House Intelligence Parrot: These Programs Are Not Secret…

… but it’s a grave danger for you to know about them.

Bob Minehart, a staffer for Democrats (presumably Dutch Ruppersberger) on the House Intelligence Committee, has put together a pair of talking point documents for members of the House to talk about the programs revealed by the Guardian last week. (I found out Minehart is the author by checking the documents’ metadata.) The talking points largely track what James Clapper released, though with a few differences that may come from Mike Rogers which I may return to.

The talking points claim the reporting on the programs has inaccuracies.

The articles referenced above contain numerous inaccuracies that imply the United States Government is spying on Americans. That is just plain false.

But the documents include a number of claims that are meaningless, given the underlying standards involved.

The FISA Court authorizes intelligence collection only after the Intelligence Community has proven its case, based on underlying facts and investigations.

The most pathetic part of these talking points, however, is the claim that these are not secret programs. Not the Section 215 dragnet of every American’s call data.

There is no secret program involved here – it is strictly authorized by a U.S. statute.

And not the direct access to Internet companies’ data with just a 51% certainty that the data collected is foreign.

There is no secret program involved – it is strictly authorized by a U.S. statute.

But in spite of this claim that massive dragnets deceitfully denied in Congressional hearings are not secret, the PRISM-related set still warns about what grave danger the leak of the information created.

The unauthorized disclosure of information about this critical legal tool puts our national security in grave danger, puts Americans at risk of terrorist and cyber attacks, and puts our military intelligence resources in danger of being revealed to our adversaries.

These are not secret programs, Dutch Ruppersberger wants you to know. But revealing them will kill us all.

NSA PRISM Slides: Notice Anything Unusual or Missing?

We haven’t seen (and likely will never see) all of the NSA slides former Booz Allen employee Edward Snowden shared with the Guardian-UK and the Washington Post. But the few that we have seen shared by these two news outlets tell us a lot — even content we might expect to see but don’t tells us something.

First, let’s compare what appears to be the title slide of the presentation — the Guardian’s version first, followed by the WaPo’s version. You’d think on the face of it they’d be the same, but they aren’t.

[NSA presentation, title slide via Guardian-UK]

[NSA presentation, title slide, via Washington Post]

Note the name of the preparer or presenter has been redacted on both versions; however, the Guardian retains the title of this person, “PRISM Collection Manager, S35333,” while the WaPo completely redacts both name and title.

This suggests there’s an entire department for this program requiring at least one manager. There are a number of folks who are plugging away at this without uttering a peep.

More importantly, they are working on collection — not exclusively on search.

The boldface reference to “The SIGAD Used Most in NSA Reporting” suggests there are more SIGINT Activity Designator tools in use than PRISM alone. What’s not clear from this slide is whether PRISM is a subset of US-984XN or whether PRISM is one-for-one the same as US-984XN.

Regardless of whether PRISM is inside or all of US-984XN, the presentation addresses the program “used most” for reporting; can we conclude that reporting means the culled output of mass collection?

Is the Section 215 Dragnet Limited to Terrorism Investigations?

Unlike PRISM, most public discussions about the Section 215 dragnet program suggest that it is tied to terrorism. It’s a claim, for example, that Charlie Savage makes in this story, which he traces back to this statement from Director of National Security James Clapper.

And indeed, that statement does claim the program is limited to terrorism investigations.

The collection is broad in scope because more narrow collection would limit our ability to screen for and identify terrorism-related communications. Acquiring this information allows us to make connections related to terrorist activities over time. The FISA Court specifically approved this method of collection as lawful, subject to stringent restrictions.

The information acquired has been part of an overall strategy to protect the nation from terrorist threats to the United States, as it may assist counterterrorism personnel to discover whether known or suspected terrorists have been in contact with other persons who may be engaged in terrorist activities.


By order of the FISC, the Government is prohibited from indiscriminately sifting through the telephony metadata acquired under the program. All information that is acquired under this program is subject to strict, court-imposed restrictions on review and handling. The court only allows the data to be queried when there is a reasonable suspicion, based on specific facts, that the particular basis for the query is associated with a foreign terrorist organization. Only specially cleared counterterrorism personnel specifically trained in the Court-approved procedures may even access the records.

All information that is acquired under this order is subject to strict restrictions on handling and is overseen by the Department of Justice and the FISA Court. Only a very small fraction of the records are ever reviewed because the vast majority of the data is not responsive to any terrorism-related query. [my emphasis]

Even assuming James “Least Untruthful Too Cute by Half” Clapper can be trusted on this point, consider a few things about this statement.

  • It was released after only the first Guardian release. Thus, it was almost certainly rushed. And while NSA has claimed they had identified Edward Snowden before he started publishing, it is possible they did not know precisely what he had taken (though it is equally possible they already knew).
  • Clapper avoids mentioning precisely what program he is referring to in this statement, not even mentioning the Section 215 authority directly (though he does mention the PATRIOT Act). The Executive Branch has a well-established history — on this and related programs precisely — in addressing just a subset of a program so as to try to hide larger parts of it.

In addition, recall that when DOJ Inspector General Glenn Fine referred to these secret programs in a 2008 report on the use of Section 215, he spoke in the plural and included two classified appendices to describe them. In 2011, Acting Assistant Attorney General Todd Hinnen referred only to programs, plural. Thus, there almost certainly are at least two secret programs, and Michael Hayden has claimed Obama has expanded the use of this authority, which might mean there are more than two.

Furthermore, compare Clapper’s statement from June 6 — which mentioned only terrorists — with how he explained the dragnet program to Andrea Mitchell on June 9.

ANDREA MITCHELL: At the same time, when Americans woke up and learned because of these leaks that every single telephone call in this United States, as well as elsewhere, but every call made by these telephone companies that they collect is archived, the numbers, just the numbers, and the duration of these calls. People were astounded by that. They had no idea. They felt invaded.

JAMES CLAPPER: I understand that. But first let me say that I and everyone in the intelligence community all– who are also citizens, who also care very deeply about our– our privacy and civil liberties, I certainly do. So let me say that at the outset. I think a lot of what people are– are reading and seeing in the media is a lot of hyper– hyperbole.

A metaphor I think might be helpful for people to understand this is to think of a huge library with literally millions of volumes of books in it, an electronic library. Seventy percent of those books are on bookcases in the United States, meaning that the bulk of the of the world’s infrastructure, communications infrastructure is in the United States.

There are no limitations on the customers who can use this library. Many and millions of innocent people doing min– millions of innocent things use this library, but there are also nefarious people who use it. Terrorists, drug cartels, human traffickers, criminals also take advantage of the same technology. So the task for us in the interest of preserving security and preserving civil liberties and privacy is to be as precise as we possibly can be when we go in that library and look for the books that we need to open up and actually read.

You think of the li– and by the way, all these books are arranged randomly. They’re not arranged by subject or topic matter. And they’re constantly changing. And so when we go into this library, first we have to have a library card, the people that actually do this work.

Which connotes their training and certification and recertification. So when we pull out a book, based on its essentially is– electronic Dewey Decimal System, which is zeroes and ones, we have to be very precise about which book we’re picking out. And if it’s one that belongs to the– was put in there by an American citizen or a U.S. person.

We ha– we are under strict court supervision and have to get stricter– and have to get permission to actually– actually look at that. So the notion that we’re trolling through everyone’s emails and voyeuristically reading them, or listening to everyone’s phone calls is on its face absurd. We couldn’t do it even if we wanted to. And I assure you, we don’t want to.

ANDREA MITCHELL: Why do you need every telephone number? Why is it such a broad vacuum cleaner approach?

JAMES CLAPPER: Well, you have to start someplace. If– and over the years that this program has operated, we have refined it and tried to– to make it ever more precise and more disciplined as to which– which things we take out of the library. But you have to be in the– in the– in the chamber in order to be able to pick and choose those things that we need in the interest of protecting the country and gleaning information on terrorists who are plotting to kill Americans, to destroy our economy, and destroy our way of life.

In speaking of the way in which the government uses this dragnet collection as a kind of Dewey Decimal system to identify communications it wants to go back and view, he doesn’t limit it to terrorists. Indeed, he doesn’t even limit it to those foreign intelligence uses the PATRIOT Act authorizes, like counterintelligence (though Obama’s roll-out of Transnational Crime Organization initiative in 2011 — which effectively started treating certain transnational crime networks just like terrorists — may suggest only those crime organizations are being targeted).

Given two more days of disclosures after his initial Section 215 statement, Clapper acknowledged that PRISM has been used (at a minimum) to pursue weapons proliferators and hackers in addition to terrorists. Then, the next day, he at least seemed to suggest that Section 215 collection is used to pinpoint not just terrorists, but also drug cartels and other criminal networks.

And as I’ll show in a follow-up post, it seems to have targeted far more than that.

Google Begs for Transparency

However annoying Google’s recent software changes have been, it is true that they have been more aggressive about protecting privacy than most other companies. They fought a broad subpoena from DOJ for URLs and search returns in 2006. And it is often speculated they were the company that challenged and appealed a 2007 Protect America Act order. Moreover, their transparency reports really do provide at least a hint of how much data the government demands from it.

So I am encouraged by Google’s request to publish how much spying the government asks it to do.

We therefore ask you to help make it possible for Google to publish in our Transparency Report aggregate numbers of national security requests, including FISA disclosures—in terms of both the number we receive and their scope. Google’s numbers would clearly show that our compliance with these requests falls far short of the claims being made. Google has nothing to hide.

Google appreciates that you authorized the recent disclosure of general numbers for national security letters. There have been no adverse consequences arising from their publication, and in fact more companies are receiving your approval to do so as a result of Google’s initiative. Transparency here will likewise serve the public interest without harming national security.

Google is going to get hammered internationally if its customers aren’t reassured about this program. Moreover, Google likely is in a position to show that it is less enthusiastic about government spying than its competitors (cough, Microsoft). If it starts publishing this information, other providers will likely match its efforts, creating a market for at least some privacy protection.

The big corporations pushing from one side and the civil libertarians have managed to beat SOPA/PIPA and similar efforts. Perhaps that coalition can provide some check on government spying.

Section 702 Is Used for Terror, Proliferation, AND Hacking

The AP has a story about the way algorithms control Section 702, the legal program for which PRISM provides NSA analysts access.

And while he also admits that Obama “had expanded the scope of the surveillance,” Michael Hayden makes this false claim (which he actually said on FNS).

Michael Hayden, who led both the NSA and CIA, said the government doesn’t touch the phone records unless an individual is connected to terrorism.

He described on “Fox News Sunday” how it works if a U.S. intelligence agent seized a cellphone at a terrorist hideout in Pakistan.

“It’s the first time you’ve ever had that cellphone number. You know it’s related to terrorism because of the pocket litter you’ve gotten in that operation,” Hayden said. “You simply ask that database, `Hey, any of you phone numbers in there ever talked to this phone number in Waziristan?'”

Here’s how I know this is absolutely false (aside from the language of Section 702 that clearly allows it to be used for foreign intelligence generally so long as it is targeted — which is one of those tricky words– at people not known to be in the US).

Director Clapper — who admittedly engages in least untruthfuls that are too cute by half — claimed this as one of the successes in Section 702.

Communications collected under Section 702 have provided significant and unique intelligence regarding potential cyber threats to the United States, including specific potential network computer attacks. This insight has led to successful efforts to mitigate these threats.

Don’t get me wrong. Using this kind of collection for foreign cyberattacks is entirely appropriate. Indeed, it is probably the very best use of the tool, since it’s a lot easier to engage in cyberattacks — particularly if you’re overseas — using the Internet, whereas the most dangerous terrorists can and no doubt increasingly will find other means to communicate.

So it’s not that I object to using this program to target Chinese hackers. But as you consider the 51% standard that, according to Edward Snowden, NSA analysts have to meet, or if you consider how easily signals taken from any major US-based coverage can meet that 51% standard, understand that NSA is much more likely to make a “mistake” in its geographic screens for American hackers than for American Islamic extremists.

We’ve heard nothing but TERRA TERRA TERRA since these leaks first started. And every time you hear that, you might ask what it would mean if they also mean hacker.

Truck-sized Holes: Journalists Challenged by Technology Blindness

[photo: liebeslakritze via Flickr]

Note: The following piece was written just before news broke about Booz Allen Hamilton employee Edward Snowden. With this in mind, let’s look at the reporting we’ve seen up to this point; problems with reporting to date may remain even with the new disclosures.

ZDNet bemoaned the failure of journalism in the wake of disclosures this past week regarding the National Security Administration’s surveillance program; they took issue in particular with the Washington Post’s June 7 report. The challenge to journalists at WaPo and other outlets, particularly those who do not have a strong grasp of information technology, can be seen in the reporting around access to social media systems.

Some outlets focused on “direct access.” Others reported on “access,” but were not clear about direct or indirect access.

Yet more reporting focused on awareness of the program and authorization or lack thereof on the part of the largest social media firms cited on the leaked NSA slides.

Journalists are not asking what “access” means in order to clarify what each corporation understands direct and indirect access to mean with regard to their systems.

Does “direct access” mean someone physically camped out on site within reach of the data center?

Does “direct access” mean someone with global administrative rights and capability offsite of the data center? Some might call this remote access, but without clarification, what is the truth?

I don’t know about you but I can drive a Mack truck through the gap between these two questions.

So which “direct access” have the social media firms not permitted? Which “direct access” has been taken without authorization of corporate management? ZDNet focuses carefully on authorization, noting the changes in Washington Post’s story with regard to “knowingly participated,” changed later to read “whose cooperation is essential PRISM operations.”

This begs the same questions with regard to any other form of access which is not direct. Note carefully that a key NSA slide is entitled, “Dates when PRISM Collection Began For Each Provider.” It doesn’t actually say “gained access,” direct or otherwise.

Once Upon a Time the PRISM Companies Fought Retroactive Immunity

Since the disclosure of the PRISM program, I have thought about a letter the industry group for some of the biggest and earliest PRISM participants — Google, Microsoft, and Yahoo — wrote to then House Judiciary Chair John Conyers during the 2008 debate on FISA Amendments Act. (The screen capture reflects a partial list of members from 2009.)

Remarkably, the letter strongly condemned the effort to grant companies that had broken the law under Bush’s illegal wiretap program immunity.

The Computer & Communications Industry Association (CCIA) strongly opposes S. 2248, the “FISA Amendments Act of 2007,” as passed by the Senate on February 12, 2008. CCIA believes that this bill should not provide retroactive immunity to corporations that may have participated in violations of federal law. CCIA represents an industry that is called upon for cooperation and assistance in law enforcement. To act with speed in times of crisis, our industry needs clear rules, not vague promises that the U.S. Government can be relied upon to paper over Constitutional transgressions after the fact.

CCIA dismisses with contempt the manufactured hysteria that industry will not aid the United States Government when the law is clear. As a representative of industry, I find that suggestion insulting. To imply that our industry would refuse assistance under established law is an affront to the civic integrity of businesses that have consistently cooperated unquestioningly with legal requests for information. This also conflates the separate questions of blanket retroactive immunity for violations of law, and prospective immunity, the latter of which we strongly support.

Therefore, CCIA urges you to reject S. 2248. America will be safer if the lines are bright. The perpetual promise of bestowing amnesty for any and all misdeeds committed in the name of security will condemn us to the uncertainty and dubious legalities of the past. Let that not be our future as well. [my emphasis]

Microsoft, Yahoo, and Google all joined PRISM within a year of the date of the February 29, 2008 letter (Microsoft had joined almost six months before, Google would join in January 2009).

Clearly, the demand that the companies that broke the law not receive retroactive immunity suggests none of the members had done so. It further suggests that those companies that did break the law — the telecoms, at a minimum — had done something the email providers wanted them held accountable for. This suggests, though doesn’t prove, that before PRISM, the government may have accessed emails from these providers by taking packets from telecom switches, rather than obtaining the data from the providers themselves.

Google had also fought a DOJ subpoena in 2006 for a million URLs and search terms, purportedly in the name of hunting child pornographers.

And those of us who follow this subject have always speculated (with some support from sources) that the plaintiff in a 2007 FISA Court challenge to a Protect America Act (the precursor to FISA Amendments Act) was an email provider.

All of those details suggest, at the very least, that email providers (unlike telecoms, which we know were voluntarily giving over data shortly after 9/11) fought government efforts to access their data.

But it also suggests that the email providers may have treated PRISM as a less worse alternative than the government accessing their data via other means (which is a threat the government used to get banks to turn over SWIFT data, too).

It seems likely the way the government “negotiates” getting data companies to willingly turn over their data is to steal it first.

Mike Rogers: As Confused about Telecom Surveillance as He Is about Drone Strikes

Congressman Mike Rogers, like most of the ranking Gang of Four members of the Intelligence Committees, has long made obviously false claims about the drone program, such as that public reports of civilian casualties (which were being misreported in intelligence reports) were overstated.

That’s just one of the many reasons I was dubious about this report, claiming that, well … it’s not entirely clear what it claimed. Here are the lead two paragraphs:

A secret U.S. intelligence program to collect emails that is at the heart of an uproar over government surveillance helped foil an Islamist militant plot to bomb the New York City subway system in 2009, U.S. government sources said on Friday.

The sources said Representative Mike Rogers, chairman of the House of Representatives Intelligence Committee, was talking about a plot hatched by Najibullah Zazi, an Afghan-born U.S. resident, when he said on Thursday that such surveillance had helped thwart a significant terrorist plot in recent years.

These paragraphs suggest that we found Najibullah Zazi — pretty clearly the most successful effort to prevent a known terrorist attack since 9/11 — because of one of the programs the Guardian (and WaPo) broke over the last few days.

Some paragraphs down, the piece explains the program in question was the “one that collected email data on foreign intelligence suspects.” Which is weird, because we’ve learned about a program to collect email data on everyone in the United States, not “foreign intelligence suspects.” And a program to collect a range of telecom content on known foreign intelligence suspects and their associates. Already, Reuters’ sources seemed confused.

The next paragraph describes the PRISM program by name.

The Washington Post and Britain’s Guardian newspaper on Thursday published top-secret information from inside NSA that described how the agency gathered masses of email data from prominent Internet firms, including Google, Facebook and Apple under the PRISM program.

And the rest of the report traces what former Agent and now FBI mouthpiece CBS pundit John Miller had to say.

All of that might lead you to believe this is a story reporting that we had foiled Zazi’s plot using PRISM, the program that involves the NSA accessing bulk data on everything these foreign targets were doing. But even that is problematic, since Zazi is a US person, whose communications are supposedly excluded from this program.

Then there are the problems with the actual content of this.
