The NSA’s Retroactive Discovery of Tamerlan Tsarnaev

In the days after the Boston Marathon attack last year, NSA made some noise about expanding its domestic surveillance so as to prevent a similar attack.

But in recent days, we’ve gotten a lot of hints that NSA may have just missed Tamerlan Tsarnaev.

Consider the following data points.

First, in a hearing on Wednesday, Intelligence Community Inspector General Charles McCullough suggested that the forensic evidence found after the bombing might have alerted authorities to Tamerlan Tsarnaev’s radicalization.

Senator Tom Carper: If the Russians had not shared their initial tip, would we have had any way to detect Tamerlan’s radicalization?

[McCullough looks lost.]

Carper: If they had not shared their original tip to us, would we have had any way to have detected Tamerlan’s radicalization? What I’m getting at here is just homegrown terrorists and our ability to ferret them out, to understand what’s going on if someone’s being radicalized and what its implications might be for us.

McCullough: Well, the Bureau’s actions stemmed from the memo from the FSB, so that led to everything else in this chain of events here. You’re saying if that memo didn’t exist, would he have turned up some other way? I don’t know. I think, in the classified session, we can talk about some of the post-bombing forensics. What was found, and that sort of thing. And you can see when that radicalization was happening. So I would think that this would have come up, yes, at some point, it would have presented itself to law enforcement and the intelligence community. Possibly not as early as the FSB memo. It didn’t. But I think it would have come up at some point noting what we found post-bombing.

Earlier in the hearing (around 11:50), McCullough described reviewing evidence “that was within the US government’s reach before the bombing, but had not been obtained, accessed, or reviewed until after the bombing” as part of the IG Report on the attack. So some of this evidence was already in government hands (or accessible to it as, for example, GCHQ data might be).

We know some of this evidence not accessed until after the bombing was at NSA, because the IG Report says so. (See page 20)

That may or may not be the same as the jihadist material Tamerlan posted to YouTube in 2012, which some agency claims could have been identified as Tamerlan even though he used a pseudonym for some of the time he had the account.

The FBI’s analysis was based in part on other government agency information showing that Tsarnaev created a YouTube account on August 17, 2012, and began posting the first of several jihadi-themed videos in approximately October 2012. The FBI’s analysis was based in part on open source research and analysis conducted by other U.S. government agencies shortly after the bombings showing that Tsarnaev’s YouTube account was created with the profile name “Tamerlan Tsarnaev.” After reviewing a draft of this report, the FBI commented that Tsarnaev’s YouTube display name changed from “muazseyfullah” to “Tamerlan Tsarnaev” on or about February 12, 2013, and suggested that therefore Tsarnaev’s YouTube account could not be located using the search term “Tamerlan Tsarnaev” before that date.20 The DOJ OIG concluded that because another government agency was able to locate Tsarnaev’s YouTube account through open source research shortly after the bombings, the FBI likely would have been able to locate this information through open source research between February 12 and April 15, 2013. The DOJ OIG could not determine whether open source queries prior to that date would have revealed Tsarnaev to be the individual who posted this material.

20 In response to a DOJ OIG request for information supporting this statement, the FBI produced a heavily redacted 3-page excerpt from an unclassified March 19, 2014, EC analyzing information that included information about Tsarnaev’s YouTube account. The unredacted portion of the EC stated that YouTube e-mail messages sent to Tsarnaev’s Google e-mail account were addressed to “muazseyfullah” prior to February 12, 2013, and to “Tamerlan Tsarnaev” beginning on February 14, 2013. The FBI redacted other information in the EC about Tsarnaev’s YouTube and Google e-mail accounts.

The FBI may not have been able to connect “muazseyfullah” with Tamerlan, but that’s precisely what the NSA does with its correlations process; it has a database that does just that (though it’s unclear whether it would have collected this information, especially given that it postdated the domestic Internet dragnet being shut down).

Finally, there’s the matter of the Anwar al-Awlaki propaganda.

An FBI analysis of electronic media showed that the computers used by Tsarnaev contained a substantial amount of jihadist articles and videos, including material written by or associated with U.S.-born radical Islamic cleric Anwar al-Aulaqi. On one such computer, the FBI found at least seven issues of Inspire, an on-line English language magazine created by al-Aulaqi. One issue of this magazine contained an article entitled, “Make a Bomb in the Kitchen of your Mom,” which included instructions for building the explosive devices used in the Boston Marathon bombings.

Information learned through the exploitation of the Tsarnaev’s computers was obtained through a method that may only be used in the course of a full investigation, which the FBI did not open until after the bombings.

The FBI claims they could only find the stuff on Tamerlan’s computer using methods available in full investigations (this makes me wonder whether the FBI uses FISA physical search warrants to remotely search computer hard drives).

But that says nothing about what NSA (or even FBI, back in the day when they had the full time tap on Awlaki, though it’s unclear what kind of monitoring of his content they’ve done since the government killed him) might have gotten via a range of means, including, potentially, upstream searches on the encryption code for Inspire.

In other words, there’s good reason to believe — and the IC IG seems to claim — that the government had the evidence to know that Tamerlan was engaging in a bunch of reprehensible speech before he attacked the Boston Marathon, but they may not have reviewed it.

Let me be clear: it’s one thing to know a young man is engaging in reprehensible but purportedly protected speech, and another to know he’s going to attack a sporting event.

Except that this purportedly protected speech is precisely — almost exactly — the kind of behavior that has led FBI to sic multiple informants and/or undercover officers on other young men, including Adel Daoud and Mohamed Osman Mohamud, even in the absence of a warning from a foreign government.

And they didn’t here.

Part of the issue likely stems from communication failures between FBI and NSA. The IG report notes that “the relationship between the FBI and the NSA” was one of the most relevant relationships for this investigation. Did FBI (and CIA) never tell the NSA of the Russian warning? And clearly they never told NSA of his travel to Russia.

But part of the problem likely stems from the way NSA identifies leads — precisely the triaging process I examined here. That is, NSA is going to do more analysis on someone who communicates with people who are already targeted. Obviously, the ghost of Anwar al-Awlaki is one of the people targeted (though the number of young men who have Awlaki’s propaganda is likely huge, making that a rather weak identifier). The more interesting potential target would be William Plotnikov, the Canadian-Russian boxer turned extremist whom Tamerlan allegedly contacted in 2012 (and it may be this communication attempt is what NSA had in its possession but did not access until after the attacks). But I do wonder whether the NSA didn’t prioritize similar targets in countries of greater focus, like Yemen and Somalia.

It’d be nice to know the answer to these questions. It ought to be a central part of the debate over the NSA and its efficacy or lack thereof. But remember, in this case, the NSA was specifically scoped out of the heightened review (as happened after 9/11, which ended up hiding the good deal of warning the NSA had before the attack).

We’ve got a system that triggers on precisely the same kind of speech that Tamerlan Tsarnaev engaged in before he attacked the Marathon. But it didn’t trigger here.

Why not?

3 Different Inspectors General Say There Is More, Secret, Information on the Tsarnaev Brothers’ Mother

The Senate Homeland Security Committee is having a hearing on the joint IG Report on the Boston Marathon attack.

Most of the questions will be in closed session, including one Tom Coburn plans to ask about whether the government tracks the travel of people who have received asylum from places and then travel back to those places. (See after 25:00)

At least as interesting a question — another that was largely deferred for closed session — came from Tom Carper. (after 36:25) He asked if there was more information on Zubeidat Tsarnaev that might have led the government to find the attack — and the FBI, IC, and CIA Inspectors General confirmed there was.

Senator Tom Carper: I want to be sensitive to what you can say in a public setting and what you can’t. But I have a couple of questions that relate to Mrs. Tsarnaev, and to the extent that you discuss her that you can share with us in a public setting. I have a couple of specific questions but is there any more general comments that you would like to make about how you address her role in all this that you can share in a public setting?

[Watch David Buckley, CIA’s IG, immediately consulting with his aide in response to this question.]

DOJ IG Michael Horowitz: The one thing that I can say from the standpoint that we looked at, the lead information included information about her, not just Tamerlan. The judgement was made to only look at — to only open on Tamerlan. But we found there was certainly sufficient information if the FBI had wanted to open on her as well that they could have done so. They made the judgment not to. And that was a decision made right at the outset, in March of 2011.

Carper: Others, please.

Intelligence Community IG Charles McCullough: I would agree there was information that we found when we examined the post-bombing information that was collected. I think probably that would have to be discussed in the classified session. But there was information that we found post-bombing that would relate to that, Senator.

Carper: Mr. Buckley?

CIA IG David Buckley: Mr. Chairman, I too have information that I’ll impart in the closed session regarding this.

Apparently, the Russian notice describing Tamerlan’s deepening commitment to extremism also included details on Zubeidat.

And three of the four IGs (I believe, but need to review this, FBI, IC (NCTC), and DHS) admitted that had the investigation been focused on Zubeidat, the government might have found more information.

Remember, it was in a conversation between Zubeidat and a friend or relative where discussion of Tamerlan’s aspirations for jihad had come up in Russian collections. If, for example, NSA had collected that conversation but not found it, they might have found it had they searched on her name rather than Tamerlan.

Update: Some interesting quotes on second view.

@11:50, McCullough describes reviewing “anything that was within the US government’s reach before the bombing, but had not been obtained, accessed, or reviewed until after the bombing” (and whether the USG could have known it existed before the bombing). This probably refers to NSA materials.

@46:00 Carper asks whether we might have found Tamerlan without the Russian tip. McCullough responds that we might have through “forensics.”

Carper: If the Russians had not shared their initial tip, would we have had any way to detect Tamerlan’s radicalization?

[McCullough looks lost.]

Carper: If they had not shared their original tip to us, would we have had any way to have detected Tamerlan’s radicalization? What I’m getting at here is just homegrown terrorists and our ability to ferret them out, to understand what’s going on if someone’s being radicalized and what its implications might be for us.

McCullough: Well, the Bureau’s actions stemmed from the memo from the FSB, so that led to everything else in this chain of events here. You’re saying if that memo didn’t exist, would he have turned up some other way? I don’t know. I think, in the classified session, we can talk about some of the post-bombing forensics. What was found, and that sort of thing. And you can see when that radicalization was happening. So I would think that this would have come up, yes, at some point, it would have presented itself to law enforcement and the intelligence community. Possibly not as early as the FSB memo. It didn’t. But I think it would have come up at some point noting what we found post-bombing.

The Day After Government Catalogs Data NSA Collected on Tsarnaevs, DOJ Refuses to Give Dzhokhar Notice

On Thursday, the Inspectors General of the Intelligence Community, DOJ, CIA, and DHS (but not NSA) released their report on the Marathon Bombing. While the public release was just a very condensed summary, included the redaction of both classified and “sensitive” information, and made no attempt to reconstruct data government agencies had or could have had on Dzhokhar Tsarnaev, the report did show that the NSA had data on Tamerlan Tsarnaev and that the FBI found information on his computers that NSA might have gotten via other means.

On Friday, prosecutors in the case against Dzhokhar refused to tell him what they collected under FISA.

Before I get into the government’s refusal on FISA notice — some of which has repercussions for other cases — let’s go over what electronic communications the government did have or could have had.

First, the IG Report (which did not specifically involve NSA’s IG and did not include Dzhokhar in its scope) nevertheless points to information NSA collected in 2012 that was not turned over to FBI until after the attack.

The report also points to communications dating to January 2011, which is entirely redacted. This probably refers to communications the Russians intercepted, not the NSA (indeed, the report discusses NSA data, above, later in the same section, which indicates the earlier redaction doesn’t pertain to NSA). Though there’s no indication whether the NSA received notice of these communications, including the non-US person interlocutor located overseas involved in them, who would have been a legal NSA target.

Working Thread on the Combined Marathon IG Report

I started reading the Combined IG Report on the Marathon attack (including the DOJ, CIA, DHS, and Intelligence Community IGs, but not NSA). And the whole thing looked so bogus from the start, I figured a working thread was in order.

One thing to remember here: we’ve only got a 32-page summary that includes 5 pages of agency (but not CIA) response and a title page. We’re getting a mere fraction of the 168-page report.

To make things worse, some things are redacted that aren’t even classified, they’re just sensitive.

Redactions in this document are the result of classification and sensitivity designations we received from agencies and departments that provided information to the OIGs for this review. As to several of these classification and sensitivity designations, the OIGs disagreed with the bases asserted. We are requesting that the relevant entities reconsider those designations so that we can unredact those portions and make this information available to the public.

(PDF 2) Several things in this passage:

Law enforcement officials identified brothers Tamerlan and Dzhokhar Tsarnaev as primary suspects in the bombings. After an extensive search for the then unidentified suspects, law enforcement officials encountered Tamerlan and Dzhokhar Tsarnaev in Watertown, Massachusetts. Tamerlan Tsarnaev was shot during the encounter and was pronounced dead shortly thereafter.

First, they don’t say what law enforcement officials IDed the brothers. That sentence precedes one which claims there were “unidentified suspects,” which suggests they had suspicions before they were “IDed.” The word “encountered” is awfully suspicious, given that explanations of how the shootout in Watertown happened have been contradictory. And note they don’t say whether Tamerlan died immediately or not–again, an issue about which there’s some contention.

(PDF 2) Note they tell us Anzor’s ethnicity, but not his wife’s (who is more central to this narrative)?

(PDF 2) The report dodges legitimate questions about why the family got refugee status by referring only to “an immigration benefit.” Given reports the uncle had ties to the CIA, that benefit may be more than a simple asylum request.

(PDF 3) Note that, after having previously said the brothers were ID’ed by LE, they now specify FBI [Actually, I think that’s wrong: this is still ambiguous about who IDed them]. But the timing is crazy: it says FBI reviewed its records by April 19, but never says when they were IDed, and doesn’t say whether they were reviewed during a period of suspicion.

By April 19, 2013, after the Tsarnaev brothers were identified as suspects in the bombings, the FBI reviewed its records and determined that in early 2011 it had received lead information from the FSB about Tamerlan Tsarnaev, had conducted an assessment of him, and had closed the assessment after finding no link or “nexus” to terrorism.

(PDF 4) This seems very broad. I wonder what they’re including? Online communications?

As a result, the scope of this review included not only information that was in the possession of the U.S. government prior to the bombings, but also information that existed during that time and that the federal government reasonably could have been expected to have known before the bombings.

(PDF 4) This passage and footnote are huge dodges, making the entire report meaningless.

We carefully tailored our requests for information and interviews to focus on information available before the bombings and, where appropriate, coordinated with the U.S. Attorney’s Office conducting the prosecution of alleged bomber Dzhokhar Tsarnaev.1

1 The initial lead information from the FSB in March 2011 focused on Tamerlan Tsarnaev, and to a lesser extent his mother Zubeidat Tsarnaeva. Accordingly, the FBI and other agencies did not investigate Dzhokhar Tsarnaev’s possible nexus to terrorism before the bombings, and the OIGs did not review what if any investigative steps could have been taken with respect to Dzhokhar Tsarnaev.

I’ll come back to this. But the indictment lists a number of things that the FBI, in their stings, have found and used to identify easy marks. They did not do so here, with Dzhokhar. Which raises real questions about why they chose not to pursue him when they’ve pursued so many other young men like Dzhokhar?

(PDF 4) Here’s who was included in this review:

We also requested other federal agencies to identify relevant information they may have had prior to the bombings. These agencies included the Department of Defense (including the National Security Agency (NSA)), Department of State, Department of the Treasury, Department of Energy, and the Drug Enforcement Administration.

There has been little discussion of DEA’s likely awareness of the brothers, but it is likely, given that they were dealing drugs with potential ties to organized crime. And NSA, but I harp on that too much. I’m curious what role DOE might have.

(PDF 4) Again, they specify they’re only looking at pre-attack data. Which dodges what they could have collected but didn’t.

Additionally, each OIG conducted or directed its component agencies to conduct database searches to identify relevant pre-bombing information.

(PDF 4-5) As with HHSC’s report, the FBI stalled here.

As described in more detail in the classified report, the DOJ OIG’s access to certain information was significantly delayed at the outset of the review by disagreements with FBI officials over whether certain requests fell outside the scope of the review or could cause harm to the criminal investigation. Only after many months of discussions were these issues resolved, and time that otherwise could have been devoted to completing this review was instead spent on resolving these matters.

(PDF 5) The 12333 passage makes it clear NSA had a big role here. But, again, its IG did not conduct an investigation.

(PDF 6-7) The CIA section is very thin. I assume some stuff is missing.

(PDF 8) Note the importance of NSA’s sharing with FBI here?

Of particular relevance to this review are the relationships between the FBI, CIA, and DHS, as well as the relationship between the FBI and the NSA, and the NCTC’s relationships throughout the Intelligence Community.

(PDF 8) This makes clear that the transcription and birthdate errors were in both FSB warnings; it’s just that CIA didn’t fix the second one.

Importantly, the memorandum included two incorrect dates of birth (October 21, 1987 or 1988) for Tamerlan Tsarnaev, and the English translation used by the FBI transliterated their last names as Tsarnayev and Tsarnayeva, respectively.

(PDF 10) This passage seems to admit that FBI could have, but did not, search FISA related databases. It also suggests there was a “certain telephone database,” which might include the Hemisphere database, which performs the same function as the NSA claims (falsely) the phone dragnet does. Note, too, that they’ve only checked for the Tsarnaevs in FBI databases. I’ll come back to these databases in a later post.

Additionally, the DOJ OIG determined that the CT Agent did not use every relevant search term known or available at the time to query the FBI systems, including certain telephone databases and databases that include information collected under authority of the Foreign Intelligence Surveillance Act (FISA). However, searches of FBI databases conducted at the direction of the DOJ OIG during this review produced little information beyond that identified by the CT Agent during the assessment, with the exception of additional travel-related data for Zubeidat Tsarnaeva.

(PDF 11) Note that the second FBI letter to FSB, dated October 7, 2011, postdated the FSB notice to CIA. But it also comes at a time when Boston area law enforcement were conducting an investigation into the murder of Tamerlan’s best friend. The Waltham murders are not mentioned at all in the unclassified report.

(PDF 12) The IG Report does not tell us the date in September when FSB provided notice to CIA. Given that Tamerlan may have just been or was about to be involved in a grisly murder, I find that omission very notable.

(PDF 12) Note you can be watchlisted without derogatory information. This seems to be because of the exception mentioned in FN 10. But fat lot of good it did in this case. Per the footnote, that exception subsequently got disqualified, though I bet it has been qualified again.

(PDF 12) The IG Report doesn’t even acknowledge there was some other kind of difference between the first and the later watchlist entries as indicated on pp 33-4 of the HHSC report, which suggests that discussion may be redacted entirely.

(PDF 16) Note that, as happens with all Legal Permanent Residents, Tamerlan was photographed (and fingerprinted) during immigration. I’m surprised there isn’t more discussion of this (though it may be classified). But one big point of this relatively new border protocol is to have recent pictures on hand in case, say, you need to do facial recognition on pictures from a terrorist attack. Were they used?

(PDF 19) Note the big redaction describing intercepted communications. This may simply describe what the Russians had collected, which led to their tip. But I do wonder whether NSA collected its own version, not least because details of the Russian intercept have been widely reported.

(PDF 20) Note that the discussion of Tamerlan’s (remember, Dzhokhar is not included here) computer materials is described solely in terms of what FBI could do. That’s different from what both DHS (which tracks public online speech) and NSA do. It’s unclear whether they could have found some of this using methods available to them, but the report’s silence on that point is notable.

The FBI’s analysis was based in part on other government agency information showing that Tsarnaev created a YouTube account on August 17, 2012, and began posting the first of several jihadi-themed videos in approximately October 2012. The FBI’s analysis was based in part on open source research and analysis conducted by other U.S. government agencies shortly after the bombings showing that Tsarnaev’s YouTube account was created with the profile name “Tamerlan Tsarnaev.”

[snip]

The DOJ OIG concluded that because another government agency was able to locate Tsarnaev’s YouTube account through open source research shortly after the bombings, the FBI likely would have been able to locate this information through open source research between February 12 and April 15, 2013. The DOJ OIG could not determine whether open source queries prior to that date would have revealed Tsarnaev to be the individual who posted this material.

The passage goes on to report the 7 copies of Inspire on one of the computers used by Tamerlan (again, there’s no mention of Dzhokhar here).

Something they’re not saying, but we know to be true. Had they picked up Inspire either through a 702 upstream search or XKeyscore, they would have had identifiers that could have pegged Tsarnaev’s identity and tied it to all his other identities, regardless of the fact Tamerlan used an alias until February 2013.

And note the big redaction: NSA had information that dated to 2012, which may well have been the intercepts with Plotnikov.

Finally, note that FBI never turned over most of the information about Tamerlan’s Google accounts. The excuse (as noted above) was the ongoing investigation. But I wonder whether that’s ongoing investigation into the Waltham murder or the Marathon attack.

(PDF 25) Note the discussion of enhancement in the 2nd-to-last bullet. I believe this suggests that transliteration questions are only addressed with this enhancement.

(PDF 25) Note that they at least used to delete US person travel info after 6 months unless it represents terrorism information. This would arise from NCTC’s minimization procedures.

(PDF 32) As noted above, we don’t get John Brennan’s response to this, though he presumably sent one. I suspect that means there are classified recommendations for the Agency and that his response reflects that. It’s not clear what the foreign target would be in this context (perhaps an investigation of the person to whom Zubeidat was speaking about Tamerlan wanting to join jihad?), but there seems to have been one.

Why Does NSA Get a Pass on the Boston Marathon Attack?

In addition to a motion claiming the FBI asked Tamerlan Tsarnaev to become an informant during their investigation of him in 2011, Dzhokhar Tsarnaev’s lawyers submitted a motion requesting notice of whether the government intends to submit as evidence or has in its possession surveillance information that would be helpful to Dzhokhar’s defense.

This motion is not going anywhere.

The government would generally be obliged to turn this over only if they planned to use it (or evidence derived from it, in the still very attenuated way they define such things) in trial. And as the defense notes in the motion, any surveillance that might exist would most likely be of Dzhokhar’s family, especially his brother, not him. Moreover, the defense points to Amnesty v. Clapper to invoke the government’s admission that it collects data not just in FISA-authorized programs, but also in EO 12333 ones.

And, although we do not reach the question, the Government contends that it can conduct FISA-exempt human and technical surveillance programs that are governed by Executive Order 12333. See Exec. Order No. 12333,

Yet there is no established obligation to notice such evidence, as there is for FISA.

All that said, to justify their demand, the defense notes the government’s non-response to three past attempts to get such information. And they note two passages from the recently released House Homeland Security Committee report on the bombing to justify their renewed claim.

This threat assessment included a check of “U.S. government databases and other information to look for such things as derogatory telephone communications, possible use of online sites associated with the promotion of radical activity, associations with other persons of interest, travel history and plans, and education history.” Id. at 12. The report also states that, according to FBI officials in Moscow, “electronic communication” between Tamerlan and a jihadist named William Plotnikov “may have been collected.”

If any “derogatory” telephone communications had been discovered, presumably the assessment into Tamerlan wouldn’t have been closed after less than 4 months, as the report makes clear it was (the Russian notice was March 4, 2011; the FBI set an alert on Tamerlan on March 22, 2011; the FBI closed the assessment on June 24, 2011). Ditto if Tamerlan had significant online activity “associated with the promotion of radical activity” (he would have, after his return from Russia). So for the moment assume nothing significant came of these searches, which are attributed to the FBI. Nevertheless, these comments at least nod to databases that may be, or may be derived from, NSA databases.

The possible intercept between Tamerlan and Plotnikov may have dated to a year after the FBI’s assessment, although this NBC report, which seems to have been based on an unredacted report, suggests it predated the warnings. In any case, it’s almost certainly a Russian intercept, not an NSA one: the paragraph reporting it (see the partly redacted paragraph on page 15) is one of just a few in this report classified FGI, indicating it derives from foreign government intelligence. If the FBI (and later, CIA) did learn that Tamerlan had come up in incriminating intercepts with Plotnikov in 2011, that’s something the NSA presumably could have replicated (and would be solidly within NSA’s interpretation of permissible taps under reverse targeting restrictions as laid out in the most recent PCLOB hearing, even assuming such tasking were done under FAA).

Dzhokhar’s defense doesn’t deal with what I consider a far more intriguing mention, undoubtedly because it remains heavily redacted (see pages 32-34). This one deals with the second Russian alert later that fall — it is another FGI paragraph and footnote — this time to the CIA. It reveals that in providing a warning reported to be largely the same as one sent 6 or 7 months earlier, the CIA version of the Russian warning used the wrong year of birth and transliterated his name differently. There was some other difference in this alert as well (this would be described in the sentence at 33-34, which the following sentence on the name and date inaccuracy adds to). And while much of this heavily redacted discussion involves the mechanics of data sharing, what is clear is CIA added Tamerlan (with the wrong birth date and transliteration) to two more databases than FBI had, TIDES (a kind of centralized database) and TSDB (a centralized terrorist screening database) based on some reason to be suspicious. Just as significantly, according to NBC (which also spoke to a “US intelligence official,” though it doesn’t attribute this specific claim at all), CIA also passed on this information to several other agencies. “On Oct. 19, 2011, the CIA shared information on Tsarnaev with the National Counterterrorism Center (NCTC), DHS, the State Department and the FBI.”

Take a step back here and consider this claim. First, NBC’s source (or the unredacted report) would have you believe a legal alien in the US got added to the TSDB for alleged ties with extremists in Russia without NSA also getting notice of it. It would also have you believe that any further checks done into Tamerlan at this time never stumbled over the grisly Waltham murder committed just weeks earlier, or Tamerlan’s odd behavior afterwards. Tamerlan was getting added to databases, but no one made a Request for Information about the underlying claims involving people who could be legally targeted in Russia to the NSA, at least as far as the public story goes.

And note what doesn’t appear in the House report, but which does appear in Dzhokhar’s indictment?

Inspire magazine is an English language online publication of al-Qaeda in the Arabian Peninsula. Volume One of Inspire magazine, which is dated summer 2010, contains detailed instructions for constructing IEDs using pressure cookers, explosive powder from fireworks, shrapnel, adhesive, and other materials. IEDs constructed in this manner are designed to shred flesh, shatter bone, and cause extreme pain and suffering, as well as death.

[snip]

At a time unknown to the Grand Jury, but before on or about April 15, 2013, DZHOKHAR A. TSARNAEV downloaded to his computer a copy of Volume One of Inspire magazine, which includes instructions on how to build IEDs using pressure cookers or sections of pipe, explosive powder from fireworks, and shrapnel, among other things.

There are codes within Inspire that could be, and presumably are, targeted under NSA’s upstream collection, meaning if such downloads in any way crossed key international switches, they might have been identified and tracked, along with metadata identifying Dzhokhar’s computer.

And yet, in spite of all these potential bread crumbs the NSA might have had, no one has thought to ask NSA whether they did. The HHSC didn’t ask NSA for information, and the joint IG report on the attacks did not include NSA’s IG.

Don’t get me wrong. I’m actually sympathetic to the idea that even the most diligent effort cannot prevent every attack. I’m not endorsing doing any more domestic collection than NSA already does — though what it does, it does precisely to identify people like Tamerlan, people who have conversations with known extremists overseas. According to both NSA and FBI’s rules, neither would have needed even Reasonable Articulable Suspicion into Tamerlan — though they clearly had that — to do a back door search on, say, Plotnikov’s communications. I’m also not saying this would make a lick of difference in Dzhokhar’s trial (though the allegation is that his computer, not Tamerlan’s, is the one with Inspire on it).

But if we’re going to do drawn out assessments every time we miss a terrorist attack, shouldn’t we also be assessing the actions or inactions of the people who run massive dragnets ostensibly because they’ll identify people like Tamerlan? If we’re going to have this dragnet — and if NSA is going to justify it by pointing to terrorism — shouldn’t we be assessing its role in actually preventing terrorism?

The Other Problem with the Obama Proposal: Who Does the Pizza Joint Review?

I’m sure I’ll spend all day discussing the various proposals to “fix” the dragnet.

I’ve already shown why the House Intelligence bill is not an improvement and should not be discussed by credible people as one.

And on Twitter and briefly in that piece, I described two problems that aren’t addressed at all in either of these proposals, including President Obama’s plan laid out by Charlie Savage.

  • The Reasonable Articulable Suspicion standard is still far too lenient, allowing the government to engage in a broad digital stop-and-frisk system
  • Once supplied to NSA, it will presumably subject tens or hundreds of thousands of innocent people to the full array of NSA’s tradecraft

Finally, though, there’s one other problem, which directly affects how many people get subjected to such analytical tradecraft, a problem identified by no other person than … Barack Obama.

Relying solely on the records of multiple providers, for example, could require companies to alter their procedures in ways that raise new privacy concerns.

I suspect one of those privacy concerns, as I laid out in this post, is the necessity to make analytical judgments about what high volume numbers distort the chaining system.

Someone needs to go in and take out such high volume numbers — which include voice mail access numbers, telemarketers, and pizza joints — otherwise almost everyone is two degrees of separation from everyone else.

For two of these functions, I assume the telecoms can do the task as easily as the NSA. (The dirty secret is they conduct the same kind of 3-degrees analysis as the government does!) They know what their own (and reseller phone companies’) voice mail access numbers are, after all, and surely they track the telemarketer spam that weighs down their system.

It’s the pizza joints that have me — that always have me — worried.

Pizza joints absolutely distort the contact chaining system. Keith Alexander learned this when the contact chaining he was doing — and he used to claim he had mapped out all the evil people tied to Iraq — showed everyone to be guilty because they frequented the same pizza joints.

When he ran INSCOM and was horning in on the NSA’s turf, Alexander was fond of building charts that showed how a suspected terrorist was connected to a much broader network of people via his communications or the contacts in his phone or email account.

“He had all these diagrams showing how this guy was connected to that guy and to that guy,” says a former NSA official who heard Alexander give briefings on the floor of the Information Dominance Center. “Some of my colleagues and I were skeptical. Later, we had a chance to review the information. It turns out that all [that] those guys were connected to were pizza shops.”

Nevertheless, sometimes a cigar is just a cigar, and sometimes a tie through a pizza joint can be a very important tie through a pizza joint, as I believe Gerry’s Italian Kitchen was in the case of the Tsarnaev brothers. If NSA purged the pizza joint in that case, they may have eliminated some of the most important evidence tying the brothers (or at least Tamerlan) to the Waltham murder in 2011.
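The distortion and the trade-off described above can be shown on a toy call graph. This is an added example, not part of the original post and not any agency's or carrier's actual method; the call records, the names and the five-contact cutoff are all constructed assumptions.

```python
from collections import defaultdict, deque

# Constructed call-detail records (caller, callee); every name is invented.
RECORDS = [
    ("seed", "friend_a"), ("friend_a", "friend_b"), ("friend_b", "far_c"),
    ("seed", "pizza"), ("associate", "pizza"),
    ("cust_1", "pizza"), ("cust_2", "pizza"), ("cust_3", "pizza"),
    ("cust_4", "pizza"), ("cust_5", "pizza"),
]


def build_graph(records):
    """Undirected contact graph: a call links both numbers to each other."""
    graph = defaultdict(set)
    for a, b in records:
        graph[a].add(b)
        graph[b].add(a)
    return graph


def high_volume(graph, threshold):
    """Numbers with at least `threshold` distinct contacts (assumed cutoff)."""
    return {n for n, peers in graph.items() if len(peers) >= threshold}


def chain(graph, seed, hops, purged=frozenset()):
    """Breadth-first contact chaining; returns {number: hop distance}.

    Purged numbers are neither returned nor chained through.
    """
    reached = {seed: 0}
    queue = deque([seed])
    while queue:
        current = queue.popleft()
        if reached[current] == hops:
            continue  # do not expand past the hop limit
        for peer in graph[current]:
            if peer in purged or peer in reached:
                continue
            reached[peer] = reached[current] + 1
            queue.append(peer)
    del reached[seed]
    return reached


def compare(records, seed, hops=2, threshold=5):
    """Chain from `seed` with and without high-volume numbers purged."""
    graph = build_graph(records)
    hubs = high_volume(graph, threshold)
    raw = chain(graph, seed, hops)
    filtered = chain(graph, seed, hops, purged=hubs)
    # Numbers that were reachable only by chaining through a purged hub.
    lost = sorted(set(raw) - set(filtered) - hubs)
    return {"hubs": hubs, "raw": raw, "filtered": filtered, "lost": lost}


if __name__ == "__main__":
    result = compare(RECORDS, "seed")
    print("high-volume numbers:", sorted(result["hubs"]))
    print("2-hop set, unfiltered:", len(result["raw"]), "numbers")
    print("2-hop set, hubs purged:", len(result["filtered"]), "numbers")
    print("dropped along with the hub:", result["lost"])
```

Purging the hub shrinks the two-hop set from nine numbers to two, and it drops `associate` exactly as it drops the five unrelated customers: the filter cannot tell a meaningful tie through the pizza joint from a coincidental one.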

So who, under this new system, will do the pizza joint analysis?

If the phone companies do it (which I doubt, because of cases like the Tsarnaevs), it will mean even more intensive data mining of customer data while it remains in their hands.

If the NSA does it, it means a lot more totally innocent people will have their data turned over to NSA to do as they wish.

Don’t get me wrong. The Obama proposal is an improvement over the status quo. But for these reasons, including the pizza joint problem, it still doesn’t comply with the Fourth or First Amendments.

Would We Have Accepted the Dragnet if NSA Had to Admit It Could Have Prevented 9/11?

I’m going to return to Glenn Greenwald’s latest showing details of how the NSA treated WikiLeaks and, to a lesser degree, Anonymous (as well as Alexa O’Brien’s update on the investigation into WikiLeaks) later.

If GCHQ does this kind of tracking, how did Five Eyes miss the Tsarnaev brothers?

But for now I want to look at one slide covering GCHQ’s AntiCrisis monitoring approach (see slide 34), which in this case is focused on WikiLeaks. It shows how GCHQ has the ability — and had it in 2012 — to monitor particular websites. It shows GCHQ can monitor the visitors of a particular website, where they’re coming from, what kind of browsers they use. None of that is in the least surprising. But given those capabilities, it would be shocking if GCHQ weren’t doing similar monitoring of AQAP’s online magazine Inspire, with the added benefit that certain text strings in each Inspire magazine would make it very easy to track copies of it as it was downloaded, even domestically via upstream collection. And for the UK, this isn’t even controversial; even possessing Inspire in the UK can get you imprisoned.

Given that that’s the case, why didn’t GCHQ and NSA find the Tsarnaev brothers who — the FBI has claimed but provided no proof — learned to make a bomb from the Inspire release that GCHQ or NSA hacked? Why isn’t NSA reviewing why it didn’t find the brothers based on cross-referencing likely NSA tracking of Inspire with its FBI reporting on Tamerlan Tsarnaev?

I used to not believe NSA should have found the Tsarnaevs. But now that I’ve seen all the nifty tools we’ve learned NSA and, especially, GCHQ have, they really do owe us an explanation for why they didn’t find the Tsarnaev brothers, one of whom was already in an FBI database, and who was allegedly learning to make a pressure cooker bomb from a document that surely gets tracked by the NSA and its partners.

Speaking of NSA failures…

Which brings me back to James Clapper’s interview with Eli Lake.

Clapper said the problems facing the U.S. intelligence community over its collection of phone records could have been avoided. “I probably shouldn’t say this, but I will. Had we been transparent about this from the outset right after 9/11—which is the genesis of the 215 program—and said both to the American people and to their elected representatives, we need to cover this gap, we need to make sure this never happens to us again, so here is what we are going to set up, here is how it’s going to work, and why we have to do it, and here are the safeguards… We wouldn’t have had the problem we had,” Clapper said.

“What did us in here, what worked against us was this shocking revelation,” he said, referring to the first disclosures from Snowden. If the program had been publicly introduced in the wake of the 9/11 attacks, most Americans would probably have supported it. “I don’t think it would be of any greater concern to most Americans than fingerprints

Now, I’ll have to review the latest declarations in Jewel, but I think Clapper’s statement — that the genesis of today’s phone dragnet dates to 9/11 — goes slightly beyond what has been admitted, because it ties today’s phone dragnet program back to the PSP phone dragnet program. Ron Wyden has tried to make the tie between the illegal program and the current one clear for months. Clapper has now inched closer to doing so.

But I also want to take issue with Clapper’s claim that if NSA had presented a “gap” to Members of Congress and the public after 9/11 we would have loved the dragnet.

Had we known of the errors and territorialism that permitted 9/11, would we have agreed to any of this?

I do so, in part, because the claim there was a “gap” is erroneous and has been proven to be erroneous over and over. Moreover, that myth dates not to the days after 9/11, but to misrepresentations about the content of the 9/11 Commission report 3 years later. Note, too, that (as has happened with the Inspector General reviews of the Boston Marathon attack) the Commission got almost no visibility into what NSA had against al Qaeda.

More importantly, had NSA gone to the public with claims about gaps it did and didn’t have before 9/11, we would likely have talked not about providing NSA more authority to collect dragnets, but instead, about the responsibility of those who sat on intelligence that might have prevented 9/11.

As Thomas Drake and the other NSA whistleblowers have made clear, the NSA had not shared intelligence reports that might have helped prevent 9/11.

I found the pre- and post-9/11 intelligence from NSA monitoring of some of the hijackers as they planned the attacks of 9/11 had not been shared outside NSA.

The Dog Ate Charles McCullough’s Homework

Let’s take the narrative the Federal Government wants to tell us about the Boston Marathon attack.

Both FBI and CIA got tips from Russia in early- and mid-2011 implicating Tamerlan Tsarnaev in extremism which FBI, which appropriately has jurisdiction, investigated and entered into the relevant databases accessible to Joint Terrorism Task Force partners.

Later that year, the government alleges (based on the word of a guy they killed immediately thereafter), Tamerlan and Ibragim Todashev — and possibly Tamerlan’s brother Dzhokhar — knifed three friends and associates to death on 9/11 while they waited for pizza from a place the brothers may have once worked; while several of the people on both sides of that killing were involved in selling drugs, the presumed motive for that killing (especially given the date) pertains to Islamic extremism, not a drug and money dispute, in spite of or perhaps because of the pot and money left at the scene. After the killing, Tamerlan disappeared from the scene in Cambridge and was never interviewed by the cops. Senate Intelligence Committee members allege Russia passed on another warning about Tamerlan after October 2011, though the FBI insists it kept asking for more information to no avail.

The next year, Tamerlan left for Russia and Chechnya and Dagestan, but the Homeland Security dragnet missed him because Aeroflot misspelled his name (an issue that contributed to their missing the UndieBomb, too; Russia’s original tip to the FBI had gotten his birthdate wrong). While in Russia, Tamerlan met a bunch of Chechen extremists, several of whom were killed shortly after he met them. Then, Tamerlan returned to Boston, and he and his brother made some bombs out of pressure cookers and fireworks in his Cambridge flat (testimony of their cab driver notwithstanding), and then set them off near the finish line of the Boston Marathon, killing 3 and maiming hundreds.

In spite of the thousands of videos of the event, FBI’s prior investigation, and immigration records on the brothers including pictures, the government’s facial recognition software proved unable to find them (in spite of claims “FBI” officials were asking around Cambridge already), so the government released their pictures and set off a manhunt that resulted in Tamerlan’s death and the arrest of Dzhokhar.

That’s the story, right?

Two weeks after the attack, James Clapper tasked the Intelligence Community Inspector General, Charles McCullough, with investigating the attack to see if it could have been prevented (note, after the 2009 UndieBomb attack, the Senate Intelligence Committee conducted such an investigation but I’ve heard no peep of them doing so here). Also involved in that investigation are DOJ, DHS, and CIA’s IG, but not NSA’s IG, in spite of the fact that the Russians, at least, reportedly intercepted international texts implicating Tamerlan in planning jihad (though there’s no reason to believe the non-US side of those texts — a family member of the brothers’ mother — would have been a known CT target). (Note that, even as McCullough has been conducting this investigation, which ultimately involves information that has been leaked to the press, James Clapper has him conducting investigations into unauthorized leaks — does anyone else see the huge conflict here???)

Back on September 19 (perhaps not coincidentally the day after Ibragim Todashev’s friend Ashurmamad Miraliev was arrested in FL and questioned for 6 hours without a lawyer), McCullough wrote Congress to tell them that because “information relevant to the review is still being provided to the review team,” the review would be indefinitely delayed.

According to the BoGlo, McCullough is offering a new excuse for further delay: the shutdown.

Officials said the shutdown has hampered various agencies’ ability to conduct interviews, undertake research, or pay support personnel who are responsible for reviewing the operations of the government’s terrorism databases before the Marathon attack and determining whether information on the bombing suspects was properly handled.

[snip]

Last month congressional oversight communities were informed that while officials were “working diligently” to complete the review, the process of interviewing counter-terrorism officials and reviewing computer files had turned out to be more challenging than expected. McCullough, the intelligence community’s inspector general, said at the time that “information relevant to the review is still being provided to the review teams.”

A senior Senate staffer, who was not authorized to speak publicly, said briefings recently scheduled for intelligence officials to brief key congressional committees on the progress of the review were canceled.

So here we are over 6 months after the attack, and an inquiry purportedly reviewing whether our CT information sharing (led by the National Counterterrorism Center, which reports to Clapper, to whom McCullough also reports as a non-independent IG) did what it was supposed to, is still having trouble reviewing the actual databases (!?!?), ostensibly because they had to furlough the support people doing that rather than allow them to figure out how to fix problems to prevent the next terrorist attack. (Remember, James Clapper testified he had furloughed 70% of civilian IC staff, to the shock of Chuck Grassley and others.)

Perhaps that’s the problem. Perhaps it is the case that in 6 months time, IC support personnel had not yet been able to access and assess the database counterterrorism professionals are expected to monitor and respond to almost instantaneously. If that is the case, it, by itself, ought to be huge news.

Or perhaps there’s something about the Waltham investigation that has made it newly embarrassing that warnings before and — if blathery Senators are to be believed — after the murders didn’t focus more attention on Tamerlan Tsarnaev.

US Deports Ibragim Todashev’s Girlfriend

The Guardian and Boston Magazine report that Tatiana Gruzdeva, the woman whom FBI had apparently detained to pressure Ibragim Todashev to cooperate, is now back in Moldova after being deported to Russia. Gruzdeva had claimed she was deported for granting an interview to Boston Magazine, and that outlet quotes a lawyer explaining how that might be the case.

[I]mmigration lawyers Susan Church and Jeremiah Freedman told me Gruzdeva was most likely given something called an order of supervision—and yes, they said, under an order of supervision, the feds can deport her for speaking to the media.

Church says this proviso matches Gruzdeva’s account that she was given a one-year extension to stay in America and that she was allowed to file for work papers. Orders of supervision are usually given under another legal provision called deferred action. Church says it’s common for people to file for work under these circumstances.

According to Freedman, orders of supervision can include certain requirements like not speaking to the press. “If you violate the conditions of your order of supervision,” he said, “they pick you up and put you in jail again.” And Church says these requirements don’t have to be explicit. “A person who has an overstay really doesn’t have any legal rights,” said Church. “They could be picked up at any time.”

“That is really a privilege that is not extended to many people,” said Church,

I’m as interested in this account for what it says about Gruzdeva’s likely status — deferred action — as the explanation for how speaking to Boston Magazine could get her deported. Because, from what I’ve seen, such an extension along with work privileges is virtually unheard of in the immigration context, even for people who are far more cooperative with law enforcement than we at least understand Gruzdeva to have been.

So Gruzdeva gets that privilege, and while released spends a lot of time with Todashev’s father, Abdulbaki, who is a government official in Grozny. When her roommate, Ashurmamad Miraliev, who had been close friends with Todashev and also spent time with Abdulbaki, was arrested, she went public, which led not only to accusations the FBI was recruiting members of this community as informants, but also ultimately to Gruzdeva’s loss of that privilege and her deportation. While in the US, Abdulbaki was interviewed by the FBI and other law enforcement. And according to the Guardian, Gruzdeva was debriefed in Moscow before she traveled on to Moldova.

So what is the FBI (and another unnamed federal agency, on whose request Miraliev is being detained) really after here?

Why Isn’t the NSA Evaluating Why It Didn’t Have Chechen Intelligence on Tamerlan Tsarnaev?

As I noted last week, four Inspectors General are conducting (an indefinitely delayed) review of their Agencies’ handling of intelligence in advance of the Boston Marathon attack. But just four Agencies are involved:

  • Intelligence Community
  • CIA
  • DOJ
  • DHS

That is, the NSA’s Inspector General is not participating in the review.

And while I understand that Tamerlan Tsarnaev’s domestic communications could not have been collected by NSA (and presumably none of the people from Dagestan and Chechnya with whom he had contact were selected as identifiers for the Section 215 dragnet), he still allegedly had contacts while in Russia with fairly prominent extremists. And there are two reasons why NSA might have collected Chechen contacts of Tamerlan’s: both because extremists in Chechnya have ties to al Qaeda (indeed, a number of them are and were fighting in Syria), and because Chechen mobsters have ties to the mobs being targeted under Obama’s Transnational Criminal Organization initiative.

So did the NSA have anything on the Chechens Tamerlan allegedly met with? In any case, wouldn’t it be worth a review of what they have and what they might have had?

Apparently not, at least according to the IC.

There is precedent for protecting the NSA from such retroactive scrutiny. Recall that the 9/11 Commission barely touched what files the NSA might have had.

[T]he 9/11 Commission, which went out of business in 2004, failed to conduct a thorough inspection of the government’s most important library of raw intelligence on al Qaeda and the 9/11 plot. And nobody appears to have inspected that intelligence since.

The archives, maintained by the National Security Agency at its headquarters in Fort Meade, Maryland, were reviewed—in a cursory fashion—only in the final days of the commission’s investigation, and then only because of last-minute staff complaints that the NSA’s vast database was being ignored.

Throughout its investigation, staffers complained, the commission’s leaders were fixated on what could be found in the terrorism files of the CIA and the FBI, the two big targets for criticism in the panel’s final report, and largely ignored the NSA, the government’s chief eavesdropping agency.

[snip]

“It’s always been frightening to me to consider what is still at the NSA, whatever we never had time to see,” said a former commission staff member, who now works elsewhere in the federal government and is barred from speaking to the press for attribution. “It’s kind of shocking to me that no one has tried to get back in there since. We certainly didn’t see everything at NSA.”

And I can imagine why, particularly after Edward Snowden started leaking, the NSA might not want to check whether it had data it simply missed. How embarrassing if it had to admit that it missed a terrorist because its haystack has gotten too big?

Still, given the allegations about Tamerlan’s entirely foreign associates, I’m not convinced the NSA would have collected nothing.

Keith Alexander today claimed NSA used the Section 215 database in the wake of the Boston Marathon attack (though how they claimed the allegedly self-radicalized Tsarnaevs had ties to Al Qaeda, I don’t know) to chase down potential associates in NYC.

“We did use [Section] 215,” he said, referring to the Patriot Act provision that the government has claimed a federal court has agreed gives it the authority to collect data on practically all calls made in the United States. “We used it to support the FBI in their investigation.”

So the NSA was involved in the investigation, at least.

So can’t we have a teensy review to see if it did, and if our target selection in Chechnya and Dagestan is appropriate?