The Internet Dragnet Was a Clusterfuck … and NSA Didn’t Care

Here’s my best description from last year of the mind-boggling fact that NSA conducted 25 spot checks between 2004 and 2009 and then did a several months’ long end-to-end review of the Internet dragnet in 2009 and found it to be in pretty good shape, only then to have someone discover that every single record received under the program had violated rules set in 2004.

Exhibit A is a comprehensive end-to-end report that the NSA conducted in late summer or early fall of 2009, which focused on the work the agency did in metadata collection and analysis to try and identify people emailing terrorist suspects.

The report described a number of violations that the NSA had cleaned up since the beginning of that year — including using automatic alerts that had not been authorized and giving the FBI and CIA direct access to a database of query results. It concluded the internet dragnet was in pretty good shape. “NSA has taken significant steps designed to eliminate the possibility of any future compliance issues,” the last line of the report read, “and to ensure that mechanisms are in place to detect and respond quickly if any were to occur.”

But just weeks later, the Department of Justice informed the FISA Court, which oversees the NSA program, that the NSA had been collecting impermissible categories of data — potentially including content — for all five years of the program’s existence.

The Justice Department said the violation had been discovered by NSA’s general counsel, which since a previous violation in 2004 had been required to do two spot checks of the data quarterly to make sure NSA had complied with FISC orders. But the general counsel had found the problem only after years of not finding it. The Justice Department later told the court that “virtually every” internet dragnet record “contains some metadata that was authorized for collection and some metadata that was not authorized for collection.” In other words, in the more than 25 checks the NSA’s general counsel should have done from 2004 to 2009, it never once found this unauthorized data.

The following year, Judge John Bates, then head of FISC, emphasized that the NSA had missed the unauthorized data in its comprehensive report. He noted “the extraordinary fact that NSA’s end-to-end review overlooked unauthorized acquisitions that were documented in virtually every record of what was acquired.” Bates went on, “[I]t must be added that those responsible for conducting oversight at NSA failed to do so effectively.”

Even after these details became public in 2014 (or perhaps because the intelligence community buried such disclosures in documents with dates obscured), commentators have generally given the NSA the benefit of the doubt in its good faith to operate its dragnet(s) under the rules set by the FISA Court.

But an IG Report from 2007 (PDF 24-56) released in Charlie Savage’s latest FOIA return should disabuse commentators of that opinion.

This is a report from early 2007, almost 3 years after the Stellar Wind Internet dragnet moved under FISA authority and close to 30 months after Judge Colleen Kollar-Kotelly ordered NSA to implement more oversight measures, including those spot checks. We know that rough date because the IG Report post-dates the January 8, 2007 initiation of the FISC-spying compartment and it reflects 10 dragnet order periods of up to 90 days apiece (see page 21). So the investigation in it should date to no later than February 8, 2007, with the final report finished somewhat later. It was completed by Brian McAndrew, who served as Acting Inspector General from the time Joel Brenner left in 2006 until George Ellard started in 2007 (but who also got asked to sign at least one document he couldn’t vouch for in 2002, again as Acting IG).

The IG Report is bizarre. It gives the NSA a passing grade on what it assessed.

The management controls designed by the Agency to govern the collection, dissemination, and data security of electronic communications metadata and U.S. person information obtained under the Order are adequate and in several aspects exceed the terms of the Order.

I believe that by giving a passing grade, the IG made it less likely his results would have to get reported (for example, to the Intelligence Oversight Board, which still wasn’t getting reporting on this program, and probably also to the Intelligence Committees, which didn’t start getting most documentation on this stuff until late 2008) in any but a routine manner, if even that. But the report also admits it did not assess “the effectiveness of management controls[, which] will be addressed in a subsequent report.” (The 2011 report examined here identified previous PRTT reports, including this one, and that subsequent report doesn’t appear in any obvious form.) Then, having given the NSA a passing grade but deferring the most important part of the review, the IG notes “additional controls are needed.”

And how.

As to the issue of the spot checks, mandated by the FISA Court and intended to prevent years of ongoing violations, the IG deems such checks “largely ineffective” because management hadn’t adopted a methodology for those spot checks. They appear to have just swooped in and checked queries already approved by an analyst’s supervisor, in what they called a superaudit.

Worse still, they didn’t write anything down.

As mandated by the Order, OGC periodically conducts random spot checks of the data collected [redaction] and monitors the audit log function. OGC does not, however document the data, scope, or results of the reviews. The purpose of the spot checks is to ensure that filters and other controls in place on the [redaction] are functioning as described by the Order and that only court authorized data is retained. [snip] Currently, an OGC attorney meets with the individuals responsible [redaction] and audit log functions, and reviews samples of the data to determine compliance with the Order. The attorney stated that she would formally document the reviews only if there were violations or other discrepancies of note. To date, OGC has found no violations or discrepancies.

So this IG review was done more than two years after Kollar-Kotelly had ordered these spot checks, during which period 18 spot checks should have been done. Yet at that point, NSA had no documentary evidence a single spot check had been done, just the say-so of the lawyer who claimed to have done them.

Keep in mind, too, that Oversight and Control were, at this point, implementing a new-and-improved spot-check process. That’s what the IG reviewed, the new-and-improved process, because (of course) reviewers couldn’t review the past process because there was no documentation of it. It’s the new-and-improved process that was inadequate to the task.

But that’s not the only problem the IG found in 2007. For example, the logs used in auditing did not accurately document what seed had been used for queries, which means you couldn’t review whether those queries really met the incredibly low bar of Reasonable Articulable Suspicion or that they were pre-approved.  Nor did they document how many hops out analysts chained, which means any given query could have sucked in a great deal of Americans (which might happen by the third or fourth hop) and thrown them into the corporate store for far more intrusive anlaysis. While the IG didn’t point this out directly, the management response made clear log files also didn’t document whether a seed was a US person and therefore entitled to a First Amendment review. In short, NSA didn’t capture any — any!!! — of the data that would have been necessary to assess minimal compliance with FISC orders.

NSA’s lawyers also didn’t have a solid list of everyone who had access to the databases (and therefore who needed to be trained or informed of changes to the FISC order). The Program Management Office had a list that it periodically compared to who was actually accessing the data (though as made clear later in the report, that included just the analysts). And NSA’s Office of General Counsel would also periodically review to ensure those accessing the data had the information they needed to do so legally. But “the attorney conducting the review relie[d] on memory to verify the accuracy and completeness of the list.” DOD in general is wonderfully neurotic about documenting any bit of training a given person has undergone, but with the people who had access to the Internet metadata documenting a great deal of Americans’ communication in the country, NSA chose just to work from memory.

And this non-existent manner of tracking those with database access extended to auditing as well. The IG reported that NSA also didn’t track all queries made, such as those made by “those that have the ability to query the PRTT data but are not on the PMO list or who are not analysts.” While the IG includes people who’ve been given new authorization to query the data in this discussion, it’s also talking about techs who access the data. It notes, for example, “two systems administrators, who have the ability to query PRTT data, were also omitted from the audit report logs.” The thing is, as part of the 2009 “reforms,” NSA got approval to exempt techs from audits. I’ve written a lot about this but will return to it, as there is increasing evidence that the techs have always had the ability — and continue to have the ability — to bypass limits on the program.

There are actually far more problems reported in this short report, including details proving that — as I’ve pointed out before — NSA’s training sucks.

But equally disturbing is the evidence that NSA really didn’t give a fuck about the fact they’d left a database of a significant amount of Americans’ communications metadata exposed to all sorts of control problems. The disinterest in fixing this problem dates back to 2004, when NSA first admitted to Kollar-Kotelly they were violating her orders. They did an IG report at the time (under the guidance of Joel Brenner), but it did “not make formal recommendations to management. Rather, the report summarize[d] key facts and evaluate[d] responsibility for the violation.” That’s unusual by itself: for audits to improve processes, they are supposed to provide recommendations and track whether those are implemented. Moreover, while the IG (who also claimed the clusterfuck in place in 2007 merited a passing grade) assessed that “management has taken steps to prevent recurrence of the violation,” it also noted that NSA never really fixed the monitoring and change control process identified as problems back in 2004. In other words, it found that NSA hadn’t fixed key problems IDed back in 2004.

As to this report? It did make recommendations and management even concurred with some of them, going so far as to agree to document (!!) their spot checks in the future. With others — such as the recommendation that shift supervisors should not be able to make their own RAS determinations — management didn’t concur, they just said they’d monitor those queries more closely in the future. As to the report as a whole, here’s what McAndrew had to say about management’s response to the report showing the PRTT program was a clusterfuck of vulnerabilities: “Because of extenuating circumstances, management was unable to provide complete responses to the draft report.”

So in 2007, NSA’s IG demonstrated that the oversight over a program giving NSA access to the Internet metadata of a good chunk of all Americans was laughably inadequate.

And NSA’s management didn’t even bother to give the report a full response.

Tweet about this on TwitterShare on RedditShare on FacebookGoogle+Email to someone

2011 Internet Dragnet Audit Didn’t Find Significant Violation Reported to IOB

This will be the second of three posts on the NSA IG’s failures to correct problems with the Internet (PRTT) dragnet. In the first, I showed how quickly NSA nuked the PRTT (or at least claimed to) after John Bates ruled, a second time, that NSA could not illegally wiretap the content of Americans’ communications. Here, I’ll examine another IG Report, completed earlier in 2011 and also liberated by Charlie Savage, that appears to show the PRTT dragnet was hunky dory just weeks before it became clear again that it was not.

The report (see PDF 4-23) must date to between March 15 and May 25, 2011. It was related to a series of reports on the phone dragnet (these reports appear to have been solicited by or encouraged by Reggie Walton in the wake of the 2009 dragnet problems) that Savage liberated earlier this year. It lists all those reports on pages A-2 to A-3. But it lists the final, summary report in that series, (ST-10-0004L), as a draft, dated March 15, 2011. The copy provided to Savage is the final, dated May 25, 2011 (see PDF 203).

The reason for doing this, the PRTT report, is curious. The report notes “we began this review in [redacted, would be some time in summer 2009] but suspended it when NSA allowed the PR/TT Order to expire.” That is, this was the report that got started, but then halted, when someone discovered that every single record the NSA had collected under the program included categories of information violating the rules set by FISC in 2004.

But then NSA started a review of the phone dragnet covering all the activity in 2010 (reflected in monthly reports in Savage’s earlier release). So the NSA decided to do a review of PRTT at the same time. But remember: the Internet dragnet was shut down until at least July 2010, when John Bates authorized its resumption, and it took some time to turn the dragnet back on. That means NSA conducted a review of a dragnet that was largely on hiatus or just resuming. During the review period, both the phone and Internet dragnet reflect few finalized reports based on either dragnet. Indeed, it appears likely that there were no phone dragnet disseminations in August 2010 (see 155). There are probably two explanations for that. It suggests that after Reggie Walton told NSA they had to start following the rules, the amount of intelligence they got from the dragnet appears to have gone down from both the phone and Internet dragnet. But there may be a reason for that: we know that in 2011 NSA was training analysts to re-run queries that came up in both FISA and EO 12333 searches using EO 12333, so the results could be disseminated more broadly. So it’s likely that a lot of what had been reports reporting FISA authorized data before 2009 (which didn’t always follow FISC’s rules) started getting disseminated as EO 12333 authorized reports afterward. Still, in the case of the Internet dragnet reviewed for this report, “the dissemination did not contain PR/TT-derived USP information” so they “did not formally test dissemination objectives” (see footnote 1). None of the reports on the US Internet dragnet reviewed in some period in 2010 included US person data.

So much for collecting all of Americans’ email records to catch Americans, I guess.

All that said, both the Internet and phone dragnet found that the dragnets had adequate controls to fulfill the requirements of the FISC orders, but did say (this is laid out in unredacted form more explicitly in the phone dragnet report) that the manual monitoring of dissemination would become unworkable if analysts started using the dragnet more. The phone dragnet reports also suggest they weren’t good at monitoring less formal disseminations (via email or conversation), and by the time of these summary reports, NSA was preparing ask FISC to change the rules on reporting of non-US person dissemination. Overall in spring 2011, NSA’s IG found, the process worked according to the rules, but in part only because it was so little used.

That’s the assessment of the PRTT dragnet as of sometime between March and May 2011, less than 9 months before they’d nuke the dragnet really quickly, based mostly off a review of what NSA was doing during a period when the dragnet was largely inactive.

Which is all very interesting, because sometime before June 30, 2011 there was a PRTT violation that got reported — in a far more extensive description than the actual shut down of the dragnet in 2009 — to Intelligence Oversight Board. (see PDF 10)

Screen shot 2015-11-21 at 12.55.36 PM

There’s no mention of reporting to Congress on this, which is interesting because PATRIOT Act was being reauthorized again during precisely this period, based off notice, dated February 2, 2011, that the compliance problems were largely solved.

So here’s what happened: After having had its IG investigation shut down in fall 2009 because NSA had never been in compliance with limits on the PRTT dragnet, NSA’s IG tried again during a period when the NSA wasn’t using it all that much. It gave NSA a clean bill of health no earlier than March 15, 2011. But by June 30, 2011, something significant enough to get reported in two full paragraphs to IOB happened.

It turns out things weren’t quote so hunky dory after all.

Tweet about this on TwitterShare on RedditShare on FacebookGoogle+Email to someone

Big Game Trash Talk

The world is now one week post Paris attacks. War drums are being pounded, and the worst tendencies of American chicken hawks is in its full pageant grandeur. For being such an “exceptional” people, we sure have our head up our ass an awful lot. No, ISIS is not here to steal your baby or turn the south into a caliphate. Just stop and take a breath politicians. Even the “Reasonable Republican™”, John Kasich, wants to return the US Government to the Judeo-Christian crusades mentality. Get a grip.

Last weekend, it almost felt bad to focus on sporting games; this weekend it seems necessary to take the mind off the stupidity at hand. Locally, that comes in a rare afternoon game at Sun Devil Stadium between Arizona State and Arizona for the treasured Territorial Cup. Both teams are huge disappointments this year, especially the Sun Devils. Preseason, several experts thought ASU had a real shot at the College Football Playoff. That is down the tubes, as the Devils are at 5-5 and have fallen off the face of the map by poor play and atrocious coaching. But, hey, the winner today will be eligible for the Dung Fertilizer Bowl or whatever. Yay.

Iowa should roll to 11-0 easily over Purdue. But I think Michigan may have a tougher time against Penn State in Happy Valley; possible upset there. Ohio State is a 14.5 point favorite in the Big House against the visiting Spartans. Man, that is a lot of points, not sure about that. Northwestern at Wisconsin should be a nail biter even though the Badgers are highly favored, but go Fighting Journalists! The usual garbage ball will be on display in the Big-12 between TCU/Oklahoma and Baylor/Oklahoma State. Hard to be too in love with any of these teams, but both Oklahoma schools look to be the more solid.

For the second week in a row, the Cardinals are on NBC’s Sunday Night Football. Despite a couple of hiccups, the Cards took care of business, and the Squawks, last week in Seattle. This time they are home in the Big Toaster facing the Bengals. The Bengals are really good, although not invincible, as the Texans proved. Should be a great game, but too close to call. This is a little shocking, but I am pretty interested to see how Kirk Cousins and the Skins do in Carolina. Washington really seems to be jelling a little bit, but this is a stiff test. The other really big time matchup is the wounded Packers at the resurgent, and now NFC Norske leading Vikings. The Pack cannot lose four in a row can they?? The Eagles need to hold serve at home against an improving Tampa Bay squad, if they want any real shot at the playoffs. But they are down to Mark Sanchize at QB, is that enough?

It is a little early to talk NBA, but hollee shit, the Golden State Warriors are fun to watch and are kicking ass. Some war music for your Sabbath.

Tweet about this on TwitterShare on RedditShare on FacebookGoogle+Email to someone

The NSA (Said It) Ate Its Illegal Domestic Content Homework before Having to Turn It in to John Bates

The question of whether NSA can keep its Section 215 dragnet data past November 28 has been fully briefed for at least 10 days, but Judge Michael Mosman has not yet decided whether the NSA can keep it — at least not publicly. But given what the NSA IG Report on NSA’s destruction of the Internet dragnet says (liberated by Charlie Savage and available starting on PDF 60), we should assume the NSA may be hanging onto that data anyway.

This IG Report documents NSA’s very hasty decision to shut down the Internet dragnet and destroy all the data associated with it at the end of 2011, in the wake of John Bates’ October 3, 2011 opinion finding, for the second time, that if NSA knew it had collected US person content, it would be guilty of illegal wiretapping. And even with the redactions, it’s clear the IG isn’t entirely certain NSA really destroyed all those records.

The report adds yet more evidence to support the theory that the NSA shut down the PRTT program because it recognized it amounted to illegal wiretapping. The evidence to support that claim is laid out in the timeline and working notes below.

The report tells how, in early 2011, NSA started assessing whether the Internet dragnet was worth keeping under the form John Bates had approved in July 2010, which was more comprehensive and permissive than what got shut down around October 30, 2009. NSA would have had SPCMA running in big analytical departments by then, plus FAA, so they would have been obtaining these benefits over the PRTT dragnet already. Then, on a date that remains redacted, the Signals Intelligence Division asked to end the dragnet and destroy all the data. That date has to post-date September 10, 2011 (that’s roughly when the last dragnet order was approved), because SID was advising to not renew the order, meaning it happened entirely during the last authorization period. Given the redaction length it’s likely to be October (it appears too short to be September), but could be anytime before November 10. [Update: As late as October 17, SID was still working on a training program that covered PRTT, in addition to BRFISA, so it presumably post-dates that date.] That means that decision happened at virtually the same time or after, but not long after, John Bates raised the problem of wiretapping violations under FISA Section 1809(a)(2) again on October 3, 2011, just 15 months after having warned NSA about Section 1809(a)(2) violations with the PRTT dragnet.

The report explains why SID wanted to end the dragnet, though three of four explanations are redacted. If we assume bullets would be prioritized, the reason we’ve been given — that NSA could do what it needed to do with SPCMA and FAA — is only the third most important reason. The IG puts what seems like a non sequitur in the middle of that paragraph. “In addition, notwithstanding restrictions stemming from the FISC’s recent concerns regarding upstream collection, FAA §702 has emerged as another critical source for collection of Internet communications of foreign terrorists” (which seems to further support that the decision post-dated that ruling). Indeed, this is not only a non sequitur, it’s crazy. Everyone already knew FAA was useful. Which suggests it may not be a non sequitur at all, but instead something that follows off of the redacted discussions.

Given the length of the redacted date (it is one character longer than “9 December 2011”), we can say with some confidence that Keith Alexander approved the end and destruction of the dragnet between November 10 and 30 — during the same period the government was considering appealing Bates’ ruling, close to the day — November 22 — NSA submitted a motion arguing that Section 1809(a)(2)’s wiretapping rules don’t apply to it, and the day, a week later, it told John Bates it could not segregate the pre-October 31 dragnet data from post October 31 dragnet data.

Think how busy a time this already was for the legal and tech people, given the scramble to keep upstream 702 approved! And yet, at precisely the same time, they decided they should nuke the dragnet, and nuke it immediately, before the existing dragnet order expired, creating another headache for the legal and tech people. My apologies to the people who missed Thanksgiving dinner in 2011 dealing with both these headaches at once.

Not only did NSA nuke the dragnet, but they did it quickly. As I said, it appears Alexander approved nuking it November 10 or later. By December 9, it was gone.

At least, it was gone as far as the IG can tell. As far as the 5 parts of the dragnet (which appear to be the analyst facing side) that the technical repository people handled, that process started on December 2, with the IG reviewing the “before” state, and ended mostly on December 7, with final confirmation happening on December 9, the day NSA would otherwise have had to have new approval of the dragnet. As to the the intake side, those folks started destroying the dragnet before the IG could come by and check their before status:

However, S3 had completed its purge before we had the opportunity to observe. As a result we were able to review the [data acquisition database] purge procedures only for reasonableness; we were not able to do the before and after comparisons that we did for the TD systems and databases disclosed to us.

Poof! All gone, before the IG can even come over and take a look at what they actually had.

Importantly, the IG stresses that his team doesn’t have a way of proving the dragnet isn’t hidden somewhere in NSA’s servers.

It is important to note that we lack the necessary system accesses and technical resources to search NSA’s networks to independently verify that only the disclosed repositories stored PR/TT metadata.

That’s probably why the IG repeatedly says he is confirming purging of the data from all the “disclosed” databases (@nailbomb3 observed this point last night). Perhaps he’s just being lawyerly by including that caveat. Perhaps he remembers how he discovered in 2009 that every single record the NSA had received over the five year life of the dragnet had violated Colleen Kollar-Kotelly’s orders, even in spite of 25 spot checks. Perhaps the redacted explanations for eliminating the dragnet explain the urgency, and therefore raise some concerns. Perhaps he just rightly believes that when people don’t let you check their work — as NSA did not by refusing him access to NSA’s systems generally — there’s more likelihood of hanky panky.

But when NSA tells — say — the EFF, which was already several years into a lawsuit against the NSA for illegal collection of US person content from telecom switches, and which already had a 4- year old protection order covering the data relevant to that suit, that this data got purged in 2011?

Even NSA’s IG says he thinks it did but he can’t be sure.

But what we can be sure of is, after John Bates gave NSA a second warning that he would hold them responsible for wiretapping if they kept illegally collecting US person content, the entire Internet dragnet got nuked within 70 days — gone!!! — all before anyone would have to check in with John Bates again in connection with the December 9 reauthorization and tell him what was going on with the Internet dragnet.

Update: Added clarification language.

Update: The Q2 2011 IOB report (reporting on the period through June 30, 2011) shows a 2-paragraph long, entirely redacted violation (PDF 10), which represents a probably more substantive discussion than the systematic overcollection that shut down the system in 2009.

Continue reading

Tweet about this on TwitterShare on RedditShare on FacebookGoogle+Email to someone

10 Goodies USA Freedom Act Gives the Intelligence Community

Since the Paris attack has turned much of our country into a shriveling pack of cowards, Republicans have ratcheted up claims that USA Freedom Act will make us less safe. Those claims tend to be so ignorant they claim the law — passed in June but not fully implemented until a week from Sunday — prevented the Intelligence Community from preventing the Paris attack. That would not be possible for two reasons. First, because the key provision hasn’t started yet (though some of the benefits for the IC have). And, because according to reports the network that carried out the Paris attack had no ties to the US, and therefore the dragnet couldn’t have shown anything useful.

All that said, I thought both the fear-mongering and the imminent changeover made it a good time to update (and in a few places, correct) this post, which laid out 10 things the IC gets out of USAF.

1. Inclusion of cell and (probably) some Internet “calls” in chaining system

Since early 2014, intelligence sources have been leaking that the phone dragnet misses 70% of US calls. That number is probably an exaggeration (and doesn’t account for what the NSA collects under significantly redundant collection under EO 12333). But there are probably several reasons for why the old dragnet had incomplete coverage. First, providers that only keep cell records with location data attached could not be obligated to turn over those records under the existing program (when AT&T started turning over cell records in 2011, it stripped location data for the NSA voluntarily, but no providers were obligated to do so). In a declaration submitted in Larry Klayman’s challenge to the phone dragnet, NSA makes it clear the ability to demand production in the form NSA wants is one big difference in the program (as is having facilities onsite, which probably mirrors the PRISM program).

Screen shot 2015-11-20 at 11.33.10 AM

In addition, USA Freedom is technology neutral; unlike phone dragnet orders, it does not limit collection to telephony calls, though it does limit collection to “phone companies,” which I presume includes handset makers Apple, Microsoft, and Google. This probably means the government will fill the gap in calls that has been growing of late, probably including VOIP and iMessage.

2. Addition of emergency provision for all Section 215 applications

Before USAF passed, there was a FISC-authorized emergency provision for the phone dragnet, but not the rest of Section 215 production. That was a problem, because the most common use of Section 215 is for more targeted (though it is unclear how targeted it really is) Internet production, and the application process for Section 215 can be slow. USAF made emergency application procedures available for all kinds of Section 215 applications.

3. Creation of parallel construction loophole under emergency provision

Not only does USAF extend emergency provision authority to all Section 215 applications, but it changes the status quo FISC created in a way that invites abuse. That’s because, even if the FISC finds an agency collected records improperly under the emergency provision, the government doesn’t have to destroy those records. It prohibits the use of “derivative” evidence in any proceeding, but there is abundant reason to believe the government still finds a way to parallel construct evidence even in other laws with such limitation on “derivative” evidence and so we should expect the same to happen here. The risk that the government will do this is not illusory; in the 18 months or so since FISC created this emergency provision, they’ve already had reason to explicitly remind the government that even under emergency collection, the government still can’t collect on Americans solely for First Amendment protected activities.

4. Chaining on “connections” rather than “calls,” which might be used to access unavailable smart phone data

Rather than chaining on calls made, USAF chains on “connections,” with Call Detail Record defined based on “session identifier.” This is probably intended to permit the government to obtain the call records of “correlated” identities, including things like all the records from a “Friends and Family” account. And while the House Report specifically prohibited some potentially troubling uses (like having providers chain on location information), in the era of smart phones and super cookies, the language of the bill leaves open the possibility of vastly expanded “connections.”

5. Elimination of pushback from providers

USAF gives providers two things they don’t get under existing Section 215: immunity and compensation. This will make it far less likely that providers will push back against even unreasonable requests. Given the parallel construction loophole in the emergency provisions and the potentially expansive uses of connection chaining, this is particularly worrisome.

6. Expansion of data sharing

Currently, chaining data obtained under the phone dragnet is fairly closely held. Only specially trained analysts at NSA may access the data returned from phone dragnet queries, and analysts must get a named manager to certify that the data is for a counterterrorism purpose to share outside that group of trained analysts. Under this new law, all the returned data will be shared — in full, apparently — with the NSA, CIA, and FBI. And the FBI is exempted from reporting on how many back door searches it does of this data.

Thus, this data, which would ostensibly be collected for a counterterrorism purpose, will apparently be available to FBI every time it does an assessment or opens up certain kinds of intelligence, even for non-counterterrorism purposes. Furthermore, because FBI’s data sharing rules are much more permissive than NSA’s, this data will be able to be shared more widely outside the federal government, including to localities. Thus, not only will it draw from far more data, but it will also share the data it obtains far more broadly.

7. Mooting of court challenges

As we’ve seen in both ACLU v. Clapper and Klayman v. Obama, USAF mooted court challenges to the dragnet, including ones that looked likely to rule the expansive “relevant to” based collections unconstitutional. In addition, the law may moot EFF’s First Unitarian Church v. NSA challenge to the dragnet, which of all the challenges is most likely to get at some of the underlying constitutional problems with the dragnet.

8. Addition of 72-hour spying provisions

In addition to the additional things the IC got related to its Section 215 spying, there are three unrelated things the House added. First, the law authorized the “emergency roamer” authority the IC has been asking for since 2013. It permits the government to continue spying on a legitimate non-US target if he enters the US for a 72-hour period, with Attorney General authorization. While in practice, the IC often misses these roamers until after this window, this will save the IC a lot of paperwork and bring down their violation numbers.

9. Expansion of proliferation-related spying

USAF also expanded the definition of “foreign power” under FISA to include not just those proliferating in weapons of mass destruction, but also those who “knowingly aid or abet” or “conspire” with those doing so. This will make it easier for the government to spy on more Iran-related targets (and similar such targets) in the US.

10. Lengthening of Material Support punishments

In perhaps the most gratuitous change, USAF lengthened the potential sentence for someone convicted of material support for terrorism — which, remember, may be no more than speech! — from 15 years to 20. I’m aware of no real need to do this (except, perhaps, to more easily coerce people to inform for the government). But it is clearly something someone in the IC wanted.

Let me be clear: some of these provisions (like permission to chain on Internet calls) will likely make the chaining function more useful and therefore more likely to prevent attacks, even if it will also expose more innocent people to expanded spying. Some of these provisions (like the roamer provision) are fairly reasonably written. Some (like the changes from status quo in the emergency provision) are hard to understand as anything but clear intent to break the law, particularly given IC intransigence about fixing obvious problems with the provision as written. I’m not claiming that all of these provisions are bad for civil liberties (though a number are very bad). But all of them are (or were, for those that have already gone into force) clear expansions on the authorities and capabilities the IC used to have.

Tweet about this on TwitterShare on RedditShare on FacebookGoogle+Email to someone

The Reasons to Shut Down the (Domestic) Internet Dragnet: Purpose and Dissemination Limits, Correlations, and Functionality

Charlie Savage has a story that confirms (he linked some of my earlier reporting) something I’ve long argued: NSA was willing to shut down the Internet dragnet in 2011 because it could do what it wanted using other authorities. In it, Savage points to an NSA IG Report on its purge of the PRTT data that he obtained via FOIA. The document includes four reasons the government shut the program down, just one of which was declassified (I’ll explain what is probably one of the still-classified reasons probably in a later post). It states that SPCMA and Section 702 can fulfill the requirements that the Internet dragnet was designed to meet. The government had made (and I had noted) a similar statement in a different FOIA for PRTT materials in 2014, though this passage makes it even more clear that SPCMA — DOD’s self-authorization to conduct analysis including US persons on data collected overseas — is what made the switch possible.

It’s actually clear there are several reasons why the current plan is better for the government than the previous dragnet, in ways that are instructive for the phone dragnet, both retrospectively for the USA F-ReDux debate and prospectively as hawks like Tom Cotton and Jeb Bush and Richard Burr try to resuscitate an expanded phone dragnet. Those are:

  • Purpose and dissemination limits
  • Correlations
  • Functionality

Purpose and dissemination limits

Both the domestic Internet and phone dragnet limited their use to counterterrorism. While I believe the Internet dragnet limits were not as stringent as the phone ones (at least in pre 2009 shutdown incarnation), they both required that the information only be disseminated for a counterterrorism purpose. The phone dragnet, at least, required someone sign off that’s why information from the dragnet was being disseminated.

Admittedly, when the FISC approved the use of the phone dragnet to target Iran, it was effectively authorizing its use for a counterproliferation purpose. But the government’s stated admissions — which are almost certainly not true — in the Shantia Hassanshahi case suggest the government would still pretend it was not using the phone dragnet for counterproliferation purposes. The government now claims it busted Iranian-American Hassanshahi for proliferating with Iran using a DEA database rather than the NSA one that technically would have permitted the search but not the dissemination, and yesterday Judge Rudolph Contreras ruled that was all kosher.

But as I noted in this SPCMA piece, the only requirement for accessing EO 12333 data to track Americans is a foreign intelligence purpose.

Additionally, in what would have been true from the start but was made clear in the roll-out, NSA could use this contact chaining for any foreign intelligence purpose. Unlike the PATRIOT-authorized dragnets, it wasn’t limited to al Qaeda and Iranian targets. NSA required only a valid foreign intelligence justification for using this data for analysis.

The primary new responsibility is the requirement:

  • to enter a foreign intelligence (FI) justification for making a query or starting a chain,[emphasis original]

Now, I don’t know whether or not NSA rolled out this program because of problems with the phone and Internet dragnets. But one source of the phone dragnet problems, at least, is that NSA integrated the PATRIOT-collected data with the EO 12333 collected data and applied the protections for the latter authorities to both (particularly with regards to dissemination). NSA basically just dumped the PATRIOT-authorized data in with EO 12333 data and treated it as such. Rolling out SPCMA would allow NSA to use US person data in a dragnet that met the less-restrictive minimization procedures.

That means the government can do chaining under SPCMA for terrorism, counterproliferation, Chinese spying, cyber, or counter-narcotic purposes, among others. I would bet quite a lot of money that when the government “shut down” the DEA dragnet in 2013, they made access rules to SPCMA chaining still more liberal, which is great for the DEA because SPCMA did far more than the DEA dragnet anyway.

So one thing that happened with the Internet dragnet is that it had initial limits on purpose and who could access it. Along the way, NSA cheated those open, by arguing that people in different function areas (like drug trafficking and hacking) might need to help out on counterterrorism. By the end, though, NSA surely realized it loved this dragnet approach and wanted to apply it to all NSA’s functional areas. A key part of the FISC’s decision that such dragnets were appropriate is the special need posed by counterterrorism; while I think they might well buy off on drug trafficking and counterproliferation and hacking and Chinese spying as other special needs, they had not done so before.

The other thing that happened is that, starting in 2008, the government started putting FBI in a more central role in this process, meaning FBI’s promiscuous sharing rules would apply to anything FBI touched first. That came with two benefits. First, the FBI can do back door searches on 702 data (NSA’s ability to do so is much more limited), and it does so even at the assessment level. This basically puts data collected under the guise of foreign intelligence at the fingertips of FBI Agents even when they’re just searching for informants or doing other pre-investigative things.

In addition, the minimization procedures permit the FBI (and CIA) to copy entire metadata databases.

FBI can “transfer some or all such metadata to other FBI electronic and data storage systems,” which seems to broaden access to it still further.

Users authorized to access FBI electronic and data storage systems that contain “metadata” may query such systems to find, extract, and analyze “metadata” pertaining to communications. The FBI may also use such metadata to analyze communications and may upload or transfer some or all such metadata to other FBI electronic and data storage systems for authorized foreign intelligence or law enforcement purposes.

In this same passage, the definition of metadata is curious.

For purposes of these procedures, “metadata” is dialing, routing, addressing, or signaling information associated with a communication, but does not include information concerning the substance, purport, or meaning of the communication.

I assume this uses the very broad definition John Bates rubber stamped in 2010, which included some kinds of content. Furthermore, the SMPs elsewhere tell us they’re pulling photographs (and, presumably, videos and the like). All those will also have metadata which, so long as it is not the meaning of a communication, presumably could be tracked as well (and I’m very curious whether FBI treats location data as metadata as well).

Whereas under the old Internet dragnet the data had to stay at NSA, this basically lets FBI copy entire swaths of metadata and integrate it into their existing databases. And, as noted, the definition of metadata may well be broader than even the broadened categories approved by John Bates in 2010 when he restarted the dragnet.

So one big improvement between the old domestic Internet dragnet and SPCMA (and 702 to a lesser degree, and I of course, improvement from a dragnet-loving perspective) is that the government can use it for any foreign intelligence purpose.

At several times during the USA F-ReDux debate, surveillance hawks tried to use the “reform” to expand the acceptable uses of the dragnet. I believe controls on the new system will be looser (especially with regards to emergency searches), but it is, ostensibly at least, limited to counterterrorism.

One way USA F-ReDux will be far more liberal, however, is in dissemination. It’s quite clear that the data returned from queries will go (at least) to FBI, as well as NSA, which means FBI will serve as a means to disseminate it promiscuously from there.


Another thing replacing the Internet dragnet with 702 access does it provide another way to correlate multiple identities, which is critically important when you’re trying to map networks and track all the communication happening within one. Under 702, the government can obtain not just Internet “call records” and the content of that Internet communication from providers, but also the kinds of thing they would obtain with a subpoena (and probably far more). As I’ve shown, here are the kinds of things you’d almost certainly get from Google (because that’s what you get with a few subpoenas) under 702 that you’d have to correlate using algorithms under the old Internet dragnet.

  • a primary gmail account
  • two secondary gmail accounts
  • a second name tied to one of those gmail accounts
  • a backup email (Yahoo) address
  • a backup phone (unknown provider) account
  • Google phone number
  • Google SMS number
  • a primary login IP
  • 4 other IP logins they were tracking
  • 3 credit card accounts
  • Respectively 40, 5, and 11 Google services tied to the primary and two secondary Google accounts, much of which would be treated as separate, correlated identifiers

Every single one of these data points provides a potentially new identity that the government can track on, whereas the old dragnet might only provide an email and IP address associated with one communication. The NSA has a great deal of ability to correlate those individual identifiers, but — as I suspect the Paris attack probably shows — that process can be thwarted somewhat by very good operational security (and by using providers, like Telegram, that won’t be as accessible to NSA collection).

This is an area where the new phone dragnet will be significantly better than the existing phone dragnet, which returns IMSI, IMEI, phone number, and a few other identifiers. But under the new system, providers will be asked to identify “connected” identities, which has some limits, but will nonetheless pull some of the same kind of data that would come back in a subpoena.


While replacing the domestic Internet dragnet with SPCMA provides additional data with which to do correlations, much of that might fall under the category of additional functionality. There are two obvious things that distinguish the old Internet dragnet from what NSA can do under SPCMA, though really the possibilities are endless.

The first of those is content scraping. As the Intercept recently described in a piece on the breathtaking extent of metadata collection, the NSA (and GCHQ) will scrape content for metadata, in addition to collecting metadata directly in transit. This will get you to different kinds of connection data. And particularly in the wake of John Bates’ October 3, 2011 opinion on upstream collection, doing so as part of a domestic dragnet would be prohibitive.

In addition, it’s clear that at least some of the experimental implementations on geolocation incorporated SPCMA data.

I’m particularly interested that one of NSA’s pilot co-traveler programs, CHALKFUN, works with SPCMA.

Chalkfun’s Co-Travel analytic computes the date, time, and network location of a mobile phone over a given time period, and then looks for other mobile phones that were seen in the same network locations around a one hour time window. When a selector was seen at the same location (e.g., VLR) during the time window, the algorithm will reduce processing time by choosing a few events to match over the time period. Chalkfun is SPCMA enabled1.

1 (S//SI//REL) SPCMA enables the analytic to chain “from,” “through,” or “to” communications metadata fields without regard to the nationality or location of the communicants, and users may view those same communications metadata fields in an unmasked form. [my emphasis]

Now, aside from what this says about the dragnet database generally (because this makes it clear there is location data in the EO 12333 data available under SPCMA, though that was already clear), it makes it clear there is a way to geolocate US persons — because the entire point of SPCMA is to be able to analyze data including US persons, without even any limits on their location (meaning they could be in the US).

That means, in addition to tracking who emails and talks with whom, SPCMA has permitted (and probably still does) permit NSA to track who is traveling with whom using location data.

Finally, one thing we know SPCMA allows is tracking on cookies. I’m of mixed opinion on whether the domestic Internet ever permitted this, but tracking cookies is not only nice for understanding someone’s browsing history, it’s probably critical for tracking who is hanging out in Internet forums, which is obviously key (or at least used to be) to tracking aspiring terrorists.

Most of these things shouldn’t be available via the new phone dragnet — indeed, the House explicitly prohibited not just the return of location data, but the use of it by providers to do analysis to find new identifiers (though that is something AT&T does now under Hemisphere). But I would suspect NSA either already plans or will decide to use things like Supercookies in the years ahead, and that’s clearly something Verizon, at least, does keep in the course of doing business.

All of which is to say it’s not just that the domestic Internet dragnet wasn’t all that useful in its current form (which is also true of the phone dragnet in its current form now), it’s also that the alternatives provided far more than the domestic Internet did.

Jim Comey recently said he expects to get more information under the new dragnet — and the apparent addition of another provider already suggests that the government will get more kinds of data (including all cell calls) from more kinds of providers (including VOIP). But there are also probably some functionalities that will work far better under the new system. When the hawks say they want a return of the dragnet, they actually want both things: mandates on providers to obtain richer data, but also the inclusion of all Americans.

Tweet about this on TwitterShare on RedditShare on FacebookGoogle+Email to someone

Dianne Feinstein Inadvertently Calls to Expose America’s Critical Infrastructure to Hackers

For days now, surveillance hawks have been complaining that terrorists probably used encryption in their attack on Paris last Friday. That, in spite of the news that authorities used a phone one of the attackers threw in a trash can to identify a hideout in St. Denis (this phone in fact might have been encrypted and brute force decrypted, but given the absence of such a claim and the quick turnaround on it, most people have assumed both it and the pre-attack chats on it were not encrypted).

I suspect we’ll learn attackers did use encryption (and a great deal of operational security that has nothing to do with encryption) at some point in planning their attack — though the entire network appears to have been visible through metadata and other intelligence. Thus far, however, there’s only one way we know of that the terrorists used encryption leading up to the attack: when one of them paid for things like a hotel online, the processing of his credit card (which was in his own name) presumably took place over HTTPS (hat tip to William Ockham for first making that observation). So if we’re going to blindly demand we prohibit the encryption the attackers used, we’re going to commit ourselves to far far more hacking of online financial transactions.

I’m more interested in the concerns about terrorists’ claimed use of PlayStation 4. Three days before the attack, Belgium’s Interior Minister, said all countries were having problem with PlayStation 4s, which led to a frenzy mistakenly claiming the Paris terrorists had used it (there’s far more reason to believe they used Telegram).

One of those alternatives was highlighted on Nov. 11, when Belgium’s federal home affairs minister, Jan Jambon, said that a PlayStation 4 (PS4) console could be used by ISIS to communicate with their operatives abroad.

“PlayStation 4 is even more difficult to keep track of than WhatsApp,” said Jambon, referencing to the secure messaging platform.

Earlier this year, Reuters reported that a 14-year-old boy from Austria was sentenced to a two-year jail term after he downloaded instructions on bomb-building onto his Playstation games console, and was in contact with ISIS.

It remains unclear, however, how ISIS would have used PS4s, though options range from the relatively direct methods of sending messages to players or voice-chatting, to more elaborate methods cooked up by those who play games regularly. Players, for instance, can use their weapons during a game to send a spray of bullets onto a wall, spelling out whole sentences to each other.

This has DiFi complaining that Playstation is encrypted.

Even Playstation is encrypted. It’s very hard to get the data you need because it’s encrypted

Thus far, it’s not actually clear most communications on Playstation are encrypted (though players may be able to pass encrypted objects about); most people I’ve asked think the communications are not encrypted, though Sony isn’t telling. What is likely is that there’s not an easy way to collect metadata tracking the communications within games, which would make it hard to collect on whether or not some parts of the communications data are encrypted.

But at least one kind of data on Playstations — probably two — is encrypted: Credit cards and (probably) user data. That’s because 4 years ago, Playstation got badly hacked.

“The entire credit card table was encrypted and we have no evidence that credit card data was taken,” said Sony.

This is the slimmest amount of good news for PlayStation Network users, but it alone raises very serious concerns, since Sony has yet to provide any details on what sort of encryption has been used to protect that credit card information.

As a result, PlayStation Network users have absolutely no idea how safe their credit card information may be.

But the bad news keeps rolling in:

“The personal data table, which is a separate data set, was not encrypted,” Sony notes, “but was, of course, behind a very sophisticated security system that was breached in a malicious attack.”

A very sophisticated security system that ultimately failed, making it useless.

Why Sony failed to encrypt user account data is a question that security experts have already begun to ask. Along with politicians both in the United States and abroad.

Chances are Sony’s not going to have an answer that’s going to please anyone.

After one in a series of really embarrassing hacks, I assume Sony has locked things down more since. Three years after that Playstation hack, of course, Sony’s movie studio would be declared critical infrastructure after it also got hacked.

Here’s the thing: Sony is the kind of serially negligent company that we need to embrace good security if the US is going to keep itself secure. We should be saying, “Encrypt away, Sony! Please keep yourself safe because hackers love to hack you and they’ve had spectacular success doing so! Jolly good!”

But we can’t, at the same time, be complaining that Sony offers some level of encryption as if that makes the company a material supporter of terrorism. Sony is a perfect example of how you can’t have it both ways, secure against hackers but not against wiretappers.

Amid the uproar about terrorists maybe using encryption, the ways they may have — to secure online financial transactions and game player data — should be a warning about condemning encryption broadly.

Because next week, when hackers attack us, we’ll be wishing our companies had better encryption to keep us safe.

Tweet about this on TwitterShare on RedditShare on FacebookGoogle+Email to someone

How the Government Uses Location Data from Mobile Apps

Screen shot 2015-11-19 at 9.24.26 AMThe other day I looked at an exchange between Ron Wyden and Jim Comey that took place in January 2014, as well as the response FBI gave Wyden afterwards. I want to return to the reason I was originally interested in the exchange: because it reveals that FBI, in addition to obtaining cell location data directly from a phone company or a Stingray, will sometimes get location data from a mobile app provider.

I asked Magistrate Judge Stephen Smith from Houston whether he had seen any such requests — he’s one of a group of magistrates who have pushed for more transparency on these issues. He explained he had had several hybrid pen/trap/2703(d) requests for location and other data targeting WhatsApp accounts. And he had one fugitive probation violation case where the government asked for the location data of those in contact with the fugitive’s Snapchat account, based on the logic that he might be hiding out with one of the people who had interacted with him on Snapchat. The providers would basically be asked to to turn over the cell site location information they had obtained from the users’ phone along with other metadata about those interactions. To be clear, this is not location data the app provider generates, it would be the location data the phone company generates, which the app accesses in the normal course of operation.

The point of getting location data like this is not to evade standards for a particular jurisdiction on CSLI. Smith explained, “The FBI apparently considers CSLI from smart phone apps the same as CSLI from the phone companies, so the same legal authorities apply to both, the only difference being that the ‘target device’ identifier is a WhatsApp/Snapchat account number instead of a phone number.” So in jurisdictions where you can get location data with an order, that’s what it takes, in jurisdictions where you need a probable cause warrant, that’s what it will take. The map above, which ACLU makes a great effort to keep up to date here, shows how jurisdictions differ on the standards for retrospective and prospective location information, which is what (as far as we know) will dictate what it would take to get, say, CSLI data tied to WhatsApp interactions.

Rather than serving as a way to get around legal standards, the reason to get CSLI from the app provider rather than the phone company that originally produces it is to get location data from both sides of a conversation, rather than just the target phone. That is, the app provides valuable context to the location data that you wouldn’t get just from the target’s cell location data.

The fact that the government is getting location data from mobile app providers — and the fact that they comply with the same standard for CSLI obtained from phones in any given jurisdiction — may help to explain a puzzle some have been pondering for the last week or so: why Facebook’s transparency report shows a big spike in wiretap warrants last year.

[T]he latest government requests report from Facebook revealed an unexpected and dramatic rise in real-time interceptions, or wiretaps. In the first six months of 2015, US law enforcement agencies sent Facebook 201 wiretap requests (referred to as “Title III” in the report) for 279 users or accounts. In all of 2014, on the other hand, Facebook only received 9 requests for 16 users or accounts.

Based on my understanding of what is required, this access of location data via WhatsApp should appear in several different categories of Facebook’s transparency report, including 2703(d), trap and trace, emergency request, and search warrant. That may include wiretap warrants, because this is, after all, prospective interception, and not just of the target, but also of the people with whom the target communicates. That may be why Facebook told Motherboard “we are not able to speculate about the types of legal process law enforcement chooses to serve,” because it really would vary from jurisdiction to jurisdiction and possibly even judge to judge.

In any case, we can be sure such requests are happening both on the criminal and the intelligence side, and perhaps most productively under PRISM (which could capture foreign to domestic communications at a much lower standard of review). Which, again, is why any legislation covering location data should cover the act of obtaining location data, whether via the phone company, a Stingray, or a mobile app provider.

Tweet about this on TwitterShare on RedditShare on FacebookGoogle+Email to someone

Brennan Was Probably Talking about the Telegram PRISM Gap as Much as Encryption

I noted the other day that at a pre-scheduled appearance Monday, Josh Rogin cued John Brennan to explain how the Paris attack happened without warning. In my opinion, the comment has been badly misreported as an indictment solely of Edward Snowden (though it is that) and encryption. I’ve put the entire exchange below but the key exchange was this:

And as I mentioned, there are a lot of technological capabilities that are available right now that make it exceptionally difficult, both technically as well as legally, for intelligence and security services to have the insight they need to uncover it. And I do think this is a time for particularly Europe, as well as here in the United States, for us to take a look and see whether or not there have been some inadvertent or intentional gaps that have been created in the ability of intelligence and security services to protect the people that they are asked to serve. And in the past several years because of a number of unauthorized disclosures and a lot of handwringing over the government’s role in the effort to try to uncover these terrorists, there have been some policy and legal and other actions that are taken that make our ability collectively internationally to find these terrorists much more challenging. And I do hope that this is going to be a wake-up call, particularly in areas of Europe where I think there has been a misrepresentation of what the intelligence security services are doing by some quarters that are designed to undercut those capabilities.

Brennan talks about technology that makes it difficult technically and legally to uncover plots. Encryption is a technical problem — one the NSA has proven its ability to overcome — that might be called a legal one if you ignore that NSA has the ability to overcome the lack of a legal requirement to provide back doors. But I agree this passage speaks to encryption, if not other issues.

In the next sentence, though, he talks about inadvertent or intentional gaps created “particularly in Europe.” He talks about plural unauthorized disclosures — as I noted, Josh Rogin’s own disclosure that the US had broken AQAP’s online conferencing technique may have been more directly damaging than most of Snowden’s leaks —  and “handwringing.” Those have led to “policy and legal and other actions” that have made it harder to find terrorists. In the next sentence, Brennan again emphasizes that “particularly in areas of Europe,” there needs to be a “wake-up call” because “there has been a misrepresentation” of what the spooks are doing, which he suggests was deliberately “designed to undercut those capabilities.”

So the paragraph where he speaks of these problems, he twice emphasizes that Europe in particular needs to adjust its approach.

Last I checked, Europe didn’t pass USA Freedom Act (which would not, in any way, have restricted review of Parisian targeters). Some countries in Europe are more vigorously considering limits on encryption, but those would be just as ineffective as eliminating the code that’s already out there.

What Europe has done, however, is make it harder for our PRISM providers to share data back and forth between Europe (and with providers considering moving servers to Europe, it will raise new questions about the applicability of PRISM for that data). And Europe (not just Europe, but definitely including Europe) has created a market need for US tech companies to distance themselves from the government.

And in the case of Germany, politicians have been investigating how much its BND has done for NSA, and especially which impermissible German people and companies were targeted as part of the relationship. I noted that Brennan raised similar issues just days after the BND investigation turned scandalous in March, and recent revelations have raised new pressure on BND.

With that in mind, in particular, consider what one of the more responsible reports on Brennan’s speech, that of Shane Harris, focused on — terrorists’ use of Berlin headquartered social messaging app Telegram. If terrorists were using WhatsApp (which a lot of the fearmongering focused on), the metadata, at least, would be available via Facebook. But since Telegram is not a US company, it cannot be obliged under Section 702 of FISA, and that surely creates just the kind of gap Brennan was talking about.

Since Brennan’s speech, Telegram has started deleting the special channels set up by ISIS to communicate.

I’m sure Brennan is complaining about encryption and if he can get Congress to force domestic back doors, I’m sure he will (though ISIS reportedly shies away from Apple products, so forcing Apple to give up its encrypted iMessage won’t help track down ISIS). But his speech seemed focused much more intently on ways in which, in the aftermath of the Snowden leaks, Europeans have opportunistically localized data and, in the process, made that data far less accessible to the NSA. Brennan, as I made clear in March, definitely would prefer the Europeans rely on Americans for their SIGINT (and in the process agree to some inappropriate spying in their home country), and the gap created by terrorists’ reliance on Telegram is one way to exert pressure on that point.

Continue reading

Tweet about this on TwitterShare on RedditShare on FacebookGoogle+Email to someone

Why Does Saudi Arabia Want to Arrest One of Its Princes?

Morocco arrested a Saudi prince as he was attempting to leave Casablanca’s airport and fly to Paris on Thursday. The report on the arrest does not explain why he was arrested — unlike the Saudi prince arrested in the US in September for sexual assault or the Saudi prince arrested in Lebanon in October for having 2 tons of amphetamines in his private plane. Nor does it provide his name (again, unlike those other reports).

But it does say he was arrested on an Interpol warrant issued by Riyadh.

A prince from Saudi Arabia was arrested by Moroccan authorities at Mohammed V Airport in Casablanca on Thursday and placed in custody at the prison of Salé, according to Moroccan daily Al Massae’s weekend edition.

The Saudi prince was about to board a Casablanca-Paris flight when border police discovered that his identity matched that of a man wanted by Interpol office in Saudi Arabia for whom an international arrest warrant had been issued.

It’s unusual that Saudi Arabia arrests a member of the royal family, and when I read it I wondered whether it might be tied to recent calls for a coup. I think that’s still a possibility.

Equally likely, it relates to that massive drug bust in Lebanon last month. That would be interesting because that bust involved Captagon, a drug closely tied to ISIS.

They were allegedly “attempting to smuggle about two tons of Captagon pills and some cocaine”, a security source was quoted as saying.

Captagon is a brand name for the widely used amphetamine phenethylline.


It is the drug of choice for front-line fighters on both sides in the Syrian war, allowing a heightened state of alertness.

It is unclear where the pills allegedly found in Beirut were ultimately to be sold, although the plane was said to be heading back to Saudi Arabia.

In any case, I don’t have any theory on this arrest right now, but in retrospect wanted to note the arrest here.

Tweet about this on TwitterShare on RedditShare on FacebookGoogle+Email to someone

Emptywheel Twitterverse

emptywheel @bmaz Great. You are now IN CHARGE of great political movement to change this, after dawdling for 14 years. @_JGR @Ali_Gharib @dangillmor
bmaz @emptywheel @_JGR @Ali_Gharib @dangillmor No, I am not, and the solution is to prefer common criminal charges+better exercise of discretion
emptywheel @bmaz Great. Find some political fix. @_JGR @Ali_Gharib @dangillmor
emptywheel @bmaz Yes. You are endorsing bias. I find that unacceptable, especially absent some remedy. @_JGR @Ali_Gharib @dangillmor
bmaz @emptywheel @_JGR @Ali_Gharib @dangillmor Never endorsed, simply think the solution is less "terrorism" cases, not more.
emptywheel @bmaz No. I mean for Kevin Harpham to spend his life in prison if some 20 yeard old entrapped by FBI will @_JGR @Ali_Gharib @dangillmor
emptywheel @bmaz I think you mean 2332a and b? My point is there is bias. You're endorsing it. That's fine. But own that @_JGR @Ali_Gharib @dangillmor
bmaz @emptywheel We need all the help we can get in the Pac this year. Pretty bleak. At this rate, we'll end up with a 4 loss USC as champion.
bmaz @emptywheel @_JGR @Ali_Gharib @dangillmor And again, we have had this same discussion for years. I am not buying your position, nor you mine
bmaz @emptywheel @_JGR @Ali_Gharib @dangillmor You want to expand it where does not fit simply to make your point. I consider that silly.
bmaz @emptywheel @_JGR @Ali_Gharib @dangillmor And even when do fit, my view is should be left to state charges in all but exceptional cases.
emptywheel @bmaz Anyway, I'm rooting for the fecking PacWhatever bc my dog's namesake plays for the Tree.
November 2015
« Oct