Compensating the Dragnet

/7 Comments/in , /by

The first and second primary orders approving the phone dragnet, written by Malcolm Howard, included this paragraph.

(2) NSA shall compensate [redacted] for reasonable expenses in providing such tangible things;

The third primary order, written by Frederick Scullin, had no such paragraph.

There’s a likely explanation for the disappearance of the paragraph. The Section 215 statute does not provide for compensating providers.

I have no idea whether this means the telecom providers aren’t getting compensated (unlikely) or whether they’re getting compensated in some other fashion (my bet).

But Congress’ failure to include any compensation for responding to a Section 215 order is one more indication that they didn’t believe they were signing off on daily production of “substantially all” of providers’ metadata.

That raises another question, however. If Congress did not envision paying providers to comply with a Section 215 order, were they paid? If so, with what funds? Who approved such spending?

Update: The Verizon secondary order from April doesn’t reflect any compensation.

Share this entry

Obama’s Dragnet: Policeman of the Whole World

/7 Comments/in , , /by

And don’t let anybody make you think that God chose America as his divine, messianic force to be a sort of policeman of the whole world. God has a way of standing before the nations with judgment, and it seems that I can hear God saying to America, “You’re too arrogant! And if you don’t change your ways, I will rise up and break the backbone of your power, and I’ll place it in the hands of a nation that doesn’t even know my name. Be still and know that I’m God.”

–Martin Luther King, “It’s A Dark Day In Our Nation

As I noted the other day, in his speech on the dragnet, President Obama acknowledged that our unique technical surveillance capabilities demands more humility, not less.

But America’s capabilities are unique. And the power of new technologies means that there are fewer and fewer technical constraints on what we can do. That places a special obligation on us to ask tough questions about what we should do.

Yet that concern about our unique technical capabilities quickly transformed into exceptionalism — a concern about how distrust stemming from our dragnet hubris would corrode our “leadership” position in the world.

Instead, we have to make some important decisions about how to protect ourselves and sustain our leadership in the world, while upholding the civil liberties and privacy protections that our ideals – and our Constitution – require. We need to do so not only because it is right, but because the challenges posed by threats like terrorism, proliferation, and cyber-attacks are not going away any time soon, and for our intelligence community to be effective over the long haul, we must maintain the trust of the American people, and people around the world.

And that, in turn, became our role in protecting “our friends and allies as well.”

Our capabilities help protect not only our own nation, but our friends and allies as well. Our efforts will only be effective if ordinary citizens in other countries have confidence that the United States respects their privacy too. And the leaders of our close friends and allies deserve to know that if I want to learn what they think about an issue, I will pick up the phone and call them, rather than turning to surveillance. In other words, just as we balance security and privacy at home, our global leadership demands that we balance our security requirements against our need to maintain trust and cooperation among people and leaders around the world.

This includes protecting them not just from terrorism and hackers, but from crime — including the crime of violating US sanctions.

In terms of our bulk collection of signals intelligence, U.S. intelligence agencies will only use such data to meet specific security requirements: counter-intelligence; counter-terrorism; counter-proliferation; cyber-security; force protection for our troops and allies; and combating transnational crime, including sanctions evasion.

Of course, a number of countries (much of Latin America) object to the way we fight crime (drug cartels) in their countries. But our pursuit of our own national security has literally turned us into the world’s policeman. Which Obama repeats again — our leadership role requires us to use our dragnet to fight terrorists and crime.

We will appoint a senior official at the White House to implement the new privacy safeguards that I have announced today. I will devote the resources to centralize and improve the process we use to handle foreign requests for legal assistance, keeping our high standards for privacy while helping foreign partners fight crime and terrorism.

How ironic, how prescient, that King spoke our arrogance breaking the backbone of our power. Not only does it threaten to break the ideological backbone of our hegemony — replacing our liberties with our policing — but it quite literally threatens to balkanize the communication backbone we’ve exploited to become that policeman.

President Obama seems to understand what a crisis this poses to our leadership. He does not, yet, understand that that leadership was not supposed to be policing the world.

Share this entry

Yes, Verizon, We Can Hear You Now

/14 Comments/in , /by

Screen shot 2014-01-20 at 3.20.11 AMApparently, James Clapper does not believe the information in the screenshot to the right to be classified. The name, Verizon, was left unredacted in one of the Primary Orders released last Friday (the one dated January 20, 2011). (h/t Michael)

The paragraph is boilerplate that appears, in some form, in all the Primary Orders for the phone dragnet. I had always thought the word behind the redaction was something like “the telecoms.”

Screen shot 2014-01-20 at 3.24.16 AMIt wasn’t. It appears that this Primary Order, which applies to all providers for the dragnet, applies only to Verizon.

That appears to suggest that, at least in January 2011, Verizon was the only dragnet provider.

(See below for an updated explanation: they just broke out Verizon into it’s own paragraph to limit any collection from their foreign metadata. I assume the earlier paragraph applies to the other providers.)

Now, I’m not sure what this means (I’ve got some theories, but I’m still mulling them), but it may explain why NSA Review Group member Geoffrey Stone has claimed the government get substantially less than 75% of all US traffic, but DOJ keeps telling courts that they get the whole haystack of phone records in the US. Verizon’s traffic, by itself, doesn’t constitute 75% of US traffic. But its circuits would have access to far more than just Verizon traffic. (A whistleblower has described  a wide-open Verizon circuit at Quantico.)

stormbrew-01Remember, contrary to the “Business Records” moniker, the records the NSA collects are not real billing records for much of the telecom traffic; no one has to bill for local calls for land lines, after all. So at least some of what the government obtains must be created for it. But it’s possible that Verizon strips some portion of the nation’s call metadata as it traverses its backbones.

Furthermore, if Verizon provides all this data, it explains why the providers are balking it retaining the dragnet data themselves. Not only would Verizon have to store far more than they currently do (they don’t store as much as AT&T), but it would have to fiddle with the dragnet data of other carriers, including performing the data integrity role that gives direct access to raw data.

In any case, if Verizon is still the sole provider of this dragnet data, it means it may be easier to force the end of its collection.

Update: Okay, I think I have an explanation for this now.

Up until at least March 5, 2009, all the telecoms were addressed in one paragraph starting, “the Custodian of Records.” Starting on May 29, 2009, that’s split out into two paragraphs, with the original Custodian of Records paragraph and the one we know to be specific to Verizon. We don’t have the following order, dated July 8, 2009, but we know that order shut down production from one provider because it was also producing foreign-to-foreign data; that production was restarted on September 3, 2009.

So what appears to have happened is in the End to End review, they realized that Verizon was also turning over foreign data (perhaps from Vodaphone?); this apparently was a big problem, but I’m not sure why. So they appear to have recognized they had to specify that they didn’t want (I’m guessing) Verizon’s foreign call data, at least not this way.

I assume the other paragraph names AT&T and TMobile or something like that after all.

Share this entry

The Tech Back Door in Obama’s New Spying Policy

/29 Comments/in /by

I haven’t had time to do a full post on the Presidential Policy Directive Obama rolled out with his speech the other day (besides pointing out how Obama sets it up to be disappeared when inconvenient). But Bart Gelllman noted something I had also noticed (in addition to noting that Obama embraced Big Data in his speech — his whole story is wroth reading).

In another significant footnote, Obama said the limits he ordered “shall not apply to signals intelligence activities undertaken to test or develop signals intelligence capabilities.” Signals intelligence development, or “sigdev” in NSA parlance, is the discovery of untapped communication flows and the invention of new surveillance methods to exploit them.

For example, NSA Director Keith Alexander revealed last summer that his agency had collected location data from mobile phones in the United States.

Here’s the language in question.

Consistent with this historical practice, this d irective articulates principles to guide why, whether, when, and how the United States conducts signals intelligence activities for authorized foreign intelligence and counterintelligence purposes. 3
3 Unless otherwise specified, this directive shall apply to signals intelligence activities conducted in order to collect communications or information about communications, except that it shall not apply to signals intelligence activities undertaken to test or develop signals intelligence capabilities.

This is something we’re seeing throughout the NSA programs (and we’re not seeing any real auditing or checks on this activity) as I have been noting with respect to the data integrity analysts who have access to the phone dragnet. The NSA uses real data to develop its new toys. And while there are some limits on the finished intelligence products that can be produced from such development, there doesn’t seem to be any protection for the data that gets used.

You’d think, in the wake of a rather powerful demonstration of the power of techs, there’d be some awareness of how dangerous creating such exceptions for the techs. But you’d be wrong.

One more note: Obama explicitly imposes these limits only on communications data, not on things like bank data or pressure cooker purchase data. A reporter actually asked the White House, rather persistently, about all this Section 215 (or NSL) collection, and they basically admitted they’re not going to provide the same protections (judicial review of queries) because no one is talking about it.

Which tells you what they’re really concerned about.

Share this entry

The Phone Metadata Program Metadata

/4 Comments/in , /by

ODNI released a bunch of the remaining phone dragnet primary orders (and amendments) here. I will have more to say about this later. Of particular note, though, they seem to be withholding the BR 09-15 primary order, which was right in the middle of PATRIOT reauthorization, when NSA kept disseminating results in violation of Reggie Walton’s orders.

  1. Howard, Malcolm BR 06-05 (5/24/06)
  2. Howard, Malcolm BR 06-08 (8/18/06)
  3. Scullin, Frederick, BR 06-12 (11/15/06)
  4. Broomfield, Robert, BR 07-04 (2/02/07)
  5. Gorton, Nathaniel, BR 07-10 (5/03/07)
  6. Gorton, Nathaniel, BR 07-14 (7/23/07)
  7. Vinson, Roger, BR 07-16 (10/18/07)
  8. Howard, Malcolm, BR 08-01 (1/?/08)
  9. Kollar-Kotelly, Colleen, BR 08-04 (4/3/08)
  10. Zagel, James, BR 08-07 (6/26/08)
  11. Zagel, James, BR 08-08 (8/19/08) [or 9/19/08]
  12. Walton, Reggie, BR 08-13 (12/12/08)
  13. Walton, Reggie, BR 09-01 (3/5/09)
  14. Walton, Reggie, BR 09-06 (5/29/09)
  15. Walton, Reggie (?) BR 09-09 (7/8/09) [see also]
  16. Walton, Reggie, BR 09-13 (9/3/09)
  17. Walton, Reggie (?) BR 09-15 (10/30/09) [See also]
  18. Walton, Reggie (?) BR 09-19 [see also]
  19. Walton, Reggie, BR 10-10 (2/26/10)
  20. Walton, Reggie, BR 10-17 (5/14/10)
  21. Walton, Reggie, BR 10-49 (8/04/10)
  22. Walton, Reggie, BR 10-70 (10/29/10)
  23. Bates, John, BR, 11-07 (1/20/11)
  24. Feldman, Martin, BR 11-57 (4/13/11)
  25. Bates, John, BR 11-107 (6/22/11)
  26. ~9/20/11?
  27. BR-11-191 [see also]
  28. ~1/29/12?
  29. ~4/29/12?
  30. ~7/28/12?
  31. ~10/26/12?
  32. ~1/25/13?
  33. Vinson, Roger, BR 13-80, (4/25/13)
  34. Eagan, Claire, BR 13-109, (7/18/13)
  35. McLaughlin, Mary, BR 13-158 (10/11/13)
  36. 1/3/14

1/19: Updated to add the 7/9/09 order and BR 09-19.

1/20: There is one more missing primary order. In an NSA declaration dated November 12, SID Director Theresa Shea said there had been 34 approvals. As shown above, the McLaughlin order is the 33rd of identified orders.

1/26: I think I’ve corrected all the date errors I originally hate (the date stamp is not all that accurate). For the 2011-2013 dates, I’ve worked backwards of the 4/25/13 order.

Share this entry

The Misplaced Enthusiasm for Obama’s 2-Hop “Change”

/9 Comments/in , /by

I’m seeing a lot of enthusiasm about President Obama’s promise to limit the NSA to 2 hops on its phone dragnet.

Effective immediately, we will only pursue phone calls that are two steps removed from a number associated with a terrorist organization instead of three.

But it’s not that big of a limit.

As far back as 2011, the NSA had standardized on 2-hops, only permitting a 3rd with special approval. (See page 13.)

While the BR Order permits contact chaining for up to three hops, NSA has decided to limit contact chaining to only two hops away from the RAS-approved identifier without prior approval from your Division management to chain the third hop.

So in effect, Obama has replaced the NSA’s internal directive limiting the hops to 2 with his own directive (which can be pixie dusted with no notice) limiting the hops to 2.

Also, can anyone explain what the word “pursue” means in Obama’s promise?

The concerns about the dragnet arise, in large part, from other things: the audit-free access of the data integrity analysts, the opacity of whether they do what they claim they do (which has as much impact on the extent of the spying as the number of hops), and what they do with it afterwards. Not to mention the sheer hubris of even creating that database of every American’s phone-based relationships.

Don’t get me wrong: given a choice, I’d take 2-hops over 3 (or 4, as could be kluged until 2009).

But it is largely a continuation of the dragnet in its current form, not any end to the dragnet itself.

Share this entry

Obama’s Presidential Policy Directive: Pixie Dust 2.0

/18 Comments/in , /by

Back when John Yoo was finding ways to authorize President Bush’s illegal wiretap program — especially spying on Americans who were not agents of a foreign power — he changed the meaning of certain limits in EO 12333 without rewriting EO 12333. The President didn’t have to change EO 12333 to reflect actual practice, Yoo determined (relying on an Iran-Contra precedent), because ignoring EO 12333 amounted to modifying it.

An executive order cannot limit a President. There is no constitutional requirement for a President to issue a new executive order whenever he wishes to depart from the terms of a previous executive order. Rather than violate an executive order, the President has instead modified or waived it.

I call this pixie-dusting, where the Executive makes his own orders and directives disappear in secret.

Poof!

The use of pixie-dust — so recently used to justify spying on people while pretending not to spy on them — ought to give you pause when you read this passage from President Obama’s Presidential Policy Directive limiting US spying overseas (or, frankly, everything he said today, which all consists of the Executive exercising its prerogative to change and oversee Executive actions, but in no way includes any teeth to sustain such changes).

Nothing in this directive shall be construed to prevent me from exercising my constitutional authority, including as Commander in Chief, Chief Executive, and in the conduct of foreign affairs, as well as my statutory authority. Consistent with this principle, a recipient of this directive may at any time recommend to me, through the APNSA, a change to the policies and procedures contained in this directive.

Effectively Obama is laying out his prerogative to pixie dust this PPD.

And while the President admittedly would always have such prerogative, he didn’t include such a paragraph in his cyberwar PPD (which, of course, wasn’t meant to be public).

This PPD was designed to be ignored.

And I suspect our friends and adversaries know that.

Share this entry

Obama’s Speech, Annotated Version

/30 Comments/in /by

Obama’s speech as written is below, with my comments (no indent) included.

At the dawn of our Republic, a small, secret surveillance committee borne out of the “The Sons of Liberty” was established in Boston. The group’s members included Paul Revere, and at night they would patrol the streets, reporting back any signs that the British were preparing raids against America’s early Patriots.

As I noted, raising Paul Revere is a really problematic analogy, because had the Brits done metadata analysis on Revere the way the government does on people who might also be called dissidents, we would still be eating kidney pie and hailing Queen Elizabeth.

Throughout American history, intelligence has helped secure our country and our freedoms. In the Civil War, Union balloon reconnaissance tracked the size of Confederate armies by counting the number of camp fires. In World War II, code-breaking gave us insight into Japanese war plans, and when Patton marched across Europe, intercepted communications helped save the lives of his troops. After the war, the rise of the Iron Curtain and nuclear weapons only increased the need for sustained intelligence-gathering. And so, in the early days of the Cold War, President Truman created the National Security Agency to give us insight into the Soviet bloc, and provide our leaders with information they needed to confront aggression and avert catastrophe.

Note that Obama presumes a war footing, even while 2 of the 3 primary foreign intelligence objectives he discussed (and others, as I’ll note) have nothing to do with war.

Note that this history lesson does not explain what higher purpose the wars — and therefore the intelligence — served. That’s important, because at the end of his speech he says it served to defend the Constitution, when in fact it was defending what we now call “the Homeland.”

Throughout this evolution, we benefited from both our Constitution and traditions of limited government. U.S. intelligence agencies were anchored in our system of checks and balances – with oversight from elected leaders, and protections for ordinary citizens.

So here the Constitution becomes not what we defend, but a limit we use when fighting wars.

Meanwhile, totalitarian states like East Germany offered a cautionary tale of what could happen when vast, unchecked surveillance turned citizens into informers, and persecuted people for what they said in the privacy of their own homes.

A nod to Angela Merkel. Also, I’d be curious how many Muslims the Obama Administration has not just persecuted, but prosecuted, for what they said in the privacy of their own homes?

In fact even the United States proved not to be immune to the abuse of surveillance. In the 1960s, government spied on civil rights leaders and critics of the Vietnam War. Partly in response to these revelations, additional laws were established in the 1970s to ensure that our intelligence capabilities could not be misused against our citizens. In the long, twilight struggle against Communism, we had been reminded that the very liberties that we sought to preserve could not be sacrificed at the altar of national security.

As I note relentlessly, according to the NSA itself, it had 3 different “present examples” of such abuses in 2009. This is not the distant past. It’s just the as-yet undisclosed immediate past.

If the fall of the Soviet Union left America without a competing superpower, emerging threats from terrorist groups, and the proliferation of weapons of mass destruction placed new – and, in some ways more complicated – demands on our intelligence agencies.

Note that throughout this passage, Obama only mentions 2 of the 3 main targets we use Section 702 for: terrorism and counterproliferation, making not mention of cybersecurity. That allows him to rationalize what he gets very close to admitting is domestic spying using the prior example of terrorism, even while cybersecurity was already an issue in 2011.

Globalization and the Internet made these threats more acute, as technology erased borders and empowered individuals to project great violence, as well as great good. Moreover, these new threats raised new legal and policy questions. For while few doubted the legitimacy of spying on hostile states, our framework of laws was not fully adapted to prevent terrorist attacks by individuals acting on their own, or acting in small, ideologically driven groups rather than on behalf of a foreign power.
The horror of September 11th brought these issues to the fore. Across the political spectrum, Americans recognized that we had to adapt to a world in which a bomb could be built in a basement, and our electric grid could be shut down by operators an ocean away.

See how quickly he inserts cybersecurity into the terrorism framework?

We were shaken by the signs we had missed leading up to the attacks – how the hijackers had made phone calls to known extremists, and travelled to suspicious places.

No mention of the information sharing of data collected that didn’t occur.

So we demanded that our intelligence community improve its capabilities, and that law enforcement change practices to focus more on preventing attacks before they happen than prosecuting terrorists after an attack.

It is hard to overstate the transformation America’s intelligence community had to go through after 9/11. Our agencies suddenly needed to do far more than the traditional mission of monitoring hostile powers and gathering information for policymakers – instead, they were asked to identify and target plotters in some of the most remote parts of the world, and to anticipate the actions of networks that, by their very nature, cannot be easily penetrated with spies or informants.

And it is a testimony to the hard work and dedication of the men and women in our intelligence community that over the past decade, we made enormous strides in fulfilling this mission. Today, new capabilities allow intelligence agencies to track who a terrorist is in contact with, and follow the trail of his travel or funding.

And again, Obama focuses on terrorism, when precisely the same tactics (and then some) are used against cybertargets.

New laws allow information to be collected and shared more quickly between federal agencies, and state and local law enforcement.

Does Obama’s mention of “state and local law enforcement agencies” in conjunction with nods to the PATRIOT Act make you more comfortable about all this data sharing of bulk data?

Read more

Share this entry

First Impressions, Obama’s Speech

/16 Comments/in /by

I will write far more on the President’s speech and new Directive. But here are some early thoughts.

Obama used the example of Paul Revere as an example of the importance of intelligence over the life of “our country.” Of course, Paul Revere is actually a better example that, if the Brits had done metadata analysis akin to what he preserved today, we would still be eating Kidney pies under British rule.

Obama made no mention, at all, of NSA’s weakening encryption and hoarding zero days. None.

With the sole exception of consulting with Congress on how to resolve the Section 215 dragnet (something that will happen during next year’s PATRIOT Act Reauthorization if not before) these changes are all Executive Branch self-limitations. Even the role of a FISC advocate fell by the wayside. In other words, while Obama did call for some useful changes (limiting the gag order on NSLs, adding limits on the way back door searches can be used for criminal investigations), they’re all self-limitations that can’t be enforced or overseen.

At one point, Obama justified our dragnet by saying we have special responsibilities as the only Superpower. Now, China is getting big enough they might object to that whole claim. More importantly, it demonstrates the degree to which a presumption of exceptionalism underlies our entire approach to spying.

See below for speech as written.

Read more

Share this entry

Things Barack Obama Doesn’t Consider “Abuse”

/7 Comments/in , /by

Unauthorized suspected terroristsPresident Obama will shortly give a speech in which he’ll make cosmetic changes to the NSA dragnet, but will continue, in many ways, the accessing of personal data from Americans with no probable cause.

As part of his cosmetic effort, he will also say there has been no evidence of abuse in these programs. That means he does not consider any of the following abuse:

  • The NSA spied on the porn and phone sex habits of ideological opponents, including those with no significant ties to extremists, and including a US person.
  • According to the NSA in 2009, it had a program similar to Project Minaret — the tracking of anti-war opponents in the 1970s — in which it spied on people in the US in the guise of counterterrorism without approval. We still don’t have details of this abuse.
  • When the NSA got FISC approval for the Internet (2004) and phone (2006) dragnets, NSA did not turn off features of Bush’s illegal program that did not comply with the FISC authorization. These abuses continued until 2009 (one of them, the collection of Internet metadata that qualified as content, continued even after 2004 identification of those abuses).
  • Even after the FISC spent 9 months reining in some of this abuse, the NSA continued to ignore limits on disseminating US person data. Similarly, the NSA and FBI never complied with PATRIOT Act requirements to develop minimization procedures for the Section 215 program (in part, probably, because NSA’s role in the phone dragnet would violate any compliant minimization procedures).
  • The NSA has twice — in 2009 and 2011 — admitted to collecting US person content in the United States in bulk after having done so for years. It tried to claim (and still claims publicly in spite of legal rulings to the contrary) this US person content did not count as intentionally-collected US person content (FISC disagreed both times), and has succeeded in continuing some of it by refusing to count it, so it can claim it doesn’t know it is happening.
  • As recently as spring 2012, 9% of the NSA’s violations involved analysts breaking standard operating procedures they know. NSA doesn’t report these as willful violations, however, because they’ve deemed any rule-breaking in pursuit of “the mission” not to be willful violations.
  • In 2008, Congress passed a law allowing bulk collection of foreign-targeted content in the US, Section 702, to end the NSA’s practice of stealing Internet company data from telecom cables. Yet in spite of having a legal way to acquire such data, the NSA (through GCHQ) continues to steal data from some of the same companies, this time overseas, from their own cables. Arguably this is a violation of Section 702 of FISA.
  • NSA may intentionally collect US person content (including Internet metadata that legally qualifies as content) overseas (it won’t count this data, so we don’t know how systematic it is). If it does, it may be a violation of Section 703 of FISA.

Rather than discussing any of these violations, the NSA has waved around a few cases of LOVEINT (most, if not all, of which have not been prosecuted) as part of a successful ploy to distract from much more systemic abuses of its authority, affecting far more Americans.

But there has been abuse, even beyond practices (like back door searches) that gut the Fourth Amendment or (like NSA’s approach to encryption) that hurt Americans’ security.

President Obama will spend a lot of time saying there have been no abuses. He’s wrong.

Share this entry