Posts

Did FBI Plan Russia’s Fire Sale in San Francisco for a Specific Reason?

You’ve no doubt seen pictures of the black smoke rising above Russia’s consulate yesterday, an apparently sour-smelling smoke on a day of record heat in San Francisco. A facility ordered to close in DC sported a more modest fire.

None of that’s surprising. When diplomatic facilities shut down, especially on short notice as happened here, they need to get rid of records, not least all the spying records. We did it in the MENA embassies closed in the face of attacks in 2012, including the facility in Benghazi. We burned documents in our embassy in Moscow in 1991. This is what diplomatic personnel, and spies operating under official cover, are trained to do.

It provides the same kind of spectacle that evicting Russians who’ve long inhabited suburban compounds did in December (and I confess to convincing EFF to sending an intern to sniff the air to figure out what besides paper might be burning). That said, it is to be expected.

But I wonder whether there’s not something more to the way this was carried out. Eli Lake took a break from scolding violence he otherwise champions if used by those he disagrees with to do some actual reporting. He explained that in late July, in an effort to minimize Russia’s reaction to the sanctions Congress pushed through over Trump’s objections, a top State Department official offered Russia a deal: they could have their NY and MD compounds back so long as they promised to use them only for recreation and agreed to let authorities search the compounds. But agreeing to those criminal searches was too much for Russia to agree to, which led State to revert to the normal processes.

U.S. officials tell me that Undersecretary of State Tom Shannon, a career foreign service official appointed during the Obama administration, made a last-minute effort to stop the Russians from retaliating against the new sanctions, a response to Russia’s election meddling that Trump reluctantly signed.

At the end of July, Shannon presented a “non-paper,” a proposal with no official diplomatic markings, to his Russian counterpart that offered the return of two diplomatic compounds President Barack Obama shuttered in December.

[snip]

Almost no one else in the government knew about Shannon’s efforts. Two U.S. officials who work closely on Russia told me that the FBI’s spy hunters in particular were furious when they found out Shannon had made the unofficial offer to return the compounds closed in December. Fiona Hill, the National Security Council’s senior director for European and Russian affairs, was also unaware of the offer, according to these officials.

Shannon’s non-paper was not a total giveaway. It included tougher terms for how the Russians could use their compounds, specifying they could only be used for recreational activities. It also explicitly gave U.S. authorities the right to enter the compounds if there was suspicion of criminal activity or espionage.

That apparently was too much for Moscow. They went ahead with the diplomatic expulsions anyway. This time when the Trump administration considered its response, it went through a more rigorous inter-agency process, according to U.S. officials who participated in it. The FBI in particular pressed for closing the consulate in San Francisco because it was a center for Russian espionage activities on the West Coast.

It’s this last bit I’m particularly interested in. The WaPo reported earlier this year something I had heard as well: the decisions on expulsions in December had reflected a last minute shift to include more people in San Francisco.

More broadly, the list of 35 names focused heavily on Russians known to have technical skills. Their names and bios were laid out on a dossier delivered to senior White House officials and Cabinet secretaries, although the list was modified at the last minute to reduce the number of expulsions from Russia’s U.N. mission in New York and add more names from its facilities in Washington and San Francisco.

And I’ve heard Russians pushed to have their Houston consulate shut down in lieu of the San Francisco one, to no avail.

It’s what came next that is really interesting. In both San Francisco and DC, apparently after the Russians had vacated their property (remember reports that the Russians may have gotten warning about their compounds in December), the US informed them Russians in San Francisco and the facility in DC would be subject to search.

On August 31, the US authorities announced unprecedented restrictive measures against Russian diplomatic and consular missions in the US, requiring us to close, in a matter of two days, the consulate general in San Francisco, one of the largest Russian consulates in the US that provides visa, notary and other consular services to Russian and US nationals from across a number of densely populated states. Russia is also required to close without delay its Trade Representation in Washington, D.C. and its annex in New York. The US also tightened requirements regarding the mobility of Russian diplomats and official delegations.

This move is yet another blatant violation of international law, including the commitments undertaken by the US under the Vienna Conventions on Diplomatic and Consular Relations. It goes far beyond Washington’s previous initiatives, which included the expropriation by the Barack Obama administration in December 2016 of countryside retreats of the Russian Embassy and Permanent Mission to the UN, despite their immunity status.

Following the illegal seizure of high-value Russian state property, we are being pushed to sell them. On top of that, the latest demands announced by the US pose a direct threat to the security and safety of Russian citizens. The US secret services intend to conduct a search of the Consulate General in San Francisco on September 2, including the apartments of its staff who live in the building and have immunity. In this connection, they were ordered to leave the premises for a period of 10 to 12 hours with their families, including small children and even infants. This is an intrusion into a consular office and the residence of diplomatic workers, who are forced outside so as not to stand in the way of the FBI agents.

I believed the Russians are right here — the tit for tat evictions are normal, and so are the fires before vacating a compound. The searches of diplomatic property are likely not (never mind that FBI could get FISA warrants to search them in a cinch — that just wouldn’t permit them to do this so quickly and aggressively).

The last time Putin spoke of retaliation like this came shortly before the NotPetya worm, and raised in the context of kompromat by a power that collected kompromat on Trump and the Republicans, may well be backed by a real ability to deliver on the threat.

So I’m wondering if the FBI had more specific reasons to use the opportunity of Russia refusing our sweetheart deal to want to close this consulate and flush whatever and whoever is in it out into the open? That’s true, especially given the criminal hacking cases targeting Silicon Valley companies we’re trying out there (the Yahoo and the Nikulin one both may have tangential ties to the DNC hack).

Undoubtedly, this is all happening because FBI believes it will make Russian spying, particularly that targeting our tech industry, far more difficult. But I wonder if some specific goal made the difference to really taking a hard line?

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including Vice, Motherboard, the Nation, the Atlantic, Al Jazeera, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse in Grand Rapids, MI.

[Photo: National Security Agency, Ft. Meade, MD via Wikimedia]

Reality Winner Claims NSA’s Collection on Russians Had Already Been Compromised

I guess today is Reality Winner day.

As Trevor Timm describes, Winner is trying to get comments she made in an interview with the FBI thrown out, arguing she was for legal purposes in custody yet did not receive a Miranda warning. In support of that argument, she submitted a declaration describing what happened to her that day — basically how 10 male FBI agents showed up to search her house, with two taking her to a back room to interrogate her.

In addition to all the details about how many male FBI agents there were and how they had her stand in the fenced yard when they were done interrogating her, she describes how she answered when they asked whether she believed she had compromised sources and methods.

16. Law enforcement specifically asked me whether I believed the disclosure of the document compromised the “sources and methods” contained in the document, to which I advised that it was likely those “sources and methods” had already been compromised.

17. I specifically told law enforcement that, “whatever we were using had already been compromised, and that this report was just going to be like a one drop in the bucket.”

Critics will argue that this wasn’t Winner’s operational judgment to make, though it does reveal that even in this interview, she attested that she didn’t think her leak would damage intelligence.

But I’m interested in her claim that these collection points were already burned.

While many people complain that the IC has withheld too much information about the Russian hack, there are some details that have been released that are downright surprising. Sure, we don’t know who leaked the Steele dossier, but it may have led to the exposure (and possible execution) of his sources. We do know, however, that DOJ itself revealed (in the Yahoo indictment) that it collected email conversations of FSB officers among themselves. We’ve heard vague reporting, too, that Russians figured out they were tapped and went silent accordingly. One early report I got about Russia’s involvement in the DNC hack explained that the suspected hackers rolled up a good deal of their infrastructure after it was exposed.

But Winner (who’s an analyst, remember, not a technical person) claims, that “whatever we were using had already been compromised” with apparent confidence.

Which raises questions whether that’s based on actual knowledge of how Russians were responding to our spying.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including Vice, Motherboard, the Nation, the Atlantic, Al Jazeera, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse in Grand Rapids, MI.

On Trump’s Impenetrable Cyber Security Unit to Guard Election Hacking

Man oh man did Vladimir Putin hand Trump his ass in their meeting the other day. While most the focus has been on Trump’s apparent refusal to confront Putin on the election hack (which Trump is now trying to spin — pity for him he excluded his credible aides who could tell us how it really went down or maybe that was precisely the point).

But I was more interested in Putin and Sergei Lavrov’s neat trick to get Trump to agree to a “joint working group on cybersecurity.”

Lavrov says Trump brought up accusations of Russian hacking; Moscow and DC will set up joint working group on cybersecurity.

Here’s how Trump has been talking about this in an [unthreaded] rant this morning.

People who’re just discovering this from Trump’s tweets are suitably outraged.

But I think even there they’re missing what a master stroke this was from Putin and Lavrov.

First, as I noted at the time, this comes at the moment Congress is trying to exclude Kaspersky Lab products from federal networks, accompanied by a more general witch hunt against the security firm. As I have said, I think the latter especially is problematic (and probably would have been designed at least partly to restore some asymmetry on US spying on the world, as Kaspersky is one of the few firms that will consistently ID US spying), even if there are reasons to want to keep Kaspersky out of sensitive networks. Kaspersky would be at the center of any joint cyber security effort, meaning Congress will have a harder time blackballing them.

Then there’s the fact that cooperation has been tried. Notably, the FBI has tried to share information with the part of FSB that does cyber investigations. Often, that ends up serving to tip off the FSB to which hackers the FBI is most interested in, leading to them being induced to spy for the FSB itself. More troubling, information sharing with US authorities is believed to partly explain treason charges against some FSB officers.

Finally, there’s the fact that the Russians asked for proof that they hacked our election.

SECRETARY TILLERSON: The Russians have asked for proof and evidence. I’ll leave that to the intelligence community to address the answer to that question. And again, I think the President, at this point, he pressed him and then felt like at this point let’s talk about how do we go forward. And I think that was the right place to spend our time, rather than spending a lot of time having a disagreement that everybody knows we have a disagreement.

If the US hadn’t been represented by idiots at this meeting, the obvious follow-up would be to point to Russia’s efforts to undermine US extradition of Russians against whom the US has offered proof, at least enough to get a grand jury to indict, most notably of the three Russians involved in the Yahoo hack, as well as Yevgeniy Nikulin. The US would be all too happy to offer proof in those cases, but Russia is resisting the process that will end up in that proof.

But instead, Trump and his oil-soaked sidekick instead agreed to make future hacking of the US easier.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including Vice, Motherboard, the Nation, the Atlantic, Al Jazeera, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse in Grand Rapids, MI.

Europe Gets Impatient for Yahoo Answers

As I’ve noted, James Clapper’s office has been irresponsibly silent about what kind of scan FBI asked Yahoo to subject all of its email users to in 2015. And those in Congress who haven’t been briefed on it are demanding information.

But they’re not the only ones. Europe is too (as Yahoo seemed all too aware when it wrote Clapper asking him to clarify the scan).

And they’ve got a bit more leverage over the Intelligence Community than non-intelligence committee members of Congress do, because the EU prohibits data collected in Europe from being used for mass surveillance.

Dutch MEP Sophia In t’Veld asked the European Commission questions but has thus far gotten no answer.

Yahoo has allegedly scanned customer emails for US intelligence purposes at the request of US intelligence agencies. According to reports, in 2015 Yahoo secretly built a custom software program allowing it to search all of its customers’ incoming emails for specific information requested by US intelligence officials. In the Schrems judgment, the Safe Harbour programme allowing EU personal data to be transferred to the US was declared invalid, among other reasons because of the mass surveillance protocols used by US intelligence services.

Will the Commission investigate these reports and ask clarification from the US administration?

Was the Commission aware of these alleged activities by Yahoo at the time it adopted the Privacy Shield decision? If not, do these revelations prompt the Commission to reconsider its decision on Privacy Shield?

Does the Commission consider Yahoo to have violated the terms of Safe Harbour, does the Commission consider that these practices would be allowed under Privacy Shield, and how will the Commission verify that violations in this regard do not take place?

And the Article 29 Working Party — the data protection authorities — last week asked Yahoo directly.

In addition, the WP29 was also informed that Yahoo has scanned customer emails for US
intelligence purposes at the request of US intelligence agencies. According to reports, in
2015 Yahoo searched all of its customers’ incoming emails for specific information
requested by US intelligence officials.

The reports are concerning to WP29 and it will be important to understand the legal
basis and justification for any such surveillance activity, including an explanation of how
this is compatible with EU law and protection for EU citizens.

 

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including Vice, Motherboard, the Nation, the Atlantic, Al Jazeera, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse in Grand Rapids, MI.

In Spying, “Things like phone numbers or emails” Turn Out to Be Far More

According to Reuters, the Intelligence Community doesn’t intend to share any details of the Yahoo scan revealed several weeks back with anyone outside of the FISA oversight committees — the House and Senate Intelligence and Judiciary Committees.

Executive branch officials spoke to staff for members of the Senate and House of Representatives committees overseeing intelligence operations and the judiciary, according to people briefed on the events, which followed Reuters’ disclosure of the massive search.

But attempts by other members of Congress and civil society groups to learn more about the Yahoo order are unlikely to meet with success anytime soon, because its details remain a sensitive national security matter, U.S. officials told Reuters. Release of any declassified version of the order is unlikely in the foreseeable future, the officials said.

On its face, it’s a stupid stance, as I think the scan probably fits within existing legal precedents that have already been made public, even if it stretches those precedents from “packet content as content” to “email content as content” (and it may not even do that).

In addition, given that the scan was approved by a judge (albeit one working within the secret FISA court and relying on prior decisions that were issued in secrecy), by releasing more details about the scan the government could at least claim that a judge had determined the scan was necessary and proportionate to obtain details about the (as described to NYT) state-sponsored terrorist group targeted by the scan. This decision presumably relies on a long line of decisions finding warrantless surveillance justified by special needs precedents, which began to be laid out for FISC in In Re Sealed Case in 2002.

Nevertheless, even given the toll the government’s secrecy is having on Yahoo (and presumably on other providers’ willingness to cooperate with the IC), the government thus far has remained intransigent in its secrecy.

Which suggests that the IC believes it would risk more by releasing more data than by its continued, damaging silence.

I’ve already explained one of the risks they might face: that their quick anonymous description of this as a “state-sponsored terrorist group” might (this is admittedly a wildarsed guess) really mean they hacked all of Yahoo’s users to get to Iranian targets, something that wouldn’t have the same scare power as terrorists like ISIS, especially in Europe, which has a markedly different relationship with Iran than the US has.

But I also think ODNI risks losing credibility because it appears to conflict with what ODNI specifically and other spook officials generally have said in the past, both to the US public and to the international community. As I note here, the definition of “facility” has been evolving at FISC since at least 2004. But the privacy community just released a letter and a quote to Reuters that seems unaware of the change. The letter asserts,

According to reports, the order was issued under Title I of FISA, which requires the government to demonstrate probable cause that its target is a foreign power or an agent of a foreign power (such as a spy or a terrorist), and probable cause that the “facility” at which the surveillance is conducted will carry the target’s communications. If reports are true, this authority to conduct a particularized search has apparently been secretly construed to authorize a mass scan.

Traditional FISA orders haven’t been limited to particularized targets since 2007, when an order targeting Al Qaeda was used to temporarily give Stellar Wind legal sanction. If one order requiring a scan of traffic at  telecom switches could target Al Qaeda in 2007, then surely one order can target Iran’s Revolutionary Guard or a similar organization in 2016. The problem is in the execution of the order, requiring Yahoo to scan all its incoming email, but it’s not clear the legal issues are much worse than in the 2007 execution.

A Reuters source goes even further, suggesting that all of Yahoo is the facility, rather than the specific code tied to the targeted group.

The groups say that Title I of the Foreign Intelligence Surveillance Act, under which sources said the order was issued, requires a finding that the target of such a wiretap is probably an agent of a foreign power and that the facility to be tapped is probably going to be used for a transmission. An entire service, such as Yahoo, has never publicly been considered to be a “facility” in such a case: instead, the word usually refers to a phone number or an email account.

Never mind that under the phone dragnet, Verizon was counted as the targeted selector (which was used by terrorists and everyone else), though admittedly that was just for metadata. Had Yahoo been designed the “place” at which a physical search were conducted this usage might be correct (that said, we know very little about how physical searches, including for stored communication, work in practice), but as Semiannual reports have made clear (admittedly in the Section 702 context), facility has come to be synonymous with selector.

[T]argeting is effectuated by tasking communication facilities (also referred to as “selectors”), including but not limited to telephone numbers and electronic communications accounts, to Section 702 electronic communication service providers.

Facilities are selectors, and here FBI got a selector tied to a kind of usage of email — perhaps an encryption signature — approved as a selector/facility.

In spite of the fact that somewhere among 30 NGOs someone should have been able to make this argument (and ACLU’s litigation side surely could do so), there is good reason for them to believe this.

That’s because the IC has very deliberately avoided talking about how what are called “about” scans but really should be termed signature scans really work.

This is most striking in a March 19, 2014 Privacy and Civil Liberties Oversight Board hearing, which was one of the most extensive discussions of how Section 702 work. Shortly after this hearing, I contacted PCLOB to ask whether they were being fully briefed, including on the non-counterterrorism uses of 702, such as cyber, which use (or used) upstream selectors in a  different way.

Several different times in the hearing, IC witnesses described selectors as “selectors such as telephone numbers or email addresses” or “like telephone numbers or email addresses,” obscuring the full extent of what might be included (Snowden tweeted a list that I included here). Bob Litt did so while insisting that Section 702 (he was referring both to PRISM and upstream here) was not a bulk collection program:

I want to make a couple of important overview points about Section 702. First, there is either a misconception or a mischaracterization commonly repeated that Section 702 is a form of bulk collection. It is not bulk collection. It is targeted collection based on selectors such as telephone numbers or email addresses where there’s reason to believe that the selector is relevant to a foreign intelligence purpose.

I just want to repeat that Section 702 is not a bulk collection program.

Then-Deputy Assistant Attorney General Brad Weigmann said selectors were “really phone numbers, email addresses, things like that” when he defined selector.

A selector would typically be an email account or a phone number that you are targeting. So this is the, you get, you know, terrorists at Google.com, you know, whatever. That’s the address that you have information about that if you have reason to believe that that person is a terrorist and you would like to collect foreign intelligence information, I might be focusing on that person’s account.

[snip]

So that’s when we say selector it’s really an arcane term that people wouldn’t understand, but it’s really phone numbers, email addresses, things like that.

And when then-NSA General Counsel Raj De moved from describing Section 702 generally (“selectors are things like”), to discussing upstream, he mistakenly said collection was based on “particularly phone numbers or emails” then immediately corrected himself to say, “things like phone numbers or emails.”

So there’s two types of collection under Section 702. Both are targeted, as Bob was saying, which means they are both selector-based, and I’ll get into some more detail about what that means. Selectors are things like phone numbers and email addresses.

[snip]

It is also however selector-based, i.e. based on particular phone numbers or emails, things like phone numbers or emails. This is collection to, from, or about selectors, the same selectors that are used in PRISM selection. This is not collection based on key words, for example.

 

That language would — and apparently did — create the false impression that about collection really did just use emails and phone numbers (which is why I called PCLOB, because I knew they were or had also targeted cyber signatures).

Here’s how all that evasiveness appeared in the PCLOB 702 report:

Although we cannot discuss the details in an unclassified public report, the moniker “about” collection describes a number of distinct scenarios, which the government has in the past characterized as different “categories” of “about” collection. These categories are not predetermined limits that confine what the government acquires; rather, they are merely ways of describing the different forms of communications that are neither to nor from a tasked selector but nevertheless are collected because they contain the selector somewhere within them.

That certainly goes beyond the linguistic game the IC witnesses were playing, but stops well short of explaining that this really isn’t all about emails and phone numbers.

Plus, there’s one exchange from that March 2014 hearing that might be taken to rule out about collection from a PRISM provider. In reply to specific prodding from Elisabeth Collins Cook, De said about collection cannot be made via PRISM.

MS. COLLINS COOK: I wanted to ask one additional question about abouts. Can you do about collection through PRISM?

MR. DE: No.

MS. COLLINS COOK: So it is limited to upstream collection?

MR. DE: Correct. PRISM is only collection to or from selectors.

Of course, De was referring to warrantless collection under Section 702. He wasn’t talking at all about what is possible under Title I. But it may have left the impression that one couldn’t order a PRISM provider to do an about scan, even though in 2007 FISA ordered telecoms to do about scans.

Ultimately, though, the IC is likely remaining mum about these details because revealing it would make clear what publicly released opinions do, but not in real detail: that these about scans have gotten far beyond a collection of content based off a scan of readily available metadata. These scans likely replicate the problem identified in 2004, in that the initial scan is not of things that count as metadata to the provider doing the scan.

The IC may have FISC approval for that argument. But they also had FISC approval for the Section 215 dragnet. And that didn’t live up to public scrutiny either.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including Vice, Motherboard, the Nation, the Atlantic, Al Jazeera, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse in Grand Rapids, MI.

Yahoo to Clapper: Global, Global, Beyond our Borders, Global

I joked when Yahoo first released its letter to James Clapper the other day, asking that he release details about the 2015 scan first revealed by Reuters. It has the tone of a young woman who is justifiably upset because, after sleeping with her, some jerk is pretending he doesn’t even know her.

But as it happens, I’m in Europe, trying to learn more about Privacy Shield and related issues. So I thought I would call attention to the emphasis Yahoo lawyer Ronald Bell (who was the guy who decided not to challenge this) puts on the international impact of Clapper’s decision, thus far, to remain silent.

As you know, Yahoo consistently campaigns for government transparency about national security requests and for the right to share the number and nature of the requests we receive from all governments. We apply a principled approach to handling government requests for user data, including in the national security context, articulated in our publicly-available Global Principles for Responding to Government Requests and regular transparency reports. Our company not only embraces its privacy and human rights responsibilities, we do so enthusiastically, passionately, and with a deep sense of global and moral responsibility. But transparency is not merely a Yahoo issue: Transparency underpins the ability of any company in the information and communications technology sector to earn and preserve the trust of its customers. Erosion of that trust online implicates the safety and security of people around the world and diminishes confidence and trust in U.S. businesses at home and beyond our borders.

Recent new stories have provoked broad speculation about Yahoo’s approach and about the activities and representations of the U.S. government, including those made by the Government in connection with negotiating Privacy Shield with the European Union. That speculation results in part from lack of transparency and because U.S. law significantly constrain–and severely punish–companies’ ability to speak for themselves about national security related orders even in ways that do not compromise U.S. government investigations.

We trust that the U.S. government recognizes the importance of clarifying the record in this case. On behalf of Yahoo and our global community of users, I respectfully request that the Office of the Director of National Intelligence expeditiously clarify this matter. [bold emphasis mine]

Folks here definitely followed the Yahoo story. Their understanding of what happened leads them to believe the scan violates European prohibitions on mass surveillance. Importantly, they’re not aware that this was done with an “individual” FISA order rather than under Section 702. As I’ve written, “individual” orders have been used for bulk scans since 2007, but in this case, an “individual” order would also mean that a judge had reviewed the scan and found it proportional, which would make a big difference here (at least to authorities; a number of other people are raring to challenge such judgements on whether it is an adequate court or not).

So yeah, by disclosing details of this scan, Yahoo may be in much better position vis a vis European authorities, if not consumers.

But there’s another reason why Clapper’s office — or rather ODNI General Counsel Bob Litt — may be so quiet.

Litt is the one who made many of the representations about US spying to authorities here. Someone — Litt, if he’s still around for a hearing that may take place under President Hillary — may also need to go testify under oath in an Irish court in conjunction with a lawsuit there. Whoever testifies will be asked about the kinds of surveillance implicating European users the government makes US companies do.

In other words, Bob Litt is the one who made certain representations to the European authorities. And now some of those same people are asking questions about how this scan complies with the terms Litt laid out.

Which makes his silence all the more instructive.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including Vice, Motherboard, the Nation, the Atlantic, Al Jazeera, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse in Grand Rapids, MI.

Can the Government Use FISA to Get Evidence of Past Criminal Activities?

A terror support case due to start in NYC in December seems to present some interesting questions about the use of EO 12333 and FISA evidence. Ahmed Mohammed El Gammal was arrested last year on charges he helped someone else — who apparently got killed in Syria — travel to and train for ISIL. After almost a year and several continuations, the government provided notice they intended to use material gathered under a FISA physical surveillance order (but not an electronic surveillance order). The case clearly involves a ton of Internet communications; the defense proposed voir dire questions ask if potential jurors are familiar with Twitter, Tango, Whatsapp, Cryptocat, Viber, Skype, Surespot or Snapchat, and asks how much potential jurors use Facebook.

After the government submitted the FISA notice, El Gammal’s lawyers submitted three filings: one seeking access to CIPA information, one seeking to suppress the FISA material, and one asking where all the other surveillance came from.

The FISA complaint, aside from the standard challenge, appears to stem from both the delay in notification and some concerns the government did not adhere to minimization procedures (in the defense reply, they noted that the government had already released minimization procedures but refused to do so here). In addition, the FISA challenge suggests the government used FISA to “was to gather evidence of his past criminal activity,” which it argues is unlawful. His lawyers also seem to question whether there was no other way to obtain the information (which is particularly interesting given the delayed notice).

In addition, the government’s response describes some of the reasons El Gammal’s lawyers suspect the government used some kind of exotic (probably 12333) surveillance against him (some of which are partly or entirely redacted in the defense filings).

The defendant’s motion speculates that the Government relied upon undisclosed techniques when it (1) “appears to have sought information about El Gammal from at least two entities—Verizon and Yahoo—before his identity seems to have become known through the criminal investigation,” (Def. Memo. 3) (2) “seems to have learned about El Gammal before receiving, in the criminal investigation, the first disclosure that would necessarily have identified him,” (Def. Memo. 5) and (3) appeared to have “reviewed the contents of [CC-1’s] [social media] account before [the social media provider] made its Rule 41 return” (Def. Memo. 5). This speculation is baseless. The Government has used a number of investigative techniques in this case. Not all of those techniques require notice or disclosure at this (or any) stage of the investigation.2 And the Government has complied with its notice and disclosure obligations to date.

2 Additional background regarding this investigation is provided in Section IV.A. of the Government’s September 23, 2016 Classified Memorandum in Opposition to the Defendant’s Pretrial Motion to Suppress, and for the Disclosure of the FISA Order, Application, and Related Materials.

It appears that the government had obtained Facebook material (the primary social media involved here) either under Section 702 or EO 12333, then parallel constructed it via warrant. And it appears to suggest the involvement of some kind  of programmatic Verizon and Yahoo collection that may not have been disclosed (El Gammal was in custody before the end of the old phone dragnet).

Particularly given the timing (in the wake of FBI obtaining a way to get into Syed Rezwan Farook’s phone), I had thought the physical search might have been to decrypt El Gammal’s iPhone, but it appears the government had no problems accessing the content of multiple Apple devices.

There’s no reason to think El Gammal will have any more luck obtaining this information than previous defendants seeking FISA and 12333 information have been.

But his lawyers (SDNY’s excellent public defenders office) do seem to think they’re looking at something more programmatic than they’ve seen before. And they do seem to believe those techniques are being parallel constructed.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including Vice, Motherboard, the Nation, the Atlantic, Al Jazeera, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse in Grand Rapids, MI.

More Thoughts on the Yahoo Scan

I want to lay out a few more thoughts about the still conflicting stories about the scan the government asked Yahoo to do last year.

The three different types of sources and their agenda

First, a word about sourcing. The original three stories have pretty identifiable sources. The first Reuters story, by tech security writer Joseph Menn and describing the scan as “a program to siphon off messages” that the security team believed might be a hacker, cited three former Yahoo employees and someone apprised of the events (though I think the original may have relied on just two former Yahoo employees).

NYT had a story, by legal reporter Charlie Savage and cyber reporter Nicole Perloth and relying on “two government officials” and another without much description, that seems to have gotten the legal mechanism correct — an individual FISA order — but introduced the claim that the scan used Yahoo’s existing kiddie porn filter and that “the technical burden on the company appears to have been significantly lighter” than the request earlier this year to Apple to unlock Syed Rezwan Farook’s iPhone.

A second Reuters story, by policy reporter Dustin Volz and spook writer Mark Hosenball, initially reported that the scan occurred under Section 702 authority, though has since corrected that to match the NYT report. It initially relied on government sources and reported that the “intelligence committees of both houses of Congress … are now investigating the exact nature of the Yahoo order,” which explains a bit about sourcing.

Motherboard’s tech writer Lorenzo Franceschi-Bicchieri later had a story, relying on ex-Yahoo employees, largely confirming Reuters’ original report and refuting the NYT’s technical description. It described the tool as “more like a ‘rootkit,’ a powerful type of malware that lives deep inside an infected system and gives hackers essentially unfettered access.”

A followup story by Menn cites intelligence officials reiterating the claim made to NYT — that this was a simple tweak of the spam filter. But then it goes on to explain why that story is bullshit.

Intelligence officials told Reuters that all Yahoo had to do was modify existing systems for stopping child pornography from being sent through its email or filtering spam messages.

But the pornography filters are aimed only at video and still images and cannot search text, as the Yahoo program did. The spam filters, meanwhile, are viewable by many employees who curate them, and there is no confusion about where they sit in the software stack and how they operate.

The court-ordered search Yahoo conducted, on the other hand, was done by a module attached to the Linux kernel – in other words, it was deeply buried near the core of the email server operating system, far below where mail sorting was handled, according to three former Yahoo employees.

They said that made it hard to detect and also made it hard to figure out what the program was doing.

Note, to some degree, the rootkit story must be true, because otherwise the security team would not have responded as it did. As Reuters’ sources suggest, the way this got implemented is what made it suspicious to the security team. But that doesn’t rule out an earlier part of the scan involving the kiddie porn filter.

To sum up: ex-Yahoo employees want this story to be about the technical recklessness of the request and Yahoo’s bureaucratic implementation of it. Government lawyers and spooks are happy to explain this was a traditional FISA order, but want to downplay the intrusiveness and recklessness of this by claiming it just involved adapting an existing scan. And intelligence committee members mistakenly believed this scan happened under Section 702, and wanted to make it a 702 renewal fight issue, but since appear to have learned differently.

The ungagged position of the ex-Yahoo employees

Three comments about the ex-Yahoo sources here. First, the stories that rely on ex-Yahoo employees both include a clear “decline to comment” from Alex Stamos, the Yahoo CISO who quit and moved to Facebook in response to this event. If that decline to comment is to be believed, these are other former Yahoo security employees who have also since left the company.

Another thing to remember is that ex-Yahoo sources were already chatting to the press, though about the 2014 breach that exposed upwards of 500 million Yahoo users. This Business Insider piece has a former Yahoo person explaining that the architecture of Yahoo’s systems is such that billions of people were likely exposed in the hack.

“I believe it to be bigger than what’s being reported,” the executive, who no longer works for the company but claims to be in frequent contact with employees still there, including those investigating the breach, told Business Insider. “How they came up with 500 is a mystery.”

[snip]

According to this executive, all of Yahoo’s products use one main user database, or UDB, to authenticate users. So people who log into products such as Yahoo Mail, Finance, or Sports all enter their usernames and passwords, which then goes to this one central place to ensure they are legitimate, allowing them access.

That database is huge, the executive said. At the time of the hack in 2014, inside were credentials for roughly 700 million to 1 billion active users accessing Yahoo products every month, along with many other inactive accounts that hadn’t been deleted.

[snip]

“That is what got compromised,” the executive said. “The core crown jewels of Yahoo customer credentials.”

I can understand why Yahoo security people who lost battles to improve Yahoo’s security but are now at risk of being scapegoated for a costly problem for Yahoo would want to make it clear that they fought the good fight only to be overruled by management. The FISA scan provides a really succinct example of how Yahoo didn’t involve its security team in questions central to the company’s security.

One more thing. While Stamos and maybe a few others at Yahoo presumably had (and still have) clearance tied to discussing cybersecurity with the government, because none of them were involved in the response to this FISA order, none of them were read into it. They probably had and have non-disclosure agreements tied to Yahoo (indeed, I believe one of these stories originally referenced an NDA but has since taken the reference out). But because Yahoo didn’t involve the security team in discussions about how to respond to the FISA request, none of them would be under a governmental obligation, tied to FISA orders, to keep this story secret. So they could be sued but not jailed for telling this story.

It wouldn’t be the first time that the government’s narrow hold on some issue made it easier for people to independently discover something, as Thomas Tamm and Mark Klein did with Stellar Wind and the whole world did with StuxNet.

Stories still conflict about what happened after the scan was found

Which brings me to one of the most interesting conflicts among the stories now. I think we can assume the scan involved a single FISA order served only on Yahoo that Yahoo, for whatever reason, implemented in really reckless fashion.

But the stories still conflict on what happened after the security team found the scan.

Yahoo’s non-denial denial (issued after an initial, different response to the original Reuters story) emphasizes that no such scan currently remains in place.

We narrowly interpret every government request for user data to minimize disclosure. The mail scanning described in the article does not exist on our systems.

That could mean the scan was ended when the security team found it, but it could also mean Yahoo hurriedly removed it after Reuters first contacted it so it could claim it was no longer in place.

The original Reuters story doesn’t say what happened, aside from describing Stamos’ resignation. NYT’s spook and lawyer sources said, “The collection is no longer taking place.” The updated congressionally-sourced Reuters story says the scan was dismantled and not replaced before Stamos left.

Former Yahoo employees told Reuters that security staff disabled the scan program after they discovered it, and that it had not been reinstalled before Alex Stamos, the company’s former top security officer, left the company for Facebook last year.

The Motherboard story is the most interesting. It suggests that the security team found the scan, started a high severity response ticket on it, Stamos spoke with top management, and then that response ticket disappeared.

After the Yahoo security team discovered the spy tool and opened a high severity security issues within an internal tracking system, according to the source, the warning moved up the ranks. But when the head of security at the time, Alex Stamos, found out it was installed on purpose, he spoke with management; afterward, “somehow they covered it up and closed the issue fast enough that most of the [security] team didn’t find out,“ the source said.

The description of the disappearing ticket could mean a lot of things. But it doesn’t explain whether the scan itself (which the security team could presumably have found again if it worked in the same fashion) continued to operate.

Reuters’ latest story suggests the scan remained after the security team learned that Marissa Mayer had approved of it.

In the case of Yahoo, company security staff discovered a software program that was scanning email but ended an investigation when they found it had been approved by Chief Executive Officer Marissa Mayer, the sources said.

This seems to be consistent with Motherboard’s story about the disappearing ticket — that is, that the investigation ended because the ticket got pulled — but doesn’t describe how the scan continued to operate without more security people becoming aware of it.

But the implication of these varying stories is that the scan may have been operating (or restarted, after Stamos left), in a way that made Yahoo vulnerable to hackers, up until the time Reuters first approached Yahoo about the story. Even NYT’s best-spin sources don’t say when the scan was removed, which means it may have been providing hackers a back door into Yahoo for a year after the security team first balked at it.

Which might explain why this story is coming out now. And why ODNI is letting Yahoo hang on this rather than providing some clarifying details.

And what if the target of this scan is IRGC

As you know, I wildarse guessed that the target of this scan is likely to be Iran’s Revolutionary Guard. I said that because we know IRGC at least used to use Yahoo in 2011, we know the FISC long ago approved treating “Iran” as a terrorist organization, and because there are few other entities that could be considered “state-sponsored terrorist groups.” I think NYT’s best-spin sources might have used that term in hopes everyone would yell Terror!! and be okay with the government scanning all of Yahoo’s users’ emails.

But the apparent terms of this scan conflict with the already sketchy things the IC has told the European Union about our spying on tech companies. So the EU is surely asking for clarifying details to find out whether this scan — and any others like it that the FISC has authorized — comply with the terms of the Privacy Shield governing US tech company data sharing.

And while telling the NYT “state-sponsored terrorist group” might impress the home crowd, it might be less useful overseas. That’s because Europe doesn’t treat the best basis for the claim that IRGC is a terrorist group — its support of Hezbollah — the the same light we do. The EU named Hezbollah’s military wing a terrorist group in 2013, but as recently as this year, the EU was refusing to do so for the political organization as a whole.

That is, if my wildarseguess is correct, it would mean not only that an intelligence request for a back door exposed a billion users to hackers, but also that it did so to pursue an entity that not even all our allies agree is a top counterterrorism (as distinct from foreign intelligence) target.

Thus, it would get to the core of the problem with the claim that global tech companies can install back doors with no global ramifications, because there is no universally accepted definition of what a terrorist is.

Which, again, may be why ODNI has remained so silent.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including Vice, Motherboard, the Nation, the Atlantic, Al Jazeera, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse in Grand Rapids, MI.

Does a Fifth of Yahoo’s Value Derive from (Perceived) Security and Privacy?

The NYPost is reporting that Verizon is trying to get a billion dollar discount off its $4.8 billion purchase price for Yahoo.

“In the last day we’ve heard that [AOL head, who is in charge of these negotiations] Tim [Armstong] is getting cold feet. He’s pretty upset about the lack of disclosure and he’s saying can we get out of this or can we reduce the price?” said a source familiar with Verizon’s thinking.

That might just be tough talk to get Yahoo to roll back the price. Verizon had been planning to couple Yahoo with its AOL unit to give it enough scale to be a third force to compete with Google and Facebook for digital ad dollars.

The discount is being pushed because it feels Yahoo’s value has been diminished, sources said.

AOL/Yahoo will reach about 1 billion consumers if the deal closes in the first quarter, with a stated goal to reach 2 billion by 2020. AOL boss Tim Armstrong flew to the West Coast in the past few days to meet with Yahoo executives to hammer out a case for a price reduction, a source said.

At one level, this is just business. Verizon has the opportunity to save some money, and it is exploring that opportunity.

But the underlying argument is an interesting one, as it floats a potential value — over a fifth of the original purchase price — tied to Yahoo’s ability to offer its users privacy.

As I understand it, the basis for any discount would be an interesting debate, too. The NYP story implies this is a reaction to both Yahoo’s admission that upwards of 500 million Yahoo users got hacked in 2014 and the more recent admission that last year Yahoo fulfilled a FISA order to scan all its incoming email addresses without legal challenge.

Yahoo has claimed that it only recently learned about the 2014 hack of its users — it told Verizon within days of discovering the hack. If that’s true, it’s not necessarily something Yahoo could have told Verizon before the purchase. (Indeed, Verizon should have considered Yahoo’s security posture when buying it.) But there are apparently real questions about how forthcoming Yahoo has been about the extent of the hack. The number of people affected might be in the billions.

Yahoo can’t claim to have been ignorant about its willingness to respond to exotic FISA requests without legal challenge, however.

Verizon bought Yahoo at a time when Yahoo’s aggressive challenged to PRISM back in 2007 was public knowledge. Given that Verizon had been — or at least had been making a show — of limiting what it would agree to do under USA Freedom Act (Verizon got too little credit, in my opinion, for being the prime necessary driver behind the reform), that earlier legal challenge would have aligned with what Verizon itself was doing: limiting its voluntary cooperation with US government spying requests. But now we learn Yahoo had repurposed its own spam and kiddie porn filter to help the government spy, without complaint, and without even telling its own security team.

I’ll let the mergers and acquisitions lawyers fight over whether Verizon has a claim about the purchase price here. Obviously, the $1 billion is just the opening offer.

But there is a real basis for the claim, at least in terms of value. Verizon bought Yahoo to be able to bump its user base up high enough to be able to compete with Google and Facebook. The perception, particularly in Europe, that Yahoo has neither adequately valued user security nor pushed back against exotic US government demands (especially in the wake of the Snowden revelations) will make it a lot harder to maintain, much less expand, the user base that is the entire purpose for the purchase.

So we’re about to learn how much of an international Internet Service Provider’s value is currently tied to its ability to offer security to its users.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including Vice, Motherboard, the Nation, the Atlantic, Al Jazeera, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse in Grand Rapids, MI.

The Yahoo Scan: On Facilities and FISA

There are now two competing explanations for what Yahoo was asked by the government to do last year.

Individual FISA order or 702 directive?

NYT (including Charlie Savage, who FOIAed all the FISC opinions and then wrote a book about them) explains Yahoo got an individual FISA order to search for a “signature” that the FBI had convinced the FISA Court was associated with a state-sponsored terrorist group.

A system intended to scan emails for child pornography and spam helped Yahoo satisfy a secret court order requiring it to search for messages containing a computer “signature” tied to the communications of a state-sponsored terrorist organization, several people familiar with the matter said on Wednesday.

Two government officials who spoke on the condition of anonymity said the Justice Department obtained an individualized order from a judge of the Foreign Intelligence Surveillance Court last year. Yahoo was barred from disclosing the matter.

To comply, Yahoo customized an existing scanning system for all incoming email traffic, which also looks for malware, according to one of the officials and to a third person familiar with Yahoo’s response, who also spoke on the condition of anonymity.

With some modifications, the system stored and made available to the Federal Bureau of Investigation a copy of any messages it found that contained the digital signature.

Reuters — in a story emphasizing the upcoming debate about reauthorization — says that the order was a Section 702 order.

The collection in question was specifically authorized by a warrant issued by the secret Foreign Intelligence Surveillance Court, said the two government sources, who requested anonymity to speak freely.

Yahoo’s request came under the Foreign Intelligence Surveillance Act, the sources said. The two sources said the request was issued under a provision of the law known as Section 702, which will expire on Dec. 31, 2017, unless lawmakers act to renew it.

The FISA Court warrant related specifically to Yahoo, but it is possible similar such orders have been issued to other telecom and internet companies, the sources said.

Yet it also reports that both Intelligence Committees are investigating more about this request (which tells you something about Reuters’ potential sources and how much the spooks’ overseers actually know about this).

The intelligence committees of both houses of Congress, which are given oversight of U.S. spy agencies, are now investigating the exact nature of the Yahoo order, sources said.

For what it’s worth, at least until 2012, I think NSA and FBI might have been able to request this scan under 702; there are a bunch of court decisions, including one associated with what got reported as an upstream violation in 2012, that we haven’t seen on this point though. But particularly given Reuters’ discussion of a “warrant” — which is more often used with traditional FISA — I suspect NYT is correct on this.

“Hard” and “soft,” and “upstream,” “about,” and “PRISM” are confusing the debate

The source of the confusion seems to stem from two separate sets of vocabulary that are unhelpful in understanding how FISA works.

The first set has to do with “hard” and “soft” selectors, language used in XKeyscore, which basically conducts boolean searches of buffered Internet traffic. Hard selectors are name, email, or phone identifiers associated with a specific person. Soft selectors are characteristics that can range from geographic location to specific code — so a search might ask for users of the encryption tool Mujahadeen Secrets in Syria, for example, which will return a bunch of people whose identities may not be known but whose activities warrant interest. Soft selectors can include searches on what counts as “content,” but they also search on what counts as metadata.

I think the hard/soft distinction is misleading because — as far as I know — FISA has always operated on single selectors, not boolean searches. NSA isn’t asking providers — whether they’re phone companies or Internet providers — to go find people who are in interesting places and use interesting crypto (though AT&T may be an exception to this rule). Rather, they’re asking for communications obtained by searching on specific selectors.

To be sure, for each target, there will be a range of selectors, often a huge number of them. Even for one person, as I have noted, NSA and FBI probably know of at least a hundred selectors. One Google subpoena response I examined, for examined, included 15 “hard” identifiers for just one person (and multiply that by any major Internet service a person used). For a targeted organization like “Russian GRU hackers,” the NSA will probably have still more. But — again, as far as we know — FISA providers are asked to return data based off known selectors. But as I’ll show below, they’ve been asked to return data off selectors that would count as both hard and soft under XKeyscore.

The other set of confusing vocabulary comes from public debates about FISA (including PCLOB’s report on Section 702). Some debates have made a distinction between “upstream” and “PRISM.” Upstream is when NSA gives the telecoms a selector to collect information from scans conducted at switches, but it fundamentally refers to how something is collected, not who does it (and it’s possible there are backbone providers we haven’t thought of who also participate). PRISM is when NSA/FBI give Internet providers selectors to return activity on; it’s a description of from whom the information is collected. But even there, a PRISM provider will provide far more than just the email associated with a given selector.

Sometimes “upstream” collection is referred to as “about” collection. That’s misleading. “About” collection — that is, communications that contain a selector in what counts as content areas of the communication — is a subset of upstream collection. But what is really happening is that when the telecoms sniff packets to find a given selector, they need to sniff both the header and content to get all the communications they’re after, which is what PCLOB is saying here.

With regard to the NSA’s acquisition of “about” communications, the Board concludes that the practice is largely an inevitable byproduct of the government’s efforts to comprehensively acquire communications that are sent to or from its targets. Because of the manner in which the NSA conducts upstream collection, and the limits of its current technology, the NSA cannot completely eliminate “about” communications from its collection without also eliminating a significant portion of the “to/from” communications that it seeks. The Board includes a recommendation to better assess “about” collection and a recommendation to ensure that upstream collection as a whole does not unnecessarily collect domestic communications.

One hazard of using “about” to refer to “upstream” collection is it leads people to forget that the NSA needs to use upstream collection to comprehensively collect non-PRISM Internet traffic, even when working just from “hard” selectors like email addresses. Some of this collection (as the PCLOB passage above makes clear) is just looking for any emails involving a target, not emails talking “about” that target. But at least according to PCLOB, because of the way this collection is done, even if NSA is only searching for a hard selector email, it will get “about” traffic.

As you can see, however, this language is already going to be insufficient to discuss the Yahoo request, which is effectively an “upstream” search on a PRISM providers’ content (though I’m not clear whether it happens at the packet level or not). We also don’t yet know whether the signature involved counts as content, but the filters Yahoo adapted for the process clearly scan the content.

Public discussions have hidden how 702 includes non-email selectors

But the bigger problem with this discussion is that people are confused about what FISA permits the government to search on.

One huge shortcoming of the PCLOB report — one I pointed out at the time — is that it pretended that Section 702 was not used for cybersecurity. That’s unfortunate because cybersecurity is the area where Section 702 most obviously includes non-email selectors, what would be called “soft” selectors in XKeyscore. When I first confirmed that NSA was using 702 for cybersecurity back when I briefly worked at the Intercept, it was based off the search on a cyber “signature,” not an email. The target was a (state-sanctioned) hacker, but the search was not for the hacker’s email, but for his tools.

Here’s how PCLOB briefly alluded to this activity.

Although we cannot discuss the details in an unclassified public report, the moniker “about” collection describes a number of distinct scenarios, which the government has in the past characterized as different “categories” of “about” collection. These categories are not predetermined limits that confine what the government acquires; rather, they are merely ways of describing the different forms of communications that are neither to nor from a tasked selector but nevertheless are collected because they contain the selector somewhere within them.

The Semiannual reports are one place where the government has officially admitted that it searches on more than just email addresses.

Section 702 authorizes the targeting of non-United States persons reasonably believed to be located outside the United States. This targeting is effectuated by tasking communication facilities (also referred to as “selectors”), including but not limited to telephone numbers and electronic communications accounts, to Section 702 electronic communication service providers. [my emphasis]

As I said, the Snowden documents confirm that NSA has searched on malware signatures. Given the obvious application and the non-denials I have gotten from various quarters, I would bet a great deal of money that NSA has also searched on some signature associated with AQAP’s Inspire magazine, effectively allowing it to track anyone who downloads (or decrypts) the magazine.

In a series of tweets yesterday, Snowden confirmed that the scope is even more broad.

In practical terms, this means anything you can convince FISC to stamp. At NSA, I saw live examples of the following:

The usual suspects (emails, IPs, usernames, etc), but also cryptographic hashes that identify known files (MD5/SHA1), sub-strings from base-64 encoded email attachments (derived from things like embedded corporate logos), and any uncommon artifacts arising from a target’s tooling, for example if their app transmits a UUID (like a registration code or serial).

The possibilities here are basically limitless, and we can’t infer the specific nature of the string without more info.

The point is, “upstream” collection — whether done at a telecom switch or a tech server — can (and will, so long as FISC will authorize it) search on any string that will return the communications of interest, with “communications” extending to include “cyberattacks conducted by disembodied code.”

To understand FISA collection, then, it is best to think in terms of selectors or facilities that will return a desired target. Here’s some language from an Semiannual report that explains the distinction between target and facility (and why the classified numbers in the report are undoubtedly much larger than the unclassified 92,000 “target” number we’re given to explain the scope of FISA collection).

The provided number of facilities on average subject to acquisition during the reporting period remains classified and is different from the unclassified estimated number of targets affected by Section 702 released on June 26, 2014, by ODNI in its 2013 Transparency Report: Statistical Transparency Report Regarding Use of National Security Authorities (hereafter the 2013 Transparency Report). The classified number provided in the table above estimates the number of facilities subject to Section 702 acquisition, whereas the unclassified number provided in the 2013 Transparency Report estimates the number of targets affected by Section 702 (89,138). As noted in the 2013 Transparency Report, the “number of 702 ‘targets’ reflects an estimate of the number of known users of particular facilities (sometimes referred to as selectors) subject to intelligence collection under those Certifications.” Furthermore, the classified number of facilities in the table above accounts for the number of facilities subject to Section 702 acquisition during the current six month reporting period (e.g., June 1, 2013 – November 30, 2013), whereas the 2013 Transparency Report estimates the number of targets affected by Section 702 during the calendar year 2013.

As explained above, for any given target, there may be a slew of selectors or facilities that NSA can collect on (though they probably only collect on a limited selection of all the selectors they know; they use the other selectors to make sure they can find all the online activity of someone). The government tracks this internally by counting how many average selectors or facilities are targeted in a given day. These numbers will get more interesting, by the way, once the numbers incorporate USA Freedom Act compliance, which (in my opinion) significantly serves to require providers to provide all known selectors, that is, to even further expand the universe of known selectors.

A history of the word “facility”

But to understand the background to the Yahoo thing, it is absolutely necessary to understand how the word “facility” has evolved within FISC (and we only have access to some of this). As far as we know, the meaning of the word started to change in 2004 when Coleen Kollar-Kotelly approved the installation of “Pen Registers” (really, packet sniffers) at switches to accomplish with the Internet dragnet what Stellar Wind had been doing (that is, the collection of Internet metadata in bulk), based on the logic that al Qaeda was using those facilities to communicate. Her ruling changed the definition of facility from meaning an individual user (a phone number or email address) to many users including the target. When Kollar-Kotelly first approved it, she required the government to tell her which specific switches they were going to target — that is, which switches were likely to carry traffic from target countries like Yemen and Afghanistan. But when John Bates reauthorized the Internet dragnet in 2010, he let the government decide on a rolling basis which facilities it would collect metadata from.

Thus, starting in 2004 and expanded in 2010, “facility” — the things targeted under FISA — no longer were required to tie to an individual user or even a location exclusively used by targeted users.

When Kollar-Kotelly authorized the Internet dragnet, she distinguished what she was approving, which did not require probable cause, from content surveillance, where probable cause was required. That is, she tried to imagine that the differing standards of surveillance would prevent her order from being expanded to the collection of content. But in 2007, when FISC was looking for a way to authorize Stellar Wind collection — which was the collection on accounts identified through metadata analysis — Roger Vinson, piggybacking Kollar-Kotelly’s decision on top of the Roving Wiretap provision, did just that. That’s where “upstream” content collection got approved. From this point forward, the probable cause tied to a wiretap target was freed from a known identity, and instead could be tied to probable cause that the facility itself was used by a target.

There are several steps between how we got from there to the Yahoo order that we don’t have full visibility on (which is why PCLOB should have insisted on having that discussion publicly). There’s nothing in the public record that shows John Bates knew NSA was searching on non-email or Internet messaging strings by the time he wrote his 2011 opinion deeming any collection of a communication with a given selector in it to be intentional collection. But he — or FISC institutionally — would have learned that fact within the next year, when NSA and FBI tried to obtain a cyber certificate. (That may be what the 2012 upstream violation pertained to; see this post and this post for some of what Congress may have learned in 2012.) Nor is there anything in the 2012 Congressional debate that shows Congress was told about that fact.

One thing is clear from NSA’s internal cyber certificate discussions: by 2011, NSA was already relying on this broader sense of “facility” to refer to a signature of any kind that could be associated with a targeted user.

The point, however, is that sometime in the wake of the 2011 John Bates opinion on upstream, FISC must have learned more about how NSA was really using the term. It’s not clear how much of Congress has been told.

The leap from that — scanning on telephone switches for a given target’s known “facility” — to the Yahoo scan is not that far. In his 2010 opinion reauthorizing the Internet dragnet, Bates watered down the distinction between content and metadata by stripping protection for content-as-metadata that is also used for routing purposes. There may be some legal language authorizing the progression from packets to actual emails (though there’s nothing that is unredacted in any Bates opinion that leads me to believe he fully understood the distinction). In any case, FISCR has already been blowing up the distinction between content and metadata, so it’s not clear that the Yahoo request was that far out of the norm for what FISC has approved.

Which is not to say that the Yahoo scan would withstand scrutiny in a real court unaware of the FISC precedents (including the ones we haven’t yet seen). It’s just to say we started down this path 12 years ago, and the concept of “facilities” has evolved such that a search for a non-email signature counts as acceptable to the FISC.

If a facility is not a user, then how do you determine foreignness?

[Update: I realize this discussion is, given the increasing certainty that the Yahoo scan was done under an individual FISA order, irrelevant for the Yahoo case, because FBI has been cleared to collect on signatures in the US. But the issue is still an important one when discussing “facilities” that have been divorced from a geographically located user.]

There’s one final thing we don’t have visibility on.

When Kollar-Kotelly started down this path, she focused on facilities that were foreign-facing. That is, there was a high likelihood messages transiting those switches were one-side foreign, and therefore targetable, certainly for a PRTT. But as I noted, that foreign-facing distinction got badly watered down in 2010. And Yahoo’s entire universe of emails would not be particularly foreign focused (though a lot of foreigners use Yahoo).

The question is, if NSA or FBI is targeting a facility that is not tied to a given user, but is instead tied to an organization that is located overseas, how does the government determine foreignness on a signature? NSA’s General Counsel would permit analysts to collect on but not target metadata of, say, bots in the US based on the assumption that the ultimate source of the bot was overseas. If the signature that FBI searches on derives from overseas — as in the case where Inspire magazine is produced overseas — does that by itself deem a communication involving that signature to be “located” overseas, and therefore targetable.

I suspect that may be why NYT’s sources emphasized that the target of the Yahoo search was a state-sponsored terrorist organization, rather than just a terrorist organization, because by definition that state would be overseas. But I also suspect that a lot of the recent troubles at NSA pertaining to “roving” selectors stems from the ambiguity that arises when you start targeting selectors that are not by definition geographically bounded.

The way the government targets facilities is constitutionally problematic in any case. But this question of foreignness seems to present both statutory and constitutional problems.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including Vice, Motherboard, the Nation, the Atlantic, Al Jazeera, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse in Grand Rapids, MI.