Posts

Hillary’s Bold Plan to Financially Penalize Recidivist Super-Predators

/7 Comments/in , /by

The other day Hillary promised she would appoint Attorneys General like Eric Holder and Loretta Lynch. “I will appoint an Attorney General who will continue the courageous work of Eric Holder and Loretta Lynch.” Given that the comments came at an Al Sharpton event, I assumed the comment meant to invoke Holder and Lynch’s efforts to reform criminal justice and, presumably, their even more laudable support for civil rights.

Nevertheless, it was a disturbing comment, given that Holder and Lynch have also both coddled the bankers who crashed our economy. Indeed, when Hillary tries to defend her huge donations from bankers, she always points to Obama’s even huger ones, and insists that there’s no evidence he was influenced by them. But the Obama DOJ record on bank crime is itself the counter to Hillary’s claim those donations didn’t influence the President.

But then, last night, Hillary said something even more outrageous, which I take to be a solid promise to her funders they’ll continue to get special treatment before the law. Amid a comment shifting from Too Big to Fail into the serial settlements the banks have signed for their crimes, Hillary took the bold step of calling for financial penalties for the people directing that crime.

CLINTON: Dana, let me add here that there are two ways to at this under Dodd-Frank, which is after all the law we passed under President Obama, and I’m proud that Barney Frank, one of the authors, has endorsed me because what I have said continuously is, yes, sometimes the government may have to order certain actions. Sometime the government can permit the institution themselves to take those actions. That has to be the judgement of the regulators.

But, there’s another element to this. I believe strongly that executives of any of these organizations should be financially penalized if there is a settlement.

(APPLAUSE)

CLINTON: They should have to pay up through compensation or bonuses because we have to go after not just the big giant institution, we have got to go after the people who are making the decisions in the institutions.

Granted, under Holder and Lynch, those courageous Attorneys General Hillary would model her own pick on, the banksters haven’t even been asked to do this much.

But the fact that Hillary thought a great punishment for those harming the country with their serial crime wave is to fine them is a testament that she doesn’t even see the underlying crimes.

This is behavior that has continued over years, often after previous settlements. If anyone can be called a super-predator, it’s the bankers who toy with millions of people’s livelihoods and savings to make a buck. If there were a Three Strikes law for bankers most of these guys would be looking at life imprisonment.

And yet Hillary’s bold plan is not to incarcerate them, but instead to take a little bit of their money.

On the Coming Showdown over Promiscuous Sharing of EO 12333 Data

/2 Comments/in , /by

A number of outlets are reporting that Ted Lieu and Blake Farenthold have written a letter to NSA Director Mike Rogers urging him not to implement the new data sharing effort reported by Charlie Savage back in February. While I’m happy they wrote the letter, they use a dubious strategy in it: they suggest their authority to intervene comes from Congress having “granted” NSA authority to conduct warrantless collection of data.

Congress granted the NSA extraordinary authority to conduct warrantless collection of communications and other data.2

2 See Foreign Intelligence Surveillance Act and the Patriot Act.

As an initial matter, they’ve sent this letter to a guy who’s not in the chain of approval for the change. Defense Secretary Ash Carter and Attorney General Loretta Lynch will have to sign off on the procedures developed by Director of National Intelligence James Clapper; they might consult with Rogers (if he isn’t the one driving the change), but he’s out of the loop in terms of implementing the decision.

Furthermore, the Congressionally granted authority to conduct warrantless surveillance under FISA has nothing to do with the authority under which NSA collects this data, EO 12333. In his story, Savage makes clear that the change relies on the [what he called “little-noticed,” which is how he often describes stuff reported here years earlier] changes Bush implemented in the wake of passage of FISA Amendments Act. As I noted in 2014,

Perhaps the most striking of those is that, even while the White House claimed “there were very, very few changes to Part 2 of the order” — the part that provides protections for US persons and imposes prohibitions on activities like assassinations — the EO actually replaced what had been a prohibition on the dissemination of SIGINT pertaining to US persons with permission to disseminate it with Attorney General approval.

The last paragraph of 2.3 — which describes what data on US persons may be collected — reads in the original,

In addition, agencies within the Intelligence Community may disseminate information, other than information derived from signals intelligence, to each appropriate agency within the Intelligence Community for purposes of allowing the recipient agency to determine whether the information is relevant to its responsibilities and can be retained by it.

The 2008 version requires AG and DNI approval for such dissemination, but it affirmatively permits it.

In addition, elements of the Intelligence Community may disseminate information to each appropriate element within the Intelligence Community for purposes of allowing the recipient element to determine whether the information is relevant to its responsibilities and can be retained by it, except that information derived from signals intelligence may only be disseminated or made available to Intelligence Community elements in accordance with procedures established by the Director in coordination with the Secretary of Defense and approved by the Attorney General.

Given that the DNI and AG certified the minimization procedures used with FAA, their approval for any dissemination under that program would be built in here; they have already approved it! The same is true of the SPCMA — the EO 12333 US person metadata analysis that had been approved by both Attorney General Mukasey and Defense Secretary Robert Gates earlier that year. Also included in FISA-specific dissemination, the FBI had either just been granted, or would be in the following months, permission — in minimization procedures approved by both the DNI and AG — to conduct back door searches on incidentally collected US person data.

In other words, at precisely the time when at least 3 different programs expanded the DNI and AG approved SIGINT collection and analysis of US person data, EO 12333 newly permitted the dissemination of that information.

What Bush did just as he finished moving most of Stellar Wind over to FISA authorities, was to make it permissible to share EO 12333 data with other intelligence agencies under the same kind of DNI/AG/DOD approval process already in place for surveillance. They’ve already been using this change (though as I note, in some ways the new version of EO 12333 made FAA sharing even more permissive than EO 12333 sharing). And Savage’s article describes that they’ve intended to roll out this further expansion since Obama’s first term.

Obama administration has been quietly developing a framework for how to carry it out since taking office in 2009.

[snip]

Intelligence officials began working in 2009 on how the technical system and rules would work, Mr. Litt said, eventually consulting the Defense and Justice Departments. This month, the administration briefed the Privacy and Civil Liberties Oversight Board, an independent five-member watchdog panel, seeking input. Before they go into effect, they must be approved by James R. Clapper, the intelligence director; Loretta E. Lynch, the attorney general; and Ashton B. Carter, the defense secretary.

“We would like it to be completed sooner rather than later,” Mr. Litt said. “Our expectation is months rather than weeks or years.”

All of which is to say that if Lieu and Farenthold want to stop this, they’re going to have to buckle down and prepare for a fight over separation of powers, because Congress has had limited success (the most notable successes being imposition of FAA 703-705 and Section 309 of last year’s intelligence authorization) in imposing limits on EO 12333 collection. Indeed, Section 309 is the weak protection Dianne Feinstein and Mark Udall were able to get for activities they thought should be covered under FAA.

Two more points. First, I suspect such expanded sharing is already going on between NSA and DEA. I’ve heard RUMINT that DEA has actually been getting far more data since shutting down their own dragnets in 2013. The sharing of “international” narcotics trade data has been baked into EO 12333 from the very start. So it would be unsurprising to have DEA replicate its dragnet using SPCMA. There’s no sign, yet, that DEA has been included under FAA certifications (and there’s not, as far as we know, an FAA narcotics certificate). But EO 12333 sharing with DEA would be easier to implement on the sly than FAA sharing. And once you’ve shared with DEA, you might as well share with everyone else.

Finally, this imminent change is why I was so insistent that SPCMA should have been in the Brennan Center’s report on privacy implications of EO 12333 collection. What the government was doing, explicitly, in 2007 when they rolled that out was making the US person participants in internationally collected data visible. We’ve seen inklings of how NSA coaches analysts to target foreigners to get at that US person content. The implications of basing targeting off of SPCMA enabled analysis under PRISM (which we know they do because DOJ turned over the SPCMA document, but not the backup, to FISC during the Yahoo challenge), currently, are that US person data can get selected because US persons are involved and then handed over to FBI with no limits on its access. Doing so under EO 12333 will only expand the amount of data available — and because of the structure of the Internet, a great deal of it is available.

Probably, the best way to combat this change is to vastly expand the language of FAA 703-705 to over US person data collected incidentally overseas during next year’s FAA reauthorization. But it will take language like that, because simply pointing to FISA will not change the Executive’s ability to change EO 12333 — even secretly! — at will.

In Exchange about Clinton Email Investigation, Lynch Forcefully Reminds She Is FBI’s Boss

/8 Comments/in /by

There’s one last exchange in Wednesday’s Senate Judiciary Committee hearing with Attorney General Loretta Lynch that deserves closer focus. It came during John Cornyn’s round of questioning.

He structured his questions quite interestingly. He started by using the example of the Apple All Writs Act order to emphasize that FBI can’t do anything without DOJ’s approval and involvement. “I just want to make sure people understand the respective roles of different agencies within the law enforcement community — the FBI and the DOJ.”

He then turned to an unrelated subject — mental health, particularly as it relates to gun crime — ending that topic with a hope he and Lynch could work together.

Then he came back to the respective roles of the FBI and DOJ. “So let me get back to the role of the FBI and the Department of Justice.”

He did so in the context of Hillary’s email scandal. He started by reminding that Hillary had deleted 30,000 emails rather than turning them over to State for FOIA review. Cornyn then raised reports that the government had offered Bryan Pagliano immunity (Chuck Grassley argued elsewhere in the hearing that that should make it easy for Congress to demand his testimony, as the WSJ has also argued). “It’s true, isn’t it, that immunity can’t be granted by the FBI alone, it requires the Department of Justice to approve that immunity.”

Lynch filibustered, talking about different types of immunities, ultimately ceding that lawyers must be involved. She refused to answer a question directly about whether they had approved that grant of immunity. Which is when Cornyn moved onto trying to get the Attorney General to admit that she would have the final decision on whether to charge anyone in the email scandal.

Cornyn: Let me give you a hypothetical. If the FBI were to make a referral to the Department of Justice to pursue a case by way of an indictment and to convene a grand jury for that purpose, the Department of Justice is not required to do so by law, are they?

Lynch: It would not be an operation of law, it would be an operation of our procedures, which is we work closely with our law enforcement partners–

Cornyn: Prosecutorial discretion–

Lynch: –it would also be consulting with the Agents on all relevant factors of the investigation, and coming to a conclusion.

Cornyn: But you would have to make to the decision, or someone else working under you in the Department of Justice?

Lynch: It’s done in conjunction with the Agents. It’s not something that we would want to cut them out of the process. That has not been an effective way of prosecuting in my experience.

Cornyn: Yeah, I’m not suggesting that you would cut them out. I’m just saying, as you said earlier, you and the FBI would do that together, correct? Just like the Apple case?

Lynch: We handle matters together of all types.

Cornyn: If the FBI were to make a referral to the Department of Justice to pursue criminal charges against Mr. Pagliano or anyone else who may have been involved in this affair, does the ultimate decision whether to proceed to court, to ask for the convening of a grand jury, and to seek an indictment, does that rest with you, or someone who works for you at the Department of Justice?

Lynch: So Senator with respect to Mr. Pagliani [sic] or anyone who has been identified as a potential witness in any case, I’m not able to comment on the specifics of that matter and so I’m not able to provide you–

Cornyn: I’m not asking you to comment on the specifics of the matter, I’m asking about what the standard operating procedure is, and it seems pretty straightforward. The FBI does a criminal investigation, but then refers the charges to the Department of Justice, including US Attorneys, perhaps in more celebrated cases goes higher up the food chain. But my simple question is doesn’t the buck stop with you, in terms of whether to proceed, to seek an indictment, to convene a grand jury, and to prosecute a case referred to you by the FBI?

Lynch: There’s many levels of review, at many stages of the case, and so I would not necessarily be involved in every decision as to every prosecutorial step to make.

Cornyn: It would be you or somebody who works for you, correct?

Lynch: Everyone in the Department of Justice works for me, including the FBI, sir.

Cornyn: I’m confident of that.

Grassley: Senator Schumer.

Schumer: Well done, Attorney General, well done.

I’m not entirely sure what to make of this: whether Cornyn was setting this up for the future, or whether he was trying to lay out Lynch’s responsibility for a decision already made. But given the reports that FBI Agents think someone should be charged (whether because of the evidence or because Hillary is Hillary), it sure felt like Cornyn was trying to pressure Lynch for her role in decisions already discussed. Indeed, I wonder whether Cornyn was responding to direct entreaties from someone at the FBI, possibly quite high up at the FBI, about Lynch’s role in this case.

Whatever he was trying to do, it may lead to some folks in the FBI getting a stern talking to from their boss, Loretta Lynch.

FBI Can’t Have Whistleblower Protection Because It Would Encourage Too Many Complaints

/4 Comments/in , /by

The Department of Justice is undercutting Chuck Grassley’s efforts to provide FBI employees whistleblower protection. That became clear in an exchange (2:42) on Wednesday.

The exchange disclosed two objections DOJ has raised to Grassley’s FBI Whistleblower Protect Act. First, as Attorney General Loretta Lynch revealed, DOJ is worried that permitting FBI Agents to report crimes or waste through their chain of command would risk exposing intelligence programs.

What I would say is that as we work through this issue, please know that, again, any concerns that the Department raises are not out of a disagreement with the point of view of the protection of whistleblowers but again, just making sure that the FBI’s intelligence are also protected at the same time.

I suspect (though am looking for guidance) that the problem may be that the bill permits whistleblowers to go to any member of Congress, rather than just ones on the Intelligence Committees. It’s also possible that DOJ worries whistleblowers will be able to go to someone senior to them, but not read into a given program.

Still, coming from an agency that doesn’t adequately report things like its National Security Letter usage to Congress, which has changed its reporting to the Intelligence Oversight Board so as to exempt more activities, and can’t even count its usage of other intelligence programs, it seems like a tremendous problem that DOJ doesn’t want FBI whistleblowers to have protection because it might expose what FBI is doing on intelligence.

That’s sort of the point!

Especially given Grassley’s other point: apparently, DOJ is opposed to the bill because it will elicit too many complaints.

One of the issues that your department has raised is that allowing FBI employees to report wrong-doing to their chain of command could lead to too many complaints. You know? What’s wrong with too many complaints? … Seems to me you’d invite every wrong doing to get reported to somebody so it could get corrected.

Apparently, DOJ knows there are so many problems FBI employees would like to complain about that things would grind to a halt if they were actually permitted to complain.

This is the FBI! Not only a bureau that has tremendous power over people, but also one with a well-documented history of abuse. It should be the first entity that has whistleblower protection, not the last!

Grassley raised two more points. First, in April 2014, DOJ promised to issue new guidelines on whistleblowing for FBI, clarifying who employees could go to. That hasn’t been done yet.

FBI has, however, created a video about whistleblowing which is, according to what Grassley said, pretty crappy. He’s asking for both those things as well.

Friday Morning: Lovely

/6 Comments/in , , /by

We made it to Friday! Yay! And that means another jazz genre. This week it’s shibuya-kei, a sub-genre/fusion born of Japanese jazz. Our sample today is by Kenji Ozawa. Note how damned perky it is, blending jazz elements with pop and synthpop. Its cuteness might also be described as kawaii, but that’s a whole ‘nother topic.

Some other shibuya-kei artists you might want to try are Paris Match (Metro), Aira Mitsuki (Butterly), Maki Nomiya (Shibuya-kei Standards), Takako Minekawa (Plash), and Kensuke Shiina (Luv Bungalow).

Get your mellow on and jazz your Friday up.

Urgent: Update Adobe Flash immediately if you apply patches manually
Go to this Security Bulletin link at Adobe for details. The update fixes 23 vulnerabilities, one or more of which are being used in exploits now though information about attacks are not being disclosed yet. And yes, this past Tuesday was Patch Tuesday, but either this zero-day problem in Flash was not known then, or a solution had not yet been completed, or…whatever. Just make sure you check all your updates, with this Adobe Flash patch at the top of the list.

USDOJ doing its PR thing on #AppleVsFBI
After reports this week that FBI director James Comey was a political liability in the case against Apple, U.S. Attorney General Loretta Lynch appeared on Stephen Colbert’s The Late Show to make the case for Apple writing code as requested by USDOJ. She said,

“First of all, we’re not asking for a backdoor, nor are we asking anyone to turn anything on to spy on anyone. We’re asking them to do what their customer wants. The real owner of the phone is the county, the employer, of one of the terrorists who is dead,”

Right. And my iPhone-owning kid wants a ham sandwich — will Apple write an app on demand for that, just because my kid’s the owner of the iPhone?

Look, nearly all software is licensed — the San Bernardino shooter’s iPhone may be property of the county that employed him, but the iOS software is property of Apple. Maybe Lynch needs a ham sandwich, too, a little boost in blood sugar to grok this point.

Volkswagen’s Terrible, No Good, Very Bad Week continues

  • Looks like VW’s U.S. CEO Michael Horn bailed out because he butted heads with the Holzkopfs in German leadership (Jalopnik)
  • By butting heads, that is to say, Horn dislikes the idea of jail time (Forbes) — though naming executives is pro forma on such lawsuits, if Horn was only in his role for roughly 18 months and this fraud goes back 8-9 years, AND Germany’s executive team disagreed with Horn’s proposal for U.S. dealers and vehicle owners, he’s reasonably twitchy about sticking around.
  • VW updated its emissions standards defeat code after its existence was revealed (Forbes) — wanna’ bet it was a software patch?

Stray cats and dogs

  • White House wants +20M more Americans on broadband (DailyDot) — Under ConnectALL initiative, a new subsidy program will help low income citizens get online with broadband access.
  • Pew Research study shows 15% of Americans still not online (Pew Research Center) — Rural, low income, minority, elderly are most likely not to have internet access; they’re the same target group as proposed federal ConnectALL program.
  • But good luck with broadband speed or cable TV content if HBO-TWC-Charter continue to scuffle over the TWC-Charter merger (AdAge) — Yet another example of the fundamental conflict between content makers and internet providers; internet providers should focus on the quality of their internet service, not on the content in the ‘series of tubes’ they supply.`

And just for giggles, note the Irish economy has expanded at fastest rate since 2000. Gee, I wonder what would happen to the Irish economy if major tech companies like Apple moved to Ireland?

I’m out of here — have a great weekend!

The Play on the Scalia Replacement: Remember the Lame Duck

/60 Comments/in /by

Within minutes after the public announcement of Antonin Scalia’s death, Senator Mike Lee’s flack Conn Carroll started predicting Obama would have zero chance of successfully naming a successor. After Carroll, one after another actual Senator followed that sentiment, including Chuck Grassley and Mitch McConnell, both of whom would have the ability to stall any Obama nominee. From that point, the GOP was pretty much committed, they said, to preventing any Obama nominee from being confirmed.

That led to a bunch of bad comparisons — between judges like Robert Bork who was rejected and Miguel Estrada who never got a vote — and simply going a year without acting on a President’s nominee. Even the comparison with Anthony Kennedy (who was nominated in November after two other nominees, including Bork, failed) is inapt, as he was nominated earlier than any Obama pick would be (though in a sense that fetishizes the year that would pass without a nominee).

I, like bmaz, believe Obama will pick someone fairly centrist, probably someone who has been recently confirmed by big margins.  I agree the most likely nominee will be Sri Srinivasan, who in 2013 was confirmed to the DC Circuit with a 97-0 vote — though I’m also mindful of the wisdom (given the GOP unanimity about obstructing this nominee) of picking someone who drive Democratic turnout — an African-American woman, for example. Though I highly doubt Obama will nominate Loretta Lynch, as some have suggested, not least because the fight over releasing data on HSBC’s continued money laundering will draw more attention as it moves toward appeal, which might focus attention on her role in administering the wrist slap in the face of egregious drug cartel and terrorist supporting money laundering.

After some reflection, some conservatives have suggested that the GOP would have been better served if they had simply not managed to pass Obama’s nominee, rather than making such a big stink about it.

I think that ignores how much both parties look forward to using this nominee to drive turnout — and regardless of who the respective nominees are, the GOP have a much bigger challenge in getting enough voters to turn out to elect a GOP president in November, so I’m sure they’re quite happy to have an issue that (they presumably hope) might flip some conservative Latino votes — though one likely outcome of an extended 8-member court is that the Fifth Circuit’s ruling staying Obama’s immigration orders will be upheld after a 4-4 tie on the court, which might have the opposite effect.

Furthermore, I think it ignores one other factor. Srinivasan has been predicted to be Obama’s most likely SCOTUS appointment for almost 3 years (few people consider how such predictions might have influenced Ruth Bader Ginsburg’s decision not to retire). The Republicans probably presume he’s the most likely candidate as well.

The presumption Srinivasan — or someone similar — would be the nominee easily justifies the GOP’s immediate promise they won’t confirm a nominee. That’s because they need to explain why someone they just overwhelmingly confirmed, someone who faced more opposition from the left than the right, suddenly became unacceptable.

More importantly, I presume the GOP wants to keep open the possibility of confirming Srinivasan or whatever centrist Obama appoints during the Lame Duck. Here’s why:

Barring any replay of Bush v. Gore, both sides will know on November 9 who would get to pick Scalia’s replacement if Obama’s pick failed. Both sides will also know the makeup of the Senate. Because of the demographic issues I mentioned earlier, the likely Democratic nominee, Hillary Clinton, is most likely to win. That’s not to say I think she’s necessarily the strongest candidate — even ignoring the potential the email scandal will taint close advisors like Huma Abedin or Jake Sullivan, I think it likely the economy will be crashing by November in a way that would favor Trump if he were the GOP nominee facing Hillary. But I think electoral demographics suggest the GOP will have a harder time winning this year, particularly after a year of Trump branding the GOP with bigotry.

Plus (ignoring my suspicion the economy will be crashing by November), we’re likely to have a more Democratic Senate after November. Harry Reid is the only retiring Democrat where the replacement race is currently perceived to be toss-up, whereas Marco Rubio, Mark Kirk, Kelly Ayotte, and Ron Johnson are all deemed to be likely toss-ups, if not Dem-favorable. It’s still most likely the GOP will have a slight majority, but a smaller one, in the Senate, one where people like Susan Collins could make more of a difference. But it is likely to be more Democratic.

If Hillary wins (the most likely outcome) and Democrats win the Senate (unlikely, but feasible), then the Republicans will have good reason to want to confirm an Obama nominee perceived to be centrist. Whereas Srinivasan looks far worse than Scalia to the Republicans, he would all of a sudden look far preferable to a Hillary choice with the time to wait out the Senate. The GOP would have time between November 9 and the Christmas break to confirm whatever Obama nominee has been languishing.

In other words, I think the GOP have provided a way to stall someone (like Srinivasan) they have recently confirmed, while leaving the possibility of confirming that person if November makes it likely the next nominee will be more liberal.

One more thing: Commentary on this process has presumed that McConnell and Grassley (and Obama) learned of Scalia’s death when we all did. I would hope that Obama, at least, got word well before that, particularly given the involvement of at least the US Marshals and according to some reports the FBI. But I also wouldn’t leave out the possibility that one of the 39 other still unidentified guests at the ranch this weekend gave the Republican leadership a heads up as soon as a hearse showed up. So it’s possible that what looked like quick knee-jerk response on the part of Republican leadership was instead more considered, along the lines I’ve just laid out.

How the Purpose of the Data Sharing Portal Changed Over the OmniCISA Debate

/2 Comments/in /by

Last year, House Homeland Security Chair Michael McCaul offered up his rear-end to be handed back to him in negotiations leading to the passage of OmniCISA on last year’s omnibus. McCaul was probably the only person who could have objected to such a legislative approach because it deprived him of weighing in as a conferee. While he made noise about doing so, ultimately he capitulated and let the bill go through — and be made less privacy protective — as part of the must-pass budget bill.

Which is why I was so amused by McCaul’s op-ed last week, including passage of OmniCISA among the things he has done to make the country more safe from hacks. Here was a guy, holding his rear-end in his hands, plaintively denying that, by claiming that OmniCISA reinforced his turf.

I was adamant that the recently-enacted Cybersecurity Act include key provisions of my legislation H.R. 1731, the National Cybersecurity Protection Advancement Act. With this law, we now have the ability to be more efficient while protecting both our nation’s public and private networks.

With these new cybersecurity authorities signed into law, the Department of Homeland Security (DHS) will become the sole portal for companies to voluntarily share information with the federal government, while preventing the military and NSA from taking on this role in the future.

With this strengthened information-sharing portal, it is critical that we provide incentives to private companies who voluntarily share known cyber threat indicators with DHS. This is why we included liability protections in the new law to ensure all participants are shielded from the reality of unfounded litigation.

While security is vital, privacy must always be a guiding principle. Before companies can share information with the government, the law requires them to review the information and remove any personally identifiable information (PII) unrelated to cyber threats. Furthermore, the law tasks DHS and the Department of Justice (DOJ) to jointly develop the privacy procedures, which will be informed by the robust existing DHS privacy protocols for information sharing.

[snip]

Given DHS’ clearly defined lead role for cyber information sharing in the Cybersecurity Act of 2015, my Committee and others will hold regular oversight hearings to make certain there is effective implementation of these authorities and to ensure American’s privacy and civil liberties are properly protected.

It is true that under OmniCISA, DHS is currently (that is, on February 1) the sole portal for cyber-sharing. It’s also true that OmniCISA added DHS, along with DOJ, to those in charge of developing privacy protocols. There are also other network defense measures OmniCISA tasked DHS with — though the move of the clearances function, along with the budget OPM had been asking for to do it right but not getting, to DOD earlier in January, the government has apparently adopted a preference for moving its sensitive functions to networks DOD (that is, NSA) will guard rather than DHS. But McCaul’s bold claims really make me wonder about the bureaucratic battles that may well be going on as we speak.

Here’s how I view what actually happened with the passage of OmniCISA. It is heavily influenced by these three Susan Hennessey posts, in which she tried to convince that DHS’ previously existing portal ensured privacy would be protected, but by the end seemed to concede that’s not how it might work out.

  1. CISA in Context: Privacy Protections and the Portal

  2. CISA in Context: The Voluntary Sharing Model and that “Other” Portal

  3. CISA in Context: Government Use and What Really Matters for Civil Liberties

Underlying the entire OmniCISA passage is a question: Why was it necessary? Boosters explained that corporations wouldn’t share willingly without all kinds of immunities, which is surely true, but the same boosters never explained why an info-sharing system was so important when experts were saying it was way down the list of things that could make us safer and similar info-sharing has proven not to be a silver bullet. Similarly, boosters did not explain the value of a system that not only did nothing to require cyber information shared with corporations would be used to protect their networks, but by giving them immunity (in final passage) if they did nothing with information and then got pawned, made it less likely they will use the data. Finally, boosters ignored the ways in which OmniCISA not only creates privacy risks, but also expands new potential vectors of attack or counterintelligence collection for our adversaries.

So why was it necessary, especially given the many obvious ways in which it was not optimally designed to encourage monitoring, sharing, and implementation from network owners? Why was it necessary, aside from the fact that our Congress has become completely unable to demand corporations do anything in the national interest and there was urgency to pass something, anything, no matter how stinky?

Indeed, why was legislation doing anything except creating some but not all these immunities necessary if, as former NSA lawyer Hennessey claimed, the portal laid out in OmniCISA in fact got up and running on October 31, between the time CISA passed the Senate and the time it got weakened significantly and rammed through Congress on December 18?

At long last DHS has publically unveiled its new CISA-sanctioned, civil-liberties-intruding, all-your-personal-data-grabbing, information-sharing uber vacuum. Well, actually, it did so three months ago, right around the time these commentators were speculating about what the system would look like. Yet even as the cleverly-labeled OmniCISA passed into law last month, virtually none of the subsequent commentary took account of the small but important fact that the DHS information sharing portal has been up and running for months.

Hennessey appeared to think this argument was very clever, to suggest that “virtually no” privacy advocates (throughout her series she ignored that opposition came from privacy and security advocates) had talked about DHS’ existing portal. She must not have Googled that claim, because if she had, it would have become clear that privacy (and security) people had discussed DHS’ portal back in August, before the Senate finalized CISA.

Back in July, Al Franken took the comedic step of sending a letter to DHS basically asking, “Say, you’re already running the portal that is being legislated in CISA. What do you think of the legislation in its current form?” And DHS wrote back and noted that the portal being laid out in CISA (and the other sharing permitted under the bill) was different in several key ways from what it was already implementing.

Its concerns included:

  • Because companies could share with other agencies, the bill permitted sharing content with law enforcement. “The authorization to share cyber threat indicators and defensive measures with ‘any other entity or the Federal Government,’ ‘notwithstanding any other provision of law’ could sweep away important privacy protections, particularly the provisions in the Stored Communications Act limiting the disclosure of the content of electronic communications to the government by certain providers.”
  • The bill permitted companies to share more information than that permitted under the existing portal. “Unlike the President’s proposal, the Senate bill includes ‘any other attribute of a cybersecurity threat’ within its definition of cyber threat indicator.”
  • Because the bill required sharing in real time rather than in near-real time, it would mean DHS could not do all the privacy scrubs it was currently doing. “If DHS distributes information that is not scrubbed for privacy concerns, DHS would fail to mitigate and in fact would contribute to the compromise of personally identifiable information by spreading it further.”
  • Sharing in real rather than near-real time also means participants might get overloaded with extraneous information (something that has made existing info-sharing regimes ineffective). “If there is no layer of screening for accuracy, DHS’ customers may receive large amounts of information with dubious value, and may not have the capability to meaningfully digest that information.”
  • The bill put the Attorney General, not DHS, in charge of setting the rules for the portal. “Since sharing cyber threat information with the private sector is primarily within DHS’s mission space, DHS should author the section 3 procedures, in coordination with other entities.”
  • The 90-day implementation timeline was too ambitious; according to DHS, the bill should provide for an 180-day implementation. “The 90-day timeline for DHS’s deployment of a process and capability to receive cyber threat indicators is too ambitious, in light of the need to fully evaluate the requirements pertaining to that capability once legislation passes and build and deploy the technology.”

As noted, that exchange took place in July (most responses to it appeared in August). While a number of amendments addressing DHS’ concerns were proposed in the Senate, I’m aware of only two that got integrated into the bill that passed: an Einstein (that is, federal network monitoring) related request, and DHS got added — along with the Attorney General — in the rules-making function. McCaul mentioned both of those things, along with hailing the “more efficient” sharing that may refer to the real-time versus almost real-time sharing, in his op-ed.

Not only didn’t the Senate respond to most of the concerns DHS raised, as I noted in another post on the portal, the Senate also gave other agencies veto power over DHS’ scrub (this was sort of the quid pro quo of including DHS in the rule-making process, and it was how Ranking Member on the Senate Homeland Security Committee, Tom Carper, got co-opted on the bill), which exacerbated the real versus almost real-time sharing problem.

All that happened by October 27, days before the portal based on Obama’s executive order got fully rolled out. The Senate literally passed changes to the portal as DHS was running it days before it went into full operation.

Meanwhile, one more thing happened: as mandated by the Executive Order underlying the DHS portal, the Privacy and Civil Liberties Oversight Board helped DHS set up its privacy measures. This is, as I understand it, the report Hennessey points to in pointing to all the privacy protections that will make OmniCISA’s elimination of warrant requirements safe.

Helpfully, DHS has released its Privacy Impact Assessment of the AIS portal which provides important technical and structural context. To summarize, the AIS portal ingests and disseminates indicators using—acronym alert!—the Structured Threat Information eXchange (STIX) and Trusted Automated eXchange of Indicator Information (TAXII). Generally speaking, STIX is a standardized language for reporting threat information and TAXII is a standardized method of communicating that information. The technology has many interesting elements worth exploring, but the critical point for legal and privacy analysis is that by setting the STIX TAXII fields in the portal, DHS controls exactly which information can be submitted to the government. If an entity attempts to share information not within the designated portal fields, the data is automatically deleted before reaching DHS.

In other words, the scenario is precisely the reverse of what Hennessey describes: DHS set up a portal, and then the Senate tried to change it in many ways that DHS said, before passage, would weaken the privacy protections in place.

Now, Hennessey does acknowledge some of the ways OmniCISA weakened privacy provisions that were in DHS’ portal. She notes, for example, that the Senate added a veto on DHS’ privacy scrubs, but suggests that, because DHS controls the technical parameters, it will be able to overcome this veto.

At first read, this language would appear to give other federal agencies, including DOD and ODNI, veto power over any privacy protections DHS is unable to automate in real-time. That may be true, but under the statute and in practice DHS controls AIS; specifically, it sets the STIX TAXXI fields. Therefore, DHS holds the ultimate trump card because if that agency believes additional privacy protections that delay real-time receipt are required and is unable to convince fellow federal entities, then DHS is empowered to simply refuse to take in the information in the first place. This operates as a rather elegant check and balance system. DHS cannot arbitrarily impose delays, because it must obtain the consent of other agencies, if other agencies are not reasonable DHS can cut off the information, but DHS must be judicious in exercising that option because it also loses the value of the data in question.

This seems to flip Youngstown on its head, suggesting the characteristics of the portal laid out in an executive order and changed in legislation take precedence over the legislation.

Moreover, while Hennessey does discuss the threat of the other portal — one of the features added in the OmniCISA round with no debate — she puts it in a different post from her discussion of DHS’ purported control over technical intake data (and somehow portrays it as having “emerged from conference with the new possibility of an alternative portal” even though no actual conference took place, which is why McCaul is stuck writing plaintive op-eds while holding his rear-end). This means that, after writing a post talking about how DHS would have the final say on protecting privacy by controlling intake, Hennessey wrote another post that suggested DHS would have to “get it right” or the President would order up a second portal without all the privacy protections that DHS’ portal had in the first place (and which it had already said would be weakened by CISA).

Such a portal would, of course, be subject to all statutory limitations and obligations, including codified privacy protections. But the devil is in the details here; specifically, the details coded into the sharing portal itself. CISA does not obligate that the technical specifications for a future portal be as protective as AIS. This means that it is not just the federal government and private companies who have a stake in DHS getting it right, but privacy advocates as well. The balance of CISA is indeed delicate.

Elsewhere, Hennessey admits that many in government think DHS is a basket-case agency (an opinion I’m not necessarily in disagreement with). So it’s unclear how DHS would retain any leverage over the veto given that exercising such leverage would result in DHS losing this portfolio altogether. There was a portal designed with privacy protections, CISA undermined those protections, and then OmniCISA created yet more bureaucratic leverage that would force DHS to eliminate its privacy protections to keep the overall portfolio.

Plus, OmniCISA did two more things. First, as noted, back in July DHS said it would need 180 days to fully tweak its existing portal to match the one ordered up in CISA. CISA and OmniCISA didn’t care: the bill and the law retained the 90 day turnaround. But in addition, OmniCISA required DHS and the Attorney General develop their interim set of guidelines within 60 days (which as it happened included the Christmas holiday). That 60 deadline is around February 16. The President can’t declare the need for a second portal until after the DHS one gets certified, which has a 90 day deadline (so March 18). But he can give a 30 day notice that’s going to happen beforehand. In other words, the President can determine, after seeing what DHS and AG Lynch come up with in a few weeks, that that’s going to be too privacy restrictive and tell Congress FBI needs to have its own portal, something that did not and would not have passed under regular legislative order.

Finally, as I noted, PCLOB had been involved in setting up the privacy parameters for DHS’ portal, including the report that Hennessey points to as the basis for comfort about OmniCISA’s privacy risk. In final passage of OmniCISA, a PCLOB review of the privacy impact of OmniCISA, which had been included in every single version of the bill, got eliminated.

Hennssey’s seeming admission that’s the eventual likelihood appears over the course of her posts as well. In her first post, she claims,

From a practical standpoint, the government does not want any information—PII or otherwise—that is not necessary to describe or identify a threat. Such information is operationally useless and costly to store and properly handle.

But in explaining the reason for a second portal, she notes that there is (at least) one agency included in OmniCISA sharing that does want more information: FBI.

[T]here are those who fear that awarding liability protection exclusively to sharing through DHS might result in the FBI not getting information critical to the investigation of computer crimes. The merits of the argument are contested but the overall intention of CISA is certainly not to result in the FBI getting less cyber threat information. Hence, the fix.

[snip]

AIS is not configured to receive the full scope of cyber threat information that might be necessary to the investigation of a crime. And while CISA expressly permits sharing with law enforcement – consistent with all applicable laws – for the purposes of opening an investigation, the worry here is that companies that are the victims of hacks will share those threat indicators accepted by AIS, but not undertake additional efforts to lawfully share threat information with an FBI field office in order to actually investigate the crime.

That is, having decided that the existing portal wasn’t good enough because it didn’t offer enough immunities (and because it was too privacy protective), the handful of mostly Republican leaders negotiating OmniCISA outside of normal debate then created the possibility of extending those protections to a completely different kind of information sharing, that of content shared for law enforcement.

In her final post, Hennessey suggests some commentators (hi!!) who might be concerned about FBI’s ability to offer immunity for those who share domestically collected content willingly are “conspiracy-minded” even while she reverts to offering solace in the DHS portal protections that, her series demonstrates, are at great risk of bureaucratic bypass.

But these laws encompass a broad range of computer crimes, fraud, and economic espionage – most controversially the Computer Fraud and Abuse Act (CFAA). Here the technical constraints of the AIS system cut both ways. On one hand, the scope of cyber threat indicators shared through the portal significantly undercuts claims CISA is a mass surveillance bill. Bluntly stated, the information at issue is not of all that much use for the purposes certain privacy-minded – and conspiracy-minded, for that matter – critics allege. Still, the government presumably anticipates using this information in at least some investigations and prosecutions. And not only does CISA seek to move more information to the government – a specific and limited type of information, but more nonetheless – but it also authorizes at least some amount of new sharing.

[snip]

That question ultimately resolves to which STIX TAXII fields DHS decides to open or shut in the portal. So as CISA moves towards implementation, the portal fields – and the privacy interests at stake in the actual information being shared – are where civil liberties talk should start.

To some degree, Hennessey’s ultimate conclusion is one area where privacy (and security) advocates might weigh in. When the government provides Congress the interim guidelines sometime this month, privacy (and security) advocates might have an opportunity to weigh in, if they get a copy of the guidelines. But only the final guidelines are required to be made public.

And by then, it would be too late. Through a series of legislative tactics, some involving actual debate but some of the most important simply slapped onto a must-pass legislation, Congress has authorized the President to let the FBI, effectively, obtain US person content pertaining to Internet-based crimes without a warrant. Even if President Obama chooses not to use that authorization (or obtains enough concessions from DHS not to have to directly), President Trump may not exercise that discretion.

Maybe I am being conspiratorial in watching the legislative changes made to a bill (and to an existing portal) and, absent any other logical explanation for them, concluding those changes are designed to do what they look like they’re designed to do. But it turns out privacy (and security) advocates weren’t conspiratorial enough to prevent this from happening before it was too late.

Loretta Lynch’s Hot and Cold Running Data-Sharing

/24 Comments/in , , , /by

[See update below: Lynch says she didn’t mean how these statements came out.]

It’s bad enough that Attorney General Loretta Lynch refuses to force police to keep records on how many people they kill.

In a conversation with NBC journalist Chuck Todd on a range of criminal justice issues, Lynch said on Thursday that she does not support a federal mandate to report people killed by police.

“One of the things we are focusing on at the Department of Justice is not trying to reach down from Washington and dictate to every local department how they should handle the minutia of record keeping, but we are stressing to them that these records must be kept,” she said at the Washington Ideas Forum, hosted by AtlanticLIVE and the Aspen Institute.

It’s her reasoning I find really troubling.

Lynch said the Justice Department does “encourage” local departments to maintain records on police shootings but that improving police-community relations is more important. She noted that the small size of the average police department could make record-keeping difficult.

“The statistics are important, but the real issues are: ‘what steps are we all taking to connect communities … with police and back with government?’” she said.

It’s all well and good to say communities and their cops just need to get along.

But cops are claiming a Ferguson Effect that statistically doesn’t exist and the NYT is reprinting the claim only because the cops say so.

Here’s what the crime story said: “Among some experts and rank-and-file officers, the notion that less aggressive policing has emboldened criminals — known as the “Ferguson effect” in some circles — is a popular theory for the uptick in violence.” A paragraph later, the story continues: “Others doubt the theory or say data has not emerged to prove it.” Two experts are quoted, and the story moves on from there.

Bill Michtom of Portland, Ore., wrote to me about it, calling it a “classic example of false equivalence.” Ta-Nehisi Coates called the suggestion of a Ferguson effect “utterly baseless” in a piece for The Atlantic, noting that one of the experts quoted said that the rise in violent crime in St. Louis had begun before the large protests last year over a white police officer’s fatal shooting of an unarmed black teenager.

One of the story’s reporters, Monica Davey, and the national editor, Alison Mitchell, strongly disagree that this is false equivalence or that it was misleading to readers. In fact, they told me, it would be wrong of The Times not to report something that some police officers are identifying as part of their mind-set.

Ms. Davey, who agrees that false balance is infuriating and must be avoided, said in an email that this example simply doesn’t fit the description. For one thing, she said, there is no established truth here: “The question about the validity of this theory simply has not been definitively answered in the way that the earth’s shape has.” And, she said, “police officers must be given some credence in assessing whether they themselves feel that they are behaving differently now — the essence of what some of them have called the ‘Ferguson effect.’ ”

Or, as Ms. Mitchell puts it: “We have the police suggesting that police are pulling back — should we not report that?”

My view is that the introduction of this explosive idea didn’t serve readers well because, in this context, it was mentioned briefly, sourced vaguely, and then countered by disagreement. If police officers are indeed pulling back from their duties, and are willing to be identified and quoted, and if there’s evidence to back it up, that would be worth a full exploration in a separate article. But this glancing treatment could easily have left readers baffled, at the very least.

Things aren’t going to improve so long as cops can just make shit up, in spite of data to the contrary.

Just as importantly, since 9/11, the mandate throughout the Federal government — and especially for FBI — has been to share information promiscuously, including down to local police departments. Some of that information includes untested leads; some of it includes cyber and terrorist threat assessments.

If Lynch is telling us these local police departments don’t have the ability to handle reporting back and forth from the federal government, than the rest of the info sharing should stop too, because it could violate Americans’ privacy and/or expose intelligence streams.

But we all know that’s not going to happen.

Which means Lynch is supporting an asymmetrical reporting system that can’t be used for oversight of the larger system.

Update: Lynch says her statements last week weren’t what she was trying to say.

The point I was trying to make at that conference related to our overall view of how we deal with police departments as part of our practice of enforcing consent decrees, or working with them and I was trying to make the point that we also have to focus on building community trust which is a very individual – very local – practice.  Unfortunately, my comments gave the misperception that we were changing our view in some way about the importance of this data – nothing could be further from the truth.  This data is not only vital – we are working closely with law enforcement to develop national consistent standards for collecting this kind of information.

More from her statement:

“The department’s position and the administration’s position has consistently been that we need to have national, consistent data,” said Attorney General Lynch.  “This information is useful because it helps us see trends, it helps us promote accountability and transparency,” said Attorney General Lynch.  “We’re also going further in developing standards for publishing information about deaths in custody as well, because transparency and accountability are helped by this kind of national data.”

Why Did the Feds Take Down RentBoy?

/7 Comments/in /by

Yesterday, federal officers (overwhelmingly Department of Homeland Security, not FBI) busted the 7 people who run RentBoy.com, the largest online portal for male escorts. In doing so, they put 10,000 sex workers out of business — or pushed them into more dangerous means of meeting customers.

This is the second time the Feds have taken down a sex worker portal. In June 2014, Feds took down RedBook, which included links to ads but also had a lot of chat rooms. At one level, then, that bust was even more of an assault on First Amendment rights, but the operators were also indicted on money laundering charges (and FBI found profiles of people under 18 posting advertisements, which it used to ratchet up the pressure). Thus far, at least, there’s no indication of additional charges against RentBoy’s operators, even though two outlets yesterday claimed there were money laundering charges involved. Though as I’ll explain, I wouldn’t be surprised to see immigration charges, I bet the government will charge the money laundering they’ve already leaked to the press, and I fully expect once the government wades through the servers they seized yesterday, they’ll come up with a list of advertisers who were also underage.

The bust leaves me with several questions. As Conor Friedersdorf asks, why is this a priority of law enforcement? Aren’t there more pressing crimes — like bank money laundering — to pursue, or more dangerous forms of sex trafficking?

Some potential answers may lie in some observations from the complaint.

Where did this come from?

RentBoy has been operating happily since 1997. So why did the Feds choose to take it down yesterday?

One hint about where this inquiry may have come from is on page 19-20 of the complaint, after all the salacious descriptions of slang for kinds of sex and discussions of a few escorts’ profiles that have been highlighted in other reporting on this. RentBoy twice applied for an H1B for its accountant, Marco Soto Decker.

In September 2010 and March 2013, EASY RENT SYSTEMS, INC. applied to the United States Department of Homeland Security, Citizenship and Immigration Services for an H1-B non-immigrant work visa on behalf of SOTO DECKER. The application identified that EASY RENT SYSTEMS, INC. runs RENTBOY.COM which “revolutionized the escorting industry by moving it online and away from agencies and disreputable bars.” The application also said that SOTO DECKER had been operating as the accountant from July 2012, a position that reported directly to JEFFREY HURANT and which required him to prepare all financial statements and to strategically analyze, manipulate, and interpret financial data “in order to develop strategies and make recommendations critical for the CEO to utilize in his work to successfully mange and grow the company.”

In connection with the application, EASY RENT SYSTEMS, INC. also submitted a job offer letter addressed to SOTO DECKER dated July 20, 2012, which identified the duties and responsibilities of the position. Among those duties was meeting with market, IT, sales, and customer service staff to review monthly expenses and see revenue and expenses optimization; supervising the company’s daily e-commerce transactions; managing the entire accounting, budgeting and reconciliation process for the company’s events, including the HOOKIES [an awards ceremony RentBoy puts on].

The application also included some of EASY RENT SYSTEM, INC.’s books and records. Among the expenses identified was a listing for “Viagra — Sean.” In addition, the application included numerous articles about RENTBOY.COM. Man of those articles identified unambiguously that the escorts advertising on RENTBOY.COM were having sex with their customers in exchange for money.

In other words, RentBoy’s parent company twice applied to DHS for an H1B visa for its accountant, the more recent application of which DOJ alleges included clear evidence the company was buying Viagra for an employee and reporting on the company made it clear that RentBoy sold sex.

Note, the complaint didn’t tell us what happened with those applications. That there were two of them suggests Soto Decker may have either gotten it renewed (I need to double check but I believe it is still the case you can get two H1Bs for a total of 6 years, then you have to go home to your home country for a period) or been denied in the first application. Assuming he got the H1B would also suggest that immigration authorities not only agreed with Easy Rent that Soto Decker was a skilled employee (there’s no reason to doubt that) but also that the company could find no Americans to do an accounting job. Immigration authorities are very lenient with those H1B determinations, but they almost certainly could have refused that visa back in 2013.

Still, that application to DHS in March 2013 was almost 30 months ago, and there’s just one sign I saw of active investigation since in the complaint. That detail appears on page 14.

HURANT was present at the 2015 HOOKIES, where he provided an undercover agent a card with the RENTBOY.COM name on one side. On the opposite side the card says “Jeffrey Davids, Principal.” It also lists his email address as “[email protected].” HURANT was asked by the undercover agent how the Hookies awards started. HURANT responded “Have you ever had sex with anyone and it was so good you had to tell someone? That’s what it’s all about!”

In other words, in March 2013, Easy Rent submitted an H1B application that may have given DHS an opening to start this investigation. Two years later, they had an undercover officer attend the Hookies and get RentBoy’s CEO to say some damning things.

That timeline — if it indeed shows the span of the investigation — is interesting for several reasons.

First, it would suggest the investigation was started while Loretta Lynch was still US Attorney in Eastern District of NY (more on that in a sec). If this investigation started in 2013, it means Lynch, now the Attorney General, may well have been the one ultimately overseeing the investigation.

Second, the investigation — with an undercover officer attending awards ceremonies and who knows what else — was active after the time the head of RedBook pled guilty in December 2014. DOJ had a proof of concept in that earlier bust.

Finally, as a reader noted, the investigation had already started before the time, in July, when a RentBoy escort exposed his discussions with Tim Geithner’s brother, David, at Gawker. That is, this investigation is not retaliation for a RentBoy escort embarrassing the family member of a very powerful New Yorker. But the bust did happen after that. (And if I were that escort, I’d be very worried about what evidence that DHS seized yesterday might be used in a blackmail case against me.)

One more note on timing: One of the employees busted yesterday, Diana Milagros Mattos, left Easy Rent in June, in spite of being its highest commissioned sales agent. There’s no explanation of why she left. I find that worth noting.

Why was this charged in EDNY?

I always ask this question, but you have to ask it. Why was this charged in the Eastern District of NY, when RentBoy is headquartered in Manhattan, in the Southern District, and only one of the employees appears to live in EDNY (though the complaint reviews three profiles whose owners live in Brooklyn)? When asked yesterday, one of the Feds apparently simply said, “the Internet is everywhere.” But that response raises more questions than it answers.

I raise this not just for the Loretta Lynch connection, but also because by virtue of JFK airport’s location in EDNY, where many defendants get flown into, the district has developed a slew of precedents having to do with asserting a fairly aggressive jurisdiction overseas. Again, it’s possible this whole thing started from an immigration inquiry. But I wonder whether there’s some more to it, especially since RentBoy has facilities in England.

In other words, is this just the first step in a larger, more international crackdown?

What other investigative means did they use?

As noted, someone leaked to several outlets yesterday this case involved money laundering, but there’s no hint of that in this complaint or even that they used investigative methods to prove it. While RentBoy’s ISP, Cogent Communications, is mentioned in an aside — in the context of how communications with the ISP described Soto Decker’s responsibilities — there’s no mention of any orders for traffic logs or other electronic service provider records. Still, it’s fairly clear the Feds do have some records from Cogent they aren’t yet telling us about.

Then there’s the means by which the agent who wrote this, Susan Ruiz, identified aliases of some of the employees. In footnote after footnote, she says she compared the defendant’s driver’s license picture with an online picture and decided they were the same person. Neither those aliases nor the means by which she identified them are critical at this point. But I would suggest she almost certainly used more reliable means to connect the identities of these people. That could just be an insider’s testimony, but it could also include traffic logs connecting certain computers with the online profiles using those aliases.

In other words, I suspect they’ve got electronic records they don’t want to tell us about, even as simply as records obtained from Cogent using a subpoena.

Why didn’t they bust DaddysReviews.com?

As the complaint makes clear, RentBoy has clear warnings against advertising sex and prices (which will be one of the defenses the accused will use). It bills itself as an escort site that will not permit the selling of sex.

To prove that the profiles the complaint describes in depth involve prostitution, it relies heavily on DaddysReviews.com, which is a review site that not only describes completed acts of sex, but the price paid for that sex.

I’m going to ask people who know the industry better than I about this. But I do wonder why DHS and DOJ chose to bust the site that doesn’t explicitly tie sex to payment, but didn’t bust the one that does.

Update: One suggestion on this question is that DaddysReviews wouldn’t be prosecuted because they don’t take money.

Our Definitions of National Security Crimes Are Fucked

/9 Comments/in , /by

I realized something the other day.

For the purposes of hacking, a theater (or at least any mall it was attached to) might count as critical infrastructure that would deem it a National Security target, just as Sony Pictures was deemed critical infrastructure for sanction and retaliation purposes after it got hacked.

But if a mentally ill misogynist with a public track record of supporting right wing hate shoots up a movie showing, it would not be considered a national security target. Given his death, DOJ won’t be faced with the challenge of naming John Russell Houser’s crime, but they would have even less ability to punish Houser for his motivation and ties to other haters than they had with Dylann Roof.

DOJ had no such problem with Joseph Buddenberg and Nicole Kissane, who got charged with terrorism (under the Animal Enterprise Terrorism Act) yesterday because they freed some minks. And a bobcat.

So shooting African Americans worshipping in church is not terrorism, but freeing a bobcat is.

Meanwhile, most of the 204 mass shootings — averaging one a day — that happened this year have passed unremarked.

I laid out some of the problems with the disparity between Muslim terrorism and white supremacist terrorism (to say nothing of bobcat-freeing “terrorism”) the other day.

“This should in no way signify that this particular murder or any federal crime is of any lesser significance.” [than terrorism, Loretta Lynch claimed while announcing the Hate Crime charges against Roof

Except it is, by all appearances.

When asked, Lynch refused to comment on how DOJ is allocating resources, but reporting on the increase in terrorism analysts since 9/11 suggests the FBI has dedicated large amounts of new resources to fighting Islamic terrorism, domestically and abroad. In addition, there are a number of spying tools that are tied solely to international terrorism — but DOJ has managed to define, in secret, domestic terrorism espoused by Muslims in the U.S. as international terrorism. That means FBI has far more tools to dedicate to finding tweets posted by Muslims, and fewer to find the manifesto Roof wrote speaking of having ”the bravery to take it to the real world” against blacks and even Jews.

Perhaps most importantly, because of vastly expanded post-9/11 information sharing, local law enforcement offices have been deputized in the hunt for Muslim terrorists, receiving intelligence obtained through those additional spying tools and sharing tips back up with the FBI. By contrast, as one after another confrontation makes clear — most recently the video of a white Texas trooper escalating a traffic stop with African American woman Sandra Bland that ultimately ended in her death, purportedly by suicide — too many white local cops tend to prey on African Americans themselves rather than  the police who target African Americans for their race.

[snip]

Finally, the FBI has an incentive to call Roof’s attack something different, as it makes a big deal of its success in preventing “terrorist” attacks. If the Charleston attack was terrorism, it means FBI missed a terrorist plotting while tracking a bunch of Muslims who might not have acted without FBI incitement. That would be all the worse as the FBI might have stopped Roof during the background check conducted before he bought the murder weapon, if not for some confusion on a prior charge.

[snip]

I’m certainly not saying we should expand the already over-broad domestic dragnet to include white supremacists espousing ugly speech (but neither should hateful speech from Muslims be sufficient for a material support for terrorism charge, as it currently is). Yet as one after another white cop kills or leads to the death of unarmed African Americans, we have to ensure that we call like crimes by like names to emphasize the importance of protecting all Americans. DOJ under Eric Holder was superb at policing civil rights violations, and there’s no reason to believe that will change under DOJ’s second African American Attorney General, Loretta Lynch.

But hate crimes brought with the assistance of DOJ’s Civil Rights division (as these were) are not the same as terrorist crimes brought by national security prosecutors, nor are they as easy to prosecute. If our nation can’t keep African Americans worshipping in church safe, than we’re not delivering national security.

But I’d add to that. If we’re discussing mass killings with guns (remember, earlier this year Richard Burr tried to include commission of a violent crime while in possession of a gun among the definitions of terrorism) then it suggests far different solutions than just calling terrorism terrorism.

What if we focused all our energy on interceding before crazy men — of all sorts — shoot up public spaces rather than just one select group?

What if our definitions of national security started with a measure of impact rather than a picture of global threat?