The McCain (Cornyn) amendment to the Judiciary Appropriations bill that would let them get Electronic Communication Transaction Records with a National Security Letter just narrowly failed to get cloture, with Dan Sullivan flipping his vote to yes near the end but Mike Crapo, a likely no vote, not voting. The final vote was 59-37.
The floor debate leading up to the vote featured a few notable exchanges. Richard Burr was an absolute douchebag, saying Ron “Wyden is consistently against providing LE the tools it needs to defend the American people.” He did so in a speech admitting that, “My colleague says this wouldn’t stop SB or Orlando. He’s 100% correct.”
Burr also insisted that we can’t let the Lone Wolf provision, which allegedly has never been used, expire. It was extended just last year and doesn’t expire until 2019.
More interesting though was the debate between Burr and Leahy over whether the FBI can’t obtain ECTRs because of a typo in the law as passed in 1993. Leahy basically described that Congress had affirmatively decided not to include ECTRs in NSLs (implicit in this, Congress also did not decide to include it in the 2001 expansion). Burr claimed that Congress meant to include it but didn’t in some kind of oversight.
Here’s how Mazie Hirono and Martin Heinrich described the debate in the report on the Intelligence Authorization, which has a version of the ECTR change.
The FBI has compared expanding these authorities to fixing a “typo” in the Electronic Communications Privacy Act (ECPA).
However, during consideration of ECPA reform legislation in 1993, the House Judiciary Committee said in its committee report that “Exempt from the judicial scrutiny normally required for compulsory process, the national security letter is an extraordinary device. New applications are disfavored.”
The House Judiciary Committee report also makes clear that the bill’s changes to Section 2709(b) of ECPA were a “modification of the language originally proposed by the
This does not support claims that the removal of the ECTR language was a “typo.”
Burr effectively argued that because law enforcement wanted ECTRs to be included back in 1993, they were meant to be included, and Congress’ exclusion of them was just a typo.
In short, a member of the Senate just argued that if Congress affirmatively decides not to capitulate to every demand of law enforcement, it must be considered a “typo” and not legally binding law.
For the moment, the Senate voted down making itself a “typo,” but Mitch McConnell filed a motion to reconsider, meaning he can bring the vote back up as soon as he arm twists one more vote.
The Intercept’s Jenna McLaughlin liberated a copy of the Senate Intelligence Committee’s Intelligence Authorization for 2017 which was passed out of committee a few weeks back. There are two really shitty things — a move to enable FBI to get Electronic Communications Transaction Records with NSLs again (which I’ll return to) and a move to further muck up attempts to close Gitmo.
But there are a remarkable number of non-stupid things in the bill.
I’m particularly interested in this language.
Unless I’m completely misreading it, this section would require the Director of NSA to be a separate person from the head of CyberCommand. It would require Admiral Mike Rogers’ current dual hat to be split.
Correction: DIRNSA and CyberCom would only need to be split if CyberCom gets elevated to be a full combatant command.
That’s a recommendation the President’s own Review Group made back in 2013, only to have the President pre-empt PRG’s recommendation before they could publicize it. It would also likely have some impact on NSA’s decision, earlier this year, to combine the Information Assurance Directorate — NSA’s defensive organization — in with its offensive mission.
Frankly, I think our entire cybersecurity approach deserves a more open debate. The IC has done a pretty crummy job at defending us from attacks, and it’s not clear what purpose their secrecy about that serves.
But I am intrigued that SSCI seems to think NSA should retain its defensive capability, independent of all its offensive ones.
I once made a list of all the evidence of torture the CIA or others in the Executive Branch destroyed.
I thought it time to start cataloging them, to keep them all straight.
- Before May 2003: 15 of 92 torture tapes erased or damaged
- Early 2003: Dunlavey’s paper trail “lost”
- Before August 2004: John Yoo and Patrick Philbin’s torture memo emails deleted
- June 2005: most copies of Philip Zelikow’s dissent to the May 2005 CAT memo destroyed
- November 8-9, 2005: 92 torture tapes destroyed
- July 2007 (probably): 10 documents from OLC SCIF disappear
- December 19, 2007: Fire breaks out in Cheney’s office
(I put in the Cheney fire because it happened right after DOJ started investigating the torture tape destruction.)
Since that time, there have been at least two more:
But apparently, last summer, CIA’s Inspector General destroyed something else: both his disk-based and server-based copies of the Torture Report.
But last August, a chagrined Christopher R. Sharpley, the CIA’s acting inspector general, alerted the Senate intelligence panel that his office’s copy of the report had vanished. According to sources familiar with Sharpley’s account, he explained it this way: When it received its disk, the inspector general’s office uploaded the contents onto its internal classified computer system and destroyed the disk in what Sharpley described as “the normal course of business.” Meanwhile someone in the IG office interpreted the Justice Department’s instructions not to open the file to mean it should be deleted from the server — so that both the original and the copy were gone.
At some point, it is not clear when, after being informed by CIA general counsel Caroline Krass that the Justice Department wanted all copies of the document preserved, officials in the inspector general’s office undertook a search to find its copy of the report. They discovered, “S***, we don’t have one,” said one of the sources briefed on Sharpley’s account.
Sharpley was apologetic about the destruction and promised to ask CIA director Brennan for another copy. But as of last week, he seems not to have received it; after Yahoo News began asking about the matter, he called intelligence committee staffers to ask if he could get a new copy from them.
Sharpley also told Senate committee aides he had reported the destruction of the disk to the CIA’s general counsel’s office, and Krass passed that information along to the Justice Department. But there is no record in court filings that department lawyers ever informed the judge overseeing the case that the inspector general’s office had destroyed its copy of the report.
Two key parts of this story: Sharpley appears to have no idea who decided to nuke the report off the IG server. Hmmmm.
And DOJ has been suppressing this detail in filings in the FOIAs for the Torture Report itself (which may be what led Dianne Feinstein to make an issue of it last week).
Click through if you want a really depressing list of all the ways Richard Burr is trying to disappear the report.
I guess I shouldn’t be surprised that the entire report got disappeared. But destroying the whole thing is rather impressive.
Update: Katherine Hawkins reminds me of another one: the hood Manadel al-Jamadi wore when he suffocated to death while being tortured disappeared under circumstances the CIA IG considered non-credible.
A version of Richard Burr and Dianne Feinstein’s ill-considered encryption bill has been released here. They’re calling it the “Compliance with Court Orders Act of 2016,” but I think I’ll refer to it as the Cuckoo bill. This will be a working thread.
(2) Note the bill starts by suggesting economic prosperity relies on breaking encryption. There are many reasons that’s not true, most obviously that it will put US products at a disadvantage in other countries.
(2) Note this only applies to “providers of communications services and products (including software).” Does it apply to financial companies? Because they’re encrypting data between themselves that should be accessible to law enforcement. Does it apply to car companies? IoT companies?
(2) Note they mention “judicial order” and “court order” here. It’s clear (and becomes clearer later) that this includes orders that aren’t warrants, so FISA orders. Which suggests they’re having a problem with encryption under FISA too.
(3) The Cuckoo Bill builds in compensation. That’s one way companies could fight this: to make sure it would take a lot to render data intelligible.
(4) I suspect this license language would expand to do scary things with other “licensing” products.
(4) Note that they’ve expanded the definition of metadata to include “switching, processing, and transmitting” data. I bet that has already been done in secret somewhere.
(5) The language on destination and switching suggests they’re trying to include location data in metadata.
(6) Note the “order or warrant” language.
(6) The covered entity might include banks and cars, though not obviously so.
(8) An odd use of “original form” in decrypted definition.
(9) Wow, they even want to require entities to have to provide decrypted data in motion.
Here’s what Senate Intelligence Chair Richard Burr and House Intelligence Ranking Member Adam Schiff had to say about a briefing on the San Bernardino attack they attended on December 10.
Lawmakers on Thursday said there was no evidence yet that the two suspected shooters used encryption to hide from authorities in the lead-up to last week’s San Bernardino, Calif., terror attack that killed 14 people.
“We don’t know whether it played a part in this attack,” Senate Intelligence Committee Chairman Richard Burr (R-N.C.) told reporters following a closed-door briefing with federal officials on the shootings.
But that hasn’t ruled out the possibility, Burr and others cautioned.
“That’s obviously one issue we’re very interested in,” House Intelligence Committee ranking member Adam Schiff (D-Calif.) said. “To what degree were either encrypted devices or communications a part of the impediment of the investigation, either while the events were taking place or to our investigation now?”
The recent terror attacks in San Bernardino and Paris have shed an intense spotlight on encryption.
While no evidence has been uncovered that either plot was hatched via secure communications platforms, lawmakers and federal officials have used the incidents to resurface an argument that law enforcement should have guaranteed access to encrypted data.
On December 10, we should assume from these comments, the Congressmen privy to the country’s most secret intelligence and law enforcement information, were told nothing about a key source of evidence in the San Bernardino attack being encrypted. Schiff made it quite clear the members of Congress in the briefing were quite interested in that question, but nothing they heard in the briefing alerted them to a known trove of evidence being hidden by encryption.
That’s an important benchmark because of details the FBI provided in response to a question from Ars Technica’s Cyrus Farivar. As had been made clear in the warrant, FBI seized the phone on December 3. But the statement also reveals that FBI asked the County to reset Farook’s Apple ID password on December 6. That means they were already working on that phone several days before the briefing to the Intelligence Committee members (it’s unclear whether that briefing was just for the Gang of Four or for both Intelligence Committees).
While, given what Tim Cook described last night, the FBI had not yet asked for Apple’s assistance by that point, the FBI had to have known what they were dealing with by December 6 — an iPhone 5C running iOS9. Therefore, they would have known the phone was encrypted by default (and couldn’t be opened with a fingerprint).
Yet even four days later, they were not sufficiently interested in that phone they had to have known to be encrypted to tell Congress it held key data.
Update: Wow, this, from Apple’s motion to vacate the order, makes this all the more damning.
In response to a question Senate Intelligence Committee Chair Richard Burr posed during his committee’s Global Threat hearing yesterday, Jim Comey admitted that “going dark” is “overwhelmingly … a problem that local law enforcement sees” as they try to prosecute even things as mundane as a car accident.
Burr: Can you, for the American people, set a percentage of how much of that is terrorism and how much of that fear is law enforcement and prosecutions that take place in every town in America every day?
Comey: Yeah I’d say this problem we call going dark, which as Director Clapper mentioned, is the growing use of encryption, both to lock devices when they sit there and to cover communications as they move over fiber optic cables is actually overwhelmingly affecting law enforcement. Because it affects cops and prosecutors and sheriffs and detectives trying to make murder cases, car accident cases, kidnapping cases, drug cases. It has an impact on our national security work, but overwhelmingly this is a problem that local law enforcement sees.
Much later in the hearing Burr — whose committee oversees the intelligence but not the law enforcement function of FBI, which functions are overseen by the Senate Judiciary Committee — returned to the issue of encryption. Indeed, he seemed to back Comey’s point — that local law enforcement is facing a bigger problem with encryption than intelligence agencies — by describing District Attorneys from big cities and small towns complaining to him about encryption.
I’ve had more District Attorneys come to me than I have the individuals at this table. The District Attorneys have come to me because they’re beginning to get to a situation where they can’t prosecute cases. This is town by town, city by city, county by county, and state by state. And it ranges from Cy Vance in New York to a rural town of 2,000 in North Carolina.
Of course, the needs and concerns of these District Attorneys are the Senate Judiciary Committee’s job to oversee, not Burr’s. But he managed to make it his issue by calling those local law enforcement officials “those who complete the complement of our intelligence community” in promising to take up the issue (though he did make clear he was not speaking for the committee in his determination on the issue).
One of the responsibilities of this committee is to make sure that those of you at at the table and those that comp — complete the complement of our intelligence community have the tools through how we authorize that you need. [sic]
Burr raised ISIS wannabes and earlier in the hearing Comey revealed the FBI still hadn’t been able to crack one of a number of phones owned by the perpetrators of the San Bernardino attack. And it is important for the FBI to understand whether the San Bernardino attack was directed by people in Saudi Arabia or Pakistan that Tashfeen Malik associated with before coming to this country planning to engage in Jihad.
But only an hour before Jim Comey got done explaining that the real urgency here is to investigate drug cases and car accident cases, not that terrorist attack.
The balance between security, intelligence collection, and law enforcement is going to look different if you’re weighing drug investigations against the personal privacy of millions than if you’re discussing terrorist communications, largely behind closed doors.
Yet Richard Burr is not above pretending this is about terrorism when it’s really about local law enforcement.
Way at the end of yesterday’s Senate Intelligence Committee Global Threats hearing, Tom Cotton asked his second leading question permitting an intelligence agency head to ask for surveillance, this time asking Admiral Mike Rogers whether he still wanted Section 702 (the first invited Jim Comey to ask for access to Electronic Communications Transactions Records with National Security Letters, as Chuck Grassley had asked before; Comey was just as disingenuous in his response as the last time he asked).
Curiously, Cotton offered Rogers the opportunity to ask for Section 702 to be passed unchanged. Cotton noted that in 2012, James Clapper had asked for a straight reauthorization of Section 702.
Do you believe that Congress should pass a straight reauthorization of Section 702?
But Rogers (as he often does) didn’t answer that question. Instead, he simply asserted that he needed it.
I do believe we need to continue 702.
At this point, SSCI Chair Richard Burr piped up and noted the committee would soon start the preparation process for passing Section 702, “from the standpoint of the education that we need to do in educating and having Admiral Rogers bring us up to speed on the usefulness and any tweaks that may have to be made.”
Note this discussion comes in the wake of a description of some of the changes made in last year’s certification in this year’s PCLOB status report. That report notes that last year’s certification process approved the following changes:
As the status report implicitly notes, the government has released minimization procedures for all four agencies using Section 702 (in addition to NSA, CIA, and FBI, NCTC has minimization procedures), but it did so by releasing the now-outdated 2014 minimization procedures as the 2015 ones were being authorized. At some point, I expect we’ll see DEA minimization procedures, given that the shutdown of its own dragnet would lead it to rely more on NSA ones, but that’s just a wildarseguess.
According to Medium, Crackas With Attitude just hacked James Clapper and his wife.
One of the group’s hackers, who’s known as “Cracka,” contacted me on Monday, claiming to have broken into a series of accounts connected to Clapper, including his home telephone and internet, his personal email, and his wife’s Yahoo email. While in control of Clapper’s Verizon FiOS account, Cracka claimed to have changed the settings so that every call to his house number would get forwarded to the Free Palestine Movement.
The hacker also sent me a list of call logs to Clapper’s home number. In the log, there was a number listed as belonging to Vonna Heaton, an executive at Ball Aerospace and a former senior executive at the National Geospatial-Intelligence Agency. When I called that number, the woman who picked up identified as Vonna Heaton. When I told her who I was, she declined to answer any questions.
Viscerally, I’m laughing my ass off that Verizon (among others) has shared Clapper’s metadata without his authority. “Not wittingly,” they might say if he asks them about that. But I recognize that it’s actually not a good thing for someone in such a sensitive position to have his metadata exposed (I mean, to the extent that it wasn’t already exposed in the OPM hack).
I would also find some amusement if Clapper ends up being the first public victim of OmniCISA’s regulatory immunity for corporations.
Yahoo and Verizon can self-report this cyber intrusion to DHS, and if they do then the government can’t initiate regulatory action against them for giving inadequate protection from hacking for the Director of National Intelligence’s data.
And whether or not Clapper is the first victim of OmniCISA’s regulatory immunity, he is among the first Americans that the passage of OmniCISA failed to protect from hacking.
Richard Burr has apparently stated publicly that he’s looking into not Marco Rubio’s serial leaking of classified information, but Ted Cruz’s alleged disclosure of classified information at last night’s debate. That’s particularly curious given that Rubio has gotten privileged access to this information on the Senate Intelligence Committee, whereas Cruz has not.
I assume Burr is thinking of this passage, in which Cruz explained how the USA Freedom Act phone program adds to the tools the intelligence community gets.
It strengthened the tools of national security and law enforcement to go after terrorists. It gave us greater tools and we are seeing those tools work right now in San Bernardino.
And in particular, what it did is the prior program only covered a relatively narrow slice of phone calls. When you had a terrorist, you could only search a relatively narrow slice of numbers, primarily land lines.
The USA Freedom Act expands that so now we have cell phones, now we have Internet phones, now we have the phones that terrorists are likely to use and the focus of law enforcement is on targeting the bad guys.
And the reason is simple. What he knows is that the old program covered 20 percent to 30 percent of phone numbers to search for terrorists. The new program covers nearly 100 percent. That gives us greater ability to stop acts of terrorism, and he knows that that’s the case.
Shortly thereafter, Rubio said,
RUBIO: Let me be very careful when answering this, because I don’t think national television in front of 15 million people is the place to discuss classified information.
Of course, that means Burr — who has the most privileged access to this information — just confirmed for ISIS and anyone else who wants to know (like, say, American citizens) that the IC is targeting “Internet phones” as well as the more limited set of call records the Section 215 phone dragnet used to incorporate, and in doing so getting closer to 100% of “calls” (which includes texting and messaging) in the US.
I’m not sure why Burr would give OpSec tips to our adversaries, all to score political points against Cruz. Obviously, his tolerance for Rubio’s serial leaks, which effectively confirmed the very same information, shows this isn’t about protecting sources and methods.
Maybe it’s time to boot Burr, in addition to Rubio, from SSCI before he continues to leak classified information?
A penny dropped for me, earlier this week, when Marco Rubio revealed that authorities are asking “a large number of companies” for “phone records.” Then, yesterday, he made it clear that these companies don’t fall under FCC’s definition of “phone” companies, because they’re not subject to that regulator’s 18 month retention requirement.
His comments clear up a few things that have been uncertain since February 2014, when some credulous reporters started reporting that the Section 215 phone dragnet — though they didn’t know enough to call it that — got only 20 to 30% of “all US calls.”
The claim came not long after Judge Richard Leon had declared the 215 phone dragnet to be unconstitutional. It also came just as the President’s Review Group (scoped to include all of the government’s surveillance) and PCLOB (scoped to include only the 215 phone dragnet) were recommending the government come up with a better approach to the phone dragnet.
The report clearly did several things. First, it provided a way for the government to try to undermine the standing claim of other plaintiffs challenging the phone dragnet, by leaving the possibility their records were among the claimed 70% that was not collected. It gave a public excuse the Intelligence Community could use to explain why PRG and PCLOB showed the dragnet to be mostly useless. And it laid the ground work to use “reform” to fix the problems that had, at least since 2009, made the phone dragnet largely useless.
It did not, however, admit the truth about what the 215 phone dragnet really was: just a small part of the far vaster dragnet. The dragnet as a whole aspires to capture a complete record of communications and other metadata indicating relationships (with a focus on locales of concern) that would, in turn, offer the ability to visualize the networks of the world, and not just for terrorism. At first, when the Bush Administration moved the Internet (in 2004) and phone (in 2006) dragnets under FISC authority, NSA ignored FISC’s more stringent rules and instead treated all the data with much more lax EO 12333 rules (see this post for some historical background). When FISC forced the NSA to start following the rules in 2009, however, it meant NSA could no longer do as much with the data collected in the US. So from that point forward, it became even more of a gap-filler than it had been, offering a thinner network map of the US, one the NSA could not subject to as many kinds of analysis. As part of the reforms imposed in 2009, NSA had to start tracking where it got any piece of data and what authority’s rules it had to follow; in response, NSA trained analysts to try to use EO 12333 collected data for their queries, so as to apply the more permissive rules.
That, by itself, makes it clear that EO 12333 and Section 215 (and PRTT) data was significantly redundant. For every international phone call (or at least those to countries of terrorism interest, as the PATRIOT authorities were supposed to be restricted to terrorism and Iran), there might be two or more copies of any given phone call, one collected from a provider domestically, and one collected via a range of means overseas (in fact, the phone dragnet orders make it clear the same providers were also providing international collection not subject to 215). If you don’t believe me on this point, Mike Lee spelled it out last week. Not only might NSA get additional data with the international call — such as location data — but it could subject that data to more interesting analysis, such as co-location. Thus, once the distinction between EO 12333 and PATRIOT data became formalized in 2009 (years after it should have been) the PATRIOT data served primarily to get a thinner network map of the data they could only collect domestically.
Because the government didn’t want to admit they had a dragnet, they never tried to legislate fixes for it such that it would be more comprehensive in terms of reach or more permissive in terms of analysis.
So that’s a big part of why four beat journalists got that leak in February 2014, at virtually the same time President Obama decided to replace the 215 phone dragnet with something else.
The problem was, the government never admitted the extent of what they wanted to do with the dragnet. It wasn’t just telephony-carried voice calls they wanted to map, it was all communications a person might make from their phone, which increasingly means a smart phone. It wasn’t just call-chaining they wanted to do, it was connection chaining, linking identities, potentially using far more intrusive technological analysis.
Some of that was clear with the initial IC effort at “reform.” Significantly, it didn’t ask for Call Detail Records, understood to include either phone or Internet or both, but instead “records created as a result of communications of an individual or facility.” That language would have permitted the government to get backbone providers to collect all addressing records, regardless if it counted as content. The bill also permitted the use of such tools for all purposes, not just counterterrorism. In effect, this bill would have completed the dragnet, permitting the IC to conduct EO 12333 collection and analysis on records collected in the US, for any “intelligence” purpose.
But there was enough support for real reform, demonstrated most vividly in the votes on Amash-Conyers in July 2013, that whatever got passed had to look like real reform, so that effort was killed.
So we got the USA F-ReDux model, swapping more targeted collection (of communications, but not other kinds of records, which can still be collected in bulk) for the ability to require providers to hand over the data in usable form. This meant the government could get what it wanted, but it might have to work really hard to do so, as the communications provider market is so fragmented.
The GOP recognized, at least in the weeks before the passage of the bill, that this would be the case. I believe that Richard Burr’s claimed “mistake” in claiming there was an Internet dragnet was instead an effort to create legislative intent supporting an Internet dragnet. After that failed, Burr introduced a last minute bill using John Bates’ Dialing, Routing, Addressing, and Signaling language, meaning it would enable the government to bulk collect packet communications off switches again, along with EO 12333 minimization rules. That failed (in part because of Mitch McConnell’s parliamentary screw ups).
But now the IC is left with a law that does what it said it wanted (plus some, as it definitely gets non-telephony “phone” “calls”), rather than one that does what it wanted, which was to re-establish the full dragnet it had in the US at various times in the past.
I would expect they won’t stop trying for the latter, though.
Indeed, I suspect that’s the real reason Marco Rubio has been permitted to keep complaining about the dragnet’s shortcomings.