Keith Alexander’s Secret Lie: Retention and Distribution of Domestic Encrypted and Hacking Communications?

/19 Comments/in , , /by

As I noted in my last two posts, Keith Alexander has admitted that the classified lie Mark Udall and Ron Wyden accused him of telling “could have more precisely described the requirements of collection under FISA Amendments Act.”

He then goes onto repeat the many claims about Section 702, which are different forms of saying that it may not collect information on someone knowingly in the US.

Which leads me to suspect that the lie Udall and Wyden described is that the program can retain and distribute domestic communications, which are defined as “communications in which the sender and all intended recipients are reasonably believed to be located in the United States at the time of acquisition.”

The minimization procedures actually describe four kinds of domestic communications that can be distributed with written NSA Director determination. Three of those — significant foreign intelligence information, evidence of a crime imminently being committed, and threat of serious harm to life or property — were generally known. But there is a fourth which I think is probably huge collection:

Section 5(3)

The communication is reasonably believed to contain technical data base information, as defined in Section 2(i), or information necessary to understand or assess a communications security vulnerability. Such communication may be provided to the FBI and/or disseminated to other elements of the United States Government. Such communications may be returned for a period sufficient to allow a thorough exploitation and to permit access to data that are, or are reasonably believed likely to become, relevant to a current or future foreign intelligence requirement. Sufficient duration may vary with the nature of the exploitation.

a. In the context of a cryptanalytic effort, maintenance of technical data bases requires retention of all communications that are enciphered or reasonably believed to contain secret meaning, and sufficient duration may consist of any time period during which encrypted material is subject to, or of us in, cryptanalysis.

b. In the case of communications that are not enciphered or otherwise thought to contain secret meaning, sufficient duration is five years unless the Signal Intelligence Director, NSA, determines in writing that retention for a longer period is required to respond to authorized foreign intelligence or counterintelligence requirements,

Technical data base information, according to the definitions, “means information retained for cryptanalytic, traffic analytic, or signal exploitation purposes.”

In other words, hacking.

Encrypted communications and evidence of hacking have secretly been included in a law purportedly about foreign intelligence collection. And they can keep that information as long as it takes, exempting it from normal minimization requirements.

To be clear, the government still has to get the communication believing (according to its 51% rule) that it has one foreign component. But if Keith Alexander says so, NSA can keep it, forever, even after it finds out it is a domestic communication.

Update: Here’s the July 2012 letter to Clapper. Here’s Clapper’s August 2012 response — the good bits of which are all classified.

Share this entry

Aaron Swartz, Plea Leveraging & The Bordenkircher Problem

/64 Comments/in , , , , , /by

CryingJusticeAs Netroots Nation 2013 begins, I want to emphasize one of the best panels (If I do say so) of the event. It is titled: Beyond Aaron’s Law: Reining in Prosecutorial Overreach, and will be hosted by Marcy Wheeler. Joining Marcy will be Aaron Swartz’s attorney, Elliot R. Peters, of Keker & Van Nest LLP in San Francisco, Shayana Kadidal of the Center for Constitutional Rights in New York, and Professor Jonathan Simon of Boalt Hall at Berkeley. The panel goes off at 3:00 pm Saturday June 22.

As a lead in to the panel discussion, I want to address a topic that struck me from the first moment of the tragic loss of Aaron Swartz, the pernicious effect of the late 70’s Supreme Court case of Bordenkircher v. Hayes.

Paul Hayes was a defendant on a rather minor (involved $88.30), but still felonious, bad check charge in Kentucky. But Hayes had a bad prior criminal history with two felony priors. The prosecutor offered Hayes a stipulated five year plea, but flat out threatened Hayes that if he didn’t accept the offer, the prosecution would charge and prosecute under Kentucky’s habitual criminal (three strike) law. Hayes balked, went to trial and was subsequently convicted and sentenced to life in prison under the habitual offender enhancement charge. It was a prosecutorial blackmail threat to coerce a plea, and the prosecutor delivered on his threat.

Hayes appealed to every court imaginable on the theory of “vindictive prosecution” with the prosecutorial blackmail as the underlying premise. Effectively, the argument was if overly harsh charging and punishment is the penalty for a defendant exercising his right to trial, then such constitutes prosecutorial vindictiveness and degrades, if not guts, the defendant’s constitutionally protected right to trial.

Every appellate court along the way declined Hayes’ appeal until the 6th Circuit. The 6th, however, came up with a surprising decision, granting Hayes relief, but under a slightly different theory. The 6th held that if the prosecutor had originally charged Hayes with the habitual offender charge, and then offered to drop it if Hayes pled guilty, that would have been perfectly acceptable; but using it like a bludgeon in plea negotiations once the case was charged was impermissibly vindictive, and therefore unconstitutional.

Then, from the 6th Circuit, the case finally made its way to the Supreme Court of the United States. By that time, Hayes had long been in prison and the prison warden, Bordenkircher, was the nominal appellee in the caption of the case. The Supreme Court, distinguishing another seminal vindictive prosecution case, Blackledge v. Perry, reversed the 6th Circuit and reinstated Hayes’ life sentence.

Blackledge v. Perry is a famous case known in criminal defense circles as the “upping the ante case”. Blackledge was convicted of a misdemeanor and appealed, which in North Carolina at the time meant he would get a new trial in a higher court. The state retaliated by filing the charge as a felony in the higher court, thus “upping the ante”. The Supreme Court in Blackledge held that to Read more

Share this entry

Government Spying: Why You Can’t ‘Just Trust Us’

/33 Comments/in , , , , , , , , /by

imagesOkay you Wheelhouse mopes, Marcy, Jim and I are all in San Jose at Netroots. Not sure the jail in this here town is big enough to hold us all. Marcy already put up two posts earlier today, but posting may be a bit spotty, we shall see. I have an important one that will probably go up tomorrow morning on the Aaron Swartz case.

At any rate, to give some extra fodder here, and because Ms. Wheeler is terminally lame at noticing our own blog when she writes articles elsewhere, I am hereby placing you on notice that she has a great article that went up late yesterday at The Nation titled:

Government Spying: Why You Can’t ‘Just Trust Us’

Go read it, you will be glad you did! Other than that, use this as an open thread for Trash Talk (GO SPURS!), and anything and everything else you want to yammer about.

Share this entry

Minimization in the Age of Cyberwar

/29 Comments/in , /by

I’d like to compare how the NSA talking point document released yesterday compares with a document Glenn Greenwald has or has seen, with respect to minimization under Section 702 (PRISM/FAA) collection. Remember PRISM allows the government to access Internet communications with little review of individual targeting decisions, and any American communications accessed with that foreign target communication is also viewed.

The NSA document says US person communications can only be disseminated (this includes getting shared with FBI) if it is necessary to understand the communication, and evidence of crime, or indicates a threat of death.

The dissemination of any information about U.S. persons is expressly prohibited unless it is necessary to understand foreign intelligence or assess its importance; is evidence of a crime; or indicates a threat of death or serious bodily harm.

The Guardian document (which they did not publish) says US person communications — and note, these are entirely domestic communications — can be disseminated in two slightly different cases and a third unrelated one. The unrelated one permits US person communications to be disseminated if it contains “information necessary to understand or assess a communications security vulnerability.”

One typical example is a document submitted by the NSA in July 2009. In its first paragraph, it purports to set forth “minimization procedures” that “apply to the acquisition, retention, use, and dissemination of non-publicly available information concerning unconsenting United States persons that is acquired by targeting non-United States persons reasonably believed to be located outside the United States in accordance with section 702 of the Foreign Intelligence Surveillance Act of 1978, as amended.”

That document provides that “communications of or concerning United States persons that may be related to the authorized purpose of the acquisition may be forwarded to analytic personnel responsible for producing intelligence information from the collected data.” It also states that “such communications or information” – those from US citizens – “may be retained and disseminated” if it meets the guidelines set forth in the NSA’s procedures.

Those guidelines specifically address what the NSA does with what it calls “domestic communications”, defined as “communications in which the sender and all intended recipients are reasonably believed to be located in the United States at the time of acquisition”. The NSA expressly claims the right to store and even disseminate such domestic communication if: (1) “it is reasonably believed to contain significant foreign intelligence information”; (2) “the communication does not contain foreign intelligence information but is reasonably believed to contain evidence of a crime that has been, is being, or is about to be committed”; or (3) “the communication is reasonably believed to contain technical data base information, as defined in Section 2(i), or information necessary to understand or assess a communications security vulnerability.” [my emphasis]

Now, this is not an apple to apple comparison. Indeed, this could very well be an apples to small rubber child’s ball comparison.

The NSA document purports to describe minimization as it occurs today. The Guardian one dates to July 2009, so may be out of date, for starters.

And by design, the NSA timeline focuses on terrorism examples because TERROR TERROR TERROR is very convincing to people who don’t want to think. Based on the mention of a “communications security vulnerability,” the Guardian one seems to be a 702 order describing minimization for a cybersecurity order.

If that’s true, though, it suggests two things. First, that hacking has been equated to terrorism as a crime adequate to disseminate US person communications with no warrant.

And this is where the difference in the standard on foreign intelligence gets interesting: the NSA document claims that only communications necessary to understand foreign intelligence merits dissemination. The Guardian document only need be “reasonably believed to contain significant foreign intelligence information” (though admittedly, that may be the language used in the first instance).

But again, this minimization order is 4 years old. The other day the WaPo suggested that the NSA has changed how they collect Internet metadata (which may be what that other clause “technical data base information, as defined in Section 2(i)” in the minimization order refers to. It may be they’re conducting their cybersecurity dragnet via other means, perhaps even as a way to maintain this lower standard of minimization.

The government is clearly planning to engage in far more intrusive collection in the name of cyberwar than described in discussions about Section 702 (and at the end of the hearing yesterday, Mike Rogers alluded to keeping the programs in place, with their permissive standards, for other reasons, which I took to mean cybersecurity). And that is bound to treat far more Americans as targets of foreign-type collection.

Share this entry

Terrorist Hobgoblins Bite the Intelligence Community in Its Efficacy Ass

/36 Comments/in , , , /by

I just finished watching the House Intelligence Committee hearing on the NSA programs revealed by Edward Snowden. I’ll have a lot more to say about the content of the revelations in the next few days. But first, a general observation.

Since the initial Snowden revelations, the Intelligence Community and other Administration surrogates have been trying to minimize our understanding of the scope of their surveillance and use traditional fearmongering to justify the programs by focusing on the importance of the Section 702 collection to stopping terrorism. While James Clapper’s office has made it clear that Section 702 goes beyond counterterrorism by revealing that its  successes include counterproliferation and cybersecurity successes, as well as counterterrorism ones, the focus has nevertheless been on TERROR TERROR TERROR.

Today’s hearing was really the culmination of that process, when Keith Alexander boasted up upwards of 50 terrorist plots — about 40 of which were overseas — that Section 702 has prevented.

Of the four plots the government has revealed — David Headley, Najibullah Zazi, as well as these two today

Mr. Joyce described a plot to blow up the New York Stock Exchange by a Kansas City man, whom the agency was able to identify because he was in contact with “an extremist” in Yemen who was under surveillance. Mr. Joyce also talked about a San Diego man who planned to send financial support to a terrorist group in Somalia, and who was identified because the N.S.A. flagged his phone number as suspicious through its database of all domestic phone call logs, which was brought to light by Mr. Snowden’s disclosures.

… the government has either overblown the importance of these programs and their success or are fairly minor plots.

None of the four may be as uniquely worthwhile as the cyberattack described by Clapper’s office a week ago, which it has not, however, fleshed out.

Communications collected under Section 702 have provided significant and unique intelligence regarding potential cyber threats to the United States, including specific potential network computer attacks. This insight has led to successful efforts to mitigate these threats.

That is, the government might–might!–be able to make a far better case for the value of these programs in discussing their role in preventing cyberattacks rather than preventing terrorist plots.

And yet it hasn’t done so, even as it pushes one after another attempt to legislate internet access in the name of protecting Intellectual Property and critical infrastructure.

Given the increasing focus on cybersecurity — and the already dishonest claims people like Mike Rogers have made about the means to accomplish that focus — this is the discussion we need to be having, rather than digging up terror plots first developed in 2004 that never happened. But in the same way the government shied away from conducting an honest discussion with us in 2001 and again in 2006 about these programs, it is refusing to conduct an honest discussion about cybersecurity today.

And, ironically, that refusal is preventing them from describing the value of a program that surely contributes more to countering cyberattacks than terror attacks at this point.

Share this entry

The Truth: The NSA Has Been Working on Domestic Spying for Ten-Plus Years

/15 Comments/in , /by

[graphic: Electronic Frontier Foundation via Flickr]

[graphic: Electronic Frontier Foundation via Flickr]

The yapping of national security conservatives, whether self-identified as Republicans or Democrats, obscures the truth when they denigrate Edward Snowden’s flight to Hong Kong and subsequent attempts at whistleblowing.

The truth is this:

•  Others before Snowden tried to go through so-called chain of command or proper channels to complain about the National Security Agency’s domestic spying, or to refuse the NSA’s efforts to co-opt them or their business. These efforts did not work.

•  They were obstructed, harassed, or punished for their efforts. It did not matter whether they were insiders or outsiders, whistleblowers or plaintiffs, the results were the same for:

•  William Binney,
•  Thomas Drake,
•  Mark Klein,
•  Thomas Tamm,
•  Russell Tice,
•  and J. Kirk Wiebe,
•  as well as Joseph Nacchio.

•  The effort to spy on Americans, violating their privacy and taking their communications content, has been underway since before the Bush administration. (Yes, you read that right: BEFORE the Bush administration.)

•  Three presidents have either failed to stop it or encouraged it (Yes, including Bill Clinton with regard to ECHELON).

•  The program has been growing in physical size for more than a decade.

One document in particular [PDF] described the challenge of the NSA , from which this excerpt is drawn: Read more

Share this entry

Seeing Through the Blizzard to Utah: How Much Space Does Metadata Need

/17 Comments/in , , /by

In the blizzard of half-truths, dissembling, and prevarications about the nature of the National Security Agency’s surveillance programs, it’s easy to lose sight of the obvious. In this case, the obvious is about one million square feet in size.

First, a few other large scale objects for comparison:

[photo: DeveloperTutorials.com]

[photo: DeveloperTutorials.com]

Here’s Google’s data center in The Dalles, Oregon; note the size of cars in proportion to the size of the buildings on this campus. You’ll find cars are the best tool for estimating approximate physical scale of this and the following examples.

[photo: DataCenterKnowledge.com]

[photo: DataCenterKnowledge.com]

This is Apple’s data center in Maiden, North Carolina. Again, compare the automobiles against the building in the photo for scale.

[photo: DataCenterKnowledge.com]

[photo: DataCenterKnowledge.com]

Microsoft has a data center in Dublin, Ireland. It’s a little harder to estimate physical size in this photo. A key difference is the height of the facility, as if development was limited in footprint.  Read more

Share this entry

DOD, in 2015, after Next Big Leak: No More Removable Media

/21 Comments/in /by

In 2008, DOD’s computers in Iraq were infected with malware introduced via a thumb drive.

The order went out: no more removable media.

In 2009-10, Bradley Manning downloaded entire databased onto a Lady Gaga CD.

The order went out: no more removable media.

And now this:

Former National Security Agency contract employee Edward Snowden used a computer thumb drive to smuggle highly classified documents out of an NSA facility in Hawaii, using a portable digital device supposedly barred inside the cyber spying agency, U.S. officials said.

Investigators “know how many documents he downloaded and what server he took them from,” said one official who would not be named while speaking about the ongoing investigation.

Snowden worked as a system administrator, a technical job that gave him wide access to NSA computer networks and presumably a keen understanding of how those networks are monitored for unauthorized downloads.

“Of course, there are always exceptions” to the thumb drive ban, a former NSA official said, particularly for network administrators. “There are people who need to use a thumb drive and they have special permission. But when you use one, people always look at you funny.”

There are always exceptions to the removable media ban, it seems.

Share this entry

NSA PRISM Slides: Notice Anything Unusual or Missing?

/76 Comments/in , , /by

We haven’t seen (and likely will never see) all of the NSA slides former Booz Allen employee Edward Snowden shared with the Guardian-UK and the Washington Post. But the few that we have seen shared by these two news outlets tell us a lot — even content we might expect to see but don’t tells us something.

First, let’s compare what appears to be the title slide of the presentation — the Guardian’s version first, followed by the WaPo’s version. You’d think on the face of it they’d be the same, but they aren’t.

[NSA presentation, title slide via Guardian-UK]

[NSA presentation, title slide, via Guardian-UK]

[NSA presentation, title slide, via Washington Post]

[NSA presentation, title slide, via Washington Post]

Note the name of the preparer or presenter has been redacted on both versions; however, the Guardian retains the title of this person, “PRISM Collection Manager, S35333,” while the WaPo completely redacts both name and title.

This suggests there’s an entire department for this program requiring at least one manager. There are a number of folks who are plugging away at this without uttering a peep.

More importantly, they are working on collection — not exclusively on search.

The boldface reference to “The SIGAD Used Most in NSA Reporting” suggests there are more than the PRISM  in use as SIGINT Activity Designator tools. What’s not clear from this slide is whether PRISM is a subset of US-984XN or whether PRISM is one-for-one the same as US-984XN.

Regardless of whether PRISM is inside or all of US-984XN, the presentation addresses the program “used most” for reporting; can we conclude that reporting means the culled output of mass collection? Read more

Share this entry

Truck-sized Holes: Journalists Challenged by Technology Blindness

/14 Comments/in , /by

[photo: liebeslakritze via Flickr]

[photo: liebeslakritze via Flickr]

Note: The following piece was written just before news broke about Booz Allen Hamilton employee Edward Snowden. With this in mind, let’s look at the reporting we’ve see up to this point; problems with reporting to date may remain even with the new disclosures.

ZDNet bemoaned the failure of journalism in the wake of disclosures this past week regarding the National Security Administration’s surveillance program; they took issue in particular with the Washington Post’s June 7 report. The challenge to journalists at WaPo and other outlets, particularly those who do not have a strong grasp of information technology, can be seen in the reporting around access to social media systems.

Some outlets focused on “direct access.” Others reported on “access,” but were not clear about direct or indirect access.

Yet more reporting focused on awareness of the program and authorization or lack thereof on the part of the largest social media firms cited on the leaked NSA slides.

Journalists are not asking what “access” means in order to clarify what each corporation understands direct and indirect access to mean with regard to their systems.

Does “direct access” mean someone physically camped out on site within reach of the data center?

Does “direct access” mean someone with global administrative rights and capability offsite of the data center? Some might call this remote access, but without clarification, what is the truth?

I don’t know about you but I can drive a Mack truck through the gap between these two questions.

So which “direct access” have the social media firms not permitted? Which “direct access” has been taken without authorization of corporate management? ZDNet focuses carefully on authorization, noting the changes in Washington Post’s story with regard to “knowingly participated,” changed later to read “whose cooperation is essential PRISM operations.”

This begs the same questions with regard to any other form of access which is not direct. Note carefully that a key NSA slide is entitled, “Dates when PRISM Collection Began For Each Provider.” It doesn’t actually say “gained access,” direct or otherwise. Read more

Share this entry