The Two OLC Still-Secret Memos Behind the Cross-Border Keyword Searches?

/1 Comment/in , , /by

Last week, Charlie Savage explained what this paragraph from the NSA’s targeting document means.

In addition, in those cases where NSA seeks to acquire communications about the target that are not to or from the target, SNA will either employ an Internet Protocol filter to ensure that the person from whom it seeks to obtain foreign intelligence information is located overseas, or it will target Internet links that terminate in a foreign country. In either event, NSA will direct surveillance at a party to the communication reasonably believed to be outside the United States.

Savage explained that it refers to the way the US snoops through almost all cross-border traffic for certain keywords.

To conduct the surveillance, the N.S.A. is temporarily copying and then sifting through the contents of what is apparently most e-mails and other text-based communications that cross the border. The senior intelligence official, who, like other former and current government officials, spoke on condition of anonymity because of the sensitivity of the topic, said the N.S.A. makes a “clone of selected communication links” to gather the communications, but declined to specify details, like the volume of the data that passes through them.

[snip]

The official said that a computer searches the data for the identifying keywords or other “selectors” and stores those that match so that human analysts could later examine them. The remaining communications, the official said, are deleted; the entire process takes “a small number of seconds,” and the system has no ability to perform “retrospective searching.”

The official said the keyword and other terms were “very precise” to minimize the number of innocent American communications that were flagged by the program. At the same time, the official acknowledged that there had been times when changes by telecommunications providers or in the technology had led to inadvertent overcollection. The N.S.A. monitors for these problems, fixes them and reports such incidents to its overseers in the government, the official said.

In his post on Savage’s story (which I think misreads what Savage describes), Ben Wittes focused closely on the last paragraphs of the story.

But that leaves a big oddity with respect to the story. The end of Savage’s story reads as follows:

There has been no public disclosure of any ruling by the Foreign Intelligence Surveillance Court explaining its legal analysis of the 2008 FISA law and the Fourth Amendment as allowing “about the target” searches of Americans’ cross-border communications. But in 2009, the Justice Department’s Office of Legal Counsel signed off on a similar process for searching federal employees’ communications without a warrant to make sure none contain malicious computer code.

That opinion, by Steven G. Bradbury, who led the office in the Bush administration, may echo the still-secret legal analysis. He wrote that because that system, called EINSTEIN 2.0, scanned communications traffic “only for particular malicious computer code” and there was no authorization to acquire the content for unrelated purposes, it “imposes, at worst, a minimal burden upon legitimate privacy rights.”

The Bradbury opinion was echoed by a later Obama-era opinion by David Barron, and Bradbury later wrote an article about the issue. But here’s the thing: If my read is right and the rule Savage cites permits only acquisition of communications “about” potential targets only from folks reasonably believed themselves to be overseas, these opinions are of questionable relevance. Indeed, if my reading is correct, why is there a Fourth Amendment issue here at all? The Fourth Amendment, after all, does not generally have extraterritorial application. This may be a reason to suspect that the issue is more complicated than I’m suggesting here. It may also merely suggest that someone cited to Savage a memo that is of questionable relevance to the issue at hand.

In his letter to John Brennan in January asking for a slew of things, Ron Wyden mentioned two opinions that may be the still-secret legal analysis mentioned by Savage.

Third, over two years ago, Senator Feingold and I wrote to the Attorney General regarding two classified opinions from the Justice Department’s Office of Legal Counsel, including an opinion that interprets common commercial service agreements. We asked the Attorney General to declassify both of these opinions, and to revoke the opinion pertaining to commercial service agreements. Last summer, I repeated the request, and noted that the opinion regarding commercial service agreements has direct relevance to ongoing congressional debates regarding cybersecurity legislation. The Justice Department still has not responded to these letters.

The opinions would have to pre-date January 14, 2011, because Feingold and Wyden requested the opinions before that date.

The reason I think the service agreements one may be relevant is because the opinions Ben cites focus on whether government users have given consent for EINSTEIN surveillance; in his article on it Bradbury focuses on whether the government could accomplish something similar with critical infrastructure networks.

Remember, we do know of one OLC memo — dated January 8, 2010 — that pertains to the government obtaining international communications willingly from service providers. We learned about it in the context of the Exigent Letters IG Report, which first led observers to believe it pertained to phone records.

But we’ve subsequently learned this is the passage of ECPA the OLC interpreted creatively in secret.

(f) Nothing contained in this chapter or chapter 121 or 206 of this title, or section 705 of the Communications Act of 1934, shall be deemed to affect the acquisition by the United States Government of foreign intelligence information from international or foreign communications, or foreign intelligence activities conducted in accordance with otherwise applicable Federal law involving a foreign electronic communications system, utilizing a means other than electronic surveillance as defined in section 101 of the Foreign Intelligence Surveillance Act of 1978, and procedures in this chapter or chapter 121 and the Foreign Intelligence Surveillance Act of 1978 shall be the exclusive means by which electronic surveillance, as defined in section 101 of such Act, and the interception of domestic wire, oral, and electronic communications may be conducted.

Savage’s reference to the Bradbury opinion suggests all this happens at the packet stage, which may be one (arguably indefensible) way around the electronic communications dodge.

The FBI had not relied on the opinion as of 2010, when we first learned about it. But we also know that since then, the government stopped collecting Internet metadata using a Pen Regsiter/Trap and Trace order.

We know that Feingold and Wyden, with Dick Durbin, asked for a copy of the opinion themselves shortly after the IG Report revealed it. It’s possible that the former two asked for it to be declassified.

This is, frankly, all a wildarsed guess. But Wyden certainly thinks there are two problematic OLC memos out there pertaining to cybersecurity. And Savage seems to think this process parallels the means the government is using for cybersecurity. So it may be these are the opinions.

Share this entry

The Clapper Review: How to Fire 90% of SysAdmins?

/23 Comments/in , , , /by

Yesterday, I noted it took just 72 hours from Obama to turn an “independent” “outside” review of the government’s SIGINT programs into the James Clapper Review of James Clapper’s SIGINT Programs.

But many other commenters have focused on the changed description of the review’s mandate. In his speech on Friday, Obama said the review would study, “how we can maintain the trust of the people, how we can make sure that there absolutely is no abuse in terms of how these surveillance technologies are used, ask how surveillance impacts our foreign policy.”

On Monday, his instruction to James Clapper said the review would, “whether, in light of advancements in communications technologies, the United States employs its technical collection capabilities in a manner that optimally protects our national security and advances our foreign policy while appropriately accounting for other policy considerations, such as the risk of unauthorized disclosure and our need to maintain the public trust.”

Both addressed public trust. But Monday’s statement replaced a focus on “absolutely no abuse” with “risk of unauthorized disclosure.”

Now, I’m not certain, but I’m guessing we all totally misunderstood (by design) Obama’s promises on Friday.

The day before the President made those promises, after all, Keith Alexander made a different set of promises.

“What we’re in the process of doing – not fast enough – is reducing our system administrators by about 90 percent,” he said.

The remarks came as the agency is facing scrutiny after Snowden, who had been one of about 1,000 system administrators who help run the agency’s networks, leaked classified details about surveillance programs to the press.

Before the change, “what we’ve done is we’ve put people in the loop of transferring data, securing networks and doing things that machines are probably better at doing,” Alexander said.

We already know that NSA’s plan to minimize the risk of unauthorized disclosure involves firing 900 SysAdmins (Bruce Schneier provides some necessary skepticism about the move). They probably believe that automating everything (including, presumably, the audit-free massaging of the metadata dragnet data before analysts get to it) will ensure there “absolutely is no abuse.”

And by turning the review intended to placate the civil libertarians into the review that will come up with the brilliant idea of putting HAL in charge of spying, the fired SysAdmins might just blame the civil libertarians.

So this review we all thought might improve privacy? Seems, instead, designed to find ways to fire more people faster.

Share this entry

Behind Legion of Doom: Breaking “Encrypted Electronic Communications between High Level Al Qaeda Leaders”

/10 Comments/in , , /by

[youtube]xY-wsEh6CZk[/youtube]

David Garteinstein-Ross, who did his own research into the Daily Beast Legion of Doom story, noted a couple of things via Twitter that I have been pointing to: the conference call behind the Legion of Doom scare wasn’t the first intercept, and Al Qaeda leaders on the conference call (which Eli Lake clarified wasn’t via telephone) assumed the call was secure.

3) There has been more than one intercept related to the plot. The report refers to a captured courier in addition to the conference call.

5) Many reactions to the report assume AQ completely broke OPSEC. The report states that AQ leaders assumed the call was secure.

And in the appearance above on MSNBC, he describes the conference call as,

Encrypted electronic communications between high level Al Qaeda leaders in which they were discussing this plot.

[snip]

This is encrypted communication. It’s hard to penetrate their communications. And if you make clear that we have, and which communications we’ve penetrated, then they’re simply going to adapt.

In general, that suggests that something the government got from the courier allowed them to break the encrypted conference call. And, if Gartenstein-Ross is accurately informed, that we did, in fact, break their encrypted communications.

While that doesn’t prove or disprove my outtamyarse guess that the Tor compromise had a connection to Legion of Doom, it does make it more likely.

It also means the leaks are that much more damaging, in that they would have ended the period when we had location data on operatives they didn’t realize had been exposed.

Share this entry

I Told You So, It’s about Cybersecurity Edition

/14 Comments/in , , , /by

When James “Least Untruthful” Clapper released the first version of PRISM success stories and the most impressive one involved thwarting specific cyberattacks, I noted that the NSA spying was about hackers as much as terrorists.

When  “Lying Keith” Alexander answered a question about hacking China from George Stephanopoulos by talking about terror, I warned that these programs were as much about cybersecurity as terror. “Packets in flight!”

When the Guardian noted that minimization procedures allowed the circulation of US person communications collected incidentally off foreign targets if they were “necessary to understand or assess a communications security vulnerability,” I suggested those procedures fit cybersecurity targets better than terror ones.

When Ron Wyden and Mark Udall caught Lying Keith (again) in a lie about minimization, I speculated that the big thing he was hiding was that encrypted communications are kept until they are decrypted.

When I compared minimization procedures with the letter of the law and discovered the NSA had secretly created for itself the ability to keep US person communications that pose a serious threat to property (rather than life or body), I suggested this better targeted cyber criminals than terrorists.

When Joel Brenner suggested Ron Wyden was being dishonorable for asking James Clapper a yes or no question in March 2013, I noted that Wyden’s question actually referred to lies Lying Alexander had told the previous year at DefCon that hid, in part, how hackers’ communications are treated.

When the Guardian happened to publish evidence the NSA considers encryption evidence of terrorism the same day that Keith Alexander spokes to a bunch of encrypters exclusively about terrorism, I suggested he might not want to talk to those people about how these programs are really used.

And when I showed how Lying Keith neglected his boss’ earlier emphasis on cyber in his speech to BlackHat in favor of terror times 27, I observed Lying Keith’s June exhortation that “we’ve got to have this debate with our country,” somehow didn’t extend to debating with hackers.

I told you it would come to this:

U.S. officials say NSA leaks may hamper cyber policy debate

Over two months after Edward Snowden’s first disclosures, the cyberwarriors are now admitting disclosures about how vast is NSA’s existing power — however hidden behind the impetus of terror terror terror — might lead Congress to question further empowering NSA to fight cyberwar.

I told you so. Read more

Share this entry

Maybe the Gimmick Is in the Timing of Legion of Doom?

/12 Comments/in , /by

In my first post on this Yemen scare — which I will henceforth call “Legion of Doom” in honor of the Daily Beast source’s use of the term — I suggested the big part of the plot might have already transpired.

There’s the increased drone activity in Yemen. Who knows! Maybe, like last year, the plot has already been rolled up and we’re just waiting to confirm one of the several recent drone strikes have taken out our target?

I made that suggestion because of evidence that the US rolled up UndieBomb 2.0 on April 20-24 of last year, and only then deployed a bunch of Air Marshals and fear-mongering about Ibrahim al-Asiri for the days leading up to the May 1 anniversary of Osama bin Laden’s killing. They eliminated the threat (which was minimal in any case, since the bomber was a British-Saudi-US mole), then rolled out fear-mongering about it, as if the threat still existed. Fairly clearly, the White House planned a big press conference on their operation once they killed Fahd al-Quso, and thus got furious when the AP managed to scoop their theater.

I increasingly think that may be the case. Whether or not there was ever a real threat, I suspect it may have partly passed before the big rollout of it last Friday (though the targeting of a top AQAP member, the presence of additional JSOC forces, or all the drone strikes may have increased the risk for Americans in Yemen).

Consider: back when Pentagon stenographer Barbara Starr was among the first to discuss the intercepts behind Legion of Doom, she suggested very fresh SIGINT chatter and a warning from President Abdo Rabi Mansour Hadi delivered on July 31 or August 1 had led the US to close a bunch of embassies (though even there, they waited a few days to start closing embassies).

Fresh intelligence led the United States to conclude that operatives of al Qaeda in the Arabian Peninsula were in the final stages of planning an attack against U.S. and Western targets, several U.S. officials told CNN.

The warning led the U.S. State Department to issue a global travel alert Friday, warning al Qaeda may launch attacks in the Middle East, North Africa and beyond in coming weeks. The U.S. government also was preparing to close 22 embassies and consulates in the region Sunday as a precaution.

The chatter among al Qaeda in the Arabian Peninsula operatives had gone on for weeks but increased in the last few days, the officials said.

Taken together with a warning from Yemeni officials, the United States took the extraordinary step of shutting down embassies and issuing travel warnings, said the officials, who spoke on condition of anonymity.

While the specific target is uncertain, U.S. officials are deeply worried about a possible attack against the U.S. Embassy in Yemen occurring through Tuesday, the officials said.

[snip]

Yemeni intelligence agencies alerted authorities of the threat two days ago, when the Yemeni president was in Washington, said the official, who spoke on condition of anonymity. [my emphasis]

And the original and an update to the NYT’s original story on Legion of Doom says the intercept between Zawahiri and Wuhayshi came sometime last week.

The intercepted conversations last week between Ayman al-Zawahri, who succeeded Osama bin Laden as the head of the global terrorist group, and Nasser al-Wuhayshi, the head of the Yemen-based Al Qaeda in the Arabian Peninsula, revealed what American intelligence officials and lawmakers have described as one of the most serious plots against American and Western interests since the attacks on Sept. 11, 2001.

But the latest AP version of the intercept call says it was picked up “several weeks ago.”

A U.S. intelligence official and a Mideast diplomat said al-Zawahri’s message was picked up several weeks ago and appeared to initially target Yemeni interests. The threat was expanded to include American or other Western sites abroad, officials said, indicating the target could be a single embassy, a number of posts or some other site. Lawmakers have said it was a massive plot in the final stages, but they have offered no specifics.

Perhaps the discrepancy comes from confusion about two different Zawahiri-Wuhayshi intercepts. In its conference call report, the Daily Beast reports that authorities picked up a communication, via courier, between Zawahiri and Wuhayshi “last month.”

An earlier communication between Zawahiri and Wuhayshi delivered through a courier was picked up last month, according to three U.S. intelligence officials.

That earlier conversation may simply have been Zawahiri naming Wuhayshi his deputy, but the role of a courier in the interception suggests they may have gotten far more intelligence — perhaps not just intelligence tipping the US off to whatever conference call protocol AQ was using, but also to the location of Wuhayshi and other figures.

Read more

Share this entry

The Ooga Booga* Continues to Wear Off

/8 Comments/in , , /by

Two and a half years ago, I noted how TSA head John Pistole pointed to a plot the FBI created while he was still its Deputy Director to justify the use of VIPR teams to stop people on non-aviation public transportation.

A couple of weeks back, I pointed to John Pistole’s testimony that directly justified the expansion of VIPR checkpoints to mass transport locations by pointing to a recent FBI-entrapment facilitated arrest.

Another recent case highlights the importance of mass transit security. On October 27, the Federal Bureau of Investigation (FBI) arrested a Pakistan-born naturalized U.S. citizen for attempting to assist others whom he believed to be members of al Qaida in planning multiple bombings at Metrorail stations in the Washington, D.C., area. During a sting operation, Farooque Ahmed allegedly conducted surveillance of the Arlington National Cemetery, Courthouse, and Pentagon City Metro stations, indicated that he would travel overseas for jihad, and agreed to donate $10,000 to terrorist causes. A federal grand jury in Alexandria, Virginia, returned a three-count indictment against Ahmed, charging him with attempting to provide material support to a designated terrorist organization, collecting information to assist in planning a terrorist attack on a transit facility, and attempting to provide material support to help carry out multiple bombings to cause mass casualties at D.C.-area Metrorail stations.

While the public was never in danger, Ahmed’s intentions provide a reminder of the terrorist attacks on other mass transit systems: Madrid in March 2004, London in July 2005, and Moscow earlier this year. Our ability to protect mass transit and other surface transportation venues from evolving threats of terrorism requires us to explore ways to improve the partnerships between TSA and state, local, tribal, and territorial law enforcement, and other mass transit stakeholders. These partnerships include measures such as Visible Intermodal Prevention and Response (VIPR) teams we have put in place with the support of the Congress. [my emphasis]

Now to be clear, as with Mohamed Mohamud’s alleged plot, Ahmed’s plot never existed except as it was performed by FBI undercover employees. In fact, at the time the FBI invented this plot, now TSA-head Pistole was the Deputy Director of FBI, so in some ways, Ahmed’s plot is Pistole’s plot. Nevertheless, Pistole had no problem pointing to a plot invented by his then-subordinates at the FBI to justify increased VIPR surveillance on “mass transit and other surface transportation venues.” As if the fake FBI plot represented a real threat.

Today, a NYT piece raises questions about VIPR’s efficacy (without, however, noting how TSA has pointed to FBI-generated plots to justify it).

T.S.A. and local law enforcement officials say the teams are a critical component of the nation’s counterterrorism efforts, but some members of Congress, auditors at the Department of Homeland Security and civil liberties groups are sounding alarms. The teams are also raising hackles among passengers who call them unnecessary and intrusive.

“Our mandate is to provide security and counterterrorism operations for all high-risk transportation targets, not just airports and aviation,” said John S. Pistole, the administrator of the agency. “The VIPR teams are a big part of that.”

Some in Congress, however, say the T.S.A. has not demonstrated that the teams are effective. Auditors at the Department of Homeland Security are asking questions about whether the teams are properly trained and deployed based on actual security threats.

It’d really be nice if NYT had named the “some” in Congress who had raised concerns. Read more

Share this entry

What If the Tor Takedown Relates to the Yemeni Alert?

/32 Comments/in , /by

Eli Lake and Josh Rogin reveal that the intercept between Ayman al-Zawahiri and Nasir al-Wuhayshi was actually a conference call between those two and affiliates all over the region.

The Daily Beast has learned that the discussion between the two al Qaeda leaders happened in a conference call that included the leaders or representatives of the top leadership of al Qaeda and its affiliates calling in from different locations, according to three U.S. officials familiar with the intelligence. All told, said one U.S. intelligence official, more than 20 al Qaeda operatives were on the call.

To be sure, the CIA had been tracking the threat posed by Wuhayshi for months. An earlier communication between Zawahiri and Wuhayshi delivered through a courier was picked up last month, according to three U.S. intelligence officials. But the conference call provided a new sense of urgency for the U.S. government, the sources said.

The fact that al Qaeda would be able to have such conference calls in this day and age is stunning. The fact that US and Yemeni sources would expose that they knew about it is equally mind-boggling.

But one thing would make it make more sense.

On Sunday, Tor users first discovered the FBI had compromised a bunch of onion sites and introduced malware into FireFox browsers accessing the system. Since then, we’ve learned the malware was in place by Friday, the day the US first announced this alert (though the exploit in FireFox has been known since June).

The owner of an Irish company, Freedom Hosting, has allegedly been providing turnkey hosting services for the Darknet, or Deep Web, which is “hidden” and only accessible through Tor .onion and the Firefox browser. The FBI reportedly called Eric Eoin Marques “the largest facilitator of child porn on the planet” and wants to extradite the 28-year-old man. About that time, Freedom Hosting went down; Tor users discovered that someone had used a Firefox zero-day to deliver drive-by-downloads to anyone who accessed a site hosted by Freedom Hosting. Ofir David, of Israeli cybersecurity firm Cyberhat, told Krebs on Security, “Whoever is running this exploit can match any Tor user to his true Internet address, and therefore track down the Tor user.”

If you’ve never visited the Hidden Wiki, then you should be fully aware that if you do, you will see things that can never be unseen. Freedom Hosting maintained servers for “TorMail, long considered the most secure anonymous email operation online,” wrote Daily Dot. “Major hacking and fraud forums such as HackBB; large money laundering operations; and the Hidden Wiki, which, until recently, was the de facto encyclopedia of the Dark Net; and virtually all of the most popular child pornography websites on the planet.”

But if you use Tor Browser Bundle with Firefox 17, you accessed a Freedom Hosting hidden service site since August 2, and you have JavaScript enabled, then experts suggest it’s likely your machine has been compromised. In fact, E Hacking News claimed that almost half of all Tor sites have been compromised by the FBI. [my emphasis]

So what if this takedown was only secondarily about child porn, and primarily about disabling a system al Qaeda has used to carry out fairly brazen centralized communications? Once the malware was in place, the communications between al Qaeda would be useless in any case (and I could see the government doing that to undermine the current planning efforts).

The timing would all line up — and it would explain (though not excuse) why the government is boasting about compromising the communications. And it would explain why Keith Alexander gave this speech at BlackHat.

terrorists … terrorism … terrorist attacks … counterterrorism … counterterrorism … terrorists … counterterrorism … terrorist organizations … terrorist activities … terrorist … terrorist activities … counterterrorism nexus … terrorist actor … terrorist? … terrorism … terrorist … terrorists … imminent terrorist attack … terrorist … terrorist-related actor … another terrorist … terrorist-related activities … terrorist activities … stopping terrorism … future terrorist attacks … terrorist plots … terrorist associations

[snip]

Sitting among you are people who mean us harm

Just one thing doesn’t make sense.

Once NSA/FBI compromised Tor, they’d have a way to identify the location of users. That might explain the uptick in drone strikes in Yemen in the last 12 days. But why would you both alert Tor users and — with this leak — Al Qaeda that you had broken the system and could ID their location? Why not roll up the network first, and then take down the Irish child porn guy who is the likely target?

I’m not sure I understand the Tor exploit well enough to say, but the timing does line up remarkably well.

Update: Some re-evaluation of what really happened with the exploit.

Researchers who claimed they found a link between the Internet addresses used as part of malware that attacked Freedom Hosting’s “hidden service” websites last week and the National Security Agency (NSA) have backed off substantially from their original assertions. After the findings were criticized by others who analyzed Domain Name System (DNS) and American Registry for Internet Numbers (ARIN) data associated with the addresses in question, Baneki Privacy Labs and Cryptocloud admitted that analysis of the ownership of the IP addresses was flawed. However, they believe the data that they used to make the connection between the address and the NSA may have changed between their first observation.

Update: On Twitter, Lake clarifies that this conference call was not telephone-based communications.

Share this entry

US Justice: A Rotting Tree of Poisonous Fruit?

/13 Comments/in , , , /by

Saturday, the NYT reported that other agencies within government struggle to get NSA to share its intelligence with them.

Agencies working to curb drug trafficking, cyberattacks, money laundering, counterfeiting and even copyright infringement complain that their attempts to exploit the security agency’s vast resources have often been turned down because their own investigations are not considered a high enough priority, current and former government officials say.

Of the 1,410 words in the article, 313 words are explicitly attributed to Tim Edgar, who used to work for ACLU but starting in 2006 worked first in the Office of Director of National Intelligence and then in the White House. Another 27 are attributed to “a former senior White House intelligence official,” the same description used to introduce Edgar in the article.

The article ends with Edgar expressing relief that NSA succeeded in withholding material (earlier he made a distinction between sharing raw data and intelligence reports) from agencies executing key foreign policy initiatives in the age of cyberwar and Transnational Criminal Organizations, and in so doing avoid a “nightmare scenario.”

As furious as the public criticism of the security agency’s programs has been in the two months since Mr. Snowden’s disclosures, “it could have been much, much worse, if we had let these other agencies loose and we had real abuses,” Mr. Edgar said. “That was the nightmare scenario we were worried about, and that hasn’t happened.”

Today, San Francisco Chronicle reminds that NSA does hand over evidence of serious criminal activities if it finds it while conducting foreign intelligence surveillance, and prosecutors often hide the source of that original intelligence.

Current and former federal officials say the NSA limits non-terrorism referrals to serious criminal activity inadvertently detected during domestic and foreign surveillance. The NSA referrals apparently have included cases of suspected human trafficking, sexual abuse and overseas bribery by U.S.-based corporations or foreign corporate rivals that violate the Foreign Corrupt Practices Act.

[snip]

“If the intelligence agency uncovers evidence of any crime ranging from sexual abuse to FCPA, they tend to turn that information over to the Department of Justice,” Litt told an audience at the Brookings Institution recently. “But the Department of Justice cannot task the intelligence community to do that.”

[snip]

“The problem you have is that in many, if not most cases, the NSA doesn’t tell DOJ prosecutors where or how they got the information, and won’t respond to any discovery requests,” said Haddon, the defense attorney. “It’s a rare day when you get to find out what the genesis of the ultimate investigation is.”

The former Justice Department official agreed: “A defense lawyer can try to follow the bouncing ball to see where the tip came from — but a prosecutor is not going to acknowledge that it came from intelligence.”

And (as bmaz already noted) Reuters reminds that the DEA has long had its own electronic surveillance capability, and it often hides the source of intelligence as well.

Although these cases rarely involve national security issues, documents reviewed by Reuters show that law enforcement agents have been directed to conceal how such investigations truly begin – not only from defense lawyers but also sometimes from prosecutors and judges.

The undated documents show that federal agents are trained to “recreate” the investigative trail to effectively cover up where the information originated, a practice that some experts say violates a defendant’s Constitutional right to a fair trial. If defendants don’t know how an investigation began, they cannot know to ask to review potential sources of exculpatory evidence – information that could reveal entrapment, mistakes or biased witnesses.

As bmaz also noted, none of this was very secret or new. The FISA sharing is clearly permitted by the minimization procedures. Litigation on it 11 years ago suggested it may be even more abusive than laid out under the law. And bmaz has personally been bitching about the DEA stuff as long as I’ve known him.

These articles suggesting there may be more sharing than the NYT made out on Saturday, then, are primarily reminders that when the fruits of this intelligence get shared, the source of the intelligence often remains hidden from those it is used against.

Which brings me to this WSJ op-ed Edgar published last week. Read more

Share this entry

Shut Down CyberCommand — US CyberCommander Keith Alexander Doesn’t Think It’s Important

/13 Comments/in , , , /by

Back on March 12 — in the same hearing where he lied to Ron Wyden about whether the intelligence community collects data on millions of Americans — James Clapper also implied that “cyber” was the biggest threat to the United States.

So when it comes to the distinct threat areas, our statement this year leads with cyber. And it’s hard to overemphasize its significance. Increasingly, state and non-state actors are gaining and using cyber expertise. They apply cyber techniques and capabilities to achieve strategic objectives by gathering sensitive information from public- and private sector entities, controlling the content and flow of information, and challenging perceived adversaries in cyberspace.

That was the big takeaway from Clapper’s Worldwide Threat Assessment. Not that he had lied to Wyden, but that that cyber had become a bigger threat than terrorism.

How strange, then, that the US CyberCommander (and Director of National Security) Keith Alexander mentioned cyber threats just once when he keynoted BlackHat the other day.

But this information and the way our country has put it together is something that we should also put forward as an example for the rest of the world, because what comes out is we’re collecting everything. That is not true. What we’re doing is for foreign intelligence purposes to go after counterterrorism, counterproliferation, cyberattacks. And it’s focused. [my emphasis]

That was it.

The sole mention of the threat his boss had suggested was the biggest threat to the US less than 5 months earlier. “Counterterrorism, counterproliferation, cyberattacks. and it’s focused.”

The sole mention of the threat that his audience of computer security professionals are uniquely qualified to help with.

Compare that to his 27 mentions of “terror” (one — the one with the question mark — may have been a mistranscription):

terrorists … terrorism … terrorist attacks … counterterrorism … counterterrorism … terrorists … counterterrorism … terrorist organizations … terrorist activities … terrorist … terrorist activities … counterterrorism nexus … terrorist actor … terrorist? … terrorism … terrorist … terrorists … imminent terrorist attack … terrorist … terrorist-related actor … another terrorist … terrorist-related activities … terrorist activities … stopping terrorism … future terrorist attacks … terrorist plots … terrorist associations

That was the speech the US CyberCommander chose to deliver to one of the premiere group of cybersecurity professionals in the world.

Terror terror terror.

Sitting among you are people who mean us harm

… US CyberCommander Alexander also said.

Apparently, Alexander and Clapper’s previous intense focus on stopping hacktavists and cyberattacks and cybertheft and cyber espionage have all been preempted by the necessity of scaring people into accepting the various dragnets that NSA has deployed against Americans.

Which, I guess, shows us the true seriousness of the cyber threat.

To be fair to our CyberCommander, he told a slightly different story back on June 27, when he addressed the Armed Forces Communications and Electronics Association International Cyber Symposium.

Sure, he started by addressing Edwards Snowden’s leaks.

But then he talked about a debate he was prepared to have.

I do think it’s important to put that on the table, because as we go into cyber and look at–for cyber in the future, we’ve got to have this debate with our country. How are we going to protect the nation in cyberspace? And I think this is a debate that is going to have all the key elements of the executive branch–that’s DHS, FBI, DOD, Cyber Command, NSA and other partners–with our allies and with industry. We’ve got to figure how we’re going to work together.

How are we going to protect the nation in cyberspace? he asked a bunch of Military Intelligence Industrial Complex types.

At his cyber speech, Alexander also described his plan to build, train, and field one-third of the force by September 30 — something you might think he would have mentioned at BlackHat.

Not a hint of that.

Our US CyberCommander said — to a bunch of industry types — that we need to have a debate about how to protect the nation in cyberspace.

But then, a month later, with the group who are probably most fit to debate him on precisely those issues, he was all but silent.

Just terror terror terror.

Share this entry

On Same Day Alexander Tells BlackHat, “Their Intent Is to Find the Terrorist That Walks Among Us,” We See NSA Considers Encryption Evidence of Terrorism

/19 Comments/in , , , /by

Screen shot 2013-08-01 at 9.34.18 AM

Thirty minutes into his speech at BlackHat yesterday, Keith Alexander said,

Remember: their intent is not to go after our communications. Their intent is to find the terrorist walks among us.

He said that to a room full of computer security experts, the group of Americans probably most likely to encrypt their communications, even hiding their location data.

At about the same time Alexander made that claim, the Guardian posted the full slide deck from the XKeyscore program it reported yesterday.

How do I find a cell of terrorists that has no connection to known strong-selectors?

Answer: Look for anomalous events

Among other things, the slide considers this an anomalous event indicating a potential cell of terrorists:

  • Someone who is using encryption

Meanwhile, note something else about Alexander’s speech.

13:42 into his speech, Alexander admits the Section 702 collection (this is true of XKeyscore too — but not the Section 215 dragnet, except in its use on Iran) also supports counter-proliferation and cybersecurity.

That is the sole mention in the entire speech of anything besides terrorism. The rest of it focused exclusively on terror terror terror.

Except, of course, yesterday it became clear that the NSA considers encryption evidence of terrorism.

Increasingly, this infrastructure is focused intensively on cybersecurity, not terrorism. That’s logical; after all, that’s where the US is under increasing attack (in part in retaliation for attacks we’ve launched on others). But it’s high time the government stopped screaming terrorism to justify programs that increasing serve a cybersecurity purpose. Especially when addressing a convention full of computer security experts.

But maybe Alexander implicitly admits that. At 47:12, Alexander explains that the government needs to keep all this classified because (as he points into his audience),

Sitting among you are people who mean us harm.

(Note after 52:00 a heckler notes the government might consider BlackHat organizer Trey Ford a terrorist, which Alexander brushes off with a joke.)

It’s at that level, where the government considers legal hacker behavior evidence of terrorism, that all reassurances start to break down.

Update: fixed XKeystroke for XKeyscore–thanks to Myndrage. Also, Marc Ambinder reported on it in his book.

Update: NSA has now posted its transcript of Alexander’s speech. It is 12 pages long; in that he mentioned “terror” 27 times. He mentions “cyber” just once.

Share this entry