Posts

Without Integrity: The Debunking of the Metadata Debunkers

As I laid out a few weeks ago, I provided information to the FBI on issues related to the Mueller investigation, so I’m going to include disclosure statements on Mueller investigation posts from here on out. I will include the disclosure whether or not the stuff I shared with the FBI pertains to the subject of the post.

When people have asked me if I’ve gotten a lot of pushback since I revealed that I provided information to the FBI on a matter that became part of the Mueller inquiry, I’ve said that I’m mostly surprised by how little I’ve gotten. While I’ve had a few alarms with respect to my website or device security (which I might attribute to Russians), I’ve had almost no pushback from Republicans accusing me of gunning for the President, not even after I suggested my testimony probably changed the import of publicly available information that implicated the President.

The exception has been a group of Assange loyalists close to Adam Carter — a group of people who have spent a great deal of time trying to undermine the public case implicating Russia in the attack. I have been shocked by the persistence with which Carter loyalists flooded my timeline at certain times in recent weeks, even though nothing I’ve said publicly would indicate Carter’s efforts were put in any great danger because I went to the FBI sometime last year.

Today, Duncan Campbell released a long story on the guy behind the pseudonym Adam Carter, Tim Leonard.

Before I look at it, two comments. First, contrary to some guesses, Leonard is not the person I went to the FBI about. Second, I think there are still details in this story that are not correct (though are far closer than other work thus far); one value of Leonard’s effort was to get some people (including me!) to work through assumptions, something people are still not doing enough on this story.

Campbell’s is an important and successful effort to push back against disinformation (and to get Bill Binney and Ray McGovern to back off their support for it). It does the following:

  • Affirmatively IDs Leonard, demonstrates that he used the facilities of his employer to do some of this work, and shows how he falsely blamed a former co-worker for some of the work
  • Shows how Leonard serially adopted ever new theories, but never the one almost every expert had backed, that Russia had done the hack
  • Shows the co-travelers, including the far right, that Leonard embraced in his efforts to discredit the dominant explanation
  • Tracks some of the false identities Leonard adopted along the way (I believe, given the data in the story, he has adopted false IDs on this site as well)

This work is particularly valuable because it demonstrates how early — by May 2016 — Leonard focused attacks on Clinton before coming out with his debunking site.

As US election campaigns ramped up in May 2016, Leonard’s Defianet email address, [email protected], was used to create a new Twitter account, @with_integrity. The name, he said, was a parody of Clinton’s campaign slogan, “I’m with Hillary”. The profile displayed a WikiLeaks avatar.

For 10 days in 2016, @with_integrity trolled and attacked the Democratic Convention, accusing the Democrats of collusion, conspiracy, cheating, corruption, rigging elections and sabotage.

On 22 July 2016, @with_integrity tweeted a link to the Russian propaganda and news channel, RT, claiming that primary elections had been rigged. On 26 July, as delegates voted, @with_integrity tweeted a new RT attack on Hillary Clinton.

After Clinton was nominated, @with_integrity followed the Russian trolls’ path in supporting Donald Trump, retweeting Trump slogans, including #CrookedHillary, #LockHerUp, #MakeAmericaGreatAgain and #VoteOnlyTrump, and a third link to a “special episode” on RT.

But the core of Campbell’s debunking (and the basis of his success at persuading Binney and McGovern, to the extent he did) pertains to the Forensicator effort to claim that certain files released in September 2016 proved that Russia couldn’t have done the hack because they had been copied in the Eastern time zone. Campbell shows that shows that the data behind the Forensicator effort had been adopted uncritically by Leonard and his allies, and that the most obvious conclusion based on the evidence is that hackers manipulated the timestamps of these files, and only these files.

The team that created Forensicator, including Leonard, gave away that they were not the real authors of the analysis when they inaccurately copied a Linux “Bash” script they had been sent, breaking it. This suggested that they did not write, understand, or test the script before they published. Someone else had sent the script, together with the fake conclusion they wanted discovered and published – that DNC stolen files had been copied in the US Eastern Time zone on 5 July 2016, five days before DNC employee Seth Rich was killed.

Uncritical reporters failed to spot that the Forensicator blog gave no evidence for its conclusion, which was that the data analysed was evidence of theft by local copying happening within the eastern US. The Forensicator report avoided pointing out that the time stamps examined were present only in the special London group of documents, and not in tens of thousands of other DNC files published by WikiLeaks or Guccifer 2.0.

The files were manipulated using an unusual method of file packing, forensic checks show. Because of computer clock settings, the packing operations appeared to have created “evidence” that the stolen files had been copied in the US Eastern Time zone, which includes Washington.

US Eastern Standard Time (EST) is normally five hours behind Coordinated Universal Time (UTC) – better known in Britain as Greenwich Mean Time (GMT). In summer months, clocks are set forward, placing the US Eastern Daylight Time (EDT) four hours behind UTC. The difference between a time zone and UTC is the offset. It is trivially easy for any computer user to change their time, date and time zone offset, using standard controls.

The files released in London, we found, had first been processed in this way to show timestamps for 5 July 2016. Some 13 groups had then been compressed using WinRAR 4.2. Nine additional files were compressed using 7zip. The archive, called 7dc58-ngp-van.7z, was published in this format, as a single file of 680MB.

This dual compression method was unique to the London documents. It was not used in other file dumps released by Guccifer 2.0, WikiLeaks or other publishers of stolen DNC material. The special method used two different file compression systems, 7zip and WinRAR, and required using a four-year-old, superseded version of WinRAR to obtain the required result. The way the Russians did it, the two compression operations appeared to overlap within a single 20-minute period. The tampering may have been done on 1 September, a week before the London conference.

[snip]

The obvious, simple explanation was that hackers were manipulating computer clock settings. The observed changes would have taken seconds.

In response to Campbell’s piece, Leonard has complained that Campbell doxed him rather than debunk the evidence.

He doesn’t actually tackle what he’s framing as disinformation and instead tries to attack character and tries to dox people rather than discredit or debunk the evidence/research published. You don’t tackle disinfo with smears/distortion/character attacks yet this is what DC did.

This is where I get a little cranky — probably crankier than I otherwise would have been if Leonards fans hadn’t flooded my timelines in recent weeks.

Campbell is actually wrong when he claims that “uncritical reporters” didn’t point out that this file was a unique file. I noted this file was a proxy file back in October, and that before you got into the analysis of its forensics, you first had to account for the provenance of it. I also noted WikiLeaks’ role in sharing the file with the Trump campaign here. In this post, I noted that the files in question weren’t DNC files (nor were the earliest Guccifer 2.0 ones), so the entire exercise said absolutely nothing about who hacked the DNC, purportedly the central project of Leonard and his ilk. And all that’s before I noted, over and over, that copying of files in the US would not prove a damn thing (as the GRU’s use of staging servers in AZ and IL make clear).

I raise these posts not to challenge Campbell’s reporting, but instead to challenge Leonard’s complaint. He has claimed for over a year now that he would respond to legitimate responses to his theories. And while I vaguely recall him making a half-hearted attempt at it on his site, I can’t find it.

Even before you get into the evidence of a concerted disinformation campaign — one that paralleled if it wasn’t coordinated with at least WikiLeaks if not the Russians’ — you’ve got to be arguing facts that might address the questions you claim to. And Leonard quickly strayed from that purported effort, never to return again.

A Dragnet of emptywheel’s Most Important Posts on Surveillance, 2007 to 2017

Happy Birthday to me! To us! To the emptywheel community!

On December 3, 2007, emptywheel first posted as a distinct website. That makes us, me, we, ten this week.

To celebrate, the emptywheel team has been sharing some of our favorite work from the last decade. This is my massive dragnet of surveillance posts.

For years, we’ve done this content ad free, relying on donations and me doing freelance work for others to fund the stuff you read here. I would make far more if I worked for some free-standing outlet, but I wouldn’t be able to do the weedy, iterative work that I do here, which would amount to not being able to do my best work.

If you’ve found this work valuable — if you’d like to ensure it remains available for the next ten years — please consider supporting the site.

2007

Whitehouse Reveals Smoking Gun of White House Claiming Not to Be Bound by Any Law

Just days after opening the new digs, I noticed Sheldon Whitehouse entering important details into the Senate record — notably, that John Yoo had pixie dusted EO 12333 to permit George Bush to authorize the Stellar Wind dragnet. In the ten years since, both parties worked to gradually expand spying on Americans under EO 12333, only to have Obama permit the sharing of raw EO 12333 data in its last days in office, completing the years long project of restoring Stellar Wind’s functionalities. This post, from 2016, analyzes a version of the underlying memo permitting the President to change EO 12333 without providing public notice he had done so.

2008

McConnell and Mukasey Tell Half Truths

In the wake of the Protect America Act, I started to track surveillance legislation as it was written, rather than figure out after the fact how the intelligence community snookered us. In this post, I examined the veto threats Mike McConnell and Michael Mukasey issued in response to some Russ Feingold amendments to the FISA Amendments Act and showed that the government intended to use that authority to access Americans’ communication via both what we now call back door searches and reverse targeting. “That is, one of the main purposes is to collect communications in the United States.”

9 years later, we’re still litigating this (though, since then FISC has permitted the NSA to collect entirely domestic communications under the 2014 exception).

2009

FISA + EO 12333 + [redacted] procedures = No Fourth Amendment

The Government Sez: We Don’t Have a Database of All Your Communication

After the FISCR opinion on what we now know to be the Yahoo challenge to Protect American Act first got declassified, I identified several issues that we now have much more visibility on. First, PAA permitted spying on Americans overseas under EO 12333. And it didn’t achieve particularity through the PAA, but instead through what we know to be targeting procedures, including contact chaining. Since then we’ve learned the role of SPCMA in this.

In addition, to avoid problems with back door searches, the government claimed it didn’t have a database of all our communication — a claim that, narrowly parsed might be true, but as to the intent of the question was deeply misleading. That claim is one of the reasons we’ve never had a real legal review of back door searches.

Bush’s Illegal Domestic Surveillance Program and Section 215

On PATRIOTs and JUSTICE: Feingold Aims for Justice

During the 2009 PATRIOT Act reauthorization, I continued to track what the government hated most as a way of understanding what Congress was really authorizing. I understood that Stellar Wind got replaced not just by PAA and FAA, but also by the PATRIOT authorities.

All of which is a very vague way to say we probably ought to be thinking of four programs–Bush’s illegal domestic surveillance program and the PAA/FAA program that replaced it, NSLs, Section 215 orders, and trap and trace devices–as one whole. As the authorities of one program got shut down by exposure or court rulings or internal dissent, it would migrate to another program. That might explain, for example, why Senators who opposed fishing expeditions in 2005 would come to embrace broadened use of Section 215 orders in 2009.

I guessed, for example, that the government was bulk collecting data and mining it to identify targets for surveillance.

We probably know what this is: the bulk collection and data mining of information to select targets under FISA. Feingold introduced a bajillion amendments that would have made data mining impossible, and each time Mike McConnell and Michael Mukasey would invent reasons why Feingold’s amendments would have dire consequences if they passed. And the legal information Feingold refers to is probably the way in which the Administration used EO 12333 and redacted procedures to authorize the use of data mining to select FISA targets.

Sadly, I allowed myself to get distracted by my parallel attempts to understand how the government used Section 215 to obtain TATP precursors. As more and more people confirmed that, I stopped pursuing the PATRIOT Act ties to 702 as aggressively.

2010

Throwing our PATRIOT at Assange

This may be controversial, given everything that has transpired since, but it is often forgotten what measures the US used against Wikileaks in 2010. The funding boycott is one thing (which is what led Wikileaks to embrace Bitcoin, which means it is now in great financial shape). But there’s a lot of reason to believe that the government used PATRIOT authorities to target not just Wikileaks, but its supporters and readers; this was one hint of that in real time.

2011

The March–and April or May–2004 Changes to the Illegal Wiretap Program

When the first iteration of the May 2004 Jack Goldsmith OLC memo first got released, I identified that there were multiple changes made and unpacked what some of them were. The observation that Goldsmith newly limited Stellar Wind to terrorist conversations is one another reporter would claim credit for “scooping” years later (and get the change wrong in the process). We’re now seeing the scope of targeting morph again, to include a range of domestic crimes.

Using Domestic Surveillance to Get Rapists to Spy for America

Something that is still not widely known about 702 and our other dragnets is how they are used to identify potential informants. This post, in which I note Ted Olson’s 2002 defense of using (traditional) FISA to find rapists whom FBI can then coerce to cooperate in investigations was the beginning of my focus on the topic.

2012

FISA Amendments Act: “Targeting” and “Querying” and “Searching” Are Different Things

During the 2012 702 reauthorization fight, Ron Wyden and Mark Udall tried to stop back door searches. They didn’t succeed, but their efforts to do so revealed that the government was doing so. Even back in 2012, Dianne Feinstein was using the same strategy the NSA currently uses — repeating the word “target” over and over — to deny the impact on Americans.

Sheldon Whitehouse Confirms FISA Amendments Act Permits Unwarranted Access to US Person Content

As part of the 2012 702 reauthorization, Sheldon Whitehouse said that requiring warrants to access the US person content collected incidentally would “kill the program.” I took that as confirmation of what Wyden was saying: the government was doing what we now call back door searches.

2013

20 Questions: Mike Rogers’ Vaunted Section 215 Briefings

After the Snowden leaks started, I spent a lot of time tracking bogus claims about oversight. After having pointed out that, contrary to Administration claims, Congress did not have the opportunity to be briefed on the phone dragnet before reauthorizing the PATRIOT Act in 2011, I then noted that in one of the only briefings available to non-HPSCI House members, FBI had lied by saying there had been no abuses of 215.

John Bates’ TWO Wiretapping Warnings: Why the Government Took Its Internet Dragnet Collection Overseas

Among the many posts I wrote on released FISA orders, this is among the most important (and least widely understood). It was a first glimpse into what now clearly appears to be 7 years of FISA violation by the PRTT Internet dragnet. It explains why they government moved much of that dragnet to SPCMA collection. And it laid out how John Bates used FISA clause 1809(a)(2) to force the government to destroy improperly collected data.

Federated Queries and EO 12333 FISC Workaround

In neither NSA nor FBI do the authorities work in isolation. That means you can conduct a query on federated databases and obtain redundant results in which the same data point might be obtained via two different authorities. For example, a call between Michigan and Yemen might be collected via bulk collection off a switch in or near Yemen (or any of the switches between there and the US), as well as in upstream collection from a switch entering the US (and all that’s assuming the American is not targeted). The NSA uses such redundancy to apply the optimal authority to a data point. With metadata, for example, it trained analysts to use SPCMA rather than PATRIOT authorities because they could disseminate it more easily and for more purposes. With content, NSA appears to default to PRISM where available, probably to bury the far more creative collection under EO 12333 for the same data, and also because that data comes in structured form.

Also not widely understood: the NSA can query across metadata types, returning both Internet and phone connection in the same query (which is probably all the more important now given how mobile phones collapse the distinction between telephony and Internet).

This post described how this worked with the metadata dragnets.

The Purpose(s) of the Dragnet, Revisited

The government likes to pretend it uses its dragnet only to find terrorists. But it does far more, as this analysis of some court filings lays out.

2014

The Corporate Store: Where NSA Goes to Shop Your Content and Your Lifestyle

There’s something poorly understood about the metadata dragnets NSA conducts. The contact-chaining isn’t the point. Rather, the contact-chaining serves as a kind of nomination process that puts individuals’ selectors, indefinitely, into the “corporate store,” where your identity can start attracting other related datapoints like a magnet. The contact-chaining is just a way of identifying which people are sufficiently interesting to submit them to that constant, ongoing data collection.

SPCMA: The Other NSA Dragnet Sucking In Americans

I’ve done a lot of work on SPCMA — the authorization that, starting in 2008, permitted the NSA to contact chain on and through Americans with EO 12333 data, which was one key building block to restoring access to EO 12333 analysis on Americans that had been partly ended by the hospital confrontation, and which is where much of the metadata analysis affecting Americans has long happened. This was my first comprehensive post on it.

The August 20, 2008 Correlations Opinion

A big part of both FBI and NSA’s surveillance involves correlating identities — basically, tracking all the known identities a person uses on telephony and the Internet (and financially, though we see fewer details of that), so as to be able to pull up all activities in one profile (what Bill Binney once called “dossiers”). It turns out the FISC opinion authorizing such correlations is among the documents the government still refuses to release under FOIA. Even as I was writing the post Snowden was explaining how it works with XKeyscore.

A Yahoo! Lesson for USA Freedom Act: Mission Creep

This is another post I refer back to constantly. It shows that, between the time Yahoo first discussed the kinds of information they’d have to hand over under PRISM in August 2007 and the time they got directives during their challenge, the kinds of information they were asked for expanded into all four of its business areas. This is concrete proof that it’s not just emails that Yahoo and other PRISM providers turn over — it’s also things like searches, location data, stored documents, photos, and cookies.

FISCR Used an Outdated Version of EO 12333 to Rule Protect America Act Legal

Confession: I have an entire chapter of the start of a book on the Yahoo challenge to PRISM. That’s because so much about it embodied the kind of dodgy practices the government has, at the most important times, used with the FISA Court. In this post, I showed that the documents that the government provided the FISCR hid the fact that the then-current versions of the documents had recently been modified. Using the active documents would have shown that Yahoo’s key argument — that the government could change the rules protecting Americans anytime, in secret — was correct.

2015

Is CISA the Upstream Cyber Certificate NSA Wanted But Didn’t Really Get?

Among the posts I wrote on CISA, I noted that because the main upstream 702 providers have a lot of federal business, they’ll “voluntarily” scan on any known cybersecurity signatures as part of protecting the federal government. Effectively, it gives the government the certificate it wanted, but without any of the FISA oversight or sharing restrictions. The government has repeatedly moved collection to new authorities when FISC proved too watchful of its practices.

The FISA Court’s Uncelebrated Good Points

Many civil libertarians are very critical of the FISC. Not me. In this post I point out that it has policed minimization procedures, conducted real First Amendment reviews, taken notice of magistrate decisions and, in some cases, adopted the highest common denominator, and limited dissemination.

How the Government Uses Location Data from Mobile Apps

Following up on a Ron Wyden breadcrumb, I figured out that the government — under both FISA and criminal law — obtain location data from mobile apps. While the government still has to adhere to the collection standard in any given jurisdiction, obtaining the data gives the government enhanced location data tied to social media, which can implicate associates of targets as well as the target himself.

The NSA (Said It) Ate Its Illegal Domestic Content Homework before Having to Turn It in to John Bates

I’m close to being able to show that even after John Bates reauthorized the Internet metadata dragnet in 2010, it remained out of compliance (meaning NSA was always violating FISA in obtaining Internet metadata from 2002 to 2011, with a brief lapse). That case was significantly bolstered when it became clear NSA hastily replaced the Internet dragnet with obtaining metadata from upstream collection after the October 2011 upstream opinion. NSA hid the evidence of problems on intake from its IG.

FBI Asks for at Least Eight Correlations with a Single NSL

As part of my ongoing effort to catalog the collection and impact of correlations, I showed that the NSL Nick Merrill started fighting in 2004 asked for eight different kinds of correlations before even asking for location data. Ultimately, it’s these correlations as much as any specific call records that the government appears to be obtaining with NSLs.

2016

What We Know about the Section 215 Phone Dragnet and Location Data

During the lead-up to the USA Freedom Debate, the government leaked stories about receiving a fraction of US phone records, reportedly because of location concerns. The leaks were ridiculously misleading, in part because they ignored that the US got redundant collection of many of exactly the same calls they were looking for from EO 12333 collection. Yet in spite of these leaks, the few figured out that the need to be able to force Verizon and other cell carriers to strip location data was a far bigger reason to pass USAF than anything Snowden had done. This post laid out what was known about location data and the phone dragnet.

While It Is Reauthorizing FISA Amendments Act, Congress Should Reform Section 704

When Congress passed FISA Amendments Act, it made a show of providing protections to Americans overseas. One authority, Section 703, was for spying on people overseas with help of US providers, and another was for spying on Americans overseas without that help. By May 2016, I had spent some time laying out that only the second, which has less FISC oversight, was used. And I was seeing problems with its use in reporting. So I suggested maybe Congress should look into that?

It turns out that at precisely that moment, NSA was wildly scrambling to get a hold on its 704 collection, having had an IG report earlier in the year showing they couldn’t audit it, find it all, or keep it within legal boundaries. This would be the source of the delay in the 702 reauthorization in 2016, which led to the prohibition on about searches.

The Yahoo Scan: On Facilities and FISA

The discussion last year of a scan the government asked Yahoo to do of all of its users was muddled because so few people, even within the privacy community, understand how broadly the NSA has interpreted the term “selector” or “facility” that it can target for collection. The confusion remains to this day, as some in the privacy community claim HPSCI’s use of facility based language in its 702 reauthorization bill reflects new practice. This post attempts to explain what we knew about the terms in 2016 (though the various 702 reauthorization bills have offered some new clarity about the distinctions between the language the government uses).

2017

Ron Wyden’s History of Bogus Excuses for Not Counting 702 US Person Collection

Ron Wyden has been asking for a count of how many Americans get swept up under 702 for years. The IC has been inventing bogus explanations for why they can’t do that for years. This post chronicles that process and explains why the debate is so important.

The Kelihos Pen Register: Codifying an Expansive Definition of DRAS?

When DOJ used its new Rule 41 hacking warrant against the Kelihos botnet this year, most of the attention focused on that first-known usage. But I was at least as interested in the accompanying Pen Register order, which I believe may serve to codify an expansion of the dialing, routing, addressing, and signaling information the government can obtain with a PRTT. A similar codification of an expansion exists in the HJC and Lee-Leahy bills reauthorizing 702.

The Problems with Rosemary Collyer’s Shitty Upstream 702 Opinion

The title speaks for itself. I don’t even consider Rosemary Collyer’s 2017 approval of 702 certificates her worst FISA opinion ever. But it is part of the reason why I consider her the worst FISC judge.

It Is False that Downstream 702 Collection Consists Only of To and From Communications

I pointed out a number of things not raised in a panel on 702, not least that the authorization of EO 12333 sharing this year probably replaces some of the “about” collection function. Most of all, though, I reminded that in spite of what often gets claimed, PRISM is far more than just communications to and from a target.

UNITEDRAKE and Hacking under FISA Orders

A document leaked by Shadow Brokers reveals a bit about how NSA uses hacking on FISA targets. Perhaps most alarmingly, the same tools that conduct such hacks can be used to impersonate a user. While that might be very useful for collection purposes, it also invites very serious abuse that might create a really nasty poisonous tree.

A Better Example of Article III FISA Oversight: Reaz Qadir Khan

In response to Glenn Gerstell’s claims that Article III courts have exercised oversight by approving FISA practices (though the reality on back door searches is not so cut and dry), I point to the case of Reaz Qadir Khan where, as Michael Mosman (who happens to serve on FISC) moved towards providing a CIPA review for surveillance techniques, Khan got a plea deal.

The NSA’s 5-Page Entirely Redacted Definition of Metadata

In 2010, John Bates redefined metadata. That five page entirely redacted definition became codified in 2011. Yet even as Congress moves to reauthorize 702, we don’t know what’s included in that definition (note: location would be included).

FISA and the Space-Time Continuum

This post talks about how NSA uses its various authorities to get around geographical and time restrictions on its spying.

The Senate Intelligence Committee 702 Bill Is a Domestic Spying Bill

This is one of the most important posts on FISA I’ve ever written. It explains how in 2014, to close an intelligence gap, the NSA got an exception to the rule it has to detask from a facility as soon as it identifies Americans using the facility. The government uses it to collect on Tor and, probably VPN, data. Because the government can keep entirely domestic communications that the DIRNSA has deemed evidence of a crime, the exception means that 702 has become a domestic spying authority for use with a broad range of crimes, not to mention anything the Attorney General deems a threat to national security.

“Hype:” How FBI Decided Searching 702 Content Was the Least Intrusive Means

In a response to a rare good faith defense of FBI’s back door searches, I pointed out that the FBI is obliged to consider the least intrusive means of investigation. Yet, even while it admits that accessing content like that obtained via 702 is extremely intrusive, it nevertheless uses the technique routinely at the assessment level.

Other Key Posts Threads

10 Years of emptywheel: Key Non-Surveillance Posts 2008-2010

10 Years of emptywheel: Key Non-Surveillance Posts 2011-2012

10 Years of emptywheel: Key Non-Surveillance Posts 2013-2015

10 Years of emptywheel: Key Non-Surveillance Posts 2016-2017

10 Years of emptywheel: Jim’s Dimestore

Throwing H2O on the Pompeo to State Move

I could be totally wrong, but I don’t think the reported plan for Rex Tillerson to step down, to be replaced by Mike Pompeo, who in turn will be replaced by Tom Cotton (or maybe Admiral Robert Harward because Republicans can’t afford to defend an Arkansas Senate seat), will really happen.

The White House has developed a plan to force out Secretary of State Rex W. Tillerson, whose relationship with President Trump has been strained, and replace him with Mike Pompeo, the C.I.A. director, perhaps within the next several weeks, senior administration officials said on Thursday.

Mr. Pompeo would be replaced at the C.I.A. by Senator Tom Cotton, a Republican from Arkansas who has been a key ally of the president on national security matters, according to the White House plan. Mr. Cotton has signaled that he would accept the job if offered, said the officials, who insisted on anonymity to discuss sensitive deliberations before decisions are announced.

I say that for two reasons.

First, because of all the evidence that Mike Flynn is working on a plea deal. Particularly given that Mueller has decided he doesn’t need any more evidence of Flynn’s corrupt dealings with Turkey, I suspect his leverage over Flynn has gone well beyond just those crimes (which, in turn, is why I suspect Flynn has decided to flip).

I think that when the plea deal against Flynn is rolled out, it will be associated with some fairly alarming allegations against him and others, allegations that will dramatically change how willing Republicans are to run interference for Trump in Congress.

If I’m right about that, it will make it almost impossible for Pompeo to be confirmed as Secretary of State. Already, Senate Foreign Relations Committee Chair Bob Corker, who’d oversee the confirmation, is sending signals he’s not interested in seeing Pompeo replace Tillerson.

“I could barely pick Pompeo out of a lineup” Sen. Bob Corker (R-Tenn.), chairman of the Senate Foreign Relations Committee, said Thursday morning.

Already, Pompeo’s cheerleading of Wikileaks during the election should have been disqualifying for the position of CIA Director. That’s even more true now that Pompeo himself has deemed them a non-state hostile intelligence service.

Add in the fact that Pompeo met with Bill Binney to hear the skeptics’ version of the DNC hack, and the fact that Pompeo falsely suggested that the Intelligence Community had determined Russia hadn’t affected the election. Finally, add in the evidence that Pompeo has helped Trump obstruct the investigation and his role spying on CIA’s own investigation into it, and there’s just far too much smoke tying Pompeo to the Russian operation.

All that will become toxic once Mike Flynn’s plea deal is rolled out, I believe.

So between Corker and Marco Rubio, who both treat Russia’s hack of the election with real seriousness (remember, too, that Rubio himself was targeted), I don’t see how Pompeo could get out of the committee.

But there’s another reason I don’t think this will happen. I suspect it — like earlier threats to replace Jeff Sessions — is just an attempt to get Tillerson to hew the Administration line on policy. The NYT cites Tillerson’s difference of opinion on both North Korea and Iran.

Mr. Trump and Mr. Tillerson have been at odds over a host of major issues, including the Iran nuclear deal, the confrontation with North Korea and a clash between Arab allies. The secretary was reported to have privately called Mr. Trump a “moron” and the president publicly criticized Mr. Tillerson for “wasting his time” with a diplomatic outreach to North Korea

It’s Iran that’s the big issue, particularly as Jared frantically tries to finish his “peace” “plan” before he gets arrested himself. The fact that Trump has floated Cotton as Pompeo’s replacement is strong support for the notion that this is about forcing Tillerson to accept the Administration lies about Iran and the nuclear deal: because Cotton, more than anyone else, has been willing to lie to oppose the deal.

Trump is basically saying that unless Tillerson will adopt the lies the Administration needs to start a war with Iran, then he will be ousted.

But Tillerson’s claim that he doesn’t need to replace all the people who’ve left state because he thinks a lot of domestic issues will be solved soon seems to reflect that he’s parroting the Administration line now.

Obviously, there’s no telling what will happen, because Trump is completely unpredictable.

But he also likes to use threats to get people to comply.

Update: CNN now reporting I’m correct.

About the Timing of the Binney Meeting

The Intercept is reporting that, on Trump’s orders, Mike Pompeo met with Bill Binney on October 24 to understand his theory arguing that the DNC hack was in fact a leak.

In an interview with The Intercept, Binney said Pompeo told him that President Donald Trump had urged the CIA director to meet with Binney to discuss his assessment that the DNC data theft was an inside job. During their hour-long meeting at CIA headquarters, Pompeo said Trump told him that if Pompeo “want[ed] to know the facts, he should talk to me,” Binney said.

[snip]

Binney said that Pompeo asked whether he would be willing to meet with NSA and FBI officials to further discuss his analysis of the DNC data theft. Binney agreed and said Pompeo said he would contact him when he had arranged the meetings.

I’ve got a few comments about this.

First, I’m particularly intrigued in the timing. on Twitter, Jim Sciutto said Trump had been pushing for Pompeo to meet with Binney for several weeks.

Pompeo took the meeting at the urging of President Trump over weeks. Pompeo told Binney: “The president told me I should talk to you”

I’ve been told the meeting was set up by October 14, which means Trump has been pushing for this meeting for over a month. That dates it to around the same time as reports that Chief of Staff John Kelly was preventing Dana Rohrabacher from meeting Trump to pass on Julian Assange’s claims explaining how the emails he received didn’t come from Russia, though that scheme went back further, to mid-August.

Effectively, though, that means Trump has been trying to find some way to magnify theories that argue culprits besides Russia did the hack. The guy who begged Russia to hack Hillary’s emails in the middle of last summer is looking for some alternative narrative to push, and it’s not clear whether he cares what that narrative is.

Though, as I noted in my post on these theories, now that we know the files Guccifer 2.0 leaked were from Podesta and as-yet unidentified sources, it makes all the arguments focusing on Guccifer beside the point (and disrupts Craig Murray’s claims).

On top of a lot of other implications of this, it shifts the entire debate about whether Guccifer 2.0 was WikiLeaks’ source, which has always focused on whether the documents leaked on July 22 came from Guccifer 2.0. Regardless of what you might conclude about that, it shifts the question to whether the Podesta emails WikiLeaks posted came from Guccifer 2.0, because those are the ones where there’s clear overlap. Russia’s role in hacking Podesta has always been easier to show than its role in hacking the DNC.

It also shifts the focus away from whether FBI obtained enough details from the DNC server via the forensic image it received from Crowdstrike to adequately assess the culprit. Both the DNC and Hillary (as well as the DCCC) servers are important. Though those that squawk about this always seem to miss that FBI, via FireEyedisagreed with Crowdstrike on a key point: the degree to which the two separate sets of hackers coordinated in targeted servers; I’ve been told by someone with independent knowledge that the FBI read is the correct one, so FBI certainly did their own assessment of the forensics and may have obtained more accurate results than Crowdstrike (I’ve noted elsewhere that public IC statements make it clear that not all public reports on the Russian hacks are correct).

In other words, given that the files that Guccifer 2.0 first leaked actually preempted WikiLeaks’ release of those files by four months, what you’d need to show about the DNC file leaks is something entirely different than what has been shown.

Binney and the other skeptics aren’t even arguing the right issue anymore.

Moreover, there’s a newly public detail that may moot two key strands of the argument. Last week the WSJ (here’s the Reuters version) reported that DOJ is thinking of charging 6 Russian officials in the hack of the DNC. I get it. People are skeptical that the FBI has any better data than the NSA (though I know others, outside of the FBI, believe they’ve pinpointed hackers by name). But as part of that story,  they described the four districts where the investigation into the hack (as distinct from Mueller’s investigation into the election tampering) live.

The U.S. Justice Department has gathered enough evidence to charge six members of the Russian government in the hacking of Democratic National Committee computers before the 2016 U.S. presidential election, the Wall Street Journal reported on Thursday, citing people familiar with the investigation.

Federal agents and prosecutors in Washington, Philadelphia, Pittsburgh and San Francisco have been cooperating on the DNC investigation and prosecutors could bring the case to court next year, it said.

[snip]

The hacking investigation, conducted by cybersecurity experts, predates the appointment in May of federal special counsel Robert Mueller to oversee the probe of alleged Russian meddling in the 2016 election and possible collusion with President Donald Trump’s campaign.

Mueller and the Justice Department agreed to allow the technical cyber investigation to continue under the original team of agents and prosecutors, the Journal said.

I’m not sure the report is 100% accurate; for example, I know of a non-political witness in the election-related hack being interviewed by Mueller’s people.

But it includes a little-noticed detail that I know to be accurate — and important to rebut the claim that the copying speed claimed by Forensicator requires a conclusion incompatible with Russia carrying out the hack. Part of the investigation is in Philadelphia.

When Reuters first reported a tripartite structure of the investigation in February, it included San Francisco (the Guccifer 2.0 investigation), Pittsburgh (the Russian side, probably focused on known APTs), and DC (the counterintelligence side — though that would significantly be Mueller’s investigation).

Philadelphia was not included. I only know a bit about the Philadelphia side of the investigation, but I do know that part of the investigation is located there because of a server in the district. So one way or another, we know that the FBI is conducting an investigation in an Eastern city as part of the hacking investigation based on the use of a server in the district. That doesn’t necessarily mean they’re investigating Russians. But it means even if you account for a server in the eastern time zone, you still have FBI preparing to charge Russians for the hack.

Which brings us to the last line of the Intercept article.

Binney said that since their meeting, he has not heard from Pompeo about scheduling follow-up meetings with the NSA and FBI.

Granted, it has only been two weeks. But in that time, not even Pompeo’s prodding has made the FBI (more likely) or the NSA (which still has bad blood with Binney) remotely curious about these theories.

Dana Rohrabacher Brokering Deal for Man Publishing a CIA Exploit Every Week

Yesterday, right wing hack Charles Johnson brokered a three hour meeting between Dana Rohrabacher and Julian Assange. At the meeting, Assange apparently explained his proof that Russia was not behind the hack of the DNC. In a statement, Rohrabacher promises to deliver what he learned directly to President Trump.

Wikileaks founder Julian Assange on Wednesday told Rep. Dana Rohrabacher that Russia was not behind leaks of emails during last year’s presidential election campaign that damaged Hillary Clinton’s candidacy and exposed the inner workings of the Democratic National Committee.

The California congressman spent some three hours with the Australian-born fugitive, now living under the protection of the Ecuadorian embassy in the British capital.

Assange’s claim contradicts the widely accepted assessment of the U.S. intelligence community that the thousands of leaked emails, which indicated the Democratic National Committee rigged the nomination process against Sen. Bernie Sanders in favor of Clinton, were the result of hacking by the Russian government or persons connected to the Kremlin.

Assange, said Rohrabacher, “emphatically stated that the Russians were not involved in the hacking or disclosure of those emails.” Rohrabacher, who chairs the House Foreign Affairs Subcommittee on Europe, Eurasia, and Emerging Threats, is the only U.S. congressman to have visited the controversial figure.

The conversation ranged over many topics, said Rohrabacher, including the status of Wikileaks, which Assange maintains is vital to keeping Americans informed on matters hidden by their traditional media. The congressman plans to divulge more of what he found directly to President Trump.

I’m utterly fascinated that Assange has taken this step, and by the timing of it.

It comes not long after Rod Wheeler’s lawsuit alleging that Fox News and the White House worked together to invent a story that murdered DNC staffer Seth Rich was in contact with WikiLeaks. Both that story and this one have been promoted aggressively by Sean Hannity.

It comes in the wake of the VIPS letter that — as I’ve begun to show — in no way proves what it claims to prove about the DNC hack.

It comes just after a very long profile by the New Yorker’s Raffi Khatchadourian, who has previously written more sympathetic pieces about Assange. I have a few quibbles with the logic behind a few of the arguments Khatchadourian makes, but he makes a case — doing analysis on what documents got released where that no one else has yet publicly done (and about which numerous people have made erroneous claims in the past) — that Assange’s claims he wasn’t working with Russia no longer hold up.

But his protestations that there were no connections between his publications and Russia were untenable.

[snip]

Whatever one thinks of Assange’s election disclosures, accepting his contention that they shared no ties with the two Russian fronts requires willful blindness. Guccifer 2.0’s handlers predicted the WikiLeaks D.N.C. release. They demonstrated inside knowledge that Assange was struggling to get it out on time. And they proved, incontrovertibly, that they had privileged access to D.N.C. documents that appeared nowhere else publicly, other than in WikiLeaks publications. The twenty thousand or so D.N.C. e-mails that WikiLeaks published were extracted from ten compromised e-mail accounts, and all but one of the people who used those accounts worked in just two departments: finance and strategic communications. (The single exception belonged to a researcher who worked extensively with communications.) All the D.N.C. documents that Guccifer 2.0 released appeared to come from those same two departments.

The Podesta e-mails only make the connections between WikiLeaks and Russia appear stronger. Nearly half of the first forty documents that Guccifer 2.0 published can be found as attachments among the Podesta e-mails that WikiLeaks later published.

The Assange-Rohrabacher meeting also follows a NYT story revealing that the author of a piece of malware named in the IC’s first Joint Analysis Report of the DNC hack, Profexor, has been cooperating with the FBI. The derivative reports on this have overstated the connection Profexor might have to the DNC hack (as opposed to APT 28, presumed to be associated with Russia’s military intelligence GRU).

A member of Ukraine’s Parliament with close ties to the security services, Anton Gerashchenko, said that the interaction was online or by phone and that the Ukrainian programmer had been paid to write customized malware without knowing its purpose, only later learning it was used in Russian hacking.

Mr. Gerashchenko described the author only in broad strokes, to protect his safety, as a young man from a provincial Ukrainian city. He confirmed that the author turned himself in to the police and was cooperating as a witness in the D.N.C. investigation. “He was a freelancer and now he is a valuable witness,” Mr. Gerashchenko said.

It is not clear whether the specific malware the programmer created was used to hack the D.N.C. servers, but it was identified in other Russian hacking efforts in the United States.

But Profexor presumably is describing to the FBI how he came to sell customized access to his tool to hackers working for Russia and who those hackers were.

In other words, this bid by Assange to send information to Trump via someone protected by the Constitution’s Speech and Debate Clause, but who is also suspected — even by his Republican colleagues! — of being on Russia’s payroll, comes at a very interesting time, as outlets present more evidence undermining Assange’s claims to have no tie to Russia.

Coming as it does as other evidence is coming to light, this effort is a bit of a Hail Mary by Assange: as soon as Trump publicizes his claims (which he’ll probably do during tomorrow’s shit-and-tweet) and they get publicly discredited, Assange (and Trump) will have little else to fall back on. They will have exposed their own claims, and provided the material others can use to attack Trump’s attempts to rebut the Russia hack claims. Perhaps Assange’s claims will be hard to rebut; but by making them public, finally, they will be revealed such that they can be rebutted.

I’m just as interested in the reporting on this, though, which was first pushed out through right wing outlets Daily Caller and John Solomon.

The story is presented exclusively in terms of Assange’s role in the DNC hack, which is admittedly the area where Assange’s interests and Trump’s coincide.

Yet not even the neutral LAT’s coverage of the meeting, which even quotes CIA Director and former Wikileaks fan Mike Pompeo,mentions the more immediate reason why Assange might need a deal from the United States. Virtually every week since March, Wikileaks has released a CIA exploit. While some of those exploits were interesting and the individual exploits are surely useful for security firms, at this point the Vault 7 project looks less like transparency and more like an organized effort to burn the CIA. Which makes it utterly remarkable a sitting member of Congress is going to go to the president to lobby him to make a deal with Assange, to say nothing of Assange’s argument that Wikileaks should get a White House press pass as part of the deal.

Dana Rohrabacher is perhaps even as we speak lobbying to help a guy who has published a CIA hack of the week. And that part of the meeting is barely getting notice.

Or Maybe America Post-9/11 Inspires More Disillusionment?

Michael Hayden thinks he has an explanation for all the whistleblowers. It’s those damn millennials.

How do you make sure every one of [the people who have clearance] was and remains a loyal American or a loyal member of British security services and so on. Beyond that, Catty, there’s another dynamic at work here. In order to do this kind of stuff, we have to recruit from a certain demographic, and I don’t mean to judge them at all, but this group of millennials and related groups simply have different understandings of the words loyalty and secrecy and transparency than certainly my generation did. And so we bring these folks into the agency, good Americans all, I can only assume, but again, culturally they have different instincts than the people who made the decision to hire them.

The reason Chelsea Manning and Edward Snowden leaked vast troves of documents, according to Hayden, is because they’re young and not as loyal as people like him.

That may be true, to a point. Both Manning and Snowden seem to have a cosmopolitanism that a lot of Americans — those Americans raised during the Cold War — don’t have. We live in a globe now, just just America, and it’s possible Manning and Snowden felt some loyalty to humankind, rather than just America.

But there’s another problem with Hayden’s claim. There have been a number of whistleblowers who are of his generation. Consider all the intelligence people who’ve joined VIPS in response to idiotic foreign policy, after all.

Or consider an even more interesting example: Bill Binney. Binney was, during the Cold War, one of the most aggressive spies out there. He has said to me, repeatedly, that he’s the guy who invented Collect it all (though he, of course, wanted privacy protections for Americans). But when his approach came to be rolled out against Americans as part of the War on Terror that Hayden pursued with little self-reflection, Binney balked, quit the NSA, and started complaining that his program had been repurposed to target everyone.

Now, Binney didn’t bring a trove of documents with him. But he’s definitely animated by some of the same things that animated Manning and Snowden.

And Binney is two years older than Hayden.

There are a lot of things that motivate whistleblowers, and Daniel Ellsberg (who is 14 years older than Hayden) has said repeatedly that Snowden is just like he was.

But I do think one thing that has happened is that during the Cold War, for good or ill, Americans believed that they were the force of good. That belief is a lot harder to sustain in this day and age, for a range of reasons (not least the warrantless wiretapping and torture that Hayden facilitated). So just maybe the values remain the same, but America has changed?

The Dragnet Donald Trump Will Wield Is Not Just the Section 215 One

I’ve been eagerly anticipating the moment Rick Perlstein uses his historical work on Nixon to analyze Trump. Today, he doesn’t disappoint, calling Trump more paranoid than Nixon, warning of what Trump will do with the powerful surveillance machine laying ready for his use.

Revenge is a narcotic, and Trump of all people will be in need of a regular, ongoing fix. Ordering his people to abuse the surveillance state to harass and destroy his enemies will offer the quickest and most satisfying kick he can get. The tragedy, as James Madison could have told us, is that the good stuff is now lying around everywhere, just waiting for the next aspiring dictator to cop.

But along the way, Perlstein presents a bizarre picture of what happened to the Section 215 phone dragnet under Barack Obama.

That’s not to say that Obama hasn’t abused his powers: Just ask the journalists at the Associated Press whose phone records were subpoenaed by the Justice Department. But had he wanted to go further in spying on his enemies, there are few checks in place to stop him. In the very first ruling on the National Security Administration’s sweeping collection of “bulk metadata,” federal judge Richard Leon blasted the surveillance as downright Orwellian. “I cannot imagine a more ‘indiscriminate’ and ‘arbitrary’ invasion than this collection and retention of personal data,” he ruled. “Surely, such a program infringes on ‘that degree of privacy’ that the founders enshrined in the Fourth Amendment.”

But the judge’s outrage did nothing to stop the surveillance: In 2015, an appeals court remanded the case back to district court, and the NSA’s massive surveillance apparatus—soon to be under the command of President Trump—remains fully operational. The potential of the system, as former NSA official William Binney has described it, is nothing short of “turnkey totalitarianism.”

There are several things wrong with this.

First, neither Richard Leon nor any other judge has reviewed the NSA’s “sweeping collection of ‘bulk metadata.'” What Leon reviewed — in Larry Klayman’s lawsuit challenging the collection of phone metadata authorized by Section 215 revealed by Edward Snowden — was just a small fraction of NSA’s dragnet. In 2013, the collection of phone metadata authorized by Section 215 collected domestic and international phone records from domestic producers, but even there, Verizon had found a way to exclude collection of its cell records.

But NSA collected phone records — indeed, many of the very same phone records, as they collected a great deal of international records — overseas as well. In addition, NSA collected a great deal of Internet metadata records, as well as financial and anything else records. Basically, anything the NSA can collect “overseas” (which is interpreted liberally) it does, and because of the way modern communications works, those records include a significant portion of the metadata of Americans’ everyday communications.

It is important for people to understand that the focus on Section 215 was an artificial creation, a limited hangout, an absolutely brilliant strategy (well done, Bob Litt, who has now moved off to retirement) to get activists to focus on one small part of the dragnet that had limitations anyway and NSA had already considered amending. It succeeded in pre-empting a discussion of just what the full dragnet entailed.

Assessments of whether Edward Snowden is a traitor or a saint always miss this, when they say they’d be happy if Snowden had just exposed the Section 215 program. Snowden didn’t want the focus to be on just that little corner of the dragnet. He wanted to expose the full dragnet, but Litt and others succeeded in pretending the Section 215 dragnet was the dragnet, and also pretending that Snowden’s other disclosures weren’t just as intrusive on Americans.

Anyway, another place where Perlstein is wrong is in suggesting there was just one Appeals Court decision. The far more important one is the authorized by Gerard Lynch in the Second Circuit, which ruled that Section 215 was not lawfully authorized. It was a far more modest decision, as it did not reach constitutional questions. But Lynch better understood that the principle involved more than phone records; what really scared him was the mixing of financial records with phone records, which is actually what the dragnet really is.

That ruling, on top of better understanding the import of dragnets, is important because it is one of the things that led to the passage of USA Freedom Act, a law that, contrary to Perlstein’s claim, did change the phone dragnet, both for good and ill.

The USA Freedom Act, by imposing limitations on how broadly dragnet orders (for communications but not for financial and other dragnets) can be targeted, adds a check at the beginning of the process. It means only people 2 degrees away from a terrorism suspect will be collected under this program (even while the NSA continues to collect in bulk under EO 12333). So the government will have in its possession far fewer phone records collected under Section 215 (but it will still suck in massive amounts of phone records via EO 12333, including massive amounts of Americans’ records).

All that said, Section 215 now draws from a larger collection of records. It now includes the Verizon cell records not included under the old Section 215 dragnet, as well as some universe of metadata records deemed to be fair game under a loose definition of “phone company.” At a minimum, it probably includes iMessage, WhatsApp, and Skype metadata, but I would bet the government is trying to get Signal and other messaging metadata (note, Signal metadata cannot be collected retroactively; it’s unclear whether it can be collected with standing daily prospective orders). This means the Section 215 collection will be more effective in finding all the people who are 2 degrees from a target (because it will include any communications that exist solely in Verizon cell or iMessage networks, as well as whatever other metadata they’re collecting). But it also means far more innocent people will be impacted.

To understand why that’s important, it’s important to understand what purpose all this metadata collection serves.

It was never the case that the collection of metadata, however intrusive, was the end goal of the process. Sure, identifying someone’s communications shows when you’ve been to an abortion clinic or when you’re conducting an affair.

But the dragnet (the one that includes limited Section 215 collection and EO 12333 collection limited only by technology, not law) actually serves two other primary purposes.

The first is to enable the creation of dossiers with the click of a few keys. Because the NSA is sitting on so much metadata — not just phone records, but Internet, financial, travel, location, and other data — it can put together a snapshot of your life as soon as they begin to correlate all the identifiers that make up your identity. One advantage of the new kind of collection under USAF, I suspect, is it will draw from the more certain correlations you give to your communications providers, rather than relying more heavily on algorithmic analysis of bulk data. Facebook knows with certainty what email address and phone number tie to your Facebook account, whereas the NSA’s algorithms only guess that with (this is an educated guess) ~95+% accuracy.

This creation of dossiers is the same kind of analysis Facebook does, but instead of selling you plane tickets the goal is government scrutiny of your life.

The Section 215 orders long included explicit permission to subject identifiers found via 2-degree collection to all the analytical tools of the NSA. That means, for any person — complicit or innocent — identified via Section 215, the NSA can start to glue together the pieces of dossier it already has in its possession. While not an exact analogue, you might think of collection under Section 215 as a nomination to be on the equivalent of J Edgar Hoover’s old subversives list. Only, poor J Edgar mostly kept his list on index cards. Now, the list of those the government wants to have a network analysis and dossier on is kept in massive server farms and compiled using supercomputers.

Note, the Section 215 collection is still limited to terrorism suspects — that was an important win in the USA Freedom fight — but the EO 12333 collection, with whatever limits on nominating US persons, is not. Plus, it will be trivial for Trump to expand the definition of terrorist; the groundwork is already being laid to do so with Black Lives Matter.

The other purpose of the dragnet is to identify which content the NSA will invest the time and energy into reading. Most content collected is not read in real time. But Americans’ communications with a terrorism suspect will probably be, because of the concern that those Americans might be plotting a domestic plot. The same is almost certainly true of, say, Chinese-Americans conversing with scientists in China, because of a concern they might be trading US secrets. Likewise it is almost certainly true of Iranian-Americans talking with government officials, because of a concern they might be dealing in nuclear dual use items. The choice to prioritize Americans makes sense from a national security perspective, but it also means certain kinds of people — Muslim immigrants, Chinese-Americans, Iranian-Americans — will be far more likely to have their communications read without a warrant than whitebread America, even if those whitebread Americans have ties to (say) NeoNazi groups.

Of course, none of this undermines Perlstein’s ultimate categorization, as voiced by Bill Binney, who created this system only to see the privacy protections he believed necessary get wiped away: the dragnet — both that authorized by USAF and that governed by EO 12333 — creates the structure for turnkey totalitarianism, especially as more and more data becomes available to NSA under EO 12333 collection rules.

But it is important to understand Obama’s history with this dragnet. Because while Obama did tweak the dragnet, two facts about it remain. First, while there are more protections built in on the domestic collection authorized by Section 215, that came with an expansion of the universe of people that will be affected by it, which must have the effect of “nominating” more people to be on this late day “Subversives” list.

Obama also, in PPD-28, “limited” bulk collection to a series of purposes. That sounds nice, but the purposes are so broad, they would permit bulk collection in any area of the world, and once you’ve collected in bulk, it is trivial to then call up that data under a more broad foreign intelligence purpose. In any case, Trump will almost certainly disavow PPD-28.

Which makes Perlstein’s larger point all the more sobering. J Edgar and Richard Nixon were out of control. But the dragnet Trump will inherit is far more powerful.

In Newly Released IG Reports, Administration Redacted Discussion of the Bill Binney Option

One of the most fascinating aspects of the IG Reports Charlie Savage just liberated is how they redacted the NSA IG Report, a draft of which Edward Snowden already got released.

Consider the following redactions.

NSA redacts the discussion that shows they were already spying

Starting at PDF 146, the entire section describing what Michael Hayden did in the days immediately after 9/11 is redacted. Here’s what is included in the Snowden version.

(TS//SV/NF) On 14 September 2001, three days after terrorist attacks in the United States, General Hayden approved the targeting of terrorist-associated foreign telephone numbers on communication links between the United States and foreign countries where terrorists were known to be operating. Only specified, pre-approved numbers were allowed to be tasked for collection against U.S.-originating links. He authorized this collection at Special Collection Service and Foreign Satellite sites with access to links between the United States and countries of interest, including Afghanistan. According to the Deputy General Counsel, General Hayden determined by 26 September that any Afghan telephone number in contact with a U.S. telephone number on or after 26 September was presumed to be of foreign intelligence value and could be disseminated to the FBI.

(TS//SV/NF) NSA OGC said General Haydens action was a lawful exercise of his power under Executive Order (E.O.) 12333, United States Intelligence Activities, as amended. The targeting of communication links with one end in the United States was a more aggressive use of E.O. 12333 authority than that exercised by former Directors. General Hayden was  operating in a unique environment in which it was a widely held belief that additional terrorist attacks on U.S. soil were imminent. General Hayden said this was a tactical decision.

(U//FOUO) On 2 October 2001, General Hayden briefed the House Permanent Select Committee on Intelligence (HPSCI) on this decision and later informed members of the Senate Select Committee on Intelligence (SSCI) by telephone. He had also informed DCI George Tenet.

(TS) At the same time NSA was assessing collection gaps and increasing efforts against terrorist targets immediately after the 11 September attacks, it was responding to Department of Defense (DoD), Director of Central Intelligence Community Management Staff questions about its ability to counter the new threat.

We can tell the discussion in the released version is different, even though it is entirely redacted. That’s because the discussion is longer, appears to include two footnotes, and has some indentations that don’t appear in the Snowden version.

But as it is, the discussion is legally dangerous for the Executive, because it either shows that NSA used the 15-day window permitted under FISA (which would make the Yoo memos all the more problematic), or conducted this spying without any authorization. (There are also “doth protest too much” discussions of how the NSA never spied on Americans before this that we know to be false, so I suspect that’s part of the problem.)

NSA redacts the Cheney paragraph

The final report redacts a discussion (PDF 148-149) titled, “Vice President Asked What Other Authorities NSA Needed.” Some related discussion appears in the Snowden version, but clearly not the entire discussion.

Mr. Tenet relayed that the Vice President wanted to know if NSA could be doing more. General Hayden replied that nothing else could be done within existing NSA authorities. In a follow-up telephone conversation, Mr. Tenet asked General Hayden what could be done if he had additional authorities. General Hayden said that these discussions were not documented.

Though it’s possible — perhaps even probable — that what the NSA draft depicts as NSA identifying its own needs is actually Hayden getting people to identify the needs Cheney had already identified for him.

In any case, the final IG report complains that none of this was documented, which suggests there was far more of interest that actually went on in these discussions.

NSA Redacts the Binney Option

Perhaps most interesting, the NSA redacts almost all of whatever became of this discussion.

Among other things, NSA considered how to tweak transit collection-the collection of communications transiting through but not originating or terminating in the United States. NSA personnel also resurfaced a concept proposed in 1999 to address the Millennium Threat. NSA proposed that it would perform contact chaining on metadata it had collected. Analysts would chain through masked U.S. telephone numbers to discover foreign connections to those numbers, without specifying, even for analysts, the U.S. number involved. In December 1999, the Department of Justice (DoJ), Office of intelligence Policy Review (OIPR) told NSA that the proposal fell within one of the FISA definitions of electronic surveillance and, therefore, was not permissible when applied to metadata associated with presumed U.S. persons (i.e., U.S. telephone numbers not approved for targeting by the FISC).

Though PDF 150 appears to have a footnote that would modify that discussion (but that doesn’t appear in the Snowden version).

According to NSA OGC, DoJ has since agreed with NSA that simply processing communications metadata in this manner does not constitute electronic surveillance under the FISA.

This footnote may refer to the SPCMA decision in 2007 to 2008. Except that’s not what Binney et al proposed back in 1999. On the contrary: SPCMA permits NSA to chain through unmasked US person metadata, whereas Binney had proposed permitting only chaining through masked US person identifiers.

Which suggests the George Ellard may have been misrepresenting what was possible in this sensitive IG Report designed for Congress.

But that would make it easier to come to this conclusion, one not included in the Snowden version:

Under its authorities, NSA had no other options for the timely collection of communications of suspected terrorists when one end of those communications was in the United States and the communications could only be collected from a wire or cable in the United States.

No wonder they redacted the Binney discussion.

Richard Burr Prepares to Capitalize on Refusing to Exercise Intelligence Oversight

In James Risen’s new book, he provides new details on what happened to the NSA whistleblowers — Bill Binney, Kurt Wiebe, Ed Loomis, Thomas Drake — who tried to stop President Bush’s illegal wiretap program, adding to what Jane Mayer wrote in 2011. He pays particular attention to the effort Diane Roark made, as a staffer overseeing NSA on the House Intelligence Committee, to alert people that the Agency was conducting illegal spying on Americans.

As part of that, Risen describes an effort Roark made to inform another Congressman of the program, one who had not been briefed: Richard Burr.

Despite the warning from (HPSCI’s Republican Staff Director Tim) Sample not to talk with anyone else on the committee about the program, she privately warned Chris Barton, the committee’s new general counsel, that “there was an NSA program of questionable legality and that it was going to blow up in their faces.” In early 2002, Roark also quietly arranged a meeting between Binney, Loomis, and Wiebe and Richard Burr, a North  Carolina Republican on the House Intelligence Committee. Binney told Burr everything they had learned about the NSA wiretapping program, but Burr hardly said a word in response. Burr never followed up on the matter with Roark, and there is no evidence he ever took any action to investigate the NSA program.

I’m not actually surprised that Burr learned the Intelligence Community was engaging in illegal behavior and did nothing. From what we’ve seen in his response to torture, he has served entirely to help CIA cover up the program and protect the torturers. Indeed, in his treatment of John Brennan’s confirmation, he made efforts to ensure Brennan would have to protect the torturers too.

So it’s no surprise that Burr heard details of an illegal program and ignored them.

Still, it’s worth highlighting this detail because, if Democrats do lose the Senate as they are likely to do in November, Richard Burr will most likely become Senate Intelligence Committee Chair. While Dianne Feinstein may be a badly flawed Chair overseeing the IC, Burr will be a nightmare, unloosing them to do whatever they’re ordered.

That’s the kind of career advancement that comes to a guy who remains silent about wrongdoing.

How FISA Dockets (Appear To) Work and Why Snowden Likely Got Few or No PayPal Documents

Because Bill Binney made an observation about the high docket number of the phone dragnet order released this year, Sibel Edmonds has decided that Glenn Greenwald is hiding a bunch of Edward Snowden documents to protect Pierre Omidyar showing PayPal cooperated with NSA.

Here’s what Binney said, according to him.

Unfortunately, Sibel attributes some of her words to me. I do not know that PAYPAL is involved – only that financial data is being used by NSA. And, based on the “BR” number 13/80 on the Verizon court order to give records to NSA, I estimated that this program involved 78 companies. These would include: telecom’s, internet service providers, banks/finance/credit cards, travel, plus others. So, there’s a lot of business data being collected by NSA and the FBI. In the future, if I am to be quoted, I will have to I will have to insist on a pre-publication review. [my emphasis]

Now, like Peter Kofod, I don’t doubt that PayPal gives a ton of data to the national security state (more on what probably happens below).

But Binney’s comment appears to be based on a misunderstanding of how the FISA docket numbering works (though not one that changes his observation that “there’s a lot of business data being collected by NSA and the FBI”): that each docket pertains to a different company.

Given the filings we’ve seen from voluminous years — particularly 2009 — it is clear that DOJ uses one docket for all providers on a particular order. For example, 3 of the 4 docket numbers used for the phone dragnet in 2009 were 08-13, 09-06, and 09-13. For the entire 3 month period the primary order covers, all the orders and correspondence related to that primary order bears the original docket number. Even in the case where Judge Walton cut off and then resumed production (see 09-13 above) from just one provider got handled in that docketing system. The now public FISC docket appears to continue this practice, with BR 13-109 and BR 13-158 including all the correspondence on a particular order (in addition, there are the Misc dockets for lawsuits, and the 2007 docket tied to Protect America Act for the Yahoo challenge).

And over the years, the list of providers included on the dockets appears to have gotten much longer. Here’s the redacted list of providers from the original 2006 order:

Screen shot 2013-12-13 at 7.51.09 PM

Here’s the redacted list of providers from the most recent order:

Screen shot 2013-12-13 at 7.54.25 PM

 

The additional providers are probably smaller providers, as well as VOIP providers.

So just 4 and on rare occasions 5 of the Section 215 (“BR”) docket numbers in any given year (and, for the life of the program, just 4 of the PR/TT docket numbers) covered all the providers.

But that may, in fact, mean far more companies are getting Section 215 orders, even bulk orders. As I laid out in this post, the numbers of Section 215 orders have gone up in the last several years (Julian Sanchez has speculated that previously some of this collection was done via National Security Letter, which is a pretty good bet).

Section 215 orders

And as they’ve gone up, the FISA Court has been modifying far more orders — it modified 86% of the orders in 2011. It has been modifying orders to add minimization procedures (it modified 176 orders in 2011 to add minimization requirements). Given that you only need to have significant minimization procedures if you’re getting a lot of innocent people’s data, and given that these orders would also be on a 90-day cycle, that may mean there were 44 bulk collection programs in 2011.

But, as Binney said, that’s going to include a lot of different kinds of companies. We know they’ve used Section 215 to collect precursor chemical purchase records. They likely cover credit cards records, other financial records, gun purchases, health and medical records, and other computer records. There have even been questions about using Section 215 to collect URL search terms.

PayPal is one possible or even likely recipient of these, but only one out of a bunch. Read more