
[Photo: National Security Agency via Wikimedia]

If a Tech Amicus Falls in the Woods but Rosemary Collyer Ignores It, Would It Matter?

Six senators (Ron Wyden, Pat Leahy, Al Franken, Martin Heinrich, Richard Blumenthal, and Mike Lee) have just written presiding FISA Court judge Rosemary Collyer, urging her to add a tech amicus — or even better, a full time technical staffer — to the FISA Court.

The letter makes no mention of Collyer’s recent consideration of the 702 reauthorization certificates, nor even of any specific questions the tech amicus might consider.

That’s unfortunate. In my opinion, the letter entirely dodges the real underlying issue, at least as it pertains to Collyer, which is her unwillingness to adequately challenge or review Executive branch assertions.

In her opinion reauthorizing Section 702, Collyer apparently never once considered appointing an amicus, even a legal one (who, under the USA Freedom structure, could have suggested bringing in a technical expert). She refused to do so in a reconsideration process that — because of persistent problems arising from technical issues — stretched over seven months.

I argued then that that means Collyer broke the law, violating USA Freedom Act’s requirement that the FISC at least consider appointing an amicus on matters raising novel or significant issues and, if choosing not to do so, explain that decision.

In any case, this opinion makes clear that what should have happened, years ago, is a careful discussion of how packet sniffing works, and where a packet collected by a backbone provider stops being metadata and starts being content, and all the kinds of data NSA might want to and does collect via domestic packet sniffing. (They collect far more under EO 12333.) As mentioned, some of that discussion may have taken place in advance of the 2004 and 2010 opinions approving upstream collection of Internet metadata (though, again, I’m now convinced NSA was always lying about what it would take to process that data). But there’s no evidence the discussion has ever happened when discussing the collection of upstream content. As a result, judges are still using made up terms like MCTs, rather than adopting terms that have real technical meaning.

For that reason, it’s particularly troubling Collyer didn’t use — didn’t even consider using, according to the available documentation — an amicus. As Collyer herself notes, upstream surveillance “has represented more than its share of the challenges in implementing Section 702” (and, I’d add, Internet metadata collection).

At a minimum, when NSA was pitching fixes to this, she should have stopped and said, “this sounds like a significant decision” and brought in amicus Amy Jeffress or Marc Zwillinger to help her think through whether this solution really fixes the problem. Even better, she should have brought in a technical expert who, at a minimum, could have explained to her that SCTs pose as big a problem as MCTs; Steve Bellovin — one of the authors of this paper that explores the content versus metadata issue in depth — was already cleared to serve as the Privacy and Civil Liberties Oversight Board’s technical expert, so presumably could easily have been brought in to consult here.

That didn’t happen. And while the decision whether or not to appoint an amicus is at the court’s discretion, Collyer is obligated to explain why she didn’t choose to appoint one for anything that presents a significant interpretation of the law.

A court established under subsection (a) or (b), consistent with the requirement of subsection (c) and any other statutory requirement that the court act expeditiously or within a stated time–

(A) shall appoint an individual who has been designated under paragraph (1) to serve as amicus curiae to assist such court in the consideration of any application for an order or review that, in the opinion of the court, presents a novel or significant interpretation of the law, unless the court issues a finding that such appointment is not appropriate;

For what it’s worth, my guess is that Collyer didn’t want to extend the 2015 certificates (as it was, she didn’t extend them as long as NSA had asked in January), so figured there wasn’t time. There are other aspects of this opinion that make it seem like she just gave up at the end. But that still doesn’t excuse her from explaining why she didn’t appoint one.

Instead, she wrote a shitty opinion that doesn’t appear to fully understand the issue and that defers, once again, the issue of what counts as content in a packet.

Without even considering an amicus, Collyer for the first time affirmatively approved the back door searches of content she knows will include entirely domestic communications, effectively affirmatively permitting the NSA to conduct warrantless searches of entirely domestic communications, and with those searches to use FISA for domestic surveillance. In approving those back door searches, Collyer did not conduct her own Fourth Amendment review of the practice.

Moreover, she adopted a claimed fix to a persistent problem — the collection of domestic communications via packet sniffing — without showing any inkling of testing whether the fix accomplished what it needed to. Significantly, in spite of 13 years of problems with packet sniffing collection under FISA, the court still has no public definition about where in a packet metadata ends and content begins, making her “abouts” fix — a fix that prohibits content sniffing without defining content — problematic at best.

I absolutely agree with these senators that the FISC should have its own technical experts.

But in Collyer’s case, the problem is larger than that. Collyer simply blew off USA Freedom Act’s obligation to consider an amicus entirely. Had she appointed Marc Zwillinger, I’m confident he would have raised concerns about the definition of content (as he did when he served as amicus on a PRTT application), whether or not he persuaded her to bring in a technical expert to further lay out the problems.

Collyer never availed herself of the expertise of Zwillinger or any other independent entity, though. And she did so in defiance of the intent of Congress, that she at least explain why she felt she didn’t need such outside expertise.

And she did so in an opinion that made it all too clear she really, really needed that help.

In my opinion, Collyer badly screwed up this year’s reauthorization certificates, kicking the problems created by upstream collection down the road, to remain a persistent FISA problem for years to come. But she did so by blowing off the clear requirement of law, not because she didn’t have technical expertise to rely on (though the technical expertise is probably necessary to finally resolve the issues raised by packet sniffing).

Yet no one but me — not even privacy advocates testifying before Congress — wants to call her out for that.

Congress already told the FISA court they “shall” ask for help if they need it. Collyer demonstrably needed that help but refused to consider using it. That’s the real problem here.

I agree with these senators that FISC badly needs its own technical experts. But a technical amicus will do no good if, as Collyer did, a FISC judge fails to consult her amici.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including Vice, Motherboard, the Nation, the Atlantic, Al Jazeera, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse in Grand Rapids, MI.

Chris Wray’s DodgeBall and Trump’s Latest Threats

Though I live-tweeted it, I never wrote up Christopher Wray’s confirmation hearing to become FBI Director. Given the implicit and explicit threats against prosecutorial independence Trump made in this interview, the Senate should hold off on Wray’s confirmation until it gets far more explicit answers to some key questions.

Trump assails judicial independence

The NYT interview is full of Trump’s attacks on prosecutorial independence.

It started when Trump suggested (perhaps at the prompting of Michael Schmidt) that Comey only briefed Trump on the Christopher Steele dossier so he could gain leverage over the President.

Later, Trump called Sessions’ recusal “unfair” to the President.

He then attacked Rod Rosenstein by suggesting the Deputy Attorney General (who, Ryan Reilly pointed out, is from Bethesda) must be a Democrat because he’s from Baltimore.

Note NYT goes off the record (note the dashed line) with Trump in his discussions about Rosenstein at least twice (including for his response to whether it was Sessions’ fault or Rosenstein’s that Mueller got appointed), and NYT’s reporters seemingly don’t think to point out to the President that he appeared to suggest he had no involvement in picking DOJ’s #2, which would seem to be crazy news if true.

Finally, Trump suggested (as he has elsewhere) Acting FBI Director Andrew McCabe is pro-Clinton.

Having attacked all the people who are currently or who have led the investigation into him (elsewhere in the interview, though, Trump claims he’s not under investigation), Trump then suggested that FBI Directors report directly to the President. In that context, he mentioned there’ll soon be a new FBI Director.

In other words, this mostly softball interview (though Peter Baker made repeated efforts to get Trump to explain the emails setting up the June 9, 2016 meeting) served as a largely unfettered opportunity for Trump to take aim at every major DOJ official and at the concept of all prosecutorial independence. And in that same interview, he intimated that the reporting requirements with Christopher Wray — who got nominated, ostensibly, because Comey usurped the chain of command requiring him to report to Loretta Lynch — would amount to Wray reporting directly to Trump.

Rosenstein does what he says Comey should be fired for

Close to the same time this interview was being released, Fox News released an “exclusive” interview with Rod Rosenstein, one of two guys who acceded to the firing of Jim Comey ostensibly because the FBI Director made inappropriate comments about an investigation. In it, the guy overseeing Mueller’s investigation into (in part) whether Trump’s firing of Comey amounted to obstruction of justice, Rosenstein suggested Comey acted improperly in releasing the memos that led to Mueller’s appointment.

And he had tough words when asked about Comey’s recent admission that he used a friend at Columbia University to get a memo he penned on a discussion with Trump leaked to The New York Times.

“As a general proposition, you have to understand the Department of Justice. We take confidentiality seriously, so when we have memoranda about our ongoing matters, we have an obligation to keep that confidential,” Rosenstein said.

Asked if he would prohibit releasing memos on a discussion with the president, he said, “As a general position, I think it is quite clear. It’s what we were taught, all of us as prosecutors and agents.”

While Rosenstein went on to defend his appointment of Mueller (and DOJ’s reinstatement of asset forfeitures), he appears to have no clue that he undermined his act even as he defended it.

Christopher Wray’s dodge ball

Which brings me to Wray’s confirmation hearing.

In fact, there were some bright spots in Christopher Wray’s confirmation hearing, mostly in its last dregs. For example, Dick Durbin noted that DOJ used to investigate white collar crime, but then stopped. Wray suggested DOJ had lost its stomach for such things, hinting that he might “rectify” that.

Similarly, with the last questions of the hearing Mazie Hirono got the most important question about the process of Wray’s hiring answered, getting Wray to explain that only appropriate people (Trump, Don McGahn, Reince Priebus, Mike Pence) were in his two White House interviews.

But much of the rest of the hearing alternated between Wray’s obviously well-rehearsed promises he would never be pressured to shut down an investigation and a series of dodged questions. Those dodges included:

  • What he did with the 2003 torture memo (dodge 1)
  • Whether 702 should have more protections (dodge 2)
  • Why did Trump fire Comey (dodge 3)
  • To what extent the Fourth Amendment applies to undocumented people in the US (dodge 4)
  • What we should do about junk science (dodge 5)
  • Whether Don Jr should have taken a meeting with someone promising Russian government help to get Trump elected (dodge 6)
  • Whether Lindsey Graham had fairly summarized the lies Don Jr told about his June 9, 2016 meeting (dodge 7)
  • Can the President fire Robert Mueller (dodge 8)
  • Whether it was a good idea to form a joint cyber group with Russia (dodge 9)
  • The role of tech in terrorist recruitment (dodge 9 the second)
  • Whether FBI Agents had lost faith in Comey (dodge 10)
  • Who was in his White House interview — though this was nailed down in a Hirono follow up (dodge 11)

Now, don’t get me wrong, this kind of dodge ball is par for the course for executive branch nominees in this era of partisan bickering — it’s the safest way for someone who wants a job to avoid pissing anyone off.

But at this time of crisis, we can’t afford the same old dodge ball confirmation hearing.

Moreover, two of these dodges are inexcusable, in my opinion. First, his non-responses on 702. That’s true, first of all, because if and when he is confirmed, he will have to jump into the reauthorization process right away, and those who want basic reforms let Wray off the hook on an issue they could have gotten commitments on. I also find it inexcusable because Wray pleaded ignorance about 702 even though he played a key role in (not) giving defendants discovery on Stellar Wind, and otherwise was read into Stellar Wind after 2004, meaning he knows generally how PRISM works. He’s not ignorant of PRISM, and given how much I know about 702, he shouldn’t be ignorant of that, either.

But the big one — the absolutely inexcusable non-answer that would lead me to vote against him — is his claim not to know the law about whether the President can fire Robert Mueller himself.

Oh, sure, as FBI Director, Wray won’t be in the loop in any firing. But by not answering a question the answer to which most people watching the hearing had at least looked up, Wray avoided going on the record on an issue that could immediately put him at odds with Trump, the guy who thinks Wray should report directly to him.

Add to that the Committee’s failure to ask Wray two other questions I find pertinent (and his answers on David Passaro’s prosecution either revealed cynical deceit about his opposition to torture or lack of awareness of what really happened with that prosecution).

The first question Wray should have been asked (and I thought would have been by Al Franken, who instead asked no questions) is the circumstances surrounding Wray’s briefing of John Ashcroft about the CIA Leak investigation in 2003, including details on Ashcroft’s close associate Karl Rove’s role in exposing Valerie Plame’s identity.

Sure, at some level, Wray was just briefing his boss back in 2003 when he gave Ashcroft details he probably shouldn’t have. The fault was Ashcroft’s, not Wray’s. But being willing to give an inappropriate briefing in 2003 is a near parallel to where Comey found himself, being questioned directly by Trump on a matter which Trump shouldn’t have had access to. And asking Wray to explain his past actions is a far, far better indication of how he would act in the (near) future than his rehearsed assurances he can’t be pressured.

The other question I’d have loved Wray to get asked (though this is more obscure) is how, as Assistant Attorney General for the Criminal Division under Bush, he implemented the July 22, 2002 Jay Bybee memo permitting the sharing of grand jury information directly with the President and his top advisors without notifying the district court of that sharing. I’d have asked Wray this question because it was something he would have several years of direct involvement with (potentially even with the Plame investigation!), and it would serve as a very good stand-in for his willingness to give the White House an inappropriate glimpse into investigations implicating the White House.

There are plenty more questions (about torture and the Chiquita settlement, especially) I’d have liked Wray to answer.

But in spite of Wray’s many rehearsed assurances he won’t spike any investigation at the command of Donald Trump, he dodged (and was not asked) key questions that would have made him prove that with both explanations of his past actions and commitments about future actions.

Given Trump’s direct assault on prosecutorial independence, an assault he launched while clearly looking forward to having Wray in place instead of McCabe, the Senate should go back and get answers. Trump has suggested he thinks Wray will be different than Sessions, Rosenstein, Comey, and McCabe. And before confirming Wray, the Senate should find out whether Trump has a reason to believe that.

Update: I did not realize that between the time I started this while you were all asleep and the time I woke up in the middle of the night, Oz time, the SJC voted Wray out unanimously, which is a testament to the absolute dearth of oversight in the Senate.


Jeff Sessions’ Narrow Recusal

Update: I was on Democracy Now on these issues today. Here’s the link.

As you know, after two meetings with Russian Ambassador Sergey Kislyak that he did not reveal in response to specific questions posed as part of his confirmation process were exposed, Attorney General Jeff Sessions recused from any investigation into the elections.

Contrary to much reporting on the recusal, it was nowhere near a complete recusal from matters pertaining to Trump’s administration and its ties to Russia. Here’s what Sessions said in his statement:

During the course of the confirmation proceedings on my nomination to be Attorney General, I advised the Senate Judiciary Committee that ‘[i]f a specific matter arose where I believed my impartiality might reasonably be questioned, I would consult with Department ethics officials regarding the most appropriate way to proceed.’

During the course of the last several weeks, I have met with the relevant senior career Department officials to discuss whether I should recuse myself from any matters arising from the campaigns for President of the United States.

Having concluded those meetings today, I have decided to recuse myself from any existing or future investigations of any matters related in any way to the campaigns for President of the United States.

I have taken no actions regarding any such matters, to the extent they exist.

This announcement should not be interpreted as confirmation of the existence of any investigation or suggestive of the scope of any such investigation.

Consistent with the succession order for the Department of Justice, Acting Deputy Attorney General and U.S. Attorney for the Eastern District of Virginia Dana Boente shall act as and perform the functions of the Attorney General with respect to any matters from which I have recused myself to the extent they exist.

As I emphasized, the only thing he is recusing from is “existing or future investigations of any matters related in any way to the campaigns for President of the United States.”

There are two areas of concern regarding Trump’s ties that would not definitively be included in this recusal: Trump’s long-term ties to mobbed up businessmen with ties to Russia (a matter not known to be under investigation but which could raise concerns about compromise of Trump going forward), and discussions about policy that may involve quid pro quos (such as the unproven allegation, made in the Trump dossier, that Carter Page might take 19% in Rosneft in exchange for ending sanctions against Russia), that didn’t involve a pay-off in terms of the hacking. There are further allegations of Trump involvement in the hacking (a weak one against Paul Manafort and a much stronger one against Michael Cohen, both in the dossier), but that’s in no way the only concern raised about Trump’s ties with Russians.

The concern about the scope of Sessions’ recusal is underscored by the way in which he narrowly addressed his lies to the Senate. Here is his answer to Al Franken, which was a question about campaign surrogates, but did not ask about communications about the campaign.

FRANKEN: CNN has just published a story and I’m telling you this about a news story that’s just been published. I’m not expecting you to know whether or not it’s true or not. But CNN just published a story alleging that the intelligence community provided documents to the president-elect last week that included information that quote, “Russian operatives claimed to have compromising personal and financial information about Mr. Trump.” These documents also allegedly say quote, “There was a continuing exchange of information during the campaign between Trump’s surrogates and intermediaries for the Russian government.”

Now, again, I’m telling you this as it’s coming out, so you know. But if it’s true, it’s obviously extremely serious and if there is any evidence that anyone affiliated with the Trump campaign communicated with the Russian government in the course of this campaign, what will you do?

SESSIONS: Senator Franken, I’m not aware of any of those activities. I have been called a surrogate at a time or two in that campaign and I didn’t have — did not have communications with the Russians, and I’m unable to comment on it.

His press conference and a (surprisingly good) interview with Tucker Carlson underscore that he is just addressing questions about the election, not conversations with Russians generally (conversations that might address those other two concerns, especially that of influencing policy on things like Ukraine). In the interview, Sessions denied having conversations with Russians “on a continuing basis to advance any kind of campaign agenda” and said “I never had any conversations with the Russians about the campaign.”

By Sessions’ own admission, the conversation with Kislyak concerned Ukraine; he said Kislyak was pushing back on what the Ukrainian Ambassador had said just the day before, though Sessions claims he himself pushed back as well.

That’s important because the key policy issue on which there have been concerns about undue influence is Ukraine.

It is not illegal to have meetings with an Ambassador, where the Ambassador makes a case for policies his country supports — precisely what appears to have gone on in the meeting Sessions did not disclose. But the (thus far unproven) allegations involving other Trump officials go beyond that, without necessarily pertaining to the election. That’s why Sessions’ recusal is far too narrow to be meaningful.


After We Help the Saudis Commit More War Crimes We’re Going to Mars!

This afternoon, the Senate had a debate on Chris Murphy and Rand Paul’s resolution to halt the sale of $1.5 billion in arms to the Saudis to use on their invasion of Yemen.

The debate was repulsive.

The opponents of the measure — led by Mitch McConnell, John McCain, and Lindsey Graham — had little to say about the well-being of Yemenis.

Lindsey even shrugged off both Saudi support for terrorism.

[shrugs] They have double dealing in the past of helping terrorist organizations.

And Saudi bombing of civilians.

They have dropped bombs on civilians. There’s no way to wage war without [shrugs again] mistakes being made.

But we had to help the Saudis kill Yemeni civilians, Lindsey argued, because Iran humiliated American sailors who entered Iranian waters, purportedly because of navigation errors.

That argument — one which expressed no interest in the well-being of Yemenis but instead pitched this as a battle for hegemony in the Middle East — held the day. By a vote of 71-27, the Senate voted to table the resolution.

If your Senators voted against tabling this amendment, please call to thank them:

Baldwin (D-WI)
Blumenthal (D-CT)
Booker (D-NJ)
Boxer (D-CA)
Cantwell (D-WA)
Durbin (D-IL)
Franken (D-MN)
Gillibrand (D-NY)
Heinrich (D-NM)
Heller (R-NV)
Hirono (D-HI)
Kirk (R-IL)
Klobuchar (D-MN)
Leahy (D-VT)
Lee (R-UT)
Markey (D-MA)
Murphy (D-CT)
Murray (D-WA)
Paul (R-KY)
Reid (D-NV)
Sanders (I-VT)
Schatz (D-HI)
Stabenow (D-MI)
Tester (D-MT)
Udall (D-NM)
Warren (D-MA)
Wyden (D-OR)

The creepiest thing, however, came just after the vote. Bill Nelson (D-Mission to Space) got up, not just to do a victory lap that the US would continue to support Saudi war crimes. But he also announced a resolution passed earlier, which funds NASA to send humans to Mars by 2030, with an eye to colonizing the red planet.

It was as if he was saying that proliferating arms and war crimes on this globe won’t matter so much because we can just go colonize another.


Surrogating the 2016 American Presidency

Tonight was the opening of the Democratic National Convention. It was a rather stunning difference from the scenes on the street yesterday and today, where there were minimal and well behaved cops in Philly as contrasted with the warrior cop oppressive stormtrooper presence in Cleveland. From my reporter friends from the Arizona Republic, the food is totally better in Philly too. Hey, armies move on food, and cheesesteaks rule.

Is everything coming up roses? Nope. There was the whole Debbie Wasserman Schultz thing. She was well advised by our friend David Dayen to stay away and excommunicate herself from the convention podium. But, crikey, the rest simply looks beautiful. Sanders supporters marching in the streets for change, mostly unfettered and unoppressed, other voices being heard, and all relative delegates meeting and co-existing in the halls. This ain’t the dysfunctional RNC bigoted shit show. That, in and of itself, would be worth this post. There is more.

Don’t let cable coverage and the relentless yammer of their panels of self interested toadies fool you, the few true camera pans at the RNC showed more than a few empty seats and a far smaller crowd (especially in the upper decks) than displayed tonight at the DNC.

The real tell, in difference, was in the quality of the speakers and presentation. The only lasting memory from the RNC’s opening night was the embarrassing plagiarism in Melania Trump’s speech. Honestly, my bet is that is not on her, but the understaffed and idiot handlers her narcissistic, yet bumbling, husband provided. That said, it was a res ipsa loquitur deal and, in the end, spoke for itself. What else do you remember from that night other than Tim Tebow did not appear? I got nuthin.

The first night of the DNC in Philly, however, came with a litany of decent and well presented folks presented to a full and energetic hall. Emphasis on full. The dynamics in staging and presentation were stark. As were the quality and mental coherence of the speakers. The first electric moment came when Sarah Silverman, who along with Al Franken, was doing a bit and intro to Paul Simon singing (a geriatric, albeit mesmerizing) Bridge Over Troubled Water. Silverman and Franken had to kill an extra 120 seconds or so and she blurted out some hard, and real, truth that her fellow Bernie Sanders supporters who refuse to help Clinton defeat Trump are flat out “being ridiculous”. Truer words have never been spoken.

But soon came Michelle Obama to the podium. I am not sure I have the words to describe how good Michelle was. As a convention speaker, a surrogate, a leader, a mother and as a First Lady embodying all of the above. Michelle Obama killed it. She blew the joint up. I don’t know how else to describe it, but if you did not witness it live, watch the video up at top. Just do it.

Frankly, at the conclusion of Michelle Obama’s speech, it was hard to see how the last two key speakers, Elizabeth Warren and Bernie Sanders, could possibly top the moment. Sadly, they could not. Liz Warren gave a great, and often in depth, speech. One that absolutely slayed Donald Trump in nearly every way. On its own, it would have been noteworthy. But sandwiched between the brilliance of Michelle Obama and Sanders, with his acolytes cheering and hers still reeling, it seemed good, but not great.

Bernie Sanders caught a little more fire, but mostly because of his yuuge contingent of supporters. And that is not just a good thing, it is a great thing. Sanders did everything, and more, he should have done in this speech by ginning up the classic points and issues his campaign, and its followers, were built on…and then transferring them to Clinton.

It did not work perfectly, but this will be a process up until the election date on November 8. Bernie went a long way, gracefully and patiently, tonight. And, while the cheering crowd appeared to be much more than just the “Sandernistas”, all of the hall seemed to get on board. That, along with Sarah Silverman telling holdout Bernie Busters to wake up and not be ridiculous, were giant steps in unifying support for Clinton over Trump.

Listen, I have been around the block a few times, and know I am supposed to lead with the headline. Sorry, this one worked up to it, and here it is. The RNC and Trump got their lousy bounce because the media, once again, cravenly portrayed what happened in Cleveland as normal, and tit for tat, with what is happening, and will happen, in Philadelphia. That is simply a ratings and craven click germinated lie. The difference is stark.

Nowhere is it more stark than in the picture painted as to the surrogates who will come out of the respective conventions to campaign for their respective candidate between now and November 8.

Um, let’s see, for the GOP we have Newt, Carson, Melania, Thiel, Flynn, Joe Arpaio and Chachi Baio. I excluded Ivanka because she might actually be competent. Seriously, that is basically it for Trump surrogates. From the whole convention. Even Clint Eastwood’s chair took a pass in this, the year of the Orange Faced Short Fingered Vulgarian Bigot.

Let’s compare that with what came out of the Democratic Convention’s first night. Sarah Silverman, Al Franken, Paul Simon, Eva Longoria, Corey Booker and, then, the big three…Michelle Obama, Liz Warren and Bernie Sanders. That is just the first night folks.

See a bit of a dichotomy in personality and credibility there?

Then picture that Clinton’s road warrior surrogates will include not just the above, but also Joe Biden, President Barack Obama and the Big Dog himself, Bill Clinton.

Elections are won in the trenches. Say what you will about Hillary Clinton, and I will probably join you on many negatives, but the Clintons do have a ground operation. And their surrogates are like the 1927 Yankees compared to the Bad News Bears for Trump and the RNC. How will Trump bolster his bench, by bringing in Roger Ailes to molest the women of America? Is there another ground plan for the Trump Juggalos?

Sure, Clinton can still muck it up and lose. She, and the DNC, have been beyond pathetic in how they have treated nearly half their party, and much of their activist base, during the primaries and aftermath. Not just ugly, but stupid. They deserve any hell they get for that, whether it comes from appropriately enraged Sanders supporters or from press reporting on hacks (THE RUSSIANS ARE COMING, THE RUSSIANS ARE COMING!!!)

Bottom line is this: Which set of surrogates would you think would do a better job spreading out over the country: Crazy Newt, Racist Flynn, Bigot Arpaio and Chachi, …. or Michelle Obama, Liz Warren, Bernie Sanders, Barack Obama and Joe Biden?

Think I will go with the latter, and I think they will reach a heck of a lot more voters who will actually engage than will the trite and petty bigots Trump will have on the public offer.

And the Dems have a laundry list of other quality surrogates who will stand up. Trump has apparent Klan worthy members like Jeff Sessions, felons like Don King and Mike Tyson, and people who seek to be them.

Who you gonna call when it comes time to vote?

Seems like an easy decision, especially when you consider that the next 30 to 35 years of ideological control of the Supreme Court hang in the balance.

Bmaz is a rather large saguaro cactus in the Southwestern Sonoran desert. A lover of the Constitution, law, family, sports, food and spirits. As you might imagine, a bit prickly occasionally. Bmaz has attended all three state universities in Arizona, with both undergraduate and graduate degrees from Arizona State University, and with significant post-graduate work (in physics and organic chemistry, go figure) at both the University of Colorado in Boulder and the University of Arizona. Married, with both a lovely child and a giant Sasquatch dog. Bmaz has been a participant on the internet since the early 2000’s, including active participation in the precursor to Emptywheel, The Next Hurrah. Formally joined the Emptywheel blog as an original contributing member at its founding in 2007. Bmaz grew up around politics, education, sports and, most significantly, cars; notably around Formula One racing and Concours de Elegance automobile restoration and showing. Currently lives in the Cactus Patch with his lovely wife and beast of a dog, and practices both criminal and civil trial law.

How the Purpose of the Data Sharing Portal Changed Over the OmniCISA Debate

Last year, House Homeland Security Chair Michael McCaul offered up his rear-end to be handed back to him in negotiations leading to the passage of OmniCISA on last year’s omnibus. McCaul was probably the only person who could have objected to such a legislative approach because it deprived him of weighing in as a conferee. While he made noise about doing so, ultimately he capitulated and let the bill go through — and be made less privacy protective — as part of the must-pass budget bill.

Which is why I was so amused by McCaul’s op-ed last week, including passage of OmniCISA among the things he has done to make the country more safe from hacks. Here was a guy, holding his rear-end in his hands, plaintively denying that, by claiming that OmniCISA reinforced his turf.

I was adamant that the recently-enacted Cybersecurity Act include key provisions of my legislation H.R. 1731, the National Cybersecurity Protection Advancement Act. With this law, we now have the ability to be more efficient while protecting both our nation’s public and private networks.

With these new cybersecurity authorities signed into law, the Department of Homeland Security (DHS) will become the sole portal for companies to voluntarily share information with the federal government, while preventing the military and NSA from taking on this role in the future.

With this strengthened information-sharing portal, it is critical that we provide incentives to private companies who voluntarily share known cyber threat indicators with DHS. This is why we included liability protections in the new law to ensure all participants are shielded from the reality of unfounded litigation.

While security is vital, privacy must always be a guiding principle. Before companies can share information with the government, the law requires them to review the information and remove any personally identifiable information (PII) unrelated to cyber threats. Furthermore, the law tasks DHS and the Department of Justice (DOJ) to jointly develop the privacy procedures, which will be informed by the robust existing DHS privacy protocols for information sharing.

[snip]

Given DHS’ clearly defined lead role for cyber information sharing in the Cybersecurity Act of 2015, my Committee and others will hold regular oversight hearings to make certain there is effective implementation of these authorities and to ensure Americans’ privacy and civil liberties are properly protected.

It is true that under OmniCISA, DHS is currently (that is, on February 1) the sole portal for cyber-sharing. It’s also true that OmniCISA added DHS, along with DOJ, to those in charge of developing privacy protocols. There are also other network defense measures OmniCISA tasked DHS with. Though, with the move of the security clearances function (along with the budget OPM had been asking for to do it right but not getting) to DOD earlier in January, the government has apparently adopted a preference for moving its sensitive functions to networks DOD (that is, NSA) will guard rather than DHS. But McCaul’s bold claims really make me wonder about the bureaucratic battles that may well be going on as we speak.

Here’s how I view what actually happened with the passage of OmniCISA. It is heavily influenced by these three Susan Hennessey posts, in which she tried to convince readers that DHS’ previously existing portal ensured privacy would be protected, but by the end seemed to concede that’s not how it might work out.

  1. CISA in Context: Privacy Protections and the Portal
  2. CISA in Context: The Voluntary Sharing Model and that “Other” Portal
  3. CISA in Context: Government Use and What Really Matters for Civil Liberties

Underlying the entire OmniCISA passage is a question: Why was it necessary? Boosters explained that corporations wouldn’t share willingly without all kinds of immunities, which is surely true, but the same boosters never explained why an info-sharing system was so important when experts were saying it was way down the list of things that could make us safer and similar info-sharing has proven not to be a silver bullet. Similarly, boosters did not explain the value of a system that not only did nothing to require that cyber information shared with corporations be used to protect their networks, but, by giving them immunity (in final passage) if they did nothing with information and then got pwned, made it less likely they will use the data. Finally, boosters ignored the ways in which OmniCISA not only creates privacy risks, but also expands new potential vectors of attack or counterintelligence collection for our adversaries.

So why was it necessary, especially given the many obvious ways in which it was not optimally designed to encourage monitoring, sharing, and implementation from network owners? Why was it necessary, aside from the fact that our Congress has become completely unable to demand corporations do anything in the national interest and there was urgency to pass something, anything, no matter how stinky?

Indeed, why was legislation doing anything except creating some but not all these immunities necessary if, as former NSA lawyer Hennessey claimed, the portal laid out in OmniCISA in fact got up and running on October 31, between the time CISA passed the Senate and the time it got weakened significantly and rammed through Congress on December 18?

At long last DHS has publicly unveiled its new CISA-sanctioned, civil-liberties-intruding, all-your-personal-data-grabbing, information-sharing uber vacuum. Well, actually, it did so three months ago, right around the time these commentators were speculating about what the system would look like. Yet even as the cleverly-labeled OmniCISA passed into law last month, virtually none of the subsequent commentary took account of the small but important fact that the DHS information sharing portal has been up and running for months.

Hennessey appeared to think this argument was very clever, to suggest that “virtually no” privacy advocates (throughout her series she ignored that opposition came from privacy and security advocates) had talked about DHS’ existing portal. She must not have Googled that claim, because if she had, it would have become clear that privacy (and security) people had discussed DHS’ portal back in August, before the Senate finalized CISA.

Back in July, Al Franken took the comedic step of sending a letter to DHS basically asking, “Say, you’re already running the portal that is being legislated in CISA. What do you think of the legislation in its current form?” And DHS wrote back and noted that the portal being laid out in CISA (and the other sharing permitted under the bill) was different in several key ways from what it was already implementing.

Its concerns included:

  • Because companies could share with other agencies, the bill permitted sharing content with law enforcement. “The authorization to share cyber threat indicators and defensive measures with ‘any other entity or the Federal Government,’ ‘notwithstanding any other provision of law’ could sweep away important privacy protections, particularly the provisions in the Stored Communications Act limiting the disclosure of the content of electronic communications to the government by certain providers.”
  • The bill permitted companies to share more information than that permitted under the existing portal. “Unlike the President’s proposal, the Senate bill includes ‘any other attribute of a cybersecurity threat’ within its definition of cyber threat indicator.”
  • Because the bill required sharing in real time rather than in near-real time, it would mean DHS could not do all the privacy scrubs it was currently doing. “If DHS distributes information that is not scrubbed for privacy concerns, DHS would fail to mitigate and in fact would contribute to the compromise of personally identifiable information by spreading it further.”
  • Sharing in real rather than near-real time also means participants might get overloaded with extraneous information (something that has made existing info-sharing regimes ineffective). “If there is no layer of screening for accuracy, DHS’ customers may receive large amounts of information with dubious value, and may not have the capability to meaningfully digest that information.”
  • The bill put the Attorney General, not DHS, in charge of setting the rules for the portal. “Since sharing cyber threat information with the private sector is primarily within DHS’s mission space, DHS should author the section 3 procedures, in coordination with other entities.”
  • The 90-day implementation timeline was too ambitious; according to DHS, the bill should provide for a 180-day implementation. “The 90-day timeline for DHS’s deployment of a process and capability to receive cyber threat indicators is too ambitious, in light of the need to fully evaluate the requirements pertaining to that capability once legislation passes and build and deploy the technology.”

As noted, that exchange took place in July (most responses to it appeared in August). While a number of amendments addressing DHS’ concerns were proposed in the Senate, I’m aware of only two that got integrated into the bill that passed: an Einstein (that is, federal network monitoring) related request, and DHS got added — along with the Attorney General — in the rules-making function. McCaul mentioned both of those things, along with hailing the “more efficient” sharing that may refer to the real-time versus almost real-time sharing, in his op-ed.

Not only did the Senate fail to respond to most of the concerns DHS raised; as I noted in another post on the portal, the Senate also gave other agencies veto power over DHS’ scrub (this was sort of the quid pro quo of including DHS in the rule-making process, and it was how the Ranking Member on the Senate Homeland Security Committee, Tom Carper, got co-opted on the bill), which exacerbated the real versus almost-real-time sharing problem.

All that happened by October 27, days before the portal based on Obama’s executive order got fully rolled out. The Senate literally passed changes to the portal as DHS was running it days before it went into full operation.

Meanwhile, one more thing happened: as mandated by the Executive Order underlying the DHS portal, the Privacy and Civil Liberties Oversight Board helped DHS set up its privacy measures. This is, as I understand it, the report Hennessey points to in pointing to all the privacy protections that will make OmniCISA’s elimination of warrant requirements safe.

Helpfully, DHS has released its Privacy Impact Assessment of the AIS portal which provides important technical and structural context. To summarize, the AIS portal ingests and disseminates indicators using—acronym alert!—the Structured Threat Information eXchange (STIX) and Trusted Automated eXchange of Indicator Information (TAXII). Generally speaking, STIX is a standardized language for reporting threat information and TAXII is a standardized method of communicating that information. The technology has many interesting elements worth exploring, but the critical point for legal and privacy analysis is that by setting the STIX TAXII fields in the portal, DHS controls exactly which information can be submitted to the government. If an entity attempts to share information not within the designated portal fields, the data is automatically deleted before reaching DHS.
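What a field allowlist of the kind Hennessey describes does, and does not do, as an added illustration (this is not code from DHS, from Hennessey, or from this post): the function below keeps only pre-defined indicator fields, discards everything else before storage, and then shows why that by itself is not the privacy scrub DHS said it needed near-real-time latitude to perform. The field names are modeled on STIX 2 indicator objects and the allowlist is an assumption; the actual AIS field configuration is not described here.

```python
import re

# Assumed portal configuration: the fields that are "open". Any other field in
# a submission is discarded. Names are modeled on STIX 2 indicator objects, not
# on DHS's real AIS schema.
ALLOWED_FIELDS = frozenset(
    {"type", "id", "created", "valid_from", "pattern", "indicator_types"}
)

# Observable types a pattern may reference: infrastructure and file artifacts
# only, never identity or message observables (also an assumption).
ALLOWED_OBSERVABLES = frozenset(
    {"ipv4-addr:value", "ipv6-addr:value", "domain-name:value",
     "url:value", "file:hashes"}
)

OBSERVABLE_RE = re.compile(r"\[([a-z0-9-]+:[a-z_]+)")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


def filter_submission(obj):
    """Apply the field allowlist to one submitted object.

    Returns (kept, dropped): `kept` is the object reduced to allowed fields, or
    None if the object is rejected outright; `dropped` lists what was discarded.
    Objects that are not indicators (e.g. a message body) never get in at all.
    """
    if obj.get("type") != "indicator":
        return None, sorted(obj)
    dropped = sorted(k for k in obj if k not in ALLOWED_FIELDS)
    kept = {k: obj[k] for k in obj if k in ALLOWED_FIELDS}
    observables = OBSERVABLE_RE.findall(kept.get("pattern", ""))
    # The pattern itself must reference only permitted observable types.
    if not observables or any(o not in ALLOWED_OBSERVABLES for o in observables):
        return None, dropped + ["pattern"]
    return kept, dropped


def needs_review(kept):
    """Flag an accepted indicator whose *allowed* field still carries PII.

    A field allowlist drops whole fields; it cannot see inside a value. An
    email address embedded in a URL observable sails through the schema check,
    which is the kind of case a slower, content-level scrub has to catch.
    """
    if kept is None:
        return False
    return bool(EMAIL_RE.search(kept.get("pattern", "")))


# Constructed sample submission: a legitimate indicator padded with fields the
# submitter's tooling added, including contact details for the victim.
SAMPLE = {
    "type": "indicator",
    "id": "indicator--00000000-0000-4000-8000-000000000001",
    "created": "2016-02-01T00:00:00Z",
    "valid_from": "2016-02-01T00:00:00Z",
    "pattern": "[ipv4-addr:value = '192.0.2.44']",
    "indicator_types": ["malicious-activity"],
    "description": "Seen beaconing from the workstation of jane.doe@example.com",
    "victim_contact": "jane.doe@example.com",
}

if __name__ == "__main__":
    kept, dropped = filter_submission(SAMPLE)
    print("kept:", kept)
    print("dropped fields:", dropped)
    print("needs content review:", needs_review(kept))
```

The two functions separate the two things the debate above conflates: `filter_submission` is the automatic, real-time schema gate (whole fields are either open or shut), while `needs_review` stands in for the content-level scrub that cannot be reduced to opening or closing fields and is what gets squeezed when sharing must happen in real rather than near-real time.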

In other words, the scenario is precisely the reverse of what Hennessey describes: DHS set up a portal, and then the Senate tried to change it in many ways that DHS said, before passage, would weaken the privacy protections in place.

Now, Hennessey does acknowledge some of the ways OmniCISA weakened privacy provisions that were in DHS’ portal. She notes, for example, that the Senate added a veto on DHS’ privacy scrubs, but suggests that, because DHS controls the technical parameters, it will be able to overcome this veto.

At first read, this language would appear to give other federal agencies, including DOD and ODNI, veto power over any privacy protections DHS is unable to automate in real-time. That may be true, but under the statute and in practice DHS controls AIS; specifically, it sets the STIX TAXII fields. Therefore, DHS holds the ultimate trump card because if that agency believes additional privacy protections that delay real-time receipt are required and is unable to convince fellow federal entities, then DHS is empowered to simply refuse to take in the information in the first place. This operates as a rather elegant check and balance system. DHS cannot arbitrarily impose delays, because it must obtain the consent of other agencies; if other agencies are not reasonable, DHS can cut off the information; but DHS must be judicious in exercising that option because it also loses the value of the data in question.

This seems to flip Youngstown on its head, suggesting the characteristics of the portal laid out in an executive order and changed in legislation take precedence over the legislation.

Moreover, while Hennessey does discuss the threat of the other portal — one of the features added in the OmniCISA round with no debate — she puts it in a different post from her discussion of DHS’ purported control over technical intake data (and somehow portrays it as having “emerged from conference with the new possibility of an alternative portal” even though no actual conference took place, which is why McCaul is stuck writing plaintive op-eds while holding his rear-end). This means that, after writing a post talking about how DHS would have the final say on protecting privacy by controlling intake, Hennessey wrote another post that suggested DHS would have to “get it right” or the President would order up a second portal without all the privacy protections that DHS’ portal had in the first place (and which it had already said would be weakened by CISA).

Such a portal would, of course, be subject to all statutory limitations and obligations, including codified privacy protections. But the devil is in the details here; specifically, the details coded into the sharing portal itself. CISA does not obligate that the technical specifications for a future portal be as protective as AIS. This means that it is not just the federal government and private companies who have a stake in DHS getting it right, but privacy advocates as well. The balance of CISA is indeed delicate.

Elsewhere, Hennessey admits that many in government think DHS is a basket-case agency (an opinion I’m not necessarily in disagreement with). So it’s unclear how DHS would retain any leverage over the veto given that exercising such leverage would result in DHS losing this portfolio altogether. There was a portal designed with privacy protections, CISA undermined those protections, and then OmniCISA created yet more bureaucratic leverage that would force DHS to eliminate its privacy protections to keep the overall portfolio.

Plus, OmniCISA did two more things. First, as noted, back in July DHS said it would need 180 days to fully tweak its existing portal to match the one ordered up in CISA. CISA and OmniCISA didn’t care: the bill and the law retained the 90-day turnaround. But in addition, OmniCISA required DHS and the Attorney General to develop their interim set of guidelines within 60 days (which as it happened included the Christmas holiday). That 60-day deadline is around February 16. The President can’t declare the need for a second portal until after the DHS one gets certified, which has a 90-day deadline (so March 18). But he can give a 30-day notice that that’s going to happen beforehand. In other words, the President can determine, after seeing what DHS and AG Lynch come up with in a few weeks, that that’s going to be too privacy restrictive and tell Congress FBI needs to have its own portal, something that did not and would not have passed under regular legislative order.

Finally, as I noted, PCLOB had been involved in setting up the privacy parameters for DHS’ portal, including the report that Hennessey points to as the basis for comfort about OmniCISA’s privacy risk. In final passage of OmniCISA, a PCLOB review of the privacy impact of OmniCISA, which had been included in every single version of the bill, got eliminated.

Hennessey’s seeming admission that this is the eventual likelihood appears over the course of her posts as well. In her first post, she claims,

From a practical standpoint, the government does not want any information—PII or otherwise—that is not necessary to describe or identify a threat. Such information is operationally useless and costly to store and properly handle.

But in explaining the reason for a second portal, she notes that there is (at least) one agency included in OmniCISA sharing that does want more information: FBI.

[T]here are those who fear that awarding liability protection exclusively to sharing through DHS might result in the FBI not getting information critical to the investigation of computer crimes. The merits of the argument are contested but the overall intention of CISA is certainly not to result in the FBI getting less cyber threat information. Hence, the fix.

[snip]

AIS is not configured to receive the full scope of cyber threat information that might be necessary to the investigation of a crime. And while CISA expressly permits sharing with law enforcement – consistent with all applicable laws – for the purposes of opening an investigation, the worry here is that companies that are the victims of hacks will share those threat indicators accepted by AIS, but not undertake additional efforts to lawfully share threat information with an FBI field office in order to actually investigate the crime.

That is, having decided that the existing portal wasn’t good enough because it didn’t offer enough immunities (and because it was too privacy protective), the handful of mostly Republican leaders negotiating OmniCISA outside of normal debate then created the possibility of extending those protections to a completely different kind of information sharing, that of content shared for law enforcement.

In her final post, Hennessey suggests some commentators (hi!!) who might be concerned about FBI’s ability to offer immunity for those who share domestically collected content willingly are “conspiracy-minded” even while she reverts to offering solace in the DHS portal protections that, her series demonstrates, are at great risk of bureaucratic bypass.

But these laws encompass a broad range of computer crimes, fraud, and economic espionage – most controversially the Computer Fraud and Abuse Act (CFAA). Here the technical constraints of the AIS system cut both ways. On one hand, the scope of cyber threat indicators shared through the portal significantly undercuts claims CISA is a mass surveillance bill. Bluntly stated, the information at issue is not of all that much use for the purposes certain privacy-minded – and conspiracy-minded, for that matter – critics allege. Still, the government presumably anticipates using this information in at least some investigations and prosecutions. And not only does CISA seek to move more information to the government – a specific and limited type of information, but more nonetheless – but it also authorizes at least some amount of new sharing.

[snip]

That question ultimately resolves to which STIX TAXII fields DHS decides to open or shut in the portal. So as CISA moves towards implementation, the portal fields – and the privacy interests at stake in the actual information being shared – are where civil liberties talk should start.

To some degree, Hennessey’s ultimate conclusion is one area where privacy (and security) advocates might weigh in. When the government provides Congress the interim guidelines sometime this month, privacy (and security) advocates might have an opportunity to weigh in, if they get a copy of the guidelines. But only the final guidelines are required to be made public.

And by then, it would be too late. Through a series of legislative tactics, some involving actual debate but some of the most important simply slapped onto a must-pass legislation, Congress has authorized the President to let the FBI, effectively, obtain US person content pertaining to Internet-based crimes without a warrant. Even if President Obama chooses not to use that authorization (or obtains enough concessions from DHS not to have to directly), President Trump may not exercise that discretion.

Maybe I am being conspiratorial in watching the legislative changes made to a bill (and to an existing portal) and, absent any other logical explanation for them, concluding those changes are designed to do what they look like they’re designed to do. But it turns out privacy (and security) advocates weren’t conspiratorial enough to prevent this from happening before it was too late.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including Vice, Motherboard, the Nation, the Atlantic, Al Jazeera, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse in Grand Rapids, MI.

Thursday Morning: Fast and Furious Edition

[image (modified): Adam Wilson via Flickr]

Insane amount of overseas news overnight. Clearly did not include me winning $1.5B Powerball lottery. Attacks in Jakarta and Turkey are no joke.

Let’s move on.

Some U.S. utilities still wide open to hacking
Dudes, how many times do you need to be told your cheese is still hanging out in the wind? Some heads should roll at this point. US government’s Industrial Control Systems Cyber Emergency Response Team’s Marty Edwards sounded pretty torqued about this situation at the S4 ICS Security Conference this week. I don’t blame him; if a utility gets hacked, it’s not like your grandmother’s PC getting held ransom. It means the public’s health and safety are at risk. Get on it.

Your cellphone is listening to your TV — and you
Bruce Schneier wrote about the Internet of Things’ expansive monitoring of consumers, citing the example of SilverPush — an application which listens to your television to determine your consumption habits. Bet some folks thought this was an app still in the offing. Nope. In use now, to determine current TV program listings and ratings. Listening-to-your-consumption apps have now been around for years.

Wonder if our pets can hear all this racket inaudible to humans? Will pet food companies embed ads shouting out to our pets?

But you may be able to hide from devices
…depending on whether you are using location-based services, and if you can use the app developed by Binghamton University. A paper on this technology was presented last month at the Institute of Electrical and Electronics Engineers (IEEE) GLOBECOM Conference, Symposium on Communication & Information System Security. The lead researcher explained the purpose of the app:

“With Facebook, Twitter, LinkedIn and others we provide a huge amount of data to the service providers everyday. In particular, we upload personal photos, location information, daily updates, to the Internet without any protection,” Guo said. “There is such a chance for tragedy if that information is used in a bad way.”

The app isn’t yet available, but when it is, it should prevent personally identifying location-based data from being used by the wrong folks.

VW emissions scandal: Well, this is blunt
I think you can kiss the idea of nuance goodbye, gang.

“Volkswagen made a decision to cheat on emissions tests and then tried to cover it up,” said CARB chair Mary Nichols in a statement.
“They continued and compounded the lie, and when they were caught they tried to deny it. The result is thousands of tons of nitrogen oxide that have harmed the health of Californians.”

Yeah. That.

The last bits
Nest thermostats froze out consumers after a botched update. (Do you really need internet-mediated temperature controls?)
Phone numbers may become a thing of the past if Facebook has its way. (Um, hell no to the Facebook. Just no.)
Senator Al Franken quizzes Google about data collection and usage on K-12 students. (Hope he checks toy manufacturers like Mattel and VTech, too.)

That’s a wrap, hope your day passes at a comfortable speed.

Blogger since 2002, political activist since 2003, geek since birth. Opinions informed by mixed-race, multi-ethnic, cis-female condition, further shaped by kind friends of all persuasions. Sci-tech frenemy, wannabe artist, decent cook, determined author, successful troublemaker. Mother of invention and two excessively smart-assed young adult kids. Attended School of Hard Knocks; Rather Unfortunate Smallish Private Business School in Midwest; Affordable Mid-State Community College w/evening classes. Self-employed at Tiny Consulting Business; previously at Large-ish Chemical Company with HQ in Midwest in multiple marginalizing corporate drone roles, and at Rather Big IT Service Provider as a project manager, preceded by a motley assortment of gigs before the gig economy was a thing. Blogging experience includes a personal blog at the original blogs.salon.com, managing editor for a state-based news site, and a stint at Firedoglake before landing here at emptywheel as technology’s less-virginal-but-still-accursed Cassandra.

Why Is Congress Undercutting PCLOB?

As I noted last month, the Omnibus budget bill undercut the Privacy and Civil Liberties Oversight Board in two ways.

First, it affirmatively limited PCLOB’s ability to review covert actions. That effort dates to June, when Republicans responded to PCLOB Chair David Medine’s public op-ed about drone oversight by ensuring PCLOB couldn’t review the drone or any other covert program.

More immediately troublesome, last minute changes to OmniCISA eliminated a PCLOB review of the implementation of that new domestic cyber surveillance program, even though some form of that review had been included in all three bills that passed Congress. That measure may have always been planned, but given that it wasn’t in any underlying version of the bill, more likely dates to something that happened after CISA passed the Senate in October.

PCLOB just released its semi-annual report to Congress, which I wanted to consider in light of Congress’ efforts to rein in what already was a pretty tightly constrained mandate.

The report reveals several interesting details.

First, while the plan laid out in April had been to review one CIA and one NSA EO 12333 program, what happened instead is that PCLOB completed a review on two CIA EO 12333 programs, and in October turned towards one NSA EO 12333 program (the reporting period for this report extended from April 1 to September 30).

In July, the Board voted to approve two in-depth examinations of CIA activities conducted under E.O. 12333. Board staff has subsequently attended briefings and demonstrations, as well as obtained relevant documents, related to the examinations.

The Board also received a series of briefings from the NSA on its E.O. 12333 activities. Board staff held follow-up sessions with NSA personnel on the topics covered and on the agency’s E.O. 12333 implementing procedures. Just after the conclusion of the Reporting Period, the Board voted to approve one in-depth examination of an NSA activity conducted under E.O. 12333. Board staff are currently engaging with NSA staff to gather additional information and documents in support of this examination.

That’s interesting for two reasons. First, it means there are two EO 12333 programs that have a significant impact on US persons, which is pretty alarming since CIA is not supposed to focus on Americans. It also means that the PCLOB could have conducted this study on covert operations between the time Congress first moved to prohibit it and the time that bill was signed into law. There’s no evidence that’s what happened, but the status report, while noting it had been prohibited from accessing information on covert actions, didn’t seem all that concerned about it.

Section 305 is a narrow exception to the Board’s statutory right of access to information limited to a specific category of matters, covert actions.

Certainly, it seems like PCLOB got cooperation from CIA, which would have been unlikely if CIA knew it could stall any review until the Intelligence Authorization passed.

But unless PCLOB was excessively critical of CIA’s EO 12333 programs, that’s probably not why Congress eliminated its oversight role in OmniCISA.

Mind you, it’s possible it was. Around the time the CIA review should have been wrapping up, though also in response to the San Bernardino attack, PCLOB commissioner Rachel Brand (who was the lone opponent to review of EO 12333 programs in any case) wrote an op-ed suggesting public criticism and increased restrictions on intelligence agencies risked making the intelligence bureaucracy less effective (than it already is, I would add, but she didn’t).

In response to the public outcry following the leaks, Congress enacted several provisions restricting intelligence programs. The president unilaterally imposed several more restrictions. Many of these may protect privacy. Some of them, if considered in isolation, might not seem a major imposition on intelligence gathering. But in fact none of them operate in isolation. Layering all of these restrictions on top of the myriad existing rules will at some point create an encrusted intelligence bureaucracy that is too slow, too cautious, and less effective. Some would say we have already reached that point. There is a fine line between enacting beneficial reforms and subjecting our intelligence agencies to death by a thousand cuts.

Still, that should have been separate from efforts focusing on cybersecurity.

There was, however, one thing PCLOB did this year that might more directly have led to Congress’ elimination of what would have been a legislatively mandated role in cybersecurity related privacy: its actions under EO 13636, which is one of the EOs that set up a framework that OmniCISA partly fulfills. Under the EO, DHS and other departments working on information sharing to protect critical infrastructure were required to produce a yearly report on how such sharing affected privacy and civil liberties.

The Chief Privacy Officer and the Officer for Civil Rights and Civil Liberties of the Department of Homeland Security (DHS) shall assess the privacy and civil liberties risks of the functions and programs undertaken by DHS as called for in this order and shall recommend to the Secretary ways to minimize or mitigate such risks, in a publicly available report, to be released within 1 year of the date of this order. Senior agency privacy and civil liberties officials for other agencies engaged in activities under this order shall conduct assessments of their agency activities and provide those assessments to DHS for consideration and inclusion in the report. The report shall be reviewed on an annual basis and revised as necessary. The report may contain a classified annex if necessary. Assessments shall include evaluation of activities against the Fair Information Practice Principles and other applicable privacy and civil liberties policies, principles, and frameworks. Agencies shall consider the assessments and recommendations of the report in implementing privacy and civil liberties protections for agency activities.

As PCLOB described in its report, “toward the end of the reporting period” (that is, around September), it was involved in interagency meetings discussing privacy.

The Board’s principal work on cybersecurity has centered on its role under E.O. 13636. The Order directs DHS to consult with the Board in developing a report assessing the privacy and civil liberties implications of cybersecurity information sharing and recommending ways to mitigate threats to privacy and civil liberties. At the beginning of the Reporting Period, DHS issued its second E.O. 13636 report. In response to the report, the Board wrote a letter to DHS commending DHS and the other reporting agencies for their early engagement, standardized report format, and improved reporting. Toward the end of the Reporting Period, the Board commenced its participation in its third annual consultation with DHS and other agencies reporting under the Order regarding privacy and civil liberties policies and practices through interagency meetings.

That would have come in the wake of the problems DHS identified, in a letter to Al Franken, with the current (and now codified into law) plan for information sharing under OmniCISA.

Since that time, Congress has moved first to let other agencies veto DHS’ privacy scrubs under OmniCISA and, in final execution, provided a way to create an entire bypass of DHS in the final bill before even allowing DHS as much time as it said it needed to set up the new sharing portal.

That is, it seems that the move to take PCLOB out of cybersecurity oversight accompanied increasingly urgent moves to take DHS out of privacy protection.

All this is just tea leaf reading, of course. But it sure seems that, in addition to the effort to ensure that PCLOB didn’t look too closely at CIA’s efforts to spy on — or drone kill — Americans, Congress has also decided to thwart PCLOB and DHS’ efforts to put some limits on how much cybersecurity efforts impinge on US person privacy.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including Vice, Motherboard, the Nation, the Atlantic, Al Jazeera, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse in Grand Rapids, MI.

The Pro-Scrub Language Added to CISA Is Designed to Eliminate DHS’ Scrub

I’ve been comparing the Manager’s Amendment (MA) Richard Burr and Dianne Feinstein introduced Wednesday with the old bill.

A key change — one Burr and Feinstein have highlighted in their comments on the floor — is the integration of DHS even more centrally in the process of the data intake process. Just as one example, the MA adds the Secretary of Homeland Security to the process of setting up the procedures about information sharing.

Not later than 60 days after the date of the enactment of this Act, the Attorney General and the Secretary of Homeland Security shall, in coordination with the heads of the appropriate Federal entities, develop and submit to Congress interim policies and procedures relating to the receipt of cyber threat indicators and defensive measures by the Federal Government. [my emphasis]

That change is applied throughout.

But there’s one area where adding more DHS involvement appears to be just a show: where it permits DHS to conduct a scrub of the data on intake (as Feinstein described, this was an attempt to integrate Tom Carper’s and Chris Coons’ amendments doing just that).

This is also an issue DHS raised in response to Al Franken’s concerns about how CISA would affect their current intake procedure.

To require sharing in “real time” and “not subject to any delay [or] modification” raises concerns relating to operational analysis and privacy.

First, it is important for the NCCIC to be able to apply a privacy scrub to incoming data, to ensure that personally identifiable information unrelated to a cyber threat has not been included. If DHS distributes information that is not scrubbed for privacy concerns, DHS would fail to mitigate and in fact would contribute to the compromise of personally identifiable information by spreading it further. While DHS aims to conduct a privacy scrub quickly so that data can be shared in close to real time, the language as currently written would complicate efforts to do so. DHS needs to apply business rules, workflows and data labeling (potentially masking data depending on the receiver) to avoid this problem.

Second, customers may receive more information than they are capable of handling, and are likely to receive large amounts of unnecessary information. If there is no layer of screening for accuracy, DHS’ customers may receive large amounts of information with dubious value, and may not have the capability to meaningfully digest that information.

While the current Cybersecurity Information Sharing Act recognizes the need for policies and procedures governing automatic information sharing, those policies and procedures would not effectively mitigate these issues if the requirement to share “not subject to any delay [or] modification” remains.

To ensure automated information sharing works in practice, DHS recommends requiring cyber threat information received by DHS to be provided to other federal agencies in “as close to real time as practicable” and “in accordance with applicable policies and procedures.”

Effectively, DHS explained that if it was required to share data in real time, it would be unable to scrub out unnecessary and potentially burdensome data, and suggested that the “real time” requirement be changed to “as close to real time as practicable.”
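To make concrete what the scrub DHS describes has to do to a record before it is fanned out, here is an added illustration (not DHS or NCCIC code, which is not on the page): a constructed intake record whose free-text context carries PII unrelated to the threat is scrubbed, labelled, and masked differently depending on the receiver. The record, the PII patterns, the receiver names and the policy are all constructed for the example.

```python
import hashlib
import re
from copy import deepcopy

# Constructed sample intake record (all values made up): the indicator itself is
# threat-relevant, but the submitter's free-text context carries PII unrelated
# to the threat, which is exactly what an intake scrub is meant to catch.
SAMPLE_INDICATOR = {
    "indicator": "198.51.100.23",
    "type": "ipv4-addr",
    "context": "Beaconing from jane.doe@example.com workstation (desk 555-0142) to 198.51.100.23",
    "submitter": "Example Corp",
}

# PII classes the scrub looks for in free text (hypothetical, deliberately simple).
PII_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "phone": re.compile(r"\b\d{3}-\d{4}\b"),
}

# Hypothetical per-receiver masking policy: "drop" removes the value outright,
# "pseudonym" replaces it with a keyed hash so that receiver can still notice
# the same value recurring across reports without learning the value itself.
RECEIVER_POLICY = {
    "incident-analysts": "pseudonym",
    "broad-distribution": "drop",
}


def _pseudonym(value, key):
    # Truncated keyed hash: stable for a given value, not reversible without the key.
    return "PII-" + hashlib.sha256(key + value.encode()).hexdigest()[:10]


def scrub_indicator(record, receiver, key=b"constructed-demo-key"):
    """Return a scrubbed copy of `record` for `receiver`, with data labels attached.

    The scrub is a modification applied before any receiver retains the record,
    which is the step a strict "real time, no modification" rule leaves no room for.
    """
    policy = RECEIVER_POLICY[receiver]
    out = deepcopy(record)          # never alter the submitter's original copy
    labels = set()

    for cls, pattern in PII_PATTERNS.items():
        def mask(match):
            labels.add(f"pii:{cls}:{policy}")
            if policy == "pseudonym":
                return _pseudonym(match.group(0), key)
            return "[REDACTED]"
        out["context"] = pattern.sub(mask, out["context"])

    out["labels"] = sorted(labels)  # labelling records what was done and why
    out["receiver"] = receiver
    return out


def fan_out(record, receivers):
    """Scrub once per receiver so each gets only what its policy allows."""
    return {r: scrub_indicator(record, r) for r in receivers}


if __name__ == "__main__":
    for receiver, scrubbed in fan_out(SAMPLE_INDICATOR, RECEIVER_POLICY).items():
        print(receiver, scrubbed["context"], scrubbed["labels"])
```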

But compare DHS’s concerns with the actual language added to the description of the information-sharing portal (the new language is in italics).

(3) REQUIREMENTS CONCERNING POLICIES AND PROCEDURES.—Consistent with the guidelines required by subsection (b), the policies and procedures developed and promulgated under this subsection shall—

(A) ensure that cyber threat indicators shared with the Federal Government by any entity pursuant to section 104(c) through the real-time process described in subsection (c) of this section—

(i) are shared in an automated manner with all of the appropriate Federal entities;

(ii) are only subject to a delay, modification, or other action due to controls established for such real-time process that could impede real-time receipt by all of the appropriate Federal entities when the delay, modification, or other action is due to controls—

(I) agreed upon unanimously by all of the heads of the appropriate Federal entities;

(II) carried out before any of the appropriate Federal entities retains or uses the cyber threat indicators or defensive measures; and

(III) uniformly applied such that each of the appropriate Federal entities is subject to the same delay, modification, or other action; and

This section permits one of the “appropriate Federal agencies” to veto such a scrub. Presumably, the language only exists in the bill because one of the “appropriate Federal agencies” has already vetoed the scrub. NSA (in the guise of “appropriate Federal agency” DOD) would be the one that would scare people, but such a veto would be equally likely to come from FBI (in the guise of “appropriate Federal agency” DOJ), and given Tom Cotton’s efforts to send this data even more quickly to FBI, that’s probably who vetoed it.

If you had any doubts the Intelligence Community is ordering up what it wants in this bill, the language permitting them a veto on privacy protections should relieve you of those doubts.

On top of NSA and FBI’s veto authority, there’s an intentional logical problem here. DHS is one of the “appropriate Federal agencies,” but DHS is the entity that would presumably do the scrub. Yet if it can’t retain data before any other agency, it’s not clear how it could do a scrub.

In short, this seems designed to lead people to believe there might be a scrub (or rather, that under CISA, DHS would continue to do the privacy scrub they are currently doing, though they are just beginning to do it automatically) when, for several reasons, that also seems to be ruled out by the bill. And ruled out because one “appropriate Federal agency” (like I said, I suspect FBI) plans to veto such a plan.

So it has taken this Manager’s Amendment to explain why we need CISA: to make sure that DHS doesn’t do the privacy scrubs it is currently doing.

I’ll explain in a follow-up post why it would be so important to eliminate DHS’ current scrub on incoming data.


Consider CISA a Six-Month Distraction from Shoring Up Government Security

Most outlets that commented on DHS’ response to Al Franken’s questions about CISA focused on their concerns about privacy.

The authorization to share cyber threat indicators and defensive measures with “any other entity or the Federal Government,” “notwithstanding any other provision of law” could sweep away important privacy protections, particularly the provisions in the Stored Communications Act limiting the disclosure of the content of electronic communications to the government by certain providers. (This concern is heightened by the expansive definitions of cyber threat indicators and defensive measures in the bill. Unlike the President’s proposal, the Senate bill includes “any other attribute of a cybersecurity threat” within its definition of cyber threat indicator and authorizes entities to employ defensive measures.)

[snip]

To require sharing in “real time” and “not subject to any delay [or] modification” raises concerns relating to operational analysis and privacy.

First, it is important for the NCCIC to be able to apply a privacy scrub to incoming data, to ensure that personally identifiable information unrelated to a cyber threat has not been included. If DHS distributes information that is not scrubbed for privacy concerns, DHS would fail to mitigate and in fact would contribute to the compromise of personally identifiable information by spreading it further. While DHS aims to conduct a privacy scrub quickly so that data can be shared in close to real time, the language as currently written would complicate efforts to do so. DHS needs to apply business rules, workflows and data labeling (potentially masking data depending on the receiver) to avoid this problem.

None of those outlets noted that DOJ’s Inspector General cited privacy concerns among the reasons why private sector partners are reluctant to share data with FBI.

So the limited privacy protections in CISA are actually a real problem with it — one that the changes in a manager’s amendment (the most significant being a limit on uses of that data to cyber crimes rather than the broad range of felonies currently in the bill) don’t entirely address.

But I think this part of DHS’ response is far more important to the immediate debate.

Finally the 90-day timeline for DHS’s deployment of a process and capability to receive cyber threat indicators is too ambitious, in light of the need to fully evaluate the requirements pertaining to that capability once legislation passes and build and deploy the technology. At a minimum, the timeframe should be doubled to 180 days.

DHS says the bill is overly optimistic about how quickly a new cybersharing infrastructure can be put in place. I’m sympathetic with their complaint, too. After all, if it takes NSA 6 months to set up an info-sharing infrastructure for the new phone dragnet created by USA Freedom Act, why do we think DHS can do the reverse in half the time?

Especially when you consider DHS’ concerns about the complexity added because CISA permits private sector entities to share with any of a number of government agencies.

Equally important, if cyber threat indicators are distributed amongst multiple agencies rather than initially provided through one entity, the complexity–for both government and businesses–and inefficiency of any information sharing program will markedly increase; developing a single, comprehensive picture of the range of cyber threats faced daily will become more difficult. This will limit the ability of DHS to connect the dots and proactively recognize emerging risks and help private and public organizations implement effective mitigations to reduce the likelihood of damaging incidents.

DHS recommends limiting the provision in the Cybersecurity Information Sharing Act regarding authorization to share information, notwithstanding any other provision of law, to sharing through the DHS capability housed in the NCCIC.

Admittedly, some of this might be attributed to bureaucratic turf wars — albeit turf wars that those who’d prefer DHS do a privacy scrub before FBI or NSA get the data ought to support. But DHS is also making a point about building complexity into a data sharing portal that recreates an existing one with less complexity (as well as some anonymizing and minimization that might be lost under the new system). That complexity is going to make the whole thing less secure, just as we’re coming to grips with how insecure government networks are. It’s not clear, at all, why a new portal needs to be created, one that is more complex and involves agencies like the Department of Energy — which is cybersprinting backwards on its own security — at the front end of that complexity, and one that lacks some safeguards that are in DHS’s current portal.

More importantly, that complexity, that recreation of something that already exists — that’s going to take six months of DHS’s time, when it should instead be focusing on shoring up government security in the wake of the OPM hack.

Until such time as Congress wants to give the agencies unlimited resources to focus on cyberdefense, it will face limited resources and, with those limited resources, some real choices about what should be the top priority. And while DHS didn’t say it, it sure seems to me that CISA would require reinventing some wheels, and making them more complex along the way, at a time when DHS (and everyone in government focused on cybersecurity) has better things to be doing.

Congress is already cranky that the Administration took a month (make that two months) to cybersprint (make that middle-distance run) in the wake of the OPM hack. Why are they demanding DHS spend 6 more months recreating wheels before fixing core vulnerabilities?
