Posts

FISCR Used an Outdated Version of EO 12333 to Rule Protect America Act Legal

If the documents relating to Yahoo’s challenge of Protect America Act released last month are accurate reflections of the documents actually submitted to the FISC and FISCR, then the government submitted a misleading document on June 5, 2008 that was central to FISCR’s ultimate ruling.

As I laid out here in 2009, FISCR relied on the the requirement  in EO 12333 that the Attorney General determine there is probable cause a wiretapping technique used in the US is directed against a foreign power to judge the Protect America Act met probable cause requirements.

The procedures incorporated through section 2.5 of Executive Order 12333, made applicable to the surveillances through the certifications and directives, serve to allay the probable cause concern.

The Attorney General hereby is delegated the power to approve the use for intelligence purposes, within the United States or against a United States person abroad, of any technique for which a warrant would be required if undertaken for law enforcement purposes, provided that such techniques shall not be undertaken unless the Attorney General has determined in each case that there is probable cause to believe that the technique is directed against a foreign power or an agent of a foreign power.

44 Fed. Reg. at 59,951 (emphasis supplied). Thus, in order for the government to act upon the certifications, the AG first had to make a determination that probable cause existed to believe that the targeted person is a foreign power or an agent of a foreign power. Moreover, this determination was not made in a vacuum. The AG’s decision was informed by the contents of an application made pursuant to Department of Defense (DOD) regulations. See DOD, Procedures Governing the Activities of DOD Intelligence Components that Affect United States Persons, DOD 5240.1-R, Proc. 5, Pt. 2.C.  (Dec. 1982).

Yahoo didn’t buy this argument. It had a number of problems with it, notably that nothing prevented the government from changing Executive Orders.

While Executive Order 12333 (if not repealed), provides some additional protections, it is still not enough.

[snip]

Thus, to the extent that it is even appropriate to examine the protections in the Executive Order that are not statutorily required, the scales of the reasonableness determination sway but do not tip towards reasonableness.

Yahoo made that argument on May 29, 2008.

Sadly, Yahoo appears not to have noticed the best argument that Courts shouldn’t rely on EO 12333 because the President could always change it: Sheldon Whitehouse’s revelation on December 7, 2007 (right in the middle of this litigation) that OLC had ruled the President could change it in secret and not note the change publicly. Whitehouse strongly suggested that the Executive in fact had changed EO 12333 without notice to accommodate its illegal wiretap program.

But the government appears to have intentionally withheld further evidence about how easily it could change EO 12333 — and in fact had, right in the middle of the litigation.

This is the copy of the Classified Annex to EO 12333 that (at least according to the ODNI release) the government submitted to FISCR in a classified appendix on June 5, 2008 (that is, after Yahoo had already argued that an EO, and the protections it affords, might change). It is a copy of the original Classified Appendix signed by Ed Meese in 1988.

As I have shown, Michael Hayden modified NSA/CSS Policy 1-23 on March 11, 2004, which includes and incorporates EO 12333, the day after the hospital confrontation. The content of the Classified Annex released in 2013 appears to be identical, in its unredacted bits, to the original as released in 1988 (see below for a list of the different things redacted in each version). So the actual content of what the government presented may (or may not be) a faithful representation of the Classified Appendix as it currently existed.

But the version of NSA/CSS Policy 1-23 released last year (starting at page 110) provides this modification history:

This Policy 1-23 supersedes Directive 10-30, dated 20 September 1990, and Change One thereto, dated June 1998. The Associate Director for Policy endorsed an administrative update, effective 27 December 2007 to make minor adjustments to this policy. This 29 May 2009 administrative update includes changes due to the FISA Amendments Act of 2008 and in core training requirements.

That is, Michael Hayden’s March 11, 2004 modification of the Policy changed to the Directive as existed before 2 changes made under Clinton.

Just as importantly, the modification history reflects “an administrative update” making “minor adjustments to this policy” effective December 27, 2007 — a month and a half after this challenge started.

By presenting the original Classified Appendix — to which Hayden had apparently reverted in 2004 — rather than the up-to-date Policy, the government was presenting what they were currently using. But they hid the fact that they had made changes to it right in the middle of this litigation. A fact that would have made it clear that Courts can’t rely on Executive Orders to protect the rights of Americans, especially when they include Classified Annexes hidden within Procedures.

In its language relying on EO 12333, FISCR specifically pointed to DOD 5240.1-R. The Classified Annex to EO 12333 is required under compliance with part of that that complies with the August 27, 2007 PAA compliance.

That is, this Classified Annex is a part of the Russian dolls of interlocking directives and orders that implement EO 12333.

And they were changing, even as this litigation was moving forward.

Only, the government appears to have hidden that information from the FISCR.

Update: Clarified that NSA/CSS Policy 1-23 is what got changed.

Update: Hahaha. The copy of DOD 5240.1 R which the government submitted on December 11, 2007, still bears the cover sheet labeling it as an Annex to NSA/CSS Directive 10-30. Which of course had been superseded in 2004.

Note how they cut off the date to hide that it was 1990?

Note how they cut off the date to hide that it was 1990?

Read more

Every Senator Who Supports USA Freedom May Be Affirmatively Ratifying a Financial Dragnet

Now that I’ve finally got around to reading the so-called transparency provisions in Patrick Leahy’s USA Freedom Act, I understand that one purpose of the bill, from James Clapper’s perspective, is to get Congress to ratify some kind of financial dragnet conducted under Section 215.

As I’ve laid out in detail before, there’s absolutely no reason to believe USA Freedom Act does anything to affect non-communications collection programs.

That’s because the definition of “specific selection term” permits (corporate) persons to be used as a selector, so long as they aren’t communications companies. So Visa, Western Union, and Bank of America could all be used as the selector; Amazon could be for anything not cloud or communications-related. Even if the government obtained all the records from these companies — as reports say it does with Western Union, at least — that would not be considered “bulk” because the government defines “bulk” as collection without a selector. Here, the selector would be the company.

And as I just figured out yesterday, the bill requires absolutely no individualized reporting on traditional Section 215 orders that don’t obtain communications. Here’s what the bill requires DNI to report on traditional 215 collection.

(D) the total number of orders issued pursuant to applications made under section 501(b)(2)(B) and a good faith estimate of—
(i) the number of targets of such orders;
(ii) the number of individuals whose communications were collected pursuant to such orders; and
(iii) the number of individuals whose communications were collected pursuant to such orders who are reasonably believed to have been located in the United States at the time of collection;

The bill defines “individuals whose communications were collected” this way:

(3) INDIVIDUAL WHOSE COMMUNICATIONS WERE COLLECTED.—The term ‘individual whose communications were collected’ means any individual—
(A) who was a party to an electronic communication or a wire communication the contents or noncontents of which was collected; or
(B)(i) who was a subscriber or customer of an electronic communication service or remote computing service; and
(ii) whose records, as described in subparagraph (A), (B), (D), (E), or (F) of section 2703(c)(2) of title 18, United States Code, were collected.

Thus, the 215 reporting only requires the DNI to provide individualized reporting on communications related orders. It requires no individualized reporting at all on actual tangible things (in the tangible things provision!). A dragnet order collecting every American’s Visa bill would be reported as 1 order targeting the 4 or so terrorist groups specifically named in the primary order. It would not show that the order produced the records of 310 million Americans.

I’m guessing this is not a mistake, which is why I’m so certain there’s a financial dragnet the government is trying to hide.

Under the bill, of course, Visa and Western Union could decide they wanted to issue a privacy report. But I’m guessing if it would show 310 million to 310,000,500 of its customers’ privacy was being compromised, they would be unlikely to do that.

So the bill would permit the collection of all of Visa’s records (assuming the government could or has convinced the FISC to rubber stamp that, of course), and it would hide the extent of that collection because DNI is not required to report individualized collection numbers.

But it’s not just the language in the bill that amounts to ratification of such a dragnet.

As the government has argued over and over and over, every time Congress passes Section 215’s “relevant to” language unchanged, it serves as a ratification of the FISA Court’s crazy interpretation of it to mean “all.” That argument was pretty dodgy for reauthorizations that happened before Edward Snowden came along (though its dodginess did not prevent Clare Eagan, Mary McLaughlin, and William Pauley from buying it). But it is not dodgy now: Senators need to know that after they pass this bill, the government will argue to courts that it ratifies the legal interpretations publicly known about the program.

While the bill changes a great deal of language in Section 215, it still includes the “relevant to” language that now means “all.” So every Senator who votes for USAF will make it clear to judges that it is the intent of Congress for “relevant to” to mean “all.”

And it’s not just that! In voting for USAF, Senators would be ratifying all the other legal interpretations about dragnets that have been publicly released since Snowden’s leaks started.

That includes the horrible John Bates opinion from February 19, 2013 that authorized the government to use Section 215 to investigate Americans for their First Amendment protected activities so long as the larger investigation is targeted at people whose activities aren’t protected under the First Amendment. So Senators would be making it clear to judges their intent is to allow the government to conduct investigations into Americans for their speech or politics or religion in some cases (which cases those are is not entirely clear).

That also includes the John Bates opinion from November 23, 2010 that concluded that, “the Right to Financial Privacy Act, … does not preclude the issuance of an order requiring the production of financial records to the Federal Bureau of Investigation (FBI) pursuant to the FISA business records provision.” Given that Senators know (or should — and certainly have the ability to — know) about this before they support USAF, judges would be correct in concluding that it was the intent of Congress to permit the government to collect financial records under Section 215.

So Senators supporting this bill must realize that supporting the bill means they are supporting the following:

  • The interpretation of “relevant to” to permit the government to collect all of a given kind of record in the name of a standing FBI terrorism investigation.
  • The use of non-communication company corporate person names, like Visa or Western Union, as the selector “limiting” collection.
  • The use of Section 215 to collect financial records.
  • Not requiring the government to report how many Americans get sucked up in any financial (or any non-communications) dragnet.

That is, Senators supporting this bill are not only supporting a possible financial dragnet, but they are helping the government hide the existence of it.

I can’t tell you what the dragnet entails. Perhaps it’s “only” the Western Union tracking reported by both the NYT and WSJ. Perhaps James Cole’s two discussions of being able to collect credit card records under this provision means they are. Though when Leahy asked him if they could collect credit card records to track fertilizer purchases, Cole suggested they might not need everyone’s credit cards to do that.

Leahy: But if our phone records are relevant, why wouldn’t our credit card records? Wouldn’t you like to know if somebody’s buying, um, what is the fertilizer used in bombs?

Cole: I may not need to collect everybody’s credit card records in order to do that.

[snip]

If somebody’s buying things that could be used to make bombs of course we would like to know that but we may not need to do it in this fashion.

We don’t know what the financial dragnet is. But we know that it is permitted — and deliberately hidden — under this bill.

Below the rule I’ve put the names of the 18 Senators who have thus far co-sponsored this bill. If one happens to be your Senator, it might be a good time to urge them to reconsider that support.


Patrick Leahy (202) 224-4242

Mike Lee (202) 224-5444

Dick Durbin (202) 224-2152

Dean Heller (202) 224-6244

Al Franken (202) 224-5641

Ted Cruz (202) 224-5922

Richard Blumenthal (202) 224-2823

Tom Udall (202) 224-6621

Chris Coons (202) 224-5042

Martin Heinrich (202) 224-5521

Ed Markey (202) 224-2742

Mazie Hirono (202) 224-6361

Amy Klobuchar (202) 224-3244

Sheldon Whitehouse (202) 224-2921

Chuck Schumer (202) 224-6542

Bernie Sanders (202) 224-5141

Cory Booker (202) 224-3224

Bob Menendez (202) 224-4744

Sherrod Brown (202) 224-2315

 

 

USA Freedumber Will Not Get Better in the “Prosecutors” Committee

Having been badly outmaneuvered on USA Freedumber — what was sold as reform but is in my opinion an expansion of spying in several ways — in the House, civil liberties groups are promising a real fight in the Senate.

“This is going to be the fight of the summer,” vowed Gabe Rottman, legislative counsel with the American Civil Liberties Union.

If advocates are able to change the House bill’s language to prohibit NSA agents from collecting large quantities of data, “then that’s a win,” he added.

“The bill still is not ideal even with those changes, but that would be an improvement,” Rottman said.

[snip]

“We were of course very disappointed at the weakening of the bill,” said Robyn Greene, policy counsel at the New America Foundation’s Open Technology Institute. “Right now we really are turning our attention to the Senate to make sure that doesn’t happen again.”

[snip]

One factor working in the reformers’ favor is the strong support of Senate Judiciary Chairman Patrick Leahy (D-Vt.).

Unlike House Judiciary Chairman Bob Goodlatte (R-Va.), who only came to support the bill after negotiations to produce a manager’s amendment, Leahy was the lead Senate sponsor of the USA Freedom Act.

The fact that Leahy controls the committee gavel means he should be able to guide the bill through when it comes up for discussion next month, advocates said.

“The fact that he is the chairman and it’s his bill and this is an issue that he has been passionate about for many years” is comforting, Greene said.

I hope they prove me wrong. But claims this will get better in the Senate seem to ignore the recent history of the Senate Judiciary Committee’s involvement in surveillance bills, not to mention the likely vote counts.

It is true Pat Leahy wants real reform. And he has a few allies on SJC. But in recent years, every surveillance-related bill that came through SJC has been watered down when Dianne Feinstein offered an alternative (which Leahy sometimes adopted as a manager’s amendment, perhaps realizing he didn’t have the votes). After DiFi offered reform, Sheldon Whitehouse (who a number of less sophisticated SJC members look to as a guide on these issues) enthusiastically embraced it, and everyone fell into line. Often, a Republican comes in and offers a “bipartisan reform” (meaning conservative Republicans joining with the Deep State) that further guts the bill.

This is how the Administration (shacking up with Jeff Sessions) defeated an effort to rein in Section 215 and Pen Registers in 2009.

This is how DiFi defeated an effort to close the backdoor loophole in 2012.

As this was happening in 2009, Russ Feingold called out SJC for acting as if it were the “Prosecutors Committee,” rather than the Judiciary Committee.

(Note, in both of those cases as well as on the original passage of Section 702, I understood fairly clearly what the efforts to stymie reform would do, up to 4 years before those programs were publicly revealed; I’ve got a pretty good record on this front!)

And if you don’t believe this is going to happen again, tell me why this whip count is wrong:

Screen shot 2014-05-26 at 5.18.49 PM

If my read here is right, the best case scenario — short of convincing Sheldon Whitehouse some of what the government wants to do is unconstitutional, which John Bates has already ruled that it is — is relying on people like Ted Cruz (whose posturing on civil liberties is often no more than that) and Jeff Flake (who was great on these issues in the House but has been silent and absent throughout this entire debate). And that’s all to reach a 9-9 tie in SJC.

Which shouldn’t be surprising. Had Leahy had the votes to move USA Freedom Act through SJC, he would have done so in October.

That was the entire point of starting in the House: because there was such a large number of people (albeit, for the  most part without gavels) supporting real reform in the House. But because reformers (starting with John Conyers and Jerry Nadler) uncritically accepted a bad compromise and then let it be gutted, that leverage was squandered.

Right now, we’re looking at a bill that outsources an expanded phone dragnet to the telecoms (with some advantages and some drawbacks), but along the way resets other programs to what they were before the FISC reined them in from 2009 to 2011. That’s the starting point. With a vote count that leaves us susceptible to further corruption of the bill along the way.

Edward Snowden risked his freedom to try to rein in the dragnet, and instead, as of right now it looks like Congress will expand it.

Update: I’ve moved Richard Blumenthal into the “pro reform” category based on this statement after the passage of USA Freedumber. Thanks to Katherine Hawkins for alerting me to the statement.

Obama’s Presidential Policy Directive: Pixie Dust 2.0

Back when John Yoo was finding ways to authorize President Bush’s illegal wiretap program — especially spying on Americans who were not agents of a foreign power — he changed the meaning of certain limits in EO 12333 without rewriting EO 12333. The President didn’t have to change EO 12333 to reflect actual practice, Yoo determined (relying on an Iran-Contra precedent), because ignoring EO 12333 amounted to modifying it.

An executive order cannot limit a President. There is no constitutional requirement for a President to issue a new executive order whenever he wishes to depart from the terms of a previous executive order. Rather than violate an executive order, the President has instead modified or waived it.

I call this pixie-dusting, where the Executive makes his own orders and directives disappear in secret.

Poof!

The use of pixie-dust — so recently used to justify spying on people while pretending not to spy on them — ought to give you pause when you read this passage from President Obama’s Presidential Policy Directive limiting US spying overseas (or, frankly, everything he said today, which all consists of the Executive exercising its prerogative to change and oversee Executive actions, but in no way includes any teeth to sustain such changes).

Nothing in this directive shall be construed to prevent me from exercising my constitutional authority, including as Commander in Chief, Chief Executive, and in the conduct of foreign affairs, as well as my statutory authority. Consistent with this principle, a recipient of this directive may at any time recommend to me, through the APNSA, a change to the policies and procedures contained in this directive.

Effectively Obama is laying out his prerogative to pixie dust this PPD.

And while the President admittedly would always have such prerogative, he didn’t include such a paragraph in his cyberwar PPD (which, of course, wasn’t meant to be public).

This PPD was designed to be ignored.

And I suspect our friends and adversaries know that.

Obviously Bogus Clapper Exoneration Attempt 4.0

[youtube]QwiUVUJmGjs[/youtube]

Wyden: Does the NSA collect any type of data, at all, on millions, or hundreds of millions of Americans?

Clapper: No sir.

Wyden: It does not?

Clapper: There are cases where they could inadvertently, perhaps, uh, collect, but not wittingly. [After 6:38]

Almost immediately after the first Edward Snowden leaks proved James Clapper lied when he told Ron Wyden the NSA doesn’t collect data of any kind on millions of Americans, Clapper explained that he meant the NSA didn’t vicariously pore through Americans’ emails.

“What I said was, the NSA does not voyeuristically pore through U.S. citizens’ e-mails. I stand by that,” Clapper told National Journal in a telephone interview.

That is, his first response was about reading emails in a certain smarmy fashion; he did not apparently deny collecting them.

Then, with a bit more time to think up an excuse, he admitted to Andrea Mitchell that he had been “too cute by half” but didn’t really explain what semantic excuse he had invented for himself.

First– as I said, I have great respect for Senator Wyden. I thought, though in retrospect, I was asked– “When are you going to start– stop beating your wife” kind of question, which is meaning not– answerable necessarily by a simple yes or no. So I responded in what I thought was the most truthful, or least untruthful manner by saying no.

[snip]

And this has to do with of course somewhat of a semantic, perhaps some would say too– too cute by half. But it is– there are honest differences on the semantics of what– when someone says “collection” to me, that has a specific meaning, which may have a different meaning to him. [my emphasis]

Nevertheless, the implication, less than a week after Snowden’s first revelations, was that collecting Americans’ metadata doesn’t count until you access it, which seems to address the phone dragnet data (though would apply to incidentally collected US person data as well).

Perhaps because his Mitchell answer only increased the mockery, Clapper thought up a new answer, one he sent Senate Intelligence Committee Chair Dianne Feinstein 3 months after he lied to her committee.

I have thought long and hard to re-create what went through my mind at the time. Read more

Sheldon Whitehouse: We Can’t Unilaterally Disarm, Even to Keep America Competitive

I have to say, the Senate Judiciary Committee hearing on the dragnet was a bust.

Pat Leahy was fired up — and even blew off a Keith Alexander attempt to liken the Internet to a library with stories of the library card he got when he was 4. While generally favoring the dragnet, Chuck Grassley at least asked decent questions. But because of a conflict with a briefing on the Iran deal, Al Franken was the only other Senator to show up for the first panel. And the government witnesses — Keith Alexander, Robert Litt, and James Cole — focused on the phone dragnet disclosed over 6 months ago, rather than newer disclosures like back door searches and the Internet dragnet, which moved overseas. Litt even suggested — in response to a question from Leahy — that they might still be able to conduct the dragnet if they could bamboozle the FISA Court on relevance, again (see Spencer on that). As a result, no one discussed the systemic legal abuses of the Internet dragnet or NSA’s seeming attempt to evade oversight and data sharing limits by moving their dragnet overseas.

Things went downhill when Leahy left for the Iran briefing and Sheldon Whitehouse presided over the second panel, with the Computer & Communications Industry Association’s Edward Black, CATO’s Julian Sanchez, and Georgetown professor (and former DOJ official) Carrie Cordero. Sanchez hit some key points on the why Internet metadata is not actually like phone pen registers. Cordero acknowledged that metadata was very powerful but then asserted that the metadata of the phone-based relationships of every American was not.

And Black tried to make the case that the spying is killing America.

Or, more specifically, his industry’s little but significant corner of America, the Internet. While only some of this was in his opening statement, Black made the case that the Internet plays a critical role in America’s competitiveness.

While these are critical issues, it is important that the Committee also concern itself with the fact that the behavior of the NSA, combined with the global environment in which this summer’s revelations were released, may well pose an existential threat to the Internet as we know it today, and, consequently, to many vital U.S. interests, including the U.S. economy.

[snip]

The U.S. government has even taken notice. A recent comprehensive re- port from the U.S. International Trade Commission (ITC) noted, “digital trade continues to grow both in the U.S. economy and globally” and that a “further increase in digital trade is probable, with the U.S. in the lead.” In fact, the re- port also shows, U.S. digital exports have exceeded imports and that surplus has continually widened since 2007.

[snip]

As a result, the economic security risks posed by NSA surveillance, and the international political reaction to it, should not be subjugated to traditional national security arguments, as our global competitiveness is essential to long-term American security. It is no accident that the official National Security Strategy of the United States includes increasing exports as a major component of our national defense strategy.

Then he laid out all the ways that NSA’s spying has damaged that vital part of the American economy: by damaging trust, especially among non-American users not granted to the protections Americans purportedly get, and by raising suspicion of encryption.

Black then talked about the importance of the Internet to soft power. He spoke about this generally, but also focused on the way that NSA spying was threatening America’s dominant position in Internet governance, which (for better and worse, IMO) has made the Internet the medium of exchange it is.

The U.S. government position of supporting the multi-stakeholder model of Internet governance has been compromised. We have heard increased calls for the ITU or the United Nations in general to seize Internet governance functions from organizations that are perceived to be too closely associated with the U.S. government, such as the Internet Corporation for Assigned Names and Numbers (ICANN).

And he pointed to proposals to alter the architecture of the Internet to minimize the preferential access the US currently has.

Let’s be honest, Black is a lobbyist, and he’s pitching his industry best as he can. I get that. Yet even still, he’s not admitting that these governance and architecture issues really don’t provide neutrality — though US stewardship may be the least-worst option, it provides the US a big advantage.

What Black hinted at (but couldn’t say without freaking out foreign users even more) is that our stewardship of the Internet is not just one of the few bright spots in our economy, but also a keystone to our power internationally. And it gives us huge spying advantages (not everyone trying to erode our control of the Internet’s international governance is being cynical — Edward Snowden has made it clear we have abused our position).

Which is why Whitehouse’s response was so disingenuous. He badgered Black, interrupting him consistently. He asked him to compare our spying with that of totalitarian governments, which Black responded was an unfair comparison. And Whitehouse didn’t let Black point out that American advantages actually do mean we spy more than others, because we can.

Basically, Whitehouse suggested that, in the era of Big Data,  if we didn’t do as much spying as we could — and to hell with what it did to our preferential position on the Internet — it would amount to unilaterally disarming in the face of Chinese and Russian challenges.

If we were to pass law that prevented us from operating in Big Data, would be unilaterally disarming.

Whitehouse followed this hubris up with several questions that Sanchez might have gladly answered but Black might have had less leeway to answer, such as whether a court had ever found these programs to be unconstitutional. (The answer is yes, John Bates found upstream collection to be unconstitutional, he found the Internet dragnet as conducted for 5 years to be illegal wiretapping, and in the Yahoo litigation in 2007, Yahoo never learned what the minimization procedures were, and therefore never had the opportunity to make the case.) Black suggested, correctly, I think, that Whitehouse’s position meant we were just in an arms race to be the Biggest Brother.

I get it. Whitehouse is one of those who believelike Keith Alexander (whose firing Whitehouse has bizarrely not demanded, given his stated concerns about the failure to protect our data during Alexander’s tenure) that the Chinese are plundering the US like a colony.

Not only does this stance seem to evince no awareness of how America used data theft to build itself as a country (and how America’s hardline IP stance will kill people, making America more enemies). But it ignores the role of the Internet in jobs and competition and trade in ideas and goods.

Sheldon Whitehouse, from a state suffering economically almost as much as Michigan, seems anxious to piss away what competitive advantages non-defense America has to conduct spying that hasn’t really produced results (and has made our networks less secure as a result — precisely the problem Whitehouse claims to be so concerned about). That’s an ugly kind of American hubris that doesn’t serve this country, even if you adopt the most jingoistic nationalism imaginable.

He should know better than this. But in today’s hearing, he seemed intent on silencing the Internet industry so he didn’t learn better.

Update: Fixed the Black quotation.

Update: Jack Goldsmith pushes back against the American double standards on spying and stealing here.

Under Keith Alexander’s Guard, America Can Be Plundered Like a Colony

Admittedly, Keith Alexander made things very easy on himself in this article on “Defending America in Cyberspace” by not mentioning the way DOD (or our ally, Israel) let StuxNet go free, not only exposing the attack on Iran, but also providing a map and code that others can use on us.

That reckless mistake and its potential consequences remains unmentioned, however, in the piece in which Alexander claims that his team has found and is implementing the magic formula for defending the country in cyberspace.

We have learned through two decades of trial and error that operationalizing our cyberdefenses by linking them to intelligence and information-assurance capabilities is not only the best but also the only viable response to growing threats.

We know how to defend the country, Alexander says. It involves creating security holes, then using them to find out who will attack us, all while living on the network and watching what private citizens are also doing.

But then Alexander utterly contradicts the claim that his team has found the successful formula by describing the sheer scale of successful attacks against the US, suggesting it rivals the plunder of the Mongols and the colonies (though curiously, not slavery).

Three times over the previous millennium, military revolutions allowed forces to conquer huge territories and forcibly transfer riches from losers to winners (namely, in the Mongol conquests of China, Russia and Baghdad; the Spanish conquests of the Americas; and the European empires in the nineteenth century). Remote cyberexploitation now facilitates the systematic pillaging of a rival state without military conquest and the ruin of the losing power. We have seen a staggering list of intrusions into major corporations in our communications, financial, information-technology, defense and natural-resource sectors. The intellectual property exfiltrated to date can be counted in the tens to hundreds of thousands of terabytes. We are witnessing another great shift of wealth by means of cybertheft, and this blunts our technological and innovative edge. Yet we can neither prevent major attacks nor stop wholesale theft of intellectual capital because we rely on architecture built for availability, functionality and ease of use—with security bolted on as an afterthought.

This repeats a claim he and others have made repeatedly, though after having been proven wrong about past claims about the scale of financial wealth transfer, he seems to have shifted to measuring the plunder that has occurred on his watch in terabytes, not dollars. Our country — which he has served in a key defense role for 8 years — has been plundered like a colony (I don’t buy this, mind you — I find the analogy downright offensive. But it is the argument he’s making).

In much of the rest of his paper, Alexander explains his future plans, which we should follow, he tells us, because he has been so successful that our country has been plundered like a colony.

I wonder. Might the most sane response to this paper be to, at a minimum, question what success looks like? At a minimum, might we discuss publicly some alternatives? And if being plundered like a colony is not our goal, perhaps we should consider whether what Alexander presents as the “only viable response” really is?

Study Shows Cybertheft Really Isn’t the Greatest Transfer of Wealth in History

I’ve long mocked the claim — often wielded by people like Sheldon Whitehouse and Keith Alexander — that cybertheft is the greatest transfer of wealth in history. Sure, cybertheft might be big. But bigger than colonization? Bigger than slavery?

But a new study shows that it is just a fraction of what cyber-boosters have been claiming: $25 to $100 billion rather than a $1 trillion.

The study does still show it is costly — leading to the lost of 508,000 jobs a year. And the study didn’t account for something else I often harp on: the unknown role of Chinese hacking into weapons programs in degrading the effectiveness of those programs.

Still unknown, for example, are the unseen costs of military cybertheft, said Mr. Lewis. “A lot of the cost overruns in some of our big programs are because they had to rewrite the code after the Chinese got in—and the real damage won’t appear until we see how weapons actually perform,” he said.

The study also did not calculate the effect of cybertheft on American competitiveness, which seems like a significant issue.

Ultimately, though, this is a problem that should be fought without the bluster. It is real. It is a threat, in large part, to private companies that don’t pay their fair share in taxes. How we combat that problem should account for those factors.

NSA’s Querying of US Person Data, Take Two

Update: Alexander’s office has conceded Udall and Wyden’s point about the classified inaccuracy. It also notes:

With respect to the second point raised in your 24 June 2013 letter, the fact sheet did not imply nor was it intended to imply “that the NSA has the ability to determine how many American communications it has collected under section 702, or that the law does not allow the NSA to deliberately search for the records of particular Americans.”

He then cites two letters from James Clapper’s office which I don’t believe have been published.

Joshua Foust tries to refute this post and in doing so proves once again he doesn’t understand the meaning of “target” under Section 702.

Out of courtesy to him, I’m going to rewrite this post to help him understand it. The issue is not whether the US can “target” a US person without a warrant. They can’t. The issue is what the US does with US person data they collect incidentally off a legal target (which must be a foreigner overseas collected for a legitimate intelligence purpose).

At issue is this sentence in the Mark Udall/Ron Wyden letter to Keith Alexander.

Separately, this same fact sheet states that under Section 702, “Any inadvertently acquired communication of or concerning a US person must be promptly destroyed if it is neither relevant to the authorized purpose nor evidence of a crime.” We believe that this statement is somewhat misleading, in that it implies that the NSA has the ability to determine how many American communications it has collected under section 702, or that the law does not allow the NSA to deliberately search for the records of particular Americans.

The passage says that the claim, “any inadvertently acquired communication of or concerning a US person must be promptly destroyed” is “somewhat misleading,” for two reasons:

  1. It implies that the NSA has the ability to determine how many American communications it has collected under section 702
  2. It implies that the law does not allow the NSA to deliberately search for the records of particular Americans

Now, before I get into bullet point 2, which is the one in question, note that this entire passage is talking about “inadvertently acquired communication of or concerning a US person.” This is not information on someone who has been targeted. It discusses what happens to information collected along with the communications of those who’ve been targeted (say, by emailing the target). Therefore, this entire passage is irrelevant to the issue of what happens with the targeted person’s communication. The Udall/Wyden claim is not about targeting in the least; it is about incidental collection.

Okay, bullet point 2: Udall and Wyden claim that Alexander’s fact sheet is misleading because it implies the law does not allow the NSA to deliberately search for the records of particular Americans. They could be wrong, but their claim is that it is misleading for Alexander to suggest that the law does not allow the NSA to deliberately search for the records of particular Americans. That means they believe the law does allow the NSA to deliberately search for the records of particular Americans, otherwise they wouldn’t think his statement was misleading.

Now, if it were just Udall and Wyden making this claim, it’d be a he-said/he-said. But  pointed out that this claim is not new at all. It’s not even one limited to Udall and Wyden. In the FAA report released by Dianne Feinstein last year, it said,

Finally, on a related matter, the Committee considered whether querying information collected under Section 702 to find communications of a particular United States person should be prohibited or more robustly constrained. As already noted, the Intelligence Community is strictly prohibited from using Section 702 to target a U.S. person, which must at all times be carried out pursuant to an individualized court order based upon probable cause. With respect to analyzing the information lawfully collected under Section 702, however, the Intelligence Community provided several examples in which it might have a legitimate foreign intelligence need to conduct queries in order to analyze data already in its possession.

First, the report describes a debate the committee had:

The Committee considered whether querying information collected under Section 702 to find communications of a particular United States person should be prohibited or more robustly constrained.

The committee debated two things:

  1. Whether querying information collected under Section 702 to find communications of a particular United States person should be prohibited.
  2. Whether querying information collected under Section 702 to find communications of a particular United States person should be more robustly constrained.

Bullet point 1 makes it clear they were debating whether they should prohibit this activity. If they had to consider that, it means that it is not prohibited (which is precisely what Udall and Wyden say–that the law allows it). Bullet point 2 says they also considered whether they should “more robustly constrain” it, which suggests (though does not prove) that it is going on now, otherwise there’d be nothing to constrain.

The IC IGs won’t tell us how much of this goes on–they claim they have no way of counting it, which ought to alarm you, because it says they’re not actually tracking it via some kind of auditing function.

I defer to his conclusion that obtaining such an estimate was beyond the capacity of his office and dedicating sufficient additional resources would likely impede the NSA’s mission. He further stated that his office and NSA leadership agreed that an IG review of the sort suggested would itself violate the privacy of U.S. persons.

Now, as I already laid out, what we’re talking about is not targeting a US person–focusing collection on that person. What we’re talking about is what you can do with the US person data collected “incidentally” with the communications collected of that targeted person. That information–as the minimization guidelines describe–is lawfully collected. The big question is what you can do with it once you have collected it, and in many but not all cases there are restrictions against circulating that information before you’ve hidden the identity of the US person in question.

The last part of the passage from the SSCI says,

With respect to analyzing the information lawfully collected under Section 702, however, the Intelligence Community provided several examples in which it might have a legitimate foreign intelligence need to conduct queries in order to analyze data already in its possession.

Again, some amount of US person data is collected under Section 702 along with the data of the targeted person (if it weren’t, they wouldn’t need minimization procedures). It is lawfully collected. The question is what you’re allowed to do with it. And as part of the debate the committee had about whether they were going to “prohibit” or “more robustly constrain” the querying of US person data that was lawfully collected as incidental data, SSCI describes the Intelligence Community (which includes, in part, the NSA, the CIA, and the FBI) providing several reasons why it might need to conduct queries of this data. And the committee agreed that these reasons were “legitimate foreign intelligence needs.”

The minimization procedures from 2009, at least, require destruction of US person data if it is “clearly not relevant to the authorized purpose of the acquisition (e.g., the communication does not contain foreign intelligence information).” (3(b)(1)) What is not immediately destroyed may be kept for up to 5 years. But it only destroys the stuff that is “clearly not relevant,” not data that might be relevant to the purpose of the investigation.

Now, while the language is not exact, the SSCI report’s description of data that has a “legitimate foreign intelligence” surely includes “foreign intelligence information.” This is kind of backwards (which may be part of complaint from Udall and Wyden), but unless the information is clearly not relevant — and the intelligence community says some of this data has legitimate intelligence purposes — then it is retained. This is probably why Udall and Wyden think Alexander’s “must be promptly destroyed” is misleading, because if the IC thinks they might need to query it because it would serve a legitimate foreign intelligence purpose, then it is not.

So who makes this decision whether to keep the data? “NSA analyst(s) will determine whether it … is reasonably believed to contain foreign intelligence information.” (3(b)(4)) The NSA, not FBI or CIA.

And this data cannot just be retained. It can also be “forwarded to analytic personnel responsible for producing intelligence information from the collected data.” (3(b)(2))

Now, in most cases, that information must be anonymized (which is what Kurt Eichenwald discusses here, which Foust cites). But it has always been the case there are exceptions to that rule. Some exceptions are if:

  • The Director of NSA specifically determines, in writing, that the communication is reasonably believed to contain significant foreign intelligence information. (5(1)) In that case the information goes to the FBI. [Update: This distribution is permitted with domestic communication–that is, US to US person.]
  • A recipient requiring the identity of such person for the performance of official duties needs the identity of the United States person to understand foreign intelligence information or assess its importance. (6(b)(2) This sometimes, but not always, happens after an initial distribution.

There are actually a slew more exceptions but these two should suffice. Again, these rules on distribution (except as they affect technical data base information, which might be relevant here, but not necessary) are not new with FAA. They’ve long been in place.

Again, this is all about what happens to incidentally collected data, not the data of the person actually targeted. Which is why these two passages are irrelevant to the entire point (the second of which Foust thought I was leaving out because it hurt my point).

As already noted, the Intelligence Community is strictly prohibited from using Section 702 to target a U.S. person, which must at all times be carried out pursuant to an individualized court order based upon probable cause.

[snip]

The Department of Justice and Intelligence Community reaffirmed that any queries made of Section 702 data will be conducted in strict compliance with applicable guidelines and procedures and do not provide a means to circumvent the general requirement to obtain a court order before targeting a U.S. person under FISA.

What they say is that the government is prohibited from targeting a US person without a warrant and that any other things done with incidentally collected data must be conducted in strict compliance with applicable guidelines, which are the minimization procedures I just reviewed (though again, those are from 2009 so they may have changed somewhat). The passage very clearly envisions making queries of the data and very clearly considers such queries to be distinct from the targeting of a US person.

And the minimization procedures make it clear that if data is not “clearly not foreign intelligence,” (that is, if it might be foreign intelligence, as this queried data is, according to the IC) then it is retained, at least through the initial (NSA-conducted) review. Where it can be queried, so long as the other minimization procedures are met.

One final thing. Foust is actually wrong when he suggests the IC asked for new authority (in any case, the only conclusion would be that they got it). Rather, in both the SSCI and the Senate Judiciary Committee, Senators tried to limit this authority. In SJC, Mike Lee,  Dick Durbin, and Chris Coons submitted an amendment to (among other things) prohibit,

the searching of the contents of communications acquired under this section [702] in an effort to find communications of a particular United States person…

…Except with an emergency authorization.

Dianne Feinstein fought the amendment by arguing such a prohibition would have made it harder to find Nidal Hasan (whom we didn’t find anyway, and whose communications with Anwar al-Awlaki may well have been traditional FISA collection). But at one level that makes sense.

Sheldon Whitehouse said that such a restriction would “kill this program.”

I may not like what Whitehouse stated. But I do trust his judgement about how central to this program is access to US person communications.

That doesn’t say how much of this stuff goes on (though it does seem to suggest it does). But it does say we ought to at least track it.

Obama’s Stubbornness and the Risk of Snowden

At the outset of this post, let me lay out my following assumptions (I can’t prove these points, but I suspect them):

  • The documents released so far by Guardian and WaPo — information on the Section 215 program, PRISM, and the PPD on cyberwar — have done negligible damage to our security (indeed, even Sheldon Whitehouse, a big defender of these programs, said the government should have been transparent about them earlier)
  • China already knew the content of Edward Snowden’s public revelations about our hacking into Chinese networks (we know China’s compromises of us, so it is unlikely China, which is more successful and aggressive at hacking than we are, doesn’t know our compromises of it); the revelations on this front so far have served primarily to even out the playing field on mutual accusations of hacking
  • Snowden personally (and his laptops) have information that China and Russia could both find of more use, particularly given that some of our programs targeting them were run out of HI
  • Snowden may also have things that might be of use to others, such as organized crime (If I were planning on longevity and had access, for example, I would take some zero day exploits when I left the NSA, though the street value of them would diminish once NSA had inventoried what I took)
  • The reporting I’ve seen has not confirmed reports that either China or Russia has debriefed Snowden or scanned his computers (indeed, this report on China’s involvement in his departure from Hong Kong suggests they did not talk with him directly)
  • Julian Assange knows where Snowden is, leading to the possibility he has escaped Russia to a country that has not yet been named in reports of Snowden’s escape (named countries have included Venezuela, Cuba, Ecuador, and Iceland)

All of that is a roundabout way of saying that Snowden could do great damage to the US, but may not have yet, and certainly hadn’t by the time he first revealed himself in Hong Kong.

If that’s right, then it seems the Obama approach has been precisely the wrong approach in limiting potential damage to national security. The best way to limit damage, for example, would be to get Snowden to a safe place where our greatest adversaries can’t get to him, where we could make an eternal stink about his asylum there, but still rest easy knowing he wasn’t leaking further secrets. Indeed, if he were exiled in some place like France, we’d likely have more influence over what he was allowed to do than if he gets to Ecuador, for example.

The most likely approach to lead to further damage, however, is to charge him with Espionage. This not only raises the specter of the treatment we’ve given Bradley Manning — giving Snowden Denise Lind’s judgement that Manning’s rights were violated to include in any asylum application — but also easily falls under what states can call political crimes, which permits them to ignore extradition requests. That is, we appear to be pursuing the approach that could lead to greater damage.

By contrast, letting Snowden get someplace safe is perfectly equivalent to letting the CIA off for torture (or, for that matter, James Clapper off for lying to Congress). It’s a violation of rule of law, but it also serves to minimize the tremendous damage the spooks might do to retaliate. Obama has chosen this path already when the criminals were his criminals; he clearly doesn’t have the least bit of compunction of setting aside rule of law for pragmatic reasons. But in Snowden’s case, he seems to be pursuing a strategy that not only might increase the likelihood of damage, but also lets China and Russia retaliate for perceived slights along the way.

All this is just an observation. I believe Obama’s relentless attacks on whistleblowers and his ruthless enforcement of information asymmetry have actually raised the risk of something like this. And he seems to be prioritizing proving the power of the US (which has, thus far, only proved our diminishing influence) over limiting damage Snowden might do.

Update: This fearmongering WaPo article nevertheless quotes a former senior US official admitting that what Snowden has released so far wouldn’t help China or Russia.

A former senior U.S. official said that the material that has leaked publicly would be of limited use to China or Russia but that if Snowden also stole files that outline U.S. cyber-penetration efforts, the damage of any disclosure would be multiplied.