
The Predictable Result of Asymmetry in Terrorism Policing: Andrew McCabe’s Demise

I recently finished Andrew McCabe’s book.

It is very effective at what I imagine its intended purposes are. It provides some fascinating new details about the genesis of the Russian investigation. It offers a great introduction to how the FBI (at its best) can work. It gives a self-congratulatory version of McCabe’s career, including key events like the Najibullah Zazi and Boston Marathon investigations; even if McCabe had wanted to tell fully honest stories about those investigations, I’m sure the less flattering details wouldn’t have passed FBI’s publication review.

The book also says satisfyingly mean things about Trump, Jeff Sessions, and (more obliquely) Rod Rosenstein. (I think McCabe’s book release significantly explains the rumors reported as fact that Mueller’s report was imminent some weeks ago; that claim served, in part, to once again eliminate any pressure to fire Rosenstein immediately).

The latter two, of course, implemented McCabe’s firing. McCabe’s excuse for lying to the Inspector General, which led to his firing, is one of the least convincing parts of the book (he admits he can’t say more because of his continued legal jeopardy, but he does raise it). That’s true, in part, because McCabe only deals with one of the conversations in question; there were a number of them. But he also excuses his chief lie because he was frazzled about learning of the Strzok-Page texts in the same conversation. I can understand that, but elsewhere, one of his digs against Rosenstein is how overwhelmed the Deputy Attorney General was in the wake of the Jim Comey firing. McCabe suggests, in that context, that because he had dealt with big stressful issues (like the Boston Marathon attack), he wasn’t similarly rattled. Which is why I find it disingenuous to use being frazzled for not being fully truthful to the Inspector General. Plus, virtually all defendants prosecuted for lying to the FBI (including George Papadopoulos, but not Mike Flynn, who is a very accomplished liar) are frazzled when they tell those lies; it’s a tactic the FBI uses to catch people unguarded.

I was most frustrated, however, by something that has become increasingly important in recent days: McCabe’s utter lack of awareness (at least in the book) of the import of the asymmetric focus on Islamic terrorism across his career.

After moving to counterterrorism in the mid-00s from working organized crime, McCabe became an utterly central player in the war on Islamic terror, founding the High Value Interrogation Group, and then leading the CT and National Security Divisions of FBI. He was a key player in investigations — like Zazi — that the FBI is rightly proud of.

But McCabe normalizes the choices made after 9/11 to pursue Islamic terrorism as a distinct danger. He (of course) whitewashes Jim Comey’s decision to retain the Internet dragnet in 2004 under an indefensible use of the PATRIOT Act. He argues that it is politically impossible to survive a failure to prevent an attack even though he managed the Boston Marathon attack, where FBI and NSA had some warning of Tamerlan Tsarnaev’s danger, but nevertheless got very little criticism as a result. Most remarkably, McCabe talks about Kevin Harpham’s attempted attack on the Martin Luther King Day parade, mentions as an aside that this was (obviously) not an Islamic terror attack, but offers no reflection on how Harpham’s attack undermines much of what he presents, unquestioningly, as a greater risk from Islamic terrorism (here’s a story on how Barack Obama did not get briefed on Harpham, a decision that may well have involved McCabe).

Granted, McCabe’s blind spots (at least in the book) are typical of people who have spent their lives reinforcing this asymmetry. You see it, too, in this utterly nonsensical paragraph in a largely ridiculous piece from Joshua Geltzer, Mary McCord, and Nick Rasmussen — all likewise accomplished players in the War on Just One Kind of Terrorism — at Lawfare.

The phrases “international terrorism” (think of the Islamic State and al-Qaeda) and “domestic terrorism” (think of the Oklahoma City bombing and the October 2018 shooting at a Pittsburgh synagogue) have often been a source of confusion to those not steeped in counterterrorism. The Islamic State has its roots internationally, but what makes it such a threat to Americans is, in part, its ability to influence domestic actors like Omar Mateen to kill Americans in domestic locations like Orlando, Florida. The group may be “international,” but its attackers and attacks can be, and have been, domestic—to tragic effect.

This paragraph, in a piece that admits the focus of their career has been wrong (and neglects to mention that Christchurch terrorist Brenton Tarrant named Donald Trump, along with Anders Behring Breivik, as an inspiration), suggests that the reason international terrorism is “such a threat” is because it can inspire domestic actors. The logic inherent to that paragraph is that terrorism carried out by “domestic terrorists,” inspired by a domestic white supremacist ideology is any less dangerous than terrorism carried out by people inspired by what is treated as an international ideology. International terrorism is worse than domestic terrorism, these experts argue, because it can lead to domestic terrorism.

Dead is dead. And given the significant number of white supremacists who have had experience in the military and greater tolerance for their training, white supremacists have the potential of being far more effective, as individuals, at killing than US-based Islamic terrorists.

One thing the Lawfare piece studiously avoids acknowledging is that what it calls “domestic” terrorism (the racist ideology of which they never describe) is an ideology significantly exported by the United States. Even in a piece that rightly calls for an equal focus on both white supremacist terrorism and Islamic terrorism, it ducks labeling the ideology in question. And while this WaPo piece does label the ideology in question, it bizarrely calls an attack in New Zealand carried out by an Australian a “domestic” attack.

The WaPo piece describes one problem with the asymmetric treatment of different kinds of terrorism: that governments don’t share intelligence about international violent racist ideology. In fact, in the US, such intelligence gets treated differently, if the FBI’s failure to track the networks around Frazier Glenn Miller and Eric Rudolph is any indication.

Ironically, that’s one reason that McCabe’s failure to track white supremacist terrorism in the same way he tracked Islamic terrorism led to his demise. While the network behind the election year operation that helped elect Trump involves a lot of Russians, it also clearly involves a lot of white supremacists like Nigel Farage (and David Duke), a network Russia exploited. Additionally, as I have argued (and at least one study backs) white supremacist networks provided the real fire behind the attacks on Clinton; Russia’s information operations had the effect of throwing more fuel on a blazing bonfire.

The other problem with the US government’s asymmetric treatment of terrorism is legitimacy. Labeling Islamic terrorism “foreign” and pursuing material support cases based partly on speech has had the effect of criminalizing some speech that criticizes US foreign policy, even well-deserved criticism about the effect of US killing of Muslims. By contrast, white supremacist speech, even that which more aggressively advocates violence, is treated as speech. Yes, deplatforming has begun to change that.

But we’re still not at a place where those who incite white supremacist violence are held accountable for it.

That’s how it was possible for a man to kick off a campaign by inventing lies about Mexican immigrants and how the entire Republican party, up to and including the new supposedly sane Attorney General, are permitted to pursue counterproductive policies solely so they can appear to demonize brown people.

Irrespective of the merit or not in the finding that Andrew McCabe lacked candor with the IG, he got treated the way he did because a man whose entire political career is based off feeding white resentment needed to appear to be a victim of Andrew McCabe. That act, by itself, was not about Trump’s white supremacist ideology. But it is a structure of power that is white supremacist (exacerbated by Trump’s narcissism).

We have a President Trump in significant part because this country has tolerated and even rewarded white supremacist ideology, institutionally ignoring that it poses as much of a risk as violent Islamic ideology. It would be really useful if people like Andrew McCabe spent some time publicly accounting for that fact.

The white supremacy that brought us the Trump presidency would not be possible if we had treated violent white supremacist terror as terror for the last twenty years.

The Government’s Classified Briefing to HJC: A New Certificate?

As I noted, after years of legislating Section 702 of the FISA Amendments Act in public, yesterday the House Judiciary Committee had a closed hearing on it, which raises all sorts of questions about what has changed.

The agencies presenting to the committee did provide an unclassified statement for the record that is mostly stuff we know (one of the most interesting details is that it considers upstream telephony collection to be a different kind of collection than upstream Internet collection). But it does provide 3 examples of things that it would explain to the committee in classified session. One is utterly predictable: examples of counterterrorism intelligence obtained under Section 702.

Section 702 collection is a major contributor to NSA’s counterterrorism reporting and on other topics as well. Since its enactment in 2008, the number of signals intelligence reports issued by NSA based at least in part on Section 702 collection has grown exponentially. CIA and FBI state that they have acquired highly valuable and often unique intelligence through Section 702 collection. Numerous real-life examples that demonstrate the broad range of important information that the Intelligence Community has obtained can be provided to the Committee in a classified setting. While these examples which identify specific targets and operations must remain classified, the following declassified example provides just one instance of the many contributions Section 702 has made to our national security.

Of course, the IC shouldn’t be permitted to present such things in secret, as so many of their cases have been shown to be bogus (or not provided 702 notice) in the past. It is now down to one unclassified case — Najibullah Zazi — where they used 702, and that wasn’t even all that central (which may be why they never did get 702 notice).

The other two are more interesting. They include:

  • What certificates the government has approved: “The Government will describe in a classified setting the certification or certifications under which the Government is currently acquiring foreign intelligence information.”
  • The contributions of Section 702 data to other kinds of foreign intelligence collection: “The Board further acknowledged the Section 702 program’s value in acquiring other foreign intelligence information, examples of which can be provided in a classified setting.”

Recall, as late as 2011, the IC was known to have 3 certificates: a counterterrorism certificate, a counterproliferation one, and a foreign government one, which serves as a grab bag. Because it was so obvious the IC was using Section 702 for cybersecurity, I mistakenly claimed they had a cyber certificate, but as late as 2012, they had not yet obtained one. Perhaps the IC needed classified session to explain all this.

But how weird would it be to brief HJC on a Section 702 cyber certificate while DHS and DOJ are implementing OmniCISA, which will enable upstream searches for cyber signatures within the US? Perhaps that’s what they were doing, but it would be interesting timing.

Which makes me wonder, again, about whether there’s another kind of certificate, perhaps one targeted at Tor?

In any case, there is something significant about the set of certificates the IC has or is asking for (probably the former, given that it makes a big show here of releasing the documents tied to the 2014 certification process, but not those tied to the 2015 certification process).

I’m sure that’s not the only thing the IC wanted to brief HJC on in secret. But it does appear to be one thing they did brief in secret. (Side note: I have reason to believe the IC did not tell the truth, even within the IC, about what certificates they got at the beginning of the PRISM process, so at least this would suggest they’re now being more forthcoming.)

Mike Rogers Wanted to Drone Kill an American Citizen for Training with al Qaeda?

There has been some good commentary on NYT’s story on Administration debates over killing Mohanad Mahmoud al-Farekh, the American citizen who was captured and charged in federal court on April 2, after the Administration considered but then decided against drone-killing him. Both David Cole and Brett Max Kaufman raise some important points and questions. Of particular note, they ask what the fuck Mike Rogers was doing pushing DOD and CIA to kill a US citizen.

Yet neither of those pieces gets to something I’m puzzling over. Al-Farekh was charged in EDNY (Loretta Lynch’s district), but he was only charged with conspiracy to commit material support for terrorism, a charge that carries a 15 year maximum sentence. Basically, he is accused of conspiring with Ferid Imam who in turn trained Najibullah Zazi and his co-conspirators for their planned 2009 attack on the NY Subway system.

In approximately 2007, Farekh, an individual named Ferid Imam and a third co-conspirator departed Canada for Pakistan with the intention of fighting against American forces.  They did not inform their families of their plan before departing, but called a friend in Canada upon arrival to let him know that he should not expect to hear from them again because they intended to become martyrs.  According to public testimony in previous criminal trials in the Eastern District of New York, in approximately September 2008, Ferid Imam provided weapons and other military-type training at an al-Qaeda training camp in Pakistan to three individuals – Najibullah Zazi, Zarein Ahmedzay and Adis Medunjanin – who intended to return to the United States to conduct a suicide attack on the New York City subway system.  Zazi and Ahmedzay pleaded guilty pursuant to cooperation agreements and have yet to be sentenced; Medunjanin was convicted after trial and sentenced to life imprisonment.  Ferid Imam has also been indicted for his role in the plot.

But the evidence laid out in the complaint is rather thin, basically amounting to the second-hand reports that al-Farekh, like Zazi and his friends, traveled to Pakistan for terrorist training.

Were we really going to kill this dude with a drone because he got terrorist training in Pakistan? That’s it?

Now, it’s quite possible the government is just charging him with the crimes the evidence for which they can introduce in a trial — though note that the government got a FISC warrant to collect on him (though it’s possible this is drone-based collection, and so sensitive enough they wouldn’t want to use it at trial).

Drones spotted him several times in the early months of 2013, and spy agencies used a warrant issued by the Federal Intelligence Surveillance Court to monitor his communications.

It’s equally possible that al-Farekh will be indicted on further charges, a more central role in plotting attacks out of the tribal lands of Pakistan. Similarly, it’s possible that al-Farekh’s High Value Interrogation Group interrogation — reported as well in this WaPo story — provided valuable intelligence on other militants that will have nothing to do with his own trial.

Still, both the earlier WaPo story (written in part by Adam Goldman, who wrote the book on the Zazi case) and the NYT story hint that the claims made about al-Farekh’s activities in 2013 have proven to be overblown. The WaPo doesn’t provide much detail.

Officials said there were questions about how prominent a role Farekh played in al-Qaeda.

The NYT provides more.

But the Justice Department, particularly Attorney General Eric H. Holder Jr., was skeptical of the intelligence dossier on Mr. Farekh, questioning whether he posed an imminent threat to the United States and whether he was as significant a player in Al Qaeda as the Pentagon and the C.I.A. described.

[snip]

Once in Pakistan, Mr. Farekh appears to have worked his way up the ranks of Al Qaeda, his ascent aided by marrying the daughter of a top Qaeda leader.

American officials said he became one of the terrorist network’s planners for operations outside Pakistan, a position that included work on the production and distribution of roadside bombs used against American troops in Afghanistan.

Some published reports have said that Mr. Farekh held the third-highest position in Al Qaeda, but American officials said the reports were exaggerated.

His level in the Qaeda hierarchy remains a matter of some dispute. Several American officials said that the criminal complaint against him underplayed his significance inside the terrorist group, but that the complaint — based on the testimony of several cooperating witnesses — was based only on what federal prosecutors believed they could prove during a trial.

This, then — along with the explicit connection with the Awlaki case, based as it was, at least at first, on Umar Farouk Abdulmutallab’s interrogation and all the reasons to doubt it — seems the big takeaway. We almost killed this dude, but now all we can prove is that he trained in Pakistan.

Ironically, Philip Mudd argues for the NYT that we can’t capture these people because we’d have to rely on our intelligence partners.

But many counterterrorism specialists say capturing terrorism suspects often hinges on unreliable allies. “It’s a gamble to rely on a partner service to pick up the target,” said Philip Mudd, a former senior F.B.I. and C.I.A. official.

Of course, these are often the same people we rely on for targeting intelligence, including against both Awlaki and al-Farekh. What does it say that we’d believe targeting information from allies, but not trust them to help us arrest the guys they apparently implicate?

Whatever that says, the story thus far (it could change) is that al-Farekh was almost killed on inadequate evidence because CIA and DOD were champing at the bit. That ought to be the big takeaway.

FBI Field Offices Don’t See the Point in Racial Profiling

As I noted earlier, I’m reading the 9/11 Follow-Up Report just completed for FBI. And while there are some interesting insights in it, in general I think the analysis of the report itself is pretty horrible (which is funny because the report says FBI needs more analysts). I’ll have more specific details on that later, but I wanted to point to what the report says about FBI not adopting “Central Strategic Coordinating Components” or CSCCs, which are basically analysts in each Field Office that are supposed to do “domain awareness” for the Field Office. That means they’re supposed to get to know the neighborhood to anticipate any problems that might come up. (As far as I know, no one has ever thought of doing a domain awareness for Wall Street, in spite of all the new threats that pop up there over and over.)

As the report makes clear, every Field Office is supposed to have someone doing this. But, as documents obtained by ACLU under FOIA have shown, it often amounts to racial profiling, whether that be Muslims or Latinos or something else. And, at least given the NYPD example, where their domain awareness program never found any plot (and didn’t find two plots covered by this FBI report, notably the Najibullah Zazi attack), there’s no evidence I know of that they actually help to prevent crimes.

Yet rather than analyzing whether this concept serves any purpose whatsoever, it instead says, “it’s corporate policy, no one is doing it well, so it needs to improve.” (Note, most of the named people interviewed for the report are not FBI agents, and many come from CIA or another intelligence agency; John Brennan, who almost certainly had a role in setting up NYPD on the Hudson, for example, was interviewed.)

What I find particularly remarkable is what the report found in the field.

According to one anecdote, 20% of analysts (not even Field Agents!) understand the point of this. And even in offices where they do understand, the Field Agents won’t do their part by going and filling in the blanks analysts identify.

Call me crazy. But maybe the people responding to actual crimes believe they learn enough in that process — and are plenty busy enough trying to catch criminals — that they don’t see the point of racially profiling people like NYPD does? Maybe they believe the ongoing threats are where the past ones have been, and there’s no need to spend their time investigating where there aren’t crimes in case there ever are in the future?

I don’t know. But I think the Field Agents might be onto something.

Update, 3/27: Adding, there seems to be a logic problem with this too. Another big push for the FBI — a more understandable one, but not without risks of its own — is that FBI partner much more closely with local cops. If the local cops are doing their job well, wouldn’t they provide the “domain awareness” FBI needs? This is actually a point a senior FBI manager noted in discussing its relationship with ODNI (see page 92). Admittedly, a lot of cops are occupiers rather than local stewards of safety, but that’s a separate problem.

Update, 3/27: The report returns to domain awareness again, pointing to that as the one thing that can differentiate between a domestic security agency and an intelligence agency.

As the FBI began its transformation into a national security organization, at the heart of that transformation was the concept of domain awareness. Domain awareness reflected the realization that the FBI could not be reactive and wait for cases to develop, it had to proactively seek to understand its environment. From the Review Commission’s perspective, that means that domain analysis, which attempts to capture what is known and identify gaps for further collection, is at the heart of the FBI’s transformation into a domestic intelligence agency, and it needs to be a process informed by everything the USIC has to offer. This includes all information from local sources—law enforcement, colleges and universities, and prisons—to which other parts of the USIC do not have access. Robust domain analysis will allow the FBI to harness its considerable skill at collection and source development in support of identifying new threats in addition to collecting against known threats. A failure to achieve that goal will leave the US with a domestic security service rather than a domestic intelligence agency, and with a vulnerability to homegrown threats that fall outside the purview of our foreign intelligence establishment.316


(U) CSCCs are responsible for the FBI’s domain awareness and analysis. Each field office is required to establish a CSCC. The groups are comprised of small groups of intelligence analysts who are tasked to produce foundational documents such as Domain Intelligence Notes (DINs) and Threat Mitigation Strategies (TMSs). They also expose information gaps and guide special agents’ planned or incidental collection efforts. Effective CSCCs are critical to ensuring that field office efforts are threat-based and intelligence-driven.

(U) But during its field office visits, the Review Commission observed an uneven application of the CSCC concept and that many field offices struggled with effectively operating its CSCC. In the majority of the field offices the Review Commission visited, the CSCCs were not performing their intended functions.215 Many of the intelligence analysts who were initially assigned to the CSCC had been moved to operational squads to provide tactical support to case agents, leaving the CSCC understaffed and unable to fulfill its primary mission.216 In some field offices, CSCC analysts were so involved in tactical support that their DINs and TMSs languished until the SAC accounted for them in the office’s mid and year-end reviews.217

(U) A centerpiece of the FBI’s intelligence framework is domain analysis, which entails the ability to understand what is happening in a given area of operations using all available sources of data. Accordingly, domain management is the FBI’s systematic process to develop strategic awareness in order to: identify and prioritize threats, vulnerabilities, and intelligence gaps; contribute to the efficient allocation of resources and operational decisions; discover new opportunities for collection; and set tripwires to provide advance warning.218 The Review Commission strongly believes that the field offices must prioritize collection opportunities to identify, develop, and pursue new intelligence leads in concert with their ongoing investigations.

(U) In many field offices we visited there was only one intelligence analyst left on the CSCC to conduct domain analysis for the field office and even then they spent much of their time mapping existing incidents and/or efforts. There was no observable forward looking aspect to the work. From the Review Commission’s observations, even when the DINs and TMSs are produced they are not generally valued at the field office-level as parts of a comprehensive intelligence collection plan (e.g., the plan that establishes the field’s baseline knowledge, identifies intelligence gaps, and informs the field’s strategy to mitigate new threats).219 In one field office we were told that an analyst had produced a comprehensive collection plan but it was ignored by the special agents who would have to implement it.220 We attribute this to a special agent-driven culture that still does not necessarily understand the value of filling intelligence collection requirements and, therefore, renders this overall mission a lower priority than it should be. It can also be attributed to the lack of sufficient leadership to hold field office personnel accountable for intelligence as well as criminal responsibilities.

215 (U) Some offices demonstrated a much higher comprehension of the CSCC concept and value and consequently provided higher levels of resources to facilitate mission success. The Review Commission would like to commend, however, the one field office that acknowledged that it was struggling with creating an effective CSCC and planned to visit another field office that is believed to be doing a better job so as to learn how others are operating a CSCC and perhaps identify best practices to bring back and implement. Memorandum for the Record, July 28, 2014.

216 (U) One intelligence analyst speculated the CSCC concept was widely misunderstood across the FBI because the benefit to special agents is unclear. The intelligence analyst also estimated that approximately 20 percent of analysts understood the meaning and purpose of the CSCC. Memorandum for the Record, September 17, 2014.

217 (U) Memorandum for the Record, August 14, 2014.

218 (U) Federal Bureau of Intelligence, Directorate of Intelligence, Intelligence Program Corporate Policy Directive and Policy Implementation Guide, May 2, 2013: 62.

219 (U) Memorandum for the Record, September 19, 2014.

220 (U) Memorandum for the Record, July 29, 2014.

PCLOB Ignores Glaring Section 702 Non-Compliance: Notice to Defendants

I will have far more to say about PCLOB once I finish my working thread. But there’s one glaring flaw in the report’s claim that the government complies with the statute.

Based on the information that the Board has reviewed, the government’s PRISM collection complies with the structural requirements of the statute.

But here’s the report’s discussion of what happens with aggrieved persons — those prosecuted based on information derived from Section 702 information.

Further, FISA provides special protections in connection with legal proceedings, under which an aggrieved person — a term that includes non-U.S. persons — is required to be notified prior to the disclosure or use of any Section 702–related information in any federal or state court.447 The aggrieved person may then move to suppress the evidence on the grounds that it was unlawfully acquired and/or was not in conformity with the authorizing Section 702 certification.448 Determinations regarding whether the Section 702 acquisition was lawful and authorized are made by a United States District Court, which has the authority to suppress any evidence that was unlawfully obtained or derived.449 

But for 5 years after the passage of the law, the government never once gave defendants notice they were aggrieved under Section 702. It lied to the Supreme Court about not having done so. And even while it has since given a limited number of defendants — like Mohamed Osman Mohamud — notice, there are others — David Headley, Najibullah Zazi and Adis Medunjanin, and Khalid Ouazzani — who are known to be aggrieved under Section 702 who have never received notice. Finally, there is the case of the Qazi brothers, which seems to be a case where the government is parallel constructing right in the face of the magistrate.

PCLOB said that the government is generally in compliance with the statute. And yet, it made no mention of known, fairly egregious violations of the statute.

That suggests the report as a whole may be flawed.

NSA’s Latest Claim: It Only Gets 30% of “Substantially All” the Hay in the Haystack

In December 2007, the FBI began intercepting MOALIN’s cell phone.

FBI search warrant affidavit seeking (among other things) additional cell phones, October 29, 2010

Yesterday, Siobhan Gorman reported that NSA’s “phone-data program” collects 20% or less of the phone data in the US. She explains that the program doesn’t collect cell phone data, and so has covered a decreasing percentage of US calls over the last several years.

The National Security Agency’s phone-data program, which has been at the center of controversy over the NSA’s surveillance operations, collects information from about 20% or less of all U.S. calls—much less than previously described by lawmakers.

The program had been described as collecting records on virtually every phone call placed in the U.S., but in fact, it doesn’t cover records for most cellphones, the fastest-growing sector in telephony and an area where the agency has struggled to keep pace, according to several people familiar with the program.

Ellen Nakashima’s report places the percentage between 20 and 30%, echoing Gorman’s claim about limits on cell data.

The actual percentage of records gathered is somewhere between 20 and 30 percent and reflects Americans’ increasing turn away from the use of land lines to cellphones. Officials also have faced technical challenges in preparing the NSA database to handle large amounts of new records without taking in data such as cell tower locations that are not authorized for collection.

[snip]

The bulk collection began largely as a land-line program, focusing on carriers such as AT&T and Verizon Business Network Services. At least two large wireless companies are not covered — Verizon Wireless and T-Mobile U.S., which was first reported by the Wall Street Journal.

Industry officials have speculated that partial foreign ownership has made the NSA reluctant to issue orders to those carriers. But U.S. officials said that was not a reason.

“They’re doing business in the United States; they’re required to comply with U.S. law,” said one senior U.S. official. “A court order is a court order.”

Rather, the official said, the drop in collection stems from several factors.

Apart from the decline in land-line use, the agency has struggled to prepare its database to handle vast amounts of cellphone data, current and former officials say. For instance, cellphone records may contain geolocation data, which the NSA is not permitted to receive.

These reports offer a more credible explanation than Geoffrey Stone’s multiple claims to this effect about why the program misses data. So they may be true.

But I think they instead point to the legal range of authorities NSA uses to collect phone records, not to what records they actually have in their possession.

These reports are commenting (though without specifying, or even seeming to be aware they need to specify) on what the government claims it collects under Section 215. These reports are not commenting on what NSA collects under all authorities.

In this post I will show why I believe these reports to be credible only in a very narrow sense. In a follow-up post I will point to the legal issues that underlie the Administration’s conflicting claims about what it collects.


The Government Plays Connect-the-Dots Differently than They Say

In my continuing obsession to understand precisely how the government really uses the dragnet, consider this post, in which NSA Review Group member Geoffrey Stone conducts (IMO) inadequate analysis to conclude the phone dragnet is probably unconstitutional.

In it, he provides this description of how the government uses the phone dragnet:

In 2012, the NSA queried a total of 288 phone numbers. Based on these queries, the NSA found 16 instances in which a suspect phone number was directly or indirectly in touch with another phone number that the NSA independently suspected of being associated with terrorist activity. In such cases, the NSA turns the information over to the FBI for further investigation.

In terms of the “connect the dots” metaphor, the purpose of the program is not so much to discover new “dots” but to determine if there are connections between two or more already suspect “dots.” For example, if a phone number belonging to a terrorist suspect in Pakistan is found to have called a phone number in the United States that the government independently suspects belongs to a person involved in possible terrorist activity, alarm bells (figuratively) go off very loudly, alerting the government to the need for immediate attention. [my emphasis]

I don’t think this can be an accurate description of how the dragnet works.

It is close to what happened with Adis Medunjanin. As the FBI was homing in on Najibullah Zazi, the NSA did a query and found a new cell phone for Medunjanin, though they already knew Medunjanin was a likely accomplice of Zazi’s through travel records. The government says they were particularly interested in this phone because it was in contact with other extremists. Thus, they found a brand new phone number, but one that ended up being associated with both a suspect (Medunjanin) and other suspects (the other people that phone was in contact with).

But that cell phone for Medunjanin was a brand new number to the NSA, at least according to their reports.

The claim may still be true if they used burner matching to identify Medunjanin as a match to the other phone record they had on him. But it seems this process would have to involve additional information about Medunjanin at some point — at the very least, the match of those travel documents to that phone number, if not his identity.

In other words, this only seems to make sense if they had Medunjanin’s “identity” in some form or another, belying their claims not to have identities while they’re contact chaining.

The description is potentially more problematic with Basaaly Moalin. In his case, the stated explanation for what happened is they found his number on a second-degree search, sent it to the FBI, and the FBI learned he was the guy who had previously been investigated in 2003.

The problem might be alleviated in two ways: first, if the hawala through which Moalin was sending money to Ayro was also tied to a suspect number. That’s a distinct possibility, but the question is, how does that identity as a suspect number get communicated to NSA? If NSA already had it, doesn’t it mean they’ve got more suspect numbers sitting somewhere than have been RAS approved?

The other possibility is that Moalin himself was still identified as a suspect number from the investigation back in 2003 — that an investigation that turned up no evidence might still, during the era of the illegal program, have gotten someone nominated as a suspect number under Cheney’s program, and they never purged the system entirely (which would seem to be supported by the 2009 problems, which showed they hadn’t turned off the illegal program features).

Either of these possibilities, of course, would raise new concerns about the NSA program.

But the description would also raise real issues, both about the honesty of witnesses and the potential efficacy of the system. If the NSA only triggers on people who’ve got ties to a second suspect number (which is entirely different than what they’ve been saying) then it could not possibly alert the government to a fully compartmented lone actor (someone like, say, Faisal Shahzad). That is, it would only find people who were engaged in the kind of elaborate planning seen before the government dismantled al Qaeda, but would not find the kind of individual extremists we’ve seen almost exclusively (with the exception of Zazi) for years.

This would answer the question of whether the NSA is finding the right numbers, in that it would be less likely to find someone innocent. It also might explain why the program didn’t find Shahzad. But it would also mean it does (as presented) far less than the NSA has been saying it does.

I don’t actually believe that, but that is what it would suggest.

The Purpose(s) of the Dragnet, Revisited

As I noted the other day, one basis Judge Richard Leon used to find that the dragnet was likely unconstitutional was that it wasn’t all that useful. But I was particularly interested in the evidence he points to to establish that (see page 61 of his ruling), because it and the underlying basis for it reveal far more about how the government uses the dragnet than we’ve seen.

Leon points to the three cases in which the phone dragnet was supposed to be useful, which he gets from the declaration of FBI Acting Assistant Director Robert Holley. Holley claims the dragnet was useful in the Khalid Ouazzani, David Headley, and Najibullah Zazi cases (though Holley does not mention Ouazzani by name), using the following language.

In January 2009, using authorized collection under Section 702 of the Foreign Intelligence Surveillance Act to monitor the communications of an extremist overseas with ties to al-Qa’ida, NSA discovered a connection with an individual based in Kansas City. NSA tipped the information to the FBI, which during the course of its investigation discovered that there had been a plot in its early stages to attack the New York Stock Exchange. After further investigation, NSA queried the telephony metadata to ensure that all potential connections were identified, which assisted the FBI in running down leads.

[snip]

At the time of his arrest, Headley and his colleagues, at the behest of al-Qa’ida, were plotting to attack the Danish newspaper that published cartoons depicting the Prophet Mohammed. Headley was later charged with support for terrorism based on his involvement in the planning and reconnaissance for the 2008 hotel attack in Mumbai. Collection against foreign terrorists and telephony metadata analysis were utilized in tandem with FBI law enforcement authorities to establish Headley’s foreign ties and them in context with his U.S. based planning efforts.

[snip]

NSA received Zazi’s telephone number from the FBI and ran it against the Section 215 telephony metadata, identifying and passing additional leads back to the FBI for investigation. One of these leads revealed a previously unknown number for co-conspirator Adis Medunjanin and corroborated his connection to Zazi as well as to other U.S.-based extremists.

First, note what’s missing? Any mention of Basaaly Moalin, the only defendant for whom the government claims the phone dragnet was critical to his identification. Holley may have left Moalin out because of the timing: DOJ submitted his declaration on November 12, the day before the hearing on Moalin’s bid for a new trial and two days before Jeffrey Miller’s ruling rejecting that. Did DOJ think they might lose that argument, and so left it out out of fear it would make them more likely to lose this one (Leon does acknowledge Miller’s ruling in his own)? Or was the case just so dated they chose not to mention it?

Whatever the reason, they’re left describing three cases in which even Keith Alexander admits the dragnet was at best only helpful.

But note the other thing: Up until now, the government has only described how the dragnet was useful in the Zazi case. While in its propaganda about 54 plots or maybe just terrorist events thwarted, it has implicitly suggested that only those with a US-nexus could involve the dragnet, I know of no other instance where they made it clear that they sort of used it in the Headley and Ouazzani cases (I’m going to check the declarations in the parallel suits later).

In both cases, it appears, the government only used it after the fact (which is how they used it in the Boston Marathon attack, which bizarrely also goes unmentioned).


Did DOJ Prosecute Basaaly Moalin Just to Have a Section 215 “Success”?

At yesterday’s Senate Judiciary Committee hearing on the dragnet, the government’s numbers supporting the value of the dragnet got even worse. At one point, Pat Leahy asserted that the phone dragnet had only been useful in one case (in the last hearing, there had been a debate over whether it had been critical in one or two cases).

Leahy (after 1:09:40): We’ve already established that Section 215 was uniquely valuable in just one terrorism case, not the 54 that have been talked about before.

In a follow up some minutes later, Keith Alexander laid out numbers that explain how the Administration had presented that 1 case as 12 in previous claims.

Alexander (at 1:21:30): As you correctly stated, there was one unique case under 215 where the metadata helped. There were 7 others where it contributed. And 4 where it didn’t find anything of value, and we were able to tell the FBI that.

That is, to publicly claim that the phone dragnet has been useful in 12 cases, the Administration included 7 cases where — as with the Najibullah Zazi case — it proved to be a tool that provided non-critical information available by other means, and 4 cases where it was useful only because it didn’t show any results.

To fluff their numbers, the Administration has been counting cases where the phone dragnet didn’t show results as showing results of no results.

With sketchy numbers like that, it’s high time for a closer examination of the details — and the timing — of the Basaaly Moalin prosecution, the only case (Alexander now agrees) where the phone dragnet has been critical.

As a reminder, Moalin was first identified via the dragnet — probably on a second hop away from Somali warlord Aden Ayro — in October 2007. They used that and probably whatever tip they used to investigate him in 2003 to get a FISA warrant by December 20, 2007. Only 2 months later, February 26, 2008, was al-Shabaab listed as a foreign terrorist organization. Ayro was killed on May 1, 2008, though the government kept the tap on Moalin through December 2008, during which period they collected evidence of Moalin donating money (maybe 3 times as much as he gave to al-Shabaab-related people) to a range of people who had nothing to do with al-Shabaab. A CIPA stipulation presented at the trial revealed that during this period after the inculpatory conversations, Moalin’s tribe and Shabaab split and Moalin’s collections supported other entities in Somalia.

1. Money collected for the Ayr sub-clan was given to individuals including Abukar Suyare (Abukar Mohamed) and Fare Yare, who were associated with the Ilays charity.

2. Money collected by the men in Guracewl on behalf of the Ayr sub-clan was given to a group that was not as-Shabaab. [sic]

3. There was a dispute between al-Shabaab, the Ayr clan and Ilays over the administration pf [sic] of Galgaduud regions.

4. Members of the Ilays charity and the Ayr sub-clan, including Abukar Suryare, were opposed to the al-Shabaab and were Ayrow’s enemies.

On April 8, 2009, FBI would search the hawala used to send money based entirely on Moalin’s case. Yet on April 23, 2009, according to a document referenced but not provided to Moalin’s defense, the FBI concluded that Moalin not only no longer expressed support for al-Shabaab, but that he had only ever supported it because of tribal loyalties, not support for terrorism.

The San Diego FIG assesses that Moalin, who belongs to the Hawiye tribe/Habr Gedir clan/Ayr subclan, is the most significant al-Shabaab fundraiser in the San Diego Area of Operations (AOR). Although Moalin has previously expressed support for al-Shabaab, he is likely more attentive to Ayr subclan issues and is not ideologically driven to support al-Shabaab. The San Deigo FIG assesses that Moalin likely supported now deceased senior al-Shabaab leader Aden Hashi Ayrow due to Ayrow’s tribal affiliation with the Hawiye tribe/Habr Gedir clan/Ayr subclan rather than his position in al-Shabaab. Moalin has also worked diligently to support Ayr issues to promote his own status with Habr Gedir elders. The San Diego FIG assesses, based on reporting that Moalin has provided direction regarding financial accounts to be used when transferring funds overseas that he also serves as a controller for the US-based al-Shabaab fundraising network.

The intercepts on which the prosecution was based support this. They show that Moalin’s conversations with Ayro and others focused on fighting the (American-backed) Ethiopian invaders of his region, not anything outside of Somalia.


John Bates Intervened in the Phone Dragnet Problems

Yesterday, I Con the Record released more records in response to the ACLU FOIA for records on the Section 215 program (though once again, they didn’t mention the FOIA).

Three of the documents provide more data points for a notable progression I laid out in this post, in which Reggie Walton appears to have shut down some collection from one telecom on July 9, 2009, then reapproved it (including retroactively) on September 3, 2009, just in time for the Intelligence Community to claim Section 215 collection was central to the Najibullah Zazi investigation.

First, a July 2, 2009 notice to Walton provided the End-to-End review “for the Court’s information.” It had been completed on June 25 and provided to the Intelligence and Judiciary Committees on June 30. It was also included in the formal DOJ filing to Walton on August 19, which left the impression that DOJ had held it for two months before sharing it with the court. But this notice makes it clear Walton received a copy with only a slight delay (and the day before they delivered the first weekly report he had demanded). It also makes it clear he had gotten it, and probably read it, before whatever action he took on July 9. What may be the problematic collection (see pages 15-16) apparently got reported to FISC before May 29 (no mention of a formal notice is included, though it seems to be addressed in the May 29 order). But there are other violations (such as the sharing described on page 17 that may involve Homeland Security) that appear to have been newly disclosed with this report.

A second document — a September 10 notice to just the Senate Intelligence Committee (?!) that Judge Walton had reauthorized the bulk collection program on September 3 — reveals that on August 4, FISC Chief Judge John Bates had written Eric Holder a letter raising concerns. The notice portrays a September 1 demonstration for Walton, Bates, and Judge Thomas Hogan (who I believe was the only other FISC judge from the DC Circuit at the time), apparently at NSA, as a response to Bates’ concerns. But the description of the demonstration also notes that,

The information was presented in the context of a current operation that concerns a potential threat to the U.S. homeland.

Remember, this was before (by 2 days) the Zazi investigation started. So this must reference something else, though it certainly didn’t sound all that urgent.

In any case, while it is unclear who got Bates involved (after all, it could have been the Administration, complaining that some of its production had been cut off), it is noteworthy he was involved, which provides a little more background to the frustration he expressed in his October 3, 2011 opinion accusing the government of significant misrepresentations on 3 occasions.

Finally, on October 21, in what must have been part of the PATRIOT Act reauthorization push, National Counterterrorism Center’s Michael Leiter and the NSA’s Assistant Deputy Director for Counterterrorism addressed the House Intelligence Committee. Along with their case for the program and a heavily glossed description of the problems with it (which they indicate had already been noticed in some form to the Committee), they described how tips from the dragnet “have contributed directly to the following specific cases,” plural. It includes an entirely unredacted description of the dragnet’s role in the Zazi investigation (without, for example, disclosing FBI already knew of Adis Medunjanin through travel documents to Pakistan where he and Zazi trained with terrorists). And it includes a shorter description of what must be at least one other case, which is entirely redacted. It’s possible, after all, that that second “success” (which is so credible we can’t know about it) is the ongoing threat referred to in the September 10 notice, which NSA used to scare FISC into reauthorizing the dragnet.

One more detail about the notice to HPSCI. It fails to mention that, less than 3 weeks after he reauthorized the dragnet, Walton learned — from DOJ, not NSA — of further information sharing violations. In other words, the HPSCI witnesses falsely portrayed the problems as fixed, when there were pending violations still being discussed between NSA and FISC.

There’s nothing enormous in these revelations, but they do add to the understanding of how gravely FISC took these violations, and how partial the Congressional briefing on them was.