Posts

Section 702 Is Used for Terror, Proliferation, AND Hacking

The AP has a story about the way algorithms control Section 702, the legal program for which PRISM provides NSA analysts acces.

And while he also admits that Obama “had expanded the scope of the surveillance,” Michael Hayden makes this false claim (which he actually said on FNS).

Michael Hayden, who led both the NSA and CIA, said the government doesn’t touch the phone records unless an individual is connected to terrorism.

He described on “Fox News Sunday” how it works if a U.S. intelligence agent seized a cellphone at a terrorist hideout in Pakistan.

“It’s the first time you’ve ever had that cellphone number. You know it’s related to terrorism because of the pocket litter you’ve gotten in that operation,” Hayden said. “You simply ask that database, `Hey, any of you phone numbers in there ever talked to this phone number in Waziristan?'”

Here’s how I know this is absolutely false (aside from the language of Section 702 that clearly allows it to be used for foreign intelligence generally so long as it is targeted — which is one of those tricky words– at people not known to be in the US).

Director Clapper — who admittedly engages in least untruthfuls that are too cute by half — claimed this as one of the successes in Section 702.

Communications collected under Section 702 have provided significant and unique intelligence regarding potential cyber threats to the United States, including specific potential network computer attacks. This insight has led to successful efforts to mitigate these threats.

Don’t get me wrong. Using this kind of collection for foreign cyberattacks is entirely appropriate. Indeed, it is probably the very best use of the tool, since it’s it’s a lot easier to engage in cyberattacks — particularly if you’re overseas — using the Internet, whereas the most dangerous terrorists can and no doubt increasingly will find other means to communicate.

So it’s not that I object to using this program to target Chinese hackers. But as you consider the 51% standard that, according to Edward Snowden, NSA analysts have to meet, or if you consider how easily signals taken from any major US-based coverage can meet that 51% standard, understand that NSA is much more likely to make a “mistake” in its geographic screens for American hackers than for American Islamic extremists.

We’ve heard nothing but TERRA TERRA TERRA since these leaks first started. And every time you hear that, you might ask what it would mean if they also mean hacker.

Truck-sized Holes: Journalists Challenged by Technology Blindness

[photo: liebeslakritze via Flickr]

[photo: liebeslakritze via Flickr]

Note: The following piece was written just before news broke about Booz Allen Hamilton employee Edward Snowden. With this in mind, let’s look at the reporting we’ve see up to this point; problems with reporting to date may remain even with the new disclosures.

ZDNet bemoaned the failure of journalism in the wake of disclosures this past week regarding the National Security Administration’s surveillance program; they took issue in particular with the Washington Post’s June 7 report. The challenge to journalists at WaPo and other outlets, particularly those who do not have a strong grasp of information technology, can be seen in the reporting around access to social media systems.

Some outlets focused on “direct access.” Others reported on “access,” but were not clear about direct or indirect access.

Yet more reporting focused on awareness of the program and authorization or lack thereof on the part of the largest social media firms cited on the leaked NSA slides.

Journalists are not asking what “access” means in order to clarify what each corporation understands direct and indirect access to mean with regard to their systems.

Does “direct access” mean someone physically camped out on site within reach of the data center?

Does “direct access” mean someone with global administrative rights and capability offsite of the data center? Some might call this remote access, but without clarification, what is the truth?

I don’t know about you but I can drive a Mack truck through the gap between these two questions.

So which “direct access” have the social media firms not permitted? Which “direct access” has been taken without authorization of corporate management? ZDNet focuses carefully on authorization, noting the changes in Washington Post’s story with regard to “knowingly participated,” changed later to read “whose cooperation is essential PRISM operations.”

This begs the same questions with regard to any other form of access which is not direct. Note carefully that a key NSA slide is entitled, “Dates when PRISM Collection Began For Each Provider.” It doesn’t actually say “gained access,” direct or otherwise. Read more

Side by Side: Timeline of NSA’s Communications Collection and Cyber Attacks

In all the reporting and subsequent hubbub about the National Security Administration’s ongoing collection of communications, two things stood out as worthy of additional attention:

— Collection may have been focused on corporate metadata;

— Timing of NSA’s access to communications/software/social media firms occurred alongside major cyber assault events, particularly the release of Stuxnet, Flame, and Duqu.

Let’s compare timelines; keep in mind these are not complete.

Date

NSA/Business

Cyber Attacks

11-SEP-2007

Access to MSFT servers acquired

15-NOV-2007

Stuxnet 0.5 discovered in wild

XX-DEC-2007

File name of Flame’s main component observed

12-MAR-2008

Access to Yahoo servers acquired

All 2008 (into 2009)

Adobe applications suffer from 6+ challenges throughout the year, including attacks on Tibetan Government in Exile via Adobe products.

11-JAN-2009

Stuxnet 0.5 “ends” calls home

14-JAN-2009

Access to Google servers acquired

Mid-2009

Operation Aurora attacks begin; dozens of large corporations confirming they were targets.

03-JUN-2009

Access to Facebook servers acquired

22-JUN-2009

Date Stuxnet version 1.001 compiled

04-JUL-2009

Stuxnet 0.5 terminates infection process

07-DEC-2009

Access to PalTalk servers acquired

XX-DEC-2009

Operation Aurora attacks continue through Dec 2009

12-JAN-2010

Google discloses existence of Operation Aurora, said attacks began in mid-December 2009

13-JAN-2010

Iranian physicist killed by motorcycle bomb

XX-FEB-2010

Flame operating in wild

10-MAR-2010

Date Stuxnet version 1.100 compiled

14-APR-2010

Date Stuxnet version 1.101 compiled

15-JUL-2010

Langner first heard about Stuxnet

19-SEP-2010

DHS, INL, US congressperson informed about threat posed by “Stuxnet-inspired malware”

24-SEP-2010

Access to YouTube servers acquired

29-NOV-2010

Iranian scientist killed by car bomb

06-FEB-2011

Access to Skype servers acquired

07-FEB-2011

AOL announces agreement to buy HuffingtonPost

31-MAR-2011

Access to AOL servers acquired

01-SEP-2011

Duqu worm discovered

XX-MAY-2012

Flame identified

08-JUN-2012

Date on/about “suicide” command issued to Flame-infected machines

24-JUN-2012

Stuxnet versions 1.X terminate infection processes

XX-OCT-2012

Access to Apple servers acquired (date NA)

Again, this is not everything that could be added about Stuxnet, Flame, and Duqu, nor is it everything related to the NSA’s communications collection processes. Feel free to share in comments any observations or additional data points that might be of interest.

Please also note the two deaths in 2010; Stuxnet and its sibling applications were not the only efforts made to halt nuclear proliferation in Iran. These two events cast a different light on the surrounding cyber attacks.

Lastly, file this under “dog not barking”:

Why aren’t any large corporations making a substantive case to their customers that they are offended by the NSA’s breach of their private communications through their communications providers?

Section 215 Order Reveals Secrecy Only Serves to Prevent Court Challenge

Last March, when Hank Johnson asked him a poorly worded question about what NSA was doing with its data center in Utah, NSA head Keith Alexander kept saying the NSA had no power to collect in the US.

Johnson: “NSA’s signals intercepts include eavesdropping on domestic phone calls and inspection of domestic emails.” Is that true?

Alexander: No, not in that context. I think what he’s trying to raise is are we gathering all the information on the United States? No, that is not correct.

Johnson: What judicial consent is required for NSA to intercept communications and information involving American citizens?

Alexander: Within the United States, that would be the FBI lead.  If it was foreign actor in the United States the FBI would still have the lead and could work that with the NSA or other intelligence agencies as authorized. But to conduct that kind of collection in the United States it would have to go through a court order and a court would have to authorize it. We’re not authorized to do it nor do we do it.

As I noted at the time, Alexander didn’t actually deny it happens. He just said the FBI would have that authority in the US.

Alexander never denies that such capabilities exist. Rather, he says that FBI would intercept communications–with a court order–and FBI would search for certain content–with a warrant.

I even pointed to the great deal of circumstantial evidence that the FBI uses Section 215 to do bulk collection.

We know several things about the government’s collection in the US. First, the telecoms own the equipment–they’re the ones that do the intercepts, not FBI or NSA. Second, the FBI can and does get bulk data information from telecoms and other businesses using Section 215 of the PATRIOT Act.

I will have more to say about this later–until then, read this post and this post as background.

There is a great deal of circumstantial information to suggest that after the 2004 hospital confrontation–which was in part a response to Congress prohibiting any DOD use of data mining on Americans–chunks of the illegal wiretap program came to be authorized under Section 215 of the PATRIOT Act, which authorizes FBI data collection.

There’s nothing General Alexander said in this non-denial denial that would conflict with the notion that FBI collects data the telecoms intercept using Section 215 of the PATRIOT Act.

The Guardian’s publication of a 215 Order collecting metadata from all of Verizon Network Business Services customers proves that I was correct. It proves that Alexander’s obviously false non-denial was just that: a dodge of the truth.

Indeed, the order also shows that FBI’s role is simply to provide legal cover by submitting the 215 request, but NSA gets the data.

The (anonymous, of course) Administration response to last night’s disclosure is to claim it is no big deal.

An administration official called the phone data a “critical tool in protecting the nation from terrorist threats to the United States.”

“It allows counter terrorism personnel to discover whether known or suspected terrorists have been in contact with other persons who may be engaged in terrorist activities, particularly people located inside the United States,” the official added.

[snip]

“The order reprinted in the article does not allow the Government to listen in on anyone’s telephone calls, said the administration official Thursday defending the decision. “The information acquired does not include the content of any communications or the name of any subscriber. It relates exclusively to metadata, such as a telephone number or the length of a call.”

Note: congratulations to The Hill’s Meghashyam Mali, who actually repeated this anonymous person’s claim that 1) the program allows the government to ID terrorists but 2) the 215 Order does not return the ID of any subscriber, as if doing so constituted journalism. (Note: Marc Ambinder just posts the talking points, without noting how internally contradictory they are–I’ll return to them shortly.)

Here’s the question, though: if this program is no big deal, as the Administration and some members of Congress are already claiming in damage control, then why has the Administration been making thin non-denial denials about it for years? If it is so uncontroversial, why is it secret?

Is there anything about the order that tips people off to whom, precisely, is being targeted? Does it explain how good (or bad) NSA’s data analysis tools are?

No. The collection is so broad, it could never provide hints of who is being investigated.

The WaPo suggests this order is just regular, routine collection, that quarterly 215 order sent to Verizon NBS. But even if, as I wondered last night, it’s triggered to a specific investigation, is there anything in there that tells people what or who is being investigated?

No.

There is nothing operational about this Section 215 order that needs to be secret. Nothing. A TS/SCI classification for zero operational reason.

The secrecy has been entirely about preventing American citizens from knowing how their privacy had been violated. It serves the same purpose as Alexander’s obviously dishonest answer.

And the most important reason to keep this secret comes from this claim, from the Administration’s LOL talking points.

As we have publicly stated before, all three branches of government are involved in reviewing and authorizing intelligence collection under the Foreign Intelligence Surveillance Act. Congress passed that act and is regularly and fully briefed on how it is used, and the Foreign Intelligence Surveillance Court authorizes such collection.

The Administration wants you to believe that “all three branches” of government have signed off on this program (never mind that last year FISC did find part of this 215 collection illegal — that’s secret too).

But our court system is set up to be an antagonistic one, with both sides represented before a judge. The government has managed to avoid such antagonistic scrutiny of its data collection and mining programs — even in the al-Haramain case, where the charity had proof they had been the target of illegal, unwarranted surveillance — by ensuring no one could ever get standing to challenge the program in court. Most recently in Clapper v. Amnesty, SCOTUS held that the plaintiffs were just speculating when they argued they had changed their habits out of the assumption that they had been wiretapped.

This order might just provide someone standing. Any of Verizon’s business customers can now prove that their call data is, as we speak, being collected and turned over to the NSA. (Though I expect lots of bogus language about the difference between “collection” and “analysis.”)

That is what all the secrecy has been about. Undercutting separation of powers to ensure that the constitutionality of this program can never be challenged by American citizens.

It’s no big deal, says the Administration. But it’s sufficiently big of a deal that they have to short-circuit the most basic principle of our Constitution.

Wondering Wednesday: Suicide in Singapore, Drone Over Brooklyn, and Telco Tattlers

Help me get over the hump and clue me in on a few things. I’ve been scratching my head wondering about these topics.

Suicide in Singapore — The recent “suicide” of a U.S. electronics engineer in Singapore looks fishy to me. It looked not-right to Financial Times as well; it appears no other domestic news outlet picked up this case for investigative reporting before FT. The deceased, who’d worked for a government research institute on a project related to Chinese telecom equipment company Huawei, is alleged to have hung himself, but two details about this case set off my hinky meter.

•  Every photo I’ve seen of engineer Shane Todd depicts a happy chap. Sure, depressed folks can hide their emotions, but comparing a photo of his family after his death to photos of him and you’ll see the difference. My gut tells me that if he was truly depressed, he should have looked more like his folks–flat, withdrawn, low affect. Perhaps meds could have messed with his head more than depression itself. But I’m not a psychologist or a pharmacologist, what do I know?

•  Among all the details of the case, it’s said the victim’s face postmortem was white when his body was discovered. This doesn’t strike me as consistent with hanging; there should have been lividity above the ligature. Conveniently, Singapore’s law enforcement cleaned everything up so quickly there was no chance to see the crime scene or the body as found. Law enforcement also snagged the victim’s laptop and all other work-related stored content, save for a hard drive that looked like a speaker. Everything he was working on “disappeared” except for the contents of that drive.

The engineer had been very concerned about technology he was working on and its possible transfer, which included gallium nitride transistors with potential for both commercial and military applications. After poking around for some time on gallium compounds used in various computing, communications and other technology, nothing screams at me as highly sensitive technology that might get someone “suicided.” But…as I went through abstracts, it seems odd there are a substantive number of Chinese researchers working in on GaN-based technologies.

Thought these two points in particular jar my senses, more than just these two points don’t sit well. Read the story at the link above and see for yourself. (Original FT link here.)

What do you make of this case? Suicide or no? Strategic technology or no? Read more

Ron Wyden: Liar, Liar, Alexander Pants on Fire

Ron Wyden, Dianne Feinstein, and a few other Senators are conducting what constitutes “a debate” on the FISA Amendments Act extension.

The highlight of the debate, thus far, came when DiFi promised to wave a classified letter answering some of Ron Wyden’s questions around in front of the TV. Mind you, she has not yet fulfilled that promise. But she made the promise, so I am glued to the screen waiting for her to embody the ridiculous nature of this so-called debate by waving her letter in lieu of telling us what it actually says.

Aside from that excitement, however, the high point of the debate has come from Ron Wyden, repeatedly suggesting NSA head General Keith Alexander is a liar.

At issue was a speech Alexander made in July at the DefCon hackers conference. He made two claims that Wyden and Mark Udall questioned in an October letter.

Specifically, you said:

We may, incidentally, in targeting a bad guy hit on somebody from a good guy, because there’s a discussion there. We have requirements from the FISA Court and the Attorney General to minimize that, which means nobody else can see it unless there’s a crime that’s been committed.

We believe that this statement incorrectly characterized the minimization requirements that apply to the NSA’s FISA Amendments Act collection, and portrayed privacy protections for Americans’ communications as being stronger than they actually are. We urge you to correct this statement, so that Congress and the public can have a debate over the renewal of this law that is informed by at least some accurate information about the impact it has had on Americans’ privacy.

You also stated, in response to the same question, that “…the story that we have millions or hundreds of millions of dossiers on people is absolutely false.” We are not entirely clear what the term “dossier” means in this context, so we would appreciate it if you would clarify this remark. Specifically we ask that you please answer the following questions:

  • The intelligence community has stated repeatedly that it is not possible to provide even a rough estimate of how many American communications have been collected under the FISA Amendments Act, and has even declined to estimate the scale of this collection. Are you certain that the number of American communications collected is not “millions or hundreds of millions”? If so, then clearly you must have some ability to estimate the scale of this number, or at least some range in which you believe it falls. If this is the case, how large could this number possibly be? How small could it possibly be?
  • Does the NSA collect any type of data at all on “millions or hundreds of millions of Americans”?

Alexander replied to Wyden and Udall on November 13. In it, he responded to the first Wyden/Udall question by claiming he was speaking about a foreign intelligence context.

I noted at the outset that NSA has a foreign intelligence mission, and my subsequent reference focused on the type of circumstance in which U.S. person information may be disseminated when this foreign intelligence requirement is not met (e.g., when there is evidence of a crime).

He went on to rehearse the legal requirements for minimization, which only applies to information not deemed “foreign intelligence information.” That is, he basically admitted that information deemed to be foreign intelligence information can be shared.

Alexander answered the second Wyden/Udall question by dodging.

Second, my response did not refer to or address whether it is possible to identify the number of U.S. person communications that may be lawfully but incidentally intercepted pursuant to foreign intelligence collection directed against non-U.S. persons located outside the United States as authorized under FAA 702.

In your letter, you asked for unclassified answers to several questions that you feel are important to allow the public to better understand my remarks delivered at the conference. While I appreciate your desire to have responses to these questions on the public record, they directly relate to operational activities and complete answers would necessarily include classified information essential to our ability to collect foreign intelligence.

Wyden referred to these letters at least twice in his various speeches in this “debate.” And while he has been careful to suggest that Alexander may have just misspoke, he has repeatedly made it clear that Alexander lied when he said US person data could not be shared.

I don’t know why General Alexander described minimization as he did. But why did it take Udall and I to make big push to correct?

The implication, it seems, is that the government has simply deemed all the US person information they collect to be foreign intelligence (indeed, elsewhere Jeff Merkley talked about how the “relevant to an investigation” standard makes all conceivable information context for foreign intelligence), meaning minimization requirements are largely meaningless.

In response to Alexander’s claims on hundreds of millions of dossiers, Wyden noted, over and over again, that in spite of NSA’s refusal to answer the question of how many Americans’ data has been collected, Alexander did not in his response–and has not since–denied that NSA keeps hundreds of millions of dossiers on people.

Director of NSA would not provide public answer on whether NSA keeps hundreds of millions of dossiers on people.

Clearly, Alexanders denial that NSA keeps dossiers (which itself stems from claims former NSA coder William Binney made) is simply a word game about the meaning of dossier. NSA doesn’t have dossiers, you see. It has information on hundreds of millions of Americans.

Information–that Wyden makes clear–is not subject to the plain meaning of minimization requirements.

When Overseers Become Talking Heads

The entire Benghazi pseudo-scandal can reportedly be traced back to House Intelligence Committee Ranking Member Dutch Ruppersberger’s request for talking points he could use to respond to journalists.

Three days after the lethal attack on the American Mission in Benghazi, Libya, Representative C. A. Dutch Ruppersberger of Maryland, the top Democrat on the House Intelligence Committee, asked intelligence agencies to write up some unclassified talking points on the episode. Reporters were besieging him and other legislators for comment, and he did not want to misstate facts or disclose classified information.

More than 10 weeks later, the four pallid sentences that intelligence analysts cautiously delivered are the unlikely center of a quintessential Washington drama, in which a genuine tragedy has been fed into the meat grinder of election-year politics.

Before I get too far, remember that Ruppersberger (D-NSA) is one of the geniuses who believe the way to stem leaks is to prevent intelligence professionals from giving background briefings. Remember, too, that the talking points that have caused so much trouble were almost certainly tweaked to protect the intercepts Ruppersberger’s constituent, the NSA, had collected. Nevertheless, this guy, who presumably supports the principle of not telling militants we’ve got their phone tapped, and who thinks people with a more developed understanding of sensitivities around intelligence should not be able to brief the press directly, had to have his talking points so he could talk to the press himself.

Ruppersberger’s inconsistency on this point reminded me that after the super secret drone killing of some American citizens last year, the Gang of Four all weighed in to assure Americans that Anwar al-Awlaki’s death was “legitimate” because there had been “a process.” The Gang’s loquacity contrasted sharply with the Administration’s silence on the very same issue, one reiterated since in the Administration’s Glomar claims about topics the Gang of Four feels welcome to discuss. That contrast is all the more troubling given that Ruppersberger admitted that the Gang of Four does not know who is on the Kill List (and therefore didn’t really know whether the killing of Samir Khan was “legitimate”).

It’s all very neat. Not only does the Gang of Four enjoy immunity from prosecution under the Speech or Debate Clause. But they were–and presumably are–serving as journalistic sources on topics about which they aren’t (though legally should be) fully informed.

Last week Julian Sanchez and Mike Masnick rehashed an earlier version of this, when the Bush Administration armed the Intelligence Committees with talking points that would reinforce their lies that the Terrorist Surveillance Program constituted the entirety of the illegal wiretap program.

Note what that does to the whole question of “legitimacy.” The Gang of Four only knows what Administration and agency officials tell them.  Yet, even in spite of potential and real limits to their knowledge of a program (and a history of deliberately misleading briefings on such topics), they will weigh in and declare something “legitimate.”

We have a problem in this country with the way our intelligence community communicates publicly (see Dan Drezner and Nada Bakos addressing different aspects of this problem.)

But the solution clearly is not the one the national security establishment increasingly appears to be adopting: to turn the four men and women who purportedly exercise the only oversight of the most sensitive programs into talking heads. That process almost certainly ensures incomplete briefing of these “overseers.” Worse, still, it guarantees a kind of complicity that makes the overseers-turned-talking-heads useless for oversight.

WIth their push to limit background briefings, the Gang of Four have raised their own stock as journalistic sources. But they’ve also further gutted the inadequate oversight we’ve got over intelligence.

Michael Hayden, Privacy and Counterterrorism Frugality Champion

Of 1,423 words in an article questioning whether deficit hawkery might cut the domestic spying budget, Scott Shane devotes over a sixth–roughly 260–describing what former NSA and CIA Director Michael Hayden thinks about the balances between funding and security.

Remarkably, none of those 260 words disclose that Hayden works for Michael Chertoff’s consulting group, which profits off of big domestic spying. This, in an article that cites Chertoff’s electronic border fence among the expensive counterterrorism duds that were subsequently shut down (Shane mentions “puffer” machines as well, but not the Rapiscan machines that Chertoff’s group lobbied for, which are now being withdrawn as well).

And then there’s a passage of Shane’s article that touches on topics in which Hayden’s own past actions deserve disclosure.

Like other intelligence officials after 2001, Mr. Hayden was whipsawed by public wrath: first, for failing to prevent the Sept. 11 attacks, and then, a few years later, for having permitted the National Security Agency to eavesdrop on terrorism suspects in the United States without court approval.

Perhaps, as a result, he often says that the American people need to instruct the government on where to draw the line. He told an audience at the University of Michigan last month, for instance, that while a plot on the scale of the Sept. 11 attacks was highly unlikely, smaller terrorist strikes, like the shootings by an Army psychiatrist at Fort Hood in Texas in 2009, could not always be stopped.

“I can actually work to make this less likely than it is today,” Mr. Hayden said. “But the question I have for you is: What of your privacy, what of your convenience, what of your commerce do you want to give up?”

To be fair, Shane counters Hayden’s claims by noting that “secrecy … makes it tough for any citizen to assess counterterrorism programs.”

But he doesn’t mention one of the biggest examples where Hayden–where anyone–chose both the most expensive and most privacy invasive technology: the wiretap program Hayden outsourced to SAIC rather than use in-house solutions.

As Thomas Drake has made clear, by outsourcing to SAIC, Hayden spent 300 times as much as he would have with the in-house solution.

One of them was Lieutenant General Michael Hayden, the head of the agency: he wanted to transform the agency and launched a massive modernization program, code named: “Trailblazer.” It was supposed to do what Thin Thread did, and more.

Trailblazer would be the NSA’s biggest project. Hayden’s philosophy was to let private industry do the job. Enormous deals were signed with defense contractors. [Bill] Binney’s Thin Thread program cost $3 million; Trailblazer would run more than $1 billion and take years to develop.

“Do you have any idea why General Hayden decided to go with Trailblazer as opposed to Thin Thread, which already existed?” Pelley asked.

[snip]

Asked to elaborate, Drake said, “Careers are built on projects and programs. The bigger, the better their career.” [my emphasis]

Along the way, Hayden repeatedly blew off Congressional staffer Diane Roark’s inquiries about privacy protection.

When Binney heard the rumors, he was convinced that the new domestic-surveillance program employed components of ThinThread: a bastardized version, stripped of privacy controls. “It was my brainchild,” he said. “But they removed the protections, the anonymization process. When you remove that, you can target anyone.” He said that although he was not “read in” to the new secret surveillance program, “my people were brought in, and they told me, ‘Can you believe they’re doing this? They’re getting billing records on U.S. citizens! They’re putting pen registers’ ”—logs of dialled phone numbers—“ ‘on everyone in the country!’ ”

[snip]

[Former HPSCI staffer Diane Roark] asked Hayden why the N.S.A. had chosen not to include privacy protections for Americans. She says that he “kept not answering. Finally, he mumbled, and looked down, and said, ‘We didn’t need them. We had the power.’ He didn’t even look me in the eye. I was flabbergasted.” She asked him directly if the government was getting warrants for domestic surveillance, and he admitted that it was not. [my emphasis]

So it’s not just disclosure of all the ways Hayden has and does profit off of continued bloated domestic surveillance that Shane owes his readers: he also should refute Hayden’s claims about the relationship between cost, privacy, and efficacy.

Michael Hayden’s SAIC-NSA boondoggle is one case where secrecy no longer hides how much money was wasted for unnecessary privacy violations.

Yet somehow, that spectacular example of the unnecessary waste in domestic spying doesn’t make it into the 260 words granted to Hayden to argue we need continued inflated spending.

If Everything NSA Does is “Auditable,” Why Can’t NSA Tell Us How Many Americans They’ve Spied On?

NSA Director Keith Alexander just said this to the hackers at DefCon (while wearing an absolutely ridiculous hacker costume):

“We get oversight by Congress, both intel committees and their congressional members and their staffs,” he continued, “so everything we do is auditable by them, by the FISA court … and by the administration. And everything we do is accountable to them…. We are overseen by everybody. And I will tell you that those who would want to weave the story that we have millions or hundreds of millions of dossiers on people is absolutely false.”

But a month ago, Alexander’s Inspector General told Ron Wyden that an estimate of the number of people inside the United States who have had their communications collected or reviewed under the FISA Amendments Act “was beyond the capacity of his office.” Of note, the IG and NSA leadership–that is, presumably Alexander himself–claimed such a review would “violate the privacy of U.S. persons.”

I look forward to Ron Wyden’s response to Alexander’s seeming reversal on that earlier letter with claims of this unlimited auditability.

NSA Director Keith Alexander: The FBI Does the Domestic Collection

Congressman Hank Johnson asked NSA Director Keith Alexander about James Bamford’s Wired article describing the data storage and analysis center in UT. Unfortunately, rather than ask Alexander about these activities–storage and analysis–Johnson asked Alexander about data collection. Here are excerpts of the exchange:

Johnson: Does NSA have the ability to identify Cheney bashers based on the content of their emails?

Alexander: No. Can I explain? NSA does not have the ability to do that in the United States. In the United States we would have to go through an FBI process–a warrant–to serve it to somebody to actually get it.

Johnson: But you do have the capability to do it?

Alexander: Not in the United States. We’re not authorized to collect nor do we have the equipment in the United States.

Johnson: “NSA’s signals intercepts include eavesdropping on domestic phone calls and inspection of domestic emails.” Is that true?

Alexander: No, not in that context. I think what he’s trying to raise is are we gathering all the information on the United States? No, that is not correct.

Johnson: What judicial consent is required for NSA to intercept communications and information involving American citizens?

Alexander: Within the United States, that would be the FBI lead.  If it was foreign actor in the United States the FBI would still have the lead and could work that with the NSA or other intelligence agencies as authorized. But to conduct that kind of collection in the United States it would have to go through a court order and a court would have to authorize it. We’re not authorized to do it nor do we do it.

Note that Alexander never denies that such capabilities exist. Rather, he says that FBI would intercept communications–with a court order–and FBI would search for certain content–with a warrant.

Also note, all of Alexander’s responses were in the present tense: he doesn’t say the NSA hasn’t done these things. Only that the NSA is not now authorized to do them and does not do them.

We know several things about the government’s collection in the US. First, the telecoms own the equipment–they’re the ones that do the intercepts, not FBI or NSA. Second, the FBI can and does get bulk data information from telecoms and other businesses using Section 215 of the PATRIOT Act.

I will have more to say about this later–until then, read this post and this post as background.

There is a great deal of circumstantial information to suggest that after the 2004 hospital confrontation–which was in part a response to Congress prohibiting any DOD use of data mining on Americans–chunks of the illegal wiretap program came to be authorized under Section 215 of the PATRIOT Act, which authorizes FBI data collection.

There’s nothing General Alexander said in this non-denial denial that would conflict with the notion that FBI collects data the telecoms intercept using Section 215 of the PATRIOT Act.