Did OLC Rule Americans Have Voluntarily Allowed NSA to Collect Their Communications Domestically?

Some weeks ago, I waded into a discussion between Charlie Savage and Ben Wittes to suggest that a still-secret OLC opinion Ron Wyden mentioned back in January might serve as the basis for collecting US person communications at the phone switches.

In his letter to John Brennan in January asking for a slew of things, Ron Wyden mentioned two opinions that may be the still-secret legal analysis mentioned by Savage.

Third, over two years ago, Senator Feingold and I wrote to the Attorney General regarding two classified opinions from the Justice Department’s Office of Legal Counsel, including an opinion that interprets common commercial service agreements. We asked the Attorney General to declassify both of these opinions, and to revoke the opinion pertaining to commercial service agreements. Last summer, I repeated the request, and noted that the opinion regarding commercial service agreements has direct relevance to ongoing congressional debates regarding cybersecurity legislation. The Justice Department still has not responded to these letters.

The opinions would have to pre-date January 14, 2011, because Feingold and Wyden requested the opinions before that date.

The reason I think the service agreements one may be relevant is because the opinions Ben cites focus on whether government users have given consent for EINSTEIN surveillance; in his article on it Bradbury focuses on whether the government could accomplish something similar with critical infrastructure networks.

I suspect this opinion — whatever question it addresses — makes the case that Americans have given NSA voluntary permission to collect US person communications from certain (I’m not sure which ones) switches.

Whatever it says, though, Ron Wyden just asked for the opinion again.

Over the last few years I have written multiple letters to Attorney General Holder regarding a particular opinion from the Justice Department’s Office of Legal Counsel that interprets common commercial service agreements. I have said that I believe that this opinion is inconsistent with the public’s understanding of the law, and that it needs to be both withdrawn and declassified. Despite multiple follow-ups from my staff I still have not received a response to any of these letters. Can you tell me when I can expect a response?

The biggest reason public understanding of the law would matter, after all, is if OLC were interpreting it to reflect voluntary consent for collection of data that the public didn’t realize they had given. And we know NSA wants to — if it is not already — scan communications for malicious code in the name of cybersecurity on critical infrastructure networks the same way it is doing on government networks.

Remember, this is one of 4 questions Wyden would have asked had DiFi allowed an elected Senator to ask questions rather than an NSA apologist to appear. Wyden had apparently alerted Keith Alexander to what those questions were.

Heck, this is even a question apologist Ben Wittes has expressed an interest in. For once it is his questions, in addition to members of Congress, that are not getting answered.

Say Hello To Our New Friends At Just Security

We do a lot of things here at Emptywheel including, occasionally, goofing off. But our primary focus has always been the intersection of security issues, law and politics. I think I can speak for Marcy and Jim, and I certainly do for myself, we would love it if that intersection were not so critical in today’s world. But, alas, it is absolutely critical and, for all the voices out there in the community, there are precious few that deep dive into the critical minutiae.

Today we welcome a new and important player in the field, the Just Security Blog. It has a truly all star and broad lineup of contributors (most all of whom are listed as “editors” of one fashion or another), including good friends such as Steve Vladeck, Daphne Eviatar, Hina Shamsi, Julian Sanchez, Sarah Knuckey and many other quality voices. It is an ambitious project, but one that, if the content already posted on their first day is any indication, will be quite well done. The home of Just Security is the New York University School of Law, so they will have ample resources and foundation from which to operate for the long run.

Ironically, it was little more than three years ago (September 1, 2010 actually) that the Lawfare Blog went live to much anticipation (well, at least from me). Whether you always agree with Ben Wittes, Bobby Chesney, Jack Goldsmith and their contributors or not, and I don’t always, they have done this field of interest a true service with their work product, and are a fantastic and constantly evolving resource. There is little question but that Just Security intends to occupy much of the same space, albeit in a complementary as opposed to confrontational manner. In fact, it was Ben Wittes who hosted the podcast with Steve Vladeck and Ryan Goodman that serves as the multi-media christening of Just Security.

Orin Kerr (who is also a must read at Volokh Conspiracy), somewhat tongue in cheek, tweeted that the cage match war was on between Lawfare and Just Security. That was pretty funny actually, but Orin made a more serious point in his welcome post today, and a point that I think will greatly interest the readers of Emptywheel:

Whereas Lawfare tends to have a center or center-right ideological orientation, for the most part, Just Security’s editorial board suggests that it will have a progressive/liberal/civil libertarian voice.

From my understanding, and my knowledge of the people involved, I believe that to be very much the case. And that is a very good thing for us here, and the greater discussion on so much of our work.

So, say hello to our new friends at Just Security, bookmark them and give them a read. Follow them on Twitter. You will be better informed for having done so.

In Wake of Revelations about Corruption and Coercion, OCC Wails about Bank Cybersecurity

Over 3 months ago, the Guardian revealed that the President reserved the right to declare “inherent right of self defense” to access private networks deemed part of our critical infrastructure in the name of cybersecurity.

2 weeks ago, the Guardian, ProPublica, and NYT reported that, to make it easier to spy on others, the NSA had “deliberately weakened the international encryption standards adopted by developers.”

Also 2 weeks ago, FP reported that “many corporate participants” in an NSA initiative to protect US critical infrastructure “say Alexander’s primary motive” in that initiative “has not been to share what the NSA knows about hackers. It’s to get intelligence from the companies.”

And just this week, Spiegel provided details of how NSA conducts Man-in-the-Middle attacks — hacks — on financial giants like VISA and SWIFT.

Yet none of those revelations prevented Comptroller of the Currency Thomas Curry from giving a fairly breathtaking speech yesterday about financial cybersecurity.

In it, a member of the Executive Branch that has made everyone less secure by corrupting encryption said,

The growing sophistication and frequency of cyberattacks is a cause for concern, not only because of the potential for disruption, but also because of the potential for destruction of the systems and information that support our banks. These risks, if unchecked, could threaten the reputation of our financial institutions as well as public confidence in the system.

A member of a regime that is routinely hacking financial entities said,

The global nature of the Internet means they can conduct their activity from almost anywhere, including in countries with regimes that, at worst, sponsor attacks and, at a minimum, act as criminal havens by turning a blind eye toward criminal behavior.

And a member of the government that has hacked key third party providers like SWIFT and cooperated with third party telecoms to just steal data said,

Banks not only operate their own networks, they also rely on third parties to support their systems and business activities. Some of these third parties have connections to other institutions and servicers. Each new relationship and connection provides potential access points to all of the connected networks and introduces different weaknesses into the system.

I recognize the cybersecurity threat to banks is real. I’d like to be protected against criminals trying to steal my money online and I endorse OCC including IT security among things bank inspectors review. I grant that Curry may well be operating in good faith when he says all these things. But when he talks about partnerships like this, he simply loses credibility.

Clearly, much of the responsibility for assessing cyber threats is housed in other agencies, from the Department of Homeland Security to the FBI to the National Security Agency. They are on the front lines, and they are the ones that are doing the most within government to identify, evaluate, and respond to threats in this area. However, we – the OCC, the FFIEC, and the other regulatory agencies individually – are working closely with them to strengthen the coordination and overall effectiveness of government’s approach to cybersecurity of critical infrastructure.

[snip]

But this is not a problem that can be addressed by one agency alone or by any one institution acting on its own. It is a threat that we can deal with only if we work together in a collegial and collaborative way for the good of our country.

The banks’ regulator may believe he is in a position to lecture about collegiality in the face of threats. But since the government is one of the biggest of those threats, it doesn’t strike me as all that convincing.

NSA’s Corruption of Cryptography and Its Methods of Coercion

I want to return to last week’s Edward Snowden related scoop (Guardian, ProPublica/NYT) that the NSA has corrupted cryptography. Remember, there are several reasons the story was important:

  • NSA lost the battle for the Clipper Chip and turned instead to achieve the same goals via means with less legal sanction
  • NSA broke some companies’ encryption by “surreptitiously stealing their encryption keys or altering their software or hardware”
  • NSA also worked to “deliberately weaken[] the international encryption standards adopted by developers”

One key result of this — as Rayne and Julian Sanchez have emphasized — is to make everyone more exposed to hackers.

This is a bit like publishing faulty medical research just to prevent a particular foreign dictator from being cured. It makes everyone on the Internet more vulnerable, increasing the chances that dissidents will be uncovered by despotic regimes and that corporations will fall victim to cybercriminals.

[snip]

Bear this in mind the next time you see people on Capitol Hill wringing their hands about the threat of a possible “Digital Pearl Harbor”—especially if they think the solution is to give more data and authority to the NSA. Because the agency is apparently perfectly happy to hand weapons to criminals and hostile governments, as long as it gets to keep spying too.

And since then, the NSA has responded to rampant cyberattacks and threats of them against targets it cares about by demanding yet more access to those targets’ data, as explained by Shane Harris in a Keith Alexander profile.

Under the Defense Industrial Base initiative, also known as the DIB, the NSA provides the companies with intelligence about the cyberthreats it’s tracking. In return, the companies report back about what they see on their networks and share intelligence with each other.

Pentagon officials say the program has helped stop some cyber-espionage. But many corporate participants say Alexander’s primary motive has not been to share what the NSA knows about hackers. It’s to get intelligence from the companies — to make them the NSA’s digital scouts. What is billed as an information-sharing arrangement has sometimes seemed more like a one-way street, leading straight to the NSA’s headquarters at Fort Meade.

“We wanted companies to be able to share information with each other,” says the former administration official, “to create a picture about the threats against them. The NSA wanted the picture.”

After the DIB was up and running, Alexander proposed going further. “He wanted to create a wall around other sensitive institutions in America, to include financial institutions, and to install equipment to monitor their networks,” says the former administration official. “He wanted this to be running in every Wall Street bank.”

That aspect of the plan has never been fully implemented, largely due to legal concerns. If a company allowed the government to install monitoring equipment on its systems, a court could decide that the company was acting as an agent of the government. And if surveillance were conducted without a warrant or legitimate connection to an investigation, the company could be accused of violating the Fourth Amendment. Warrantless surveillance can be unconstitutional regardless of whether the NSA or Google or Goldman Sachs is doing it.

“That’s a subtle point, and that subtlety was often lost on NSA,” says the former administration official. “Alexander has ignored that Fourth Amendment concern.”

With all that as background, I want to return to a post I did months ago, laying out the methods the Presidential Policy Directive on Cyberwar envisioned for getting cooperation from private companies. It defines four kinds of access to private computer networks:

  • Network defense, which is what network owners do or USG (or contractors) do at their behest to protect key networks. I assume this is like anti-virus software on steroids.
  • Cyber collection that, regardless of where it occurs, is done in secret. This is basically intelligence gathering about networks.
  • Nonintrusive Defensive Countermeasures, which is more active defensive attacks, but ones that can be or are done with the permission of the network owners. This appears to be the subset of Defensive Cybereffects Operations that, because they don’t require non-consensual network access, present fewer concerns about blowback and legality.
  • Defensive Cybereffects Operations, which are the entire category of more active defensive attacks, though the use of the acronym DCEO appears to be limited to those defensive attacks that require non-consensual access to networks and therefore might cause problems. The implication is they’re generally targeted outside of the US, but if there is an imminent threat (that phrase again!) they can be targeted in the US.

In the area of cyberdefense or offense (remember, this is an overlapping part of NSA’s mission with cryptography) the government envisions collecting information (because cryptography overlaps with this mission, this might be included in that secret data collection) without a network owner’s consent, conducting defensive measures with a network owner’s consent, or conducting defensive measures without a network owner’s consent (the latter is only supposed to happen in the US with the President’s authorization).

Stupid Smartphones and Their Lying Lies

[Apple iPhone 5s via TheVerge.com]

[Apple iPhone 5c via TheVerge.com]

My Twitter timelines across multiple accounts are buzzing with Apple iPhone 5s announcement news. Pardon me if I can’t get excited about the marvel that is iPhone’s new fingerprint-based biometric security.

Let’s reset all the hype:

There is no smartphone security available on the market we can trust absolutely to keep out the National Security Agency. No password or biometric security can assure the encryption contained in today’s smartphones as long as they are built on current National Institute of Standards and Technology (NIST) standards and/or the Trusted Computing Platform. The NSA has compromised these standards and TCP in several ways, weakening their effectiveness and ultimately allowing a backdoor through them for NSA use, bypassing any superficial security system.

There is nothing keeping the NSA from sharing whatever information they are gleaning from smartphones with other government agencies. Citizens may believe that information gleaned by the NSA ostensibly for counterterrorism may not be legally shared with other government agencies, but legality/illegality of such sharing does not mean it hasn’t and isn’t done. (Remember fusion centers, where government agencies were supposed to be able to share antiterrorism information? Perhaps these are merely window dressing on much broader sharing.)

There is no exception across the best known mobile operating systems to the vulnerability of smartphones to NSA’s domestic spying. Although Der Spiegel’s recent article specifically calls out iOS, Android, and Blackberry smartphones, Windows mobile OS is just as exposed. Think about it: if your desktop, laptop, and your netbook are all running the same Windows OS versions needing patches every month to fix vulnerabilities, the smartphone is equally wide open as these devices all use the same underlying code, and hardware built to the same NIST standards. Additionally, all Windows OS will contain the same Microsoft CryptoAPI believed to be weakened by the NSA.

If any of the smartphone manufacturers selling into the U.S. market say they are secure against NSA domestic spying, ask them to prove it. Go ahead and demand it — though it’s sure to be an exercise in futility. These firms will likely offer some non-denial denials and sputtering in place of a firm, “Yes, here’s proof” with a validated demonstration.

Oh, and the Touch ID fingerprint biometrics Apple announced today? You might think it protects not against the NSA but the crook on the street. But until Apple demonstrates they pass a gummy bear hackability test, don’t believe them.

And watch for smartphone thieves carrying tin snips.

NSA and Compromised Encryption: The Sword Cuts Both Ways

[Snapshot, Ralph Langner presentation re: Stuxnet, outlining payload extraction (c. 2012 via YouTube)]

A friendly handshake is offered;
Names are swapped after entry;
The entrant delivers a present;
The present is unboxed with a secret key…

And * BOOM *

Payload delivered.

This is cyber weapon Stuxnet’s operations sequence. At two points in the sequence its identity is masked — at the initial step, when identity is faked by a certificate, and at the third step, when the contents are revealed as something other than expected.

The toxic payload is encrypted and cannot be read until after the handshake and the name swap; it is decrypted only when already deep inside the computer.

In the wake of the co-reported story on the National Security Agency’s efforts to crack computer and network encryption systems, the NSA claims they are only doing what they must to protect the country from terrorists, criminals, and cyber attacks generated by individuals, groups, and nation-state actors.

Defense, though, is but one side of the NSA’s sword; it has two lethal edges.

While use of encryption tools may prevent unauthorized access to communications, or allow malicious code to be blocked, the same tools can be used to obstruct legitimate users or shut down entire communications systems.

Encryption APIs (ex: Microsoft CryptoAPI embedded in Windows operating systems) are often used by higher level applications — for example, a random number generator within the API used to create unique keys for access can also be used to create random names or select random event outcomes like a roll of the dice.

In Stuxnet alone we have evidence of encryption-decryption used as cyber warfare, the application planned/written/supported in some way by our own government. This use was Pandora’s Box opened without real forethought to the long-term repercussions, including unintended consequences.

We know with certainty that the repercussions weren’t fully considered, given the idiocy with which members of Congress have bewailed leaks about Stuxnet, in spite of the fact the weapon uncloaked itself and pointed fingers in doing so.

One of the unconsidered/ignored/unintended consequences of using weaponry requiring encryption-decryption is that the blade can cut in the other direction.

Imagine someone within the intelligence community “detonating” a cyber weapon built in the very same fashion as Stuxnet.

A knock at the door with a handshake;
Door open, package shoved in, treated as expected goods;
Encrypted content decrypted.

And then every single desktop computer, laptop, netbook, tablet, and smartphone relying on the same standardized, industry-wide encryption tools “detonates,” obstructing all useful information activities from personal and business work to telecommunications.

3 Tech Issues the Non-Technologist NSA Technical Committee Needs to Address

A number of people are asking why I’m so shocked that President Obama appointed no technologists for his NSA Review Committee.

Here are three issues that should be central to the Committee’s discussions that are, in significant part, technology questions. There are more. But for each of these questions, the discussion should not be whether the Intelligence Community thinks the current solution is the best or only one, but whether it is an appropriate choice given privacy implications and other concerns.

  • Whether the Intelligence Community can accomplish the goals of the Section 215 dragnet without collecting all US person metadata
  • Whether the NSA can avoid collecting Multiple Communication Transactions as part of upstream collection
  • How to oversee unaudited actions of technical personnel

These are just three really obvious issues that should be reviewed by the committee. And for all of them, it would be really useful for someone with the technical background to challenge NSA’s claims to be on the committee.

Whether the Intelligence Community can accomplish the goals of the Section 215 dragnet without collecting all US person metadata

One of the most contentious NSA practices — at least as far as most Americans go — is the collection of all US person phone metadata for the Section 215 dragnet. Yet even Keith Alexander has admitted — here in an exchange with Adam Schiff in a House Intelligence Committee hearing on June 18 — that it would be feasible to do it via other means, though perhaps not as easy.

REP. SCHIFF: General Alexander, I want to ask you — I raised this in closed session, but I’d like to raise it publicly as well — what are the prospects for changing the program such that, rather than the government acquiring the vast amounts of metadata, the telecommunications companies retain the metadata, and then only on those 300 or so occasions where it needs to be queried, you’re querying the telecommunications providers for whether they have those business records related to a reasonable, articulable suspicion of a foreign terrorist connection?

The No-Technologist Technology Review Panel

In addition to the four people ABC earlier reported would be part of Obama’s Committee to Learn to Trust the Dragnet, Obama added … another law professor, Geoffrey Stone. (Stone is [see update], along with Swire, a worthwhile member. But not a technologist.)

What’s fucking crazy about the committee is it has zero technologists to review a topic that is highly technical. Obama implicitly admits as much! He sells this committee for their “immense experience in national security, intelligence, oversight, privacy and civil liberties.” National security, intelligence, oversight, privacy, civil liberties. No technology.

On August 9, President Obama called for a high-level group of experts to review our intelligence and communications technologies. Today the President met with the members of this group: Richard Clarke, Michael Morell, Geoffrey Stone, Cass Sunstein and Peter Swire.

These individuals bring to the task immense experience in national security, intelligence, oversight, privacy and civil liberties. The Review Group will bring a range of experience and perspectives to bear to advise the President on how, in light of advancements in technology, the United States can employ its technical collection capabilities in a way that optimally protects our national security and advances our foreign policy while respecting our commitment to privacy and civil liberties, recognizing our need to maintain the public trust, and reducing the risk of unauthorized disclosure.

The President thanked the Members of the Group for taking on this important task and looks forward to hearing from them as their work proceeds. Within 60 days of beginning their work, the Review Group will brief their interim findings to the President through the Director of National Intelligence, and the Review Group will provide a final report and recommendations to the President. [my emphasis]

So in spite of the fact that the White House highlights technology in its mandate, that didn’t lead them to find even a single technologist.

Also: Cass Sunstein.

Also: the Committee does, in fact, report its findings through James Clapper, the guy whose programs they will review, the guy who lied to Congress.

At least the White House isn’t promising — as Obama originally did — that it will be an “outside” “independent” committee.

Update: Egads. I take back what I said about Stone, who said this in June.

[W]hat should Edward Snowden have done? Probably, he should have presented his concerns to senior, responsible members of Congress. But the one thing he most certainly should not have done is to decide on the basis of his own ill-informed, arrogant and amateurish judgment that he knows better than everyone else in government how best to serve the national interest. The rule of law matters, and no one gave Edward Snowden the authority to make that decision for the nation. His conduct was more than unacceptable; it was criminal.

Laura Poitras Chips at the Terrorism Lie

Laura Poitras has another piece in Spiegel laying out NSA’s spying on diplomats — this time focusing on how NSA acquired blueprints of the new EU building in NYC to facilitate tapping it all.

To a significant degree, Poitras lays out how the NSA does what other countries at least try to do as well. While the US has certain advantages in conducting such spying (like having the UN headquartered in NYC and dominating telecom infrastructure), in principle it is assumed spy agents will spy on senior people from other countries.

But a key point of Poitras’ piece is that top officials — up to and including President Obama — have led the American people to believe all this spying focuses only on terrorism. Indeed, she points to a line of the speech Obama gave a few weeks back that suggested terrorism was the only reason the government conducted this dragnet (this is the full quote — Poitras breaks up the quote into two; I think it is slightly more ambiguous but at the same time more assertive like this).

I think the main thing I want to emphasize is I don’t have an interest and the people at the NSA don’t have an interest in doing anything other than making sure that where we can prevent a terrorist attack, where we can get information ahead of time, that we’re able to carry out that critical task. We do not have an interest in doing anything other than that.

This was a response to a journalist’s question, not part of Obama’s prepared speech. Nevertheless, the President stood up publicly and claimed that the NSA does not “have an interest in doing anything other than … prevent[ing] a terrorist attack.”

That is a false statement.

Had Obama said preventing terrorism was one of several primary goals, the reported sole focus of the US person phone records dragnet, had he said that he and the NSA have other interests, it might be a fair comment. But it is not the case that the only interest of the NSA is to find advance intelligence on potential terrorist attacks.

And, as Poitras also points out, Obama made these comments in an effort to make people trust the dragnet. The comment came in direct response to a question about trust.

I wanted to ask you about your evolution on the surveillance issues. I mean, part of what you’re talking about today is restoring the public trust. And the public has seen you evolve from when you were in the U.S. Senate to now. And even as recently as June, you said that the process was such that people should be comfortable with it, and now you’re saying you’re making these reforms and people should be comfortable with those. So why should the public trust you on this issue, and why did you change your position multiple times?

And it came in a speech where Obama talked about trust a number of times, including offering his asinine dishwashing metaphor.

Q Can you understand, though, why some people might not trust what you’re saying right now about wanting to —

THE PRESIDENT: No, I can’t.

Q — that they should be comfortable with the process?

THE PRESIDENT: Well, the fact that I said that the programs are operating in a way that prevents abuse, that continues to be true, without the reforms. The question is how do I make the American people more comfortable.

If I tell Michelle that I did the dishes — now, granted, in the White House I don’t do the dishes that much — (laughter) — but back in the day — and she’s a little skeptical, well, I’d like her to trust me, but maybe I need to bring her back and show her the dishes and not just have her take my word for it.

And so the program is — I am comfortable that the program currently is not being abused. I’m comfortable that if the American people examined exactly what was taking place, how it was being used, what the safeguards were, that they would say, you know what, these folks are following the law and doing what they say they’re doing.

But it is absolutely true that with the expansion of technology — this is an area that’s moving very quickly — with the revelations that have depleted public trust, that if there are some additional things that we can do to build that trust back up, then we should do them. [my emphasis]

Obama suggests Snowden’s revelations — and not his, James Clapper’s, and Keith Alexander’s lies about the programs — have chipped away at trust. In a press conference in which Obama falsely claimed this was solely about terrorism.

If Obama and everyone else want to start rebuilding credibility, they need to stop lying, and get rid of the more substantive liars like Clapper and Alexander. But they also need to square with the American people about what this dragnet is for. Congress has repeatedly rejected internet-based surveillance to protect Hollywood IP and to socialize the private cybersecurity risk of corporate owners of critical infrastructure. Even Congress doesn’t approve the use of this technology for some applications.

And until the government stops pretending this is exclusively about terrorism, and stops pretending that terrorism is an existential threat or even the country’s greatest one, it will continue to lose credibility.

Keith Alexander’s Dinner Theater

A bunch of people have been discussing Stanford Professor Jennifer Granick’s account of a dinner she had with NSA Director and CyberCommander Keith Alexander. The main storyline describes how, three weeks ago, Lying Keith promised Granick that seeing the Primary Order for the Section 215 dragnet would make her more comfortable with the program.

It didn’t work out how Lying Keith might have liked.

I had a chance to read the Primary Order the next day, and rather than reassure, it raised substantial concerns.  First, it did not set forth any legal basis for the phone record collection, which Christopher Sprigman and I have argued is illegal.  Second, it confirmed that the FISA court does not monitor compliance with its limitations on the collection program, a problem that, according to a former FISA court judge, is endemic to NSA surveillance programs.

If that weren’t already enough, seeing the FISA Court order released earlier this week, with its revelation that — at least until 2009 — the safeguards on the dragnet program never functioned at all, really ruined Alexander’s efforts to make her feel better.

I remembered our conversation about the Primary Order yesterday while reading the newly declassified FISA court opinion that tangentially raised the phone records surveillance program.  According to the court in 2011, NSA was flagrantly disregarding the dictates of the Primary Order anyway:

[T]he Court concluded that its authorization of NSA’s bulk acquisition of telephone call detail records … in the so-called “big business records” matter “ha[d] been premised on a flawed depiction of how the NSA uses [the acquired] metadata” and that “[t]his misperception by the FISC existed from the inception of its authorized collection in May 2006, buttressed by repeated inaccurate statements made in the government’s submissions and despite a government-devised and Court-mandated oversight regime.” … Contrary to the government’s repeated assurances, NSA had been routinely running queries of the metadata using querying terms that did not meet the required standard for querying.  The Court concluded that this requirement has been “so frequently and systemically violated that it can fairly be said that this critical element of the overall … regime has never functioned effectively.” (Footnote 14)

How does a good man sit across the dinner table from you and assure you the government is properly constrained, when in reality it lies and disregards even the most anemic purported safeguards?

Granick is far more polite than I am — because my conclusion here would be “a good man doesn’t spin you like this.”

But there’s one further bit of spin she doesn’t mention explicitly. Alexander — as he has done repeatedly since Snowden’s documents started leaking — pretended this was all about terrorism.

I have no doubt that Gen. Alexander loves this country as much as I do, or that his primary motivation is to protect our nation from terrorist attacks. “Never again,” he said over dinner.

[snip]

The General seemed convinced that if only I knew what he knew, I would agree with him. He urged me to visit Pakistan, so that I would better understand the dangers America faces.  I responded that one of my longest-standing friends has relatives there and visits regularly, maybe she would take me.  I did not miss his point, and he did not miss mine.

I’m not saying this isn’t, partly, about terrorism. But if that’s all he’s doing, Alexander can roll up his CyberCommand, all the programs targeting Iran, and more generalized cyberdefense: the things that, until these leaks, were considered more urgent issues. Once again, Alexander wants to use terror terror terror to justify a dragnet that (for the content side) targets far more broadly than just terror.

I asked Granick about this, and she said Alexander said “surprisingly little” about cybersecurity, perhaps just a comment about applying the rules of armed conflict to cyberwar.

As with his audience at BlackHat, Alexander here was talking to someone that Stanford considers an expert on cybercrime and cybersecurity. All differences of opinion about the phone dragnet aside, he should have spent his dinner with Granick discussing ways to accomplish the objectives of cybersecurity most effectively.

[A]s we go into cyber and look at–for cyber in the future, we’ve got to have this debate with our country. How are we going to protect the nation in cyberspace?

… Alexander claimed when speaking to a group that stood to get rich off of cybersecurity.

And yet, once again, when presented an opportunity to have that debate with one of the experts he needs to win over, Alexander cowered from the debate.
