Jim Comey

1 2 3 13

Jim Comey, Poker Face, and the Scope of the Clinton Investigation(s)

Screen Shot 2016-07-07 at 10.11.04 PMI write this post reluctantly, because I really wish the Hillary investigations would be good and over. But I don’t think they are.

After having watched five and a half hours of the Clinton investigation hearing today, I’ve got new clarity about what the FBI has been doing for the last year. That leads me to believe that this week’s announcement that DOJ will not charge Clinton is simply a pause in the Clinton investigation(s). I believe an investigation will resume shortly (if one is not already ongoing), though that resumed investigation will also end with no charges — for different reasons than this week’s declination.

First, understand how this all came about. After the existence of Hillary’s server became known, State’s IG Steve Linick started an investigation into it, largely focused on whether Hillary (and other Secretaries of State) complied with Federal Records Act obligations. In parallel, as intelligence agencies came to complain about State’s redactions of emails released in FOIA response, the Intelligence Committee Inspector General Charles McCullough intervened in the redaction process and referred Clinton to the FBI regarding whether any classified information had been improperly handed. As reported, State will now resume investigating the classification habits of Hillary and her aides, which will likely lead to several of them losing clearance.

The FBI investigation that ended yesterday only pertained to that referral about classified information. Indeed, over the course of the hearing, Comey revealed that it was narrowly focused, examining the behavior of only Clinton and four or five of her close aides. And it only pertained to that question about mishandling classified information. That’s what the declination was based on: Comey and others’ determination that when Hillary set up her home-brew server, she did not intend to mishandle classified information.

This caused some consternation, early on in the hearing, because Republicans familiar with Clinton aides’ sworn testimony to the committee investigating the email server and Benghazi were confused how Comey could say that Hillary was not cleared to have her own server, but aides had testified to the contrary. But Comey explained it very clearly, and repeatedly. While FBI considered the statements of Clinton aides, they did not review their sworn statements to Congress for truth.

That’s important because the committee was largely asking a different question: whether Clinton used her server to avoid oversight, Federal Record Act requirements, the Benghazi investigation, and FOIA. That’s a question the FBI did not review at all. This all became crystal clear in the last minutes of the Comey testimony.

Chaffetz: Was there any evidence of Hillary Clinton attempting to avoid compliance with the Freedom of Information Act?

Comey: That was not the subject of our criminal investigation so I can’t answer that sitting here.

Chaffetz: It’s a violation of law, is it not?

Comey: Yes, my understanding is there are civil statutes that apply to that. I don’t know of a crimin–

Chaffetz: Let’s put some boundaries on this a little bit — what you didn’t look at. You didn’t look at whether or not there was an intention or reality of non-compliance with the Freedom of Information Act.

Comey: Correct.

Having started down this path, Chaffetz basically confirms what Comey had said a number of times throughout the hearing, that FBI didn’t scrutinize the veracity of testimony to the committee because the committee did not make a perjury referral.

Chaffetz: You did not look at testimony that Hillary Clinton gave in the United States Congress, both the House and the Senate?

Comey: To see whether it was perjurious in some respect?

Chaffetz: Yes.

Comey: No we did not.

[snip]

Comey: Again, I can confirm this but I don’t think we got a referral from Congressional committees, a perjury referral.

Chaffetz: No. It was the Inspector General that initiated this.

Now, let me jump to the punch and predict that OGR will refer at least Hillary’s aides, and maybe Hillary herself, to FBI for lying to Congress. They might even have merit in doing so, as Comey has already said her public claims about being permitted to have her own email (which she repeated to the committee) were not true. Plus, there’s further evidence that Hillary used her own server precisely to maintain control over them (that is, to avoid FOIA).

That said, there are two reasons why Hillary and her aides won’t be prosecuted for lying to Congress: James Clapper and Scott Bloch.

Clapper you all know about. The Director of National Intelligence — unlike Clinton — was not under oath when he spectacularly lied to Ron Wyden. Nor was he referred to DOJ for prosecution. But that recent lie will make FBI hesitate.

DOJ will hesitate even more given the history of Scott Bloch. bmaz has written a slew of posts about this but the short version is that the former Office of Special Counsel lied to this very committee and wiped his hard drive to obscure that fact. He ultimately pled guilty, but when the magistrate handling the case pointed out that the plea carried a minimum one month sentence, Bloch and DOJ went nuts and tried to withdraw his plea. bmaz and a bunch of whistleblowers who had been poorly treated by Bloch went nuts in turn. All to no avail. After DOJ claimed there were secret facts that no one understood, the court agreed to sentence Bloch to just one day in jail.

In other words, to keep one of their own out of jail, DOJ made expansive claims about how unimportant lying to Congress is. Even assuming DOJ would ignore their own recent historical claims about the frivolity of lying to Congress, Hillary’s lawyers could use that precedent to argue that lying to Congress has, effectively, been decriminalized (unilaterally by the Executive Branch!).

So FBI will investigate it. Comey might even refer, this time, for prosecution, because the evidence is actually far stronger that Hillary used her own server to avoid oversight (and that she was less than forthcoming about that to Congress). But that, too, won’t be prosecuted because you basically can’t prosecute lying to Congress after the Bloch case.

Which brings me to the funniest part of this exchange with Chaffetz (which, coming as it did in the last minutes of the hearing, has escaped most notice).

Chaffetz: Did you look at the Clinton Foundation?

Comey: I’m not going to comment on the existence or non-existence of any other investigation.

Chaffetz: Was the Clinton Foundation tied into this investigation?

Comey: I’m not going to answer that.

Understand: Comey had already commented on the existence or non-existence of other investigations, commenting at length on the non-investigation of questions pertaining to FOIA and FRA, even describing how many people (four to five) were subjects of this investigation. Comment on non-existence of investigation, comment on non-existence of investigation, comment on non-existence of investigation.

And for what it’s worth, the Clinton Foundation probably couldn’t have been part of the scope of this, given that this was only focused on four to five people (note, a Clinton Foundation investigation would better explain why FBI gave Brian Pagliano immunity, another topic on which Comey would not comment).

But when asked about the Clinton Foundation, he claimed he couldn’t say. All of a sudden, refusal to comment on existence or non-existence of investigation.

Now, I’m just going to say I don’t think anything will come of that, because I doubt FBI would clear Hillary on one issue but not the related one (plus, given SCOTUS’ ruling in the Bob McDonnell case, it probably became impossible to prosecute any Clinton Foundation violations). But Comey’s answer does make it clear that FBI considers questions about improperly handling classified information, avoiding FOIA and other oversight, lying about avoiding FOIA, and deals made with the Clinton Foundation to be different things.

I think that doesn’t change that Hillary won’t be indicted. But I do think she will continue to be investigated in conjunction with questions about what she did and said to avoid FOIA and other oversight.

Update: This post has been tweaked.

Some Legislative Responses to Clinton’s Email Scandal

The Republicans have reverted to their natural “Benghazi witchhunt” form in the wake of Jim Comey’s announcement Tuesday that Hillary Clinton and her aides should not be charged, with Comey scheduled to testify before the House Oversight Committee at 10 AM.

Paul Ryan wrote a letter asking James Clapper to withhold classified briefings from Hillary. And the House Intelligence Committee is even considering a bill to prevent people who have mishandled classified information from getting clearances.

In light of the FBI’s findings, a congressional staffer told The Daily Beast that the House Intelligence Committee is considering legislation that could block security clearances for people who have been found to have mishandled classified information in the past.

It’s not clear how many of Clinton’s aides still have their government security clearances, but such a measure could make it more difficult for them to be renewed, should they come back to serve in a Clinton administration.

“The idea would be to make sure that these rules apply to a very wide range of people in the executive branch,” the staffer said. (Clinton herself would not need a clearance were she to become president.)

It’s nice to see the same Republicans who didn’t make a peep when David Petraeus kept — and still has — his clearance for doing worse than Hillary has finally getting religion on security clearances.

But this circus isn’t really going to make us better governed or safer.

So here are some fixes Congress should consider:

Add some teeth to the Federal/Presidential Records Acts

As I noted on Pacifica, Hillary’s real crime was trying to retain maximal control over her records as Secretary of State — probably best understood as an understandable effort to withhold anything potentially personal combined with a disinterest in full transparency. That effort backfired spectacularly, though, because as a result all of her emails have been released.

Still, every single Administration has had at least a minor email scandal going back to Poppy Bush destroying PROFS notes pertaining to Iran-Contra.

And yet none of those email scandals has ever amounted to anything, and many of them have led to the loss of records that would otherwise be subject to archiving and (for agency employees) FOIA.

So let’s add some teeth to these laws — and lets mandate and fund more rational archiving of covered records. And while we’re at it, let’s ensure that encrypted smart phone apps, like Signal, which diplomats in the field should be using to solve some of the communication problems identified in this Clinton scandal, will actually get archived.

Fix the Espionage Act (and the Computer Fraud and Abuse Act)

Steve Vladeck makes the case for this:

Congress has only amended the Espionage Act in detail on a handful of occasions and not significantly since 1950. All the while, critics have emerged from all corners—the academy, the courts, and within the government—urging Congress to clarify the myriad questions raised by the statute’s vague and overlapping terms, or to simply scrap it and start over. As the CIA’s general counsel told Congress in 1979, the uncertainty surrounding the Espionage Act presented “the worst of both worlds”:

On the one hand the laws stand idle and are not enforced at least in part because their meaning is so obscure, and on the other hand it is likely that the very obscurity of these laws serves to deter perfectly legitimate expression and debate by persons who must be as unsure of their liabilities as I am unsure of their obligations.

In other words, the Espionage Act is at once too broad and not broad enough—and gives the government too much and too little discretion in cases in which individuals mishandle national security secrets, maliciously or otherwise.

To underscore this point, the provision that the government has used to go after those who shared classified information with individuals not entitled to receive it (including Petraeus, Drake, and Manning), codified at 18 U.S.C. § 793(d), makes it a crime if:

Whoever, lawfully having possession of, access to, control over, or being entrusted with any document, writing, code book, signal book, sketch, photograph, photographic negative, blueprint, plan, map, model, instrument, appliance, or note relating to the national defense, or information relating to the national defense which information the possessor has reason to believe could be used to the injury of the United States or to the advantage of any foreign nation, willfully communicates, delivers, transmits or causes to be communicated, delivered, or transmitted … to any person not entitled to receive it, or willfully retains the same and fails to deliver it on demand to the officer or employee of the United States entitled to receive it …

This provision is stunningly broad, and it’s easy to see how, at least as a matter of statutory interpretation, it covers leaking—when government employees (“lawfully having possession” of classified information) share that information with “any person not entitled to receive it.” But note how this doesn’t easily apply to Clinton’s case, as her communications, however unsecured, were generally with staffers who were“entitled to receive” classified information.

Instead, the provision folks have pointed to in her case is the even more strangely worded § 793(f), which makes it a crime for:

Whoever, being entrusted with or having lawful possession or control of [any of the items mentioned in § 793(d)], (1) through gross negligence permits the same to be removed from its proper place of custody or delivered to anyone in violation of his trust, or to be lost, stolen, abstracted, or destroyed, or (2) having knowledge that the same has been illegally removed from its proper place of custody or delivered to anyone in violation of its trust, or lost, or stolen, abstracted, or destroyed … fails to make prompt report of such loss, theft, abstraction, or destruction to his superior officer …

Obviously, it’s easy to equate Clinton’s “extreme carelessness” with the statute’s “gross negligence.” But look closer: Did Clinton’s carelessness, however extreme, “[permit] … [classified information] to be removed from its proper place of custody or delivered to anyone in violation of [her] trust”? What does that even mean in the context of intangible information discussed over email? The short answer is nobody knows: This provision has virtually never been used at least partly because no one is really sure what it prohibits. It certainly appears to be focused on government employees who dispossess the government of classified material (like a courier who leaves a satchel full of secret documents in a public place). But how much further does it go?

There’s an easy answer here, and it’s to not use Clinton as a test case for an unprecedented prosecution pursuant to an underutilized criminal provision, even if some of us think what she did was a greater sin than the conduct of some who have been charged under the statute. The better way forward is for Congress to do something it’s refused to do for more than 60 years: carefully and comprehensively modernize the Espionage Act, and clarify exactly when it is, and is not, a crime to mishandle classified national security secrets.

Sadly, if Congress were to legislate the Espionage Act now, they might codify the attacks on whistleblowers. But they should not. They should distinguish between selling information to our adversaries and making information public. They should also make it clear that intent matters — because in the key circuit, covering the CIA, the Pentagon, and many contractors, intent hasn’t mattered since the John Kiriakou case.

Eliminate the arbitrariness of the clearance system

But part of that should also involve eliminating the arbitrary nature of the classification system.

I’ve often pointed to how, in the Jeffrey Sterling case, the only evidence he would mishandle classified information was his retention of 30-year old instructions on how to dial a rotary phone, something far less dangerous than what Hillary did.

Equally outrageous, though, is that four of the witnesses who may have testified against Sterling, probably including Bob S who was the key witness, have also mishandled classified information in the past. Those people not only didn’t get prosecuted, but they were permitted to serve as witnesses against Sterling without their own indiscretions being submitted as evidence. As far as we know, none lost their security clearance. Similarly, David Petraeus hasn’t lost his security clearance. But Ashkan Soltani was denied one and therefore can’t work at the White House countering cyberattacks.

Look, the classification system is broken, both because information is over-classified and because maintaining the boundaries between classified and unclassified is too unwieldy. That broken system is then magnified as people’s access to high-paying jobs are subjected to arbitrary review of security clearances. That’s only getting worse as the Intelligence Community ratchets up the Insider Threat program (rather than, say, technical means) to forestall another Manning or Snowden.

The IC has made some progress in recent years in shrinking the universe of people who have security clearances, and the IC is even making moves toward fixing classification. But the clearance system needs to be more transparent to those within it and more just.

Limit the President’s arbitrary authority over classification

Finally, Congress should try to put bounds to the currently arbitrary and unlimited authority Presidents claim over classified information.

As a reminder, the Executive Branch routinely cites the Navy v. Egan precedent to claim unlimited authority over the classified system. They did so when someone (it’s still unclear whether it was Bush or Cheney) authorized Scooter Libby to leak classified information — probably including Valerie Plame’s identity — to Judy Miller. And they did so when telling Vaughn Walker could not require the government to give al Haramain’s lawyers clearance to review the illegal wiretap log they had already seen before handing it over to the court.

And these claims affect Congress’ ability to do their job. The White House used CIA as cover to withhold a great deal of documents implicating the Bush White House in authorizing torture. Then, the White House backed CIA’s efforts to hide unclassified information, like the already-published identities of its torture-approving lawyers, with the release of the Torture Report summary. In his very last congressional speech, Carl Levin complained that he was never able to declassify a document on the Iraq War claims that Mohammed Atta met with a top Iraqi intelligence official in Prague.

This issue will resurface when Hillary, who I presume will still win this election, nominates some of the people involved in this scandal to serve in her White House. While she can nominate implicated aides — Jake Sullivan, Huma Abedin, and Cheryl Mills — for White House positions that require no confirmation (which is what Obama did with John Brennan, who was at that point still tainted by his role in torture), as soon as she names Sullivan to be National Security Advisor, as expected, Congress will complain that he should not have clearance.

She can do so — George Bush did the equivalent (remember he appointed John Poindexter, whose prosecution in relation to the Iran-Contra scandal was overturned on a technicality, to run the Total Information Awareness program).

There’s a very good question whether she should be permitted to do so. Even ignoring the question of whether Sullivan would appropriately treat classified information, it sets a horrible example for clearance holders who would lose their clearances.

But as far as things stand, she could. And that’s a problem.

To be fair, legislating on this issue is dicey, precisely because it will set off a constitutional challenge. But it should happen, if only because the Executive’s claims about Navy v. Egan go beyond what SCOTUS actually said.

Mandate and fund improved communication system

Update, after I posted MK reminded me I meant to include this.

If Congress is serious about this, then they will mandate and fund State to fix their decades-long communications problems.

But they won’t do that. Even 4 years after the Benghazi attack they’ve done little to improve security at State facilities.

Update: One thing that came up in today’s Comey hearing is that the FBI does not routinely tape non-custodial interviews (and fudges even with custodial interviews, even though DOJ passed a policy requiring it). That’s one more thing Congress could legislate! They could pass a simple law requiring FBI to start taping interviews.

“Only Facts Matter:” Jim Comey Is Not the Master Bureaucrat of Integrity His PR Sells Him As

Since Jim Comey’s showy press conference yesterday, the press has rehashed Jim Comey’s carefully cultivated image as a Boy Scout, with outlet after outlet replaying the story of how he ran up some hospital steps once.

Sadly, even DOJ beat journalists seem unable to point out that that image has been carefully cultivated over years. Comey is a PR master.

But as I have written on several occasions, the story is more complicated. That’s true, first of all, because the 2004 hospital confrontation, in which Comey and a bunch of other DOJ officials threatened to quit and therefore allegedly shut down some illegal wiretap programs, did not end in March 2004. On the contrary, for the main unlawful program we know about — the Internet dragnet — that confrontation ended in July 2004 when, after some serious arm-twisting, DOJ got FISC presiding judge Colleen Kollar-Kotelly to authorize substantially the same Internet dragnet they refused to authorize themselves.  The arguments they used to pull that off are fairly breath-taking.

The hospital confrontation only served to hide illegal surveillance under a new rock

First, they told Kollar-Kotelly she had to reauthorize the dragnet because terrorists wanted to plan an election year plot; as I note below, that claim was largely based on a fabrication.

Then, they argued that the standard for approval of a bulk Pen Register/Trap and Trace order was the same (arguably lower) as any other PRTT order focused on an individual. Kollar-Kotelly, DOJ argued, had no discretion over whether or how to approve this.

DOJ told Kollar-Kotelly she had no authority to do anything but approve their expansive plan to collect Internet data from telecom switches. “[T]he Court ‘shall’ authorize a pen register … if an application brought before it complies with the requirements of the statute.” Even though, by collecting Internet metadata in bulk, the government would take away FISC’s authority to review whether the targets were agents of a foreign power, DOJ argued she had no authority to determine whether this bulk data — which she deemed an “enormous” amount — was “relevant” to the FBI’s investigations into terrorism.

And that meaning — which the government expanded even further in 2006 to claim the phone records of every single American were “relevant” to the FBI’s standing terrorism investigations — “requires no stretching of the ordinary meaning of the terms of the statute at all,” they claimed, in apparent seriousness.

DOJ further argued that’s the way the FISA court — which Congress created in 1978 to provide real judicial review while permitting the executive to keep its foreign spying secret — is supposed to work. Having FISC rubber-stamp the program they themselves had refused to authorize “promotes both of the twin goals of FISA,” DOJ argued, “facilitating the foreign-intelligence collection needed to protect American lives while at the same time providing judicial oversight to safeguard American freedoms.”

Their claim this involved oversight is especially rich given that DOJ and FISC argued then — and continued to argue at least through 2010 when John Bates would reauthorize and expand this dragnet — that the FISC had no authority to impose minimization procedures for bulk collected data, which has historically been the sole way FISC exercises any oversight. Then, during the period of the very first dragnet order, NSA “discovered” it was violating standards Kollar-Kotelly imposed on the collection (effectively, violating the minimization procedures). But in spite of the fact that she then imposed more requirements, including twice quarterly spot checks on the collection, those violations continued unabated until NSA’s Inspector General finally started, on Reggie Walton’s order, an (aborted) real review of the collection in 2009. At that point, OGC all of a sudden “discovered” that their twice-quarterly spot checks had failed to notice that every single record NSA had collected during that 5 year period had violated FISC standards.

In short, the program was never, ever, in legal compliance. That was the solution Comey achieved to the unlawful program he got shut down.

DOJ’s — Jim Comey’s — efforts to undercut FISC not only led to other really problematic FISC decisions based on this precedent (including, but not limited to, the phone dragnet in 2006 and upstream collection in 2007), but also gave illegal collection the patina of legality solely by making someone else authorize a program she couldn’t oversee.

DOJ deliberately bypassed Congress because they knew it wouldn’t approve the surveillance

Along with radically changing the nature of FISC in the wake of the hospital confrontation, DOJ — Jim Comey — affirmatively bypassed Congress because they didn’t want to tell America it was spying on them in bulk.

DOJ pointed to language showing Congress intended pen registers to apply to the Internet; they pointed to the absence of language prohibiting a pen register from being used to collect data from more than a single user, as if that’s the same as collecting from masses of people and as if that proved congressional intent to wiretap everyone.

And then they dismissed any potential constitutional conflict involved in such broad rereadings of statutes passed by Congress. “In almost all cases of potential constitutional conflict, if a statute is construed to restrict the executive, the executive has the option of seeking additional clarifying legislation from Congress,” the heroes of the hospital confrontation admitted. The White House had, in fact, consulted Majority Leader Tom DeLay about doing just that, but he warned it would be too difficult to get new legislation. So two months later, DOJ argued Congress’ prerogative as an independent branch of government would just have to give way to secrecy. “In this case, by contrast, the Government cannot pursue that route because seeking legislation would inevitably compromise the secrecy of the collection program the Government wishes to undertake.”

This was a pretty big assault on separation of powers, and not one justified by the efficacy of the program or the needs of the collection.

While I won’t go into it here, this is all about the best known part of the Stellar Wind program that was not so much “shut down” as “dumped into someone else’s legal lap.” There’s another aspect of Stellar Wind — one I don’t yet fully understand — that Comey reauthorized on his own, one that has gotten no reporting. I hope to return to this.

Comey’s DOJ lets itself be manhandled into reauthorizing torture and surveillance

There’s an intimately related effort Comey gets some credit for which in fact led to fairly horrible conclusions: torture. Jack Goldsmith, with Comey’s backing, also withdrew the shoddy John Yoo memo authorizing waterboarding and other torture (Goldsmith also prevented Yoo from retroactively authorizing more techniques).

But on July 2, 2004 — two weeks before Goldsmith left — the intelligence community found another detainee it just had to torture, Janat Gul, based on already questioned claims he wanted to plan an election year attack. They had a Principal’s Committee meeting to discuss what to do. After Jim Comey and John Bellinger left the meeting, the PC agreed to engage in torture again (though not waterboarding). Five days later Goldsmith wrote to ensure the IC knew this meant they had to follow the guidelines laid out under the original Yoo memo. By September, after Gul and some associates had been tortured extensively — each time with Dan Levin writing what I’m sure he imagined to be a soundly reviewed approval for the torture — Levin had approved waterboarding again, along with the techniques Goldsmith had prevented Yoo from retroactively and unilaterally authorizing. OLC repeatedly promised a more fulsome memo laying out the approval offered, ostensibly in reaction to an immediate need, in 2004. Jim Comey initiated that process in fall and December 2004. But in the end, the technique memos completed by Steven Bradbury in May 2005 authorized both waterboarding, as well as all the other conditions (primarily techniques use in combination) Comey seems to have tried to have set to make them impossible to use again. Comey resigned right before these memos were finalized, so it’s possible he made another — failed — attempt to prevent the illegal program by threatening to quit; he did, however, stick around for another three months before he moved onto his sinecures at Lockheed and Bridgewater.

Here’s the tragic thing about this unsuccessful effort to impose order on the torture program: it, like the Iraq War itself, was based on a fabricator.

CIA came to Comey and others, said, “this guy wants to attack the presidential elections so we need a dragnet and torture,” to which DOJ said okay.

The CIA in March 2004 received reporting from a source the torture report calls “Asset Y,” who said a known Al-Qaeda associate in Pakistan, Janat Gul — whom CIA at the time believed was a key facilitator — had set up a meeting between Asset Y and Al-Qaeda’s finance chief, and was helping plan attacks inside the United States timed to coincide with the November 2004 elections. According to the report, CIA officers immediately expressed doubts about the veracity of the information they’d been given by Asset Y. A senior CIA officer called the report “vague” and “worthless in terms of actionable intelligence.” He noted that Al Qaeda had already issued a statement “emphasizing a lack of desire to strike before the U.S. election” and suggested that since Al-Qaeda was aware that “threat reporting causes panic in Washington” and inevitably results in leaks, planting a false claim of an election season attack would be a good way for the network to test whether Asset Y was working for its enemies. Another officer, assigned to the group hunting Osama bin Laden, also expressed doubts.

[snip]

Nevertheless, the CIA took seriously Asset Y’s claim that Gul was involved in an election plot and moved quickly to gain custody of him after his arrest by Pakistan in June 2004. Even before CIA rendered Gul to its custody, Tenet started lobbying to get torture techniques reapproved for his interrogation.

On June 29, Tenet wrote National Security Adviser Condoleezza Rice seeking approval to once again use some of the techniques whose use he suspended less than four weeks earlier, in the hope of gathering information on the election season plot. “Given the magnitude of the danger posed by the pre-election plot and Gul’s almost certain knowledge of any intelligence about that plot” Tenet wrote, relying on Asset Y’s claims, “I request the fastest possible resolution of the above issues.”

[snip]

Soon after the reauthorization of the torture and the Internet dragnet, the CIA realized ASSET Y’s story wasn’t true. By September, an officer involved in Janat Gul’s interrogation observed, “we lack credible information that ties him to pre-election threat information or direct operational planning against the United States, at home or abroad.” In October, CIA reassessed ASSET Y, and found him to be deceptive. When pressured, ASSET Y admitted had had made up the story of a meeting set up by Gul. ASSET Y blamed his CIA handler for pressuring him for intelligence, leading him to lie about the meeting.

By 2005, CIA had concluded that ASSET Y was a fabricator, and Janat Gul was a “rather poorly educated village man [who is] quite lazy [who] was looking to make some easy money for little work and he was easily persuaded to move people and run errands for folks on our target list” (though the Agency wasn’t always forthright about the judgment to DOJ).

During Comey’s entire effort — to put order to the dragnet, to put order to the torture — he was in fact being led by the nose by the CIA, once again using the report of a fabricator to authorize actions the US had no business engaging in.

If that were all, I’d consider this a tragic story: poor Jim Comey trying to ensure the US does good, only to be undermined by the dishonest folks at the CIA, using asymmetric information again to ensure their ass gets covered legally.

Jim Comey refuses to review what he did in 2004 and 2005

But here’s the part that, in my opinion, makes being snookered by the CIA unforgivable. Thus far, Comey has refused to read the full Torture Report to learn how badly he got snookered, even though he promised Dianne Feinstein to do so in his confirmation process.

I am specifically intrigued by Comey’s apparent lack of curiosity about the full report because of his actions in 2005.

As these posts lay out (one, two), Comey was involved in the drafting of 2 new OLC memos in May 2005 (though he may have been ignorant about the third). The lies CIA told OLC in 2004 and then told OLC again in 2005 covering the same torture were among the worst, according to Mark Udall. Comey even tried to hold up the memo long enough to do fact gathering that would allow them to tie the Combined memo more closely to the detainee whose treatment the memo was apparently supposed to retroactively reauthorize. But Alberto Gonzales’ Chief of Staff Ted Ullyot told him that would not be possible.

Pat [Philbin] explained to me (as he had to [Steven Bradbury and Ted Ullyot]) that we couldn’t make the change I thought necessary by Friday [April 29]. I told him to go back to them and reiterate that fact and the fact that I would oppose any opinion that was not significantly reshaped (which would involve fact gathering that we could not complete by Friday).

[snip]

[Ullyot] mentioned at one point that OLC didn’t feel like it would accede to my request to make the opinion focused on one person because they don’t give retrospective advice. I said I understood that, but that the treatment of that person had been the subject of oral advice, which OLC would simply be confirming in writing, something they do quite often.

At the end, he said that he just wanted me to know that it appeared the second opinion would go [Friday] and that he wanted to make sure I knew that and wanted to confirm that I felt I had been heard.

Presuming that memo really was meant to codify the oral authorization DOJ had given CIA (which might pertain to Hassan Ghul or another detainee tortured in 2004), then further details of the detainee’s torture would be available in the full report. Wouldn’t Comey be interested in those details now?

But then, so would details of Janat Gul’s torture, whose torture was retroactively authorized in an OLC memo Comey himself bought off on. Maybe Comey has good reason not to want to know what else is in the report.

Sure, he may be doing so to prevent Jason Leopold from liberating the report via FOIA. But in doing so, he is also refusing to examine his own actions, his own willingness to reauthorize the dragnet and torture he had just shut down in the service of a lie. He is refusing to consider whether the deals he made with the devil in 2004 were unsound.

Even here, I might just consider this a tragic story, of a morally just man bested by bureaucratic forces both more sinister and dishonest than Comey.

Except for Comey’s Manichean view of the world.

His world is separated into the Good Guys who should have access to encryption and the Bad Guys who should not, the loyal people like Hillary who can be “extremely careless in their handling of very sensitive, highly classified information” with no legal consequences and the disloyal people like Thomas Drake who get prosecuted for doing the very same things.

That’s not the world where self-proclaimed Boy Scout Jim Comey assents to the reauthorization of torture and dragnets based on a fabrication with no repercussions or even soul-searching.

I mean, I get it. There is no place for Boy Scouts in the top ranks of our national security state. I get that you’re going to lose bureaucratic fights to really immoral causes and manipulative spooks. I get you’re sometimes going to get the so-called trade-off between liberty and security wrong, especially when you get lied to.

But given that reality, there is no place for pretend Boy Scouts. There is no place to pretend your world is as easy as running up some hospital steps, victory!, we’ve vanquished presidential abuses so let’s go dismantle separation of powers! That’s just naive, but in the service of the FBI Director, it legitimizes a really unjust — morally-rather-than-legally-based — method of policing.

Comey seems to believe his self-created myth at this point, and that’s a very dangerous spot for a guy deigning to be the investigator and prosecutor of who is loyal and who disloyal.

Update: Matthew Miller wrote up his criticism of Comey’s abuse of power here.

Update: Here’s an interview I did for Pacifica on the email question generally.

FBI Still Not Counting How Often Encryption Hinders Their Investigations

The annual wiretap report is out. The headline number is that wiretaps have gone up, and judges still don’t deny any wiretap applications.

The number of federal and state wiretaps reported in 2015 increased 17 percent from 2014.   A total of 4,148 wiretaps were reported as authorized in 2015, with 1,403 authorized by federal judges and 2,745 authorized by state judges.  Compared to the applications approved during 2014, the number approved by federal judges increased 10 percent in 2015, and the number approved by state judges increased 21 percent.  No wiretap applications were reported as denied in 2015.

The press has focused more attention on the still very small number of times encryption thwarts a wiretap.

The number of state wiretaps in which encryption was encountered decreased from 22 in 2014 to 7 in 2015.  In all of these wiretaps, officials were unable to decipher the plain text of the messages.  Six federal wiretaps were reported as being encrypted in 2015, of which four could not be decrypted.  Encryption was also reported for one federal wiretap that was conducted during a previous year, but reported to the AO for the first time in 2015.  Officials were not able to decipher the plain text of the communications in that intercept.

Discussing the number — which doesn’t include data at rest — on Twitter got me to look at something that is perhaps more interesting.

Back in July 2015, 7 months into the period reported on today, Deputy Attorney General Sally Yates and FBI Director Jim Comey testified in a “Going Dark” hearing. Over the course of the hearing, they admitted that they simply don’t have the numbers to show how big a problem encryption is for their investigations, and they appeared to promise to start counting that number.

Around January 26, 2016 (that’s the date shown for document creation in the PDF) — significantly, right as FBI was prepping to go after Syed Rizwan Farook’s phone, but before it had done so — Comey and Yates finally answered the Questions for the Record submitted after the hearing. After claiming, in a response to a Grassley question on smart phones, “the data on the majority of the devices seized in the United States may no longer be accessible to law enforcement even with a court order or search warrant,” Comey then explained that they do not have the kind of statistical information Cy Vance claims to keep on phones they can’t access, explaining (over five months after promising to track such things),

As with the “data-in-motion” problem, the FBI is working on improving enterprise-wide quantitative data collection to better explain the “data-at-rest” problem.”

[snip]

As noted above, the FBI is currently working on improving enterprise-wide quantitative data collection to better understand and explain the “data at rest” problem. This process includes adopting new business processes to help track when devices are encountered that cannot be decrypted, and when we believe leads have been lost or investigations impeded because of our inability to obtain data.

[snip]

We agree that the FBI must institute better methods to measure these challenges when they occur.

[snip]

The FBI is working to identify new mechanisms to better capture and convey the challenges encountered with lawful access to both data-in-motion and data-at =-rest.

Grassley specifically asked Yates about the Wiretap report. She admitted that DOJ was still not collecting the information it promised to back in July.

The Wiretap Report only reflects the number of criminal applications that are sought, and not the many instances in which an investigator is dissuaded from pursuing a court order by the knowledge that the information obtained will be encrypted and unreadable. That is, the Wiretap Report does not include statistics on cases in which the investigator does not pursue an interception order because the provider has asserted that an intercept solution does not exist. Obtaining a wiretap order in criminal investigations is extremely resource-intensive as it requires a huge investment in agent and attorney time, and the review process is extensive. It is not prudent for agents and prosecutors to devote resources to this task if they know in advance the targeted communications cannot be intercepted. The Wiretap Report, which applies solely to approved wiretaps, records only those extremely rare instances where agents and prosecutors obtain a wiretap order and are surprised when encryption prevents the court-ordered interception. It is also important to note that the Wiretap Report does not include data for wiretaps authorized as part of national security investigations.

These two answers lay out why the numbers in the Wiretap Report are of limited value in assessing how big a problem encryption is.

But they also lay out how negligent DOJ has been in responding to the clear request from SJC back in July 2015.

Discrepancies between Past Versions of Mateen’s Calls and the “Transcript”

As promised, DOJ has censored the transcript of Omar Mateen’s calls with authorities the night of his attack. There is a discrepancy between Jim Comey’s earlier version of the calls and what appears in today’s “transcript.” Here’s what Comey said a week ago.

It is also not entirely clear at this point just what terrorist group he aspired to support; although, he made clear his affinity, at the time of the attack, for ISIL, and generally, leading up to the attack, for radical Islamist groups. He made 911 calls from the club, during the attack, at about 2:30 in the morning, Sunday morning. There were three different calls. He called and he hung up. He called again and spoke briefly with the dispatcher, and then he hung up, and then the dispatcher called him back again and they spoke briefly. There were three total calls.

During the calls he said he was doing this for the leader of ISIL, who he named and pledged loyalty to, but he also appeared to claim solidarity with the perpetrators of the Boston Marathon bombing, and solidarity with a Florida man who died as a suicide bomber in Syria for al Nusra Front, a group in conflict with Islamic State. The bombers at the Boston Marathon and the suicide bomber from Florida were not inspired by ISIL, which adds a little bit to the confusion about his motives.

And here’s what FBI says the censored “transcript” says.

The following is based on Orlando Police Department (OPD) radio communication (times are approximate):

  • 2:02 a.m.: OPD call transmitted multiple shots fired at Pulse nightclub.
  • 2:04 a.m.: Additional OPD officers arrived on scene.
  • 2:08 a.m.: Officers from various law enforcement agencies made entrance to Pulse and engaged the shooter.
  • 2:18 a.m.: OPD S.W.A.T. (Special Weapons & Tactics) initiated a full call-out.
  • 2:35 a.m.: Shooter contacted a 911 operator from inside Pulse. The call lasted approximately 50 seconds, the details of which are set out below:

Orlando Police Dispatcher (OD)
Shooter (OM)

OD: Emergency 911, this is being recorded.
OM: In the name of God the Merciful, the beneficial [in Arabic]
OD: What?
OM: Praise be to God, and prayers as well as peace be upon the prophet of God [in Arabic]. I let you know, I’m in Orlando and I did the shootings.
OD: What’s your name?
OM: My name is I pledge of allegiance to [omitted].
OD: Ok, What’s your name?
OM: I pledge allegiance to [omitted] may God protect him [in Arabic], on behalf of [omitted].
OD: Alright, where are you at?
OM: In Orlando.
OD: Where in Orlando?
[End of call.]

(Shortly thereafter, the shooter engaged in three conversations with OPD’s Crisis Negotiation Team.)

  • 2:48 a.m.: First crisis negotiation call occurred lasting approximately nine minutes.
  • 3:03 a.m.: Second crisis negotiation call occurred lasting approximately 16 minutes.
  • 3:24 a.m.: Third crisis negotiation call occurred lasting approximately three minutes.

In these calls, the shooter, who identified himself as an Islamic soldier, told the crisis negotiator that he was the person who pledged his allegiance to [omitted], and told the negotiator to tell America to stop bombing Syria and Iraq and that is why he was “out here right now.” When the crisis negotiator asked the shooter what he had done, the shooter stated, “No, you already know what I did.” The shooter continued, stating, “There is some vehicle outside that has some bombs, just to let you know. You people are gonna get it, and I’m gonna ignite it if they try to do anything stupid.” Later in the call with the crisis negotiator, the shooter stated that he had a vest, and further described it as the kind they “used in France.” The shooter later stated, “In the next few days, you’re going to see more of this type of action going on.” The shooter hung up and multiple attempts to get in touch with him were unsuccessful.

In Comey’s original version, there were just 3 calls, and only with the dispatcher, two of which included actual conversation. Now, there are 4 total calls, only one with the dispatcher (and no mention of the hang-up). I’d say the difference stemmed from confusion and a conflation, last week,  of all calls with authorities, but there seems to be a counting discrepancy I’d like resolved.

Predictably, the FBI censored details that should have led them to raise questions about Mateen’s invocation of ISIS. It made no mention of what Comey did: that Mateen also invoked al-Nusra and the Tsarnaev brothers (presumably in the calls to the crisis negotiation team), which doesn’t make sense. So rather than elucidating, this “transcript” actually covers over one of the problems with FBI’s reaction.

As noted, there’s also a (more explicable) discrepancy between this “transcript” and what survivor Patience Carter has said (7:16 and following). She said that Mateen said he wanted the US to stop bombing “his country,” which reports on this have interpreted to mean Afghanistan. Given the unbelievable amount of stress she must have been under, I would expect discrepancies in any case. But since she doesn’t specify precisely what he said that she interpreted to mean, “his country,” I don’t think this is a significant discrepancy.

Update: FBI and DOJ have now released the name Abu Bakr al-Baghdadi (calling it the “complete” transcript), but not the other things that would make them look bad.

DOJ Thinks Releasing Omar Mateen’s ISIS Allegiance Claims It Released Last Week Will Revictimize the Victims

Yesterday, NPR reported that people investigating the Orlando mass shootings increasingly believe his attack may have had nothing to do with ISIS.

In fact, intelligence officials and investigators say they’re “becoming increasingly convinced that the motive for this attack had very little — or maybe nothing — to do with ISIS.”

Speaking on Weekend Edition Saturday, Dina says that al-Qaida and ISIS-inspired attacks tend to follow a different pattern. She explains:

“We know that during the attack the gunman posted messages on Facebook saying he was doing this on behalf of ISIS. But officials have yet to find any of the precursors usually associated with radicalization. They’ve interviewed dozens of people who either knew him or had contact with Mateen.

“And they say that they’ve yet to find any indication that he became noticeably more religious, which is one of the indicators of radicalization. He still was going to the same mosque. The way he dressed didn’t change. His relationship with his family didn’t change in any way. And these are all typically warning signs that parents and friends and educators are told to look for if they’re worried that someone they’re close to is radicalizing.”

She adds “this isn’t science,” but so far the signs of radicalization aren’t there, which has led investigators to wonder whether the 29-year-old invoked the name of ISIS to garner more publicity for his deadly attack.

I’ve been suggesting not only that Mateen was likely motivated for other reasons — but that FBI likely missed those cues because they were evaluating him for one and only one kind of threat, an Islamic terrorist rather than an angry violent man threat.

[I]t seems that when a Muslim guy invents a terrorist tie explicitly saying he wants the FBI to come after him in response so he can martyr himself protecting a particular image of his life — “He said he hoped that law enforcement would raid his apartment and assault his wife and child so that he could martyr himself” — the Bureau might think a little more critically about what is going on.

Instead, it appears, the FBI assessed Mateen for one and only one thing: whether his bogus claims of ties to terrorist organizations were real. There have been a slew of articles, such as this one or this one, wondering why the FBI didn’t “identify” Mateen as a “real” terrorist in its two investigations of him. But it appears the FBI was assessing only whether he was likely to commit violence because of–and with the support of–an Islamic terrorist group. It appears they weren’t assessing whether he was, like the overwhelming majority of men who commit mass shootings in this country, really screwed up, expressing it in violent ways, and seeking attention with such actions.

It is true that Islamic extremists want to attack this country. It is also true that far, far more Americans die when men carry out mass killings because they’re fucked up and begging for attention. If you’re Muslim, the easiest way to get attention right now is to say that word, “ISIS,” because it’s a guarantee law enforcement and politicians will give that killing more due then they might give the next disturbed mass shooter.

Of course, the apparent fact that investigators have now come to agree with me means that those who started screaming ISIS right away — and, importantly, leaking and officially revealing news that Mateen claimed affiliation with ISIS (and other conflicting terrorist groups) on his 911 call — means the people who rushed out the ISIS explanation in fact did ISIS’ propaganda work for them, giving them credit for a mass killing that was really your garden variety mass killing conducted by an angry man.

Which is why this is so batshit. After blowing off Florida’s open record laws for a week, DOJ will finally release his 911 transcripts. But, according to Loretta Lynch, they’re going to edit out the references to ISIS so as to avoid “revictimizing” the victims.

A week after the worst mass shooting in U.S. history, Attorney General Loretta Lynch said a portion of Orlando shooter Omar Mateen‘s calls with hostage negotiators will be released Monday.

“We’ll be releasing a partial transcript of the calls between the killer and the hostage negotiators so people can, in fact, see the type of interaction that was had there,” Lynch told ABC News’ Jonathan Karl on “This Week” Sunday.

The Attorney General says she’ll travel to Orlando on Tuesday to get an on-the-ground perspective on the investigation.

“I say partial because we’re not going to be, for example, broadcasting his pledges of allegiance. We are trying not to re-victimize those who went through that horror,” she added. “We’re trying to get as much information about this investigation out as possible, and we want people to provide information that they have to us.”

If releasing these claims of affiliation would “revictimize” the victims, then releasing them in the first place served to victimize them. So the much better approach would be to release the full transcripts and admit the Department fucked up, both in its assessment of a potential mass killer, and in rushing to blame ISIS in the first place. Not to mention that this will just feed conspiracy theories.

If DOJ fucked up — and the claim this could revictimize people is tacit admission it seriously fucked up — then admit that and make it right. Pay the political consequences of admitting that our obsessive focus on terrorism has distracted us from the more general, and therefore more lethal, problem with mass killings. Don’t try to pretend there’s a good reason for suppressing the very same claims you made a big deal of a week ago.

If DOJ now believes the claims served to do nothing more than give Mateen’s rampage more attention — and it was a key part of generating that attention — then it needs to come clean.

Update: One more point on this. Releasing the full transcript would reveal how non-credible the ISIS claim was, appearing as it did with a claim of affiliation with al-Nusra, which would make it even clearer that FBI shouldn’t have started telling everyone about the ISIS claim.

Update: Here’s the transcript from Meet the Press.

LORETTA LYNCH:

Yes, I’ll be going to Orlando on Tuesday to continue my briefings in the case. Actually though what we are announcing tomorrow is that the F.B.I. is releasing a partial transcript of the killer’s calls with law enforcement from inside the club. These are the calls with the Orlando P.D. negotiating team who were trying to ascertain who he was, where he was, and why he was doing this, all the while the rescue operations were continuing. That’ll be coming out tomorrow and I’ll be headed to Orlando on Tuesday.

CHUCK TODD:

Including the hostage negotiation part of this?

LORETTA LYNCH:

Yes. It will be primarily a partial transcript of his calls with the hostage negotiators.

CHUCK TODD:

You say partial. What’s being left out?

LORETTA LYNCH:

Well, what we’re not going to do is further proclaim this individual’s pledges of allegiance to terrorist groups and further his propaganda.

CHUCK TODD:

So we’re not going to hear him talk about those things?

LORETTA LYNCH:

We will hear him talk about some of those things, but we’re not going to hear him make his ascertains of allegiance and that. This will not be audio. This will be a printed transcript. But it will begin to capture the back and forth between him and the negotiators. We’re trying to get as much information about this investigation out as possible. As you know, because the killer is dead, we have a bit more leeway there. And so we will be producing that information tomorrow.

 

Why Did FBI’s Multiple Informants Fail to Catch Omar Mateen in a Sting?

One detail of the FBI’s 2013 investigation into Omar Mateen that seems to be getting inadequate attention is that they used multiple informants with him, per Jim Comey’s press conference on Monday:

Our investigation involved introducing confidential sources to him, recording conversations with him, following him, reviewing transactional records from his communications, and searching all government holdings for any possible connections, any possible derogatory information. We then interviewed him twice. [my emphasis]

Normally, when the FBI identifies a Muslim mouthing off about joining ISIS, they throw one or more informants at him, develop his trust, then have him press a button or buy a plane ticket to Syria, which they use to arrest the guy.

That didn’t happen here. While they did record the conversations between these informants and Mateen, they never got him to do something they could arrest him for.

And I suspect we won’t get answers why they didn’t, though it seems an absolutely critical question for assessing how the FBI investigates terrorism. If FBI’s chosen method of using informants only works with the dopes and not the real threats, all it does is juice the FBI’s prosecution numbers, without keeping us safe. Alternately, it’s possible FBI assumes certain things about a potential “Islamic” threat, which turned out to be wrong in this case.

I can think of several possible reasons why FBI’s informants might not have worked the way they normally do (these are speculative):

  • Mateen was just not serious about terrorism in 2013, but something since then (perhaps the decline in his marriage, perhaps the US launching yet another war against Muslims in the Middle East) led him to embrace it in 2016
  • Mateen, who went to cop school, recognized the informants for what they were
  • The prominent reporting on FBI’s investigations into Ibragim Todashev and their infiltration of his circle of friends (the FBI’s investigation would have lasted from July 2013 until May 2014) made Mateen vigilant enough to resist the informants’ appeals
  • The informants tried to entice Mateen via Islamic ideology and not homophobic self-hatred (that is, they used the wrong trigger)
  • The process of being investigated — and interviewed 3 times — actually further pissed off Mateen, leading him closer to violence

Again, these are all speculative. We can’t know without more detail why the FBI’s typical use of informants failed this time.

But we deserve answers to the question, because if the Muslim community is going to be riddled with informants, they had better be serving some purpose other than selective surveillance of a minority group.

John Cornyn Wants to Pass Law Letting FBI Collect Information on Omar Mateen It Already Collected

The bodies from Sunday’s Orlando massacre are not yet buried, but that hasn’t stopped John Cornyn from trying to use their deaths to expand surveillance that would not have stopped the attack.

Cornyn told reporters yesterday he will use the attack to push to include Electronic Communications Transaction Records in the things FBI can obtain with a National Security Letter.

Senator John Cornyn of Texas, the No. 2 Senate Republican, pointed to a longstanding request by the FBI to expand the scope of electronic records — such as web browsing history — agents could sweep up from companies in terrorism investigations without obtaining a court order.

“They could go and get additional information, like metadata, who he’s e-mailing, the websites he’s accessing. Not content,” Cornyn told reporters Monday.

[snip]

Legislation dealing with the FBI’s surveillance powers — something that has been requested by FBI Director James Comey — could come to the Senate floor as soon as this week as part of a debate on the spending bill that funds law enforcement.

“This was the No. 1 legislative priority of the FBI according to James Comey, and those sort of additional surveillance tools could have provided the FBI more information, which would have allowed them to identify this guy as the threat that he obviously was,” Cornyn said.

In his push for new authorities, Cornyn actually claimed that if the FBI had obtained Omar Mateen’s ECTRs, it “could have provided the FBI more information” which would have “allowed” the FBI to “identify this guy as the threat that he obviously was.”

But even the article quotes (but does not unpack) Jim Comey explaining why Cornyn’s claim that ECTRs would have helped the FBI identify Mateen as a threat is complete bullshit: because FBI obtained his ECTRs.

Our investigation involved introducing confidential sources to him, recording conversations with him, following him, reviewing transactional records from his communications, and searching all government holdings for any possible connections, any possible derogatory information. We then interviewed him twice.

John Cornyn wants to give FBI the authority to obtain what they obtained (presumably via a subpoena), promising that obtaining the same records via a parallel authority somehow would have tipped the FBI that he was a threat when the very same ECTRs didn’t do so obtained via subpoena.

The claim is so stupid I can only assume former judge, TX Attorney General, and longtime Senate Judiciary Committee member has no fucking clue what he’s talking about.

And based on that position of authority, Cornyn wants us to believe we need to pass this law?

Notorious “FOIA Terrorist” Jason Leopold “Saves” FBI Over $300,000

Last week, Jim Comey suggested the FBI paid more for the vulnerability that helped it break into Syen Rizwan Farook’s phone than he will be paid for the 7 years he’ll remain at FBI. The WSJ then did this math.

Speaking at the Aspen Security Forum in London, FBI Director James Comey didn’t cite a precise figure for how much the government paid for the solution to cracking the phone but said it was more than his salary for the seven-plus years remaining in his term at the FBI.

His annual salary is about $180,000 a year, so that comes to $1.26 million or more.

“[We] paid a lot’’ for the hacking tool, Mr. Comey said. “But it was worth it.’’

Over 600 outlets covered that story, claiming — without further confirmation — that FBI paid over $1 million for the hack, with many accounts settling on $1.3 million.

I noted at the time that 1) Jim Comey has a history of telling untruths when convenient and 2) he had an incentive to exaggerate the cost of this exploit, because it would pressure Congress to pass a bill, like the horrible Burr-Feinstein bill, that would force Apple and other providers to help law enforcement crack phones less expensively. I envisioned this kind of exchange at a Congressional hearing:

Credulous Congressperson: Wow. $1M. That’s a lot.

Comey: Yes, you’ll need to triple our budget or help me find a cheaper way.

Lonely sane Congressperson: But, uh, if we kill security won’t that be more expensive?

Comey: Let me tell you abt time I ran up some steps.

I then mused that, because Comey had officially acknowledged paying that kind of figure, it would make it a lot easier to FOIA the exact amount. By the time I tweeted that thought, of course, Jason Leopold had already submitted a FOIA for the amount.

Sure enough, the outcome I figured has already happened: without offering an explanation for the discrepancy, Mark Hosenball reported today that the figure was actually under $1 million, and FBI will be able to use it on other phones.

The FBI paid under $1 million for the technique used to unlock the iPhone used by one of the San Bernardino shooters – a figure smaller than the $1.3 million the agency’s chief initially indicated the hack cost, several U.S. government sources said on Thursday.

The Federal Bureau of Investigation will be able to use the technique to unlock other iPhone 5C models running iOS 9 – the specifications of the shooter’s phone – without additional payment to the contractor who provided it, these people added.

Just one FOIA submission later (and, probably, the calls of a bunch of outraged members of Congress wondering why FBI paid $1.3 million for a hack they claimed, in explaining why they would not submit the hack to the Vulnerabilities Equity Process that might require them to share it with Apple nine months after Apple patched it, they didn’t understand at all), and all of a sudden this hack is at least $300,000 less expensive (and I’m betting a lot more than that).

You see how effective a little aggressive FOIAing is at reining in waste, fraud, and abuse?

A pity it can’t reverse the impact of all those credulous reports repeating Comey’s claim.

FBI Has Been Not Counting Encryption’s Impact on Investigations for Over a Decade

During the first of a series of hearings in the last year in which Jim Comey (at this particular hearing, backed by Deputy Attorney General Sally Yates) pushed for back doors, they were forced to admit they didn’t actually have numbers proving encryption was a big problem for their investigations because they simply weren’t tracking that number.

On the issue on which Comey — and his co-witness at the SJC hearing, Deputy Attorney General Sally Yates — should have been experts, they were not. Over an hour and a quarter into the SJC hearing, Al Franken asked for actual data demonstrating how big of a problem encryption really is. Yates replied that the government doesn’t track this data because once an agency discovers they’re targeting a device with unbreakable encryption, they use other means of targeting. (Which seems to suggest the agencies have other means to pursue the targets, but Yates didn’t acknowledge that.) So the agencies simply don’t count how many times they run into encryption problems. “I don’t have good enough numbers yet,” Comey admitted when asked again at the later hearing about why FBI can’t demonstrate this need with real data.

In point of fact, a recent wiretap report shows that in the criminal context, at least, federal agencies do count such incidences, sometimes. But they don’t report the numbers in a timely fashion (5 of the 8 encrypted federal wiretaps reported in 2014 were from earlier years that were only then being reported), and agencies were eventually able to break most of the encrypted lines (also 5 of 8). Moreover, those 8 encrypted lines represented only 0.6 percent of all their wiretaps (8 of 1279). Reporting for encrypted state wiretaps were similarly tiny. Those numbers don’t reflect FISA wiretaps. But there, FBI often partners with NSA, which has even greater ability to crack encryption.

In any case, rather than documenting the instances where encryption thwarted the FBI, Comey instead asks us to just trust him.

Which is important background to an ancillary detail in this NYT story on how FBI tried a work-around for PGP in 2003 — its first attempt to do so — to go after some animal rights activists (AKA “eco-terrorists).

In early 2003, F.B.I. agents hit a roadblock in a secret investigation, called Operation Trail Mix. For months, agents had been intercepting phone calls and emails belonging to members of an animal welfare group that was believed to be sabotaging operations of a company that was using animals to test drugs. But encryption software had made the emails unreadable.

So investigators tried something new. They persuaded a judge to let them remotely, and secretly, install software on the group’s computers to help get around the encryption.

[snip]

“This was the first time that the Department of Justice had ever approved such an intercept of this type,” an F.B.I. agent wrote in a 2005 document summing up the case.

DOJ didn’t include this encounter with encryption in the wiretap reports that mandate such reporting.

It is also unclear why the Justice Department, which is required to report every time it comes across encryption in a criminal wiretap case, did not do so in 2002 or 2003. The Justice Department and F.B.I. did not comment Wednesday.

It didn’t count that encounter with crypto even though FBI was discussing — as Bob Litt would 13 years later — exploiting fears of “terrorism” to get Congress to pass a law requiring back doors.

“The current terrorism prevention context may present the best opportunity to bring up the encryption issue,” an F.B.I. official said in a December 2002 email. A month later, a draft bill, called Patriot Act 2, revealed that the Justice Department was considering outlawing the use of encryption to conceal criminal activity. The bill did not pass.

Now, it may be that, as remained the case until last year, FBI simply doesn’t record that they encountered encryption and instead tries to get the information some other way. But by all appearances, encryption was tied to that wiretap.

Which suggests another option: that FBI isn’t tracking how often it encounters encryption because it doesn’t want to disclose that it is actually finding a way around it.

That’d be consistent with what they’ve permitted providers to report in their transparency reports. Right now, providers are not permitted to report on new collection (say, collection reflecting the compromise of Skype) for two years after it starts. The logic is that the government is effectively giving itself a two year window of exclusive exploitation before it will permit reporting that might lead people to figure out something new has been subjected to PRISM or other collection.

Why would we expect FBI to treat its own transparency any differently?

Update: This post has been updated to include more of the NYT article and a discussion of how encryption transparency may match provider transparency.

1 2 3 13