We've been discussing the fight in the Senate over the latest version of the Cybersecurity Act. One of the things we mentioned is that, at 211-pages, it's quite likely there are a ton of little "easter egg" gems in there that the public doesn't want or need, but which we'll be stuck with -- and only discover way down the road. Paul Rosenzweig, over at the Lawfare Blog, may have turned up one of them, in trying to understand Section 706(d), which reads:

(d) DELAY OF NOTIFICATION AUTHORIZED FOR LAW ENFORCEMENT, NATIONAL SECURITY, OR HOMELAND  SECURITY PURPOSES.—No civil or criminal cause of action shall lie or be maintained in any Federal or Statecourt against any entity, and any such action shall be dismissed promptly, for a failure to disclose a cybersecurity threat indicator if—

(1) the Attorney General or the Secretary determines that disclosure of a cybersecurity threat indicator would impede a civil or criminal investigation and submits a written request to delay notification for up to 30 days, except that the Attorney General or the Secretary may, by a subsequent written request, revoke such delay or extend the period of time set forth in the original request made under this paragraph if further delay is necessary;

(2) the Secretary, the Attorney General, or the Director of National Intelligence determines that disclosure of a cybersecurity threat indicator would threaten national or homeland security and submits a written request to delay notification, except that  the Secretary, the Attorney General, or the Director,may, by a subsequent written request, revoke such delay or extend the period of time set forth in the original request made under this paragraph if further delay is necessary.

What's odd about this? Well, it suggests that it says that companies might not get in legal trouble if they don't disclose info. But, as we're constantly reminded, the whole point of the info sharing from companies in this bill is that it's voluntary. So there wouldn't be any cause of action generally when they choose not to share. But, as Rosenzweig thinks through it, there is another scenario where this could come into play: if a company wanted to share info but was stopped -- perhaps because that info implicated the US government itself:

I suppose there is another possibility as well – that they might want to stop temporarily the sharing of CTI when the threat being disclosed is one that has been created by .... Well, NSA. In fact, if you believe that, then the reason the government so much wants to be at the center of CTI sharing is not just to protect the public but also to protect its own methods.

This actually makes a fair amount of sense. Remember, the only two serious cases of digital attacks that we know of -- Stuxnet and Flame -- both appear to have originated from US government officials, and both eventually got out when security firms discovered their existence, and tried to make sense of the malware. So, perhaps part of the "urgency" in trying to pass this bill is to help silence researchers who discover what other malware the US government has put out itself!

Wired has a troubling story of how the Senate Armed Services Committee is pushing a bill that would likely kill off an open source NoSQL project that came out of the NSA called Accumulo. Like many other such NoSQL efforts, the NSA basically took some Google white papers about its BigTable distributed database setup, and built its own open source version, with a few improvements... and then open sourced the whole thing and put it under the Apache Foundation. It's kind of rare to see such a secretive agency like the NSA open source anything, but it does seem like the kind of thing that ought to be encouraged.

Unfortunately, the Senate Armed Services Committee sees things very differently. As part of a 600-page bill that's being floated, it actually calls out Accumulo by name, and suggests that it violates a policy that says the government shouldn't build its own software when there are other competing commercial offerings on the market. The reasoning is basically that the government shouldn't spend resources reinventing the wheel if it can spend fewer resources using existing code. You can see the basic reasoning behind that, but applying it here makes little sense. As the article notes, here we're talking about software that's already been developed and released -- not a new effort to rebuild existing software. In fact, those who follow this stuff closely note that Accumulo did "break new ground" with some of its features when it was being built. To then kill it afterwards seems not just counterproductive, but could also create a chilling effect for government open source efforts, which seem like something we should be encouraging, not killing.

What's really odd is the close interest that the Senate seems to be paying to this. The discussion is very specific, naming Accumulo and some of the competing offerings on the market. They're specifically calling out this one product. Of course, as Julian Sanchez notes, there's a bit of irony in the fact that the very same Senate appears to have absolutely no interest in finding out how often the NSA spies on Americans... but sure is concerned about what database it uses to store all of the information it's getting.

Of course... all of this raises a separate issue in my mind: can the NSA even open source Accumulo? I though that creations of the federal government were automatically public domain, rather than under copyright. And, thus, putting it under a specific license might, in fact, present limitations that the government can't actually impose on the software.... Thus, shouldn't the software code actually be completely open as a public domain project? The government should be able set up an Apache-like setup, but one without any restrictions on the code.

The American Enterprise Institute (AEI) recently held an event about cybersecurity and cybersecurity legislation. The keynote speech was from NSA boss General Keith Alexander. He of course talked about why he supports cybersecurity legislation, such as CISPA and other proposals that will make it easier for the NSA access private content from service providers -- much of which, reports claim, they're already capturing and storing. Alexander has claimed that the NSA doesn't have "the ability" to spy on American emails and such, and reiterates that claim during the Q&A in this session, insisting that the Utah data center doesn't hold data on Americans' emails (and makes a joke about just how many emails that would be to read). That's nice for him to say, but so many people with knowledge of the situation claim the opposite.

In fact, in a story that has received almost no attention, the EFF was able to get three whistleblowers to speak out on the NSA's massive spying infrastructure:

In a motion filed today, the three former intelligence analysts confirm that the NSA has, or is in the process of obtaining, the capability to seize and store most electronic communications passing through its U.S. intercept centers, such as the "secret room" at the AT&T facility in San Francisco first disclosed by retired AT&T technician Mark Klein in early 2006.

So it's interesting to pay attention to what Alexander has to say in pushing for cybersecurity legislation. You can watch the full video below, if you'd like: Much of what he talks about online involves basic malware and hack attacks. These are definitely issues -- but are they issues that we need the military (which the NSA is a part of) to step in on? His "quote" line is that these attacks represent the "greatest transfer of wealth in history." That is a pretty broad statement, and there's almost no evidence to support it. He points to studies from Symantec and McAfee on the "costs" of dealing with security issues -- but remember, those are two of the biggest sellers of security software, and have every incentive in the world to inflate the so-called "costs." Also, seriously? The "greatest transfer of wealth in history"? Has he paid absolutely no attention to what's happened on Wall Street and the financial world over the past decade? Does anyone honestly believe that the amount of money "transferred" due to hack attacks is greater than the amount of money transferred due to dodgy financial deals and the mortgage/CDO mess? That doesn't pass the laugh test.

He does insist that worse attacks are coming, but provides no basis for that (or, again, why the NSA needs your info). In fact, according to a much more believable study, the real risks are not outside threats and hackers, but internal security screwups and disgruntled inside employees. None of that requires NSA help. At all.

But it sure makes for a convenient bogeyman to get new laws that take away privacy rights.

Alexander, recognizing the civil liberties audience he was talking to, admits that the NSA neither needs nor wants most personal info, such as emails, and repeatedly states that they need to protect civil liberties (though, in the section quoted below, you can also interpret his words to actually mean they don't care about civil liberties -- but that's almost certainly a misstatement on his part):

One of the things that we have to have then [in cybersecurity legislation], is if the critical infrastructure community is being attacked by something, we need them to tell us... at network speed. It doesn't require the government to read their mail -- or your mail -- to do that. It requires them -- the internet service provider or that company -- to tell us that that type of event is going on at this time. And it has to be at network speed if you're going to stop it.

It's like a missile, coming in to the United States.... there are two things you can do. We can take the "snail mail" approach and say "I saw a missile going overhead, looks like it's headed your way" and put a letter in the mail and say, "how'd that turn out?" Now, cyber is at the speed of light. I'm just saying that perhaps we ought to go a little faster. We probably don't want to use snail mail. Maybe we could do this in real time. And come up with a construct that you and the American people know that we're not looking at civil liberties and privacy, but we're actually trying to figure out when the nation is under attack and what we need to do about it.

Nice thing about cyber is that everything you do in cyber, you can audit. With 100% reliability. Seems to be there's a great approach there.

Now all that's interesting, because if that's true, then why is he supporting legislation that would override any privacy rules that protect such info? If he really only needs limited information sharing, then why isn't he in favor of more limited legislation that includes specific privacy protections for that kind of information? He goes back to insisting they don't care about this info later on in the talk, but never explains why he doesn't support legislation that continues to protect the privacy of such things:

The key thing in information sharing that gets, I think, misunderstood, is that when we talk about information sharing, we're not talking about taking our personal emails and giving those to the government.

So make that explicit. Rather than supporting cybersecurity legislation that wipes out all privacy protections why not highlight what kind of information sharing is blocked right now and why it's blocked? Is it because of ECPA regulations? Something else? What's the specific problem? Talking about bogeymen hackers and malicious actors makes for a good Hollywood script, but there's little evidence to support the idea that it's a real threat here -- and in response, Alexander is asking us all to basically wipe out all such privacy protections... because he insists that the NSA doesn't want that kind of info. And, oh yeah, this comes at the same time that three separate whistleblowers -- former NSA employees -- claim that the NSA is getting exactly that info already.

So, this speech is difficult to square up with that reality. If he really believes what he's saying, then why not (1) clearly identify the current regulatory hurdles to information sharing, (2) support legislation that merely amends those regulations and is limited to just those regulations and (3) support much broader privacy protections for the personal info that he insists isn't needed? It seems like a pretty straightforward question... though one I doubt we'll get an answer to. Ever. At least not before cybersecurity legislation gets passed.

We're still completely perplexed at how anyone in Congress could recognize that the NSA has refused to tell Congress how often it's violated the privacy of Americans without a warrant under the FISA Amendments Act (FAA) -- and then still vote to renew it. What kind of "oversight" is that? As Julian Sanchez recently wrote, it's no oversight at all. As he notes, the law requires the NSA to "prevent" the spying on folks when both parties in communication are in the US -- but here, the NSA is admitting that it has no mechanism to actually do that. Either (a) it's lying or (b) it's admitting that it cannot do what the law requires.

If we care about the spirit as well as the letter of that constraint being respected, it ought to be a little disturbing that the NSA has admitted it doesn’t have any systematic mechanism for identifying communications with U.S. endpoints. Similar considerations apply to the “minimization procedures” which are supposed to limit the retention and dissemination of information about U.S. persons: How meaningfully can these be applied if there’s no systematic effort to detect when a U.S. person is party to a communication?

Normally, this should be the point at which Congress steps in and says "no more" to the NSA. Instead, it shuns those who even ask the basic questions -- and as in the case of Rep. Dan Lungren, pretends that as long as no one proves to them that the NSA is abusing its power, there's simply no reason to demand evidence. That's not oversight. That's willful ignorance.

And... given that they're choosing to ignore their own oversight obligations over the NSA's spying on Americans, it should come as no surprise that the House Intelligence Committee unanimously voted to extend the FAA for five more years. Why not? It's not like Congress is actually going to make sure that the NSA is playing by the rules. The NSA apparently just needs to say that it would be too much work to do what the law requires and Congress says, "here, have a gift of five more years to spy on Americans against the specifics of the law." And, once again, as Sanchez points out, there are plenty of ways that the NSA could at least estimate how many Americans they're spying on.

But why would it do that? As Sanchez also points out, the NSA seems to redact anything even remotely embarrassing from its reports... including data on how often it failed to follow the law:

More generally, these reports contain a good deal of redacted statistical information that there is simply no plausible excuse for keeping secret. A table of “statistical data relating to compliance incidents,” for example, is included—but entirely blacked out. Are we to believe that the national security of the United States would be imperiled if the public knew the number of times the NSA had difficulty following the law? The reviewers conclude that the “number of compliance incidents remains small, particularly when compared with the total amount of activity”—but is there any legitimate reason for barring the public from knowing what counts as a “small” number, or just how massive the “total amount of activity” truly is?

How do folks in Congress who vote for this kind of thing defend such actions? They can't say that it's to protect Americans, when they refuse to even seek to get the data on whether or not Americans are being illegally spied upon.

Once again, we are left stunned by the sheer ridiculousness of Congress. In a House Judiciary Committee markup concerning the FISA Amendments Act (FAA), a proposed amendment to require the NSA to reveal how many times it had spied on Americans was voted down 20 - 11, led by chair Lamar Smith who just kept talking about how "important" it was get past the markup phase and pass the bill. Meanwhile, Rep. Dan Lungren lashed out at those who wanted the NSA to explain how often it had spied on Americans without warrants under this bill by saying (and I kid you not): "What evidence is there that it is being used to spy on Americans?"

You see, that's the problem. The NSA doesn't have to tell anyone -- and whenever officials ask, they're given ridiculous answers, like the claim that it would violate the privacy of Americans to tell Congress how many Americans' privacy the NSA violated. It's stunning that our elected officials -- many of whom don't know themselves what the NSA is doing -- seem to have no qualms passing this update to the bill without even being willing to ask a simple question: how many Americans have been spied on using this regulation?

On the Senate side, as we've noted, Senators Wyden and Udall have been indicating (within the limitations they have, due to security clearances) that the NSA is quite clearly using this law incredibly broadly -- perhaps to the level of scooping up all phone data, which goes way, way, way beyond the text of the law. If some in Congress are so sure that there's no evidence that it's being used to spy on Americans, then have the NSA answer the damn question. But, no, instead, they insist that we just have to push it through, or, as Lamar Smith says, "We have a duty to ensure the intelligence community can gather the intelligence they need to protect our country."

You know who you have an even bigger duty to? The American public. That's who you represent. Not the intelligence community. The failure of our elected officials to give even the most basic oversight to the NSA is astonishing. It's shameful. We all deserve better.

For quite some time now, we've been reporting on Senators Wyden and Udall's repeated attempts to get the government to explain how many American citizens the NSA spied on under the FISA Amendments Act (which is supposed to be used to spy on foreigners, but appears to have been used much more broadly). It's quite clear that Wyden and Udall, in their roles on the Senate Intelligence Committee, believe there is some information that the public needs to know about, but which is not public. So they keep asking the same basic question over and over again. As we noted last week, since most of the rest of Congress does not have this information, and yet is expected to vote on the renewal of the FISA Amendments Act, something is seriously wrong.

What's never made sense is why the feds simply refuse to admit how many Americans they've spied on under the law. In the past, the Director of National Intelligence has basically told Wyden and Udall that he wouldn't answer because he didn't want to. But the latest answer really takes the insanity to stunning new levels. As initially revealed at Wired, the NSA has refused to answer claiming that, not only would it be too much work to figure it out, but that figuring it out would violate the privacy of Americans.

Yes, I'm going to repeat that, because it's insane. The NSA claims that figuring out how many Americans it spied on would violate their privacy. Here's the specific language from the letter:

The NSA IG provided a classified response on 6 June 2012. I defer to his conclusion that obtaining such an estimate was beyond the capacity of his office and dedicating sufficient additional resources would likely impede the NSA's mission. He further stated that his office and NSA leadership agreed that an IG review of the sort suggested would itself violate the privacy of U.S. persons..

At this point, you have to just wonder if the NSA is flat out mocking Wyden and Udall and basically taunting them to make it clear that the NSA doesn't believe anyone has oversight powers concerning the agency. And, of course, there is the other explanation: that the NSA has spied on more or less everyone who owns a mobile phone (which has been suggested by some reports).

Either way, it certainly sounds like the NSA really doesn't care what the law actually says, so long as it gets to keep spying on people.

Early last week, we wrote about the oddity of how the White House didn't seem to much mind "leaks" that made the President look good in terms of being "tough" on our enemies, such as in the NY Times story confirming that the US was behind the Stuxnet malware, and that the President himself was very familiar with the program. This came at the same time as the White House continuing to vindictively prosecute people responsible for even very minor leaks, such as the Thomas Drake affair, in which some whistleblowing about out-of-control spending at the NSA tuned into a malicious prosecution.

Soon after that story came out, the issue of "good leaks" and "bad leaks" became a huge political football, as it gave the President's opponents an angle to attack him for leaking classified info. The President himself had to shoot back and insist that there were no such leaks happening from the White House -- which is clearly not true. Some of the information could have only come from administration officials.

And, of course, it wasn't just limited to Stuxnet, but other "leaks" of classified info, such as stories around the unmanned drone strike program, which lots of people have reported on, but which is still "classified." Of course, we've now seen grandstanding on both sides of the aisle decrying these leaks -- but not the actions that were exposed by them!

Instead, they all seem to be upset about the leaks themselves, rather than the fact that these questionable activities were secret in the first place. As John Cook recently wrote, these kinds of "leaks" are important because they let us know what our government is doing in our name. That's why these aren't leaks, so much as whistleblowing. And that's an important distinction. That's doubly true as we see to what ridiculous lengths the very same administration goes to in order to attack anyone who reveals information that makes it look bad.

One person's leak is another person's whistleblowing. To treat them all as "leaks" that must be punished (often severely) creates a significant chilling effect on reporting on key issues -- and (worse) gives the government a bubble in which it gets to abuse its power. Rather than condemning all these "leaks," we should be trying to (a) celebrate those who blew the whistle and (b) understand the details behind why such things were secret in the first place.

Remember the NDAA? Yeah, for a variety of reasons that bill got a lot of attention last year -- mostly focused on the question of detainment of terrorists. But there are some other nuggets in the bill, including one tidbit about "military activities in cyberspace." The existing version of the NDAA does grant the Defense Department the ability to conduct such military activities, but only "upon direction by the President" and if the purpose is to "defend our Nation, Allies and interests," subject to existing laws.

Here's the existing text:

SEC. 954. MILITARY ACTIVITIES IN CYBERSPACE.

Congress affirms that the Department of Defense has the capability, and upon direction by the President may conduct offensive operations in cyberspace to defend our Nation, Allies and interests, subject to—

(1) the policy principles and legal regimes that the Department follows for kinetic capabilities, including the law of armed conflict; and

(2) the War Powers Resolution (50 U.S.C. 1541 et seq.).

However, the House Armed Services Committee is getting ready to do a markup on the NDAA that includes a change to that section (section 954), which expands the powers of the Defense Department, and basically gives it broad powers to conduct any military actions online -- with it specifically calling out clandestine operations online. Here's the text they want to substitute:

SEC. 954. MILITARY ACTIVITIES IN CYBERSPACE.

‘‘(a) AFFIRMATION.—Congress affirms that the Secretary of Defense is authorized to conduct military activities in cyberspace.

‘‘(b) AUTHORITY DESCRIBED.—The authority referred to in subsection (a) includes the authority to carry out a clandestine operation in cyberspace—

‘‘(1) in support of a military operation pursuant to the Authorization for Use of Military Force (50 U.S.C. 1541 note; Public Law 107-40) against a target located outside of the United States; or

‘‘(2) to defend against a cyber attack against an asset of the Department of Defense.

‘‘(c) RULE OF CONSTRUCTION.—Nothing in this section shall be construed to limit the authority of the Secretary of Defense to conduct military activities in cyberspace.’"

Note a bunch of slightly sneaky things going on here. First, it gives blanket powers to the DoD, rather than saying it can only take actions on the President's direction. While we may not have much faith that the President wouldn't let the DoD do such things, giving such blanket approval upfront, rather than requiring specific direction is a pretty big change.

Second, and perhaps more important, the new language specifically grants the DOD (and the NSA, which is a part of DOD) the power to conduct "clandestine operations." This is (on purpose) left basically undefined. Combine this with the fact that the "Authorization of Use of Military Force" is so broadly defined in the current government, this then grants the DOD/NSA extremely broad powers to conduct "clandestine" operations with little oversight. Related to this is that it removes the restriction that the DOD must take actions that are "subject to the policy principles and legal regimes that the Department follows for kinetic capabilities, including the law of armed conflicts." Instead it lets them use such powers, without these restrictions, against anyone declared an enemy under the AUMF (lots and lots of people) or in any effort to stop a cyberattack against the DOD -- which again you can bet would be defined broadly. This is a pretty big expansion of online "war" powers for the Defense Department, with what appears to be less oversight. And all done while people are looking the other way...

Update: The White House has now officially threatened to veto CISPA.

In Congress, this week is CISPA week. With the bill going up for debate tomorrow, and the final vote scheduled for Friday, it's clear that the voice of the internet community has had an impact. The reps have been proposing their final amendments, and all are clear attempts to address some of the biggest criticisms from civil liberties groups and the public. CISPA has strong bi-partisan support and a very good chance of passing—and unfortunately, it's still a highly problematic bill. But, while the proposed amendments cannot perfect it, some of them could certainly reduce its potential for abuse in significant ways. If you're looking for a practical way to fight back against the serious privacy violation that CISPA represents in these final days before its potential passage, encouraging your representative to support these amendments is a good place to start.

There are two in particular that, though simple, would make drastic improvements on CISPA by refocusing it on network security and minimizing the chance of shared data being used to go after individuals. An amendment from Rep. Barton (pdf and embedded below) would insert the sensible requirement that shared data will only include personal information (further defined to include the content of any communications and even IP addresses) if it is necessary to combat a specific cyber attack. Another, even better amendment from Rep. Akin (pdf and embedded below) goes a step further and would bring CISPA back in line with the fourth amendment by barring the sharing of any personally identifiable information without a warrant. Of course, it's annoying that such an amendment is necessary—but the whole point of CISPA is to route around well-established requirements like going to a judge before violating someone's privacy. Though the bill still creates all sorts of potential privacy problems, the Akin amendment fixes a big one.

Rep. Thompson has also proposed an amendment (embedded below) that is supposed to address privacy concerns, and TPM reports that it is being backed by Ron Paul, who got attention earlier this week with a strong condemnation of CISPA. However, the Thompson amendment seems to lack teeth: it has a lot of talk about "minimizing" the impact on privacy and making "reasonable efforts" to remove personal information, and graciously offers to consult with "civil liberties stakeholders" (wouldn't that be everybody?), but it sets down no firm requirements or limitations. Despite being a fraction of the length, both the Akin and Barton amendments would do far more to fix CISPA, because they clearly prohibit certain activities.

Thompson's other proposed amendment (embedded below), however, is very good: it would limit the government recipients of the data from the overly broad "Federal Government" in the current bill to just Homeland Security and other civilian agencies. This addresses the significant fear that the NSA could use CISPA to expand their already-aggressive data collection programs. While civilian agencies and the DHS especially are hardly perfect, this would still be a lot better than handing data collected under CISPA over to the intelligence community.

There are other amendments on the table too, but these are some of the ones that get directly to the core privacy issues that make CISPA so dangerous. The CDT has a post taking a look at others. Ultimately the best solution would be to toss the bill out and start again, drafting sensible cybersecurity legislation that is evidence-based (starting with an evaluation of whether or not its even needed), and since Friday's vote is still not guaranteed there's no reason to stop speaking out against CISPA as a whole. But it's also a good idea to ensure that the bill is as good as it can possibly be when it goes up for vote, by pressuring Congress to adopt these critical amendments.

Earlier this week, we wrote about an excellent and detailed article in Wired about the efforts by the NSA to collect and store pretty much all communications data they could get their hands on -- whether originating in the US or not (despite clear rules that the NSA is only supposed to deal with foreign threats and communications). Some of that report merely confirmed earlier stories and news reports about programs like the warrantless wiretapping program the NSA runs, as well as deals with major telcos to allow NSA equipment directly on the network at key points to collect data. But parts of it broke some new news about the extent and depth of the NSA's data collection program, as well as its efforts to break the encryption that protects certain communications. As we noted, it was all pretty terrifying.

The article appears to have caught the attention of Congress as well, with Rep. Hank Johnson directly asking NSA boss General Keith Alexander (who you may remember from his FUD warnings about Anonymous taking down power grids) about whether or not various points made in the article are true, and Alexander denies them all, insisting that the NSA has neither the technical nor the legal capabilities to capture and sift through communications from Americans. He clearly states that "the NSA does not have the ability to do that in the United States," which is almost certainly untrue. He repeatedly states that for content in the US, the NSA would need to get a warrant to get this information. To be fair, he may be responding very carefully to Johnson's question, which is directed at the contents of emails or phone conversations -- which does require a warrant. Many of the bigger questions are less about the direct content of the communications but the metadata around those communications. Though, there are some questions about access to the actual content as well, especially when it comes to email. Alexander also insists that the NSA defers to the FBI on matters involving people in the US, even though many, many reports have suggested this is not actually true.

Johnson does press Alexander a bit on the question of whether it's the legal or technical parts that are holding the NSA back, and Alexander repeats that they simply don't have the technical capabilities:

"We don’t have the technical insights in the United States. In other words, you have to have something to intercept, or some way of doing that either by going to a service provider with a warrant or you have to be collecting in that area. We’re not authorized to do that, nor do we have the equipment in the United States to collect that kind of information."

There is a slight pause between "technical" and "insights" in the way he says it, as if he's searching for the proper word before choosing insights, but he later clearly says they don't have the equipment to do so -- which seems to contradict a ton of reports out there from pretty credible sources within the NSA.

As Ryan Singel writes at Wired:

It’s hard to tell here whether Alexander is parsing the questions closely, misspeaking or telling the truth. The heads of the intelligence service have a long tradition of misspeaking or telling untruths that advance their agenda. President George Bush himself on the re-election campaign trail said that no American had been wiretapped without a warrant, which was plainly false, according to numerous news stories and the government’s own admissions of the program.

In the aftermath of those half-truths, the Congress passed, and Bush signed into law, the FISA Amendments Act, which re-wrote the nation’s surveillance laws to give the NSA a much freer hand to wiretap American infrastructure wholesale.

I know that the assumption many will make is that he's flat out lying, and that wouldn't surprise me, but I do wonder if he's trying to pick his words carefully to get around lying—or if he knows he's so protected that he can just say whatever he wants without much fear of ever being called on it.