How HPSCI’s Staffers Used Miscitations to Turn Edward Snowden into a Lying Flunkie

I want to take a close look at this paragraph (from PDF 7) of the House Intelligence report on Snowden, to show how they’re (mis)using information.

In its first claim, HPSCI says Snowden was “by his own account,” a “poor student.” It cites this Greenwald and Poitras intro to Snowden, which says something different: “By his own admission, he was not a stellar student.”

The next claim says he dropped out of high school in his sophomore year and then took community college classes, which relies on this report, which in turn cites the public schools as well as the Guardian story.

1991-1998: Snowden attends schools in the Anne Arundel County Public School System in Maryland from the elementary level to high school, where he dropped out his sophomore year. He’ll later say he earned his GED. (Source: Anne Arundel County Public Schools, The Guardian)

1999-2005: Snowden takes a variety of classes from Anne Arundel Community College in Arnold, Maryland. He does not take any cyber security or computer science classes, however, and he never earns a certificate or degree. (Source: Anne Arundel Community College)

Note, the committee has said it didn’t do an investigation because of the ongoing criminal investigation into Snowden. But there is no reason they couldn’t have called Anne Arundel County Public Schools rather than relying on an ABC piece; it wouldn’t have required a long distance call!

The third claim is that Snowden hoped the (community college) classes would permit him to earn a GED, “but nothing the Committee found indicates he did so.” That’s not sourced. Again, it doesn’t say whether or not they called Maryland.

This is what Bart Gellman said in September about Snowden’s claim to have gotten a GED.

I do not know how the committee could get this one wrong in good faith. According to the official Maryland State Department of Education test report, which I have reviewed, Snowden sat for the high school equivalency test on May 4, 2004. He needed a score of 2250 to pass. He scored 3550. His Diploma No. 269403 was dated June 2, 2004, the same month he would have graduated had he returned to Arundel High School after losing his sophomore year to mononucleosis. In the interim, he took courses at Anne Arundel Community College.

The fourth claim is that Snowden told TAO he did have a GED, claiming to have received it on 6/21/2001 from “Maryland High School.”

Finally, the report says that Snowden stated that he did not have a degree of any type, citing this NYT profile rather than citing the forum itself or even the Ars Technica article that first reported it. It is absolutely true that Snowden said he didn’t have a high school diploma, but in context, Snowden was responding to someone focused primarily on a college degree.

Visigothan: No college degree.

Over 10 years work experience in my field

No communicable or other diseases

Not a religious wackjob

I think I’m good on everything except the college degree.

TheTrueHOOHA: First off, the degree thing is crap, at least domestically. If you really have ten years of solid, provable IT experience (and given that you say you’re 25, I think it’d probably be best to underestimate), you CAN get a very well paying IT job. You just need to be either actively looking now or get the fuck out of California. I have no degree, nor even a high school diploma, but I’m making much more than what they’re paying you even though I’m only claiming six years of experience. It’s tough to “break in,” but once you land a “real” position, you’re made.

Now, unless the forum has changed over the years (in which case the date could be wrong), the NYT miscited Snowden, claiming he said “I don’t have a degree of ANY type. I don’t even have a high school diploma,” when in fact the forum itself says he said, “I have no degree, nor even a high school diploma.” Moreover, in context, Snowden is distinguishing between a “degree” and a “diploma,” which may suggest he’s thinking of the actual class work versus the (GED) degree.

That claim is modified by this footnote, citing an unnamed “associate” — is this Pulitzer Prize winning Bart Gellman they’re talking about? — describing that Snowden did get a GED in 2004. [Update: Indeed it is! HPSCI hid how credible the source for this was and what he based it off of!!]

But having acknowledged that there are official records they could consult but have not, they instead just present the admittedly conflicting claims made in secondary sources (assuming they got the dates correct, but there are dates that are absolutely incorrect elsewhere in this report). There’s no actual attempt to contact local schools to get to the bottom of it all.

And yet, they then use these conflicting claims (based on inaccurate citations) to claim, in the summary, that Snowden is a “serial exaggerator.”

To make that claim with respect to his high school education, you would actually have had to do the work to ascertain the truth. The report made no effort to do so.

DISTANTFISH and Correlations

For some time, I’ve been trying to track how the NSA does correlations, as a 2008 FISA Court opinion that almost certainly approves correlation has been withheld from release. By “correlation,” NSA means the matching of known strong identifiers of particular traffic. All such identifiers need to be tracked to track a target (indeed, France was not able to prevent the Bataclan attack because they had lost track of one of the key attackers).

One of the SIDToday newsletters the Intercept released today describes how a key tool to correlate identities, DISTANTFISH, works.

Here’s how it describes DISTANTFISH’s two functions:

(S//SI) PSC works by processing application layer protocols to extract certain metadata fields that work as strong selectors for the client of the current application. These selectors are usually login names, client e-mail addresses, user numbers, and other unique metadata. If a selector is found to be that of a known terrorist, that session, as well as all others generated by the terrorist, is forwarded to NSA for analysis. The DISTANTFISH association algorithms are the primary way of determining which sessions the terrorist generated when the access is traditional passive collection. The collection of all user sessions is called the Aggregate Session and can be achieved by other methods, especially active efforts.

(S//SI) However, PSC assumes that the strong selectors for a terrorist are known. The second objective for DISTANTFISH is to associate all strong selectors for SIGINT targets and store them in a database. Intelligence analysts use the database to discover new identities to add to the selectors for that terrorist. Work on this database has begun, but much work remains.

And here’s how it worked to collect all the web activity of a particular target in Iraq in 2004.

(S//SI) Project DISTANTFISH was created to target terrorist traffic on the Internet by providing two important services. First, it provides a database for discovering account identities for known terrorists to use as strong selectors (i.e. login names, e-mail addresses, or other elements that can be associated with a particular individual). Second, it provides information on which the same user generated computer sessions. Thus, if one session contains a strong selector for a terrorist, then all sessions can be collected. At the heart of this capability is an association service that can track an individual computer by the way it generates packets.

(S//SI) From this association service, the DISTANTFISH team members were able to determine that the terrorist generated 107 computer sessions over eleven minutes, thus separating this traffic from that of the other 16 people in the web café. As most of the supporting software is still under development, the data was manually examined resulting in the discovery of two additional MSN Messenger accounts and two Yahoo web mail accounts that the terrorist used, but that NSA had been unaware of. Since terrorists often abandon accounts for new ones, having a complete picture of the accounts used is critical for targeting the terrorists’ traffic.

Remember, the USA Freedom Act requires “phone” companies, broadly defined, to turn over “session identifiers” under the guise of call records. Any such session identifier can be used to correlate identities in this fashion. I have long argued that is the point of USAF: to get tech companies to do correlations with a near perfect degree of accuracy rather than (in fact, in addition to) having the NSA correlate the IDs.

One Thing Edward Snowden Is Not a Fucking Idiot About

Gizmodo’s Matt Novak is outraged that fucking idiot Edward Snowden told a conference some stupid things. I agree that this was a pretty stupid comment.

Snowden also addressed his tweet from October 21st in which he said that, “There may never be a safer election in which to vote for a third option.” Snowden told us that he more or less stands by his tweet and that anything else “freezes us into a dynamic of ‘you must always choose between two bad options’” which is a “fundamentally un-American idea.”

The thing that really outraged Novak, however, is that Snowden said technical means are more important than policy as a way to protect liberty.

What got me so riled up about Snowden’s talk? He firmly believes that technology is more important than policy as a way to protect our liberties. Snowden contends that he held this belief when Obama was in office and he still believes this today, as Donald Trump is just two months away from entering the White House. But it doesn’t make him right, no matter who’s in office.

“If you want to build a better future, you’re going to have to do it yourself. Politics will take us only so far. And if history is any guide, they are the least effective means of seeing change we want to see,” Snowden said on stage in Oakland from Russia, completely oblivious to how history might actually be used as a guide.

Snowden spoke about how important it is for individuals to act in the name of liberty. He continually downplayed the role of policy in enacting change and trotted out some libertarian garbage about laws being far less important than the encryption of electronic devices for the protection of freedoms around the world.

“Law is simply letters on a page,” Snowden said. It’s a phrase that’s still ringing in my ears, as a shockingly obtuse rejection of civilized society and how real change happens in the world.

How do we advance the cause of liberty around the world? Encrypt your devices, according to Snowden. Okay, now what? Well, Snowden’s tapped out of ideas if you get beyond “use Signal.”

Novak went on to recite big legislation — notably, the Civil Rights and Voting Rights Acts — that has been critical to advancing the cause of liberty within the boundaries of the US. I agree that they have.

That said, I’m all but certain I spend more time working on surveillance policy than Novak. I’m no shrug in the work to improve surveillance policy.

But there are several things about surveillance that are different. First (as Snowden pointed out), “Technology knows no jurisdiction.” One aspect of the government’s dragnet is that it spies on Americans with data collected overseas under EO 12333. And Congress has been very reluctant to — and frankly pretty ineffective at — legislating surveillance that takes place outside the relatively narrow (geographic and legal) boundaries of FISA. Without at least reinterpretation of Supreme Court precedent, it’s not clear how much Congress can legislate the spying currently conducted under EO 12333.

Either we need to come up with a way to leverage other jurisdictions so as to limit surveillance overseas (which will require technology in any case, because the NSA is better at spying than any other jurisdiction out there), or we need to find some way to make it harder for the government to spy on us by doing it overseas. The latter approach involves leveraging technology.

And all that assumes the Trump Administration won’t use the very same approach the Bush Administration did: to simply blow off the clear letter of the law and conduct the spying domestically anyway. At least now, it would be somewhat harder to do because Google has adopted end-to-end encryption and Signal exists (we’re still fighting policy battles over terms under which Google can be coerced into turning over our data, but Signal has limited the amount to which it can be coerced in the same way because of its technological choices).

The other important point is, especially going forward, it will be difficult to work on policy without using those technological tools. “Use Signal” may not be sufficient to protect liberties. But it is increasingly necessary to it.

It may be that Novak is aware of all that. Nothing in his article, however, reflects any such awareness.

Edward Snowden may be a fucking idiot about some things. But anyone who imagines we can protect liberties by focusing exclusively on policy is definitely a fucking idiot.

NSA Conducts FISA Section 704 Collection Using Transit Collection


The Intercept has a fascinating new story confirming what many people already intuited: AT&T’s spooky building at 33 Thomas Street is a key NSA collection point, and the NSA has equipment inside the building (it’s almost certainly not just NSA; this is probably also where AT&T collects much of their Hemisphere database and it likely includes AT&T’s special service center for FBI NSLs).

The Intercept released a bunch of documents with the story, including this one on FAIRVIEW.

It shows that FISA Section 704/705a are among the authorities used with FAIRVIEW, ostensibly collected under “Transit” authority, but with the collection done at TITANPOINT (which is the code name for 33 Thomas Street).


As I explain in this post, there are three authorities in the FISA Amendments Act that are supposed to cover US persons: 703 (spying with the help of domestic partners on Americans who are overseas), 704 (spying on Americans who are overseas, using methods for which they would have an expectation of privacy), and 705, which is a hybrid.

But Snowden documents — and this IG Report — make it clear only 704 and 705b are used.


Unsurprisingly, the disclosure standards are higher for 703 — the authority they don’t use — than they are for 704. In other words, they’re using the authority to spy on Americans overseas that is weaker. Go figure.

But here’s the other problem. 704/705b are two different authorities and — as reflected in Intelligence Oversight Board reports — they are treated as such. Which means they are using 704 to spy on targets that are overseas, not just defaulting to 705b hybrid orders (which would require the person to be in the US some of the time).

But they are doing it within the US, using the fiction that the collection is only “transiting” the US (that is, transiting from one foreign country to another). This seems to indicate the NSA is conducting electronic surveillance on US persons located overseas — which seems clearly to fall under 703 — but doing it under 704 by claiming traffic transiting the US isn’t really collection in the US. Correction: Because the person is located overseas, it doesn’t count as electronic surveillance. In any case, this seems to be effectively a way around the intent of 703.

In Latest Russian Plot, WikiLeaks Reveals Hillary Opposes ISDS

Among the emails released as part of the Podesta leaks yesterday, WikiLeaks released this one showing that, almost a year before she was making the same argument in debates with Bernie Sanders, Hillary was opposed to Investor State Dispute Settlement that is part of the Trans Pacific Partnership. (h/t Matt Stoller) ISDS is the means by which corporations have used trade agreements to operate above the domestic laws of party countries (if you haven’t, read this three-part series from BuzzFeed to learn about the more exotic ways businesses are profiting off of ISDS).

The email also appears to echo her later public concern that she had changed her mind on TPP because of KORUS.

After our last talk with HRC, we revised our letter to oppose ISDS and include her caution about South Korea.

Sure, other Podesta emails show Hillary supporting a broad region of free trade (and labor) in the Americas. But this more recent email confirms that the views she expressed in debate were more than just an attempt to counter Bernie’s anti-trade platform.

Whether or not this is newsworthy enough to justify the WL dump, it is noteworthy in light of NYT’s rather bizarre article from some weeks back suggesting that WL always sides with Putin’s goals. As I noted, the article made a really strained effort to claim that WL exposed TPP materials because it served Putin’s interests. Now, here, WL is releasing information that makes Hillary look better on precisely that issue.

That doesn’t advance the presumed narrative of helping Trump defeat Hillary!

Then, as I noted yesterday, in spite of all the huff and puff from Kurt Eichenwald, the release of a Sid Blumenthal email used by Trump is another case where the WL release, as released, doesn’t feed the presumed goals of Putin.

Which brings me to this Shane Harris piece, which describes four different NatSec sources revealing there’s still a good deal of debate about WL’s ties to Russia.

Military and intelligence officials are convinced that WikiLeaks is an ongoing threat to U.S. national security and privacy owing to its leaks of classified documents and emails. But its precise relationship with Russia has been a subject of internal debate. Some do see the group as being in cahoots with the Kremlin. But others find that WikiLeaks is acting mainly as the beneficiary of stolen documents, not unlike a journalistic organization.

There are some funny aspects to this story. Nothing in it considers the significant evidence that WL is (and has reason to be) affirmatively anti-Hillary, which means its interests may align with Russia, even if it doesn’t take orders from Russia.

It also suggests that if the spooks can prove some tie between WL and Russia, they can spy on it as an agent of foreign power.

But those facts don’t mean WikiLeaks isn’t acting at Russia’s behest. And that’s not a trivial matter. If the United States were to determine that WikiLeaks is an agent of a foreign power, as defined in U.S. law, it could allow intelligence and law enforcement agencies to spy on the group—as they do on the Russian government. The U.S. can also bring criminal charges against foreign agents.

WL has been intimately involved in two separate charged cases of leaking-as-espionage in the US, Chelsea Manning and Edward Snowden. The government has repeatedly told courts that it has National Security/Criminal investigations, plural, into WikiLeaks, and when pressed for details about how and whether the government is collecting on supporters and readers of WikiLeaks, the government has in part hidden those details under a b3 FOIA exemption, meaning a statute prevents disclosing it, while extraordinarily refusing to reveal what statute that is. We certainly know that FBI has used multiple informants to spy on WL and used a variety of collection methods against Jacob Appelbaum, including (according to Appelbaum) physical tails.

So there’s not only no doubt that the US government believes it can spy on WikiLeaks (which is, after all, headed by a foreigner and not a US organization), but that it already does, and has been doing for at least six years.

Perhaps Harris’ sources really mean they’ve never found a way to indict Julian Assange before, but if they can claim he’s working for Putin, then maybe they’ll overcome past problems of indicting him because it would criminalize journalism. If that’s the case, it may be shading analysis of WL, because the government would badly like a reason to shut down WL (as the comments about the direct threat to the US in the story back up).

As I’ve said before, the role of WL in this and prior leak events is a pretty complex one, one that if approached too rashly (or too sloppily) could have ramifications for other publishers. While a lot of people are rushing to collapse this (in spite of what sounds like a continuing absence of directly incriminating evidence) into a nation-state conflict, things like this TPP email suggest it’s not that simple.

The Yahoo Scan: On Facilities and FISA

There are now two competing explanations for what Yahoo was asked by the government to do last year.

Individual FISA order or 702 directive?

NYT (including Charlie Savage, who FOIAed all the FISC opinions and then wrote a book about them) explains Yahoo got an individual FISA order to search for a “signature” that the FBI had convinced the FISA Court was associated with a state-sponsored terrorist group.

A system intended to scan emails for child pornography and spam helped Yahoo satisfy a secret court order requiring it to search for messages containing a computer “signature” tied to the communications of a state-sponsored terrorist organization, several people familiar with the matter said on Wednesday.

Two government officials who spoke on the condition of anonymity said the Justice Department obtained an individualized order from a judge of the Foreign Intelligence Surveillance Court last year. Yahoo was barred from disclosing the matter.

To comply, Yahoo customized an existing scanning system for all incoming email traffic, which also looks for malware, according to one of the officials and to a third person familiar with Yahoo’s response, who also spoke on the condition of anonymity.

With some modifications, the system stored and made available to the Federal Bureau of Investigation a copy of any messages it found that contained the digital signature.

Reuters — in a story emphasizing the upcoming debate about reauthorization — says that the order was a Section 702 order.

The collection in question was specifically authorized by a warrant issued by the secret Foreign Intelligence Surveillance Court, said the two government sources, who requested anonymity to speak freely.

Yahoo’s request came under the Foreign Intelligence Surveillance Act, the sources said. The two sources said the request was issued under a provision of the law known as Section 702, which will expire on Dec. 31, 2017, unless lawmakers act to renew it.

The FISA Court warrant related specifically to Yahoo, but it is possible similar such orders have been issued to other telecom and internet companies, the sources said.

Yet it also reports that both Intelligence Committees are investigating more about this request (which tells you something about Reuters’ potential sources and how much the spooks’ overseers actually know about this).

The intelligence committees of both houses of Congress, which are given oversight of U.S. spy agencies, are now investigating the exact nature of the Yahoo order, sources said.

For what it’s worth, at least until 2012, I think NSA and FBI might have been able to request this scan under 702; there are a bunch of court decisions, including one associated with what got reported as an upstream violation in 2012, that we haven’t seen on this point though. But particularly given Reuters’ discussion of a “warrant” — which is more often used with traditional FISA — I suspect NYT is correct on this.

“Hard” and “soft,” and “upstream,” “about,” and “PRISM” are confusing the debate

The source of the confusion seems to stem from two separate sets of vocabulary that are unhelpful in understanding how FISA works.

The first set has to do with “hard” and “soft” selectors, language used in XKeyscore, which basically conducts boolean searches of buffered Internet traffic. Hard selectors are name, email, or phone identifiers associated with a specific person. Soft selectors are characteristics that can range from geographic location to specific code — so a search might ask for users of the encryption tool Mujahadeen Secrets in Syria, for example, which will return a bunch of people whose identities may not be known but whose activities warrant interest. Soft selectors can include searches on what counts as “content,” but they also search on what counts as metadata.

I think the hard/soft distinction is misleading because — as far as I know — FISA has always operated on single selectors, not boolean searches. NSA isn’t asking providers — whether they’re phone companies or Internet providers — to go find people who are in interesting places and use interesting crypto (though AT&T may be an exception to this rule). Rather, they’re asking for communications obtained by searching on specific selectors.

To be sure, for each target, there will be a range of selectors, often a huge number of them. Even for one person, as I have noted, NSA and FBI probably know of at least a hundred selectors. One Google subpoena response I examined, for example, included 15 “hard” identifiers for just one person (and multiply that by any major Internet service a person used). For a targeted organization like “Russian GRU hackers,” the NSA will probably have still more. But — again, as far as we know — FISA providers are asked to return data based off known selectors. But as I’ll show below, they’ve been asked to return data off selectors that would count as both hard and soft under XKeyscore.

The other set of confusing vocabulary comes from public debates about FISA (including PCLOB’s report on Section 702). Some debates have made a distinction between “upstream” and “PRISM.” Upstream is when NSA gives the telecoms a selector to collect information from scans conducted at switches, but it fundamentally refers to how something is collected, not who does it (and it’s possible there are backbone providers we haven’t thought of who also participate). PRISM is when NSA/FBI give Internet providers selectors to return activity on; it’s a description of from whom the information is collected. But even there, a PRISM provider will provide far more than just the email associated with a given selector.

Sometimes “upstream” collection is referred to as “about” collection. That’s misleading. “About” collection — that is, communications that contain a selector in what counts as content areas of the communication — is a subset of upstream collection. But what is really happening is that when the telecoms sniff packets to find a given selector, they need to sniff both the header and content to get all the communications they’re after, which is what PCLOB is saying here.

With regard to the NSA’s acquisition of “about” communications, the Board concludes that the practice is largely an inevitable byproduct of the government’s efforts to comprehensively acquire communications that are sent to or from its targets. Because of the manner in which the NSA conducts upstream collection, and the limits of its current technology, the NSA cannot completely eliminate “about” communications from its collection without also eliminating a significant portion of the “to/from” communications that it seeks. The Board includes a recommendation to better assess “about” collection and a recommendation to ensure that upstream collection as a whole does not unnecessarily collect domestic communications.

One hazard of using “about” to refer to “upstream” collection is it leads people to forget that the NSA needs to use upstream collection to comprehensively collect non-PRISM Internet traffic, even when working just from “hard” selectors like email addresses. Some of this collection (as the PCLOB passage above makes clear) is just looking for any emails involving a target, not emails talking “about” that target. But at least according to PCLOB, because of the way this collection is done, even if NSA is only searching for a hard selector email, it will get “about” traffic.

As you can see, however, this language is already going to be insufficient to discuss the Yahoo request, which is effectively an “upstream” search on a PRISM provider’s content (though I’m not clear whether it happens at the packet level or not). We also don’t yet know whether the signature involved counts as content, but the filters Yahoo adapted for the process clearly scan the content.

Public discussions have hidden how 702 includes non-email selectors

But the bigger problem with this discussion is that people are confused about what FISA permits the government to search on.

One huge shortcoming of the PCLOB report — one I pointed out at the time — is that it pretended that Section 702 was not used for cybersecurity. That’s unfortunate because cybersecurity is the area where Section 702 most obviously includes non-email selectors, what would be called “soft” selectors in XKeyscore. When I first confirmed that NSA was using 702 for cybersecurity back when I briefly worked at the Intercept, it was based off the search on a cyber “signature,” not an email. The target was a (state-sanctioned) hacker, but the search was not for the hacker’s email, but for his tools.

Here’s how PCLOB briefly alluded to this activity.

Although we cannot discuss the details in an unclassified public report, the moniker “about” collection describes a number of distinct scenarios, which the government has in the past characterized as different “categories” of “about” collection. These categories are not predetermined limits that confine what the government acquires; rather, they are merely ways of describing the different forms of communications that are neither to nor from a tasked selector but nevertheless are collected because they contain the selector somewhere within them.

The Semiannual reports are one place where the government has officially admitted that it searches on more than just email addresses.

Section 702 authorizes the targeting of non-United States persons reasonably believed to be located outside the United States. This targeting is effectuated by tasking communication facilities (also referred to as “selectors”), including but not limited to telephone numbers and electronic communications accounts, to Section 702 electronic communication service providers. [my emphasis]

As I said, the Snowden documents confirm that NSA has searched on malware signatures. Given the obvious application and the non-denials I have gotten from various quarters, I would bet a great deal of money that NSA has also searched on some signature associated with AQAP’s Inspire magazine, effectively allowing it to track anyone who downloads (or decrypts) the magazine.

In a series of tweets yesterday, Snowden confirmed that the scope is even more broad.

In practical terms, this means anything you can convince FISC to stamp. At NSA, I saw live examples of the following:

The usual suspects (emails, IPs, usernames, etc), but also cryptographic hashes that identify known files (MD5/SHA1), sub-strings from base-64 encoded email attachments (derived from things like embedded corporate logos), and any uncommon artifacts arising from a target’s tooling, for example if their app transmits a UUID (like a registration code or serial).

The possibilities here are basically limitless, and we can’t infer the specific nature of the string without more info.

The point is, “upstream” collection — whether done at a telecom switch or a tech server — can (and will, so long as FISC will authorize it) search on any string that will return the communications of interest, with “communications” extending to include “cyberattacks conducted by disembodied code.”
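To make the selector types listed above concrete, here is an added sketch (not code from this post, from the Snowden documents, or from any provider) of a content scanner of the kind mail filters also use for malware and DLP. It matches an email address, a SHA-1 file hash, a substring searched inside base64 text without decoding it, and a UUID artifact, and it separates header hits (“to/from”) from content-only hits (“about”). All selectors, addresses, function names and the sample messages are constructed for illustration.

```python
import base64
import hashlib
import re
from email.message import EmailMessage

UUID_RE = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}")

# Constructed sample data; every value below is made up for this example.
MARKER = b"ACME-CORP-LOGO-v2"  # stands in for bytes of an embedded corporate logo
ATTACHMENT = bytes(range(256)) * 2 + MARKER + bytes(range(7, 200))
SELECTORS = {
    "addresses": {"target@example.com"},
    "sha1": {hashlib.sha1(ATTACHMENT).hexdigest()},
    "substrings": [MARKER],
    "uuids": {"123e4567-e89b-12d3-a456-426614174000"},
}


def b64_variants(needle):
    """Base64 text that must appear on the wire if `needle` occurs in the
    encoded bytes at offset 0, 1 or 2 modulo 3. Characters that also depend
    on neighbouring bytes are trimmed from both ends."""
    variants = set()
    for lead in range(3):
        enc = base64.b64encode(b"\x00" * lead + needle).decode()
        start = (0, 2, 3)[lead]                      # chars tainted by the lead bytes
        tail = (0, 3, 2)[(lead + len(needle)) % 3]   # partial char plus '=' padding
        core = enc[start:len(enc) - tail]
        if core:
            variants.add(core)
    return variants


def scan(msg, selectors):
    """Return a set of (selector_kind, where) hits; where is 'header' or 'content'."""
    hits = set()
    headers = " ".join(str(msg.get(h, "")) for h in ("From", "To", "Cc")).lower()
    if any(addr in headers for addr in selectors["addresses"]):
        hits.add(("address", "header"))
    for part in msg.walk():
        if part.is_multipart():
            continue
        raw = part.get_payload(decode=True) or b""
        if part.get_content_maintype() == "text":
            text = raw.decode("utf-8", "replace").lower()
            if any(addr in text for addr in selectors["addresses"]):
                hits.add(("address", "content"))
            if any(u in selectors["uuids"] for u in UUID_RE.findall(text)):
                hits.add(("uuid", "content"))
        # Hash selector: identifies a known file after decoding the part.
        if hashlib.sha1(raw).hexdigest() in selectors["sha1"]:
            hits.add(("sha1", "content"))
        # Substring selector: searched in the base64 text as transmitted.
        if str(part.get("Content-Transfer-Encoding", "")).lower() == "base64":
            wire = re.sub(r"\s+", "", part.get_payload())
            for needle in selectors["substrings"]:
                if any(v in wire for v in b64_variants(needle)):
                    hits.add(("b64-substring", "content"))
    return hits


def classify(hits):
    """'to/from' if a tasked address is in the headers, 'about' if selectors
    appear only in content, None if nothing matched."""
    if any(where == "header" for _, where in hits):
        return "to/from"
    return "about" if hits else None


def build_message(sender, body, attachment=None):
    """Build a constructed test message, optionally with a binary attachment."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "bob@example.net"
    msg["Subject"] = "notes"
    msg.set_content(body)
    if attachment is not None:
        msg.add_attachment(attachment, maintype="application",
                           subtype="octet-stream", filename="logo.bin")
    return msg


if __name__ == "__main__":
    body = ("Forwarding what target@example.com sent.\n"
            "Registration code: 123e4567-e89b-12d3-a456-426614174000\n")
    for m in (build_message("alice@example.org", body, ATTACHMENT),
              build_message("target@example.com", "hello\n")):
        found = scan(m, SELECTORS)
        print(classify(found), sorted(found))
```

The marker sits at byte offset 512 of the attachment (512 mod 3 = 2), so a naive search for its plain base64 encoding misses it; only the offset-2 variant matches.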

To understand FISA collection, then, it is best to think in terms of selectors or facilities that will return a desired target. Here’s some language from a Semiannual report that explains the distinction between target and facility (and why the classified numbers in the report are undoubtedly much larger than the unclassified 92,000 “target” number we’re given to explain the scope of FISA collection).

The provided number of facilities on average subject to acquisition during the reporting period remains classified and is different from the unclassified estimated number of targets affected by Section 702 released on June 26, 2014, by ODNI in its 2013 Transparency Report: Statistical Transparency Report Regarding Use of National Security Authorities (hereafter the 2013 Transparency Report). The classified number provided in the table above estimates the number of facilities subject to Section 702 acquisition, whereas the unclassified number provided in the 2013 Transparency Report estimates the number of targets affected by Section 702 (89,138). As noted in the 2013 Transparency Report, the “number of 702 ‘targets’ reflects an estimate of the number of known users of particular facilities (sometimes referred to as selectors) subject to intelligence collection under those Certifications.” Furthermore, the classified number of facilities in the table above accounts for the number of facilities subject to Section 702 acquisition during the current six month reporting period (e.g., June 1, 2013 – November 30, 2013), whereas the 2013 Transparency Report estimates the number of targets affected by Section 702 during the calendar year 2013.

As explained above, for any given target, there may be a slew of selectors or facilities that NSA can collect on (though they probably only collect on a limited selection of all the selectors they know; they use the other selectors to make sure they can find all the online activity of someone). The government tracks this internally by counting the average number of selectors or facilities targeted on a given day. These numbers will get more interesting, by the way, once the numbers incorporate USA Freedom Act compliance, which (in my opinion) significantly serves to require providers to provide all known selectors, that is, to even further expand the universe of known selectors.

A history of the word “facility”

But to understand the background to the Yahoo thing, it is absolutely necessary to understand how the word “facility” has evolved within FISC (and we only have access to some of this). As far as we know, the meaning of the word started to change in 2004 when Colleen Kollar-Kotelly approved the installation of “Pen Registers” (really, packet sniffers) at switches to accomplish with the Internet dragnet what Stellar Wind had been doing (that is, the collection of Internet metadata in bulk), based on the logic that al Qaeda was using those facilities to communicate. Her ruling changed the definition of facility from meaning an individual user (a phone number or email address) to many users including the target. When Kollar-Kotelly first approved it, she required the government to tell her which specific switches they were going to target — that is, which switches were likely to carry traffic from target countries like Yemen and Afghanistan. But when John Bates reauthorized the Internet dragnet in 2010, he let the government decide on a rolling basis which facilities it would collect metadata from.

Thus, starting in 2004 and expanding in 2010, “facilities” — the things targeted under FISA — were no longer required to tie to an individual user or even a location exclusively used by targeted users.

When Kollar-Kotelly authorized the Internet dragnet, she distinguished what she was approving, which did not require probable cause, from content surveillance, where probable cause was required. That is, she tried to imagine that the differing standards of surveillance would prevent her order from being expanded to the collection of content. But in 2007, when FISC was looking for a way to authorize Stellar Wind collection — which was the collection on accounts identified through metadata analysis — Roger Vinson, piggybacking Kollar-Kotelly’s decision on top of the Roving Wiretap provision, did just that. That’s where “upstream” content collection got approved. From this point forward, the probable cause tied to a wiretap target was freed from a known identity, and instead could be tied to probable cause that the facility itself was used by a target.

There are several steps between how we got from there to the Yahoo order that we don’t have full visibility on (which is why PCLOB should have insisted on having that discussion publicly). There’s nothing in the public record that shows John Bates knew NSA was searching on non-email or Internet messaging strings by the time he wrote his 2011 opinion deeming any collection of a communication with a given selector in it to be intentional collection. But he — or FISC institutionally — would have learned that fact within the next year, when NSA and FBI tried to obtain a cyber certificate. (That may be what the 2012 upstream violation pertained to; see this post and this post for some of what Congress may have learned in 2012.) Nor is there anything in the 2012 Congressional debate that shows Congress was told about that fact.

One thing is clear from NSA’s internal cyber certificate discussions: by 2011, NSA was already relying on this broader sense of “facility” to refer to a signature of any kind that could be associated with a targeted user.

The point, however, is that sometime in the wake of the 2011 John Bates opinion on upstream, FISC must have learned more about how NSA was really using the term. It’s not clear how much of Congress has been told.

The leap from that — scanning on telephone switches for a given target’s known “facility” — to the Yahoo scan is not that far. In his 2010 opinion reauthorizing the Internet dragnet, Bates watered down the distinction between content and metadata by stripping protection for content-as-metadata that is also used for routing purposes. There may be some legal language authorizing the progression from packets to actual emails (though there’s nothing that is unredacted in any Bates opinion that leads me to believe he fully understood the distinction). In any case, FISCR has already been blowing up the distinction between content and metadata, so it’s not clear that the Yahoo request was that far out of the norm for what FISC has approved.

Which is not to say that the Yahoo scan would withstand scrutiny in a real court unaware of the FISC precedents (including the ones we haven’t yet seen). It’s just to say we started down this path 12 years ago, and the concept of “facilities” has evolved such that a search for a non-email signature counts as acceptable to the FISC.

If a facility is not a user, then how do you determine foreignness?

[Update: I realize this discussion is, given the increasing certainty that the Yahoo scan was done under an individual FISA order, irrelevant for the Yahoo case, because FBI has been cleared to collect on signatures in the US. But the issue is still an important one when discussing “facilities” that have been divorced from a geographically located user.]

There’s one final thing we don’t have visibility on.

When Kollar-Kotelly started down this path, she focused on facilities that were foreign-facing. That is, there was a high likelihood messages transiting those switches were one-side foreign, and therefore targetable, certainly for a PRTT. But as I noted, that foreign-facing distinction got badly watered down in 2010. And Yahoo’s entire universe of emails would not be particularly foreign focused (though a lot of foreigners use Yahoo).

The question is, if NSA or FBI is targeting a facility that is not tied to a given user, but is instead tied to an organization that is located overseas, how does the government determine foreignness on a signature? NSA’s General Counsel would permit analysts to collect on but not target metadata of, say, bots in the US based on the assumption that the ultimate source of the bot was overseas. If the signature that FBI searches on derives from overseas — as in the case where Inspire magazine is produced overseas — does that by itself deem a communication involving that signature to be “located” overseas, and therefore targetable?

I suspect that may be why NYT’s sources emphasized that the target of the Yahoo search was a state-sponsored terrorist organization, rather than just a terrorist organization, because by definition that state would be overseas. But I also suspect that a lot of the recent troubles at NSA pertaining to “roving” selectors stem from the ambiguity that arises when you start targeting selectors that are not by definition geographically bounded.

The way the government targets facilities is constitutionally problematic in any case. But this question of foreignness seems to present both statutory and constitutional problems.

HPSCI: We Must Spy Like Snowden To Prevent Another Snowden

I was going to write about this funny part of the HPSCI report anyway, but it makes a nice follow-up to my post on Snowden and cosmopolitanism, on the importance of upholding American values to keeping the servants of hegemon working to serve it.

As part of its attack on Edward Snowden released yesterday, the House Intelligence Committee accused Snowden of attacking his colleagues’ privacy.

To gather the files he took with him when he left the country for Hong Kong, Snowden infringed on the privacy of thousands of government employees and contractors. He obtained his colleagues’ security credentials through misleading means, abused his access as a systems administrator to search his co-workers’ personal drives, and removed the personally identifiable information of thousands of IC employees and contractors.

I have no doubt that many — most, perhaps — of Snowden’s colleagues feel like he violated their privacy, especially as their identities are now in the possession of a number of journalists. So I don’t make light of that, or the earnestness with which HPSCI’s sources presumably made this complaint (though IC employee privacy is one of the things all journalists who have reported these stories have redacted, to the best of my knowledge).

But it’s a funny claim for several reasons. Even ignoring that what the NSA does day in and day out is search people’s personal communications (including millions of innocent people), this kind of broad access is the definition of a SysAdmin.

HPSCI apparently never had a problem with techs getting direct access to our dragnet metadata, as they had and (now working in pairs) still have, for those of us two degrees away from a suspect.

Plus, HPSCI has never done anything publicly to help the 21 million clearance holders whose PII China now holds. Is it possible they’re more angry at Snowden than they are at China’s hackers, who have more ill-intent than Snowden?

But here’s the other reason this complaint is laugh-out-loud funny. HPSCI closes its report this way:

Finally, the Committee remains concerned that more than three years after the start of the unauthorized disclosures, NSA and the IC as a whole, have not done enough to minimize the risk of another massive unauthorized disclosure. Although it is impossible to reduce the chance of another Snowden to zero, more work can and should be done to improve the security of the people and the computer networks that keep America’s most closely held secrets. For instance, a recent DOD Inspector General report directed by the Committee had yet to effectively implement its post-Snowden security improvements. The Committee has taken actions to improve IC information security in the Intelligence Authorization Acts for Fiscal Years 2014, 2015, 2016, and 2017, and looks forward to working with the IC to continue to improve security.

First, that timeline — showing an effort to improve network security in each year following the Snowden leaks — is completely disingenuous. It neglects to mention that the Intel Committees have actually been trying for longer than that. In the wake of the Manning leaks, it became clear that DOD’s networks were sieve-like. Congress tried to require network monitoring in the 2012 Intelligence Authorization. But the Administration responded by insisting 2013 — 3 years after Manning’s leaks — was too soon to plug all the holes in DOD’s networks. One reason Snowden succeeded in downloading all those files is because the network monitoring hadn’t been rolled out in Hawaii yet.

So HPSCI is trying to pretend Intel Committee past efforts didn’t actually precede Snowden by several years, but those efforts failed to stop Snowden.

The other reason I find this paragraph — which appears just four paragraphs after it attacks Snowden for the invasion of his colleagues’ privacy — so funny is that in the 2014 Intelligence Authorization (that is, the first one after the Snowden leaks), HPSCI codified an insider threat program, requiring the Director of National Intelligence to,

ensure that the background of each employee or officer of an element of the intelligence community, each contractor to an element of the intelligence community, and each individual employee of such a contractor who has been determined to be eligible for access to classified information is monitored on a continual basis under standards developed by the Director, including with respect to the frequency of evaluation, during the period of eligibility of such employee or officer of an element of the intelligence community, such contractor, or such individual employee to such a contractor to determine whether such employee or officer of an element of the intelligence community, such contractor, and such individual employee of such a contractor continues to meet the requirements for eligibility for access to classified information;

This insider threat program searches IC employees’ hard drives (one of Snowden’s sins).

Then, the following year, HPSCI got even more serious, mandating that the Director of National Intelligence look into credit reports, commercially available data, and social media accounts to hunt down insider threats, including by watching for changes in ideology like those Snowden exhibited, developing an outspoken concern about the Fourth Amendment.

I mean, on one hand, this isn’t funny at all — and I imagine that Snowden’s former colleagues blame him that they have gone from having almost no privacy as cleared employees to having none. This is what people like Carrie Cordero mean when they regret the loss of trust at the agency.

But as I have pointed out in the past, if someone like Snowden — who at least claims to have had good intentions — can walk away with the crown jewels, we should presume some much more malicious and/or greedy people have as well.

But here’s the thing: you cannot, as Cordero does, say that the “foreign intelligence collection activities [are] done with detailed oversight and lots of accountability” if it is, at the same time, possible for a SysAdmin to walk away with the family jewels, including raw data on targets. If Snowden could take all this data, then so can someone maliciously spying on Americans — it’s just that that person wouldn’t go to the press to report on it and so it can continue unabated. In fact, in addition to rolling out more whistleblower protections in the wake of Snowden, NSA has made some necessary changes (such as not permitting individual techs to have unaudited access to raw data anymore, which appears to have been used, at times, as a workaround for data access limits under FISA), even while ratcheting up the insider threat program that will, as Cordero suggested, chill certain useful activities. One might ask why the IC moved so quickly to insider threat programs rather than just implementing sound technical controls.

The Intelligence world has gotten itself into a pickle, at once demanding that a great deal of information be shared broadly, while trying to hide what information that includes, even from American citizens. It aspires to be at once an enormous fire hose and a leak-proof faucet. That is the inherent impossibility of letting the secret world grow so far beyond management — trying to make a fire hose leak proof.

Some people in the IC get that — I believe this is one of the reasons James Clapper has pushed to rein in classification, for example.

But HPSCI, the folks overseeing the fire hose? They don’t appear to realize that they’re trying to replicate and expand Snowden’s privacy violations, even as they condemn them.

A Cosmopolitan Defense of Snowden

A bunch of human rights groups have started a campaign calling on President Obama to pardon Edward Snowden, to coincide with the release of the Snowden movie today.

With regards to Snowden’s fate, I believe — as I have from the start — that US interest would have been and would be best served if a safe asylum for Snowden were arranged in a friendly country. I had said France at the time, but now Germany would be the obvious location. Obama is not going to pardon Snowden, and Presidents Hillary or Trump are far less likely to do so, not least because if a president pardoned Snowden it would be an invitation for a metaphorical or literal assassination attempt. But I also think it would have always served US interests to keep Snowden out of a place like Russia. That ship has already sailed, but I still think we insist on making it impossible for him to leave Russia (by pressuring allies like Germany that might otherwise have considered asylum) largely out of self-destructive motives, an urge to prove our power that often overrides our interests.

That’s all background to recommending you read this post from Jack Goldsmith arguing against pardon for Snowden. While I disagree with big parts of it, it is the most interesting piece I’ve seen on the Snowden pardon question, for or against.

Like me, Goldsmith believes there’s no chance Snowden will get a pardon, even while admitting that Snowden’s disclosures brought worthwhile transparency to the Intelligence Community. Unlike me, he opposes a pardon, in part, because of the damage Snowden did, a point I’ll bracket for the moment.

More interestingly, Goldsmith argues that a pardon should be judged on whether Snowden’s claimed justification matches what he actually did.

Another difficulty in determining whether a pardon is warranted for Snowden’s crimes is that the proper criteria for a pardon are elusive.  Oliver Wendell Holmes once declared that a pardon “is the determination of the ultimate authority that the public welfare will be better served by inflicting less” than what the criminal law specified.  But how to measure or assess the elusive public welfare?  The Constitution delegates that task exclusively to the President, who can use whatever criteria he chooses.  Many disagreements about whether a pardon is appropriate are at bottom disagreements about what these criteria should be.  Some will question whether Snowden should be pardoned even if his harms were trivial and the benefits he achieved were great.  Indeed, presidents don’t usually grant pardons because a crime brought benefits.  My own view is that in this unusual context, it is best to examine the appropriateness of a pardon in the first instance through an instrumental lens, and also to ask how well Snowden’s stated justification for his crimes matches up with the crimes he actually committed.

Goldsmith goes on to engage in what I consider a narrowly bracketed discussion of Snowden’s leaks about violations of US law (for example, he, as everyone always does, ignores NSA double dipping on Google and Yahoo servers overseas), claiming to assess whether they were violations of the Constitution, but in fact explicitly weighing whether they were a violation of the law.

His exposure of the 702 programs (PRISM and upstream collection) is harder to justify on these grounds, because these programs were clearly authorized by public law and have not sparked nearly the same criticism, pushback, or reform.

After substituting law for Constitution, the former OLC head (the guy who approved of much of Stellar Wind by claiming FISA exclusivity didn’t really mean FISA exclusivity) makes what is effectively an Article II argument — one nowhere nearly as breathtaking as Goldsmith’s Stellar Wind one. Most of Snowden’s leaks can’t be unconstitutional, Goldsmith argues, because they took place overseas and were targeted at non-US persons.

What I do not get, and what I have never seen Snowden or anyone explain, is how his oath to the U.S. Constitution justified the theft and disclosure of the vast number of documents that had nothing to do with operations inside the United States or U.S. persons.  (Every one of the arguments I read for Snowden’s pardon yesterday focused on his domestic U.S. revelations and ignored or downplayed that the vast majority of revelations that did not involve U.S. territory or citizens.)  To take just a few of hundreds of examples, why did his oath to the Constitution justify disclosure that NSA had developed MonsterMind, a program to respond to cyberattacks automatically; or that it had set up data centers in China to insert malware into Chinese computers and had penetrated Huawei in China; or that it was spying (with details about how) in many other foreign nations, on Bin Laden associate Hassam Ghul’s wife, on the UN Secretary General,  and on the Islamic State; or that it cooperates with intelligence services in Sweden and Norway to spy on Russia?; and so on, and so on.  These and other similar disclosures (see here for many more) concern standard intelligence operations in support of national security or foreign policy missions that do not violate the U.S. Constitution or laws, and that did extraordinary harm to those missions.  The losses of intelligence that resulted are not small things, since intelligence information, and especially SIGINT, is a core element of American strength and success (and not just, as many seem to think, related to counterterrorism).  It doesn’t matter that leaks in this context sparked modest reforms (e.g., PPD 28).  The Constitution clearly permits foreign intelligence surveillance, and our elected representatives wanted these obviously lawful practices to remain secret.

Having laid out a (compared to his Stellar Wind defense) fairly uncontroversial argument about the current interpretation of the Constitution reserving wiretapping of non-Americans to the President (though my understanding of the actual wiretapping in the Keith decision, of Americans in Africa, would say Presidents can’t wiretap Americans overseas without more process than Americans’ communications collected under bulk collection overseas currently get), Goldsmith goes on to make his most important point.

The real defense of Snowden stems not from our own Constitution, but from a moral and ethical defense of American values.

What might be the moral and ethical case for disclosing U.S. intelligence techniques against other countries and institutions?  (I will ignore possible cosmopolitan impulses for Snowden’s theft and leaks, which I think damage the case for a pardon for violations of U.S. law.)  I think the most charitable moral/ethical case for leaking details of electronic intelligence operations abroad, including against our adversaries, is that these operations were harming the Internet, were hypocritical, were contrary to American values, and the like, and Snowden’s disclosures were designed to save the Internet and restore American values.  This is not a crazy view; I know many smart and admirable people who hold it, and I believe it is ethically and morally coherent.

This is a remarkable paragraph. First, it defines what is, I think, the best defense of Snowden. American values and public claims badly conflict with what we were and still are doing on the Internet. I’d add that this argument also works to defend Chelsea Manning’s leaks: she decided to leak when she was asked to assist Iraqi torture in the name of Iraqi liberation, a dramatic conflict of US stated values with our ugly reality.

But the paragraph is also interesting for the way Goldsmith, almost as an aside, “ignore[s] possible cosmopolitan impulses for Snowden’s theft and leaks, which I think damage the case for a pardon for violations of U.S. law.” I take this to argue that if you’re leaking to serve some universal notion of greater good — some sense of world citizenship — then you can’t very well ask to be pardoned by US law. Perhaps, in that case, you can only ask to be pardoned by universal or at least international law. I’ll come back to this.

Goldsmith contrasts the moral and ethical case based on American values with his own, a moral and ethical one that justifies US spying to serve US interests in a complex and dangerous world.

But it is also not a crazy view, and it is also ethically and morally coherent, to think that U.S. electronic intelligence operations abroad were entirely lawful and legitimate efforts to serve U.S. interests in a complex and dangerous world, and that Snowden’s revelations violated his secrecy pledges and U.S. criminal law and did enormous harm to important American interests and values.

For the record, I think Snowden has said some of US spying does serve US interests in a complex and dangerous world. But from that view, the old defender of Article II argues that a President — the guy or gal who by definition is the only one who can decide to pardon Snowden — must always adhere to the latter (Goldsmith’s) moral and ethical stance.

Unfortunately for Snowden’s pardon gambit,  President Obama, and any one who sits in the Oval Office charged with responsibility for American success around the globe, will (and should) embrace the second moral/ethical perspective, and will not (and should not) countenance the first moral/ethical perspective, which I take to be Snowden’s.

Goldsmith then ends where I began, with a more polite explanation that any president that pardoned Snowden would be inviting metaphorical or literal assassination. He also suggests the precedent would lead to more leaks. But that seems to ignore 1) that Snowden leaked even after seeing what they did to Manning (that is, deterrence doesn’t necessarily work) 2) the Petraeus precedent has already exposed the classification system as one giant load of poo.

Anyway, by my reading, Goldsmith argues that this debate pits those motivated out of American values versus those motivated out of perceived American interests, and that any President must necessarily operate from the latter.

I’m interested in that because I think the former motivation really does explain a goodly number of the leakers and whistleblowers I know. People a generation older than me, I think, may have been true believers in the fight against the Evil Empire during the Cold War, only to realize we risk becoming the Evil Empire they spent their life fighting. Every time I see Bill Binney, he makes morbid cracks about how he was the guy who invented “Collect it all,” back when he was fighting Russia. People a generation younger than me — Snowden, Manning, and likely a lot more — more often responded out of defense of all that is great in America after 9/11, only to find that we have not adhered to that greatness in prosecuting the war on terror. These are gross generalizations. But I think the conflict is real among a lot of people, and it’s one that will always fight increasingly diligent efforts to tamp down dissent.

That said, I want to note something else Goldsmith did, while making his aside that anyone making a cosmopolitan defense of Snowden cannot ask for a pardon under US law (a view I find fairly persuasive, which may be why I think a reasonable outcome is for Snowden to live out his life in Germany). In making that aside, Goldsmith effectively dismissed the possibility that living US values rather than interests might be both cosmopolitan and in our national interest.

I’ve talked about this repeatedly — the degree to which Snowden’s disclosures (and, to a lesser extent, Manning’s) served to expose some lies that are critical to American hegemony. Our hegemonic position relies — according to people like Goldsmith and, perhaps in reality, though the evidence is mixed — on our global dragnet, which in turn serves our global military presence. But it has also relied on an ideology, every bit as important as ideology was during the Cold War, that espoused democracy and market capitalism and, underscoring both of those, a belief in the worth of every individual (and by extension, individual nation) to compete on equal terms. Without that ideology, we’re just a garden variety empire, which is a lot harder to sustain because it requires more costly (in terms of dollars and bodies) coercion rather than persuasion.

And Snowden’s leaks showed we used our preferential position astride the world’s telecommunications network and our claim to serve freedom of expression to serve as the hegemon. Hell, the aftermath of that shows it even more! Country after country has backed off giving Snowden asylum — the proper cosmopolitan resolution — because the US retains enough raw power and/or access to the fruits of the dragnet to persuade countries that’s not in their “interest.”

This is an issue that has gotten far too little attention in the wake of the Snowden leaks: to what degree is the cost of the Snowden leaks measured in terms of exposing to the subjects of our hegemon facts that their leaders already knew (either because they were and are willing co-participants in the spying or knowledgeable adversaries engaged in equally ambitious but less effective surveillance)? I don’t doubt there are individual programs that have been compromised, though thus far the IC has badly hurt its case by making claims (such as that Al Qaeda only adopted encryption in response to Snowden, or that Snowden taught terrorists how to use burner phones) that are easily falsifiable. But a big part of the leaks are about the degree to which the US can (and does passively in many cases via bulk collection) spy on everyone.

But to me, the big cost has been in terms of exposing America’s hegemonic ideology as the fiction that ideologies always become if they aren’t from the start.

Note, I fully accept that that may be an unacceptable cost. America’s hegemony was already weakening; I believe Snowden’s disclosures simply accelerated that. It is absolutely possible that the weakening of US hegemony will create a vacuum of power that will leave chaos. That chaos may lead, may have already led, to a desire for strongmen in response. There were outside factors playing into all of this. The Iraq War did far more to rot America’s hegemonic virtue than Edward Snowden’s leaks ever could have. And it’s not clear that an empire based on oil can provide the leadership we need to fight climate change, which will increasingly be the source of chaos. But I accept that it is possible Snowden accelerated a process that may lead to horrible outcomes.

Here’s the thing, though: this younger generation of leakers — of dissident servants of the hegemon — don’t need to be cured of a lifetime of ideology. It may take, as it did with Manning, no more than critical assessment of some flyers confiscated by our so-called partners in liberation for the ideology cementing our hegemonic authority to crumble.

Our hegemony depends on the ideology of our values. That seems to both have been the trigger for and may justify the cosmopolitan interest in exposing our hypocrisy. And whether or not Americans should give a shit about the freedom of non-American subjects of the hegemon, to the extent that servants of that ideology here find the hypocrisy unsustainable, we’re likely to have more Mannings and more Snowdens.

Our global dragnet may very well serve the ethics of those who serve presidentially-defined American interests. As such, Snowden’s leaks are surely seen as unforgivable damage.

But it is also possible that American hegemony is only — was only — sustainable to the degree that we made sure that global dragnet was limited by the values that have always been critical to the ideology underlying our hegemony.

Thursday: Hotter than Hell

Have a little indie synthpop if your day isn’t hot enough. The artist Dua Lipa lives in London; she originally moved to the United Kingdom in the 1990s with her parents who are Kosovar-Albanian. Imagine a UK to which artists like Lipa cannot easily immigrate.

Money, money, money

  • HSBC’s global head of Forex trading in London arrested at JFK on Tuesday (Bloomberg) — Mark Johnson was picked up before his flight by the feds; his counterpart, Stuart Scott, HSBC’s former head of currency trading in Europe, has also been charged with Johnson for conspiracy to manipulate currency based on insider information. The transaction on which the case is based took place in 2011, earning HSBC $8 million on a $3.1 billion deal. Gee, I wonder if these guys worked the pre- and post-Brexit fall of the pound.
  • Mastercard snaps up UK’s VocaLink for $920M (Businesswire) — Should probably keep a tally of UK businesses bought while pound is still down from pre-referendum highs. VocaLink gives Mastercard huge reach in payroll and household bill processing across UK and access to a substantive majority of UK consumer data.
  • Subzero bond yields: who’d have predicted this? (Bloomberg) — Analysis of overall trends this year, including flights to safety and their effect on the market. Still trying to wrap my head around subzero bond yields; does it make sense to pay for safekeeping without expectation of increase in value at the end? What might this do to consumption and growth?

Daily dose of cyber

  • Forbidden Research: fixing “leaky” cellphones (MIT Media Lab) — Electrical engineer/hacker Andrew “bunnie” Huang and NSA whistleblower Edward Snowden published a paper presented at MIT’s Forbidden Research event today, outlining their work countering surveillance abuse by law enforcement. Journalists in particular are targets for surveillance; their cellphones “leak” all kinds of information about them and their location which airplane mode does not shield. Huang and Snowden propose a method for monitoring radio transmissions by a cellphone, including GPS, and a means for killing the transmissions. Abstract here, and the paper itself here. Very straightforward reads even for the non- to low-tech audience.
  • Dead man’s prints brought back from the dead (Fusion) — Law enforcement approached Michigan State University professor Anil Jain and his PhD student Sunpreet Arora and asked them to recreate a dead man’s fingerprints in order to unlock his phone. There are few details disclosed about the case — not even which law enforcement agency made the ask — but the phone belonged to a murder victim and may contain information about his murderer. Or so the story says.
  • UK’s largest internet provider suffers two days of massive outages (TechRadar) — Outages have been blamed on power failures, but no additional information offered on reasons for power loss. Coincidentally, a C1 solar flare which began on July 17 caused radio disruption and aurora over the last 15-24 hours — might have made the situation worse.
  • France’s National Data Protection Commission says Microsoft Windows 10 operating system gathers too much personal data (Libération + BetaNews) — Surprised La Commission nationale de l’informatique et des libertés (CNIL) haven’t cuffed up Microsoft sooner given every version of Windows “phoned home” with information about its users and devices when patching and updating. Why is it Windows 10 in particular doesn’t comply with their Data Protection Act — is it the sniffing of users’ navigation data? Microsoft responded to CNIL’s complaint, not denying the claim but only saying it will work with CNIL on a solution. Right, then.

Tonight’s dinner and a movie: Jujubes and Ghostbusters. Yum. Stay cool, look after elderly neighbors and pets who need a reprieve from the heat.

Shaping Traffic and Spying on Americans

At the Intercept earlier this week, Peter Maass described an interview he had with a former NSA hacker he calls Lamb of God — this is the guy who did the presentation boasting “I hunt SysAdmins.” On the interview, I agree with Bruce Schneier that it would have been nice to hear more from Lamb of God’s side of things.

But the Intercept posted a number of documents that should have been posted long, long ago, covering how the NSA “shapes” Internet traffic and how it identifies those using Tor and other anonymizers.

I’m particularly interested in the presentations on shaping traffic — which is summarized in the hand-written document to the right and laid out in more detail in this presentation.

Both describe how the NSA will force Internet traffic to cross switches where it has collection capabilities. We’ve known they do this. Beyond just the logic of it, some descriptions of NSA’s hacking include descriptions of tracking traffic to places where a particular account can be hacked.

But the acknowledgement that they do this and discussions of how they do so is worth closer attention.

That’s true, first of all, because of wider discussions of cable maps. In discussing the various ways to make Internet traffic cross switches to which the NSA has access, Lamb of God facetiously (as is his style) suggests you could bomb or cut all the cable lines that feed links to which the NSA doesn’t have access.

Lamb of God dismisses this possibility as “fun to think about, but not very reasonable.”

But we know that cable lines do get cut. Back in 2008, for example, there were a slew of cables coming into the Middle East that got cut at one time (though that may have been designed to cut Internet communication more generally). Then there’s the time in 2012 when NSA tried to insert an exploit into a Syrian router, only to knock out almost all of the country’s Internet traffic.

One day an intelligence officer told him that TAO—a division of NSA hackers—had attempted in 2012 to remotely install an exploit in one of the core routers at a major Internet service provider in Syria, which was in the midst of a prolonged civil war. This would have given the NSA access to email and other Internet traffic from much of the country. But something went wrong, and the router was bricked instead—rendered totally inoperable. The failure of this router caused Syria to suddenly lose all connection to the Internet—although the public didn’t know that the US government was responsible. (This is the first time the claim has been revealed.)

Inside the TAO operations center, the panicked government hackers had what Snowden calls an “oh shit” moment. They raced to remotely repair the router, desperate to cover their tracks and prevent the Syrians from discovering the sophisticated infiltration software used to access the network. But because the router was bricked, they were powerless to fix the problem.

Fortunately for the NSA, the Syrians were apparently more focused on restoring the nation’s Internet than on tracking down the cause of the outage. Back at TAO’s operations center, the tension was broken with a joke that contained more than a little truth: “If we get caught, we can always point the finger at Israel.”

Again, we’ve known this happened, which is why it would have been nice to have this presentation three years ago, if only to explain the concept to those who don’t factor it into considerations of how the NSA works.

The other reason this is important is because of the possibility the NSA could deliberately shape traffic to take it out of FISA-controlled domestic space and into EO 12333-governed international space, a possibility envisioned in a 2015 paper. The slides from the paper present the same techniques laid out in the NSA presentation as hypothetical. And, as their more accessible write up explains, the NSA’s denials about this practice don’t actually address their underlying argument, which is that 1) the technology would make this easy, 2) the legal regime is outdated and thereby tolerates such loopholes, and 3) the parts of declassified versions of USSID-18 that might address it are all redacted.

In the paper, we reveal known and new legal and technical loopholes that enable internet traffic shaping by intelligence authorities to circumvent constitutional safeguards for Americans. The paper is in some ways a classic exercise in threat modeling, but what’s rather new is our combination of descriptive legal analysis with methods from computer science. Thus, we’re able to identify interdependent legal and technical loopholes, mostly in internet routing. We’ll definitely be pursuing similar projects in the future and hope we get other folks to adopt such multidisciplinary methods too.

As to the media coverage, the CBS News piece contains some outstanding reporting and an official NSA statement that seeks – but fails – to debunk our analysis:

However, an NSA spokesperson denied that either EO 12333 or USSID 18 “authorizes targeting of U.S. persons for electronic surveillance by routing their communications outside of the U.S.,” in an emailed statement to CBS News.

“Absent limited exception (for example, in an emergency), the Foreign Intelligence Surveillance Act requires that we get a court order to target any U.S. person anywhere in the world for electronic surveillance. In order to get such an order, we have to establish, to the satisfaction of a federal judge, probable cause to believe that the U.S. person is an agent of a foreign power,” the spokesperson said.

The NSA statement sidetracks our analysis by re-framing the issue to construct a legal situation that conveniently evades the main argument of our paper. Notice how the NSA concentrates on the legality of targeting U.S. persons, while we argue that these loopholes exist when i) surveillance is conducted abroad and ii) when the authorities do not “intentionally target a U.S. person.” The NSA statement, however, only talks about situations in which U.S. persons are “targeted” in the legal sense.

As we describe at length in our paper, there are several situations in which authorities don’t intentionally target a U.S. person according to the legal definition, but the internet traffic of many Americans can in fact be affected.

Once you’re collecting in bulk overseas, you have access to US person communications with a far lower bar than you do under the FISA regime (which is what John Napier Tye strongly suggested he had seen).

This is one of the reasons I consider the NSA’s decision not to answer obvious questions about where FISA ends and EO 12333 begins, in the context of concerns Snowden raised at precisely the time he was learning about this traffic shaping, to be very newsworthy. Using traffic shaping to access US person content even if it’s only in bulk (in the same way that hacking Google cables overseas does) clearly bypasses the FISA regime. We don’t know that they do this intentionally for US traffic. But we do know it would be technically trivial for the NSA to pull off, and we do know that multiple NSA documents make it clear they were playing in that gray area at least until 2013 (and probably 2014, when Tye came forward).

The traffic shaping paper ultimately tries to point out how our legal regime fails to account for obvious technical possibilities, technical possibilities we know NSA exploits, at least overseas. Particularly as ODNI threatens to permit the sharing of EO 12333 data more broadly — along with access to back door searches — this possibility needs to be more broadly discussed.