Posts

The Gaping Holes in the SSCI Voting Security Report: Vendors and Mitch McConnell

The Senate Intelligence Committee released a 6-page report, titled “Russian Targeting of Election Infrastructure During the 2016 Election: Summary of Initial Findings and Recommendations,” on how to secure elections last night.

While it is carefully hedged (noting that states may have missed forensic evidence and new evidence may become available), it confirms that “cyber actors affiliated with the Russian Government” conducted the operation and that no “vote tallies were manipulated or [] voter registration information was deleted or modified.” It says the intrusions were “part of a larger campaign to prepare to undermine confidence in the voting process,” but in its admission that, “the Committee does not know whether the Russian government-affiliated actors intended to exploit vulnerabilities during the 2016 elections and decided against taking action,” doesn’t explain that the reason Russia would have decided against action was because Trump won.

The report is laudable for the care with which it describes the various levels of intrusion: scan, malicious access attempts, and successful access attempts. As it concludes, in a small number of states (which must be six or fewer), hackers could have changed registration data, but could not have changed vote totals.

In a small number of states, Russian-affiliated cyber actors were able to gain access to restricted elements of election infrastructure. In a small number of states, these cyber actors were in a position to, at a minimum, alter or delete voter registration data; however, they did not appear to be in a position to manipulate individual votes or aggregate vote totals.

Among its recommendations, the report suggests that,

Election experts, security officials, cybersecurity experts, and the media should develop a common set of precise and well-defined election security terms to improve communication.

This would avoid shitty NBC reporting that falsely leads voters to believe over 20 states were successfully hacked.

Ultimately, though, this report offers weak suggestions, using the word “should” 18 times, never once calling on Congress to fulfill some of its recommendations (such as providing resources to states), and simply suggesting that the Executive warn of consequences for further attacks.

U.S. Government should clearly communicate to adversaries that an attack on our election infrastructure is a hostile act, and we will respond accordingly.

Predictably (especially coming from a Chair whose own reelection in 2016 is due, in part, to his party’s abuse of North Carolina’s administration of elections, the report affirms the importance of states remaining in charge.

States should remain firmly in the lead on running elections, and the Federal government should ensure they receive the necessary resources and information.

I guess Richard Burr would like the Federal government to give his colleagues more money to disenfranchise brown people.

But it’s not just in its weak suggestions that the report falls short. There are two significant silences that discredit the report as a whole: Mitch McConnell, and vendors.

For example, in a long section discussing laying out why DHS’ warnings in 2016 were insufficient, the report complains that the October 7, 2016 statement was not adequate warning.

DHS’s notifications in the summer of 2016 and the public statement by DHS and the ODNI in October 2016 were not sufficient warning.

The report remains utterly silent about Mitch McConnell’s refusal to back a more forceful statement (and, as I’ve noted, Burr and fellow Trump advisor Devin Nunes himself never joined any statement about the attacks).

In other words, while this report talks about gaps and is happy to blame DHS, it doesn’t consider the past and proposed role of top members of Congress.

The other big gap in this report has to do with the vendors on which our election system relies. To be sure, the report does, twice, acknowledge the importance of private sector companies in counting our vote, first when it describes that the vendors would are enticing targets that might need to be bound by more than voluntary guidelines.

Vendors of election software and equipment play a critical role in the U.S. election system, and the Committee continues to be concerned that vendors represent an enticing target or malicious cyber actors. State local, territorial, tribal, and federal government authorities have very little insight into the cyber security practices of many of these vendors, and while the Election Assistance Commission issues guidelines for Security, abiding by those guidelines is currently voluntary.

As a solution, it said that state and local officials should perform risk assessments for election infrastructure vendors, not that they should do so themselves (or be held to any mandated standards).

Perform risk assessments for any current or potential third-party vendors to ensure they are meeting the necessary cyber security standards in protecting their election systems.

Not all  states and almost no local officials are going to have the ability to do this risk assessment, and there’s no reason why it should be done over and over again across the country.

That’s particularly true given the fact that (as the report addresses the vulnerability posed by, but provides no remedy) the election vendor market has gotten increasingly concentrated.

Voting systems across the United States are outdated, and many do not have a paper record of votes as a backup counting system that can be reliably audited, should there be allegations of machine manipulation. In addition, the number of vendors selling machines is shrinking, raising concerns about supply chain vulnerability.

The report also suggests that DHS educate vendors.

DHS should work with vendors to educate them about the potential vulnerabilities of both voting machines and the supply chains.

But in a report that acknowledges the key role played by vendors in administering our elections, the report remains silent about Russian efforts to compromise them in 2016. Indeed, in its accounting of how many states were affected, the report admits its numbers don’t include vendors.

In addition, the numbers do not include any potential attacks on third-party vendors.

And yet — thanks in large part to Reality Winner — we know Russia did target vendors. Not only did they target them, but they appear to have succeeded, and succeeded in a way that may have affected the vote in North Carolina, Burr’s state.

In short, the report leaves a key aspect of known Russian efforts to target the vote completely unexamined, and it doesn’t consider the many ways that by compromising vendors in ways beyond cyberattacks might affect the vote.

Perhaps the report is silent about vendors precisely because of Winner’s pending case, to avoid publicly mentioning in unclassified form the attacks that the document she is accused of leaking. Or perhaps the committee just did an inadequate job of reviewing what happened in 2016.

Whichever it is, it’s unacceptable.

[Photo: National Security Agency, Ft. Meade, MD via Wikimedia]

Reality Winner: The Cost of Mounting a Defense Arguing the Government Overclassifies

In this Democracy Now appearance, Reality Winner’s mom, Billie Winner-Davis, suggested that, whereas her case had originally been due to go to trial next month, it now looks like it will stretch into 2019.

We do not have a trial date at this point. The trial was originally scheduled for October, and then it was pushed to March. But as of right now, we do not have a new trial date. So we don’t know when she will be—face the jury. What I’m being told is that it will be late 2018, if not early February 2019.

Earlier this week the two sides submitted a proposed schedule that shows even that may be optimistic. Because Winner’s defense wants to use classified information to argue the document she is accused of releasing is not national defense information, it has to go through the onerous Classified Information Procedures Act process (see this for a description of the CIPA process) to get that information approved for use in a trial. If I’m doing the math correctly, most optimistically the proposed schedule looks like this:

  • March 30, 2018: Defense submits all proposed subpoenas
  • April 30: Deadline for discovery, including remainder of government’s CIPA Section 4
  • June 14: Government’s Rule 16 expert disclosures
  • July 14: Defendant’s Rule 16 expert disclosures, if they already have clearance (former ISOO head, Bill Leonard, who is already serving as expert witness already has clearance)
  • July 29: Defendant’s amended CIPA 5 notice
  • August 13: Government’s supplemental Rule 16 expert disclosures due, government’s objections to adequacy of defendant’s CIPA 5 notice
  • September 10: Government’ CIPA 6(a) motion
  • October 1: Defendant’s response to government’s CIPA 6(a) motion
  • October 15: Government’s reply to CIPA 6(a) motion
  • October 21: CIPA hearing (this is where the two sides argue about what classified information the defense needs to make her case)

At this point, there would either be 42 days to argue about CIPA 6(c) motion (where the government proposes unclassified substitutes). If that happens, it will be 90 days until trial, meaning it would start March 1. If it doesn’t, then the trial would skip that 42 day process and presumably drop into very early 2019).

  • Early January 2019 or March 1: Trial start

Again, this is a joint proposal, meaning the defense is on board with the long delay. Either they think they can win a graymail attempt (meaning the judge agrees they should get the classified information but the government refuses to provide adequate substitutes and so is forced to dismiss the case) or they believe they can make a case (with the help of Leonard) on the NDI claims generally. They may also anticipate that other events — the Mueller investigation, the congressional investigations into the Russian hack, state investigations, or more journalism — may make it clear how absurd it is to try Winner for information that has become publicly available as we have a public discussion about what the Russians did in 2016.

But if not, because (unlike most other people save Hal Martin recently charged under the Espionage Act) she will have been in jail for 19 months assuming an early January 2019 trial, or 21 months assuming a March 2019 trial. Winner is charged with one count of willful retention and dissemination of National Defense Information.

By comparison, Jeffrey Sterling, who was found guilty on nine counts, including five unauthorized disclosure counts, was sentenced to 42 months (the government had been asking for nine years, but Leonie Brinkema seemed to have reservations about the evidence behind a number of the guilty verdicts, and the sentencing came in the wake of the David Petraeus sweetheart two years of probation plea deal). Admittedly, the government piled on the charges in that case, whereas here they charged as one count things they might have charged as several (by charging both the leaks to The Intercept and WaPo, for example, or by charging her for not telling the full truth to the FBI). Nevertheless, Sterling was accused of exposing a critically sensitive program and an intelligence asset, whereas Winner is charged with leaking one document in an environment where very similar information is being leaked or released by multiple government sources.

Stephen Jin-Woo Kim, who pled guilty to one count of disseminating NDI pertaining to CIA resources in North Korea, was sentenced to 13 months.

This is the no-win situation Winner is in, trying to challenge her conviction after having been denied bail. Because of the way we deal with classified information, she’ll have served a likely full sentence by the time she gets to trial.

It still may be worth it. After all, if she wins at trial, she’ll avoid a record as a felon.

But the larger battle seems to be one about the ridiculousness of our classification system. As Leonard said (see PDF 99-100) in his declaration to explain why he was providing his services pro bono in this case, he believes the kind of overclassification of information that may be at issue here amounts to degrading the entire classification system.

My motivation for becoming involved in this case. was my concern for the integrity of the classification system. I strongly believe that classification is a critical national security tool and that the responsibilities of cleared individuals to properly protect classified information are profound. At the same time, government agencies have equally profound responsibilities and in this regard, I have long witnessed the over•classification of rnfonnation within the Executive Branch due to the failure of agencies to fulfill these responsibilities. In this way, the actions of agencies can actually undermine the integrity of the classification system in that to be effective, it must be used with precision. As Justice Potter Stewart said in the Pentagon Papers case, “when everything is classified, then nothing is classified … ”

[snip]

My involvement in [two prior prosecutions, that of Steven Rosen and Thomas Drake] confirmed for me the importance~ especially in criminal prosecutions, of not allowing representatives of the Executive Branch to simply assert that certain information is classified or closely held or potentially damaging if disclosed.

That is, Winner might prove a point: that this kind of information should be more accessible to the public.

But along the way she will have paid a very costly price.

Update, March 15: After two hearings, Magistrate Brian Epps cut two months off this schedule, setting Winner’s trial date for October 15. That will mean she will have been in jail over 16 months by the time of her trial.

Reality Winner Seeks to Use Trump’s Denials of Russian Hacking in Her Defense

Last week, Reality Winner had a hearing on her bid to get her interview with the FBI thrown out because they didn’t issue her a Miranda warning (Kevin Gosztola covered and discussed it on Democracy Now). Given the precedents on Miranda, I think that bid is unlikely to succeed.

But there is a tack her defense is taking that, as far as I’ve seen, has gotten no notice, one that is far more interesting. Winner is seeking to use Trump’s comments denying that the Russians hacked the election to argue the document she is accused of leaking to The Intercept isn’t actually National Defense Information, the standard the government has to prove to secure an Espionage conviction.

In her discovery requests, Winner asked for three (entirely redacted) categories of documents “reflecting statements made by high-ranking governmental officials regarding information contained in the document,” all of which were denied (see PDF 87).

A discovery appeal submitted in January (but only released on February 13) makes clear that Winner’s defense attorneys are going to argue that the intelligence in the report she is accused of leaking cannot be National Defense Information because the President’s statements would be taken to suggest the intelligence is not true.

However, high-ranking government officials, including the President of the United States, have made statements undermining and/or contradicting that contention. 44 That, is of great import because, if the information in the Document is inaccurate (as the President and other high-ranking officials have said), it cannot be NDI. While the defense may seek to capture some of this information in the public domain, 45 it cannot capture statements made privately by these high-ranking officials.

Bill Leonard, the former head of the federal classification authority, ISOO, who has served as expert witness on two other cases involving Espionage charges, laid out the logic of the argument this way (PDF 102-3)

[T]here are governmental actors, including high-level governmental actors (such as the President of the United States), that have made conflicting and/or contradicting statements in comparison to the Government’s position here. In other words, these high-level governmental officials have made statements undermining the veracity of the information contained in the Document, which would impact whether the Document actually contains “national defense information” because, if inaccurate, the Government’s contention that its disclosure could harm the national security of the United States would be severely undermined. Indeed, the President is the highest level of authority in our classification system and has virtually unrestricted access to information in our intelligence system. He is, therefore, in the best position to know the particulars of any piece of intelligence, including its sensitivity and its veracity. Consequently, records reflecting statements made by high-ranking governmental officials, including and in particular, the President of the United States, relating to the information contained in the Document (including statements contradicting the truth or veracity of the information at issue) are highly relevant and are critical to the determination of whether or not it is closely held and/or whether or not its disclosure would potentially damage the national security.

There are a number of other challenges the government is facing with this case (not least that — as I’ve pointed out — similar information has been leaked to the press without any apparent prosecution arising from it).

But Trump’s self-interested denials are the most interesting. After all, he cannot admit that Russia affected the election, because he has staked so much on the claim that that will lessen his legitimacy (not to mention any risk such an admission exposes him to in the Mueller investigation). As Leonard notes, the entire classification system is built on presidential authority, and if he says something isn’t true, it will seriously undermine any claim a prosecutor can make at trial that Winner leaked true National Defense Information.

Effectively, some prosecutor will be in a position of having to point out what we all know, that the President is a liar. Given Trump’s propensity towards rage-induced firings, I imagine the government would like to avoid this pickle.

The Russian Metadata in the Shadow Brokers Dump

When I first noted, back in April, that there was metadata in one of the Shadow Brokers dumps, I suggested two possible motives for the doxing of several NSA hackers. First (assuming Russia had a role in the operation), to retaliate against US indictments of Russian hackers, including several believed to be tied to the DNC hack.

A number of the few people who’ve noted this doxing publicly have suggested that it clearly supports the notion that a nation-state — most likely Russia — is behind the Shadow Brokers leak. As such, the release of previously unannounced documents to carry out this doxing would be seen as retaliation for the US’ naming of Russia’s hackers, both in December’s election hacking related sanctions and more recently in the Yahoo indictment, to say nothing of America’s renewed effort to arrest Russian hackers worldwide while they vacation outside of Russia.

But leaving the metadata in the documents might also make the investigation more difficult.

[F]our days before Shadow Brokers started doxing NSA hackers, Shadow Brokers made threats against those who’ve commented on the released Shadow Brokers files specifically within the context of counterintelligence investigations, even while bragging about having gone unexposed thus far even while remaining in the United States.

Whatever else this doxing may do, it will also make the investigation into how internal NSA files have come to be plastered all over the Internet more difficult, because Shadow Brokers is now threatening to expose members of TAO.

With that in mind, I want to look at a Brian Krebs piece that makes several uncharacteristic errors to get around to suggesting a Russian-American might have been the guy who leaked the files in question.

He sets out to read the metadata I noted (but did not analyze in detail, because why make the dox worse?) in April to identify who the engineer was that had NSA files discovered because he was running Kaspersky on his home machine.

In August 2016, a mysterious entity calling itself “The Shadow Brokers” began releasing the first of several troves of classified documents and hacking tools purportedly stolen from “The Equation Group,” a highly advanced threat actor that is suspected of having ties to the U.S. National Security Agency. According to media reports, at least some of the information was stolen from the computer of an unidentified software developer and NSA contractor who was arrested in 2015 after taking the hacking tools home. In this post, we’ll examine clues left behind in the leaked Equation Group documents that may point to the identity of the mysterious software developer.

He links to the WSJ and cites, but doesn’t link, this NYT story on the Kaspersky related breach.

Although Kaspersky was the first to report on the existence of the Equation Group, it also has been implicated in the group’s compromise. Earlier this year, both The New York Times and The Wall Street Journal cited unnamed U.S. intelligence officials saying Russian hackers were able to obtain the advanced Equation Group hacking tools after identifying the files through a contractor’s use of Kaspersky Antivirus on his personal computer. For its part, Kaspersky has denied any involvement in the theft.

Then he turns to NYT’s magnum opus on Shadow Brokers to substantiate the claim the government has investigations into three NSA personnel, two of whom were related to TAO.

The Times reports that the NSA has active investigations into at least three former employees or contractors, including two who had worked for a specialized hacking division of NSA known as Tailored Access Operations, or TAO.

[snip]

The third person under investigation, The Times writes, is “a still publicly unidentified software developer secretly arrested after taking hacking tools home in 2015, only to have Russian hackers lift them from his home computer.”

He then turns to the Shadow Brokers’ released metadata to — he claims — identify the two “unnamed” NSA employees and the contractor referenced in The Times’ reporter.”

So who are those two unnamed NSA employees and the contractor referenced in The Times’ reporting?

From there, he points to a guy that few reports that analyzed the people identified in the metadata had discussed, A Russian! Krebs decides that because this guy is Russian he’s likely to run Kaspersky and so he must be the guy who lost these files.

The two NSA employees are something of a known commodity, but the third individual — Mr. Sidelnikov — is more mysterious. Sidelnikov did not respond to repeated requests for comment. Independent Software also did not return calls and emails seeking comment.

Sidelnikov’s LinkedIn page (PDF) says he began working for Independent Software in 2015, and that he speaks both English and Russian. In 1982, Sidelnikov earned his masters in information security from Kishinev University, a school located in Moldova — an Eastern European country that at the time was part of the Soviet Union.

Sildelnikov says he also earned a Bachelor of Science degree in “mathematical cybernetics” from the same university in 1981. Under “interests,” Mr. Sidelnikov lists on his LinkedIn profile Independent Software, Microsoft, and The National Security Agency.

Both The Times and The Journal have reported that the contractor suspected of leaking the classified documents was running Kaspersky Antivirus on his computer. It stands to reason that as a Russian native, Mr. Sildelnikov might be predisposed to using a Russian antivirus product.

Krebs further suggests Sidelnikov must be the culprit for losing his files in the Kaspersky incident because the guy who first pointed him to this metadata, a pentester named Mike Poor, said a database expert like Sidelnikov shouldn’t have access to operational files.

“He’s the only one in there that is not Agency/TAO, and I think that poses important questions,” Poor said. “Such as why did a DB programmer for a software company have access to operational classified documents? If he is or isn’t a source or a tie to Shadow Brokers, it at least begets the question of why he accessed classified operational documents.”

There are numerous problems with Krebs’ analysis — which I pointed out this morning but which he blew off with a really snotty tweet.

First, the NYT story he cites but doesn’t link to notes specifically that the Kaspersky related breach is unrelated to the Shadow Brokers leak, something that I also  pointed out was logically obvious given how long the NSA claimed Hal Martin was behind the Shadow Brokers leak after the government was known to be investigating the Kaspersky related guy.

It does not appear to be related to a devastating leak of N.S.A. hacking tools last year to a group, still unidentified, calling itself the Shadow Brokers, which has placed many of them online.

Krebs also misreads the magnum opus NYT story. The very paragraph he quotes from reads like this:

The agency has active investigations into at least three former N.S.A. employees or contractors. Two had worked for T.A.O.: a still publicly unidentified software developer secretly arrested after taking hacking tools home in 2015, only to have Russian hackers lift them from his home computer; and Harold T. Martin III, a contractor arrested last year when F.B.I. agents found his home, garden shed and car stuffed with sensitive agency documents and storage devices he had taken over many years when a work-at-home habit got out of control, his lawyers say. The third is Reality Winner, a young N.S.A. linguist arrested in June, who is charged with leaking to the news site The Intercept a single classified report on a Russian breach of an American election systems vendor.

That is, there aren’t “two unnamed NSA employees and [a] contractor referenced in The Times’ reporting.” The paragraph he refers to names two of the targets: Hal Martin (the other TAO employee) and Reality Winner. Which leaves just the Kaspersky related guy.

Krebs seemed unaware of the WaPo versions of the story, which include this one where Ellen Nakashima (who was the first to identify this guy last year) described the engineer as a Vietnamese born US citizen. Not a Russian-American, a Vietnamese-American.

Mystery solved Scoob! All without even looking at the Shadow Brokers’ metadata. There’s one more part of the Krebs story which is weird — that he takes the same non-response he got from the known NSA guys doxed by Shadow Brokers from Sidelnikov as somehow indicative of anything, even while if he had been “arrested” as Krebs’ headline mistakenly suggests, then you’d think his phone might not be working at all.

There’s more I won’t say publicly about Krebs’ project, what he really seems to be up to.

But the reason I went through the trouble of pointing out the errors is precisely because Krebs went so far out of his way to find a Russian to blame for … something.

We’ve been seeing Russian metadata in documents for 17 months. Every time such Russian metadata is found, everyone says, Aha! Russians! That, in spite of the fact that the Iron Felix metadata was obviously placed there intentionally, and further analysis showed that some of the other Russian metadata was put there intentionally, too.

At some point, we might begin to wonder why we’re finding so much metadata screaming “Russia”?

Update: After the Vietnamese-American’s guilty plea got announced, Krebs unpublished his doxing post.

A note to readers: This author published a story earlier in the week that examined information in the metadata of Microsoft Office documents stolen from the NSA by The Shadow Brokers and leaked online. That story identified several individuals whose names were in the metadata from those documents. After the guilty plea entered this week and described above, KrebsOnSecurity has unpublished that earlier story.

In Discussion of Unmasking Admiral Rogers Gets Closer to Admitting Types of Section 702 Cybersecurity Use

Last Friday, Director of National Intelligence Dan Coats, Director of NSA Mike Rogers, and FBI Director Christopher Wray did an event at Heritage Foundation explaining why we need Section 702 and pretending that we need it without reasonable reforms. I attended Wray’s talk — and even got my question on cybersecurity asked, which he largely dodged (I’ll have more about two troubling things Wray said later). But I missed Rogers’ talk and am just now catching up on it.

In it, he describes a use of Section 702 that goes further than NSA usually does to describe how the authority is used in cybersecurity.

So what are some examples where we’ll unmask? Companies. Cybersecurity. So we’ll report that US company 1 was hacked by the following country, here’s how they got in, here’s where they are, here’s what they’re doing. Part of our responsibility on the US government side is the duty to warn. So how do you warn US company 1 if you don’t even know who US company 1 is? So one of the reasons we do unmasking is, so for example we can take protective to ensure this information is provided to the appropriate individuals.

What Rogers describes is an active hack, by a nation-state (which suggests that rule may not have changed since the 2015 report based off 2012 Snowden documents that said NSA could only use 702 against nation-state hackers). The description is not necessarily limited to emails, the type of data NSA likes to pretend it collects in upstream (though it could involve phishing). And the description even includes what is going on at the victim company.

Rogers explains that the NSA would unmask that information so as to be able to warn the victim — something that (via the FBI) happened with the DNC, but something which didn’t happen with a number of other election related hacks.

Of course, Reality Winner is facing prison for having made this clear. The FISA-derived report she is accused of leaking shows how the masking works in practice.

In the case of VR Systems, the targeted company described, it’s not entirely clear whether NSA (though FBI) warned them directly or simply warned the states that used it. But warnings, complete with their name, were issued. And then leaked to the press, presumably by people who aren’t facing prison time.

In any case, this is a thin description of NSA’s use of 702 on cybersecurity investigations. But more detail in unclassified public than has previously been released.

 

702 Reauthorization: The Anti-Leak Package

As part of the draft Section 702 Reauthorization released this week, the House Judiciary Committee included what I’ll call the anti-leak package. They’re not actually presented in the same Title, but I want to consider them as a group as a way to consider whether they’ll do anything to make leaking less useful than internal whistleblowing.

The package consists of three things:

  • Increased penalties for improperly handling classified information
  • New protections for FBI whistleblowers and contractor whistleblowers
  • A GAO report on whether classification works

Increased penalties for improperly handling classified information

The first part of the package changes 18 USC 1924, which criminalizes unauthorized retention of classified documents, to make knowingly retaining classified information a felony, while creating a new misdemeanor for negligently retaining classified information.

SEC. 302. PENALTIES FOR UNAUTHORIZED REMOVAL AND RETENTION OF CLASSIFIED DOCUMENTS OR MATERIAL.

Section 1924 of title 18, United States Code, is amended—

(1) in subsection (a), by striking ‘‘one year’’ and inserting ‘‘five years’’;

(2) by redesignating subsections (b) and (c) as subsections (c) and (d), respectively; and 13 (3) by inserting after subsection (a) the following new subsection (b):

(b) Whoever, being an officer, employee, contractor, or consultant of the United States, and, by virtue of his office, employment, position, or contract, becomes possessed of documents or materials containing classified information of the United States, negligently removes such documents or materials without authority and knowingly retains such documents or materials at an unauthorized location shall be fined under this title or imprisoned for not more than one year, or both.

I think this was done to make what Hillary Clinton did a clear felony, so Republicans can squawk about it, rather than solving any real problem.

Which is a pity. Because those who want to write new laws criminalizing the retention and leaking of classified information (something I’m not advocating, but I understand the sentiment), it might be useful to write laws that address the problems we’re actually seeing.

For example, the Espionage Act should be rewritten to make it clear it only applies to real Espionage — the secret sharing of “national defense information” (which should be better defined) with an adversary for some kind of personal benefit. By all means, create something else that applies to the Edward Snowdens and Chelsea Mannings of the world, if you feel the need to. But in that law, do something to ensure that the David Petraeuses of the world — who leaked information to get laid and tell nice stories about himself — don’t get a wrist slap, while people who at least believe their acts to be benefitting the country face life imprisonment.

The degree to which the Espionage statute specifically, and leak prosecutions generally, have become the means to pursue arbitrary retaliation against people who don’t hew a party line undermines the legitimacy of the classification system, which (in my opinion, as someone who has covered most recent leak prosecutions) just leads to more leaking.

In related news, one of the reasons why magistrate Brian Epps Cobb denied Reality Winner bail yesterday is because she admires Snowden and Assange.

In addition, this week’s news that an NSA TAO hacker brought files home and used them on his machine running Kaspersky, thereby alerting Russia to them, suggests the need to consider the impact of even negligent improper handling, because it can have an impact akin to that of Snowden if it is compromised.

Finally, there should be some controls over abuse of Original Classification Authority, both in Prepublication Reviews, to prevent the selective censorship of important stories. And there should be some recognition that OCAs are often not the only source of information (which is one of the problems with the Hillary emails — her staffers were reporting widely known facts that the CIA later claimed a monopoly on, thereby making the information “classified”).

Perhaps the GAO review, below, can go some distance to making this happen.

New protections for contractor whistleblowers

There’s a section that extends the (still inadequate) whistleblower protections of the National Security Act to contractors, while adding protection (just for contractors!) for the reporting of “evidence of another employee or contractor employee accessing or sharing classified information without authorization.” It also adds additional reporting vehicles for FBI contractors (to DOJ or FBI’s Office of Professional Responsibility, to FBI’s Inspection Division, or to the Office of Special Counsel).

The bill also adds contractors to those you can’t retaliate against by stripping of security clearance if they’ve made a protected disclosure.

Contractor is defined as “an employee of a contractor, subcontractor, grantee, subgrantee, or personal services contractor, of a covered intelligence community element.”

As I said, this is just the protection extended to intelligence community employees, with enforcement by the President, the same guy who orders up the illegal activities (such as torture or domestic spying) of the IC.

Plus, I’m not sure the language protects against two other problems that have happened with contractors. First, the loss of a contract, which doesn’t seem to be included in the definition of personnel decisions. So an agency could retaliate not by denying a promotion, but simply denying a contract. And, for similar reasons, I’m not sure the language prevents a contractor from retaliating against one of their employees directly, particularly if they’re threatened with losing work.

As I said, I’m not sure on this. I await analysis from the people who work whistleblower issues all the time.

That said, while this is an important improvement that will extend the same inadequate protection that IC employees get to IC contractors, I think it doesn’t necessarily protect against some known kinds of retaliation.

A GAO report on whether classification works

Perhaps most interestingly, the bill asks GAO to conduct on a story on why we’re having so much leakage.

SEC. 303. COMPTROLLER GENERAL STUDY ON UNAUTHORIZED DISCLOSURES AND THE CLASSIFICATION SYSTEM.

(a) STUDY.—The Comptroller General of the United States shall conduct a study of the unauthorized disclosure of classified information and the classification system of the United States.

(b) MATTERS INCLUDED.—The study under subsection (a) shall address the following:

(1) Insider threat risks to the unauthorized disclosure of classified information.

(2) The effect of modern technology on the unauthorized disclosure of classified information, including with respect to—

(A) using cloud storage for classified information; and

(B) any technological means to prevent or detect such unauthorized disclosure.

(3) The effect of overclassification on the unauthorized disclosure of classified information.

(4) Any ways to improve the classification system of the United States, including with respect to changing the levels of classification used in such system.

(5) How to improve the authorized sharing of classified information, including with respect to sensitive compartmented information.

(6) The value of polygraph tests in determining who is authorized to access classified information.

(7) Whether each element of the intelligence community (as defined in section (4) of the National Security Act of 1947 (50 U.S.C. 3003(4))—

(A) applies uniform standards in determining who is authorized to access classified information; and

(B) provides proper training with respect to the handling of classified information.

(c) COOPERATION.—The heads of the intelligence community shall provide to the Comptroller General information the Comptroller General determines necessary to carry out the study under subsection (a).

(d) REPORT.—Not later than 180 days after the date of the enactment of this Act, the Comptroller General shall submit to the Committee on the Judiciary and the Permanent Select Committee on Intelligence of the House of Representatives and the Committee on the Judiciary and the Select Committee on Intelligence of the Senate a report containing the study under subsection (a). (e) FORM.—The report under subsection (d) shall be submitted in unclassified form, but may include a classified annex.

I really like the idea of doing such a report (though am not sure GAO can get it done in just 6 months, especially since I’m sure some agencies will filibuster any cooperation). And what a novelty, to finally consider whether polygraphs actually do what they’re claimed to do (rather than get people to confess to dirt that can later be used against them or leaked to China in an OPM hack).

As mentioned above, a really thorough such study should also look specifically at the Prepublication Review process, which is one of the most notorious forms of arbitrary use of classification.

It should also try to quantify how much classification does (abusively) hide mismanagement or law-breaking, especially in the FOIA process.

A truly thorough study would have to include leaks by members of Congress, up to and including the Gang of Four — but that’s never going to happen and so that means of leakage will remain untouched.

A study should also not only review recent leak prosecutions, with a particularly focus on the selectivity with which they’ve been taken, but compare leak prosecutions with the efficacy of internal measures (like stripping someone of clearance), which ODNI has been using more in recent years, at least before Reality Winner.

And a study should do a macro review of the initiatives put in place since Chelsea Manning’s leaks, to review overall compliance (we know NSA and CIA had not fully complied as of last year), and to measure whether those initiatives have done any good.

Finally, for the classified version, the report should include a full measure of how much internal spying is being targeted at government employees and contractors in various CI programs, and whether those are overseen adequately (they’re absolutely not).

Will this all do any good?

As I said, I’m the one lumping these together into a package, not the bill’s authors. I did so, though, to better weigh whether this will do any good — whether we’ll move the balance on necessary discussions for democracy being weighed against genuine need to protect secrets. I think an actual assessment is worthwhile.

But ultimately, I suspect our leak problem stems, in large part, from the degree to which classification (and clearances and leak prosecutions) have all been designed to give the Executive Branch unfettered ability to run an arbitrary system of secrets that does as much to serve nexuses of power as it does to keep the country safe.  Secrets, in DC, have become the coin of power, not the necessary tool to ensure a vibrant and secure democracy.

And I’m not sure this effort will do much to change that.

In Reality Winner Case, Government Warns of Recruitment by Media Outlets that “Procure the Unauthorized Disclosure of Classified Info”

As I’ve reported recently Reality Winner has claimed both that her interview with the FBI was not consensual and that she should be released on bail like people who’ve leaked more sensitive documents, including David Petraeus. Significantly, Winner made claims about her interview and DOJ’s lack of related accusations to suggest the leak of the single document to the Intercept is all they’ve got on her.

The government responded to Winner’s claims — in their response to her request for bail — with a whole new set of claims not included in other documents (on top of making fairly ridiculous claims to suggest Winner should be detained when those who had access — and in the case of David Petraeus, leaked — far more classified information were not).

In the response itself, they raise issues that are fair and significant. But they all seem designed to suggest that Winner must be treated more harshly than Petraeus because she’s more likely to be “recruited” by “non-governmental organizations and media outlets that advocate and procure the unauthorized disclosure of classified information.”

At the same time, the Defendant is an attractive candidate for recruitment by well-funded foreign intelligence services and non-governmental organizations and media outlets that advocate and procure the unauthorized disclosure of classified information.

Consider how the government treats different media outlets.

The Washington Post

First, the government’s description of Winner’s phone searches suggest Winner sent the document to a “print news outlet” in addition to the Intercept, and kept looking at both to see if they published the document.

  • On May 9, the Defendant searched for the secure mailing address of a Print News Outlet, viewed a document called “How to Share Documents and News Tips with [Print News Outlet] Journalists” on the Print News Outlet’s website, searched for an Online News Outlet and “secure drop,” and viewed the Online News Outlet’s page containing instructions for the anonymous transmission of leaked information.
  • On May 12, a few days after she mailed the leaked document, the Defendant searched online for the Print News Outlet referenced on May 9, as well as the Online News Outlet to which she transmitted the leaked document, and viewed the homepages of both publications.
  • On May 13, the Defendant searched for the Print News Outlet, viewed its homepage, and then searched “[IC component] leak” and “[IC component] leak [Foreign Country]” on multiple occasions.
  • On May 14, the Defendant searched for and viewed the Print News Outlet’s homepage, and then searched within the Print News Outlet’s website for the name of the relevant IC component. She also searched for and viewed the Online News Outlet’s homepage.
  • On May 22, the Defendant viewed both the Print News and Online News Outlets’ websites, and she searched for the name of the relevant IC component within both websites.

The Washington Post’s “confidential tips” page comes up on a search for “How to Share Documents and News Tips” (though the page does not now have that name). That suggests Winner shared a copy of this document with the WaPo as well as the Intercept. But the focus in these materials on a completed crime is exclusively focused on the Intercept (which also is not named).

The interview transcript released with this filing does not, apparently, discuss Winner’s leak to what appears to be the WaPo, aside from asking if she sent the leaked document anywhere else, to which she said “no.” The agents interviewing her tipped her that the document had been sent to an online news source that she “subscribes” to. So FBI may not have mentioned WaPo because WaPo did nothing with the story — or at least nothing with a source who then informed the government, which is how the Intercept got exposed — meaning the FBI did not yet know about it. Or perhaps the FBI was just far more interested in the fact that Winner leaked to the Intercept.

Wikileaks and Anonymous

The filing does its most significant damage in repeating Winner’s support for WikiLeaks, Edward Snowden, and Anonymous. According to the filing, at the same time she was looking for clearance jobs in November 2016 (at the end of her deployment), she was researching anonymous and Wikileaks.

The Defendant’s duplicity is starkly illustrated by the fact that she researched opportunities to access classified information (multiple searches for jobs requiring a security clearance on ClearanceJobs.com) at the same time in November 2016 that she searched for information about anti-secrecy organizations (Anonymous and Wikileaks).

And in March, she told her sister she was “on Assange’s [and Snowden’s] side.”

On March 7, 2017, the Defendant searched for online information about Vault 7, Wikileaks’s alleged compromise of classified government information. Later on March 7, 2017, the Defendant engaged in the following Facebook chat with her sister in which she expressed her delight at the impact of the alleged compromise reported by Wikileaks:

SISTER: OMG that Vault 7 stuff is scary too

WINNER: It’s so awesome though. They just crippled the program.

SISTER: So you’re on Assange’s side

WINNER: Yes. And Snowden

It’s not just that Winner is reading Wikileaks and Snowden-leaked documents (which the government would be happy to use to villainize a leaker in any case). She’s cheering the destruction of CIA (and by association, NSA) capabilities. Which is not something the more prolific leaker David Petraeus did.

The curious declassification of an FBI interview about leaking

Before I get into how these materials treat the Intercept, let me take a detour to talk about the declassification of Winner’s interview which, because it discusses her work at NSA, includes a lot of information that must be classified.

As a number of outlets noted (I believe Politico reported it first), when the transcript of her FBI interview was first released, it included Winner’s social security number and date of birth — a no-no for PACER documents. It included her home computer password. It also revealed Winner worked on collection targeting Iranian Aerospace Forces Group, a remarkable disclosure given that the government says Winner can’t be released because she’ll be targeted by foreign governments (in addition to “non-governmental organizations and media outlets that advocate and procure the unauthorized disclosure of classified information”); they’ve just put a bullseye on her back for Iran. It also reveals she used to work for a drone mission. It includes the code name and the street name of her NSA location.

For either privacy and security reasons, those are remarkable disclosures.

Now consider what they did redact.

There’s a reference to Russian hacking (or the election), and Winner’s description of something akin to that. There’s a few more references, perhaps on the election, again redacted.

Perhaps the most interesting (and understandable) redaction is her explanation for why she thought the collection points on Russian hackers were already compromised.

[sigh] I had figured that, uhm, [half line redacted] that it didn’t matter anyway. Uhm honestly, uh, I just figured that whatever we were using had already been compromised, and this report was just going to be like a – one drop in the bucket.

All of which is to say the classification decisions here are pretty random.

Which is all the more interesting given the fact that the document has no declassification notes, describing who declassified it and for what purpose. If I’m Winner’s lawyers, I’m on the phone with former ISOO head Bill Leonard (who has served as an expert witness in past leak cases), asking him to testify that in a case about mishandling classified information, the government didn’t handle this document in rigorous fashion.

The Intercept: hiding the name, the motive, and a few more details

Which brings me to the decisions about redactions on parts of the transcript that pertain to the Intercept.

It hides the Intercept’s name, but also several references to her motive, including one very long description (on PDF 69)

More interesting, it redacts details about how she mailed it to the Intercept.

And redacts another passage where she describes how she found the address to send it to the Intercept — the actual details of which are included in the passage on her phone searches, above.

It redacts another passage asking whether she included anything in the envelope to the Intercept.

All of which is to say that in submissions that claim Winner is a particular risk because she might be “recruited” by NGOs and “media outlets that advocate and procure the unauthorized disclosure of classified information,” it is still hiding key details about Winner’s descriptions of her actions with respect to the Intercept.

After reading this transcript, I’m actually surprised the government hasn’t (yet) taken a harsher approach, perhaps charging her for a leak to the WaPo or for lying, initially, to the FBI (not charging her for lying to the FBI is one way, I guess, where she is getting the treatment David Petraeus got).

That may suggest they’re entertaining going after the Intercept here, for “recruiting” Reality Winner — a replay of the tactic they tried with Chelsea Manning years ago, only this time with an Attorney General and a Congress rushing to invent new categories of non-state hostile intelligence services to criminalize some kinds of publishing.

Government Decides Reality Winner Leaked Just One Document After All

Back in June, I noted that one of the reasons the government convinced a judge to deny Reality Winner bail was that she had leaked documents, plural.

There’s no written record for this yet, but it appears from one of the less-shitty reports on the hearing that the claim is based on three things: First, Winner stuck a thumb drive in a Top Secret computer last year.

Winner inserted a portable hard drive in a top-secret Air Force computer before she left the military last year. She said authorities don’t know what happened to the drive or what was on it.

Second, because Solari portrayed the 25-year old translator’s knowledge as a danger unto itself (more ridiculously, she painted Winner’s knowledge of Tor — which Winner didn’t use to look up sensitive information — as a means by which she might flee).

“We don’t know how much more she knows and how much more she remembers,” Solari said. “But we do know she’s very intelligent. So she’s got a lot of valuable information in her head.”

And finally, because Winner told her mother, in a conversation from jail that was recorded, that she was sorry about the documents, plural.

Solari said Winner also confessed to her mother during a recorded jailhouse phone call, saying: “Mom, those documents. I screwed up.”

Solari apparently emphasized the latter point as a way to suggest Winter might still have documents to leak.

Solari stressed that Winner referred to “documents” in the plural, and that federal agents were looking to see whether she may have stolen other classified information.

The idea is that because Winner used the plural and she only leaked one document, there must be more she’s planning on leaking.

Except that doesn’t appear right.

It appears Winner actually already leaked two documents. [my emphasis]

I showed that Winner actually leaked two documents to the Intercept.

Curiously, it appears the prosecutor in this case, Jennifer Solari, has changed her mind. Attached to a motion to reconsider bail, Winner’s lawyers have noted that weeks after claiming Winner had to be jailed because she told her mom she had stolen multiple documents, Solari listened to the transcript and decided Winner only referred to a document, singular.

The following is new evidence that was not available at the time of the initial detention hearing (and could not have reasonably been available given the mere three days between the initial appearance and detention hearing), all of which have a material bearing on the issue of release. • While repeatedly alleging that Ms. Winner disclosed numerous “documents” at the initial detention hearing—a fact that the Court specifically noted in its findings to support detention the Government has, via email to this Court, retracted those assertions. The Government now alleges there was only one document, rather than numerous documents, at issue. [See Exhibit A (email correspondence from Assistant United States Attorney Jennifer Solari to defense counsel and the Court dated June 29, 2017); Doc. 29 p. 105; see also Doc. 72].

In her email informing the defense of this, Solari explained,

Before the hearing, I had only heard a portion of the call in which the defendant asked her mother to “play that angle” regarding the alleged circumstances of her FBI interview. I proffered information about the other jail calls based upon verbal summaries I was provided by the FBI just before the hearing. Now that I’ve heard the recordings myself, I’d like to clarify some of the information for the court and counsel.

Solari goes on to suggest that another correction — regarding why Winner had her mom transfer money — came from an inference the FBI agent made.

I’m glad Solari corrected these issues — prosecutors often double down in such instances. I’d certainly scrutinize the other claims made by the FBI agents in the case after this.

Apparently, the government also left other details out of its story when painting Winter as an opsec genius to deny her bail. For example, in addition to pointing out how many people use Tor, her lawyers revealed that she had used it to access Wikileaks once.

The Government failed to explain, however, that Ms. Winner told the Government during her interrogation on June 3, 2017, that she used Tor once for looking at WikiLeaks.

It also notes that the superseding indictment still just charges Winner for the one document.

Finally, it compares her treatment with all of the other alleged leakers who got bail (including David Petraeus).

It’s unclear whether this will win her release. But it certainly suggests the government overstated her threat in her bail hearing.

How to Read the DHS Targeted States Information

Yesterday, DHS informed the states that had their registration databases targeted by Russian hackers last year. There has been an outright panic about the news since states started revealing they got notice, so I thought it worthwhile to describe what we should take away from the notice and subsequent reporting:

  • “Most” of the 21 targeted states were not successfully hacked
  • Some targeted states were successfully hacked
  • Not all swing states were targeted, not all targeted states are swing states
  • These hacks generally do not involve vote tallying
  • These hacks do not involve hacking voting machines
  • These hacks do not involve other voter suppression methods — whether by GOP or Russians
  • Notice needs to improve

The AP has done good work tracking down which states got notice they were targeted, identifying the 21 targeted states. Those targeted states were:

  1. Alabama
  2. Alaska
  3. Arizona
  4. California
  5. Colorado
  6. Connecticut
  7. Delaware
  8. Florida
  9. Illinois
  10. Iowa
  11. Maryland
  12. Minnesota
  13. North Dakota
  14. Ohio
  15. Oklahoma
  16. Oregon
  17. Pennsylvania
  18. Texas
  19. Virginia
  20. Washington
  21. Wisconsin

 

“Most” of the 21 targeted states were not successfully hacked

This list of 21 states does not mean that Russians successfully hacked 21 states. All it means is Russians probed 21 states. And the AP says “most” were not successful. WI, WA, and MN have said the attacks on them were not successful.

Thus, for “most” of these states, the impact is the same as the reports that Russians were attempting, unsuccessfully, to phish engineers in the energy industry: it is cause for concern, but unless new intelligence becomes available, it means that for those “most” states these probes could not affect the election.

Some targeted states were successfully probed

Of course, by saying that “most” attacks were not successful, you’re admitting that “some” were. We only know IL and AZ to have successfully been breached.

This means this story may not be done yet: reporters, especially state based ones, are going to have to get their voting officials to provide details about the attacks and it may take some FOIA work.

Mind you, a successful hack still doesn’t mean that the election was affected (as I believe to be the understanding with respect to AZ, though there is more dispute about IL). It might be that the hackers just succeeded in getting into the database. It may be that they succeeded only in downloading the voter registration database — which in many states, is readily available, and which is nowhere near the most interesting available data for targeting in any case.

In my opinion, the most effective way to affect the outcome of the election via voter registration databases is not to download and use it for targeting, but instead, to alter the database, selectively eliminating or voiding the registration of voters in targeted precincts (which of course means the hackers would need to come in with some notion of targets). Even changing addresses would have the effect of creating lines at the polls.

Altering the database would have the same effect as an existing GOP tactic does. In many states, GOP secretaries of state very aggressively purge infrequent voters. Particularly for transient voters (especially students, but poorer voters are also more likely to move from year to year), a voter may not get notice they’ve been purged. This has the effect of ensuring that the purged voter cannot vote, and also has the effect of slowing the voting process for voters who are registered.  In other words, that’s the big risk here — that hackers will do things to make it impossible for some voters to vote, and harder for others to do so.

Not all swing states were targeted, not all targeted states are swing states

The list of targeted states is very curious. Some targeted states are obvious swing states — WI, PA, FL, and VA were four of the five states where the election was decided. But MI is not on there, and NC, another close state, is not either.

In addition, a lot of these states are solidly red, like AL and OK. A lot of them are equally solidly blue, like CA and CT. So if the Russians had a grand scheme here, it was not (just) to flip swing states.

These hacks generally do not involve vote tallying

DHS has said that these hacks do not involve vote tallying. That means these disclosed probes, even assuming they were successful, are not going to explain what may seem to be abnormalities in particular states’ tallies.

These hacks do not involve hacking voting machines

Nor do these hacks involve hacking voting machines (which is covered, in any case, by the denial that it involves vote tallying).

Yes, voting machines are incredibly vulnerable. Yes, it would be child’s play for a hacker — Russian or American — to hack individual voting machines. With limited exceptions, there been no real assessment of whether individual machines got hacked (though it’d generally be easier to affect a local race that way than the presidential).

These hacks do not involve other voter suppression methods — whether by GOP or Russians

This list of 21 targeted states does not represent the known universe of Russian voting-related hacking.

It does not, for example, include the targeting of voting infrastructure contractors, such as VR Systems (which Reality Winner faces prison for disclosing). There’s good reason to at least suspect that the VR Systems hack may have affected NC’s outcome by causing the most Democratic counties to shift to paper voting books, resulting in confusion and delays in those counties that didn’t exist in more Republican ones.

And they don’t include any Russian social media-related support or suppression, which we’re getting closer to having proof of right now.

Importantly, don’t forget that we know Republicans were engaging in all these techniques as well, with far better funding. Russians didn’t need to hack WI and NC given how much organized suppression of voters of color took place. Republican secretaries of state had the power to purge voters on trumped up excuses without engaging in any hacking.

Do not let the focus on Russian tampering distract from the far more effective Republican suppression.

Notice needs to be improved

Finally, the other big story about this is that some states only got notice they were targeted yesterday, some even after having partnered with DHS to assess their voting infrastructure.

DHS has used classification, in part, to justify this silence, which is an issue the Intelligence Committees are trying to address in next year’s authorization. But that’s particularly hard to justify that many of these same states have run elections since.

Mind you, we’re likely to see this debate move to the next level — to demanding that state officials disclose full details about their state’s infrastructure to citizens.

In any case, if we’re to be able to use democratic pressure to ensure the infrastructure of democracy gets better protected, we’re going to need more notice.

Twitter Asked to Tell Reality Winner the FBI Had Obtained Her Social Media Activity

Last week, the Augusta Chronicle reported that the government had unsealed notice that it had obtained access to Reality Winner’s phone and social media metadata. Altogether, the government obtained metadata from her AT&T cell phone, two Google accounts, her Facebook and Instagram accounts, and her Twitter account. Of those providers, it appears that only Twitter asked to tell Winner the government had obtained that information. The government obtained the 2703(d) order on June 13. On June 26, Twitter asked the FBI to rescind the non-disclosure order. In response, FBI got a 180-day deadline on lifting the gag; then on August 31, the FBI asked the court to unseal the order for Twitter, as well as the other providers.

The applications all include this language on Winner’s use of Tor, and more details about using a thumb drive with a computer last November.

During the search of her home, agents found spiral-bound notebooks in which the defendant had written information about setting up a single-use “burner” email account, downloading the TOR darkweb browser at its highest security setting, and unlocking a cell phone to enable the removal and replacement of its SIM card. Agents also learned, and the defendant admitted, that the defendant had inserted a thumb drive into a classified computer in November 2016, while on active duty with the U.S. Air Force and holding a Top Secret/SCI clearance. The defendant claimed to have thrown the thumb drive away in November 2016, and agents have not located the thumb drive.

Given that the FBI applied for and eventually unsealed the orders in all these cases, it provides a good way to compare what the FBI asks for from each provider — which gives you a sense of how the FBI actually uses these metadata requests to get a comprehensive picture of all the aliases, including IP addresses, someone might use. The MAC and IP addresses, in particular, would be very valuable to identify any of her otherwise unidentified device and Internet usage. Note, too, that AT&T gets asked to share all details of wire communications sent using the phone — so any information, including cell tower location, an app shares with AT&T would be included in that. AT&T, of course, tends to interpret surveillance requests broadly.

Though note: the prosecutor here pretty obviously cut and paste from the Google request for the social media companies, given that she copied over the Google language on cookies in her Twitter request.

AT&T

AT&T Corporation is required to disclose the following records and other information, if available, to the United States for each Account listed in Part I of this Attachment, for the time period beginning June 1, 2016, through and including June 7, 2017:

A. The following information about the customers or subscribers of the Account:
1. Names (including subscriber names, user names, and screen names);
2. Addresses (including mailing addresses, residential addresses, business addresses, and e-mail addresses);
3. Local and long distance telephone connection records;
4. Records of session times and durations, and the temporarily assigned network addresses (such as Internet Protocol (“IP”) addresses) associated with those sessions;
5. Length of service (including start date) and types of service utilized;
6. Telephone or instrument numbers (including MAC addresses. Electronic Serial Numbers (“ESN”), Mobile Electronic Identity Numbers (“MEIN”), Mobile Equipment Identifier (“MEID”), Mobile Identification Numbers (“MIN”), Subscriber Identity Modules (“SIM”), Mobile Subscriber Integrated Services Digital Network Number (“MSISDN”), International Mobile Subscriber Identifiers (“IMSl”), or International Mobile Equipment Identities (“IMEI”));
7. Other subscriber numbers or identities (including the registration Internet Protocol (“IP”) address); and
8. Means and source of payment for such service (including any credit card or bank account number) and billing records.

B. All records and other information (not including the contents of communications) relating to wire and electronic communications sent from or received by the Account, including the date and time of the communication, the method of communication, and the source and destination of the communication (such as source and destination email addresses, IP addresses, and telephone numbers), and including information regarding the cell towers and sectors through which the communications were sent or received.

Records of any accounts registered with the same email address, phone number(s), or method(s) of payment as the account listed in Part I.

Google

Google is required to disclose the following records and other information, if available, to the United States for each account or identifier listed in Part 1 of this Attachment (“Account”), for the time period beginning June 1, 2016, through and including June 7,2017:

A. The following information about the customers or subscribers of the Account:
1. Names (including subscriber names, user names, and screen names);
2. Addresses (including mailing addresses, residential addresses, business addresses, and e-mail addresses);
3. Local and long distance telephone connection records;
4. Records of session times and durations, and the temporarily assigned network addresses (such as Internet Protocol (“IP”) addresses) associated with those sessions;
5. Length of service (including start date) and types of service utilized;
6. Telephone or instrument numbers (including MAC addresses);
7. Other subscriber numbers or identities (including temporarily assigned network addresses and registration Internet Protocol (“IP”) addresses (including carrier grade natting addresses or ports)); and
8. Means and source of payment for such service (including any credit card or bank account number) and billing records.

B. All records and other information (not including the contents of communications) relating to the Account, including:
1. Records of user activity for each connection made to or from the Account, including log files; messaging logs; the date, time, length, and method of connections; data transfer volume; user names; and source and destination Internet Protocol addresses;
2. Information about each communication sent or received by the Account, including the date and time of the communication, the method of communication, and the source and destination of the communication (such as source and destination email addresses, IP addresses, and telephone numbers);
3. Records of any accounts registered with the same email address, phone number(s), method(s) of payment, or IP address as either of the accounts listed in Part 1; and Records of any accounts that are linked to either of the accounts listed in Part 1 by machine cookies (meaning all Google user IDs that logged into any Google account by the same machine as either of the accounts in Part

Facebook/Instagram

Facebook, Inc. is required to disclose tbe following records and other information, if available, to the United States for each account or identifier listed in Part 1 of this Attachment (“Account”),
for the time period beginning June 1, 2016, through and including June 7, 2017:

A. The following information about the customers or subscribers of the Account:
1. Names (including subscriber names, user names, and screen names);
2. Addresses (including mailing addresses, residential addresses, business addresses, and e-mail addresses);
3. Local and long distance telephone connection records;
4. Records of session times and durations, and the temporarily assigned network addresses (such as Intemet Protocol (“IP”) addresses) associated with those sessions;
5. Length of service (including start date) and types of service utilized;
6. Telephone or instrument numbers (including MAC addresses);
7. Other subscriber numbers or identities (including temporarily assigned network addresses and registration Intemet Protocol (“IP”) addresses (including carrier grade natting addresses or ports)); and
8. Means and source of payment for such service (including any credit card or bank account number) and billing records.

B. All records and other information (not including the contents of communications) relating to the Account, including:
1. Records of user activity for each connection made to or from the Account, including log files; messaging logs; the date, time, length, and method of connections; data transfer volume; user names; and source and destination Intemet Protocol addresses;
2. Information about each communication sent or received by tbe Account, including tbe date and time of the communication, the method of communication, and the source and destination of the communication (such as source and destination email addresses, IP addresses, and telephone numbers). Records of any accounts registered with the same email address, phone number(s), method(s) of payment, or IP address as either of the accounts listed in Part I; and
3. Records of any accounts that are linked to either of the accounts listed in Part I by machine cookies (meaning all Facebook/Instagram user IDs that logged into any Facebook/Instagram account by the same machine as either of the accounts in Part I).

Twitter

Twitter, Inc. is required to disclose the following records and other information, if available, to the United States for each account or identifier listed in Part 1 of this Attachment (“Account”), for the time period beginning June 1,2016, through and including June 7,2017:

A. The following information about the customers or subscribers of the Account:
1. Names (including subscriber names, user names, and screen names);
2. Addresses (including mailing addresses, residential addresses, business addresses, and e-mail addresses);
3. Local and long distance telephone connection records;
4. Records of session times and durations, and the temporarily assigned network addresses (such as Internet Protocol (“IP”) addresses) associated with those sessions;
5. Length of service (including start date) and types of service utilized;
6. Telephone or instrument numbers (including MAC addresses);
7. Other subscriber numbers or identities (including temporarily assigned network addresses and registration Internet Protocol (“IP”) addresses (including carrier grade natting addresses or ports)); and
8. Means and source of payment for such service (including any credit card or bank account number) and billing records.

B. All records and other information (not including the contents of communications) relating to the Account, including:
1. Records of user activity for each connection made to or from the Account, including log files; messaging logs; the date, time, length, and method of connections; data transfer volume; user names; and source and destination Internet Protocol addresses;
2. Information about each communication sent or received by the Account, including the date and time of the communication, the method of communication, and the source and destination of the communication (such as source and destination email addresses, IP addresses, and telephone numbers).
3. Records of any accounts registered with the same email address, phone number(s), method(s) of payment, or IP address the account listed in Part I; and
4. Records of any accounts that are linked to the account listed in Part I by machine cookies (meaning all Google [sic] user IDs that logged into any Google [sic] account by the same machine as the account in Part I).