Posts

Keith Alexander’s “Packets in Flight” Turn Hackers into Terrorists

Keith Alexander showed up to chat with a typically solicitous George Stephanopoulos yesterday. The interview demonstrates something I’ll be increasingly obsessed with in upcoming weeks.

The government is using the limited success of NSA’s counterterrorism spying to justify programs that increasingly serve a cybersecurity function — a function Congress has not enthusiastically endorsed.

The interview starts with Alexander ignoring Steph’s first question (why we didn’t find Snowden) and instead teeing up 9/11 and terror terror terror.

And when you think about what our mission is, I want to jump into that, because I think it reflect on the question you’re asking.

You know, my first responsibility to the American people is to defend this nation. And when you think about it, defending the nation, let’s look back at 9/11 and what happened.

The intel community failed to connect the dots in 9/11. And much of what we’ve done since then were to give us the capabilities — and this is the business record FISA, what’s sometimes called Section 215 and the FAA 702 — two capabilities that help us connect the dots.

The reason I bring that up is that these are two of the most important things from my perspective that helps us understand what terrorists are trying to do. And if you think about that, what Snowden has revealed has caused irreversible and significant damage to our country and to our allies.

When — on Friday, we pushed a Congress over 50 cases where these contributed to the understanding and, in many cases, disruptions of terrorist plots.

Steph persists with his original question and gets Alexander to repeat that they’ve “changed the passwords” at NSA to prevent others from leaking.

Steph then asks Alexander about Snowden’s leaks of details on our hacking of China (note, no one seems to be interested in this article, which is just as revealing about our hacking of China as Snowden’s revelations).

Note how, even here, Alexander says our intelligence collection in China is about terrorism.

STEPHANOPOULOS: In the statement that Hong Kong put out this morning, explaining why they allowed Snowden to leave, they also say they’ve written to the United States government requesting clarification on the reports, based on Snowden’s information, that the United States government attacked (ph) computer systems in Hong Kong.

He said that the NSA does all kinds of things like hack Chinese cell phone companies to steal all of your SMS data.

Is that true?

ALEXANDER: Well, we have interest in those who collect on us as an intelligence agency. But to say that we’re willfully just collecting all sorts of data would give you the impression that we’re just trying to canvas the whole world.

The fact is what we’re trying to do is get the information our nation needs, the foreign intelligence, that primary mission, in this case and the case that Snowden has brought up is in defending this nation from a terrorist attack.

Alexander then shifts the issue and suggests we’re collecting on China because it is collecting on us.

Now we have other intelligence interests just like other nations do. That’s what you’d expect us to do. We do that right. Our main interest: who’s collecting on us?

Alexander next goes on to answer Steph’s question about whether we broke Hong Kong law by saying this hacking doesn’t break our law. Read more

The CNET “Bombshell” and the Four Surveillance Programs

CNET is getting a lot of attention for its report that NSA, “has acknowledged in a new classified briefing that it does not need court authorization to listen to domestic phone calls.”

In general, I’m just going to outsource my analysis of what the exchange means to Julian Sanchez (I hope he doesn’t charge me as much as Mike McConnell’s Booz Allen Hamilton for outsourced analysis).

What seems more likely is that Nadler is saying analysts sifting through metadata have the discretion to determine (on the basis of what they’re seeing in the metadata) that a particular phone number or e-mail account satisfies the conditions of one of the broad authorizations for electronic surveillance under §702 of the FISA Amendments Act.

[snip]

The analyst must believe that one end of the communication is outside the United States, and flag that account or phone line for collection. Note that even if the real target is the domestic phone number, an analyst working from the metadatabase wouldn’t have a name, just a number.  That means there’s no “particular, known US person,” which ensures that the §702 ban on “reverse targeting” is, pretty much by definition, not violated.

None of that would be too surprising in principle: That’s the whole point of §702!

That is, what Nadler may have learned that the same analysts who have access to the phone metadata may also have authority to issue directives to companies for phone content collection. If so, it would be entirely feasible for the same analyst to learn, via the metadata database, that a suspect phone number is in contact with the US and for her to submit a request for actual content to the providers, without having to first get a FISA order covering the US person callers directly. Since she was still “targeting” the original overseas phone number, she would be able to get the US person content without a specific order.

Screen shot 2013-06-16 at 11.50.59 AMI just want to point to a part of this exchange that everyone is ignoring (but that I pointed out while live tweeting this).

Mueller: I’m not certain it’s the same–I’m not certain it’s an answer to the same question.

Mueller didn’t deny the NSA can get access to US person phone content without a warrant. He just suggested that Nadler might be conflating two different programs or questions.

And that’s one of the things to remember about this discussion. Among many other methods of shielding parts of the programs, the government is thus far discussing primarily the two programs identified by the Guardian: the phone metadata collection (which the WaPo reports is called MAINWAY) and the Internet content access (PRISM).

Read more

Russ Feingold: Yahoo Didn’t Get the Info Needed to Challenge the Constitutionality of PRISM

The NYT has a story that solves a question some of us have long been asking: Which company challenged a Protect America Act order in 2007, only to lose at the district and circuit level?

The answer: Yahoo.

The Yahoo ruling, from 2008, shows the company argued that the order violated its users’ Fourth Amendment rights against unreasonable searches and seizures. The court called that worry “overblown.”

But the NYT doesn’t explain something that Russ Feingold pointed out when the FISA Court of Review opinion was made public in 2009 (and therefore after implementation of FISA Amendments Act): the government didn’t (and still didn’t, under the PAA’s successor, the FISA Amendments Act, Feingold seems to suggests) give Yahoo some of the most important information it needed to challenge the constitutionality of the program.

The decision placed the burden of proof on the company to identify problems related to the implementation of the law, information to which the company did not have access. The court upheld the constitutionality of the PAA, as applied, without the benefit of an effective adversarial process. The court concluded that “[t]he record supports the government. Notwithstanding the parade of horribles trotted out by the petitioner, it has presented no evidence of any actual harm, any egregious risk of error, or any broad potential for abuse in the circumstances of the instant case.” However, the company did not have access to all relevant information, including problems related to the implementation of the PAA. Senator Feingold, who has repeatedly raised concerns about the implementation of the PAA and its successor, the FISA Amendments Act (“FAA”), in classified communications with the Director of National Intelligence and the Attorney General, has stated that the court’s analysis would have been fundamentally altered had the company had access to this information and been able to bring it before the court.

In the absence of specific complaints from the company, the court relied on the good faith of the government. As the court concluded, “[w]ithout something more than a purely speculative set of imaginings, we cannot infer that the purpose of the directives (and, thus, of the surveillance) is other than their stated purpose… The petitioner suggests that, by placing discretion entirely in the hands of the Executive Branch without prior judicial involvement, the procedures cede to that Branch overly broad power that invites abuse. But this is little more than a lament about the risk that government officials will not operate in good faith.” One example of the court’s deference to the government concerns minimization procedures, which require the government to limit the dissemination of information about Americans that it collects in the course of its surveillance. Because the company did not raise concerns about minimization, the court “s[aw] no reason to question the adequacy of the minimization protocol.” And yet, the existence of adequate minimization procedures, as applied in this case, was central to the court’s constitutional analysis. [bold original, underline mine]

This post — which again, applies to PAA, though seems to be valid for the way the government has conducted FAA — explains why.

The court’s ruling makes it clear that PAA (and by association, FAA) by itself is not Constitutional. By itself, a PAA or FAA order lacks both probable cause and particularity.

The programs get probable cause from Executive Order 12333 (the one that John Yoo has been known to change without notice), from an Attorney General assertion that he has probable cause that the target of his surveillance is associated with a foreign power.

And the programs get particularity (which is mandated from a prior decision from the court, possibly the 2002 one on information sharing) from a set of procedures (the descriptor was redacted in the unsealed opinion, but particularly given what Feingold said, it’s likely these are the minimization procedures both PAA and FAA required the government to attest to) that give it particularity. The court decision makes it clear the government only submitted those — even in this case, even to a secret court — ex parte.

The petitioner’s arguments about particularity and prior judicial review are defeated by the way in which the statute has been applied. When combined with the PAA’s other protections, the [redacted] procedures and the procedures incorporated through the Executive Order are constitutionally sufficient compensation for any encroachments.

The [redacted] procedures [redacted] are delineated in an ex parte appendix filed by the government. They also are described, albeit with greater generality, in the government’s brief. [redacted] Although the PAA itself does not mandate a showing of particularity, see 50 USC 1805b(b), this pre-surveillance procedure strikes us as analogous to and in conformity with the particularity showing contemplated by Sealed Case.

In other words, even the court ruling makes it clear that Yahoo saw only generalized descriptions of these procedures that were critical to its finding the order itself (but not the PAA in isolation from them) was constitutional.

Incidentally, while Feingold suggests the company (Yahoo) had to rely on the government’s good faith, to a significant extent, so does the court. During both the PAA and FAA battles, the government successfully fought efforts to give the FISA Court authority to review the implementation of minimization procedures.

The NYT story suggests that the ruling which found the program violated the Fourth Amendment pertained to FAA.

Last year, the FISA court said the minimization rules were unconstitutional, and on Wednesday, ruled that it had no objection to sharing that opinion publicly. It is now up to a federal court.

I’m not positive that applies to FAA, as distinct from the 215 dragnet or the two working in tandem.

But other reporting on PRISM has made one thing clear: the providers are still operating in the dark. The WaPo reported from an Inspector General’s report (I wonder whether this is the one that was held up until after FAA renewal last year?) that they don’t even have visibility into individual queries, much less what happens to the data once the government has obtained it.

But because the program is so highly classified, only a few people at most at each company would legally be allowed to know about PRISM, let alone the details of its operations.

[snip]

According to a more precise description contained in a classified NSA inspector general’s report, also obtained by The Post, PRISM allows “collection managers [to send] content tasking instructions directly to equipment installed at company-controlled locations,” rather than directly to company servers. The companies cannot see the queries that are sent from the NSA to the systems installed on their premises, according to sources familiar with the PRISM process. [my emphasis]

This gets to the heart of the reason why Administration claims that “the Courts” have approved this program are false. In a signature case where an Internet provider challenged it — which ultimately led the other providers to concede they would have to comply — the government withheld some of the most important information pertaining to constitutionality from the plaintiff.

The government likes to claim this is constitutional, but that legal claim has always relied on preventing the providers and, to some extent, the FISA Court itself from seeing everything it was doing.

Sheldon Whitehouse: Cybertheft Is [May Be] Biggest Transfer of Wealth in History

In an attempt to scare Congress into passing the cybersecurity legislation they failed to pass last year, Sheldon Whitehouse scheduled a hearing on cybersecurity today. In the hearing — and in this op-ed he penned with Lindsey Graham — he repeated a claim he has made before: cybertheft may be the biggest “illicit” transfer of wealth in history.

Almost every facet of American life is threatened when intruders exploit our cyber-vulnerabilities. And the risk is not from China alone. Foreign governments such as Iran and terrorist groups such as al-Qaida seek to worm into national infrastructure and threaten catastrophe here at home. Foreign agents raid companies, stealing plans, formulas and designs. Foreign criminal networks take money out of banks, defraud consumers with scams and sell illicit goods and products, cheating U.S. manufacturers. It may be the greatest illicit transfer of wealth in history. [my emphasis]

I think in the hearing itself, Whitehouse wasn’t as careful to always use that word “might.”

The greatest illicit transfer of wealth in history.

Don’t get me wrong: cyberattacks of all sorts are a real threat. They cost consumers a great deal of inconvenience and, at times, lots of money. They cost defense contractors far more (though of course, some of that is built into our model of defense). They cost sloppy companies as well.

But the biggest illicit transfer of wealth in history?

Ignore recent unpunished giant transfers of wealth in the wake of the financial crisis, which the Senate Judiciary Committee has largely ignored.

I guess the reason I find this so stunning is all the obviously huge transfers of wealth it ignores that were part of slavery and colonization.

Were those licit?

Those were, like Chinese or Iranian or Russian cyberattacks on the US, examples of states (and private entities) taking advantage of vulnerabilities elsewhere. They were certainly considered legitimate at the time, because Europeans got to write the history of colonization, and because they made up claptrap about “civilization” to justify it. But from a distance they look more like the kind of exploitation states often engage in if they’ve got an obvious advantage over another state or organization.

All that’s not to say Montezuma shouldn’t have resisted the Spaniards. That’s not to say we shouldn’t defend against cyberattacks.

But what really makes the US so vulnerable to cyberattacks are 1) that we’re so reliant on the Internet and 2) we’re so reliant on intellectual property (indeed, the very claim that cybertheft is the biggest transfer of wealth relies on a certain understanding of IP as wealth that itself depends on a legal infrastructure that is contingent on our relative world power). And also that so much of our critical infrastructure and IP holders are in private hands and therefore much harder to demand diligence from. That is, our vulnerability to cyberattacks is in part a fragility of our own bases for power (a vulnerability that will probably end up being less lethal than the fact that the immune systems of indigenous peoples hadn’t been exposed to European diseases).

Also, this entire discussion — which danced around the question of an international regime that might limit such attacks — completely ignored the StuxNet attack, the fact that a nation as vulnerable as we are pushed the limits of the offensive capability first. One of the witnesses (I think FBI Assistant Director Jonathan Demarast) even suggested that if our government were chartered to attack the private sector (cough, Echelon) of other countries we’d be damn good at it too — as if our attacks on the public infrastructure of Iran doesn’t count.

I get the value of a good fear campaign (I wish Whitehouse would fearmonger more in his regular addresses on climate change). But there’s fearmongering and there’s absurdity. And I think suggesting that cybertheft is worse than the stealing of entire continents is the latter.

Dick Durbin: The Targeted Killing Memo Is Like the Torture and Illegal Wiretap Memos

It took transcribing the debate in the July 19 Senate Judiciary Committee hearing for me to realize it, but Democrats are running very serious interference to keep the Anwar al-Awlaki targeted killing memo secret. Not only did Dianne Feinstein basically roll John Cornyn, telling him she’d introduce language that would accomplish his goal of getting all the oversight committees the memo when, if hers passes, it will only, maybe, get the Intelligence Committee the memo.  Not only did the Democrats vote on a party line vote to table John Cornyn’s amendment to require the Administration to share it–in classified or unclassified form–with the Judiciary and Armed Services Committees. Not only did Pat Leahy get pretty snippy with Cornyn for offering–and asking to speak on–the Amendment.

Most stunning, though, is Dick Durbin’s comment on it.

Durbin: Thank you Mr. Chairman. My staff briefed me of this on the way in, and I asked the basic question, “would I ask this of a Republican President? Of course. And I did ask it, in a different context, of the previous President, when it came to questions of interrogation, torture, and surveillance. I might say to the Senator from Texas I had no support from the other side of the table when I made that request. But I do believe it is a valid inquiry and I would join the Senator from Texas and any who wish in sending a letter to the Attorney General asking for this specific information on a bipartisan basis. And certainly we can raise it the next time the Attorney General appears before us. I do have to say that I’m going to vote to table because I think that as flawed as this [the FAA extension] may be without the Lee Amendment which I think would help it, I do believe we need to pass this and  bringing in these other matters are going to jeopardize it. But I think it is a legitimate question to be asked of Presidents of either party, and I will join you in a letter to this President and his Attorney General for that purpose. [my emphasis]

This partisan retort (one Leahy repeated) says, in part, that the Democrats aren’t going to cooperate with Cornyn’s effort to get the memo because Cornyn didn’t cooperate with Durbin’s efforts to get the torture and illegal wiretap memos. Durbin and Leahy are right: Cornyn and the rest of the Republican party did obstruct their efforts.

That doesn’t make obstructing Cornyn’s effort right, of course, particularly given that Durbin purports to support Cornyn’s intent.

But remember, Republicans obstructed the release of the torture and illegal wiretap memos because, well, they showed the Executive had broken the law. When we all got to see the torture memos, they made it clear CIA had lied to DOJ to get authorization for torture, had exceeded the authorizations given to them, had engaged in previously unimagined amounts of torture, and had ignored legal precedent to justify it all.

And while we’ve only ever seen part of Jack Goldsmith’s illegal wiretap memo (after the Bush Administration purportedly fixed the data mining and other illegal problems with it) and a teeny fragment of an earlier John Yoo memo, those showed that Yoo relied on gutting the Fourth Amendment, there is an additional secret memo on information sharing, they were hiding their flouting of the exclusivity provision, and–possibly–the illegal wiretap program violated an earlier decision from the FISA Court of Review. We also learned, through some Sheldon Whitehouse persistence, that these memos revealed the President had been pixie dusting Executive Orders and claiming the right to interpret the law for the Executive Branch.

The Republicans had good reason to want to help Bush bury these memos, because they showed breathtaking efforts on the part of the Bush Administration to evade the law.

And that’s the fight that Dick Durbin analogized this one to.

Sheldon Whitehouse Confirms FISA Amendments Act Permits Unwarranted Access to US Person Content

In the Senate Judiciary Committee’s markup of the FISA Amendments Act, Mike Lee, Dick Durbin, and Chris Chris Coons just tried, unsuccessfully, to require the government to get a warrant before it searched US person communications collected via the targeting of non-US person under the FISA Amendments Act. It was, as Dianne Feinstein said, not dissimilar from an amendment Ron Wyden and Mark Udall had tried to pass when FAA was marked up before the Senate Intelligence Committee.

The debate revealed new confirmation that the government is wiretapping American citizens in the guise of foreign surveillance.

DiFi argued that the amendment would have impeded the government to pursue Nidal Hassan by delaying the time when they could have reviewed his communication (presumably with Anwar al-Awlaki). Of course, the amendment included an emergency provision that would have permitted such a search after the effect.

More telling, though, was Whitehouse’s response. He referred back to his time using warrants as a US Attorney, and said that requiring a warrant to access the US person communication would “kill this program,” and that to think warrants “fundamentally misapprehends the way in which this program operates.”

Now, I’d be more sympathetic to Whitehouse here if, back when this bill was originally argued, his amendments requiring FISC oversight of minimization after the fact had passed. They didn’t. To make things worse, though Leahy repeatedly talked about Inspector General reporting overdue on this program, Congress is not going to wait for these reports before they extend the program for another three years, at least. So Whitehouse’s assurances that we can trust minimization to protect US person privacy seems badly misplaced.

In any case, this represents an admission, as strong as any we’ve seen, that this program is entirely about collecting the US person communication of those who communicate with people (DiFi used the term “person of interest,” which I had not heard before) overseas.

Update: Updated to explain this came in a markup hearing. Thanks to Peterr for pointing out my oversight on that point.

Udall Amendment Fails 37-61

In the battle of two wrong sides, the Democrats lost, with the Udall Amendment failing 37-61. The vote is interesting, first of all, as a read of Obama’s ability to sustain a veto. Right now, the militarists do not have a two-thirds majority to override.

Also of interest are some of the Democrats voting against the Udall Amendment, most notably Sheldon Whitehouse.

Rand Paul and Mark Kirk are the only two Republicans to vote in favor of Udall.

I’ll have a more complete discussion of the vote count shortly.

Update: Here’s the roll call. The Dems voting against are:

  • Casey
  • Conrad
  • Hagan*
  • Inouye
  • Kohl
  • Landrieu
  • Levin*
  • Lieberman*
  • Manchin*
  • McCaskill*
  • Menendez
  • Bad Nelson*
  • Pryor
  • Reed*
  • Shaheen*
  • Stabenow
  • Whitehouse

I’m interested in the way the Dem SASC members voted. I’ve put asterisks next to those people above; SASC members voting for Udall’s Amendment are Udall himself, Akaka, Webb, Gillibrand, and Blumenthal. Begich did not vote.

Update: Ron Paul corrected to Rand per skinla.

Does Treasury Believe Spreading Our Flawed Banking System Is a Solution to Terrorism?

Sheldon Whitehouse had a hearing on terrorist finance the other day. There was an interesting exchange that I think bears notice.

The hearing focused, in part, on hawalas, not least because DOJ recently prosecuted Mohammad Younis, the guy whose hawala Faisal Shahzad used to fund his terrorist attempt. Richard Blumenthal suggested (around 75:50 and following) that that funding may have come from Pakistani authorities (implicitly, the ISI). The FBI’s acting head of counterterrorism wouldn’t answer a question about that in public session.

A more interesting response came from Treasury’s Assistant Secretary for Terrorist Financing, Daniel Glaser. Sheldon Whitehouse asked him (at 92:50 and following) whether we were making progress on solving the problem hawalas create for counterterrorism efforts. Here’s my transcription of Glaser’s response:

Daniel Glaser: The reason hawala and other forms of informal remittances and informal money services exist is because there’s large communities around the world that don’t have access to formal financial services or affordable financial services. So the long-term quote-unquote solution to hawala is a generational one and it is about building an international financial system that everybody around the world has access to. Now, since that’s a long-term solution, we need to address the problem in a shorter term way as well.

[snip]

The way we try to approach it beyond the long term effort to make financial services available to everybody is regulatory prong, enforcement, international standards, and general economic development.

While Glaser described a four-pronged approach in his written testimony (and described in more detail in the parts of his response that I’ve snipped), he said the ultimate solution would come when international financial services were available to everyone.

So the way to solve terrorism, then, is to make sure everyone banks at Jamie Dimon’s bank?

That’s an exaggeration, of course. And unless and until bankers get squeamish about the way the US government is accessing SWIFT, integrating everyone into the formal finance system would give counterterrror investigators transparency into terror financing. But given the state of the banking system–given how much more damage the international financial system has done to the world in the last decade than terrorism (leaving aside the effect of couter-terrorism and false counter-terrorism, like the Iraq War) it troubles me that a high ranking Treasury Department official believes one solution to terrorism is modern banking.

Now Glaser strikes me as an incredibly intelligent and sincere guy–coming from him this “generational solution” sounded like a completely sincere idea. So while this comment made my spidey sense tingle, it didn’t in the way it would have if, say, TurboTax Timmeh Geithner had said it.

Nevertheless, here are some issues it raises.

Read more

DiFi’s Secret Law

Steven Aftergood linked to this colloquy on the PATRIOT Act which reveals a lot about Ron Wyden and Mark Udall’s efforts to force the government to admit how it’s suveilling Americans. The colloquy basically puts not just the agreement, but the circumstances that went into the agreement, into the Congressional record.

After some Senatorial blathering (mostly Wyden and Udall talking about how swell DiFi is for making this agreement), DiFi starts the colloquy by describing a meeting the night before (that is, on Wednesday night) between her, Wyden, Udall, Jeff Merkley, and Sheldon Whitehouse.

Mrs. FEINSTEIN. Mr. President, I wish to thank both Senator Wyden and Senator Udall for their comments. We did have a meeting last night. We did discuss this thoroughly. The decision was that we would enter into this colloquy, so I will begin it, if I may.

These Senators and I, along with the junior Senator from Oregon, Mr. Merkley, the Senator from Colorado, Mr. Mark Udall, and the Senator from Rhode Island, Mr. Whitehouse met last night to discuss this amendment, the legal interpretation of the Foreign Intelligence Surveillance Act provisions and how these provisions are implemented.

Note the presence of Merkley and Whitehouse, which I’ll return to.

DiFi then talks about how great the collection program in question is.

I very much appreciate the strong views Senator Wyden and Senator Udall have in this area, and I believe they are raising a serious and important point as to how exactly these authorities are carried out. I believe we are also all in agreement that these are important counterterrorism authorities and have contributed to the security of our Nation.

At which point Wyden interrupts and basically says (still speaking in Senate blather, mind you), “um, no.”

Mr. President, I have enormous respect for my special friend from California, the distinguished chairwoman of the Intelligence Committee. I have literally sat next to her for more than a decade. We agree on virtually all of these issues, but this is an area where we have had a difference of opinion.

Wyden and Udall basically both then repeat their warnings about how the government is doing something with PATRIOT not explicitly supported by the law. At which point DiFi pipes up to say, alright already, I’ve conceded you have a point but don’t talk about this here! Talk about it in my secret committee!

Mrs. FEINSTEIN. Mr. President, if I may respond, I have agreed that these are important issues and that the Intelligence Committee, which is charged with carrying out oversight over the 16 various intelligence agencies of what is called the intelligence community, should be carried out forthrightly. I also believe the place to do it is in the Intelligence Committee itself.

At which point she lays out the terms of the agreement: the Senate Intelligence Committee will have a hearing on the secret law right after the Memorial Day break, and if the Committee agrees to make a fix, they will amend the Intelligence Authorization.

I have said to these distinguished Senators that it would be my intention to call together a hearing as soon as we come back from the Memorial Day break with the intelligence community agencies, the senior policymakers, and the Department of Justice to make sure the committee is comfortable with the FISA programs and to make changes if changes are needed. We will do that.

So it would be my intention to have these hearings completed before the committee considers the fiscal year 2012 intelligence authorization bill so that any amendments to FISA can be considered at that time.

The fact is, we do not usually have amendments to the intelligence authorization bill, but I believe the majority leader will do his best to secure a future commitment if such is needed for a vote on any amendment. I have not agreed to support any amendment because at this stage it is hypothetical, and we need to look very deeply into what these Senators have said and pointed out last night with specificity and get the response to it from the intelligence committee, have both sides hear it, and then make a decision that is based not only on civil liberties but also on the necessity to keep our country safe. I believe we can do that.

Note DiFi’s mention of “specificity,” which I’ll return to.

After DiFi finishes, Wyden pipes in to say that if the Intelligence Committee doesn’t decide to make a fix, then Harry Reid has promised that Wyden and Udall can introduce their amendment on a different bill, one DiFi doesn’t have control over.

Senator Udall and I have discussed this issue with Senator Reid. Senator Reid indicated to the chairwoman and myself and Senator Udall that we would have an opportunity through these hearings–and, of course, any amendments to the bill would be discussed on the intelligence authorization legislation, which is a matter that obviously has to be classified–but if we were not satisfied, if we were not satisfied through that process, we would have the ability to offer an amendment such as our original one on the Senate floor.

Read more

Did Thomas Drake Include Privacy Concerns in His Complaints to DOD’s Inspector General?

I’ve been reviewing the docket on Thomas Drake’s case to see whether it touches on the privacy concerns Drake had about NSA’s post-9/11 activities.

It appears it doesn’t, even while there was an ongoing dispute about whether or not Drake will have access to the materials he submitted to the DOD Inspector General in support of claims that the ThinThread program operated more effectively than the Trailblazer program that Michael Hayden chose to enrich SAIC with instead (the Judge ruled that material would be admissible, but not a formal whistleblower defense, which Drake wasn’t trying to do anyway).

There are a couple of reasons why the silence, in the legal filings, about privacy concerns is interesting (aside from the fact that it’s a focus of Jane Mayer’s article.

First, because the two-sentence summary of the conclusion of the DOD IG Report on Trailblazer and ThinThread that the defense provides in a filing doesn’t address privacy.

In 2004, after more than a year of fact-finding, the Inspector General issued its initial audit findings. In a report entitled, “Requirements for the Trailblazer and Thinthread Systems,” the auditors concluded that “the National Security Agency is inefficiently using resources to develop a digital network exploitation system that is not capable of fully exploiting the digital network intelligence available to analysts from the Global Information Network . . . (T)he NSA transformation effort may be developing a less capable long-term digital network exploitation solution that will take longer and cost significantly more to develop.” The NSA continued to support the “less capable” program and its successor.

Which suggests the IG Report may not have addressed the claim that, in addition to being less efficient at “connecting the dots” than ThinThread, Trailblazer also offered none of the privacy protections ThinThread had.

That’s important because the government argued that Drake couldn’t claim to be a whistleblower because, by 2007, the issues at hand were resolved. They’re arguing both that any whistleblower claims would be mooted because Turbulence, Trailblazer’s successor, integrated “significant portions” of ThinThread, and that the debate was “over” by 2007, when Drake was (according to the indictment) serving as a source for Baltimore Sun reporter Siobhan Gorman.

In or about December 2004, the DOD IG completed its audit of [Trailblazer], including the allegations raised in the complaint letter. The NSA responded in August 2004 and February 2005, stating that based on the judgments of NSA’s experienced technical experts, the allegations were unfounded. Nonetheless, NSA agreed to incorporate significant portions of [ThinThread] into [Trailblazer] as a result of the DOD IG recommendations, thus largely mooting the issues raised in the complaint. In addition, starting in late 2005 and early 2006, the NSA transitioned away from [Trailblazer] to [Turbulence], another corporate architecture solution for Signals Intelligence collection.

[snip]

Just as importantly, by 2007, the timeframe of the charges in this case, there was no imminent harm faced by the defendant, because [Trailblazer] had incorporated elements of [ThinThread], and also because NSA had transitioned away from [Trailblazer] to [Turbulence].

[snip]

The defendant’s actions had no impact in the debate regarding the efficacy of [Trailblazer and ThinThread], because NSA had begun transitioning to [Turbulence] by 2006. Put simply, the debate was over.

There’s a lot going on in this passage. Obviously, the government is trying to claim that since Drake was allegedly collecting information for Gorman in 2007, he couldn’t claim he was whistleblowing.

Mind you he was not claiming he was whistleblowing, in the legal sense. He was only trying to get the IG materials to prove that’s why he collected three of the documents he’s accused of willingly keeping; basically, he’s arguing that if he overlooked three documents out of 5 boxes worth originally collected for the IG–and did not retain the really classified materials–that he basically just overlooked the three documents, rather than willfully retained them.

And the government is playing funny with dates. After all, they say Drake served as a source for Gorman from February 27, 2006, to November 28, 2007. The key story about ThinThread Drake served as a source for was dated May 18, 2006. And one of the charges accuses Drake of obstruction for shredding other documents. So not only is the 2007 date bogus because it igonores debates ongoing in 2006, but the government suggests that either Drake would be guilty for illegally retaining information, or obstructing an investigation. Moreover, Drake maintains he inadvertently included the three IG-related documents in the several boxes of unclassified materials, so the fact the debate was over is pointless.

Moreover, the successor to Trailblazer, Turbulence, was suffering from the same management problems Trailblazer had, as the defense notes just after citing the IG Report. The government wants to pretend the shift from Trailblazer to Turbulence ended the complaints about management problems, but it didn’t.

But then there’s the way the government portrays the IG complaint: efficacy. As I laid out the other day, there are four ways, Gorman’s sources claim, that ThinThread was better than Trailblazer:

The program the NSA rejected, called ThinThread, was developed to handle greater volumes of information, partly in expectation of threats surrounding the millennium celebrations. Sources say it bundled together four cutting-edge surveillance tools. ThinThread would have:

* Used more sophisticated methods of sorting through massive phone and e-mail data to identify suspect communications.

* Identified U.S. phone numbers and other communications data and encrypted them to ensure caller privacy.

* Employed an automated auditing system to monitor how analysts handled the information, in order to prevent misuse and improve efficiency.

* Analyzed the data to identify relationships between callers and chronicle their contacts. Only when evidence of a potential threat had been developed would analysts be able to request decryption of the records.

In other words, privacy was just one of three ways ThinThread was better than Trailblazer, according to Gorman’s sources.

But that’s not the aspect the government seems to address. That is, the government seems to be saying that, because Turbulence adopted some of the approaches of ThinThread that made it more efficient at analysis, Drake can’t complain. The suggestion is (though we can’t know because of the secrecy) privacy is not, like efficacy, an adequate reason to blow the whistle. Neither privacy, nor the Constitution.

And that’s interesting for two more reasons. First, because the government references a notebook of documents Drake provided that had nothing to do with the IG Report.

There was, for example, a notebook of documents provided by the defendant, many of which had nothing to do with the IG’s audit, but this notebook was destroyed before the case began, and after the IG completed its audit.

Is it playing games with the scope of the audit? That is, did Drake provide materials on privacy, which the IG didn’t include within the scope of its report? If so, the IG’s destruction of the notebook, in violation of DOD’s document retention policy, is all the more interesting.

Then, finally, the debates about privacy continued into 2007 and 2008. In August 2007, specifically, Mike McConnell nixed a Democratic version of the Protect America Act because it required the government to tell FISA judges what the plan for minimizing US person data is and allowed the judges to review for compliance. Debates on how to fix PAA continued throughout the fall and into the following year, with Russ Feingold and Sheldon Whitehouse both trying to make real improvements on the minimization requirements.

The government seems to want to say that Drake’s privacy concerns aren’t a valid whistleblowing concern. Because, I guess, government officials aren’t allowed to whistleblow about citizens’ rights.