The No-Technologist Technology Review Panel

/15 Comments/in , /by

In addition to the four people ABC earlier reported would be part of Obama’s Committee to Learn to Trust the Dragnet, Obama added … another law professor, Geoffrey Stone. (Stone is [see update], along with Swire, a worthwhile member. But not a technologist.)

What’s fucking crazy about the committee is it has zero technologists to review a topic that is highly technical. Obama implicitly admits as much! He sells this committee for their “immense experience in national security, intelligence, oversight, privacy and civil liberties.” National security, intelligence, oversight, privacy, civil liberties. No technology.

On August 9, President Obama called for a high-level group of experts to review our intelligence and communications technologies. Today the President met with the members of this group: Richard Clarke, Michael Morell, Geoffrey Stone, Cass Sunstein and Peter Swire.

These individuals bring to the task immense experience in national security, intelligence, oversight, privacy and civil liberties. The Review Group will bring a range of experience and perspectives to bear to advise the President on how, in light of advancements in technology, the United States can employ its technical collection capabilities in a way that optimally protects our national security and advances our foreign policy while respecting our commitment to privacy and civil liberties, recognizing our need to maintain the public trust, and reducing the risk of unauthorized disclosure.

The President thanked the Members of the Group for taking on this important task and looks forward to hearing from them as their work proceeds. Within 60 days of beginning their work, the Review Group will brief their interim findings to the President through the Director of National Intelligence, and the Review Group will provide a final report and recommendations to the President. [my emphasis]

So in spite of the fact that the White House highlights technology in its mandate, that didn’t lead them to find even a single technologist.

Also: Cass Sunstein.

Also: the Committee does, in fact, report its findings through James Clapper, the guy whose programs they will review, they guy who lied to Congress.

At least the White House isn’t promising — as Obama originally did — that it will be an “outside” “independent” committee.

Update: Egads. I take back what I said about Stone, who said this in June.

[W]hat should Edward Snowden have done? Probably, he should have presented his concerns to senior, responsible members of Congress. But the one thing he most certainly should not have done is to decide on the basis of his own ill-informed, arrogant and amateurish judgment that he knows better than everyone else in government how best to serve the national interest. The rule of law matters, and no one gave Edward Snowden the authority to make that decision for the nation. His conduct was more than unacceptable; it was criminal.

Share this entry

FISC Judges Should Threaten NSA with Criminal Prosecution More Often

/6 Comments/in /by

This James Bamford description of NSA efforts to avoid criminal prosecution in a 1975 investigation convinced me to point to evidence that then FISA Chief Judge John Bates — who is normally fairly deferential to the Executive Branch — cowed the government with threats of criminal prosecution.

The story starts in the October 3, 2011 opinion. After having laid out how the government was collecting US person data from the switches, Bates noted that the government wanted to keep on doing so.

The government’s submissions make clear not only that the NSA has been acquiring Internet transactions since before the Court’s approval of the first Section 702 certification in 2008,15 but also that NSA seeks to continue the collection of Internet transactions.

Noting that this collection had been going on longer than the 3 years the government had been using Section 702 of the FISA Amendments Act to justify its collection likely references a time when the NSA — led by Keith Alexander as far back as 2005 — was collecting that US person information with no legal sanction whatsoever as part of Dick Cheney’s illegal program.

Then, in footnote 15, Bates notes that sharing such illegally collected information is a crime.

The government’s revelations regarding the scope of NSA’s upstream collection implicate 50 U.S.C. § 1809(a), which makes it a crime (1) to “engage[] in electronic surveillance under color of law except as authorized” by statute or (2) to “disclose[] or use[] information obtained under color of law by electronic surveillance, knowing or having reason to know that the information was obtained through electronic surveillance not authorized” by statute. See [redacted] (concluding that Section 1809(a)(2) precluded the Court from approving the government’s proposed use of, among other things, certain data acquired by NSA without statutory authority through its “upstream collection”). The Court will address Section 1809(a) and related issues in a separate order. [my emphasis]

Now, I’m particularly interested in the redacted text, because it appears some FISC judge has had to issue this threat in a past (still-redacted) opinion. That threat may have applied to this same upstream collection, but from the time before the government pointed to FAA to justify it (again, Alexander’s tenure would overlap into that illegal period).

Read more

Share this entry

Update on Lavabit

/19 Comments/in /by

I’ve been trying to keep an eye on the public information about the government’s demand on Lavabit. And in a new interview with Ars Technica, Ladar Levison basically gives us a multiple choice guess on what the request was: either altering the source code or turning over the private key securing his HTTPS certificate.

Levison said he has always known Lavabit safeguards could be bypassed if government agents took drastic measures, or as he put it, “if the government was willing to sacrifice the privacy of many to conduct surveillance on the few.” For instance, if he was forced to change the code used when a user logs in, his system could capture the plain-text password needed to decrypt stored e-mails. Similarly, if he was ever forced to turn over the private encryption key securing his site’s HTTPS certificate, government agents tapping a connection could observe the password as a user was entering it. But it was only in the past few weeks that he became convinced those risks were realistic.

“I don’t know if I’m off my rocker, but 10 years ago, I think it would have been unheard of for the government to demand source code or to make a change to your source code or to demand your SSL key,” Levison told Ars. “What I’ve learned recently makes me think that’s not as crazy an assumption as I thought.”

I and others have suggested this (whichever of these options this demand took) is basically CALEA II — FBI’s repeated demands that it have a back door into anything — before its time.

But Congress has not yet authorized CALEA II. So why did the (presumably) FISA Court approve this demand?

Share this entry

As with Manning Leak, Snowden Leak Reveals DOD Doesn’t Protect Security

/16 Comments/in , /by

MSNBC has an update to the continuing saga of “Omigod the NSA has inadequate security.” It explains why the “thin client” system the NSA had (one source calls it 2003 technology) made it so easy for Edward Snowden to take what he wanted.

In a “thin client” system, each remote computer is essentially a glorified monitor, with most of the computing power in the central server. The individual computers tend to be assigned to specific individuals, and access for most users can be limited to specific types of files based on a user profile.

But Snowden was not most users.

[snip]

As a system administrator, Snowden was allowed to look at any file he wanted, and his actions were largely unaudited. “At certain levels, you are the audit,” said an intelligence official.

He was also able to access NSAnet, the agency’s intranet, without leaving any signature, said a person briefed on the postmortem of Snowden’s theft. He was essentially a “ghost user,” said the source, making it difficult to trace when he signed on or what files he accessed.

If he wanted, he would even have been able to pose as any other user with access to NSAnet, said the source.

The story goes on to note that being in Hawaii would have allowed Snowden to access Fort Meade’s computers well after most users were gone.

I’m particularly interested in the assertion that Snowden could pose as any other user with access to NSAnet.

Any other user. Presumably, that includes at least Cybercommander Keith Alexander’s aides.

In a world in which the NSA is increasingly an offensive organization, certain figures within NSA would be engaged in some very interesting communications and compartments, I’d imagine.

Ah well. The US won’t learn. They’ll continue to neglect these holes until someone publicly demonstrates their negligence, all the while leaving them open for whatever paid agents of foreign governments choose to exploit them.

Share this entry

Are the Brits Trying to Protect British Telecom?

/18 Comments/in /by

In addition to her latest stories describing the generalized spying the NSA and GCHQ engage in, Laura Poitras today also tells her side of the David Miranda story. In it, she reveals the hard drives destroyed at the Guardian included details on Tempora.

Included on those drives were documents detailing GCHQ’s massive domestic spying program called “Tempora.”

This program deploys NSA’s XKeyscore “DeepDive” internet buffer technology which slows down the internet to allow GCHQ to spy on global communications, including those of UK citizens. Tempora relies on the “corporate partnership” of UK telecoms, including British Telecommunications and Vodafone. Revealing the secret partnerships between spy agencies and telecoms entrusted with the private communications of citizens is journalism, not terrorism.

It seems she’s trying to suggest that the Brits are trying to protect this program, specifically. Which would protect not just a spying technique (collecting data off the switches), but also the involvement of BT and Vodafone.

Remember, that weird Independent story from last week (which Snowden made clear did not come from him) also included details about BT and Vodaphone’s roles in this spying.

The Government also demanded that the paper not publish details of how UK telecoms firms, including BT and Vodafone, were secretly collaborating with GCHQ to intercept the vast majority of all internet traffic entering the country. The paper had details of the highly controversial and secret programme for over a month. But it only published information on the scheme – which involved paying the companies to tap into fibre-optic cables entering Britain – after the allegations appeared in the German newspaper Süddeutsche Zeitung.

It makes sense. Even in the US, even in the materials released so far, both the Guardian and Washington Post have protected the role that AT&T and Verizon play in this process.

The Independent story also mentioned a secret British spying base in the Middle East that played a role in Tempora.

One of the areas of concern in Whitehall is that details of the Middle East spying base which could identify its location could enter the public domain.

The data-gathering operation is part of a £1bn internet project still being assembled by GCHQ. It is part of the surveillance and monitoring system, code-named “Tempora”, whose wider aim is the global interception of digital communications, such as emails and text messages.

[snip]

The Middle East station was set up under a warrant signed by the then Foreign Secretary David Miliband, authorising GCHQ to monitor and store for analysis data passing through the network of fibre-optic cables that link up the internet around the world.

That part of the story made me remember Reprieve’s claims from earlier this year that British Telecom played a role in drone targeting in Djibouti.

BT’s slogan used to be ‘it’s good to talk’, but when it comes to contracts with the US military ‘it’s best to keep your mouth shut’ might be more appropriate.

Earlier this year Reprieve obtained evidence that BT had been awarded a contract worth over $23 million by the US Defense Information Systems Agency to provide communications infrastructure connecting US-run RAF Croughton in Northamptonshire with the secretive Camp Lemonnier in Djibouti.

Read more

Share this entry

How the NCTC Gets Its NSA Data

/8 Comments/in /by

I’m working on a more substantive post on the Section 702 Semiannual Compliance Assessment released last week as part of the I Con dump.

But for the moment, I want to point to a passage that begins to answer a question I asked two months ago: how does the data from NSA’s programs get to the National Counterterrorism Center, which then crunches that data and sends it out to other parts of government.

A footnote of the Assessment notes,

The other agency involved in implementing Section 702 is the National Counterterrorism Center (NCTC), which has a limited role, as reflected in the recently approved “Minimization Procedures Used by NCTC in connection with Information Acquired by the FBI pursuant to Section 702 of FISA, as amended.” Under these limited minimization procedures, NCTC is not authorized to receive unminimized Section 702 data. Rather, these procedures recognize that, in light of NCTC’s statutory counterterrorism role and mission, NCTC has been provided access to certain FBI systems containing minimized Section 702 information, and prescribe how NCTC is to treat that information. For example, because NCTC is not a law enforcement agency, it may not receive disseminations of Section 702 information that is evidence of a crime, but which has no foreign intelligence value; accordingly, NCTC’s minimization procedures require in situations in which NCTC personnel discover purely law enforcement information with no foreign intelligence value in the course of reviewing minimized foreign intelligence information that the NCTC personnel either purge that information (if the information has been ingested into NCTC systems) or not use, retain, or disseminate the information (if the information has been viewed in FBI systems). No incidents of noncompliance with the NCTC minimization procedures were identified during this reporting period. The joint oversight team will be assessing NCTC’s compliance with its minimization procedures in the next reporting period.

This passage has some good news, and some bad news.

The good news is that NCTC gets no unminimized collection, which CIA and FBI do. We have no idea what FBI’s minimization procedures  (which does the minimization before NCTC gets it) look like — though elsewhere this Assessment makes it clear that most initial distributions of data from FBI come with US person identity hidden. But at least most US person data will be protected when NCTC gets it.

The bad news is that this is a recent development. It probably post-dates 2011, as John Bates makes no mention of NCTC’s minimization procedures in his October 3, 2011. And the reference to the compliance team reviewing this in the next Assessment (which would cover December 2012 through May 2013) suggests the minimization procedures may be very recent. What has happened with this data in the past?

And explain to me how, if NCTC “may not” receive that US person data that has been referred to FBI because it is evidence of a non-terrorist crime, its minimization procedures explain what to do if they happen to discover such data in their possession. Perhaps the problem is in processing that takes place at FBI (in that such information isn’t adequately segregated), not at NCTC?

Remember, much of the analysis that happens at NCTC can affect US person’s lives, but (unlike much of FBI’s work) doesn’t get reviewed by a court. The data that gets to them might well be particularly sensitive.

Share this entry

The Google/Yahoo Problem: Fruit of the Poison MCT?

/14 Comments/in /by

OK, this will be my last post (at least today) to attempt to understand why some Internet providers incurred so many costs associated with the response to the FISA Court’s October 3, 2011 decision that the government had improperly collected US person data as part of Multiple Communication Transactions.

For the moment, I’m going to bracket the question of whether Google and Yahoo are included in upstream providers (though I think it more likely for Google than Yahoo). Footnote 3 in the October 3 opinion seems to distinguish upstream collection from collection from Internet service providers. Though note the entirely redacted sentence in that footnote that may modify that easy distinction.

But let’s consider how the violative data might be used. We know from the conference call the I Cons had the other day (you can listen along here) that this is primarily about getting email inboxes.

An intelligence official who would not be identified publicly described the problem to reporters during a conference call on Wednesday.

“If you have a webmail email account, like Gmail or Hotmail, you know that if you open up your email program, you will get a screenshot of some number of emails that are sitting in your inbox, the official said.

“Those are all transmitted across the internet as one communication. For technological reasons, the NSA was not capable of breaking those down, and still is not capable, of breaking those down into their individual [email] components.”

If one of those emails contained a reference to a foreign person believed to be outside the US – in the subject line, the sender or the recipient, for instance – then the NSA would collect the entire screenshot “that’s popping up on your screen at the time,” the official continued.

Now, whether or not this collection comes from the telecoms or the Internet companies themselves, it effectively serves as an index of Internet communications deemed interesting based on the participants or because the email talks about an approved selector.

But it may be that this upstream collection serves primarily to identify which content the government wants to collect.

In his November 30, 2011 opinion, Bates emphasized (see page 10) the limits on what analysts could do with properly segregated upstream MCTs in the future.

An analyst seeking to use (e.g., in a FISA application, in an intelligence report, or in a Section 702 targeting decision) a discrete communication within an Internet transaction that contains multiple discrete communications must document each of the determinations. [my emphasis]

Then, the September 25, 2012 opinion describes how, using threats that he would declare the previous collection a crime under 1809(a)(2), which prohibits the “disclosure” of any information collected illegally, Judge John Bates got the government purge that previous collection and any reports generated from it.

The government informed the Court in October 2011 that although the amended NSA procedures do not by their terms apply to information acquired before October 31, NSA would apply portions of the procedures to the past upstream collection, including certain limitations on the use or disclosure of such information.

That effort, according to Bates, did not begin until “late in 2011.”

But here’s the thing: the government would have “disclosed” this information to email providers if it had used any of the violative MCTs to target emails in their custody — the Section 702 targeting decisions Bates was explicitly concerned about.

So presumably, once Bates made it clear he considered 1809 violations real problems in November 2011, the government would have had to modify any certifications authorizing collection on email addresses identified through the violative upstream collection (regardless of source).

I don’t yet understand why, in adjusting to a series of modified certifications, the providers would incur millions of dollars of costs. But I think expunging poison fruit targeting orders from the certifications would have taken some time and multiple changed certifications.

Update: Footnote 24 in the October 3, 2011 opinion provides more clarity on whether PRISM collection includes MCTs; it doesn’t.

In addition to its upstream collection, NSA acquires discrete Internet communications from Internet service providers such as [redacted] Aug. 16 Submission at 2; Aug. 30 Submission at 11; see also Sept. 7 2011 Hearing Tr. at 75-77. NSA refers to this non-upstream collection as its “PRISM collection.” Aug. 30 Submission at 11. The Court understands that NSA does not acquire Internet transactions” through its PRISM collection. See Aug Submission at 1.

Share this entry

Upstream Internet Collection and Minimization Procedures

/4 Comments/in /by

new-prism-slide-001-460x345As I noted in this post, the Guardian’s report on the aftermath of the October 3, 2011 FISA Court decision seemed to suggest that Google and Yahoo content was collected as upstream collection, not from their servers.

Changes made in the minimization procedures seem to support that.

In section 3(c), which covers Destruction of Raw Data, the old procedures treat all communications the same:

Communications and other information … will be reviewed for retention in accordance with the standards set forth in these procedures.

But the new minimization procedures have to break out that section into two categories to comply with the new restrictions imposed by the FISA Court. There’s the category of data that will be treated under the old rules:

Telephony communications, Internet communications acquired by or with the assistance of the Federal Bureau of Investigation from Internet Service Providers, and other discrete forms of information…

And then there’s the category that will be subjected to the new rules:

Internet transactions acquired through NSA’s upstream collection techniques …

Now, this doesn’t confirm that Google and Yahoo are providing “upstream” data, but if they’re not, it means the only data they’re providing to the NSA is done through FBI requests (perhaps parallel to FBI’s Section 215 request for telephone metadata that gets promptly delivered to the NSA; this could refer to the old Pen Register/Trap and Trace Internet collection, but October 31, 2011 is awfully late in 2011 for eliminating that collection and if it is, why is it still in the minimization procedures?). Except all the discussions surrounding PRISM suggests that data is turned over directly to the NSA, which would mean it is considered upstream collection.

One more note: the old procedures have a phrase in this section and section 3(b)(1) that suggests NSA knew they were collecting US person data back in 2009 when the procedures were written.

The communications that may be retained include electronic communications acquired because of limitations on NSA’s ability to filter communications.

That sentence is removed from the new procedures, suggesting this “limitations on NSA’s ability to filter communications” collection is precisely the Internet transaction collection at issue. And the only reason they’d have to specifically allow themselves to retain it before (since all foreign person data can be retained) is if they knew it included US person data.

Update: Correction: The sentence above gets translated to, “The Internet transactions that may be retained include those that were acquired because of limitations on NSA’s ability to filter communications.” So it is in there.

But the November 30, 2011 FISC opinion (see footnote 6) makes it clear that this is–and was–US person data.

The Court understands this sentence to refer only to Internet transactions that contain wholly domestic communications but that are not recognized as such by NSA.

So if that language was in minimization procedures going back to at least 2009, doesn’t that mean the government knew it was collecting that US person data?

Update: Note that footnote 24 of the October 3, 2011 opinion seems to make it clear that the Internet collection is not upstream at all, and doesn’t include MCTs.

In addition to its upstream collection, NSA acquires discrete Internet communications from Internet service providers such as [redacted] Aug. 16 Submission at 2; Aug. 30 Submission at 11; see also Sept. 7 2011 Hearing Tr. at 75-77. NSA refers to this non-upstream collection as its “PRISM collection.” Aug. 30 Submission at 11. The Court understands that NSA does not acquire Internet transactions” through its PRISM collection. See Aug Submission at 1.

Share this entry

More Contractor Problems — And FISC Disclosure Problems?

/1 Comment/in /by

In the updated minimization procedures approved in 2011, the NSA added language making clear that the procedures applied to everyone doing analysis for NSA.

For the purposes of these procedures, the terms “National Security Agency” and “NSA personnel” refer to any employees of the National Security Agency/Central Security Service (“NSA/CSS” or “NSA”) and any other personnel engaged in Signals Intelligence (SIGINT) operations authorized pursuant to section 702 of the Act if such operations are executed under the direction, authority, or control of the Director, NSA/Chief, CSS (DIRNSA).

It told the FISA Court it needed this language to make it clear that militarily-deployed NSA personnel also had to abide by them.

The government has added language to Section 1 to make explicit that the procedures apply not only to NSA employees, but also to any other persons engaged in Section 702-related activities that are conducted under the direction, authority or control of the Director of the NSA. NSA Minimization Procedures at 1. According to the government, this new language is intended to clarify that Central Security Service personnel conducting signals intelligence operations authorized by Section 702 are bound by the procedures, even when they are deployed with a military unit and subject to the military chain of command.

But to me both these passages rang alarms about contractors. Did they have to include this language, I wondered, because contractors in the past had claimed not to be bound by the same rules NSA’s direct employees were?

Lo and behold the Bloomberg piece reporting that NSA’s IG undercounts deliberate violations by roughly 299 a year includes this:

The actions, said a second U.S. official briefed on them, were the work of overzealous NSA employees or contractors eager to prevent any encore to the Sept. 11, 2001, terrorist attacks.

It sure seems that at least some of the worst violations — the ones even NSA’s IG will call intentional — were committed by contractors. Which suggests I may be right about the inclusion of that language to make it clear it applies to contractors.

If that’s the case, then why did NSA tell the FISA Court this new language was about militarily-deployed NSA employees, and not about contractors?

 

Share this entry

NSA’s Inspector General Appears to Be Disappearing 299 Deliberate Violations a Year

/17 Comments/in , /by

Bloomberg is getting a lot of attention for reporting the results of a still-classified (and unleaked) NSA Inspector General audit showing that NSA averages one rule violation a year.

Some National Security Agency analysts deliberately ignored restrictions on their authority to spy on Americans multiple times in the past decade, contradicting Obama administration officials’ and lawmakers’ statements that no willful violations occurred.

[snip]

The incidents, chronicled in a new report by the NSA’s inspector general, provide more evidence that U.S. agencies sometimes have violated legal and administrative restrictions on domestic spying, and may add to the pressure to bolster laws that govern intelligence activities.

The inspector general documented an average of one case per year over 10 years of intentionally inappropriate actions by people with access to the NSA’s vast electronic surveillance systems, according to an official familiar with the findings. The incidents were minor, the official said, speaking on the condition of anonymity to discuss classified intelligence. [my emphasis]

Now, perhaps the IG is using the rule laid out by Barton Gellman saying that intentionally inappropriate action that serves “the mission” isn’t an intentionally inappropriate action.

If they are performing the mission that the NSA wants them to perform, and nevertheless overstep their legal authority, make unauthorized interceptions or searches or retentions or sharing of secret information, that is not abuse, that’s a mistake.

But this seems to be another example of NSA’s funny math.

Because the NSA’s own internal count of such violations suggests there would be closer to 300 such violations a year (counting just those deemed a lack of due diligence). The 772 violations for the S2 Directorate in the first quarter of 2011 represented 89% of all NSA’s violations that quarter; if their 68 due diligence violations represented 89% of all due diligence violations (S2’s rate for due diligence violations is lower than the two other categories broken out), you’d expect 76 each quarter, or just over 300 a year.

So whereas the NSA is telling itself that there are 300 examples a year where someone doesn’t follow rules — not because they don’t know them (those are training violations) or because they make a data entry error (those are human error), but something else — it is telling Congress there is just one example a year.

Poof! Magic math.

Update: If Kimberly Dozier got it too, it’s an official leak.

They apparently don’t fire people who use all these spy tools to spy on their exes.

Two U.S. officials said one analyst was disciplined in years past for using NSA resources to track a former spouse. The officials spoke on condition of anonymity because they were not authorized to speak publicly.

Share this entry