Posts

[Photo: National Security Agency, Ft. Meade, MD via Wikimedia]

Surveillance Whack-a-Mole, Section 215 to Section 702 Edition

As it happens, I and others covered the report that NSA purportedly has not restarted its use of the Section 215 CDR program in the wake of finding serious over-collection on the same day that I Con the Record released another Semiannual report on 702, the one completed in October 2018, which covers December 2016 to May 2017.

In my post on the Section 215 CDR claim, I suggested that function probably hasn’t shut down, but likely moved instead to a different authority, probably EO 12333.

The NSA almost never gives up a function they like. Instead, they make sure they don’t have any adverse court rulings telling them they’ve broken the law, and move the function some place else. Given that the government withdrew several applications last year after FISC threatened to appoint an amicus, and given that the government now has broadened 12333 sharing, they may have just moved something legally problematic somewhere else.

In Ellen Nakashima’s report on the 215 CDR shutdown, she suggested that NSA may not longer need the 215 CDR function because “terrorists” (this program was never just about terrorists) increasingly use secure apps which “don’t always create metadata.”

But these days, terrorists generally are not coordinating via phone calls or standard text messages, but communicate by using secure apps that don’t always create metadata trails, analysts said.

That is, the suggestion is that because “terrorists” are using encrypted apps like Signal and WhatsApp rather than AT&T or Verizon’s own SMS apps, getting the latter via the CDR program is not as useful.

But perhaps that explains the over-collection issue behind all this.

From the start of the USA Freedom Act debate, I have noted that the definition used in the law — session identifier — did not match the intent of most members of Congress: that is, to track telephony contacts. Telephony contacts are just an increasingly minimal subset of the session identifiers than any mobile phone user will generate. And in the age of super-cookies, providers increasingly track these other session identifiers. If providers collect it, spooks and law enforcement will try to use it, and the expanded universe of session identifiers is no exception.

One of several likely explanations for the over-collection that led the government to destroy all its records last year is that the FISA Court wrote something that distinguished between the two (basically, establishing a precedent that made fudging the issue legally problematic), leading NSA to “discover” the over-collection and quickly start deleting records before any overseer found the proof that it was no accident.

At least, that same pattern has happened numerous times before.

Anyway, back to surveillance whack-a-mole.

When this has happened in the past, the NSA didn’t actually shut down the function. It instead moved it to another authority, preferably one with less court oversight. Of particular note, when NSA shut down the PRTT dragnet in 2011, it moved some of that function to EO 12333 (NSA had resumed a practice shut down during the Stellar Wind shutdown allowing the agency to chain on Americans) and Section 702.

That’s why I want to point to something in the most recent Section 702 Semiannual Report (which, remember, reflects really dated reviews of Section 702 use. On top of being really dated, the report is, as all of these are, heavily redacted and largely boilerplate. Nevertheless, a close read of it (I do think I’m the only one who actually reads these!) can point to trends that can sometimes help identify problems on the same timeline that NSA’s Inspector General does.

And this most recent Semiannual report, from the period mid-way into implementation of the new USAF CDR function, has this passage (which — I believe — includes a typo).

This passage is not reporting a decrease, as the last clause of the paragraph claims; it is reporting an increase in the number of times Section 702 data appears in serialized (that is, finished) reports. The typo appears to be the result of retaining the claim that this is “the first and only decrease of for these ten reporting periods” from the prior report.

What is likely true of this passage, however, is that it is reporting a new trend: “expanded use of Section 702” for some function.

There are several likely candidates for the time period (early 2017). The increasing use of the 2014 exception, the ongoing shift of the old PRTT function (obtaining email metadata) are two.

But another would be to use 702 — such that it is technically feasible — to obtain what metadata exists for encrypted apps. Notably, during precisely this period, Facebook was moving to more closely integrate WhatsApp with its platform generally. And this would give it access (but not content) of chats. Since then, it has probably become easier for Verizon and AT&T to identify who is using Signal by matching the individual keys generated for each contact (just as an example, you can set Verizon to show this or not, meaning they’ve got visibility onto it one way or another). Using 702 to get encrypted app metadata would only give you one degree of separation from a foreign target. But you’d get it with far less oversight than NSA undergoes with Section 215.

Here’s the dirty secret about FISA. It is far easier for NSA to use Section 702 to get content and metadata than it is for NSA to use Section 215 to get just session identifiers.

Section 702 couldn’t replace all of what Section 215 — if it were collecting on the session identifiers associated with encrypted chat apps — gets. But what it could get might be far more voluminous than the 500 million session identifiers collected in 2017.

Update: Bobby Chesney — who seems to know more than he’s letting on — weighs in on the news here.

Congress Should Revert to Section 702 as Passed in 2008, If That’s What the Spooks Want!

Congress is passing a continuing resolution with an extension of Section 702 today, giving Congress one month to figure out how it will reauthorize the surveillance program.

But the Intelligence Community is making one more bid to talk Congress into passing some bill today. The same Intelligence Community that has opposed bills that offer even lip service reforms — most notably the House Judiciary Committee bill — insist that anything else than a new authorization will make the country less safe.

Reauthorizing Section 702 before it expires is vital to keeping the nation safe. Let us be clear: if Congress fails to act, vital intelligence collection on international terrorists and other foreign adversaries will be lost. The country will be less secure.

And (again, from an IC that has refused to engage with the HJC bill) the IC wants its reauthorization now, without the short term extension, because short term extension don’t provide certainty.

We also believe it is important that Congress reauthorize Section 702 before it expires on December 31, 2017.  Although the current Section 702 certifications do not expire until April 2018, the Intelligence Community would need to start winding down its Section 702 program well in advance of that date.  Winding down such a valuable program would force agencies to divert resources away from addressing foreign threats. Short-term extensions are not the long-term answer either, as they fail to provide certainty, and will create needless and wasteful operational complications. We urge Congress, therefore, to act quickly to reauthorize Section 702 in a manner that preserves the effectiveness of this critical national security law before it expires.

Where the release gets truly inexcusable, however, is how they flip their demand that this reauthorization codify certain dubious practices and not limit other ones. Congress is not required to make changes, the spooks say, without telling you that even the SSCI bill makes at least one reform, and most of the bills on the floor today make more serious ones. Those are the bills the IC prevented from passing.

To be clear – Congress is not required to make any changes to Section 702. The Intelligence Community conducts and uses 702 collection in a manner that protects the privacy and civil liberties of individuals.

The spooks pretend, as they have before, that the Ninth Circuit approved back door searches, which it didn’t.

Every single court that has reviewed Section 702 and queries of its data has found it to be constitutional.

They then take their emphasis on the word targeting a step further than normal to avoid telling you that their “targeted surveillance” of location-obscuring servers like Tor and VPNs actually collects on US persons, and the “oversight’ of that collection allows entirely domestic communications collected via such “targeted” collection to be used in criminal cases.

The Intelligence Community’s use of Section 702, which permits targeted surveillance only of foreign persons located outside the United States, is subject to extensive oversight and incorporates substantial protections to protect the privacy and civil liberties of individuals.

Here, the spooks don’t acknowledge how much has changed in between the various passage of these bills.

In short, we believe Congress got it right in 2008 when it passed Section 702 and in 2012 when Congress reauthorized it.

Consider: if the 702 on the table today were 702 as it existed in 2008, Congress would pass it gladly. That’s because no backdoor searches were permitted (though FBI was already doing them), to say nothing of the 2014 exception that permits the collection of US person location-obscured communications. And upstream “about” collection wasn’t affirmatively permitted either.

In other words, if Congress could have Section 702 as it passed in 2008, it’d be a vast improvement from a privacy perspective than the program as it exists right now (and also wouldn’t include a counterproliferation certificate or approval to target cybersecurity targets).

Note, too, the spooks don’t admit that most of Congress didn’t know about backdoor and other kinds of US person searches in 2012.

All that said, even after saying that Congress had it right in 2008, the spooks return to the coded demands that Congress not do a single thing to limit the spying on Americans that has gotten added to the program since 2008.

Nevertheless, the Intelligence Community continues to be open to reasonable reforms to Section 702 to further enhance the already-substantial privacy protections contained in the law, but we simply cannot support legislation that would impede the operational efficacy of this vital authority.

There were many “reasonable reforms to … further enhance the already-substantial privacy protections contained in the law.” Those were the bills the IC refused to let pass, which is why we’re here on one of the last legislative days of the year, punting this legislation for a month.

[Photo: National Security Agency, Ft. Meade, MD via Wikimedia]

FBI Imagines Using Assessments to Recruit US Engineers for Insight onto Spying in Semiconductor Industry

For something else, I’m reviewing the section of the FBI Domestic Investigations and Operations Guide on assessments made available in unredacted form to the Intercept. Of particular interest are the scenarios the DIOG uses to explain whether an Agent would or could use an assessment to collect information without opening a preliminary investigation. One way the FBI uses assessments is to identify potential informants. As one of the scenarios for when it might do so, it uses the example of trying to find out about a particular country X’s targeting of engineers and high tech workers involved in the production of semiconductor chips. For an engineer who travels frequently to country X, the FBI might either target him, or try to recruit him. (see page 117)

This is important for two reasons. First, the FBI is permitted to search FBI’s own databases to conduct this assessment. That would include information collected via Section 702. So when people talk about the risks of back door searches, it could mean a completely innocent engineer getting targeted for recruitment as an informant.

The other reason this is important is because it is precisely what appears to have happened with Professor Xiaoxing Xi, who was falsely accused of sharing semiconductor technology with China. After Xi and his attorney Peter Zeidenberg explained to the FBI that they had badly misunderstood the technology they were looking at, the case against Xi was dismissed.

In fact, Xi claims in a lawsuit against the government that the emails on which was the case was built were improperly searched using Section 702 or EO 12333.

On information and belief, both before and after obtaining the FISA orders, defendant Haugen and/or Doe(s) caused the interception of Professor Xi’s communications, including his emails, text messages, and/or phone calls, without obtaining a warrant from any court. In conducting this surveillance, the defendants may have relied on the purported authority of Section 702 of FISA or Executive Order 12333. Although neither Section 702 nor Executive Order 12333 permits the government to “target” Americans directly, the government nonetheless relies on these authorities to obtain without a warrant the communications of Americans who are in contact with individuals abroad, as Professor Xi was with his family and in the course of his scientific and academic work.

On information and belief, defendant Haugen and/or defendant Does searched law enforcement databases for communications of Professor Xi that the government had intercepted without a warrant, including his private communications intercepted under Section 702 of FISA and Executive Order 12333, and examined, retained, and/or used such communications.

[snip]

The actions of defendants Haugen and/or Doe(s) in searching law enforcement databases for, examining, retaining, and using Professor Xi’s communications, including his emails, text messages, and/or phone calls, that were obtained without a warrant, and without notice to Professor Xi, violated Professor Xi’s clearly established constitutional rights against unlawful search and seizure and his right to privacy under the Fourth Amendment.

Given how closely this scenario matches his own case, I’d say the chances his emails were first identified via a back door search are quite high. Note, too, that Temple University, where he works, has its email provided by Google, meaning these emails might be available on via PRISM.

Of additional interest, the one description of sensitive potential Confidential Human Sources that the officially released DIOG redacts which is revealed in the Intercept copy is academic personnel. (see page 112)

So they will recruit professors like Professor Xi as informants — they would just require special approval to do so.

Two Lessons of the Robin Raphel Case

If you haven’t already, you should read this long story on how longtime US diplomat Robin Raphel came to have her life turned upside down based on a frivolous espionage investigation. The piece has earned a lot of praise both for the reporting that went into it and the writing.

I want to point to a few lessons from the piece.

The “Tip”

As the piece explains, Raphel served for decades in Pakistan and South Asia generally, developing a lot of close ties there (she also did a stint in Iraq at the beginning of the war).

Over the years, she was one of the few remaining people who would get out of US compounds to go meet with Pakistanis directly. Precisely because she was engaging directly (or collecting human intelligence, in the view of the spooks), she would be captured in a great deal of intercepts targeting her interlocutors, meaning anything that appeared amiss would elicit attention from the NSA analysts reviewing the intercepts.

The NSA regularly swept up Pakistani communications “to, from or about” senior U.S. officials working in the country. Some American officials would appear in Pakistani intercepts as often as once a week. What Raphel didn’t realize was that her desire to engage with foreign officials, the very skill set her supervisors encouraged, had put a target on her back.

By the time Raphel returned to Pakistan under the Obama Administration, the NSA included Pakistan’s ruling party by name in the Section 702 foreign government certificate, which provides some indication of how much NSA was vacuuming up.

As far back as the 1990s, intelligence agencies deemed Raphel to be too sympathetic to Pakistani views, a view which continued when she returned to Pakistan under Obama.

In 2013, FBI received a “tip” purportedly implicating Raphel based off intercepts targeted at Pakistanis.

In February 2013, according to law-enforcement officials, the FBI received information that made its agents think Raphel might be a Pakistani mole.

The tip came in the form of intercepted communications that suggested Raphel had shared sensitive inside information without authorization. Two officials said this included information collected on wiretaps of Pakistani officials in the U.S.

The description of this tip suggests Raphel was talking with Pakistanis located in the US. Even there, there is room for ambiguity; it could also suggest (but probably doesn’t) that the wiretaps, not the Pakistani officials, were in the US.

 

The article also suggests Raphel’s conversations with a Pakistani woman named Maleeha Lodhi were among the most interesting to spies. When Raphel was Assistant Secretary of South Asian Affairs in the mid-1990s, Lodhi was Ambassador to the US, but she had been a journalist before and returned to journalism after that post; she is now Pakistan’s representative to the UN.

[Lodhi] had returned to the news business, writing a regular column and appearing as a commentator on Pakistani television. American officials said they had no doubt that Lodhi was more than an ordinary journalist, however.

In her six years in Washington as Pakistan’s ambassador, Lodhi had earned a reputation as a reliable source for what Pakistani officials were thinking, and in particular, as a trusted conduit for relaying messages to Pakistan’s senior military leadership in Rawalpindi, U.S. officials said. She was, in State Department parlance, an “influencer.” One reason U.S. officials trusted her: The NSA had long been monitoring her communications.

In other words, the NSA was targeting a journalist’s communications. The story presents conflicting viewpoints about how much of Lodhi’s information got back to the Pakistani government, with US sources insinuating that because she shared a lot of information with the Pakistani government, she wasn’t really a journalist. To a great degree that’s just a rationalization.Not only does the same kind of information sharing between journalists and government officials happen here. But the US targeted Lodhi not because she was deemed a threat, but because she was a good source of information. I suspect WSJ’s sources shared those competing claims in an attempt to obscure, from both Congress and FISA Court observers, how broadly the NSA targets off foreign government 702 certificates, such that it can include journalists with close ties but no formal relationship with a foreign government.

Moreover, the two versions of the basis of the tip on Raphel — Pakistani officials in the US versus Lodhi — may also serve to obscure what authority she first got targeted under. That is, if she was targeted under Section 702 but the government didn’t tell her that, then WSJ’s sources would have reason to invent a traditional FISA source of her targeting.

WSJ’s sources are probably also engaging in misdirection with the details offered in this passage.

Investigators began what they call “circling the target,” which means examining the parts of Raphel’s life they could explore without subpoenas or warrants. Sitting in their cubicles on the fourth floor of the FBI’s Washington Field Office, a modern sandstone-colored building on the edge of Chinatown, the agents began to map her network of contacts and search for signs of disloyalty.

One of the first things they looked at was her “metadata”—the electronic traces of who she called or emailed, and also when and for how long. Her metadata showed she was in frequent contact with a host of Pakistan officials that didn’t seem to match what the FBI believed was her rank and role.

After all, the NSA would have already had every bit of metadata reflecting a conversation between Raphel and a targeted official, and the story makes it clear elsewhere a great many of Raphel’s interlocutors were targeted. Indeed, in court filings, the NSA has made it clear that it prioritizes intercepts that reflect a conversation with an American. So the NSA analysts who first alerted the FBI to Raphel’s conversations would have based that alert, in significant part, on precisely that kind of metadata analysis. Sure, the FBI would recollect that metadata, laundering the original source, but the government would have already have analyzed a great deal of it before tipping Raphel to FBI.

Spooks making claims about classified information

Across decades, because NSA and then FBI were collecting intercepts of Raphel’s conversations, she fell afoul of spooks who claimed information she learned on her own could only have come from intelligence agencies and therefore must be classified.

This actually happened twice, with the first time happening almost two decades before she was targeted personally. The first time came in the mid-1990s.

Not long after the amendment passed, Deputy Secretary of State Strobe Talbott sent an aide to Raphel’s office with a disturbing message.

According to officials, the aide told Raphel U.S. spy agencies had intercepted communications in which Pakistani officials suggested that Raphel had revealed sensitive information to them about what the U.S. knew about Pakistan’s nuclear work. U.S. intelligence officials said the information was classified and the disclosure wasn’t authorized.

Raphel denied disclosing too much. She consulted with top officials at the State Department’s internal intelligence branch, who recommended she ask Diplomatic Security—the security and law enforcement arm of the State Department—to investigate the matter.

Diplomatic Security agents interviewed Raphel about the alleged disclosures. They found no evidence of wrongdoing and took no disciplinary action against her.

The story suggests this 1990s incident arose, at least in part, out of animus on the part of spooks over her close ties and seeming empathy with the Pakistanis. The inquiry into her communications led her to keep records of her conversations, which she then took home with her when she first retired from State in 2004. When the FBI did a sneak and peek warrant on her home, they found these records and considered them mishandled classified information.

The CIA increasingly claimed readily available information belonged exclusively to them after Cameron Munter started objecting to drone strikes.

After Cameron Munter took over as the U.S. ambassador to Pakistan in 2010, the competing forces of intelligence and diplomacy began to collide. When Munter pushed the CIA to be more “judicious” in its drone strikes in the tribal areas, the CIA’s station chief responded by telling diplomats not to discuss the drone program even in private meetings with senior Pakistani officials. If asked, he told them, they should change the subject.

Senior diplomats in Islamabad knew this was impossible. The drone program came up all the time. There was no way to avoid the topic.

Raphel didn’t know the key details because her Top Secret clearance didn’t include access to the “compartment” that covered the covert program. When her Pakistani contacts complained about the strikes, Raphel told them what other diplomats would say—that the U.S. wouldn’t need to do so many if the Pakistani army did more to rein in militants in the tribal areas, according to people she spoke with.

Unsurprisingly, drone strikes were one of the topics that the FBI latched onto in her conversations with Lodhi, along with rumors of a coup and discussions of negotiations with the Taliban. Raphel was learning of such information independent of spy sources, yet because it replicated the information learned via spy sources, they claimed it was highly classified.

As the agents listened to the back-and-forth, they would check with U.S. intelligence officials to see if the topics which Raphel discussed with Lodhi— drones, coups and reconciliation talks with the Taliban—were classified. They were repeatedly told that yes, they were.

[snip]

During her visit, Raphel was in regular phone contact with Lodhi, who invited her to come to her home library to talk privately over tea. Officials briefed on the investigation said the information they exchanged during the trip about the prospects of a coup was similar to what U.S. spy agencies were picking up—the same kind of information that intelligence officials were putting in the President’s Daily Brief.

This is, of course, the same thing that happened with some, though not all, of Hillary’s emails (and unsurprisingly, some of Raphel’s communications were shared via aides with Hillary): the CIA claimed that they owned such information, and as such, any discussion outside of secure channels must be evidence of sharing classified information. In both cases, the information was readily available elsewhere.

Particularly when exacerbated by turf sensitivities and jealousy over Raphel’s access to top Pakistani officials, however, this can be a lethal combination. The CIA gets to criminalize officials for sharing information it deems its exclusive purview, even if those officials discovered the information independently.

The WSJ tells a story about the double edged sword of America’s dragnet: the degree to which it can implicate honest people because it captures so much, as well as the gaps in knowledge that result from overdependence on SIGINT.

Is There a 702 Certificate for Transnational Crime Organizations?

Update, 9/8/15: We’ve subsequently learned that in 2015, the third certificate in 2011 was a vaguely defined “foreign government” one, which has been used very broadly (and lied about by the government on multiple occasions). NSA was contemplating a cyber certificate in 2012, but Bates’ 2011 decision may have made the terms of that difficult. 

I joked yesterday that James Clapper did no more than cut and paste to accomplish President Obama’s order of providing a list of acceptable bulk collection. But I’d like to note something about the list of permissible uses of bulk collection.

  1. Espionage and other threats and activities directed by foreign powers or their intelligence services against the United States and its interests;
  2. Threats to the United States and its interests from terrorism;
  3. Threats to the United States and its interests from the development, possession, proliferation, or use of weapons of mass destruction;
  4. Cybersecurity threats;
  5. Threats to U.S. or allied Armed Forces or other U.S. or allied personnel; and
  6. Transnational criminal threats, including illicit finance and sanctions evasion related to the other purposes named above.

For months, I have been noting hints that the use of Section 702 — which is one of several kinds of domestic bulk collection — is limited by the number of certifications approved by FISC, which might be limited by FISC’s assessment of whether such certifications establish a certain level of “special need.”

In 2011, it seems clear from John Bates’ opinion on the government’s Section 702 applications, there were 3 certifications.

Screen shot 2013-12-19 at 7.10.00 AM

If there are just 3 certifications, then it seems clear they cover counterterrorism, counterproliferation, and cybersecurity (which is consistent with both ODNI’s public descriptions of Section 702 and the Presidential Review Group’s limits on it), 3 of 6 of the permitted uses of bulk collection.

Furthermore, there’s some history (you’ll have to take my word for this for now, but the evidence derives in part from reports on the use of National Security Letters) of lumping in Counterintelligence and Cybersecurity, because the most useful CI application of bulk collection would target technical exploits used for spying. So if that happens with 702 collection, then 4 of the 6 permissible applications would be covered by existing known certifications.

Threats against Armed Forces would, for the most part, be overseas, suggesting the bulk collection on it would be too. (Though it appears Bush’s illegal program used the excuse of force protection to spy on Iraqi-related targets, potentially even in the US, until the hospital confrontation stopped it.)

Which leaves just transnational crime threats — against which President Obama rolled out a parallel sanctions regime to terrorism in 2011 (though there had long been a regime against drug traffickers) — as the sole bulk collection that might apply in the US that doesn’t have certifications we know about.

Given that at least drug cartels have a far more viable — and deathly — operation in the United States than al Qaeda, I can’t think of any reason why the Administration wouldn’t have applied for a certification targeting TCOs, too (one of Treasury’s designated TCO targets — Russian and East European mobs — would have some overlap with the cyber function, and one — Yakuza — just doesn’t seem like a big threat to the US at all).

And last year’s Semiannual Compliance Assessment may support the argument that there are more than 3 certificates. In its description of the review process for 702 compliance, the report lays out review dates by certifications. Here’s the NSA review schedule:

Screen Shot 2014-02-11 at 9.49.59 AM

This seems to show 4 lines of certifications, one each in August and December, but two in October. Perhaps they re-review one of the certifications (counterterrorism, most likely). But if not, it would seem to suggest there’s now a 4th certification.

Here’s the FBI review schedule (which apparently requires a lot more manual review).

Screen Shot 2014-02-11 at 12.30.28 PM

Given that this requires manual review, I wouldn’t be surprised if they repeated the counterterrorism certifications review (and we don’t know whether all the NSA certifications would be used by FBI). But the redactions would at least allow for the possibility that there is a 4th certification, in addition to the 3 we know about.

Perhaps Obama rolled out TCOs as a 4th certification as he rolled out his new Treasury initiative on it (which would be after the applications laid out by Bates).

Of course, we don’t know. But I think two things are safe to say. First, the use of 702 is tied to certifications by topic. And the public statement about permissible use of bulk collection, it would seem to envision the possibility of a 4th certification covering TCOs, and with it, drug cartels.

3 Certifications — Terror, Proliferation, and Cyber — and Stealing from Google

Screen shot 2013-12-19 at 7.10.00 AMFor months, I have been suggesting that the government only uses Section 702 of FISA, under which it collects data directly from US Internet providers and conducts some upstream content from telecom providers, for three purposes:

  • Counterterrorism
  • Counterproliferation
  • Cyber

I have said so based on two things: many points in documents — such as the second page from John Bates’ October 3, 2011 opinion on 702, above — make it clear there are 3 sets of certifications for 702 collection. And other explainer documents released by the government talk about those three topics (though they always stop short of saying the government collects on only those 3 topics).

The NSA Review Group report released yesterday continues this pattern in perhaps more explicit form.

[S]ection 702 authorized the FISC to approve annual certifications submitted by the Attorney General and the Director of National Intelligence (DNI) that identify certain categories of foreign intelligence targets whose communications may be collected, subject to FISC-approved targeting and minimization procedures. The categories of targets specified by these certifications typically consist of, for example, international terrorists and individuals involved in the proliferation of weapons of mass destruction.

If I’m right, it explains one of the issues driving overseas collection and, almost certainly, rising tensions with the Internet companies.

I suggested, for example, that this might explain why NSA felt the need to steal data from Google’s own fiber overseas.

I wonder whether the types of targets they’re pursuing have anything to do with this. For a variety of reasons, I’ve come to suspect NSA only uses Section 702 for three kinds of targets.

  • Terrorists
  • Arms proliferators
  • Hackers and other cyber-attackers

According to the plain letter of Section 702 there shouldn’t be this limitation; Section 702 should be available for any foreign intelligence purpose. But it’s possible that some of the FISC rulings — perhaps even the 2007-8 one pertaining to Yahoo (which the government is in the process of declassifying as we speak) — rely on a special needs exception to the Fourth Amendment tied to these three types of threats (with the assumption being that other foreign intelligence targets don’t infiltrate the US like these do).

Which would make this passage one of the most revealing of the WaPo piece.

One weekly report on MUSCULAR says the British operators of the site allow the NSA to contribute 100,000 “selectors,” or search terms. That is more than twice the number in use in the PRISM program, but even 100,000 cannot easily account for the millions of records that are said to be sent back to Fort Meade each day.

Given that NSA is using twice as many selectors, it is likely the NSA is searching on content outside whatever parameters that FISC sets for it, perhaps on completely unrelated topics altogether. This may well be foreign intelligence, but it may not be content the FISC has deemed worthy of this kind of intrusive search.

That is, if NSA can only collect 3 topics domestically, but has other collection requirements it must fulfill — such as financial intelligence on whether the economy is going to crash, which FISC would have very good reasons not to approve as a special need for US collection — then they might collect it overseas (and in the Google case, they do it with the help of GCHQ). But as Google moved to encryption by default, NSA would have been forced to find new ways to collect it.

Which might explain why they found a way to steal data in motion (on Google’s cables, though).

Here’s the thing, though. As I’ll note in a piece coming out later today, the Review also emphasizes that EO 12333 should only be available for collection not covered by FISA. With Section 702, FISA covers all collection from US Internet providers. So FISC’s refusal to approve (or DOJ’s reluctance to ask for approval) to collect on other topics should foreclose that collection entirely. The government should not be able to collect some topics under 702 here, then steal on other topics overseas.

But it appears that’s what it’s doing.

Read more

Shorter Rupp: We Inform Members at Briefings They Can’t Attend Because They’re Too Busy

Since it became clear Mike Rogers had chosen not to pass on the Administration’s notice of phone dragnet problems, I’ve been wondering if he did the same with any notice about the FISA Amendments Act upstream problems.

In response to a query from Politico, Rogers and his counterpart Dutch Ruppersberger seem to suggest they did not pass on the notice.

Moreover, the House leaders who held the keys to the report did not loudly broadcast its existence to the rest of the chamber. The chairman of the Intelligence Committee, Rogers, and the panel’s ranking Democrat, Dutch Ruppersberger of Maryland, declined to say whether they even had sent a letter in 2012 informing members there had been a critical document to view. Hill sources say they don’t recall anything of the sort.

More telling still, though, is Rupp’s justification for providing briefings instead of the actual white paper.

Party leaders did hold unclassified and classified briefings on FISA, but they occurred just days before the House’s September 2012 vote to reauthorize the law. The Republican briefing, for example, occurred only two days before the House approved the FISA Amendments Act, according to an invite obtained by POLITICO. Yet nowhere in the message, sent Sept. 7, 2012, is any mention of the White House white paper on FISA oversight — the document that detailed how the agency had erred in collecting U.S. communications.

Committee leaders, though, stress they acted appropriately. “Members were notified of the contents of the white paper through the briefing,” Ruppersberger told POLITICO. “We felt that a briefing was an appropriate way to notify members of this important issue so that they would have the opportunity to get all of their questions answered immediately.”

The congressman continued: “Some members chose to take advantage of a briefing and some did not. We thought offering a briefing shortly before the vote was held would work best with members’ busy schedules and keep the issue fresh in their minds as they cast their vote.” [my emphasis]

In his explanation, Rupp explains that members have busy schedules.

And his accommodation for those busy schedules was to require members who want to be informed on issues they didn’t receive notice of adjust their busy schedule to show up at one of two briefings, rather than go to a SCIF to read a document during whatever time is most convenient for them. Indeed, I’ve heard from members that that’s part of the problem with briefings — they require people to drop all their other important issues and cater to Rogers’ and Rupp’s schedules, instead. All to learn about issues not identified in the meeting notice.

I’d add two points to the Politico piece. First, while it notes that the notice pitched the 2011 compliance problems as an example of functional oversight, there’s another problem with it. It doesn’t appear to reveal that some agency (probably FBI) already did, and the NSA newly started searching on incidentally collected US person data. Thus, it left out one of the most crucial aspects of the 2011 opinion, that it permitted the access to US person communications without a warrant.

And then a persnickety issue. Politico makes this claim.

The Washington Post first revealed that lapse in PATRIOT Act oversight in August, which at the time Rogers acknowledged “very few members” had taken advantage of any related briefing opportunities.

As the reporter admitted he knew, the WaPo did not, in fact, “first” reveal the earlier failure to pass on the notice. The WaPo reporting followed my own and the Guardian’s, as well as several other sites. The whole issue of “first” is stupid, but why use it, particularly if you know it is factually inaccurate?

Did NSA Interpret Adverse FISC Fourth Amendment Ruling as Permission to Search American Contacts?

Finally! The backdoor!

The Guardian today confirms what Ron Wyden and, before him, Russ Feingold have warned about for years. In a glossary updated in June 2012, the NSA claims that minimization rules “approved” on October 3, 2011 “now allow for use of certain United States person names and identifiers as query terms.”

A secret glossary document provided to operatives in the NSA’s Special Source Operations division – which runs the Prism program and large-scale cable intercepts through corporate partnerships with technology companies – details an update to the “minimization” procedures that govern how the agency must handle the communications of US persons. That group is defined as both American citizens and foreigners located in the US.

“While the FAA 702 minimization procedures approved on 3 October 2011 now allow for use of certain United States person names and identifiers as query terms when reviewing collected FAA 702 data,” the glossary states, “analysts may NOT/NOT [not repeat not] implement any USP [US persons] queries until an effective oversight process has been developed by NSA and agreed to by DOJ/ODNI [Office of the Director of National Intelligence].”

The term “identifiers” is NSA jargon for information relating to an individual, such as telephone number, email address, IP address and username as well as their name.

The document – which is undated, though metadata suggests this version was last updated in June 2012 – does not say whether the oversight process it mentions has been established or whether any searches against US person names have taken place.

The Guardian goes on to quote Ron Wyden confirming that this is the back door he’s been warning about for years.

Once Americans’ communications are collected, a gap in the law that I call the ‘back-door searches loophole’ allows the government to potentially go through these communications and conduct warrantless searches for the phone calls or emails of law-abiding Americans.

But the Guardian is missing one critical part of this story.

The FISC Court didn’t just “approve” minimization procedures on October 3, 2011. In fact, that was the day that it declared that part of the program — precisely pertaining to minimization procedures — violated the Fourth Amendment.

So where the glossary says minimization procedures approved on that date “now allow” for querying US person data, it almost certainly means that on October 3, 2011, the FISC court ruled the querying the government had already been doing violated the Fourth Amendment, and sent it away to generate “an effective oversight process,” even while approving the idea in general.

And note that FISC didn’t, apparently, require that ODNI/DOJ come back to the FISC to approve that new “effective oversight process.”

Consider one more thing.

As I have repeatedly highlighted, the Senate Intelligence Committee (and the Senate Judiciary Committee, though there’s no equivalent report) considered whether to regulate precisely this issue last year when extending the FISA Amendments Act.

Finally, on a related matter, the Committee considered whether querying information collected under Section 702 to find communications of a particular United States person should be prohibited or more robustly constrained. As already noted, the Intelligence Community is strictly prohibited from using Section 702 to target a U.S. person, which must at all times be carried out pursuant to an individualized court order based upon probable cause. With respect to analyzing the information lawfully collected under Section 702, however, the Intelligence Community provided several examples in which it might have a legitimate foreign intelligence need to conduct queries in order to analyze data already in its possession. The Department of Justice and Intelligence Community reaffirmed that any queries made of Section 702 data will be conducted in strict compliance with applicable guidelines and procedures and do not provide a means to circumvent the general requirement to obtain a court order before targeting a U.S. person under FISA.

But in spite of Ron Wyden and Mark Udall’s best efforts — and, it now appears, in spite of FISC concerns about precisely this issue — the Senate Intelligence Committee chose not to do so.

This strongly suggests that the concerns FISC had about the Fourth Amendment directly pertained to this backdoor search. But if that’s the case, it also suggests that none of NSA’s overseers — not the Intelligence Committees, not ODNI/DOJ, and not FISC — have bothered to actually close that back door.

The Evil Empire

Screen shot 2013-07-11 at 2.39.09 PM
The Guardian has its latest scoop on NSA spying, describing the extent to which Microsoft helps the government spy on its customers. This bullet list is just some of what the article reveals.

  • Microsoft helped the NSA to circumvent its encryption to address concerns that the agency would be unable to intercept web chats on the new Outlook.com portal;
  • The agency already had pre-encryption stage access to email on Outlook.com, including Hotmail;
  • The company worked with the FBI this year to allow the NSA easier access via Prism to its cloud storage service SkyDrive, which now has more than 250 million users worldwide;
  • Microsoft also worked with the FBI’s Data Intercept Unit to “understand” potential issues with a feature in Outlook.com that allows users to create email aliases;
  • Skype, which was bought by Microsoft in October 2011, worked with intelligence agencies last year to allow Prism to collect video of conversations as well as audio;
  • Material collected through Prism is routinely shared with the FBI and CIA, with one NSA document describing the program as a “team sport”.

But I’m as interested in some of the details about the cooperation as the impact of that cooperation.

For example, the story describes that this cooperation takes place through the Special Source Operations unit.

The latest documents come from the NSA’s Special Source Operations (SSO) division, described by Snowden as the “crown jewel” of the agency. It is responsible for all programs aimed at US communications systems through corporate partnerships such as Prism.

But we saw that when NSA approached (presumably) Microsoft in 2002, it did not approach via SSO; it used a more formal approach through counsel.

In addition, note how Skype increased cooperation in the months before Microsoft purchased it for what was then considered a hugely inflated price, and what is now being called (in other legal jurisdictions) so dominant that it doesn’t have to cooperate with others.

One document boasts that Prism monitoring of Skype video production has roughly tripled since a new capability was added on 14 July 2012. “The audio portions of these sessions have been processed correctly all along, but without the accompanying video. Now, analysts will have the complete ‘picture’,” it says.

Eight months before being bought by Microsoft, Skype joined the Prism program in February 2011.

According to the NSA documents, work had begun on smoothly integrating Skype into Prism in November 2010, but it was not until 4 February 2011 that the company was served with a directive to comply signed by the attorney general.

The NSA was able to start tasking Skype communications the following day, and collection began on 6 February. “Feedback indicated that a collected Skype call was very clear and the metadata looked complete,” the document stated, praising the co-operation between NSA teams and the FBI. “Collaborative teamwork was the key to the successful addition of another provider to the Prism system.”

While this isn’t as obvious as Verizon’s MCI purchase — which for the first time led that carrier to hand over Internet data — it does seem that those companies that cooperate with the NSA end up taking over their rivals.

 

Remember, the Department of Commerce plays some kind of role in ensuring that companies cooperate in protecting our critical infrastructure.

As of 2:30, Microsoft stock is at a high on the day.

In These Times We Can’t Blindly Trust Government to Respect Freedom of Association

One of my friends, who works in a strategic role at American Federation of Teachers, is Iranian-American. I asked him a few weeks ago whom he called in Iran; if I remember correctly (I’ve been asking a lot of Iranian-Americans whom they call in Iran) he said it was mostly his grandmother, who’s not a member of the Republican Guard or even close. Still, according to the statement that Dianne Feinstein had confirmed by NSA Director Keith Alexander, calls “related to Iran” are fair game for queries of the dragnet database of all Americans’ phone metadata.

Chances are slim that my friend’s calls to his grandmother are among the 300 identifiers the NSA queried last year, unless (as is possible) they monitored all calls to Iran. But nothing in the program seems to prohibit it, particularly given the government’s absurdly broad definitions of “related to” for issues of surveillance and its bizarre adoption of a terrorist program to surveil another nation-state. And if someone chose to query on my friend’s calls to his grandmother, using the two-degrees-of-separation query they have used in the past would give the government — not always the best friend of teachers unions — a pretty interesting picture of whom the AFT was partnering with and what it had planned.

In other words, nothing in the law or the known minimization rules of the Business Records provision would seem to protect some of the AFT’s organizational secrets just because they happen to employ someone whose grandmother is in Iran. That’s not the only obvious way labor discussions might come under scrutiny; Colombian human rights organizers with tangential ties to FARC is just one other one.

When I read labor organizer Louis Nayman’s “defense of PRISM,” it became clear he’s not aware of many details of the programs he defended. Just as an example, Nayman misstated this claim:

According to NSA officials, the surveillance in question has prevented at least 50 planned terror attacks against Americans, including bombings of the New York City subway system and the New York Stock Exchange. While such assertions from government officials are difficult to verify independently, the lack of attacks during the long stretch between 9/11 and the Boston Marathon bombings speaks for itself.

Keith Alexander didn’t say NSA’s use of Section 702 and Section 215 have thwarted 50 planned attacks against Americans; those 50 were in the US and overseas. He said only around 10 of those plots were in the United States. That works out to be less than 20% of the attacks thwarted in the US just between January 2009 and October 2012 (though these programs have existed for a much longer period of time, so the percentage must be even lower). And there are problems with three of the four cases publicly claimed by the government — from false positives and more important tips in the Najibullah Zazi case, missing details of the belated arrest of David Headley, to bogus claims that Khalid Ouazzan ever planned to attack NYSE. The sole story that has stood up to scrutiny is some guys who tried to send less than $10,000 to al-Shabaab.

While that doesn’t mean the NSA surveillance programs played no role, it does mean that the government’s assertions of efficacy (at least as it pertains to terrorism) have proven to be overblown.

Yet from that, Nayman concludes these programs have “been effective in keeping us safe” (given Nayman’s conflation of US and overseas, I wonder how families of the 166 Indians Headley had a hand in killing feel about that) and defends giving the government legal access (whether they’ve used it or not) to — among other things — metadata identifying the strategic partners of labor unions with little question.

And details about the success of the program are not the only statements made by top National Security officials that have proven inaccurate or overblown. That’s why Nayman would be far better off relying on Mark Udall and Ron Wyden as sources for whether or not the government can read US person emails without probable cause than misstating what HBO Director David Simon has said (Simon said that entirely domestic communications require probable cause, which is generally but not always true). And not just because the Senators are actually read into these programs. After the Senators noted that Keith Alexander had “portray[ed] protections for Americans’ privacy as being significantly stronger than they actually are” — specifically as it relates to what the government can do with US person communications collected “incidentally” to a target — Alexander withdrew his claims.

Nayman says, “As people who believe in government, we cannot simply assume that officials are abusing their lawfully granted responsibility and authority to defend our people from violence and harm.” I would respond that neither should we simply assume they’re not abusing their authority, particularly given evidence those officials have repeatedly misled us in the past.

Nayman then admits, “We should do all we can to assure proper oversight any time a surveillance program of any size and scope is launched.” But a big part of the problem with these programs is that the government has either not implemented or refused such oversight. Some holes in the oversight of the program are:

  • NSA has not said whether queries of the metadata dragnet database are electronically  recorded; both SWIFT and a similar phone metadata program queries have been either sometimes or always oral, making them impossible to audit
  • Read more