The [Emails Sent to] Clinton Story May End Up Being about Loyalty

I was surprised that this story voicing concerns that Clinton backers fear “old weaknesses stalk” her campaign (stalk!) didn’t mention one of the weaknesses from 2008 that bothered me the most: loyalty.

Don’t get me wrong. Loyalty is a good thing.

Except when loyalty to long-term friends drives your hiring decisions.

To me, Hillary’s failure in 2008 is best exemplified by her refusal to fire Mark Penn, even though he divided the campaign staff and made a lot of the decisions that let Obama beat her.

More recently, Hillary retained Sidney Blumenthal as an advisor even after the White House nixed him having an official role at State — a decision that lies behind some of the more controversial emails revealed as part of the email scandal.

Yet the WaPo article on potential Hillary stumbles doesn’t mention loyalty, not even in its discussion of the email scandal.

The e-mail issue has dampened Clinton’s support in New Hampshire, which holds the nation’s first primary, on Feb. 9. Sanders rose to a statistical tie there in the latest statewide poll, to the shock of some longtime Clinton backers. She is on safer ground in Iowa, which will hold the nation’s first presidential selection vote in the Feb. 1 caucuses.

Democrats in Washington fret that the e-mail liability is something Clinton brought on herself and has managed from a defensive crouch. The decision to operate a separate e-mail system parallel to the regular State Department system has resulted in an investigation that is now out of the control of Clinton and her campaign advisers.

Political strategists who have been through past such episodes note that an investigation like this can go in unexpected and damaging directions.

“I don’t think there’s a big smoking gun,” one Democrat said. “But it’s hard to explain why you had a private server, why you just now turned it over. . . .Shouldn’t you have had better judgment?”

As I have noted, everything we know about the email scandal confirms that any legal problems stem not from Hillary sitting down and transcribing the contents of a satellite-derived intelligence report into an unencrypted email, but from a staffer taking material he or she knew to be classified and including it in an email to Hillary. It’s not even clear that happened — the CIA has a nasty habit of claiming widely known facts are Top Secret, but that is the legal issue we’re discussing (go here to review my critique of Hillary’s over actions).

Both because they hate her, because she worked under a special status at State, and because there seems to be real reason to think she had a role in emails of question, the focus has now turned to Huma Abedin, currently Vice Chairwoman for Hillary’s campaign. This report on Abedin’s possible involvement emphasizes how closer Hillary and Abedin are.

Abedin, who’s been with Clinton for about two decades, started working for Clinton as a 19-year-old intern in the former first lady’s office.

At State and during the 2008 campaign she was considered Clinton’s “body woman,” never far from Clinton’s side and often seen watching her boss intently, ready to scramble to her aid at any minute. Top politicians, and even Bill Clinton, would phone her to reach Hillary, and emails released in recent months showed she enjoyed access to Clinton at her private home, too, dropping items off on her counter and instructing her how to dress and keeping her schedule.

In 2013, news broke that Abedin had been given a special government employee status, allowing her to be simultaneously on the payroll for the philanthropic Clinton Foundation and Teneo, a consulting firm founded by former Clinton White House adviser Doug Band. She previously had not disclosed the dual employment.

Abedin has said she stepped back from government work and became a contractor so she could be with her family and her newborn son. But since then, critics have questioned her about whether she had a conflict of interest while working at State and alongside close friends of the Clinton family.

There are a few other staffers whose names have been floated as potentially sending the emails with information deemed classified.

But if Abedin is among them, it poses the quintessential problem for Hillary: the possibility that dealing with this email problem would at the same time require distancing herself from a cherished associate. If someone like Abedin were involved in sending classified information, would Hillary do what she refused to do in 2008?

Tweet about this on TwitterShare on RedditShare on FacebookGoogle+Email to someone

What’s a Little (or a Lot) Cooperation Among Spies?

Screen Shot 2015-08-15 at 8.33.46 PMA key point in the ProPublica/NYT piece on AT&T’s close cooperation with the NSA (and, though not stated explicitly, other agencies) on spying is that AT&T was the telecom that helped NSA spy on the UN.

It provided technical assistance in carrying out a secret court order permitting the wiretapping of all Internet communications at the United Nations headquarters, a customer of AT&T.

If you read the underlying document, it actually shows that NSA had a traditional FISA order requiring the cooperation (remember, “agents of foreign powers,” as diplomats are, are among the legal wiretap targets under FISA, no matter what we might think about NSA spying on UN in our own country) — meaning whatever telecom serviced the UN legally had to turn over the data. And a big part of AT&T’s cooperation, in addition to technically improving data quality, involved filtering the data to help NSA avoid overload.

BLARNEY began intermittent enablement  of DNI traffic for TOPI assessment and feedback. This feedback is being used by the BLARNEY target development team to support an ongoing filtering and throttling of data volumes. While BLARNEY is authorized full-take access under the NSA FISA, collected data volumes would flood PINWALE allocations within hours without a robust filtering mechanism.

In other words, AT&T helped NSA, ironically, by helping it limit what data it took in. Arguably, that’s an analytical role (who builds the algorithms in the filter?), but it’s one that limits how much actually gets turned over to the government.

That doesn’t mean the cooperation was any less valued, nor does it mean it didn’t go beyond what AT&T was legally obliged to do under the FISA order. But it’s not evidence AT&T would wiretap a non-legal (private corporation) target as a favor for NSA. That evidence may exist, somewhere, but it’s not in this story, except insofar as it mentions Stellar Wind, where AT&T was doing such things.

To be fair, AT&T’s UN cooperation is actually emphasized in this story because it was a key data point in the worthwhile ProPublica piece explaining how they proved Fairview was AT&T.

In April 2012, an internal NSA newsletter boasted about a successful operation in which NSA spied on the United Nations headquarters in New York City with the help of its Fairview and Blarney programs. Blarney is a program that undertakes surveillance that is authorized by the Foreign Intelligence Surveillance Court.

FAIRVIEW and BLARNEY engineers collaborated to enable the delivery of 700Mbps of paired packet switched traffic (DNI) traffic from access to an OC192 ring serving the United Nations mission in New York … FAIRVIEW engineers and the partner worked to provide the correct mapping, and BLARNEY worked with the partner to correct data quality issues so the data could be handed off to BLARNEY engineers to enable processing of the DNI traffic.

We found historical records showing that AT&T was paid $1 million a year to operate the U.N.’s fiber optic provider in 2011 and 2012. A spokesman for the U.N. secretary general confirmed that the organization “has a current contract with AT&T” to operate the fiber optic network at the U.N. headquarters in New York.

That is, the UN story is important largely because there are public records proving that AT&T was the provider in question, not because it’s the most egregious example of AT&T’s solicitous relationship with the nation’s spies.

Also in that story proving how they determined Fairview was AT&T and Stormbrew included Verizon was the slide above, bragging that the Comprehensive National Cybersecurity Initiative 100% subsidized Verizon’s Breckenridge site at a new cable landing carrying traffic from China.

It’s not entirely clear what that means — it might just refer to the SCIF, power supply, and servers needed to run the TURMOIL (that is, passive filtering) deployments the NSA wanted to track international traffic with China. But as ProPublica lays out, the NSA was involved the entire time Verizon was planning this cable landing. Another document on CNCI shows that in FY2010 — while significantly less than AT&T’s Fairview — NSA was dumping over $100M into Stormbrew and five times as much money into “cyber” than on FISA (in spite of the fact that they admit they’re really doing all this cybering to catch attacks on the US, meaning it has to ostensibly be conducted under FISA, even if FISC had not yet and may never have approved a cyber certificate for upstream 702). And those numbers date to the year after the Breckenridge project was put on line, and at a time when Verizon was backing off an earlier closer relationship with the Feds.

How much did Verizon really get for that cable landing, what did they provide in exchange, and given that this was purpose-built to focus on Chinese hacking 6 years ago, why is China still eating our lunch via hacking? And if taxpayers are already subsidizing Verizon 100% for capital investments, why are we still paying our cell phone bills?

Particularly given the clear focus on cyber at this cable landing, I recall the emphasis on Department of Commerce when discussing the government’s partnership with industry in PPD-20, covering authorizations for various cyber activities, including offensive cyberwar (note the warning I gave for how Americans would start to care about this Snowden disclosure once our rivals, like China, retaliate). That is, the government has Commerce use carrots and sticks to get cooperation from corporations, especially on cybersecurity.

None of this changes the fact that AT&T has long been all too happy to spy on its customers for the government. It just points to how little we know about these relationships, and how much quid pro quo there really is. We know from PRISM discussions that the providers could negotiate how they accomplished an order (as AT&T likely could with the order to wiretap the UN), and that’s one measure of “cooperation.” But there’s a whole lot else to this kind of cooperation.

Update: Credo released a statement in response to the story.

As a telecom that can be compelled to participate in unconstitutional surveillance, we know how important it is to fight for our customers’ privacy and only hand over information related to private communications when required by law,” said CREDO Mobile Vice President Becky Bond. “It’s beyond disturbing though sadly not surprising what’s being reported about a secret government relationship with AT&T that NSA documents describe as ‘highly collaborative’ and a ‘partnership, not a contractual relationship,’

CREDO Mobile supports full repeal of the illegal surveillance state as the only way to protect Americans from illegal government spying,” Bond continued, “and we challenge AT&T to demonstrate concern for its customers’ constitutional rights by joining us in public support of repealing both the Patriot Act and FISA Amendments Act.

Tweet about this on TwitterShare on RedditShare on FacebookGoogle+Email to someone

AT&T Pulled Cell Location for Its “Mobility Cell Data”

ProPublica and NYT have an important story that confirms what we’ve long known — that AT&T, operating under the Fairview program — is all too happy to do business with the NSA. As part of the story, they note that in 2011, AT&T started providing cell data to NSA under the BR FISA program.

In 2011, AT&T began handing over 1.1 billion domestic cellphone calling records a day to the NSA after “a push to get this flow operational prior to the tenth anniversary of 9/11,” according to an internal agency newsletter. This revelation is striking because after Snowden disclosed the program of collecting the records of Americans’ phone calls, intelligence officials told reporters that, for technical reasons, it consisted mostly of landline phone records.

They base the claim on this document, which reads,

On 29 August, FAIRVIEW started delivering Mobility Business Records traffic into MAINWAY under the existing Business Record (BR) FISA authorization. The intent of the Business Records FISA program is to detect previously unknown terrorist threats in the United States through the cell chaining of metadata. This new metadata flow is associated with a cell phone provider and will generate an estimated 1.1 billion cellular records a day in addition to the 700M records delivered currently under the BR FISA. After extensive dialogue with the consumers of the BR data, repeated testing, a push to get this flow operational prior to the tenth anniversary of 9/11, and extensive coordination with external entities via our OGC (to include: FBI, DOJ, ODNI, and FISC) NSA received approval to initiate this dataflow on August 29, 2011. Analysts have already reported seeing BR Cellular records in the Counter Terrorism call-chaining database queries.

Though it provides important new context, that NSA started receiving mobile data on August 29, 2011 is not new news (though that it was getting it from AT&T is). The government released the notice it gave to the House Judiciary Committee that it was receiving that data in October 2013 under FOIA (indeed, this document is one I have pointed to to refute claims that the program didn’t collect cell data).

All that said, the notice, taken together with the context of the internal announcement, does explain more about why the NSA wasn’t getting as much cell data as they wanted.

In the case of Fairview and the collection started on August 29, 2011, the provider “remove[d] the cell [redacted] location information [redacted] before providing the CDRs to NSA.”

Before initiating the acquisition of mobility data, NSA undertook extensive testing to ensure strict compliance with the terms of the FISC Orders. The Court’s Orders are designed to protect the civil liberties and privacy interests of Americans. Following completion of testing, on 29 August 2011, NSA began to receive approximately [redacted] CDRs per day and enter these records into our BR FISA bulk metadata architecture.

[redacted] NSA requested that the [redacted] remove the cell [redacted] location information [redacted] before providing the CDRs to NSA. Consequently, NSA is not currently receiving this field as part of the data being acquired. [redacted]

As the NYT reported earlier this week, NSA had given Verizon Wireless a separate order for phone dragnet order in 2010. But the redaction in the notice to Congress on obtaining mobility data from a year later seems to address the problem with obtaining location information.

We know from the Congressional notice AT&T was willing to strip it. For a lot of reasons, it’s likely Verizon was unwilling to strip it.

This is one of the possible explanations I’ve posited for why NSA wasn’t getting cell data from Verizon, because any provider is only obliged to give business records they already have on hand, and it would be fairly easy to claim stripping the cell location data made it a new business record.

Which is another important piece of evidence for the case made against AT&T in the story. They were willing to play with records they were handing over to the government in ways not required by the law.

Though who knows if that remain(ed) the case? To get to the 30% figure quoted in all the pieces claiming NSA wasn’t getting cell data, you’d probably have to have AT&T excluded as well. So maybe after the Snowden releases, they, too, refused to do things they weren’t required to do by law (though because it had the Hemisphere database which could easily select records, that may have been harder to do).

Update: Adding that FISC took judicial notice of some magistrates’ rulings you needed more than a subpoena for location data in 2006, after Congress said you could only get what you could get with a subpoena in the 2006 PATRIOT Reauthorization. So it’s possible any squeamishness about location collection dates to that point, though we know FISC did still permit the government to get location data with 215 orders.

Tweet about this on TwitterShare on RedditShare on FacebookGoogle+Email to someone

Along with Outdated Toothpaste and Caitlin Jenner Covers, Manning in Trouble for Reading Torture Report

As you’ve likely heard the authorities at Leavenworth have put Chelsea Manning in indefinite solitary confinement for — among other things — having an expired tube of toothpaste (and also sweeping some crumbs onto the floor).

She just posted the list of materials the authorities confiscated from her. They include the Caitlyn Jenner Vanity Fair issue and what I assume is the Cosmopolitan issue on Jenner.

But in addition, the government also confiscated Manning’s copy of the SSCI torture report.

Screen Shot 2015-08-14 at 1.50.50 PM

Because it is the American way to subject someone to torturous solitary confinement because she tried to read about the torture done to others before she was subjected to the same kind of forced nudity described in the report?

 

Tweet about this on TwitterShare on RedditShare on FacebookGoogle+Email to someone

The SEKRIT Drones in Hillary’s [Staffers’] Emails

From the start of the Hillary Clinton email scandal, I’ve maintained that there are real reasons to be critical of her use of a private email.

There are big governance reasons to be concerned that Clinton has been in control of all her official emails, including that the emails will get destroyed or hidden from FOIA and Congressional requests.

But there’s also the question of whether whatever sensitive communications she had — potentially including classified information — were safe on a server run out of her Chappaqua home. While the State Department’s own emails have been notoriously unreliable — they have been compromised both in the WikiLeaks leak and in persistent hacks in recent years– if foreign adversaries learned of her private server (and remember, it’s very hard to hide metadata from someone who is looking), her communications would be even easier to compromise.

[snip]

[T]he system is also broken because it has been permitted to become a tool the powerful use to control their own image (and thereby accrue more power). After the years-long witch hunts under her spouse’s Presidency, Clinton might be forgiven for wanting to maintain complete control over her own communications (except for that whole bit about democratic accountability). But she is of course doing it to serve her own Presidential aspirations.

Not only are there real governance reasons it was wrong, but it was an own-goal given that she knew Republicans would pounce on anything that hints of corruption (even though most GOP presidential candidates have done the same thing). In the grand scheme of things, however, I’m most interested in fixing the email and accountability problem, because it has been a recurrent problem since Poppy Bush tried to destroy some PROFs notes to cover up the Iran-Contra scandal.

That said, much — though not all — of the reporting on it took a decidedly irresponsible turn when Intelligence Community Inspector General Charles McCullough revealed that two emails from the emails on Hillary’s server had been determined to contain Top Secret information. Such reporting was led by former NSA official John Schindler whose piece in the Daily Beast bore this headline.

Screen Shot 2015-08-14 at 8.40.08 AM

Schindler might be excused for a headline editors gave his piece to drive clicks and scandal — and indeed, in some parts of his article he was more disciplined in specifying whose emails these were — but he nevertheless used the formulation “Clinton’s emails” when claiming she had satellite-derived information on her servers.

Most seriously, the Inspector General assessed that Clinton’s emails included information that was highly classified—yet mislabeled as unclassified. Worse, the information in question should have been classified up to the level of “TOP SECRET//SI//TK//NOFORN,” according to the Inspector General’s report.

This left the suggestion that as Secretary of State Hillary Clinton sat down with some SIGINT reporting, transcribed it, and then sent it off to her staffers. That, in spite of repeated clarifications from official sources that Hillary was in no way a target of the FBI inquiry into this.

Dianne Feinstein clarified the point yesterday: the issue is that Hillary received emails that had information claimed to be classified, not that she sent them.

There has been a lot of press coverage recently of allegations regarding Secretary Clinton’s email. Unfortunately, much of the coverage has missed key points.

First, none of the emails alleged to contain classified information were written by Secretary Clinton.

The questions are whether she received emails with classified information in them, and if so, whether information in those emails should have been classified in the first place. Those questions have yet to be answered. However, it is clear that Secretary Clinton did not write emails containing classified information.

Again, nothing obviates all the blame that Hillary chose to rely on an unclassified email system, but it’s one thing if Hillary were sending Top Secret information across an unprotected server, and yet another thing if she received emails that might have been derived from Top Secret information, but were not marked as such or even evidently sourced from Top Secret information. Or even — given that some of the people and agencies in question aren’t entirely trustworthy when they make claims of secrecy — that publicly available information was deemed Top Secret.

At least according to the AP (in a story sourced to US officials, so potentially some people in DiFi’s immediate vicinity), that’s what happened.

The two emails on Hillary Rodham Clinton’s private server that an auditor deemed “top secret” include a discussion of a news article detailing a U.S. drone operation and a separate conversation that could point back to highly classified material in an improper manner or merely reflect information collected independently, U.S. officials who have reviewed the correspondence told The Associated Press.

[snip]

The drone exchange, the officials said, begins with a copy of a news article that discusses the CIA drone program that targets terrorists in Pakistan and elsewhere. While a secret program, it is well-known and often reported on. The copy makes reference to classified information, and a Clinton adviser follows up by dancing around a top secret in a way that could possibly be inferred as confirmation, they said. Several officials, however, described this claim as tenuous.

But a second email reviewed by Charles McCullough, the intelligence community inspector general, appears more suspect. Nothing in the message is “lifted” from classified documents, the officials said, though they differed on where the information in it was sourced. Some said it improperly points back to highly classified material, while others countered that it was a classic case of what the government calls “parallel reporting” — different people knowing the same thing through different means.

This is CIA claiming secrecy for its drone operations!!! The ongoing FOIAs about CIA’s acknowledged role in the drone war are evidence that even independent appellate judges don’t buy CIA’s claims that their drone activities are secret. Just yesterday, in fact, DC Judge Amit Mehta ordered DOJ to provide Jason Leopold more information about its legal analysis on CIA drone-killing Anwar al-Awlaki, information the CIA had claimed was classified. Indeed, Martha Lutz, the woman who likely reviewed the emails turned over, is fairly notorious for claiming things are classified that pretty obviously aren’t. It’s her job!

I’m all in favor of doing something to ensure all people in power don’t hide their official business on hidden email servers — right now, almost all people in power do do that.

But those who take CIA’s claims of drone secrecy seriously should be mocked, as should those who deliberately obscure the difference between receiving an unmarked email with information claimed to be classified and those who transcribe information from a properly marked classified document.

Tweet about this on TwitterShare on RedditShare on FacebookGoogle+Email to someone

On the Apple Back Door Rumors … Remember Lavabit

During the July 1 Senate Judiciary Committee hearing on back doors, Deputy Attorney General Sally Yates claimed that the government doesn’t want the government to have back doors into encrypted communications. Rather, they wanted corporations to retain the back doors to be able to access communications if the government had legal process to do so. (After 1:43.)

We’re not going to ask the companies for any keys to the data. Instead, what we’re going to ask is that the companies have an ability to access it and then with lawful process we be able to get the information. That’s very different from what some other countries — other repressive regimes — from the way that they’re trying to get access to the information.

The claim was bizarre enough, especially as she went on to talk about other countries not having the same lawful process we have (as if that makes a difference to software code).

More importantly, that’s not true.

Remember what happened with Lavabit, when the FBI was in search of what is presumed to be Edward Snowden’s email. Lavabit owner Ladar Levison had a discussion with FBI about whether it was technically feasible to put a pen register on the targeted account. After which the FBI got a court order to do it. Levison tried to get the government to let him write a script that would provide them access to just the targeted account or, barring that, provide for some kind of audit to ensure the government wasn’t obtaining other customer data.

The unsealed documents describe a meeting on June 28th between the F.B.I. and Levison at Levison’s home in Dallas. There, according to the documents, Levison told the F.B.I. that he would not comply with the pen-register order and wanted to speak to an attorney. As the U.S. Attorney for the Eastern District of Virginia, Neil MacBride, described it, “It was unclear whether Mr. Levison would not comply with the order because it was technically not feasible or difficult, or because it was not consistent with his business practice in providing secure, encrypted e-mail service for his customers.” The meeting must have gone poorly for the F.B.I. because McBride filed a motion to compel Lavabit to comply with the pen-register and trap-and-trace order that very same day.

Magistrate Judge Theresa Carroll Buchanan granted the motion, inserting in her own handwriting that Lavabit was subject to “the possibility of criminal contempt of Court” if it failed to comply. When Levison didn’t comply, the government issued a summons, “United States of America v. Ladar Levison,” ordering him to explain himself on July 16th. The newly unsealed documents reveal tense talks between Levison and the F.B.I. in July. Levison wanted additional assurances that any device installed in the Lavabit system would capture only narrowly targeted data, and no more. He refused to provide real-time access to Lavabit data; he refused to go to court unless the government paid for his travel; and he refused to work with the F.B.I.’s technology unless the government paid him for “developmental time and equipment.” He instead offered to write an intercept code for the account’s metadata—for thirty-five hundred dollars. He asked Judge Hilton whether there could be “some sort of external audit” to make sure that the government did not take additional data. (The government plan did not include any oversight to which Levison would have access, he said.)

Most important, he refused to turn over the S.S.L. encryption keys that scrambled the messages of Lavabit’s customers, and which prevent third parties from reading them even if they obtain the messages.

The discussions disintegrated because the FBI refused to let Levison do what Yates now says they want to do: ensure that providers can hand over the data tailored to meet a specific request. That’s when Levison tried to give FBI his key in what it claimed (even though it has done the same for FOIAs and/or criminal discovery) was in a type too small to read.

On August 1st, Lavabit’s counsel, Jesse Binnall, reiterated Levison’s proposal that the government engage Levison to extract the information from the account himself rather than force him to turn over the S.S.L. keys.

THE COURT: You want to do it in a way that the government has to trust you—
BINNALL: Yes, Your Honor.
THE COURT: —to come up with the right data.
BINNALL: That’s correct, Your Honor.
THE COURT: And you won’t trust the government. So why would the government trust you?
Ultimately, the court ordered Levison to turn over the encryption key within twenty-four hours. Had the government taken Levison up on his offer, he may have provided it with Snowden’s data. Instead, by demanding the keys that unlocked all of Lavabit, the government provoked Levison to make a last stand. According to the U.S. Attorney MacBride’s motion for sanctions,
At approximately 1:30 p.m. CDT on August 2, 2013, Mr. Levison gave the F.B.I. a printout of what he represented to be the encryption keys needed to operate the pen register. This printout, in what appears to be four-point type, consists of eleven pages of largely illegible characters. To make use of these keys, the F.B.I. would have to manually input all two thousand five hundred and sixty characters, and one incorrect keystroke in this laborious process would render the F.B.I. collection system incapable of collecting decrypted data.
The U.S. Attorneys’ office called Lavabit’s lawyer, who responded that Levison “thinks” he could have an electronic version of the keys produced by August 5th.

Levison came away from the debacle believing that the FBI didn’t understand what it was asking for when they asked for his keys.

One result of this newfound expertise, however, is that Levison believes there is a knowledge gap between the Department of Justice and law-enforcement agencies; the former did not grasp the implications of what the F.B.I. was asking for when it demanded his S.S.L. keys.

I raise all this because of the rumor — which Bruce Schneier inserted into his excerpt of this Nicholas Weaver post — that FBI is already fighting before FISC with Apple for a back door.

There’s a persistent rumor going around that Apple is in the secret FISA Court, fighting a government order to make its platform more surveillance-friendly — and they’re losing. This might explain Apple CEO Tim Cook’s somewhat sudden vehemence about privacy. I have not found any confirmation of the rumor.

Weaver’s post describes how, because of the need to allow users to access their iMessage account from multiple devices (think desktop, laptop, iPad, and phone), Apple technically could give FBI a key.

In iMessage, each device has its own key, but its important that the sent messages also show up on all of Alice’s devices.  The process of Alice requesting her own keys also acts as a way for Alice’s phone to discover that there are new devices associated with Alice, effectively enabling Alice to check that her keys are correct and nobody has compromised her iCloud account to surreptitiously add another device.

But there remains a critical flaw: there is no user interface for Alice to discover (and therefore independently confirm) Bob’s keys.  Without this feature, there is no way for Alice to detect that an Apple keyserver gave her a different set of keys for Bob.  Without such an interface, iMessage is “backdoor enabled” by design: the keyserver itself provides the backdoor.

So to tap Alice, it is straightforward to modify the keyserver to present an additional FBI key for Alice to everyone but Alice.  Now the FBI (but not Apple) can decrypt all iMessages sent to Alice in the future.

Admittedly, as heroic as Levison’s decision to shut down Lavabit rather than renege on a promise he made to his customers, Apple has a lot more to lose here strictly because of the scale involved. And in spite of the heated rhetoric, FBI likely still trusts Apple more than they trusted Levison.

Still, it’s worth noting that Yates’ claim that FBI doesn’t want keys to communications isn’t true — or at least wasn’t before her tenure at DAG. Because a provider, Levison, insisted on providing his customers what he had promised, the FBI grew so distrustful of him they did demand a key.

Tweet about this on TwitterShare on RedditShare on FacebookGoogle+Email to someone

BREAKING: What emptywheel Reported Two Years Ago

The NYT today:

The National Security Agency has used its bulk domestic phone records program to search for operatives from the government of Iran and “associated terrorist organizations” — not just Al Qaeda and its allies — according to a document obtained by The New York Times.

[snip]

The inclusion of Iran and allied terrorist groups — presumably the Shiite group Hezbollah — and the confirmation of the names of other participating companies add new details to public understanding of the once-secret program. The Bush administration created the program to try to find hidden terrorist cells on domestic soil after the attacks of Sept. 11, 2001, and government officials have justified it by using Al Qaeda as an example.

emptywheel, 15 months ago:

I want to post Dianne Feinstein’s statement about what Section 215 does because, well, it seems Iran is now a terrorist. (This is around 1:55)

The Section 215 Business Records provision was created in 2001 in the PATRIOT for tangible things: hotel records, credit card statements, etcetera. Things that are not phone or email communications. The FBI uses that authority as part of its terrorism investigations. The NSA only uses Section 215 for phone call records — not for Google searches or other things. Under Section 215, NSA collects phone records pursuant to a court record. It can only look at that data after a showing that there is a reasonable, articulable that a specific individual is involved in terrorism, actually related to al Qaeda or Iran. At that point, the database can be searched. But that search only provides metadata, of those phone numbers. Of things that are in the phone bill. That person, um [flips paper] So the vast majority of records in the database are never accessed, and are deleted after a period of five years. To look at, or use content, a court warrant must be obtained.

Is that a fair description, or can you correct it in any way?

Keith Alexander: That is correct, Senator. [underline/italics added]

Some time after this post Josh Gerstein reported on Keith Alexander confirming the Iran targeting.

The NYT today:

One document also reveals a new nugget that fills in a timeline about surveillance: a key date for a companion N.S.A. program that collected records about Americans’ emails and other Internet communications in bulk. The N.S.A. ended that program in 2011 and declassified its existence after the Snowden disclosures.

In 2009, the N.S.A. realized that there were problems with the Internet records program as well and turned it off. It then later obtained Judge Bates’s permission to turn it back on and expand it.

When the government declassified his ruling permitting the program to resume, the date was redacted. The report says it happened in July 2010.

emptywheel in November 2013:

I’ve seen a lot of outright errors in the reporting on the John Bates opinion authorizing the government to restart the Internet metadata program released on Monday.

Bates’ opinion was likely written in July 2010.

[snip]

It had to have been written after June 21, 2010 and probably dates to between June 21 and July 23, 2010, because page 92 footnote 78 cites Holder v. HLP (which was released on June 21), but uses a “WL” citation; by July 23 the “S. Ct.” citation was available. (h/t to Document Exploitation for this last observation).

So: it had to have been written between June 21, 2010 and October 3, 2011, but was almost certainly written sometime in the July 2010 timeframe.

The latter oversight is understandable, as this story — which has been cited in court filings — misread Claire Eagan’s discussions of earlier bulk opinions, which quoted several sentences of Bates’ earlier one (though it was not the among the stories that really botched the timing of the Bates opinion).

In September, the Obama administration declassified and released a lengthy opinion by Judge Claire Eagan of the surveillance court, written a month earlier and explaining why the panel had given legal blessing to the call log program. A largely overlooked passage of her ruling suggested that the court has also issued orders for at least two other types of bulk data collection.

Specifically, Judge Eagan noted that the court had previously examined the issue of what records are relevant to an investigation for the purpose of “bulk collections,” plural. There followed more than six lines that were censored in the publicly released version of her opinion.

There have been multiple pieces of evidence to confirm my earlier July 2010 deduction since.

The big news in the NYT story (though not necessarily the NYT documents, which I’ll return to) is that in 2010, Verizon Wireless also received phone dragnet orders. I’ll return to what that tells us too.

But the news that Iran was targeted under the phone dragnet was confirmed publicly — and reported here — in a prepared statement from the Senate Intelligence Chair and confirmed by the Director of National Security Agency a week after the first Snowden leak story.

Tweet about this on TwitterShare on RedditShare on FacebookGoogle+Email to someone

Was the White House Involved in the Decision to Unapologize to Dianne Feinstein?

A must-read Jason Leopold piece on the fight between the Senate Intelligence Committee and CIA over the torture report reveals that John Brennan apologized about hacking the SSCI website — before he unapologized .

John Brennan was about to say he was sorry.

On July 28, 2014, the CIA director wrote a letter to senators Dianne Feinstein and Saxby Chambliss — the chairwoman of the Senate Intelligence Committee (SSCI) and the panel’s ranking Republican, respectively. In it, he admitted that the CIA’s penetration of the computer network used by committee staffers reviewing the agency’s torture program — a breach for which Feinstein and Chambliss had long demanded accountability — was improper and violated agreements the Intelligence Committee had made with the CIA.

[snip]

“I recently received a briefing on the [OIG’s] findings, and want to inform you that the investigation found support for your concern that CIA staff had improperly accessed the [Intelligence Committee] shared drive on the RDINet [an acronym for rendition, detention, and interrogation] when conducting a limited search for CIA privileged documents,” Brennan wrote. “In particular, the [OIG] judged that Agency officers’ access to the… shared drive was inconsistent with the common understanding reached in 2009 between the Committee and the Agency regarding access to RDINet. Consequently, I apologize for the actions of CIA officers…. I am committed to correcting the shortcomings that this report has revealed.”

But Brennan didn’t sign or send the apology letter.

Instead, four days later, he sent Feinstein and Chambliss a different letter — one without an apology or admission that the search of their computer network was improper.

Leopold includes the letter as an image in his story (and also at page 299 in the SCRIBD embed). The letter he did send appears at page 11 of the embed.

In addition to the dramatically different content, the later letter does not include — as the earlier one did — notice that carbon copies of the letter were sent to DNI James Clapper, White House Counsel Neil Eggleston, and CIA’s Inspector General David Buckley.

Screen Shot 2015-08-12 at 1.55.19 PM

You can see the earlier letter (see page 298) was sent by some emoticon-wielding (presumed) Assistant who explained — at 4:32 that same day — “Sending anyway, Just in case you need it soft copy for any reason. :)”

Screen Shot 2015-08-12 at 2.29.35 PM

 

It’s as if by that point the CIA had already decided to pursue a different option (which, if we can believe the CIA’s currently operative story to Leopold, was to apologize to Senator Feinstein in person rather than memorialize such an apology in writing).

But I wonder … given that they were going to include Eggleston on the original but saw no need to include him (and Clapper and Buckley) on the finalized letter … was the White House in the loop in the decision to unapologize?

As Leopold reminds in his story, Brennan looped Chief of Staff Denis McDonough in before the January searches of SSCI’s network, implicating (though insulated by two degrees of separation, if we believe the CIA’s story) the White House in the decision to spy on SSCI. Was the White House included in the decision on whether to apologize to Dianne Feinstein?

Tweet about this on TwitterShare on RedditShare on FacebookGoogle+Email to someone

Mankiw’s Principles of Economics Part 8: A Country’s Standard of Living Depends on Its Ability to Produce Goods and Services

The introduction to this series is here.
Part 1 is here.
Part 2 is here.
Part 3 is here.
Part 4 is here.
Part 5 is here.
Part 6 is here.
Part 7 is here.

Mankiw’s eighth principle of economics is: a country’s standard of living depends on its ability to produce goods and services. He points out that there are vast differences between the average incomes of different countries. In the US, average income has increased about 2% per year adjusted for increases in the cost of living, he says, and doubles about every 35 years. The explanation for this change is productivity, defined as “the amount of goods and services produced from each unit of labor time.” The growth rate of a nation’s productivity determines the growth rate of its average income, he asserts. He dismisses other explanations, such as the prevalence of labor unions and minimum wage laws. He claims that US productivity dropped in the 1970s which accounts for the slow growth of average wages over that period. He concludes with this claim:

To boost living standards, policymakers need to raise productivity by ensuring that workers are well-educated, have the tools needed to produce goods and services, and have access to the best available technology.

This principle supports Philip Mirowski’s Sixth Commandment of Neoliberalism: Thou Shalt Become the Manager of Thyself. “Human beings [are reduced] to an arbitrary bundle of “investments,” skill sets, temporary alliances (family, sex, race), and fungible body parts.” The goal of the entrepreneur of you is to find some way to make yourself valuable enough to fill a slot in some corporate entity that will pay off on your investments. It also supports the Ninth Commandment, Thou Shalt Know that Inequality is Natural, because it tells the entrepreneur of you that if you fail, it’s your fault for being insufficiently productive. The problem is always the workers; and never the owners of capital for they can do no wrong. That comes from the Tenth Commandment, Thou Shalt Not Blame Corporations and Monopolies, especially for investing their capital in foreign countries so jobs are created there instead of in the US. After all, the free flow of capital is critical in Capitalism, as we learn in Mirowski’s discussion of Commandment 8: Thou Shalt Keep Thy Cronyism Cosmopolitan.

Mankiw’s explanation is intellectually dishonest. He only talks about average incomes, not median incomes, and not the incomes of the working people of the US. That enables him to paint a false picture of the economy, and of the role of productivity in increasing standards of living. The leading work on this issue was done by Larry Mishel at the Economic Policy Institute. His April 2012 paper, The Wedges Between Productivity And Median Compensation Growth is the seminal work on this issue. Here’s an updated chart showing the disparity between wages and productivity. For a discussion of the productivity measurement, see this 2014 Bureau of Labor Statistics paper. It’s important to note that Mishel is using the median wage growth for production/non-supervisory workers, not total labor compensation. With this statistic, we look at the actual experience of approximately 80% of workers.
Wage-Productivity gap 1

According to Mishel, the gap in the chart from 2000 to 2011 is the result of three factors (see Table 1):

1. Income inequality increased, with the great gains going to the top few percentiles and the rest stagnant or falling, accounting for 39% of the gap.
2. Income shifted from labor to capital, accounting for 45% of the gap.
3. Output prices diverged from consumer prices, accounting for 16% of the gap.

Dave Dayen discusses Mishel’s paper here, focusing on efforts of conservatives to discredit Mishel’s work. The only consideration that seems even questionable is 3, and Dayen’s discussion seems fair. He concludes with this:

If you believe the Lawrence/Yglesias argument, policies that raise wages are secondary to policies that raise productivity more generally. If you believe the Mishel argument, reconnecting wages to productivity becomes central. Rather than stressing the need to acquire more education and skills, you would support increasing the minimum wage and allowing for more union organizing to put leverage in the hands of labor over capital. You would support proper use of overtime laws to reduce wage theft, and paid family and medical leave to keep wages strong during times of family stress.

But if productivity gains just leak out to the wealthy through financial engineering, all the growth in the world won’t benefit the typical worker.

Mankiw doesn’t acknowledge the problems with his principle, problems which have been evident for a long time as the chart shows. The source of this principle is the neoclassical argument of William Stanley Jevons and John Bates Clark which I discuss in detail here and here. Mankiw is preaching from the Natural Law Bible without mentioning it. This is a perfect example of Keynes’ dismissive statement on these writers: “We have not read these authors; we should consider their arguments preposterous if they were to fall into our hands.“ Certainly this principle is preposterous both factually and theoretically.

Tweet about this on TwitterShare on RedditShare on FacebookGoogle+Email to someone

Can (Should?) DHS Stave Off CISA?

Yesterday, DHS Secretary Jeh Johnson announced some shifts in the leadership of the National Cybersecurity and Communications Integration Center. The changes don’t amount to much — basically a change in reporting for Dr. Andy Ozment, who is already Assistant Secretary of the Office of Cybersecurity and Communications (though it’s worth noting that Ozment is one of the too-rare people high level in government cybersecurity positions with a technical background). Now, Ozment will report directly to Johnson.

But I am interested in the way DHS is making news, and when.

Last week, Al Franken released the response from DHS he got to some inquiries, notably about how the Cyber Information Sharing Act would affect efforts already underway to share data. Most reporting on it focused on privacy — that’s what Franken himself emphasized — but the letter itself provided far more detail on the information sharing already taking place through NCCIC.

The letter described five different means of sharing information currently in place.

  • In-person information sharing on the National Cybersecurity and Communications Integration Center (NCCIC) watch floor;
  • Bilateral sharing of cyber threat indicators, including via the Cyber Information Sharing and Collaboration Program (CISCP) and through automated sharing and receipt of cyber threat indicators;
  • As-needed information sharing via standing groups;
  • Broad dissemination of alerts and bulletins;
  • Strategic engagement and collaboration.

I was rather curious about the agencies with which NCCIC currently shares data.

  • US Northern Command
  • US Cyber Command
  • National Security Agency
  • Secret Service
  • Immigration and Customers Enforcement
  • Department of the Treasury
  • FBI
  • Department of Energy

This is a different list than the agencies that would automatically receive data under CISA — Commerce (which appears to serve a carrot-and-stick force in such issues) and the Office of Director of National Intelligence would not be on the list.

DHS also claimed to be “beginning to share ‘machine-readable’ cyber threat indicators and notes it will be expanding how many partners it will do so later this year.

Finally, as I noted earlier, DHS said it would take 6 months to implement the information sharing portal envisioned by CISA in place.

All of which is to say that DHS made a bid with this letter to Franken to say (as I interpreted), “we’re sharing data right now, but if CISA passes, not only will Americans get less protection, but it will stall cybersharing for 6 months.”

And now DHS is increasing the profile of its cyber staff.

I’d say all that was just bureaucratic wrangling — and it is that.

Except I think there is an opportunity, given the recess, the increasing calls for more substantive cyber legislation, and the inevitable roadblock once the Senate returns (particularly if, as is happening thus far, Ted Cruz is doing reasonably well or even poorly in the GOP Clown Show and has the incentive to cause headaches for Mitch McConnell in hopes of electoral gain) to present this as information sharing that is already advanced well beyond what CISA would do, and in a way that accomplishes what it is supposed to without the big downsides of CISA. That’s still an outside chance. But increasingly possible and — given how dumb CISA is — probably a better solution.

Tweet about this on TwitterShare on RedditShare on FacebookGoogle+Email to someone

Emptywheel Twitterverse

bmaz @cody_k In fairness, barring injury, you are projected to have a very good year this year in the Pac-12.
7mreplyretweetfavorite
bmaz @KellyFlood3 Would like that!
4hreplyretweetfavorite
JimWhiteGNV @joanneleon It's floating laminate.
5hreplyretweetfavorite
bmaz @KellyFlood3 Hey, went to Mejico the other day. Fantastic food....and reasonably priced too. Like that place!
6hreplyretweetfavorite
bmaz @KellyFlood3 Meh, can live w/o that tree, but it ripped up a key water feed pip in the process. No water in house until tomorrow am.
6hreplyretweetfavorite
bmaz @shenebraskan This one is toast. Has a date with a chainsaw.
6hreplyretweetfavorite
emptywheel RT @samhusseini: Great summary: “@evakatrina: Bernie Sanders: We Need More #Saudi Intervention. Wait, *what*? http://t.co/dcSgow3KB9
6hreplyretweetfavorite
emptywheel @mczajko Not sure. Hopefully the latter.
6hreplyretweetfavorite
emptywheel RT @CostaSamaras: Probably should include this and other needed resiliency investments in the social cost of carbon estimates. https://t.c…
6hreplyretweetfavorite
emptywheel @BryanSmart One excuse for not prosecuting the banks is bc a lot of people would lose their job. Guess what? @Object_InSpace
6hreplyretweetfavorite
emptywheel @BryanSmart Sure. Just like helping Al Qaeda get money for terrorism is against law. Lynch didn't prosecute HSBC for that @Object_InSpace
6hreplyretweetfavorite
emptywheel RT @TiaRachel: @emptywheel When my mom was a kid & angry at her mother, she'd tear off all the 'do not remove' tags to get her in trouble.
6hreplyretweetfavorite
August 2015
S M T W T F S
« Jul    
 1
2345678
9101112131415
16171819202122
23242526272829
3031