As we just recently covered, the FBI's enthusiasm for starting investigations far outweighs its interest in ensuring they are justifiable. An email containing a threat to hack a site, forwarded to the agency by the site's owner, was misinterpreted by an FBI agent as a threat against the agency, kicking off (at least) six years of monitoring. Even as evidence failed to pile up, the investigation continued unabated, ultimately costing the site owners a chunk of income as donors scattered when news of the investigation became public.
We authorized the FBI to look at one threatening email we received, and only that email, so that the FBI could identify the stalker. However, the FBI ignored our request and violated our trust by unlawfully searching our private emails and turning us into the targets of an intrusive investigation without any just cause—all the while without informing us that they had identified the email stalker as Paula Broadwell, who was having an affair with Mr. Petraeus.
It looks as if the FBI is way too willing to extend itself permissions that haven't been specifically granted. Maybe the investigating agents felt Kelley meant to give the agency carte blanche access to her and her husband's email accounts, but was unable to articulate her desire to have her privacy violated thanks to the stress she was under. Or something.
All of this and yet the FBI didn't feel compelled to apprise Kelley of the outcome of its intrusive investigation. (In the end, charges were dropped.) Rather, it opted to leak her information to the press and misconstrue the contents of certain emails it had obtained without permission, leaving her and her husband to deal with the resulting fallout (rumors of an affair, media campouts in Kelley's yard).
The resulting investigation by the military cleared her (and the general she was linked to by the FBI's perusal of her emails) of any impropriety but the damage was already done. The agency's decision to exceed its authorization has managed to turn another person into an advocate against its excesses.
It appears from the NSA's leaks that the government may be trying to collect everything about everyone and everywhere—including America's closest friends and allies—with or without the knowledge of the White House. Unaccountable individuals given free rein to invade people's privacy—and a government that maintains the tools that permit them to do so—are a prescription for a privacy disaster.
With all the current economic, political, social and diplomatic issues facing the country, it is understandable that many Americans seem relatively unconcerned about intrusions on individual privacy. They shouldn't be. The unauthorized search of my family's emails was triggered when we appealed to law enforcement for protection. But who knows what else might set off governmental invasion of privacy—politics or some other improper motivation might suffice. If this could happen to us, it could happen to you.
Not only does this sort of behavior chill speech and make a mockery of the Fourth Amendment, it also makes the country -- and its citizens -- less safe. If people have to think twice before asking law enforcement or investigative agencies to look into possible criminal activity out of fear of having their own personal information sifted through or subjected to months of intrusive surveillance, they may opt to ignore the problem or take matters into their own hands. Either outcome is undesirable.
The NSA has made many placating statements about how it's limited by its authorizations, rather than its capabilities. These have never been particularly reassuring, and are even less so now, as its investigative counterpart appears more than willing to twist requests for help into invitations to snoop.
The FBI monitored a prominent anti-war website for years, in part because agents mistakenly believed it had threatened to hack the bureau’s own site.
Internal documents show that the FBI’s monitoring of antiwar.com, a news and commentary website critical of US foreign policy, was sparked in significant measure by a judgment that it had threatened to “hack the FBI website” and involved a formal assessment of the “threat” the site posed to US national security.
But antiwar.com never threatened to hack the FBI website. Heavily redacted FBI documents, obtained through the Freedom of Information Act and shared with the Guardian, show that Eric Garris, the site’s managing editor, passed along to the bureau a threat he received against his own website.
These documents are part of antiwar.com's ongoing lawsuit against the FBI (brought with the assistance of the ACLU). What's been released so far is heavily redacted and severely limited. The FBI's FOIA reply letter indicates it has only released 47 out of 170 "reviewed" pages. More details of this incursion on antiwar.com owners' First Amendment rights are sure to surface if the lawsuit is successful.
The mistake, which ran uncorrected for more than a half-decade, was prompted by an agent's mischaracterization of the threatening email Eric Garris received and forwarded to the agency in 2001 (see last page of PDF), the day after the 9/11 attacks. The message here was directed at antiwar.com, and Garris probably figured he was doing the right thing in alerting the FBI to such a threat against his site -- having no idea that the FBI would misread the forwarded email to be a threat by Garris against the FBI.
“YOUR SITE IS GOING DOWN.”
“Be warned assholes, ill be posting your site address to all the hack boards tonight, telling them about the little article at the moscowtimes and all. YOUR SITE IS HISTORY”
Why this agent took it upon himself to investigate the messenger is unclear, but this mistake is cited years down the road as justification for the ongoing investigation. Certainly the date had something to do with it (even if this mistaken determination wasn't made until January of 2002). Every security and law enforcement agency was experiencing very heightened "awareness," for lack of a better word. But as the years wore on, no one seemed willing to shut the investigation down, despite having time for cooler heads to prevail and failing to turn up evidence suggesting the two site owners were a threat to national security.
Even more incredibly, the investigation wasn't limited to those affected by the mischaracterization by the FBI's San Francisco office. For whatever reason, the New Jersey branch independently opened its own investigation -- one of the FBI's infamous "threat assessments," an investigative "out" that allows the agency to monitor pretty much anyone for any period of time without having to justify its actions with little things like reasonable suspicion.
The agency continued this monitoring through 2008 (at least), despite the fact an analyst noted in 2004 that the investigation was highly questionable in terms of being constitutionally sound as well as noting the so-called evidence compiled to date was pretty much worthless.
ANALYST COMMENTS: The rights of individuals to post information and to express personal views on the Internet should be honored and protected; however, some material that is circulated on the Internet can compromise current active FBI investigations. The discovery of two detailed Excel spreadsheets posted on www.antiwar.com may not be significant by itself since distribution of the information on such lists are wide spread.
Many agencies outside of law enforcement have been utilizing this information to screen their employees. Still, it is unclear whether www.antiwar.com may only be posting research material compiled from multiple sources or if there is material posted that is singular in nature and not suitable for public release…
But this clear thinking is immediately undercut by the analyst's further comments, which question the financial ties of the website and refer to the San Francisco office's mischaracterization of Garris' forwarded email as a relevant "fact."
There are several unanswered questions regarding www.antiwar.com. It describes itself as a non-profit group that survives on generous contributions from its readers. Who are these contributors and what are the funds utilized for? Due to the lack of background information available on Justin Raimondo, it is possible that this name is only a pseudonym used on www.antiwar.com. If this is so, then what is his true name? Two facts have been established by this assessment. Many individuals worldwide do view this website including individuals who are currently under investigation and Eric Garris has shown intent to disrupt FBI operations by hacking the FBI website.
First off, it's disconcerting to know that the FBI judges websites by their visitors. You may be a law-abiding citizen but if your site is visited by "persons of interest," there's a very good chance the FBI will be digging into your personal information as well. The documents detail that the seized hard drive of a suspect revealed that he had visited "many websites" over an 11-month period, with antiwar.com being one of them. If this is a justification for monitoring, then everything from Google's search page to those terrible cable company splash pages that get set as default home pages by installers could be considered worthy of further monitoring.
Second, the repetition of the mistaken conclusion is troublesome, especially as it asserts that hacking the FBI's public-facing site (i.e., tearing down its poster) will somehow disrupt "FBI operations." While it may disrupt those who maintain the public site, it should have little effect on FBI operations. This shows the irrational fear of anything hacker-related has been deeply ingrained in government agencies for years. (Worse, it shows it hasn't improved.)
By 2005, both field offices determined the justification for ongoing monitoring of antiwar.com to be "meager" and "insufficient," yet the investigations continued through 2008, at minimum. The end date (if there is one) remains a mystery as there is nothing in the released documents suggesting an official termination of the investigations.
And here's where we come to another harmful outcome of government surveillance. In 2011, the site owners discovered they were being (or had been) investigated by the FBI. Thanks to this becoming public knowledge, the site's owners have seen a severe dropoff in income.
Garris said that since antiwar.com learned of the FBI surveillance in 2011, donations dried up by 20% in the following year.
“We’ve actually talked to three large contributors shortly after that who told us that they’d not feel comfortable giving us money anymore because they were afraid of the repercussions, and I don’t know how many other donors have been put off in that way,” Garris said.
An FBI agent's mistake is all it takes to open up your personal and financial data to curious federal agents. It's also all it takes to make it significantly harder to exercise your First Amendment rights. Adding a financial burden to the heightened possibility that your efforts (and unrelated activities) are being monitored is more than sufficiently chilling for most people. Hopefully, the site owners' lawsuit will hold someone accountable for a First Amendment-violating "mistake" that continued for more than 6 years, despite failing to uncover anything that justified continued surveillance.
Over the last few years, the NYPD's intrusive surveillance of the city's Muslim population has raised many concerns about civil liberty violations while simultaneously failing to turn up much in the way of terrorist plots.
Dear Acting Assistant Attorney General Samuels and Section Chief Smith:
The undersigned civil rights, faith, community, and advocacy groups request that the Civil Rights Division of the Department of Justice commence a prompt investigation under 42 U.S.C. § 14141 into the New York City Police Department’s (“NYPD”) discriminatory surveillance of American Muslim communities.
As shown by the NYPD’s own documents, for over a decade, the Department has engaged in unlawful religious profiling and suspicionless surveillance of Muslims in New York City (and beyond). This surveillance is based on the false and unconstitutional premise, reflected in the NYPD’s published “radicalization” theory, that Muslim religious belief, practices, and community engagement are grounds for law enforcement scrutiny. That is a premise rooted in ignorance and bias: it is wrong and unfairly stigmatizes Muslims, who are a law-abiding, diverse, and integral part of our nation and New York City. Unsurprisingly, the NYPD’s surveillance program has had far-reaching, deeply negative effects on Muslims’ constitutional rights by chilling speech and religious practice and harming religious goals and missions. It has frayed the social fabric of Muslim communities by breeding anxiety, distrust, and fear. The NYPD’s biased policing practices hurt not only Muslims, but all communities who rightfully expect that law enforcement will serve and protect America’s diverse population equally, without discrimination.
Under the Violent Crime Control and Law Enforcement Act of 1994 § 210401, the United States Attorney General is authorized to conduct investigations concerning “a pattern or practice of conduct by law enforcement officers . . . that deprives persons of rights, privileges, or immunities secured or protected by the Constitution or laws of the United States.” 42 U.S.C. § 14141(a)...
As we've seen previously, the NYPD has placed blanket surveillance on entire mosques, justifying it with guidelines weakened by a former CIA officer who exploited post-9/11 paranoia to broadly expand the department's surveillance powers and eliminate built-in protection of civil liberties. This surveillance continues to this day despite an NYPD official admitting these programs have yet to generate a single useful lead or investigation.
The ACLU has drawn support across a variety of religious groups, many of which recognize that while the NYPD may be focused on Muslims now, any other religious (or political, activist, etc.) group could be subject to the same intrusive surveillance if a future attack brings with it guilt by association.
If the DOJ follows through, this will be the second time in recent months that it has weighed in on the NYPD's questionable tactics. Back in June, Attorney General Eric Holder filed a brief recommending that if Judge Scheindlin found the department's stop-and-frisk program to be unconstitutional, independent oversight should be appointed to keep the department in line. Scheindlin did find elements of the program unconstitutional and one of the remedies was, indeed, independent oversight.
As was pointed out then, the DOJ's reputation may be terrible, but one of the few areas in which it has been "aggressive and commendable" is its handling of civil rights violations by police departments. Hopefully, this will result in more of the same.
from the mind-on-his-money-and-his-money-on-his-mind dept
The currently ongoing International Association of Chiefs of Police conference has, so far, seen law enforcement officials exhibit a newfound wariness of rolling out invasive surveillance technology in the wake of the NSA leaks. This sort of caution and concern has sadly been missing up until now. The generally accepted practice has been to roll out surveillance programs quickly, with little in the way of oversight or privacy protections, and deal with the fallout later.
As I expressed in the previous post, I was concerned about whether this would change following appearances by James Comey, the new director of the FBI, and Attorney General Eric Holder, neither of whom has a history of prioritizing Americans' civil liberties.
At a time when FBI agents play a larger role than ever fighting violent crime and terrorism, they are facing potentially devastating cuts because of congressional budget slashing.
“I’m required to cut 3,500 positions, to cut my operations to the bone, to do things like ration gas money and to stare at the prospect of sending my folks home for an extended period,” FBI Director James Comey said.
The FBI during Mueller's final year made its budget by "looking through the couch cushions," Comey said. With a new government fiscal year set to begin October 1 and Congress not close to passing a budget, "the couch has been turned upside-down," he said...
Comey said he was considering a furlough of 10 days or more for each of the FBI's 36,000 employees. New agent classes at a bureau compound in Quantico, Virginia, stopped within the past few months, he said.
"I'm happy to have a discussion with anyone who thinks I have too many people or too many resources," Comey said.
Great! Let's have that discussion.
The FBI, unlike many, many other government agencies (including the DOJ, which oversees it), has had very few budget fiascoes. But this lack of headline-grabbing waste scandals does not mean the FBI is necessarily running a tight ship. Comey claims a projected cut of $800 million (from a budget of $8.1 billion) will result in the slashing of 3,600 jobs. Before he gets to the point of handing out pink slips, he may want to take a look at some areas where money's being wasted.
The DOJ has plenty of questionable expenditures, including the overuse of private jets and a love for expensive conferences, both of which resulted in $61 million of arguably wasted funds. As the FBI is a department of the DOJ, it would probably benefit from some belt-tightening further up the ladder.
The FBI, like millions of people around the world, is easily flattered. For no apparent reason other than the possibility of rubbing elbows with stars, the FBI funds a "Hollywood division" that provides consultation and free use of FBI facilities to TV and movie producers. This $1.5 million expenditure isn't much more than a couple of atoms of the drop in the bucket, considering the agency's $8 billion budget, but it seems to be set up in the most ingratiatingly backwards way. Shouldn't studios be paying the FBI for its expertise and facilities, rather than allowing taxpayers to pick up the tab? Just something to consider, Comey.
After Comey's first statements on the agency's budget woes, the ACLU made some suggestions of its own. Why not eliminate some programs that rank high on the busywork scale but low on actual results? Bonus: fewer civil liberties violations and their attendant lawsuits. In addition to the questionable profiling performed under its "Domain Management" programs, there's plenty of waste to be found in other intelligence gathering/investigative programs.
Modifications to guidelines governing the FBI's domestic operations in 2008 gave it the leeway to perform "assessments," i.e. intrusive investigations targeted at persons without any suspicion of illegal activity or threats to national security.
In the two years from March of 2009 to March 2011, the FBI opened more than 82,000 of these assessments of people and groups without a factual basis to suspect wrongdoing. Only 3,315 of these assessments found information sufficient to justify further investigation.
Not only was the hit rate insignificant (and hardly enough to justify the opening of 82,000 assessments), but the FBI is still holding onto the data collected on the 78,000 targets it was unable to find any reason to continue investigating.
The ACLU of Northern California recently obtained hundreds of SARs from California, including many that were entered into eGuardian, which clearly show people are targeted based on racial and religious characteristics and First Amendment-protected activity like photography. The Government Accountability Office criticized the federal government's SAR programs for failing to establish metrics to determine whether they actually improve security. Any program that violates rights and doesn't improve security should be closed immediately.
On top of that, there are the Fusion Centers the FBI works with. Although these are technically a DHS line item, any money being spent collaborating with (or withholding information from[?]) entities a Congressional investigation called "wasteful," "useless" and "possibly fraudulent" is money better spent elsewhere.
So, there are some more areas where money could be saved, or at the very least, diverted to investigative activities with better success rates (and, of course, fewer instances of civil liberties violations).
But even without cutting back a single program, there's something to be said for cutting staff. While unpleasant for those on the receiving end of pink slips, the fact is that the FBI's budget has more than doubled since 2001 ($3.2 billion to $8.1 billion). It has also added nearly 7,000 positions over that same period. The FBI goes on at length about its counterterrorism work but there's little hard evidence to support the theory that the terrorist threat has expanded at the same rate as its budget. But this discrepancy between budget and staff indicates the issue isn't too many employees.
When Comey talks about cutting staff, he's not looking at the real problem. An agency that's ballooned to twice its size budget-wise in 12 years without coming anywhere close to doubling its staff is likely sitting on a ton of redundant systems and inefficient processes. If the agency was truly stretched, it would be adding more agents rather than more initiatives and sketchy surveillance programs.
Let's not forget that the agency has twice blown a significant amount of money on updating its computer system. It gave $600 million to SAIC (the contractors behind Oakland's new Orwellian surveillance system), which managed to cobble together a spectacular failure over a five-year period, one so terrible it was scrapped immediately. The job was handed off to a new contractor and given a $400 million budget and a four-year window back in 2006. That system finally went fully live in August of 2012.
This is the FBI director's response to a 10% budget cut. He makes it sound as though the agency will fade quietly out of existence unless given more money than it was given the year before, and he obviously expects this to continue in perpetuity. If he believes an $800 million haircut (relatively speaking) will make the agency resort to "looking through the couch cushions" in order to fund its work, then it's hardly a surprise it's asking for $270,000 to fulfill an FOIA request. Hard times mean looking for new revenue streams.
from the this-is-what-happens-when-you-go-through-official-channels dept
Two consecutive administrations have treated whistleblowers badly, with Obama's administration actually managing to out-evil the Bush administration in terms of persecuting and prosecuting those who have exposed governmental wrongdoing. A recently filed lawsuit covered by Courthouse News Service details the allegations brought by another whistleblower, an unnamed John Doe, who suffered retaliatory action at the hands of the DOJ from 2003-2008.
A former federal prosecutor sued the Justice Department, claiming he provided it with evidence that 9/11 hijacker Mohamed Atta was raising money for terrorism in the United States before 2000, but was fired for not signing off on an illegal search and seizure related to the case.
John Doe sued the Justice Department, Attorney General Eric Holder and the U.S. Merit Systems Protection Board in Federal Court, claiming the Department fired him for blowing the whistle on federal misconduct.
He also claims that the Justice Department smeared him Soviet style, claiming his substantive disagreements with his bosses stemmed from mental problems.
According to the filing, Doe's trouble began in 2003 when he refused to authorize an illegal search and seizure. The law enforcement agent looking for approval then decided to go over Doe's head and get it approved by his superiors, one of whom was the US Attorney General. Doe disclosed this proposed search and seizure via a memo, which prevented the search from taking place and got him booted from the case.
At this point, the US Attorney's office decided Doe must be crazy.
"In the summer of 2003, the USAO [U.S. Attorney's Office] suggested that John Doe's conflicts with their leadership must be the product of a psychological condition. John Doe met with a psychologist identified by the USAO, who found no need for any treatment or assessment, viewing the matter as a leadership problem."
The psychologist found no existing problems but the retaliation didn't cease. The US Attorney's office continued to punish him for his "conduct" during his "emotional state." Doe did spend some time away from work as a result of work-related stress and anxiety, but soon after returned and continued this whistleblowing.
"John Doe made additional disclosures regarding his supervisors' misconduct from 2005 through 2008 which are protected under the Whistleblower Protection Act. These additional protected disclosures included reports of misconduct by his superiors in disciplinary proceedings, in political hirings, and in mishandling of a terrorist investigation."
Things got worse both for the prosecutor and the agency in 2008, when everything came full circle.
Though he says he was given special work accommodations to cope with stress and anxiety, it all ended in 2008 when the Justice Department came under fire from allegations that it covered up misconduct, including allegations of perjury, paying informants to set up innocent people, beating suspects and tampering with recordings. The allegations were specifically made against the agent whom Doe says asked him to authorize the illegal search and seizure in 2003.
So, even though Doe was continuing to provide valuable assistance working on terrorist-related cases (most notably, a money exchange case that involved Mohamed Atta and provided proof of a funding network that existed prior to 9/11) and had attempted to out an agent who would cause the DOJ considerable embarrassment years later, his supervisors were more concerned with his previous refusal to assist in 2003's illegal search. They ordered him to withdraw his memo stating the claim that the money exchange case was tied to the 9/11 attacks and accused him of going outside the chain of command. Soon after that, he was demoted and fired. The US Merit Systems Protection Board denied his appeal and released his private medical records to others in the DOJ.
"These actions were a concerted effort by the USAO through certain of its employees to intimidate and coerce John Doe and to humiliate and embarrass him in the eyes of the public in an effort to destroy his credibility as a witness in the new trial motions. These actions were also in retaliation for numerous instances of whistle blowing by John Doe," the complaint states.
If the allegations are true, it's another example of the government saying one thing and doing another. The government claims whistleblowers are integral to the system and even sets up minimal protections for those exposing wrongdoing. But it's only interested in hearing about certain kinds of wrongdoing. If you've come across some small examples of budget carelessness or fraud, the government is all ears. But if it's anything related to the War on Terror, especially anything concerning the many arms of the DOJ, the government not only doesn't want to hear it, but wants to make sure those who do speak up are expelled from the system and blacklisted.
from the no-expectation-of-privacy-and-no-right-to-sue dept
Privacy activists EPIC have taken a novel approach to challenging the bulk records collections. Rather than work its way up through the circuit courts, it has appealed to the Supreme Court directly, asking it to find that the NSA has exceeded its authority by collecting data on American citizens.
Arguing that no lower court would have the authority to rule upon the legality of that FISC order, EPIC took its plea directly to the Supreme Court. Its filing in July asked the Court to rule that the FIS Court has wrongly claimed authority for its global data-gathering under a 2001 federal law. That law gave the FIS tribunal the power to issue electronic surveillance orders to produce "tangible things" during an investigation of potential threats to national security.
EPIC asked the Supreme Court either to vacate the FIS Court order to Verizon or to bar its further enforcement, contending that the compelled "production of millions of domestic telephone records . . . cannot plausibly be relevant to an authorized investigation" of potential terrorist activities.
The government has filed a brief arguing that EPIC's complaint should be routed through lower courts first. The government's rebuttal leans heavily on procedural arguments, first pointing out that only the federal government itself or the entity receiving the FISC orders can challenge these orders. In addition, the government points out that the law creating the FISA Court does not provide protection to third parties like EPIC.
It also argues (as it has successfully in the past) that EPIC can't prove it has suffered harm from the collection of its phone data.
Further, the government contended, EPIC has not offered proof that it could satisfy the requirements of the Constitution's Article III as a party with a specific claim to an injury as a result of government action.
Notably, the government isn't arguing that EPIC can't prove its metadata was obtained. Snowden's first leak eliminated that issue. Instead, it's arguing that no citizen or entity other than the entity the records were obtained from has standing to sue or otherwise challenge FISA court orders.
But the government has gone even further, playing both sides of the issue in order to both continue to acquire the bulk records and prevent anyone from challenging the collection. The government wants to enjoy all of the benefits of the bulk collection without suffering from any of the drawbacks. So far, this has paid off. Its arguments are inconsistent (to put it mildly), and a recent court case involving a convicted terrorist may test the limits of its arguments.
The government's response (PDF), filed on September 30th, is a heavily redacted opposition arguing that when law enforcement can monitor one person's information without a warrant, it can monitor everyone's information, "regardless of the collection's expanse." Notably, the government is also arguing that no one other than the company that provided the information—including the defendant in this case—has the right to challenge this disclosure in court.
The court (well, the FISA court) has agreed with this as well, at least part of it. It has stated that rights do not suddenly appear because a collection that is deemed legal for one person (like phone metadata) is used to collect data on several people.
The government's opposition to a new trial relies heavily on a recently declassified opinion from the Foreign Intelligence Surveillance Court, which concluded that "where one individual does not have a Fourth Amendment interest, grouping together a large number of similarly situated individuals cannot result in a Fourth Amendment interest springing into existence ex nihilo."
But that same argument should work against the government's claim that no single person or entity (other than the company handing over the data) has standing, especially in this case. Just as certainly as rights do not "spring into existence," standing doesn't suddenly disappear because the collection is untargeted. If the government can use the argument that a collection of millions of records is no more illegal than the collection of a single person's records, then it would seem reasonable that every person who "provides" these collectible records to third parties would have standing to challenge these disclosures.
What the government is doing in Moalin's case is highly hypocritical.
The government has always argued that there's no reasonable expectation to privacy in information handed to a third party like your phone or Internet provider, commonly referred to as the "third-party doctrine." But [EFF staff attorney Hanni] Fakhoury says that in this case, the government is taking an even more aggressive stance. In essence, its argument is that "these records aren't even Moalin's to begin with so he can't complain."
Fakhoury disagrees "with the idea that the user has no standing to challenge the use of evidence that says something about him" and thinks the government undermines its own argument about who has standing to contest the evidence. "[T]hey want to use the phone records to prove a fact about Moalin but then claim that these records aren't his."
The government needs this win very badly as it's using Moalin's case to prove the necessity of the 215 bulk records collections. But it wants to do so by arguing that someone who can assert they've suffered direct harm from this collection (Moalin is in jail, after all) doesn't have standing.
The government wants an unchallenged bulk collection and is throwing down every argument it can in order to head off possible challenges, either to the collection itself or to the evidence it provides. The end result is a very thorough abuse of the Third Party Doctrine that, so far, has allowed intelligence agencies to reap all the benefits and suffer none of the consequences. If the government wants to argue that collecting from everyone is no different than collecting one person's records, then it shouldn't be able to turn around and claim no one has standing to challenge the collected data -- either as evidence or the constitutionality of the collection.
While there's plenty of attention being paid to Lavabit's temporary re-opening for the sake of letting people export their accounts, a much more interesting issue is the recent development in the legal case. Lavabit has filed its latest brief, and there are some interesting discussions about the details of the case. From my reading, Lavabit makes a very strong argument that the government has no right to demand the production of Lavabit's private SSL keys, as it's an overreach way beyond what traditional wiretapping laws allow. Lawyer Orin Kerr's analysis argues that Lavabit's case is weak, mainly arguing that the federal government can subpoena whatever the hell they want, and just because it conflicts with your business model: too bad. Lavabit argues that complying with the government's order is oppressive because it would effectively mean it would be committing fraud on all its customers:
[T]o comply with the government’s subpoena would have either required Lavabit to perpetrate a fraud on its customer base or shut down entirely. That is the key point, and the resulting harm goes far beyond a mere inconvenient search for records. Just as requiring a hotel owner to install glass doors on all its hotel rooms would destroy the hotel’s business, Lavabit cannot exist as an honest company if the government is entitled to take this sort of information in secret. Its relationship with its customers and business partners depends on an assurance that it will not secretly enable the government to monitor all of their communications at all times. If a mere grand jury subpoena can be used to get around that (in secret, no less), then no business—anywhere—can credibly offer its customers a secure email service.
But Kerr points out that this is a "really weak argument":
This strikes me as a really weak argument. Lavabit is essentially claiming that its anti-government business model trumps the subpoena power. That is, it is arguing that the subpoena is “oppressive” precisely because it would work: It would allow the government to conduct the surveillance it is allowed to conduct under the Pen Register statute.
Further, Kerr argues that to accept Lavabit's argument would mean that any company that announces an "ideology or business strategy" that opposes government surveillance could then resist legitimate government subpoenas simply by arguing that they are oppressive and abusive.
I respect Kerr and always look forward to his legal analysis, but I think he's wrong at a variety of levels here, and, tragically, the judge in the case seems to have the same confused view of what Lavabit is actually arguing (though, one could argue, that is actually the fault of Lavabit in not making its case clearly). Lawyer Scott Greenfield does a good job explaining why Kerr has mischaracterized Lavabit's defense -- first noting that being pro-privacy is hardly being "anti-government" as Kerr implies. He then points out that Lavabit's argument isn't that the government's demand for its private keys was merely oppressive because of its business model, but because it would put Lavabit out of business -- which is not the same thing.
This isn't really a fair characterization of Lavabit's point. Initially, the argument is that revelation of the private key would be the ruination of the business. By exposing every customer to government disclosure, and covert disclosure at that, the government would take a viable business, making money and delivering a service as businesses are allowed to do in America, and destroy it. Poof, company gone. Business gone. Revenue gone. Wham, bam, thank you, Ladar.
But there's an even bigger point in here, which I think Kerr misses entirely, and Greenfield skips over: from a technology standpoint, what the government is demanding of Lavabit is absolutely oppressive and abusive. And, for that, it helps to look at Ed Felten's discussion of the case, in which he notes that the judge and other DOJ supporters in this case (including, it would seem, Kerr) are basically arguing that "If court orders are legitimate, why should we allow engineers to design services that protect users against court-ordered access." But Felten points out that requiring "court ordered access" is tantamount to requiring a massive vulnerability to insider attacks:
To see why, consider two companies, which we’ll call Lavabit and Guavabit. At Lavabit, an employee, on receiving a court order, copies user data and gives it to an outside party—in this case, the government. Meanwhile, over at Guavabit, an employee, on receiving a bribe or extortion threat from a drug cartel, copies user data and gives it to an outside party—in this case, the drug cartel.
From a purely technological standpoint, these two scenarios are exactly the same: an employee copies user data and gives it to an outside party. Only two things are different: the employee’s motivation, and the destination of the data after it leaves the company. Neither of these differences is visible to the company’s technology—it can’t read the employee’s mind to learn the motivation, and it can’t tell where the data will go once it has been extracted from the company’s system. Technical measures that prevent one access scenario will unavoidably prevent the other one.
Insider attacks are a big problem. You might have read about a recent insider attack against the NSA by Edward Snowden. Similar but less spectacular attacks happen all the time, and Lavabit, or any well-run service that holds user data, has good reason to try to control them.
Now, go back to the judge's order or Kerr's analysis, and revisit it with what Felten pointed out, and you realize how far off-base both the judge and Kerr are in their analyses. Lavabit didn't design its system to be set up the way it was because it was "anti-government," but rather because it wanted to create secure email that protects against a variety of different kinds of attacks, both insider and outsider. That's why it found the government's request so "abusive" and "oppressive." Not because of an ideological disagreement, but rather because of the technological reality that handing over Lavabit's private keys absolutely wrecks any real security of Lavabit's system, which is Lavabit's entire business.
So, while Kerr and the judge in the case seem to think it's a mere ideological issue, that's simply not true. It's a technological issue, on which Lavabit's entire business was based. If Kerr and the judge are correct, then, as Felten properly notes, it becomes effectively illegal to build a really secure communications system. That seems positively ridiculous, especially in a time when we're told (by the very government agency that wants to do all this spying) that we need better online security to protect against attacks.
It's led us to a point in our relationship with the government, where we have an executive -- a Department of Justice -- that's unwilling to prosecute high officials who lied to Congress and the country on camera, but they'll stop at nothing to persecute someone who told them the truth. And that's a fundamentally dangerous thing to democracy.
That encapsulates so much of what the problem is with everything that's happened in the past few months. It's a point well worth repeating. The other video I really liked was the one where Snowden talked about the problem of secret laws and secret programs and the idea that the government is supposed to be in power with the consent of the governed, but how that's impossible without oversight.
The key statement:
This is not about any particular program. This is about a trend in the relationship between the governing and the governed in America, that is coming increasingly into conflict with what we expect as a free and democratic society. If we can't understand the policies and programs of our government, we cannot grant our consent in regulating them....
Snowden has mostly stayed hidden away from the public eye since all of this began. He's turned down basically all interview requests, so there's been very little shown of him actually speaking, other than the initial video he recorded with Laura Poitras and Glenn Greenwald. Once again, these videos show someone who appears to have thought deeply about what he is doing and why he did it.
from the moving-at-the-speed-of-treading-water dept
The problem of over-classification continues, not that it ever wasn't a problem. An Office of Inspector General (OIG) report on the DOJ's classification policies and procedures notes that the 9/11 Commission, which was formed in 2002, reached the same conclusion almost a decade ago. In the wake of the largest terrorist attack on the US, the Commission pointed out that over-classification "interferes with accurate and actionable information sharing, increases the cost of information security, and needlessly limits stakeholder and public access to information." Basically stated, over-classification has the ability to kill.
According to the Information Security Oversight Office, in 2012 alone, executive branch agencies issued more than 95 million “classification decisions.” That’s a 3 percent increase on the figure for 2011 (92 million), and a 25 percent rise on the figure for 2010 (77 million).
The IG report says that while misclassification at the DOJ is not “widespread,” redactions done by the department are sometimes wrong and unnecessary, and that officials appear to have a blasé approach to classification. The IG reviewed a sample of 141 documents in total—from the FBI, the DEA, the National Security Division, and the Criminal Division—and found a total of 357 “classified document marking errors,” meaning that they either did not contain required classification markings or contained incorrect classification markings.
The report breaks it down a bit more dryly, but without blunting the impact.
[W]e found several documents in which unclassified information was inappropriately identified as being classified. We also identified many documents that either did not contain required classification markings or contained incorrect classification markings. Some of these marking errors included missing, incomplete, or incorrect classification blocks, source references, portion markings, dissemination markings, and declassification instructions.
The lack of clear direction and best practices has led directly to this bizarre classification "system," in which each person makes their own rules and builds upon the similarly made-up "rules" of their peers.
In addition, we found that the National Security Division, Criminal Division, and the DEA incorrectly categorized many decisions to classify information as “original” classification decisions when these decisions actually were derivative classification decisions, as the classified information in the documents had been classified previously. The risk inherent in this practice is that individuals who inappropriately apply original decisions could apply these decisions inconsistently for the same types of information and information that should be treated similarly will be classified differently across programs. Also, this practice could result in classifiers believing that they could establish the classification levels, dissemination controls, or declassification dates of their choosing rather than the ones previously established by the actual original classification decision.
That's the sort of sloppiness that leads to 95 million "classification decisions" in a single year. The promised transparency of the current administration doesn't stand a chance when thousands of DOJ employees are making millions of these "decisions" every year. This widespread and chaotic "system" also defangs FOIA laws, as anything deemed classified can reasonably be withheld from requesters.
But what's more disturbing than the secrecy-driven bureaucracy is the fact that it's gone on for so long with almost no perceptible improvement. Every OIG report over the past several years has detailed problems and made specific recommendations for improvement, but these seem to be routinely ignored or, at best, briefly entertained before the various entities return to business as usual.
In 2006, the Government Accountability Office (GAO) also reviewed DOJ’s management of classified information. This review included an assessment of DOJ’s implementation of NARA’s Information Security Oversight Office on-site inspection recommendations. GAO reported that DOJ did not know the optimum number of staff it needed for its classification program because it had not assessed its needs and did not have a strategy to identify how it would use additional resources to address classification program deficiencies. GAO found that, as a result of these resource issues, DOJ had not fully implemented various recommendations from NARA’s Information Security Oversight Office and DOJ’s ability to oversee classification practices across components was insufficient.
Seven years have passed and the DOJ still hasn't fully implemented the recommendations and its oversight is still "insufficient." Not only is the DOJ uninterested in improving, it's also taken a hands-off approach to ensuring its own security, making the over-classification of documents even more useless, considering many of these could be viewed by people without proper clearance or just walk right out the door.
The Office of the Inspector General (OIG) reviewed personnel security processes throughout DOJ and issued reports in September 2012 and March 2013 that included recommendations to increase resources devoted to certain security program issues. These reports found that SEPS [Security and Emergency Planning Staff] did not implement adequate personnel security processes to identify security violations and enforce security policies. Moreover, SEPS issued minimal guidance for components to follow in managing their contractor security programs and the guidance does not provide standards for maintaining accurate rosters on contract employees or periodic reinvestigations.
The report also details ongoing issues. Money spent on automated tools meant to prevent "original" classification decisions is wasted as the tools are rolled out unevenly and without adequate training. The DOJ's internal inspection reports are loaded with "methodological errors" and, in some cases, mandatory annual inspections were only being performed every third year. In other cases, information pertaining to classification violations was withheld from SEPS oversight (and consequently, the OIG).
According to FBI officials, in 2010 the FBI incorrectly entered Top Secret information from an Intelligence Community agency into a Secret-level FBI database used to track terrorist threats. The incident was identified when an FBI employee was informed by the Intelligence Community agency that certain information, when combined, was classified at the Top Secret level. As part of this review, in March 2013 the OIG learned of the incident and followed up with the FBI to determine whether the classified information had been removed from the Secret database and whether the classified information might also have been inappropriately included in other FBI systems. FBI officials told us that they were not certain whether the information was included in other FBI systems. Ultimately, it was not until July 2013, approximately 3 years after the incident and after multiple inquiries by the OIG, that the FBI completed the removal of the information from other FBI systems.
Notably, we found that the FBI did not inform SEPS of the compromise. In August 2013, after the OIG inquired about why the FBI had not met its responsibility to notify SEPS of the incident, the FBI officials informed us that they would notify SEPS that month.
Like many other OIG reports, the overall picture painted is depressing. The bloat associated with a large-scale bureaucracy (over 115,000 employees in the DOJ alone -- and many other agencies under its purview) makes any change in course abysmally slow, almost to the point of being imperceptible. This problem is made worse by the DOJ's preference towards erring on the side of secrecy.
Eleven years since the 9/11 Commission's report and nothing has changed. But this should come as no surprise, considering there's very little being deployed in the way of incentives or deterrents that might effect a change. If there's no impetus, there's no forward motion.
The DOJ will continue to veer towards secrecy because that is the standard MO of nearly any government agency -- especially those involved in our two greatest "battles," terrorism and drugs. "Original" classification decisions will continue to be a problem simply because the government has drilled low-level, terrorism-related panic into everyone's brains. No one wants to be the person whose unclassified document is waved around as the reason the terrorists are winning. Better safe than sorry.
Two consecutive administrations have leveraged these two wars to create a rift between the "combatants" and the public, further encouraging greater secrecy -- the same secrecy that threatens the success of the "combatants" by compartmentalizing intelligence and data into bureaucratic fiefdoms patrolled by men and women with itchy "CLASSIFIED" trigger fingers.
The upsides to a cohesive and restrained classification system belong almost solely to the public -- greater transparency and information dissemination. Our public servants, when faced with national security and other existential threats, will almost always find the public good being pushed to the bottom of the priority list. Annual reports come and go, but a classified document stays locked up for dozens of years.
The OIG has no carrot and no stick. The improvements needed have to come from above and within, but neither shows much willingness to change.
Over the past several months, the Obama Administration has defended the government's far-reaching data collection efforts, arguing that only criminals and terrorists need worry. The nation's leading internet and telecommunications companies have said they are committed to the sanctity of their customers' privacy.
I have some very personal reasons to doubt those assurances.
In 2004, my telephone records as well as those of another New York Times reporter and two reporters from the Washington Post, were obtained by federal agents assigned to investigate a leak of classified information. What happened next says a lot about what happens when the government's privacy protections collide with the day-to-day realities of global surveillance.
The story begins in 2003 when I wrote an article about the killing of two American teachers in West Papua, a remote region of Indonesia where Freeport-McMoRan operates one of the world's largest copper and gold mines. The Indonesian government and Freeport blamed the killings on a separatist group, the Free Papua Movement, which had been fighting a low-level guerrilla war for several decades.
I opened my article with this sentence: "Bush Administration officials have determined that Indonesian soldiers carried out a deadly ambush that killed two American teachers."
I also reported that two FBI agents had travelled to Indonesia to assist in the inquiry and quoted a "senior administration official" as saying there "was no question there was a military involvement."
The story prompted a leak investigation. The FBI sought to obtain my phone records and those of Jane Perlez, the Times bureau chief in Indonesia and my wife. They also went after the records of the Washington Post reporters in Indonesia who had published the first reports about the Indonesian government's involvement in the killings.
As part of its investigation, the FBI asked for help from what is described in a subsequent government report as an "on-site communications service" provider. The report, by the Department of Justice's Inspector General, offers only the vaguest description of this key player, calling it "Company A."
"We do not identify the specific companies because the identities of the specific providers who were under contract with the FBI for specific services are classified," the report explained.
Whoever they were, Company A had some impressive powers. Through some means – the report is silent on how – Company A obtained records of calls made on Indonesian cell phones and landlines by the Times and Post reporters. The records showed whom we called, when and for how long -- what has now become famous as "metadata."
Under DOJ rules, the FBI investigators were required to ask the Attorney General to approve a grand jury subpoena before requesting records of reporters' calls. But that's not what happened.
Instead, the bureau sent Company A what is known as an "exigent letter" asking for the metadata.
A heavily redacted version of the DOJ report, released in 2010, noted that exigent letters are supposed to be used in extreme circumstances where there is no time to ask a judge to issue a subpoena. The report found nothing "exigent" in an investigation of several three-year-old newspaper stories.
The need for an exigent letter suggests two things about Company A. First, that it was an American firm subject to American laws. Second, that it had come to possess my records through lawful means and needed legal justification to turn them over to the government.
The report disclosed that the agents' use of the exigent letter was choreographed by the company and the bureau. It said the FBI agent drafting the letter received "guidance" from "a Company A analyst." According to the report, lawyers for Company A and the bureau worked together to develop the approach.
Not surprisingly, "Company A" quickly responded to the letter it helped write. In fact, it was particularly generous, supplying the FBI with records covering a 22-month period, even though the bureau's investigation was limited to a seven-month period. Altogether, "Company A" gave the FBI metadata on 1,627 calls by me and the other reporters.
Only three calls were within the seven-month window of phone conversations investigators had decided to review.
It doesn't end there.
The DOJ report asserts that "the FBI made no investigative use of the reporters' telephone records." But I don't believe that is accurate.
In 2007, I heard rumblings that the leak investigation was focusing on a diplomat named Steve Mull, who was the deputy chief of mission in Indonesia at the time of the killings. I had known Mull when he was a political officer in Poland and I was posted there in the early 1990s. He is a person of great integrity and a dedicated public servant.
The DOJ asked to interview me. Of course, I would not agree to help law enforcement officials identify my anonymous sources. But I was troubled because I felt an honorable public servant had been forced to spend money on lawyers to fend off a charge that was untrue. After considerable internal debate, I decided to talk to the DOJ for the limited purpose of clearing Mull.
It was not a decision I could make unilaterally. The Times also had a stake in this. If I allowed myself to be interviewed, how could the Times say no the next time the government wanted to question a Times reporter about a leak?
The Times lawyer handling this was George Freeman, a journalist's lawyer, a man Times reporters liked having in their corner. George and the DOJ lawyers began to negotiate over my interview. Eventually, we agreed that I would speak on two conditions: one, that they could not ask me for the name of my source; and two, if they asked me if it was 'X,' and I said no, they could not then start going through other names.
Freeman and I sat across a table from two DOJ lawyers. I'm a lawyer, and prided myself on being able to answer their questions with ease, never having to turn to Freeman for advice.
Until, that is, one of the lawyers took a sheaf of papers that were just off to his right, and began asking me about phone calls I made to Mull. One call was for 19 minutes, the DOJ lawyer said, giving me the date and time. I asked for a break to consult with Freeman.
We came back, and answered questions about the phone calls. I said that I couldn't remember what these calls were about – it had been more than four years earlier – but that Mull had not given me any information about the killings. Per our agreement, the DOJ lawyers did not ask further questions about my sources, and the interview ended.
I didn't know how the DOJ had gotten my phone records, but assumed the Indonesian government had provided them. Then, about a year later, I received a letter from the FBI's general counsel, Valerie Caproni, who wrote that my phone records had been taken from "certain databases" under the authority of an "exigent letter" (a term I had never heard).
Caproni sent similar letters to Perlez, to the Washington Post reporters, and to the executive editors of the Post and the Times, Leonard Downie and Bill Keller, respectively. In addition, FBI Director Robert Mueller called Downie and Keller, according to the report.
Caproni wrote that the records had not been seen by anyone other than the agent requesting them and that they had been expunged from all databases.
I'm uneasy because the DOJ report makes clear that the FBI is still concealing some aspect of this incident. After describing Caproni's letters, the report says: "However, the FBI did not disclose to the reporters or their editors that [BLACKED OUT]." The thick black lines obliterate what appear to be several sentences.
If you were to ask senior intelligence officials whether I should wonder about those deletions, they'd probably say no.
I'm not so sure.
The government learned extensive details about my personal and professional life. Most of those calls were about other stories I was writing. Some were undoubtedly to arrange my golf game with the Australian ambassador. Is he now under suspicion? The report says the data has been destroyed and that only two analysts ever looked at it.
But who is this "Company A" that willingly cooperated with the government? Why was it working hand in glove with the FBI? And what did the FBI director not tell the editors of the Times and the Washington Post when he called them acknowledging the government had improperly obtained reporters' records?