Posts

The Empire’s New Clothes

Jay Rosen likes to talk about the Snowden effect — the events that have followed on Edward Snowden’s leaks that lead to more public knowledge.

This is surely a superb example of it. Someone has leaked the US Redlines — US negotiating goals aiming to curtail the German-British proposal to recognize an international right to privacy in electronic communications — to Colum Lynch. Lynch writes,

Publicly, U.S. representatives say they’re open to an affirmation of privacy rights. “The United States takes very seriously our international legal obligations, including those under the International Covenant on Civil and Political Rights,” Kurtis Cooper, a spokesman for the U.S. mission to the United Nations, said in an email. “We have been actively and constructively negotiating to ensure that the resolution promotes human rights and is consistent with those obligations.”

But privately, American diplomats are pushing hard to kill a provision of the Brazilian and German draft which states that “extraterritorial surveillance” and mass interception of communications, personal information, and metadata may constitute a violation of human rights. The United States and its allies, according to diplomats, outside observers, and documents, contend that the Covenant on Civil and Political Rights does not apply to foreign espionage.

The Redlines set three goals:

  • Clarify that references to privacy rights are referring explicitly to States’ obligations under ICCPR and remove suggestion that such obligations apply extra-territorially.
  • Clarify that the focus of the resolution is on “unlawful” or “illegal” surveillance and interception of communications.
  • Clarify that violations of privacy rights do not necessarily violate freedom of expression.

The Redlines, along with a basic understanding of the degree to which the US dominates global telecommunications networks, make it clear how important retaining this advantage is to the American Empire. After all, a limit on extraterritorial spying primarily limits the US and its partners, because no one else has the ability to operate extraterritorially at such scale. And assuming the US can limit the application of privacy to nation-states, then limiting the resolution would exempt all the extraterritorial dragnet that would otherwise be in violation. I’m perhaps most intrigued by US insistence that massive dragnets don’t violate freedom of expression, because while that’s obviously false, the US already depends on that false claim to conduct its dragnet domestically.

This is, then, in addition to being a perfect example of the Snowden effect, also a perfect example of what Henry Farrell and Martha Finnemore have described in their essay on American hypocrisy and what I elaborated on here.

US hegemony rests on a lot of things: the dollar exchange, our superlative military, our ideological lip service to democracy and human rights.

But for the moment, it also rests on the globalized communication system in which we have a huge competitive advantage. That is, one reason we are the world’s hegemon is because the rest of the world communicates through us — literally, in terms of telecommunications infrastructure, linguistically, in English, and in terms of telecommunications governance.

Aggressively hacking the rest of the world endangers that, both because of what it does to our ideological claims and, just as importantly, because it provides rivals with the concrete incentive to dismantle that global infrastructure.

We’re opting to retain the ability to spy on everyone else, all using the increasingly flaccid claim of terrorism, all while pretending that simply endorsing this basic principle of human rights won’t devastate one tool of our Empire.

But as the leak of these Redlines makes clear, we clearly do believe it would undermine the Empire.

John Bates’ TWO Wiretapping Warnings: Why the Government Took Its Internet Dragnet Collection Overseas

A couple of us were joking on Twitter the other day that the June-July 2010 John Bates opinion released the other day — in which he yelled mightily about illegal collection that had persisted for 5 years but then rubber stamped the government’s plan to vastly expand metadata collection — ought to lead the term “Bates stamp” to take on new meaning, a rubber stamp by a FISC judge.

(I’m working on a separate post that shows the timing of all this, but for the moment, you’ll have to trust me that Bates’ opinion was written some time around July 2010.)

Bates did, however, sort of kind of rein in the government’s actions, spending the last 17 pages of his opinion explaining how 50 USC 1809(a) prohibited him from allowing the government to use metadata it had collected for years in violation of the court’s rules.

Basically, Bates argued that the government would be guilty of illegal wiretaps under FISA if it used the illegally collected information. I believe the illegal collection involved taking metadata that counted as content and/or didn’t count as addressing information.

The government, in a submission and a reply to him, argued that was not the case. It made several arguments: first, it claimed their collection wasn’t “intentional” and therefore distributing it would not count as an illegal wiretap.

Insofar as the government contends that Section 1809(a)(2) reaches only “intentional violations of the Court’s orders,” or “willful” as opposed to intentional conduct, see Memorandum of Law at 74 n. 37, the Court disagrees. The plain language of the statute requires proof that the person in question “intentionally” disclosed or used information “knowing or with reason to know” the information was obtained in the manner described.

It also argued that the Pen Register statute allowed the Court to override the wiretap prohibitions.

The government argues that the opening phrase of 50 U.S.C. § 1842(a) vests the Court with authority to enter an order rendering Section 1809(a)(2) inapplicable. See Memorandum of Law at 74 n. 37.

It argued that because the Court could limit what the government could do with the data, it could also expand it.

The government next contends that because the Court has, in its prior orders, regulated access to and use of previously accumulated metadata, it follows that the Court may not authorize NSA to access and use all previously collected information, including information that was acquired outside the scope of prior authorizations, so long as the information “is within the scope of the [PR/TT] statute and the Constitution.” Memorandum of Law at 73.

It then argued that the Court’s own rules allowed it to authorize access to the data.

The government further contends that Rule 10(c) of the Rules of this Court gives the Court discretion to authorize access to and use of the overcollected information. Memorandum of Law at 73.

Finally, Article II argued that Article III had inherent authority to ignore the law. (!)

Finally, insofar as the government suggests that the Court has an inherent authority to permit the use and disclosure of all unauthorized collection without regard to Section 1809, see Memorandum of Law at 73-74 & n.37, the Court again must disagree.

DiFi Fake FISA Fix Explicitly Allows Contractors to Conduct Suspicionless Searches on US Person Data

The Senate Intelligence Committee has released its report on DiFi’s Fake FISA Fix. The report makes it clearer than ever that this is not at all an improvement, but rather an attempt to use the Snowden leaks as an opportunity to make the spying programs explicitly worse, which I’ll explain at more length later.

Just as an example, however, take a look at what they do with back door searches. As I explained here, the bill describes new reporting for a tiny fraction of back door searches, those that search on a US identifier as content, presumably to trick people into thinking that does anything for the vast majority of back door searches on US identifiers as metadata (DiFi’s staffers all but admitted that, anonymously, here). Thus, it provides new reports for a tiny fraction of this practice, while endorsing the vast majority of such searches — and the far more intrusive ones — to go on with no reporting requirements. And since I laid that out, NSA General Counsel Raj De and DNI General Counsel Robert Litt made it clear that NSA does not currently require even Reasonable Articulable Suspicion to search any content collected incidentally.

Here’s what the report adds to that, explicitly.

The Committee believes that, to the greatest extent practicable, all queries conducted to the authorities established under this section should be performed by Federal employees. Nonetheless, the Committee acknowledges that it may be necessary in some cases to use contractors to perform such queries. By using the term “government personnel” the Committee does not intend to prohibit such contractor use.

The NSA just had a contractor walk off with unbelievable amounts of data.

And the Senate Intelligence Committee’s response to that is to explicitly give contractors the authority to conduct suspicionless searches through vast quantities of data to access and read the content of US person data, with no reporting requirements.

I guess when they named this the “intelligence” committee they were just making an elaborate joke.

(Note: Snoopdidoo had some more observations on the report in comments to this thread.)

In the Middle of Spying Scandal, Scotland Yard Gives Up on Another One

I’ll be honest. I’ve been thinking about Gareth Williams — the GCHQ spy found dead in a duffle bag in his safe house — since the Snowden leaks started. With each new disclosure, especially about GCHQ (though remember that Williams also worked with NSA closely on busting the liquids plot), I’ve wondered, “Is this the new spying effort that got Williams expertly killed?”

Which is why I find it so interesting that Scotland Yard chose today to announce — to much incredulity on both sides of the Atlantic — that he killed himself by accident.

His spy background and the fact that expensive, unworn women’s clothes were found at his flat provoked a wide range of “weird and wonderful” theories, London Police Deputy Assistant Commissioner Martin Hewitt said, but further investigations now suggested it was more likely he had not been murdered.

“Most probably, it was an accident,” Hewitt told reporters. “I’m convinced that Gareth’s death was in no way linked to his work.”

[snip]

Hewitt denied suggestions Britain’s spies had simply staged an elaborate cover-up.

“I do not believe I have had the wool pulled over my eyes.”

Just as an example, would any of the OPEC countries NSA and GCHQ hacked have reason to be particularly sensitive about it? There were past allegations Russian organized crime did him in — and I pointed out that those claims resembled an application of Gauss which reportedly tracked Lebanese bank data. Did some other financial institution catch him stealing their data? Did he catch someone stealing other data?

In any case, Williams’ death is a reminder that it wasn’t so outlandish when Snowden suggested he might be murdered for having leaked intelligence.

Tapping the Oil Industry

Remember when it was outrageous that the Iranians had (allegedly) hacked Aramco? In addition to wiping hard drives (though in ways that left the computers recoverable), they also took and threatened to release documents.

In news that I earlier predicted, NSA and GCHQ have hacked OPEC, including Saudi Arabia’s OPEC Minister (though NSA managed to detask him when he came to the US).

Spiegel doesn’t provide much detail of what they’ve gotten — just a tantalizing overview, particularly given the likelihood that the speculation claim pertains to the skyrocketing prices in 2008, which (among other things) the Saudis used to get us into a new security cooperation agreement.

None of this is surprising. But as we try to fearmonger new wars based on one party hacking another, it’s probably safe to assume we got there first.

It stated that OPEC officials were trying to cast the blame for high oil prices on speculators. A look at files in the OPEC legal department revealed how the organization was preparing itself for an antitrust suit in the United States. And a review of the section reserved for the OPEC secretary general documented that the Saudis were using underhanded tactics, even within the organization. According to the NSA analysts, Riyadh had tried to keep an increase in oil production a secret for as long as possible.

Our TCA with Saudi Arabia (and the fact that we (Booz, in fact!) are now providing it with cybersecurity) may well be one reason it is no longer a top NSA target.

OPEC appears in the “National Intelligence Priorities Framework,” which the White House issues to the US intelligence community. Although the organization is still listed as an intelligence target in the April 2013 list, it is no longer a high-priority target.

Who needs to hack when you’re in charge of cybersecurity?

And guess which company has a lot of that business? Edward Snowden’s former employer, Booz.

William Webster Meets Edward Snowden, IRTPA, Roving Wiretaps, and the Phone Dragnet

For a post on back-door searches, I’m re-reading the William Webster report on whether the FBI could have anticipated Nidal Hasan’s attack. In the light of the Edward Snowden disclosure, I’m finding there are a number of passages that read very differently (so expect this to be a series of posts).

As you read this, remember two things about Webster’s report. First, FBI and NSA’s failure to find Umar Farouk Abdulmutallab in spite of texts he sent to Anwar al-Awlaki was probably prominent on the Webster team’s mind as they completed this (and surely factors significantly in the classified version of the SSCI report on the UndieBomb). So some of the comments in the Webster report probably don’t apply directly to the circumstances of Nidal Hasan, but to that (and Webster notes that some of the topics he addresses he does because they’re central to counterterrorism approaches). And the Webster report is perhaps the most masterful example of an unclassified document that hides highly classified background.

All that said, in a section immediately following Webster’s description of Section 215, Webster discusses how Roving Wiretaps, Section 6001 of IRTPA, and Section 215 were all reauthorized in 2011.

When FISA was passed in 1978, the likely targets of counterterrorism surveillance were agents of an organized terrorist group like the Red Brigades, the Irish Republican Army, or the Palestinian terrorist organizations of that era. Given the increasing fluidity in the membership and organization of international terrorists, the FBI may not be able to ascertain a foreign terrorist’s affiliation with an international organization. Section 6001 of the Intelligence Reform and Terrorist Prevention Act of 2004 (IRTPA) allows the government to conduct surveillance on a non-U.S. person who “engages in international terrorism or activities in preparation therefor” without demonstrating an affiliation to a particular international terrorist organization. Pub. L. 108-458, § 6001, 118 Stat. 3638, 3742 (2004).

Sections 206 and 215 of the PATRIOT Act and Section 6001 of IRTPA were scheduled to “sunset” on December 31, 2009. In May 2011, after an interim extension, Congress extended the provisions until June 1, 2015, without amendment. [my emphasis]

I find this interesting, first of all, because it doesn’t mention the Pen Register and Lone Wolf language that also got reauthorized in 2011 (suggesting he lumped these three together for a specific reason). And because it puts the language, “engages in international terrorism or activities in preparation therefor” together with roving wiretaps (“continuous electronic surveillance as a target moves from one device to another”), and Section 215, which we now know includes the phone dragnet.

As we’ve seen, DiFi’s Fake FISA Fix includes the language from IRTPA, on “preparation therefor,” which I thought was an expansion of potential targets but which I presume now is what they’ve been using all along. While I don’t recall either the White Paper or Claire Eagan’s language using that language, I’m wondering whether some underlying opinion does.

Now consider how the roving wiretap goes with this. One reason — probably the biggest reason — they need all phone records in the US is so they can use it to find targets as they move from one burner cell phone to another. Indeed, one passage from DiFi’s Fake FISA Fix seems specifically designed to authorize this kind of search.

(C) to or from any selector reasonably linked to the selector used to perform the query, in accordance with the court approved minimization procedures required under subsection (g).

That language “reasonably linked” surely invokes the process of using algorithms to match calling patterns to calling patterns to find a target’s new phone. And note this is the only query that mentions minimization procedures, so the Court must have imposed certain rules about how you treat a new “burner” phone ID until such time as you’ve proven it actually is linked to the first one.

What’s interesting, though, is that the Webster report also lumps roving wiretaps in with this. What’s at issue in Nidal Hasan’s case was effectively roving electronic communication; he emailed Awlaki from several different email addresses and one of the problems FBI had was in pulling up Hasan’s communications under both identities (you can see how this relates to the back door loophole). But the inclusion of roving wiretaps here seems to suggest the possibility that a court has used the existence of roving wiretap approval for the use of the phone dragnet to find burner phones (which shouldn’t have been an issue in the Nidal Hasan case but probably was for Abdulmutallab).

One more comment? The notion that identifying an Al Qaeda target is any harder than identifying an IRA-affiliate is utter nonsense. If anything, US-based IRA affiliates were harder to identify because they were completely and utterly socially acceptable. But I guess such myths are important for people advocating more dragnet.

It Was Verizon, with the Fiber Cable, Under the Atlantic

Egads. Nate is right. The SZ report is old — from August. Folks were chatting about it, I think, in conjunction with the new attention on the 12333 collection overseas, which is why I pointed to it. Thanks for pointing it out.

Remember when former Verizon COO John Stratton accused the Internet companies of “grandstanding” for objecting to having their data stolen?

In a media briefing in Tokyo, Stratton, the former chief operating officer of Verizon Wireless, said the company is “compelled” to abide by the law in each country that it operates in, and accused companies such as Microsoft, Google, and Yahoo of playing up to their customers’ indignation at the information contained in the continuing Snowden leak saga.

Stratton said that he appreciated that “consumer-centric IT firms” such as Yahoo, Google, Microsoft needed to “grandstand a bit, and wave their arms and protest loudly so as not to offend the sensibility of their customers.”

“This is a more important issue than that which is generated in a press release. This is a matter of national security.”

Stratton said the larger issue that failed to be addressed in the actions of the companies is of keeping security and liberty in balance.

“There is another question that needs to be kept in the balance, which is a question of civil liberty and the rights of the individual citizen in the context of that broader set of protections that the government seeks to create in its society.”

Grandstand this, baby:

On Friday Germany’s Süddeutsche newspaper published the most highly sensitive aspect of this operation – the names of the commercial companies working secretly with GCHQ, and giving the agency access to their customers’ private communications. The paper said it had seen a copy of an internal GCHQ powerpoint presentation from 2009 discussing Tempora.

The document identified for the first time which telecoms companies are working with GCHQ’s “special source” team. It gives top secret codenames for each firm, with BT (“Remedy”), Verizon Business (“Dacron”), and Vodafone Cable (“Gerontic”). The other firms include Global Crossing (“Pinnage”), Level 3 (“Little”), Viatel (“Vitreous”) and Interoute (“Streetcar”). The companies refused to comment on any specifics relating to Tempora, but several noted they were obliged to comply with UK and EU law.

Not that we didn’t already know this. Mostly, I’m just surprised AT&T is not included in this list.

NSA Apologists Now Blaming Snowden for NSA’s Own Cyberdefense Failures

Read this claim about NSA spying, but don’t laugh.

“None of what the U.S. is doing is benefiting American business.”

Did you manage not to laugh at the notion that the US is spending $70 billion a year on spying and none of it — not one little bit of it! — benefits American businesses?

Didn’t think so.

That quote, from Mandiant Chief Security Officer Richard Bejtlich, is just one of the utter absurdities built into this Kurt Eichenwald piece attempting to blame Edward Snowden for our failure to stop Chinese hacking of us.

Here’s the logic.

In May, [Tom] Donilon flew to Beijing to meet senior government officials there and set the framework for a summit between Obama and Chinese President Xi Jinping; Donilon and other American officials made it clear they would demand that hacking be a prime topic of conversation. By finally taking the step of putting public – and, most likely, international – pressure on the Chinese to rein in their cyber tactics, the administration believed it was about to take a critical step in taming one of the biggest threats to America’s economic security.

But it didn’t happen. The administration’s attempt to curb China’s assault on American business and government was crippled – perhaps forever, experts say – by a then-unknown National Security Agency contractor named Edward Snowden.

Snowden’s clandestine efforts to disclose thousands of classified documents about NSA surveillance emerged as the push against Chinese hacking intensified. He reached out to reporters after the public revelations about China’s surveillance of the Times’s computers and the years of hacking by Unit 61398 into networks used by American businesses and government agencies. On May 24, in an email from Hong Kong, Snowden informed a Washington Post reporter to whom he had given documents that the paper had 72 hours to publish them or he would take them elsewhere; had the Post complied, its story about American computer spying would have run on the day Donilon landed in Beijing to push for Chinese hacking to be on the agenda for the presidential summit.

The first report based on Snowden’s documents finally appeared in The Guardian on June 5, two days before the Obama-Xi meeting, revealing the existence of a top-secret NSA program that swept up untold amounts of data on phone calls and Internet activity. When Obama raised the topic of hacking, administration officials say, Xi again denied that China engaged in such actions, then cited The Guardian report as proof that America should not be lecturing Beijing about abusive surveillance. [my emphasis]

Let’s review what Eichenwald has done here.

First, he has taken the Administration at its word that publicly shaming China, and then negotiating with them, would have slowed their cybertheft.

Next, he has insinuated — though not provided evidence — that both Snowden’s initial leaks and the timing of their release (which, after all, took place at different times) were all intentionally rather than coincidentally linked to the US effort to rein in Chinese hacking, and done at the direction of Snowden (that may be the case, but he hasn’t presented it, and if that were Snowden’s real intent, you would think he would have leaked specifics about our attacks on China weeks before he did).

He has highlighted an email (did he somehow get the content of an Edward Snowden email to Barton Gellman? Because I can’t imagine Gellman sharing this.) threatening to take his documents somewhere else, without thinking through what it means that he already had gone somewhere else or considering other reasons (he was holed up in a hotel room, for example) why Snowden might have had some urgency for publishing. [Update: Here’s where that claim came from.]

And then he has Xi’s comments on America’s own hacking, which Eichenwald suggests were a response to the Section 215 and PRISM disclosures: “top-secret NSA program that swept up untold amounts of data on phone calls and Internet activity.”

With me so far?

Curiously, Eichenwald makes no mention of the document that might actually bolster his case and which almost certainly was the reference Xi intended: the Presidential Policy Directive on cyberwar, which was released just hours before Obama’s meetings with Xi started in CA.

But that would require painting a very different picture of what the US does in cyberspace than this one.

Dianne Feinstein Opens the Tech Back Door to the Dragnet Database Even Wider

I’ve been writing for months about the great big loophole providing access to the phone dragnet database.

Basically, the NSA needs someone to massage the dragnet data before analysts do queries on it, to take out high frequency call numbers (telemarketers and pizza joints), and probably to take out certain protected numbers, like those of Members of Congress. (Note: that the NSA has to do this not only demonstrates that all their haystack claims are false, but also leaves open the possibility they’ll remove numbers that actually do have intelligence value.)

The problem, of course, is that this means there is routine access to the database of all phone-based relationships in the United States that does not undergo normal oversight. We know this is a problem because we know NSA has found big chunks of this data in places where it doesn’t belong, as it discovered on February 16, 2012 when it found over 3,000 call records that had been stashed and kept longer than the 5 years permitted by the FISA Court.

As of 16 February 2012, NSA determined that approximately 3,032 files containing call detail records potentially collected pursuant to prior BR Orders were retained on a server and been collected more than five years ago in violation of the 5-year retention period established for BR collection. Specifically, these files were retained on a server used by technical personnel working with the Business Records metadata to maintain documentation of provider feed data formats and performed background analysis to document why certain contact chaining rules were created. In addition to the BR work, this server also contains information related to the STELLARWIND program and files which do not appear to be related to either of these programs. NSA bases its determination that these files may be in violation of BR 11-191 because of the type of information contained in the files (i.e., call detail records), the access to the server by technical personnel who worked with the BR metadata, and the listed “creation date” for the files. It is possible that these files contain STELLARWIND data, despite the creation date. The STELLARWIND data could have been copied to this server, and that process could have changed the creation date to a timeframe that appears to indicate that they may contain BR metadata.

The bill the Intelligence Committee passed out of committee yesterday not only codifies this practice, but exempts this practice from the explicit limits placed on other uses of this database.

Here’s how it describes this access.

(D) LIMITED ACCESS TO DATA.—Access to information retained in accordance with the procedures described in subparagraph (C) shall be prohibited, except for access—

[snip]

(iii) as may be necessary for technical assurance, data management or compliance purposes, or for the purpose of narrowing the results of queries, in which case no information produced pursuant to the order may be accessed, used, or disclosed for any other purpose, unless the information is responsive to a query authorized under paragraph (3).

Note, I’ve never seen this access described in a way that would include “narrowing the results of queries” before. I’m actually very curious why a tech would need to directly access the database, presumably after a query has already been run, to narrow it. Isn’t that contrary to the entire haystack theory?

In any case, the rest of the bill relevant to the phone dragnet effectively exempts this access from almost all of the oversight it codifies.

The requirement for a written record of the Reasonable Articulable Suspicion and identity of the person making the query does not apply (see 2 A and B). Since no record is made, the FISA Court doesn’t review these queries (6A) and these queries don’t get included in the public reporting (b)(3)(C)(i). I don’t see where the bill requires any record-keeping of this access.

The requirement that the data be kept secure specifically doesn’t apply.

SECURITY PROCEDURES FOR ACQUIRED DATA.—Information acquired pursuant to such an order (other than information properly returned in response to a query under subparagraph (D)(iii)) shall be retained by the Government in accordance with security procedures approved by the court in a manner designed to ensure that only authorized personnel will have access to the information in the manner prescribed by this section and the court’s order. [my emphasis]

And the requirement that personnel accessing the database for these purposes (4) be limited and specially trained doesn’t apply.

A court order issued pursuant to an application made under subsection (a), and subject to the requirements of this subsection, shall impose strict, reasonable limits, consistent with operational needs, on the number of Government personnel authorized to make a determination or perform a query pursuant to paragraph (1)(D)(i).

The only limit that appears to apply to the queries from this data management access of the database is the 5 year destruction.

Now, I think the FISA Court made tentative bids to limit some of the activities in 2009. But this language seems to undermine some of the controls the Court has placed on this access (including audits).

In short, in a purported bid to raise confidence about the NSA creating a database of every phone-based relationship in the United States, the Intelligence Committee has actually codified a loosening of access to the database outside the central purpose of it. It permits a range of people to access the database for vaguely defined purposes, it permits them to move that data onto less secure areas of the network, and it doesn’t appear to require record-keeping of the practice.

But what could go wrong with permitting tech personnel — people like Edward Snowden — access to data with less oversight than that imposed on analysts?

Update: Added the language from the 2012 violation to show how clueless the NSA was about finding this data just lying around and its inability to determine where it came from.

Civil Libertarians to Dianne Feinstein: We Told You So

The moment when Dianne Feinstein should have called for a comprehensive review of NSA’s programs was no later than August 18, when she admitted the Senate Intelligence Committee doesn’t get briefed on violations that occur under Executive Order 12333, even though they constitute the bulk of violations.

The committee does not receive the same number of official reports on other NSA surveillance activities directed abroad that are conducted pursuant to legal authorities outside of FISA (specifically Executive Order 12333), but I intend to add to the committee’s focus on those activities.

The committee has been notified—and has held briefings and hearings—in cases where there have been significant FISA compliance issues. In all such cases, the incidents have been addressed by ending or adapting the activity.

[snip]

I believe, however, that the committee can and should do more to independently verify that NSA’s operations are appropriate, and its reports of compliance incidents are accurate. This should include more routine trips to NSA by committee staff and committee hearings at which all compliance issues can be fully discussed.

While at the time she bought the NSA’s roamer myth, it was already clear the NSA was spying on US persons via its bulk collection “overseas,” including via some of the more troubling violations. She should have further gotten concerned when both Keith Alexander and James Clapper dodged questions about upstream violations. But then, she was too busy reading factually inaccurate statements about the same collections.

Back in the day, though, making sure the NSA wasn’t using Article II to evade oversight used to be one of her chief concerns.

Nevertheless, it took the disclosures of spying on Angela Merkel — and, no doubt, the embarrassment of her party’s President, and perhaps growing support for a real investigation — to really rile her up.

It is abundantly clear that a total review of all intelligence programs is necessary so that members of the Senate Intelligence Committee are fully informed as to what is actually being carried out by the intelligence community.

Unlike NSA’s collection of phone records under a court order, it is clear to me that certain surveillance activities have been in effect for more than a decade and that the Senate Intelligence Committee was not satisfactorily informed. Therefore our oversight needs to be strengthened and increased.

With respect to NSA collection of intelligence on leaders of U.S. allies—including France, Spain, Mexico and Germany—let me state unequivocally: I am totally opposed.

Unless the United States is engaged in hostilities against a country or there is an emergency need for this type of surveillance, I do not believe the United States should be collecting phone calls or emails of friendly presidents and prime ministers. The president should be required to approve any collection of this sort.

It is my understanding that President Obama was not aware Chancellor Merkel’s communications were being collected since 2002. That is a big problem.

The White House has informed me that collection on our allies will not continue, which I support. But as far as I’m concerned, Congress needs to know exactly what our intelligence community is doing. To that end, the committee will initiate a major review into all intelligence collection programs. [my emphasis]

I welcome this review — by all accounts the torture review conducted under her supervision is more thorough than anything else we’ve seen.

But … ah, the torture review.

There’s one other reason DiFi should have been quicker to respond to questions Edward Snowden — whom she called a traitor — raised.

In December she finished a 6,000 page report, one key finding of which was that the CIA lied to her committee.

Why did she think NSA would be any different?