government should never have thrown the book at Aaron for accessing MIT’s network and downloading scholarly research. However, some extremely problematic elements of the law made it possible. We can trace some of those issues to the U.S. criminal justice system as an institution, and I suspect others will write about that in the coming days. But Aaron’s tragedy also shines a spotlight on a couple of profound flaws of the Computer Fraud and Abuse Act in particular and gives us an opportunity to think about how to address them.

I didn’t know Aaron personally, but he doesn’t strike me as the kind of guy who would seek individualized solutions to systemic problems. And one of the problems with the system that destroyed him is a law that badly criminalizes actions that don’t present much harm.

Moreover, as Corey Robin argues in this post, asking Obama to take action to absolve the actions of his own government defeats the point.

Asking the state to pardon Swartz doubly empowers and exonerates the state. It cedes to the state the power to declare who is righteous and who is wrong (and thereby obscures the fact that it is the state that is the wrongful actor in this case). The petitioning language to Obama only adds to this. The statement depicts Obama as somehow the good father who stands above the fray—much like how the Tsar was depicted in the petition of the Russian workers who marched with Father Gapon on the Winter Palace in 1905 and were summarily slaughtered.

Pardoning Swartz also would allow the government, effectively, to pardon itself.

These petitions seem to serve the purpose of pretending that Swartz’ treatment was abnormal.

It was not.

Not only has Obama’s Administration treated all those who liberate information without his government’s sanction as dangerous criminals, but his DOJ has been ruthless against just about everyone who is not a Wall Street Executive.

Jesslyn Radack–who knows how aggressively Obama’s DOJ has targeted those who free information as well as anyone–discusses the legal futility of trying to go after Stephen Heymann. But she also notes that the real remedy to prevent more people from experiencing what Swartz did is to start fixing DOJ.

What might be more realistic is for citizens to demand that the Senate Judiciary Committee exercise meaningful oversight over the out-of-control Justice Department, which has waged an unprecedented, unaccountable, brutal war on whistleblowers and hackers, and to create something akin to the Church Committee to investigate the improper monitoring and targeting of hackers, whistleblowers, Occupy participants, journalists, and a numerous other groups of non-violent “offenders” who’ve done nothing to harm anyone or the country, and have been acting purely in the public interest.

It would be a good start (though SJC Chairman Patrick Leahy has been lax in examining any Obama Administration abuses).

But there is one action Obama could take today that would both address some of the problems with his dysfunctional DOJ and attest he means to change things systematically: Fire DOJ’s Criminal Division head, Lanny Breuer.

Lanny Breuer is not the only reason Obama’s DOJ has been so aggressive (though he has been instrumental in ensuring it ignores bank crimes). There are far more senior and far less senior people who have fostered DOJ’s overreach. But Breuer runs this system. Moreover, as the head of this system of prosecutorial overreach, he has actually explicitly rewarded abuse.

If we want to fix the injustice that was done to Aaron Swartz, we need to fix the aspects of the system that rewarded such behavior. We need to fix the law that empowered the prosecutors gunning for him. We need to put some brakes on DOJ’s power. And we should start by getting rid of the guy who has fostered this culture of abuse for the last four years.

DOJ Invoked Aaron Swartz’ Manifesto To Justify Investigative Methods

In the original July 14, 2011 indictment of Aaron Swartz, DOJ described him this way.

Aaron Swartz lived in the District of Massachusetts and was a fellow at Harvard University’s Center for Ethics. Although Harvard provided Swartz access to JSTOR’s services and archive as needed for his research, Swartz used MIT’s computer networks to steal well over 4,000,000 articles from JSTOR. Swartz was not affiliated with MIT as a student, faculty member, or employee or in any other manner other than his and MIT’s common location in Cambridge. Nor was Swartz affiliated in any way with JSTOR.

In their September 12, 2012 superseding indictment, DOJ described him this way.

Aaron Swartz lived in the District of Massachusetts and was a fellow at Harvard University’s Safra Center for Ethics. Swartz was not affiliated with MIT as a student, faculty member, or employee or in any other manner. Although Harvard provided Swartz access to JSTOR’s services and archive as needed for his research, Swartz used MIT’s computer networks to steal millions of articles from JSTOR.

On November 16, 2012, they wrote this motion to rebut Swartz’ claims that a number of the searches MIT and the Secret Service conducted in their investigation were improper and should be suppressed.

During the period alleged in the Superseding Indictment, Aaron Swartz was a fellow at Harvard University’s Safra Center for Ethics, on whose website he was described as a “writer, hacker and activist.” Harvard provided Swartz with access to JSTOR’s services and archives as needed for his research there. Swartz was not a student, faculty member, or employee of MIT. In the Guerilla Open Access Manifesto, which Swartz actively participated in drafting and had posted on one of his websites, Swartz advocated “tak[ing] information, wherever it is stored, mak[ing] our copies and shar[ing] them with the world.”

In other words, precisely at the moment the government defended all the searches it did of Swartz, it (for the first time, I believe) introduced a new descriptor (in addition to the adjectives “writer, hacker, and activist”): Swartz wrote the Guerilla Open Access Manifesto.

The reference is particularly odd, being introduced (though not elaborated on) in this brief defending the investigative approach used by MIT and then the government. It effectively invokes First Amendment protected speech to justify investigative tactics.

The timeline laid out in the rest of the brief claims (not entirely credibly) they had no idea who was downloading from JSTOR until they arrested him in January 2011 (note, too, it is predictably vague about when the Secret Service got involved). So what Swartz wrote two years before the JSTOR downloads started is (or should be) utterly irrelevant to the legitimacy of investigative tactics, because according to the government they didn’t know about that until a good bit later.

Unless of course Secret Service was involved earlier, in which case under DOJ’s current Domestic Investigation and Operations Guide, they could use First Amendment activity as part of the predicate for an investigation.

But that’s not the narrative they lay out in this brief.

And look at the passage from the Manifesto they quote in the brief, which appears in this larger passage.

There is no justice in following unjust laws. It’s time to come into the light and, in the grand tradition of civil disobedience, declare our opposition to this private theft of public culture.

We need to take information, wherever it is stored, make our copies and share them with the world. We need to take stuff that’s out of copyright and add it to the archive. We need to buy secret databases and put them on the Web. We need to download scientific journals and upload them to file sharing networks. [my emphasis]

In context, much of the manifesto advocates for things that are perfectly legal: sharing documents under Fair Use. Taking information that is out of copyright and making it accessible. Purchasing databases and putting them on the web.

Aside from sharing passwords, about the only thing that might be illegal here (depending on copyright!) is downloading scientific journals and uploading them to file sharing networks.

Precisely what the government accused Swartz of.

But they don’t cite that passage. Rather, they cite the “making copies” passage–something not inherently illegal. As if that justified the investigative tactics they used.

Used as it is in this page-limited brief arguing why their tactics were legal, the citation is really bizarre. But it does seem to admit that the government considers Swartz’ role in the Open Access movement to be as much proof he was a criminal as that he chose to download the documents at MIT and not Harvard.

What Kind of Fishing Trip Did the Government Conduct into Aaron Swartz’ Amazon Data?

Yesterday, privacy researcher Chris Soghoian posted an interesting exchange he had with Aaron Swartz in March 2011.

But then I wondered about Amazon. Amazon not only has a lot of private data on its own, but they host a lot of other websites with personal data. It seems like everyone is using Amazon EC2 these days -- Reddit and Netflix and Foursquare and more. Even sites that aren’t hosted on EC2, like 37 signals, still use S3 for backup. The “truly paranoid” tarsnap uses both EC2 and S3. (Yes, tarsnap encrypts your data, but [it sometimes has bugs][b] and doesn’t protect against traffic analysis.) Hell, even WikiLeaks was hosted there at one point.

What’s disturbing is that this means your personal data isn’t just accessible by the people who operate these sites -- it’s also accessible by Amazon. And anyone Amazon decides to hand it to.

What are Amazon’s policies? I’ve had several conversations with them about this, but they refuse to comment on the record. Still, I’m in the rare position of getting to experience them first-hand. A couple years ago the government sent Amazon a subpoena for information about an EC2 instance I’d purchased. Amazon handed it over without stopping to warn me. When I asked them about it specifically, they refused to comment. When I asked them about their general policy, they refused to comment. The only reason I found out about it was because I filed a FOIA request with the Department of Justice. The DOJ was more transparent about this than Amazon.

As best as I can tell, this is Amazon’s policy: When the government asks, turn stuff over. Never tell the people affected. Don’t give them a chance to object.

The exchange ends with Soghoian asking if Swartz will publish his piece, to which Swartz says he cannot.

I thought of that and wish I could, but I can’t put my name on it right now personal reasons.

The exchange happened, we now know, in between the time the Cambridge police first arrested him for breaking and entering and the time the government indicted him for a slew of computer crimes. It seems likely that those “personal reasons” include negotiations with the Secret Service about the JSTOR downloads (we know Swartz and his lawyer met with the Secret Service that summer and turned over some hard drives).

As Swartz himself pointed out, this exchange also happened in the wake of news that the government had issued orders to Twitter–basically within a day of the time the Secret Service triggered Swartz’ initial arrest–for the communications of people associated with WikiLeaks.

The exchange is notable because of a request Swartz’ lawyer made the following year, at the beginning of the pre-trial discovery process. In addition to asking how the government had obtained a bunch of communication involving Swartz and others, his lawyer asked to see everything returned from grand jury subpoenas and orders served on MIT and JSTOR–which makes sense in this case–but also Twitter, Google, and Amazon.

These paragraphs request information relating to grand jury subpoenas. Paragraph 1 requested that the government provide “[a]ny and all grand jury subpoenas – and any and all information resulting from their service – seeking information from third parties including but not limited to Twitter, MIT, JSTOR, Internet Archive that would constitute a communication from or to Aaron Swartz or any computer associated with him.” Paragraph 4 requested “[a]ny and all SCA applications, orders or subpoenas to MIT, JSTOR, Twitter, Google, Amazon, Internet Archive or any other entity seeking information regarding Aaron Swartz, any account associated with Swartz, or any information regarding communications to and from Swartz and any and all information resulting from their service.” Paragraph 20 requested “[a]ny and all paper, documents, materials, information and data of any kind received by the Government as a result of the service of any grand jury subpoena on any person or entity relating to this investigation.”

Swartz requests this information because some grand jury subpoenas used in this case contained directives to the recipients which Swartz contends were in conflict with Rule 6(e)(2)(A), see United States v. Kramer, 864 F.2d 99, 101 (11th Cir. 1988), and others sought certification of the produced documents so that they could be offered into evidence under Fed. R. Evid. 803(6), 901. Swartz requires the requested materials to determine whether there is a further basis for moving to exclude evidence under the Fourth Amendment (even though the SCA has no independent suppression remedy).

[snip]

Moreover, defendant believes that the items would not have been subpoenaed by the experienced and respected senior prosecutor, nor would evidentiary certifications have been requested, were the subpoenaed items not material to either the prosecution or the defense. Defendant’s viewing of any undisclosed subpoenaed materials would not be burdensome, and disclosure of the subpoenas would not intrude upon the government’s work product privilege, as the subpoenas were served on third parties, thus waiving any confidentiality or privilege protections. [my emphasis]

Effectively, Swartz’ lawyer was indicating that he had seen subpoenas and orders that requested information from–among others–Amazon, but not all of what these providers had returned in exchange was turned over as evidence in the case. He was trying to see what else the government had. He’s also making it clear that the government asked for the information in such a form that could be entered as evidence in a trial (meaning the government would not have to call an employee from Amazon or another service provider to certify the authenticity of the data, who could then be questioned by the defense).

And he’s suggesting that if the prosecutor asked for these things, then they must be relevant in this case, and therefore discoverable.

I suspect, though, that that last claim is not what the lawyer really thought. I suspect that he believed the grand jury investigating Swartz–during precisely the same period when Swartz was researching how Amazon might respond to a government request for information–had conducted a fishing trip on other issues, and had done so in such a way that any information gleaned could be used both to prosecute the alleged JSTOR download but also any other crime.

Now I suspect that DOJ’s original request to Amazon–the one Swartz mentioned to Soghoian–dated to Swartz’ efforts to liberate PACER. It shows up in the part of his FBI file Swartz published on his blog.

Data that was exfiltrated went to one of two Amazon IP addresses.

Investigation has determined that the Amazon IP address used to access the PACER system belongs to Aaron Swartz.

So it’s possible the grand jury was reinvestigating what Aaron had done two years earlier, even though DOJ had earlier declined to press charges, in an effort to criminalize Swartz’ efforts to liberate information generally.

But given the timing and Swartz’ own tie to the WikiLeaks orders, I also wonder whether there was something else there–whether Swartz believed the government had information pertaining to activities entirely unrelated to JSTOR or PACER.

Ultimately, Swartz didn’t get this information. As to the communications, the judge assumed the government’s assurances that they had neither used a civil administrative subpoena nor “court ordered electronic surveillance” to get his communications closed the issue (given that the government investigated WikiLeaks as an Espionage case, the government might have claimed access to some of this under the PATRIOT Act simply because of Swartz’ ties to the Cambridge hacktivist community). And she refused to turn over the grand jury information on the grounds that the government may use such inquiries to chase down every lead, even if those leads are unrelated.

So it’s not clear Swartz ever learned what the government was looking for in its fishing expedition with Amazon.

Two Days Before MIT and Cambridge Cops Arrested Aaron Swartz, Secret Service Took Over the Investigation

The public story of Aaron Swartz’ now-tragic two year fight with the Federal government usually starts with his July 19, 2011 arrest.

But that’s not when he was first arrested for accessing a closet at MIT in which he had a netbook downloading huge quantities of scholarly journals. He was first arrested on January 6, 2011 by MIT and Cambridge, MA cops.

According to a suppression motion in his case, however, two days before Aaron was arrested, the Secret Service took over the investigation.

On the morning of January 4, 2011, at approximately 8:00 am, MIT personnel located the netbook being used for the downloads and decided to leave it in place and institute a packet capture of the network traffic to and from the netbook. Timeline at 6. This was accomplished using the laptop of Dave Newman, MIT Senior Network Engineer, which was connected to the netbook and intercepted the communications coming to and from it. Id. Later that day, beginning at 11:00 am, the Secret Service assumed control of the investigation. [my emphasis]

In fact, in one of the most recent developments in discovery in Aaron’s case, the government belatedly turned over an email showing Secret Service agent Michael Pickett offering to take possession of the hardware seized from Aaron “anytime after it has been processed for prints or whenever you [Assistant US Attorney Stephen Heymann] feel it is appropriate.” Another newly disclosed document shows that Pickett accompanied the local cops as they moved the hardware they had seized from Aaron around.

According to the Secret Service, they get involved in investigations with:

  • Significant economic or community impact
  • Participation of organized criminal groups involving multiple districts or transnational organizations
  • Use of schemes involving new technology

Downloading scholarly articles is none of those things.

A lot of people are justifiably furious with US Attorney Carmen Ortiz and AUSA Heymann’s conduct on this case.

But the involvement of the Secret Service just as it evolved from a local breaking and entry case into the excessive charges ultimately charged makes it clear that this was a nationally directed effort to take down Swartz.

MIT’s President Rafael Reif has expressed sadness about Aaron’s death and promised an investigation into the university’s treatment of Aaron. I want to know whether MIT–which is dependent on federal grants for much of its funding–brought in the Secret Service.

Will NYT’s Ombud Encourage a NYT Pre-Sentencing Memo for Bradley Manning, Too?

When I first read Scott Shane’s long profile of John Kiriakou, I thought, “how interesting that the NYT is doing a piece that exposes the government’s double standards just in time for the sentencing of Kiriakou, one of their sources.”

That’s not to say I’m not glad to see the piece: the profile did more to raise the scandal of Kiriakou’s prosecution than just about anything short of a 60 Minutes piece might.

And I’m much less interested in Shane’s references to his own role in Kiriakou’s indictment

Mr. Kiriakou first stumbled into the public limelight by speaking out about waterboarding on television in 2007, quickly becoming a source for national security journalists, including this reporter, who turned up in Mr. Kiriakou’s indictment last year as Journalist B.

[snip]

After Mr. Kiriakou first appeared on ABC, talking with Brian Ross in some detail about waterboarding, many Washington reporters sought him out. I was among them. He was the first C.I.A. officer to speak about the procedure, considered a notorious torture method since the Inquisition but declared legal by the Justice Department in secret opinions that were later withdrawn.

Than I am by this passage.

In 2008, when I began working on an article about the interrogation of Khalid Shaikh Mohammed, I asked him about an interrogator whose name I had heard: Deuce Martinez. He said that they had worked together to catch Abu Zubaydah, and that he would be a great source on Mr. Mohammed, the architect of the Sept. 11 attacks.

He was able to dig up the business card Mr. Martinez had given him with contact information at Mitchell Jessen and Associates, the C.I.A. contractor that helped devise the interrogation program and Mr. Martinez’s new employer.

Mr. Martinez, an analyst by training, was retired and had never served under cover; that is, he had never posed as a diplomat or a businessman while overseas. He had placed his home address, his personal e-mail address, his job as an intelligence officer and other personal details on a public Web site for the use of students at his alma mater. Abu Zubaydah had been captured six years earlier, Mr. Mohammed five years earlier; their stories were far from secret. [my emphasis]

As I have mapped out before, the indictment strongly suggests that Kiriakou was Shane’s source for Martinez’ phone number, and with that suggestion, implies that Shane got Martinez’ identity from Kiriakou rather than one of the 23 other sources he had for the article.

With this passage, Shane rebuts what would have been a key point at trial (and may help Kiriakou in his sentencing). At least according to Shane, he not only learned of Martinez’ identity before he asked Kiriakou about it, but was able to find Martinez’ home address and email on an alumni network site. (Note, Shane doesn’t address whether Kiriakou was the source for the “magic box” technology discussed in the article, about which Kiriakou was also alleged to have lied to CIA’s Publication Review Board.)

In short, the whole article serves as a narrative pre-sentencing memo, offering a range of reasons why Kiriakou should get less than the 30 months his plea deal currently recommends.


No Easy Day, WikiLeaks, and Mitt’s 47%: Three Different Approaches to Illicitly-Released Information


Last week, DOD issued a guidance memo instructing DOD personnel what they are–and are not–permitted to do with the Matt Bissonnette book, No Easy Day, that they claim has sensitive and maybe even classified information. DOD personnel,

  • are free to purchase NED;
  • are not required to store NED in containers or areas approved for the storage of classified information, unless classified statements in the book have been identified;
  • shall not discuss potentially classified and sensitive unclassified information with persons who do not have an official need to know and an appropriate security clearance;
  • who possess either firsthand knowledge of, or suspect information within NED to be classified or sensitive, shall not publically speculate or discuss potentially classified or sensitive unclassified information outside official U.S. Government channels (e.g., Chain-of-Command, Public Affairs, Security, etc.);
  • are prohibited from using unclassified government computer systems to discuss potentially classified or sensitive contents of NED, and must not engage in online discussions via social networking or media sites regarding potentially classified or sensitive unclassified information that may be contained in NED.

The memo points to George Little’s earlier flaccid claims that the book contains classified information as the basis for this policy, even though those claims fell far short of an assertion that there was actually classified information in the book.

The strategy behind this policy seems to be to accept the massive release of this information, while prohibiting people from talking about what information in the book is classified or sensitive–or even challenging Little’s half-hearted claim that it is classified. Moreover, few of the people bound by this memo know what the President insta-declassified to be able to tell his own version of the Osama bin Laden raid, so the memo also gags discussions about information that has likely been declassified, not to mention discussions about the few areas where Bissonnette’s version differs from the Administration’s official version.

Still, it does let people access the information and talk about it generally.

Compare that policy with the Administration’s three-prong approach to WikiLeaks information:

  • Government employees cannot discuss–and are not supposed to consult at all–WikiLeaks cables. The treatment of Peter Van Buren for–among other things–linking to some WikiLeaks cables demonstrates the lengths to which the government is willing to go to silence all discussion of the cables. (Though I imagine the surveillance of social media will be similar to enforce the DOD guidance.)
  • Gitmo lawyers not only cannot discuss material–like the dodgy intelligence cable that the government used to imprison Latif until he died of still undisclosed causes or the files that cite tortured confessions to incriminate other detainees–released by WikiLeaks unless the press speaks of them first. But unlike DOD personnel who do not necessarily have a need to know, Gitmo lawyers who do have a need to know couldn’t consult WikiLeaks except in closely controlled secure conditions.
  • The Government will refuse to release cables already released under FOIA. While to some degree, this strategy parallels the DOD approach–whereas the NED policy avoids identifying which is and is not classified information, the WikiLeaks policy avoids admitting that cables everyone knows are authentic are authentic, the policy also serves to improperly hide evidence of illegal activity through improper classification.

Now, one part of the Administration’s logic behind this approach to purportedly classified information (thus far without the legal proof in either case, or even a legal effort to prove in the case of Bissonnette) is to limit discussion of information that was allegedly released via illegal means.

With What Databases Has NCTC Cross-Referenced with FBI’s 12 Million iDevice User IDs?

Update, 6/13/13: For those coming to this via my Twitter link, subverzo reminded me that this turned out to be a false claim. The data came from an Apple developer, not from FBI. 

Sorry for the confusion.

As you may have heard, Anonymous and AntiSec hacked into a database of 12 million Apple Universal Device IDs that were in an FBI officer’s laptop and released 1 million of them, ostensibly so some people could identify if their device was one of those FBI was tracking.

They claimed to have tapped into a Dell laptop owned by Special Agent Christopher K. Stangl, an FBI cyber security expert. They downloaded several files, including one that contained “12,367,232 Apple iOS devices including Unique Device Identifiers (UDID)” and other personal information, they wrote in a text file published online. “[The] personal details fields referring to people appears many times empty leaving the whole list incompleted [sic] on many parts. no other file on the same folder makes mention about this list or its purpose.”

While it’s not immediately clear what the FBI is doing with the Apple UDIDs and detailed information on device owners, Gizmodo pointed out that the acronym “NCFTA” could stand for the National Cyber-Forensics & Training Alliance, a nonprofit that acts as an information-sharing gateway between private industry and law enforcement.

These are unique identifiers for things like iPhones and iPads that have long presented the risk of tying someone’s identity to an individual device.

There are multiple ways FBI could have collected this information–either using an NSL or Section 215 request or an insecure transmission to an ad or game server. And no one knows how the FBI was using it. Whatever you think about Anonymous, we may finally learn more about how the government is tracking geolocation.

But here’s one other concern. Assuming that’s an official FBI database, not only the FBI has it, but also the National Counterterrorism Center. And they’ve got access to whatever federal databases they want to cross-check with existing counterterrorism databases. And one of the few checks we have on the use of our data in this way is a Privacy Act SCOTUS just watered down.

This is a massive amount of data the government likely has no good excuse for having collected, much less used. But it’s likely just one tip of a very big iceberg.

DOD to Give Penguin the WikiLeaks Treatment?

As a number of outlets have reported, DOD has written a threatening letter to Matt Bissonnette, the Navy SEAL whose memoir comes out next week.

But I think they’re misunderstanding part of the nature of the threat (though Mark Zaid, a lawyer who has represented a lot of spooks in cases like this one, alludes to it here, which I’ll return to). Here are, in my opinion, the two most important parts of the letter. First, DOD’s General Counsel Jeh Johnson addressed it to Penguin’s General Counsel as the custodian for the pseudonymous writer he makes clear he knows the real identity of elsewhere in the letter.

Mr. “Mark Owen”

c/o Alexander Gigante, Esquire

General Counsel

Penguin Putnam, Inc.

That, by itself, is not a big deal. But it does mean Johnson knows Penguin’s GC will read this letter.

More importantly, here’s how Johnson ended the letter:

I write to formally advise you of your material breach and violation of your agreements, and to inform you that the Department is considering pursuing against you, and all those acting in concert with you, all remedies legally available to us in light of this situation. [my emphasis]

That is, DOD is also considering legal remedies against “those acting in concert” with Bissonnette.

As far as we know, the only people acting in concert with Bissonnette are at Penguin’s imprint of Dutton. Thus, as much as this is a threat to Bissonnette, it’s also a threat to Penguin.

Which would make sense because–as Zaid points out–the government has been trying to push the application of the Espionage Act to those sharing classified information since the AIPAC trial.

Mark Zaid, a lawyer who has represented a variety of former military and intelligence officials in disclosure and leak cases, said the Johnson letter looked like a signal that the Pentagon was “contemplating a test case against the publisher or media for disclosing classified information.”
