Last week, a bunch of House Judiciary Committee members sent James Clapper a letter stating that before the Committee deals with Section 702 reauthorization next year, they’d like:
They asked for those numbers by May 6.
In response, Clapper is humming and hawing about “several options” for disclosing how many Americans get spied on under Section 702.
Clapper said that “any methodology we come up with will not be completely satisfactory to all parties.”
“If we could have made such an estimate and if such an estimate were easy to do — explainable without compromise — we would’ve done it a long time ago,” he said.
We just learned there is, however, one number that should be easy-peasy to make public (and one I’m frankly alarmed the HJC members didn’t mention, as they should have known about it for some time): the number of back door searches FBI conducts on Section 702 data for reasons other than national security.
As I noted the other day, in response to FISC amicus (and former Eric Holder counsel) Amy Jeffress’ argument that FBI’s back door searches of Section 702 are unconstitutional, Thomas Hogan required FBI “submit in writing a report concerning each instance … in which FBI personnel receive and review Section 702-acquired information that the FBI identifies as concerning a United States person in response to a query that is not designed to find and extract foreign intelligence information.” As I noted, that’s an easily gamed number — I’m sure FBI treats a lot of criminal matters as national security ones, and FBI has the ability to see if there is 702 data without looking at it, permitting it to see if the same data is available under another authority.
Nevertheless, DOJ must have an exact number of reports they’ve submitted in response to this reporting requirement, which has been in place for over four months.
That’s not to say HJC shouldn’t insist on getting estimates for all the other numbers they’re seeking. But they should also demand that this number — the number of times FBI is using a foreign intelligence exception for criminal prosecutions that should be subject to a probable cause standard — be made public.
I have written numerous times about the timing of authorization for FBI to do back door searches. There’s a passage of the November 6, 2015 FISC opinion finding those searches to be constitutional that some have taken to clearly date the authority. But I believe the (unredacted sections of the) passage are being misread.
As Judge Thomas Hogan describes, “Queries by FBI personnel of Section 702-acquired data…
As the unredacted parts of the section make clear, queries for both foreign intelligence information or evidence of a crime “have been explicitly permitted by the FBI Minimization Procedures since 2009.” [my emphasis] The footnote goes on to describe how Minimization Procedures approved by Attorney General Mukasey on October 22, 2008 and submitted on some redacted date were approved by an opinion issued on April 7, 2009.
Already, that’s a curious set of details. If the minimization procedures were approved in October 2008, normally they’d be submitted close to right away, though it’s not clear that that happened. But why bother, given that FISC had just approved FAA certifications on September 4 (this timing resembles what had happened earlier that year, when the government significantly changed the program within days of getting certificates approved)? In any case, James Clapper’s censors want to hide what those dates were. One likely reason they might have done so would be to hide the dates from defendants, including a few of the ones challenging 702. Another would be to obscure how the approval process went after passage of FISA Amendments Act, specifically given that the FISA Court of Review finalized its Yahoo opinion in August of that year, in which it relied on DOJ’s promise that “there is no database” of incidentally collected US person information.
But two other things suggest that’s not the end of the story. First, the use of “explicitly” suggests there may have been a period before FISC approved the minimization procedures when such a practice was approved but perhaps not explicitly. Perhaps that simply refers to that lag period, between the time Mukasey approved those minimization procedures and the time FISC approved them.
But then there’s that redacted paragraph (the next footnote, 25, starts after it). Hogan adds something to his discussion beyond his description of the explicit approval of those minimization procedures.
As I have pointed out, Mukasey (writing with then Director of National Intelligence Mike McConnell, who would also have to approve any PRISM minimization procedures) made it clear in response to a Russ Feingold amendment of FISA Amendments Act in February of 2008 that they intended to spy on Americans under PRISM.
So it sure seems likely the Administration at the very least had FBI back door searches planned, if not already in the works, well before FISC approved the minimization procedures in 2009. That’s probably what Hogan explained in that paragraph, but James Clapper apparently believes it would be legally inconvenient to mention that.
A number of outlets are reporting that Ted Lieu and Blake Farenthold have written a letter to NSA Director Mike Rogers urging him not to implement the new data sharing effort reported by Charlie Savage back in February. While I’m happy they wrote the letter, they use a dubious strategy in it: they suggest their authority to intervene comes from Congress having “granted” NSA authority to conduct warrantless collection of data.
Congress granted the NSA extraordinary authority to conduct warrantless collection of communications and other data.2
2 See Foreign Intelligence Surveillance Act and the Patriot Act.
As an initial matter, they’ve sent this letter to a guy who’s not in the chain of approval for the change. Defense Secretary Ash Carter and Attorney General Loretta Lynch will have to sign off on the procedures developed by Director of National Intelligence James Clapper; they might consult with Rogers (if he isn’t the one driving the change), but he’s out of the loop in terms of implementing the decision.
Furthermore, the Congressionally granted authority to conduct warrantless surveillance under FISA has nothing to do with the authority under which NSA collects this data, EO 12333. In his story, Savage makes clear that the change relies on the [what he called “little-noticed,” which is how he often describes stuff reported here years earlier] changes Bush implemented in the wake of passage of FISA Amendments Act. As I noted in 2014,
Perhaps the most striking of those is that, even while the White House claimed “there were very, very few changes to Part 2 of the order” — the part that provides protections for US persons and imposes prohibitions on activities like assassinations — the EO actually replaced what had been a prohibition on the dissemination of SIGINT pertaining to US persons with permission to disseminate it with Attorney General approval.
The last paragraph of 2.3 — which describes what data on US persons may be collected — reads in the original,
In addition, agencies within the Intelligence Community may disseminate information, other than information derived from signals intelligence, to each appropriate agency within the Intelligence Community for purposes of allowing the recipient agency to determine whether the information is relevant to its responsibilities and can be retained by it.
The 2008 version requires AG and DNI approval for such dissemination, but it affirmatively permits it.
In addition, elements of the Intelligence Community may disseminate information to each appropriate element within the Intelligence Community for purposes of allowing the recipient element to determine whether the information is relevant to its responsibilities and can be retained by it, except that information derived from signals intelligence may only be disseminated or made available to Intelligence Community elements in accordance with procedures established by the Director in coordination with the Secretary of Defense and approved by the Attorney General.
Given that the DNI and AG certified the minimization procedures used with FAA, their approval for any dissemination under that program would be built in here; they have already approved it! The same is true of the SPCMA — the EO 12333 US person metadata analysis that had been approved by both Attorney General Mukasey and Defense Secretary Robert Gates earlier that year. Also included in FISA-specific dissemination, the FBI had either just been granted, or would be in the following months, permission — in minimization procedures approved by both the DNI and AG — to conduct back door searches on incidentally collected US person data.
In other words, at precisely the time when at least 3 different programs expanded the DNI and AG approved SIGINT collection and analysis of US person data, EO 12333 newly permitted the dissemination of that information.
What Bush did just as he finished moving most of Stellar Wind over to FISA authorities, was to make it permissible to share EO 12333 data with other intelligence agencies under the same kind of DNI/AG/DOD approval process already in place for surveillance. They’ve already been using this change (though as I note, in some ways the new version of EO 12333 made FAA sharing even more permissive than EO 12333 sharing). And Savage’s article describes that they’ve intended to roll out this further expansion since Obama’s first term.
Obama administration has been quietly developing a framework for how to carry it out since taking office in 2009.
Intelligence officials began working in 2009 on how the technical system and rules would work, Mr. Litt said, eventually consulting the Defense and Justice Departments. This month, the administration briefed the Privacy and Civil Liberties Oversight Board, an independent five-member watchdog panel, seeking input. Before they go into effect, they must be approved by James R. Clapper, the intelligence director; Loretta E. Lynch, the attorney general; and Ashton B. Carter, the defense secretary.
“We would like it to be completed sooner rather than later,” Mr. Litt said. “Our expectation is months rather than weeks or years.”
All of which is to say that if Lieu and Farenthold want to stop this, they’re going to have to buckle down and prepare for a fight over separation of powers, because Congress has had limited success (the most notable successes being imposition of FAA 703-705 and Section 309 of last year’s intelligence authorization) in imposing limits on EO 12333 collection. Indeed, Section 309 is the weak protection Dianne Feinstein and Mark Udall were able to get for activities they thought should be covered under FAA.
Two more points. First, I suspect such expanded sharing is already going on between NSA and DEA. I’ve heard RUMINT that DEA has actually been getting far more data since shutting down their own dragnets in 2013. The sharing of “international” narcotics trade data has been baked into EO 12333 from the very start. So it would be unsurprising to have DEA replicate its dragnet using SPCMA. There’s no sign, yet, that DEA has been included under FAA certifications (and there’s not, as far as we know, an FAA narcotics certificate). But EO 12333 sharing with DEA would be easier to implement on the sly than FAA sharing. And once you’ve shared with DEA, you might as well share with everyone else.
Finally, this imminent change is why I was so insistent that SPCMA should have been in the Brennan Center’s report on privacy implications of EO 12333 collection. What the government was doing, explicitly, in 2007 when they rolled that out was making the US person participants in internationally collected data visible. We’ve seen inklings of how NSA coaches analysts to target foreigners to get at that US person content. The implications of basing targeting off of SPCMA enabled analysis under PRISM (which we know they do because DOJ turned over the SPCMA document, but not the backup, to FISC during the Yahoo challenge), currently, are that US person data can get selected because US persons are involved and then handed over to FBI with no limits on its access. Doing so under EO 12333 will only expand the amount of data available — and because of the structure of the Internet, a great deal of it is available.
Probably, the best way to combat this change is to vastly expand the language of FAA 703-705 to cover US person data collected incidentally overseas during next year’s FAA reauthorization. But it will take language like that, because simply pointing to FISA will not change the Executive’s ability to change EO 12333 — even secretly! — at will.
This year we will be mindful of water. We take it for granted every time we turn on the faucet. Yet our brethren go without in nearby Flint, in spite of water’s essential nature to life. I’ll donate the money I would have spent on 46 days of meat-based meals to Flint’s United Way Water Fund and the Food Bank of Eastern Michigan, as both organizations are helping distribute water and filters to Flint residents. Last night’s Boil Water order issued because of a water main break only underlines the difficulties Flint’s residents will face until the entire water system is replaced.
Dept of Duh: Director of National Intelligence says Internet of Things can be used to spy
NO! Say it isn’t so! Like it never occurred to us that any device attached to the internet, including the growing number of WiFi-enabled household appliances, might be used to spy on us.
Volkswagen recalls cars — and not because of emissions
VW didn’t need more trouble; this time, it’s not the German car makers’ fault. 680,000 VW-branded vehicles are being recalled because of Takata-made airbags which may be defective. TAKE NOTE: Mercedes-Benz models were also recalled yesterday.
Toyota, Honda, Acura, BMW, Nissan, Subaru, GM, Ford, Chrysler, and Daimler also issued recalls over the last two years for the very same reason — defective Takata-made airbags. See this article for a running timeline of events related to the recalls as well as a list of affected vehicles (to date).
Attacking the grid? Try a squirrel first – hacking is much harder
A honeypot mimicking an energy management system demonstrated the challenge to hackers trying to crash a power grid. Dewan Chowdhury, MalCrawler’s founder, spoke at Kaspersky Lab security Analyst Summit about the knowledge set needed to attack energy systems:
“It’s extremely difficult. You can’t just be a NSA or FSB hacker; you need an electrical engineer on board to weaponize attacks and figure out what’s going on … When it comes to weaponization, you need a power substation engineer who knows what needs to be done and tested.”
After reading about Chowdhury’s presentation, I have two caveats. The first is the notion that an “electrical engineer” or a “power substation engineer” is required. Many non-degreed workers like electricians and technicians are familiar with computers, networks, and SCADA equipment. The second is this bit:
The groups had access to the HMI, which would allow them to manipulate the grid, but Chinese, U.S., and Russian groups, he said, stick to a gentlemen’s agreement and leave the grid alone. Middle Eastern actors, however, will try to perform control actions to sabotage the grid.
A “gentlemen’s agreement”? When do the gloves come off? When one of these actors aligns with a Middle Eastern actor?
Global disaster — how would you respond?
In case a mess of squirrels are deployed to take down the world’s power grids, one might need to know how to deal with the inevitable meltdown of services. Johns Hopkins Center for Civilian Biodefense Strategies modeled a global disaster in 2013 by way of a simulation game. The results were predictable:
What they discovered was that the country was ill prepared to cope. Within two weeks there would be enormous civilian casualties, a catastrophic breakdown in essential institutions, and mass civil unrest. Food supplies, electricity and transport infrastructures would all collapse.
International security scholar Dr. Nafeez Ahmed was asked how people should respond; he offered a nifty guide, outlined in six points.
But disaster isn’t always global, and current cases show our gross inability to respond to limited disasters. Flint, for example, already struggles with running water, item number three on Dr. Ahmed’s list. Conveniently, Flint doesn’t necessarily rely on government or law enforcement (item number four) because neither responded appropriately to the ongoing water crisis. What remains to be seen is whether Flint will muster long-term self-sufficiency (item number six) as government and law enforcement continue to let them down.
“Don’t necessarily trust the government or law enforcement” in global disaster, indeed.
Today was Global Threat day, when James Clapper testifies before various committees in Congress and Ron Wyden asks uncomfortable questions (today, directed exclusively at John Brennan). I’ll have a few posts about the hearings (in Senate Armed Services and Senate Intelligence Committees) and Clapper’s testimony, the SASC version of which is here.
One interesting detail in Clapper’s testimony comes in the several paragraph section on Infrastructure within a larger section on “Protecting Information Resources.” Here’s how the testimony describes the Juniper hack.
A major US network equipment manufacturer acknowledged last December that someone repeatedly gained access to its network to change source code in order to make its products’ default encryption breakable. The intruders also introduced a default password to enable undetected access to some target networks worldwide.
There’s no discussion of how many Federal agencies use Juniper’s VPN, nor of how this must have exposed US businesses (unless the NSA clued them into the problem). And definitely no discussion of the assumption that NSA initially asked for the back door that someone else subsequently exploited.
More importantly, there’s no discussion of the cost of this hack, which I find interesting given that it may be an own goal.
Two and a half years ago, I first started pointing to the evidence that several of the guys on the Osama bin Laden operation took trophy photos.
[O]n February 15, 2013, DOJ informed Judicial Watch that CIA had found 7 more photos responsive to their FOIA. That happened just 4 days after Esquire published a splashy story about the guy who claimed to have been the SEAL who actually killed OBL. The current version includes this line.
In the compound, I thought about getting my camera, and I knew we needed to take pictures and ID him.
I had made the connection at the time, and I have a distinct suspicion the language was slightly different in the original (Esquire was making factual corrections along the way but the original is not on Internet Archive), making it clear that the Shooter and possibly others did take pictures, though perhaps not for operational purposes.
What kind of amped up warrior who had just helped kill the bogeyman could resist taking souvenir pictures? Could you blame them, if so?
In any case, I suspected at the time that the reason CIA “located” new photos was because they read about another set of photos in the possession of one of the guys who participated in the op, if not shot the lethal bullet. The ambiguity in the description of McRaven’s order seems to support that.
That is, what SOCOM and CIA appear to be protecting are — in significant part — the personal photos taken by the guys who did the operation.
The Intercept has a story describing how Matt Bissonnette — the guy who wrote No Easy Day — is under continued investigation as a result of having done just that.
It appears the government went after Bissonnette after he published his book, and demanded a cut of his profits and that he turn over a hard drive that had an “unauthorized” picture of OBL.
The retired SEAL voluntarily provided investigators with a copy of his hard drive as part of an agreement not to prosecute him for unlawfully possessing classified material, according to the two people familiar with the deal.
Luskin said that he had negotiated a deal in 2014 with the Pentagon and the Justice Department to hand over to the government some of the millions of dollars in book profits Bissonnette had received.
He would not confirm Bissonnette’s possession of the bin Laden photo or whether any investigation still remains open.
But once DOJ got Bissonnette’s hard drive — which according to the Intercept was technically turned over voluntarily (meaning there’d be no warrant to limit the scope of what the government could do with it), they found evidence he may have had side deals associated with his procurement role for the team.
During their search of his hard drive, investigators subsequently found emails and records dealing with Bissonnette’s work as a consultant while he was on active duty at SEAL Team 6. Those records, which were not part of the non-prosecution agreement, led to the widening probe. Federal investigators then became interested in whether Bissonnette’s business ventures with companies that supply military equipment — including companies whose products were used by SEAL Team 6 — were helped by his role in the elite unit’s procurement process, according to one of the people familiar with the case.
Element Group, a company Bissonnette helped set up in Virginia Beach about five years ago, is among the companies NCIS is said to be investigating. According to a former SEAL Team 6 operator familiar with Element Group’s business arrangements, the firm, which has since been shut down, designed prototypes for, and advised, private companies that make sporting and tactical equipment.
According to several former SEAL Team operators familiar with the company, Element Group also did business with at least one Defense Department contractor that sold equipment to SEAL Team 6. The defense contractor, Atlantic Diving Supply, or ADS, has military supply and equipment contracts with SEAL Team 6, according to several former SEAL Team 6 operators, as well as other parts of the departments of Defense and Homeland Security. Federal investigators have been looking into the business relationship between Element Group and ADS.
I don’t defend Bissonnette if his side deals were corrupt. But this is bullshit on several levels.
Of course, many people, including me, have noted that Bissonnette’s book was an attempt to push back on the information asymmetry — and with it, propaganda — that the government uses classification to pull off.
Prosecuting Bissonnette would require admitting that the government used its unilateral authority over the nation’s secrets to tell a fiction–not an egregious one, but still one that served a significant political objective.
Now there are probably legal ways around that problem (they could prosecute Bissonnette for revealing obscure details that no one really cares about, for example). But probably not political ways around it, because at best, it would seem like retaliation for exposing the Administration’s fluffing of the facts.
It appears that Bissonnette has shown that the Administration used its control over secrecy as a political tool, not just an operational one, and to prosecute him, they’d have to make that point even more clear.
In addition, as I noted in a series of posts, DOD did a lot of things that arguably violate classification laws to hide those trophy photos by retroactively classifying them and sending them over to CIA where they’d be further hidden from Judicial Watch and other FOIAs that had already been filed.
[I]f the photos were classified after their FOIA, they would have had to have been classified on a photo by photo basis by the Director of CIA, Deputy Director, or a Senior Agency Official in charge of classifications, the CIA responded by saying that, after the CIA got the photos (which by all appearances happened after the FOIA), they were derivatively classified in accordance with the SAO’s guidance.
CIA doesn’t say whether that official reviewed the photos individually or not. Nor does it explain who wrote “TOP SECRET” on them, without adding all the other required classification markers.
And note how the CIA claims these photos “were always considered to be classified” by them — but not necessarily by SOCOM, which originally had the photos. But they don’t even claim they were always considered to be Top Secret.
If I’m right about the DOD’s efforts to avoid its obligation under FOIA, then it basically went after Bissonnette for improperly handling classified information while it was doing the same thing (albeit to withhold previously unclassified information). Plus, if these photos were unauthorized, classifying them to hide them would amount to classification to hide misconduct.
Finally, whatever the ethical conflicts with Bissonnette’s side deals (they remain under investigation and it’s not clear there was a conflict, in which case this feels like DOJ’s pursuit of NSA whistleblowers Bill Binney et al for their effort to start a business), they’re being investigated at a time when the Intelligence Community has just eliminated some measures designed to facilitate oversight of precisely this kind of conflict. I sure take from that that the powers that be in our IC want to continue to engage in the kind of conflicted business deals that Bissonnette is being investigated for.
Here’s the irony though: I noted James Clapper had pushed that conflict change through, in part because it is so much work to ride herd on conflicts, even while accepting a requirement that his office increase its surveillance of line personnel. I concluded that Clapper has some really funny ideas about insider threats, finding abusive incompetents trading on their position to be less of a problem than leakers.
Clapper’s perfectly willing to expand his bureaucracy to look for leakers, but not to weed out the dangerously incompetent people ordering potential leakers around.
Bissonnette’s problem, I guess, is he was allegedly both, someone who shared information that undercut official propaganda, and someone who traded on his position.
Had he just done the latter everything would have been fine, I guess.
As I noted in an update to this post, over the last several months, the Brennan Center has led an effort among privacy organizations to get the Intelligence Community to provide the transparency over its Section 702 surveillance that it dodged under the USA Freedom Act. On October 29, 2015, it sent James Clapper a letter asking for:
On December 23, Privacy Officer Alex Joel responded on behalf of Clapper, largely dodging the requests but offering to have a meeting at which he could further dodge the request. Then yesterday, Brennan replied, calling out some of those dodges and posing new questions in advance of any meeting.
While the reply asks some worthwhile new questions, I wanted to look at some underlying background to the response Joel and ODNI gave.
In response to Brennan’s request for the number of US persons sucked up in 702, Joel points back to the PCLOB 702 report (which was far more cautious than the earlier 215 report) and its report on the status of recommendations from January 2015 and basically says, “we’re still working on that.” Brennan deemed the response non-responsive and noted that the IC is still working on 4 of PCLOB’s 5 recommendations 18 months after they issued it.
I would add one important caveat to that: PCLOB’s fifth recommendation was that the government provide,
the number of instances in which the NSA disseminates non-public information about U.S. persons, specifically distinguishing disseminations that includes names, titles, or other identifiers potentially associated with individuals.
We’ve just learned — through curiously timed ODNI declassification — that the numbers FBI gives to Congress on 702 dissemination are dodgy, or at least were dodgy in 2012, in part because they had been interpreting what constituted US person information very narrowly. For whatever reason, PCLOB didn’t include FBI in this recommendation, but they should be included, especially given the issues of notice to defendants dealt with below.
More importantly, there’s something to remember, as the IC dawdles in its response to this recommendation. In 2010, John Bates issued a ruling stating that knowingly collecting US person content constituted an illegal wiretap under 50 USC 1809(a). Importantly, he said that if the government didn’t know it was conducting electronic surveillance, that was okay, but it shouldn’t go out of its way to remain ignorant that it was doing so.
When it is not known, and there is no reason to know, that a piece of information was acquired through electronic surveillance that was not authorized by the Court’s prior orders, the information is not subject to the criminal prohibition in Section 1809(a)(2). Of course, government officials may not avoid the strictures of Section 1809(a)(2) by cultivating a state of deliberate ignorance when reasonable inquiry would likely establish that information was indeed obtained through unauthorized electronic surveillance.
The following year, Bates held that when it collected entirely domestic communications via upstream Section 702 collection, that collection was intentional (and therefore electronic surveillance), not incidental, though Clapper’s lawyer Bob Litt likes to obfuscate on this point. The important takeaway, though, is that the IC can illegally collect US person data so long as it avoids getting affirmative knowledge it is doing so, but it can’t be too obvious in its efforts to remain deliberately ignorant.
I’d say 18 months begins to look like willful ignorance.
Brennan asked for solid numbers on back door searches, and Joel pointed to PCLOB’s recommendations that pertain to updated minimization procedures, a totally different topic.
And even there Joel was disingenuous in a way that the Brennan letter did not note.
Joel asserts that “with the recent reauthorization of the 702 Certification … this recommendation 2 [has] been implemented.” The recommendation included both additional clarity in FBI’s minimization procedures as well as further limits on what non-national security crimes FBI can use 702 data for.
Back in February 2015, Bob Litt revealed the latter information, what FBI could use 702 data for:
crimes involving death, kidnapping, substantial bodily harm, conduct that is a specified offense against a minor as defined in a particular statute, incapacitation or destruction of critical infrastructure, cyber security, transnational crimes, or human trafficking.
But after Litt made that disclosure, and either after or during the process of negotiating new 702 certificates, the ODNI released updated minimization procedures. But they were the MPs for 2014, not 2015! (See this post for a discussion of new disclosures in those documents.) Joel’s answer makes clear that FBI’s minimization procedures were updated significantly in the 2015 application beyond what they had been in 2014 (because that’s the only way they could have not fulfilled that recommendation last January but have since done so).
In other words, Joel answers Brennan’s question by boasting about fulfilling PCLOB’s recommendations, but not Brennan’s answer. But even there, if ODNI had just released the current FBI MPs, rather than year-old ones, part of Brennan’s questions would be answered — that is, what the current practice is.
I think the recent new disclosures about the limits on FBI’s very limited disclosure reporting (at least until 2012) provide some additional explanation for why FBI doesn’t count its back door searches. We know:
In other words, there is a great deal of room to launder where data comes from, particularly if it has been used for metadata link analysis as an interim step. To try to count the specifically Section 702 queries, even just of content, though all the more so of metadata, would require revealing these overlaps, which FBI surely doesn’t want to do.
All that’s also background to Brennan’s request for information about notice to defendants. Joel pretty much repeated DOJ’s unhelpful line, though he did direct Brennan to this OLC memo on notice to those who lose clearance. Not only does that memo reserve the right to deem something otherwise subject to FISA’s notice requirements privileged, it also cites from a 1978 House report excluding those mentioned in, but not a party to, electronic surveillance from notice.
[A]s explained in a FISA House Report, “[t]he term specifically does not include persons, not parties to a communication, who may be mentioned or talked about by others.”
That, of course, coincides with one of the categories of people that it appears FBI was not counting in FISA dissemination reports until at least 2012 (and, of course, metadata does not count as electronic surveillance).
All of which is to say this appears to hint at the scope of how FBI has collected and identified people using 702 derived data that nevertheless don’t get 702 notice.
None of that excuses ODNI for refusing to respond to these obvious questions. But it does seem to indicate that the heart of FBI’s silence about its own 702 practices has a lot to do with its ability to arbitrage the multiple authorities it uses to spy.
According to Medium, Crackas With Attitude just hacked James Clapper and his wife.
One of the group’s hackers, who’s known as “Cracka,” contacted me on Monday, claiming to have broken into a series of accounts connected to Clapper, including his home telephone and internet, his personal email, and his wife’s Yahoo email. While in control of Clapper’s Verizon FiOS account, Cracka claimed to have changed the settings so that every call to his house number would get forwarded to the Free Palestine Movement.
The hacker also sent me a list of call logs to Clapper’s home number. In the log, there was a number listed as belonging to Vonna Heaton, an executive at Ball Aerospace and a former senior executive at the National Geospatial-Intelligence Agency. When I called that number, the woman who picked up identified as Vonna Heaton. When I told her who I was, she declined to answer any questions.
Viscerally, I’m laughing my ass off that Verizon (among others) has shared Clapper’s metadata without his authority. “Not wittingly,” they might say if he asks them about that. But I recognize that it’s actually not a good thing for someone in such a sensitive position to have his metadata exposed (I mean, to the extent that it wasn’t already exposed in the OPM hack).
I would also find some amusement if Clapper ends up being the first public victim of OmniCISA’s regulatory immunity for corporations.
Yahoo and Verizon can self-report this cyber intrusion to DHS, and if they do then the government can’t initiate regulatory action against them for giving inadequate protection from hacking for the Director of National Intelligence’s data.
And whether or not Clapper is the first victim of OmniCISA’s regulatory immunity, he is among the first Americans that the passage of OmniCISA failed to protect from hacking.
This is going to be a weedy post in which I look at a key detail revealed by 2010 NSA Inspector General reviews of the Section 215 phone dragnet. The document was liberated by Charlie Savage last year.
At issue is the government’s description, in the period after the Snowden leaks, of what kind of searches it did on the Section 215 phone dragnet. The searches the government did on Section 215 dragnet data are critical to understanding a number of things: the reasons the parallel Internet dragnet probably got shut down in 2011, the squeals from people like Marco Rubio about things the government lost in shutting down the dragnet, and the likely scope of collection under USA Freedom Act.
Throughout the discussion of the phone dragnet, the administration claimed it was used for “contact chaining” — that is, exclusively to show who was within 3 (and starting in 2014, 2) degrees of separation, by phone calls [or texts, see update] made, from a suspected terrorist associate.
Here’s how the administration’s white paper on the program described it in 2013.
This telephony metadata is important to the Government because, by analyzing it, the Government can determine whether known or suspected terrorist operatives have been in contact with other persons who may be engaged in terrorist activities, including persons and activities within the United States. The program is carefully limited to this purpose: it is not lawful for anyone to query the bulk telephony metadata for any purpose other than counterterrorism, and Court-imposed rules strictly limit all such queries.
Though some claims to Congress and the press were even more definitive that this was just about contact chaining.
The documents on the 2009 violations released under FOIA made it clear that, historically at least, querying wasn’t limited to contact chaining. Almost every reference in these documents to the scope of the program includes a redaction after “contact chaining” in the description of the allowable queries. Here’s one of many from the government’s first response to Reggie Walton’s questions about the program.
The redaction is probably something like “pattern analysis.”
Because the NSA was basically treating all Section 215 data according to the rules governing EO 12333 in 2009 (indeed, at the beginning of this period, analysts couldn’t distinguish the source of the two authorizations), it subjected the data to a number of processes that did not fit under the authorization in the FISC orders — things like counts of all contacts and automatic chaining on identifiers believed to be the same user as one deemed to have met the Reasonable Articulable Standard. The End to End report finished in summer 2009 described one after another of these processes being shut down (though making it clear it wanted to resume them once it obtained FISC authorization). But even in these discussions, that redaction after “contact chaining” remained.
Even in spite of this persistent redaction, the public claims this was about contact chaining gave the impression that the pattern analysis not specifically authorized by the dragnet orders also got shut down.
The IG Reports that Savage liberated give a better sense of precisely what the NSA was doing after it cleared up all its violations in 2009.
The Reports were ordered up by the FISC and covered an entire year of production (there was a counterpart on the Internet dragnet side, which was largely useless since so much of that dragnet got shut down around October 30, 2009 and remained shut down during this review period).
They show several things:
It’s the last item of interest here.
The first thing to understand about the phone dragnet data is it could be queried two places: the analyst front-end (the name of which is always redacted), and a “Transaction Database” that got replaced with something else in 2011. (336)
Basically, when the NSA did intake on data received from the telecoms, it would create a table of each and every record (which is I guess where the “transaction” name came from), while also making sure the telecoms didn’t send illegal data like credit card information.
Doing queries in the Transaction Database bypassed search restrictions. The March 2010 audit discovered a tech had done a query in the Transaction Database using a selector whose RAS approval (meaning NSA had determined there was reasonable articulable suspicion that the selector had some tie to designated terrorist groups and/or Iran) had expired. The response to that violation, which NSA didn’t agree was a violation, was to move that tech function into a different department at NSA, away from the analyst function, which would do nothing to limit such restriction-free queries, but would put a wall between analysts and techs, making it harder for analysts to ask techs to perform queries the analysts would be unable to do themselves.
Because the direct queries done for data integrity purposes were not subject to auditing under the phone dragnet orders, the monthly reports distinguished between those and analyst queries, the latter of which were audited to be sure they were RAS approved. But as the April 2010 report and subsequent audits showed, analysts also would do an “ident lookup.” (83)
The report provided this classified/Five Eyes description of “ident lookups.”
The Emphatic Access Restriction was a tool implemented in 2009 to ensure that analysts only did queries on RAS-approved selectors. What this detail reveals is that, rather than consulting a running list somewhere to see whether a selector was RAS approved, analysts would instead try to query, and if the query failed, that’s how they would learn the selector was not RAS approved.
We can’t be sure, but that suggests RAS approval went beyond simple one-to-one matching of identifiers. It’s possible an ident lookup needed to query the database to see if the data showed a given selector (say, a SIM card) matched another selector (say, a phone number) which had been RAS approved. It might go even further, given that NSA had automatically done searches on “correlated” numbers (that is, on a second phone number deemed to belong to the same person as the primary number that had been RAS approved). At least, that’s something NSA had done until 2009 and said it wanted to resume.
In other words, the fact that an ident lookup query queried the data and not just a list of approved selectors suggests it did more than just cross-check the RAS approval list: at some level it must have tested the multiple selectors associated with one user to see if the underlying selectors were, by dint of the user himself being approved, themselves approved.
Ident lookups appear fairly often in these IG reports. Less frequent is an entirely redacted kind of query such as described but redacted in the September 2010 report. (166)
The footnote description of that query is classified Top Secret NOFORN and entirely redacted.
I have no idea what that query would be, but it’s clear it is done on the analyst facing interface, and only on RAS approved selectors.
The timing of this third query is interesting. Such queries appear in the September and October 2010 audits. That was a period when, in the wake of the July 2010 John Bates approval to resume the Internet dragnet, they were aligning the two programs again (or perhaps even more closely than they had been in 2009). It also appears after a new selector tracking tool got introduced in June 2010. That said, I’m unaware of anything in the phone dragnet orders that would have expanded the kinds of queries permitted on the phone dragnet data.
We know they had used the phone dragnet until 2009 to track burner phones (that is, matching calling patterns of selectors not known to have a connection to determine which was a user’s new phone). We know that in November 2012, FISC approved an automated query process, though NSA never managed to implement it technically before Obama decided to shut down the dragnet. We also know that in 2014 they started admitting they were also doing “connection” chaining (which may be burner phone matching or may be matching of selectors). All are changes that might relate to more extensive non-chain querying.
We also don’t know whether this kind of query persisted from 2010 until last year, when the dragnet got shut down. I think it possible that the reasons they shut down the Internet dragnet in 2011 may have implicated the phone dragnet.
The point, though, is that at least by 2010, NSA was doing non-chain queries of the entire dragnet dataset that it considered to be approved under the phone dragnet orders. That suggests that, by September 2010, NSA was already using the bulk set as a set (or, more accurately, again, after the 2009 violations).
Last March, when James Clapper explained the need to retain records for a period of time, he justified it by saying you needed the historical data to discern patterns.
Q: And just to be clear, with the private providers maintaining that data, do you feel you’ve lost an important tool?
Clapper: Not necessarily. It will depend though, for one, retention period. I think, given the attitude today of the providers, they will probably do all they can to minimize the retention period. Which of course, from our standpoint, lessens the utility of the data, because you do need some — and we can prove this statistically — you do need some historical data in order to, if you’re gonna discern a pattern. And again, 215 to me, is much like my fire insurance policy. You know, my house has never burned down but every year I buy fire insurance just in case.
This would be consistent with the efforts to use the bulk dataset to find burner identities, at a minimum. It would also be consistent with Marco Rubio et al’s squeals about needing the historical data. And it would be consistent with the invocation of the National Academy of Sciences report on bulk data (though not on the phone dragnet), which NSA’s General Counsel raised in a Lawfare post today.
In other words, contrary to public suggestions, it appears NSA was using the phone dragnet to conduct pattern analysis that required the bulk dataset. That’s not surprising, though it is something the NSA suggested they weren’t doing.
They surely are still doing that on the larger EO 12333 dataset, along with a lot more complex kinds of analysis. But it seems some, like Rubio, either think we need to return to such bulk pattern analysis, or have used the San Bernardino attack to call to resume more intrusive spying.
Update: One of the other things the IG Reports make clear is that NSA was (unsurprisingly) collecting records of non-simultaneous telephone transactions. That became an issue when, in 2011, NSA started to age-off 5 year old data, because they would have some communication chains that reflected communications that were more than 5 years old but which were obtained less than 5 years before.
My guess is this reflects texting chains that continued across days or weeks.
Back when I reviewed the goodies the House Intelligence Committee had given James Clapper in this year’s Intelligence Authorization, I noted the bill eliminated this report on potential conflicts in outside employment (see clause u).
The Director of National Intelligence shall annually submit to the congressional intelligence committees a report describing all outside employment for officers and employees of elements of the intelligence community that was authorized by the head of an element of the intelligence community during the preceding calendar year.
That change — which will make it harder for people to track the kinds of conflicts of interest a number of top NSA officials recently got caught with — survived in the Omnibus into which the Intelligence Authorization got integrated. Which probably means we’ll be seeing more spooks getting paid by contractors on the side.
Yesterday, WaPo described a reporting requirement that had been in the Senate Intelligence Authorization, but got watered down in the Omnibus: a report on promotions revealing whether those being promoted were “unfit or unqualified.”
Under a provision drafted by the Senate Intelligence Committee this year, intelligence agencies would have been required to regularly provide names of those being promoted to top positions and disclose any “significant and credible information to suggest that the individual is unfit or unqualified.”
More recently, a top CIA manager who had been removed from his job for abusive treatment of subordinates was reinstated this year as deputy chief for counterintelligence at the Counterterrorism Center.
U.S. officials offered multiple explanations for Clapper’s objections. Several said that his main concern was the bureaucratic workload that would be generated by legislation requiring so much detail about potentially hundreds of senior employees across the U.S. intelligence community.
But others said that U.S. spy chiefs chafed at the idea of subjecting their top officials to such congressional scrutiny and went so far as to warn that candidates for certain jobs would probably withdraw.
Lawmakers were told that “some intelligence personnel would be reluctant to seek promotions out of concern that information about them would be presented to the Hill,” said a U.S. official involved in the discussions.
So he balked and Congress watered down the requirement. Here’s what remains of the measure:
(a) DIRECTIVE REQUIRED.—The Director of National Intelligence shall issue a directive containing a written policy for the timely notification to the congressional intelligence committees of the identities of individuals occupying senior level positions within the intelligence community.
The fine print on the requirement probably provides ways for Clapper to squish out of it in many cases by invoking covert status (which, in turn, likely means CIA will expand its current practice of pretending top managers are covert to protect them from scrutiny) or otherwise claiming senior people are not sufficiently senior to require notice.
So rather than preventing the CIA and other agencies from promoting abusive incompetents, the measure will likely lead to them being hidden further behind CIA’s secrecy.
Which is interesting, especially given another Intel Authorization measure that survived in the Omnibus, that I earlier described as an effort to make sure spooks and those in sensitive positions aren’t joining EFF or similar organizations.
The committee description of this section explains it will require DNI to do more checks on spooks (actually spooks and “sensitive” positions, which isn’t full clearance).
Section 306 directs the Director of National Intelligence (DNI) to develop and implement a plan for eliminating the backlog of overdue periodic investigations, and further requires the DNI to direct each agency to implement a program to provide enhanced security review to individuals determined eligible for access to classified information or eligible to hold a sensitive position.
These enhanced personnel security programs will integrate information relevant and appropriate for determining an individual’s suitability for access to classified information; be conducted at least 2 times every 5 years; and commence not later than 5 years after the date of enactment of the Fiscal Year 2016 Intelligence Authorization Act, or the elimination of the backlog of overdue periodic investigations, whichever occurs first.
Among the things ODNI will use to investigate its spooks are social media, commercial data sources, and credit reports. Among the things it is supposed to track is “change in ideology.” I’m guessing they’ll do special checks for EFF stickers and hoodies, which Snowden is known to have worn without much notice from NSA.
Remember, one complaint Clapper had about the gutted requirement he identify the abusive incompetents being promoted at intelligence agencies is the added bureaucracy of tracking just those being promoted in management ranks. But he apparently had no problem with a requirement that ODNI track the social media of everyone at all agencies to make sure they’re going to keep secrets and don’t harbor any “ideology” changes like support for the Bill of Rights.
That is, Clapper’s perfectly willing to expand his bureaucracy to look for leakers, but not to weed out the dangerously incompetent people ordering potential leakers around.
Apparently, to James Clapper, people who might leak about those unfit for management are more dangerous insider threats than having entire centers run by people unfit for management.