from the prosecuting-domestically-but-kicking-down-doors-all-over-the-world dept
The government has filed another document in response to discovery requests in the Ross Ulbricht/Silk Road case. Again, it argues that there's no Fourth Amendment concerns here, so Ulbricht's legal team isn't entitled to receive any more information about how the FBI accessed the servers central to the government's case.
The government's arguments [pdf link] put Ulbricht in an uncomfortable position -- explain why he has an interest in these servers or stop challenging the government's submitted evidence.
[T]he burden is on Ulbricht to allege facts that, if proven, would establish a violation of his Fourth Amendment rights. The Horowitz Declaration manifestly fails to satisfy that burden. As a threshold matter, the declaration does not establish that Ulbricht had a reasonable expectation of privacy in the SR Server, as required for him to have standing to move for its suppression in the first place. Indeed, a declaration from a member of Ulbricht’s legal team such as Mr. Horowitz would be insufficient for this purpose anyway. To establish standing, a defendant must submit an “‘affidavit from someone with personal knowledge demonstrating sufficient facts to show that he had a legally cognizable privacy interest in the searched premises at the time of the search...’”
Ulbricht’s counsel would not have any personal knowledge of Ulbricht’s privacy interest in the SR Server; presumably, only Ulbricht would. Ulbricht’s assertion that he is not required to submit such an affidavit and that the issue of standing “must . . . be resolved through an evidentiary hearing,” (Reply Br. 18), is flatly wrong. Again, to merit a hearing, a defendant must first allege facts that, if proven at a hearing, would establish a violation of his personal Fourth Amendment rights – including facts sufficient to show the defendant had a protected privacy interest in the property searched. Without competently asserting such an interest, a defendant has no standing to bring a suppression motion at all, let alone demand a hearing on the motion.
Basically: admit the servers are yours and we can start discussing your Fourth Amendment rights. This is the DOJ asking Ulbricht to do its work for it. These servers are only allegedly Ulbricht's at this point.
Then the DOJ's lawyer moves on to say, "Actually, we don't really care what you do or don't assert. You have no Fourth Amendment rights to anything kept in that location."
Even if Ulbricht were to demonstrate that he has standing, which he plainly has failed to do, the Horowitz Declaration still would not warrant a hearing because it fails to allege facts that, if proven, would establish a violation of Ulbricht’s Fourth Amendment rights. The Horowitz Declaration nowhere alleges that the SR Server was either located or searched in a manner that violated the Fourth Amendment. It merely critiques certain aspects of the Tarbell Declaration concerning how the SR Server was located. The Horowitz Declaration fails to allege any alternative explanation of how the SR Server was located that, if proven, would establish that Ulbricht’s Fourth Amendment rights were somehow violated.
Turner dismisses claims that the NSA was involved or that illegal wiretaps were used, simply stating that the government would have turned over the applicable evidence if these accusations were true. (Which is highly doubtful -- especially in the NSA's case -- but theoretically true.) But then he goes on to say that even if hacking were involved, it simply doesn't matter.
In any event, even if the FBI had somehow “hacked” into the SR Server in order to identify its IP address, such an investigative measure would not have run afoul of the Fourth Amendment. Because the SR Server was located outside the United States, the Fourth Amendment would not have required a warrant to search the server, whether for its IP address or otherwise.
There's the message the DOJ is sending, at least in this case: if anything of yours resides in a foreign country, all protections are waived. All the government needs is to prove is that its search was "reasonable" and prompted by "legitimate governmental interests" -- not exactly the high bar the DOJ presents it as. Nothing is off-limits anywhere outside of this country. If the NSA hasn't already hoovered it up, the FBI's coming through the back door -- not exactly heartening news for citizens whose everyday lives heavily with extraterritorial entities like Internet services and cloud storage.
There's been some attention paid to a recent Forbes article that confirms what pretty much everyone has always said: Congress won't move forward with reforming the CFAA. There's nothing particularly new in the article. It's just rehashing things that were hashed out over the past few years: the Computer Fraud and Abuse Act, a very out-of-date law concerning hacking, has been abused mightily for decades, well beyond its intended purpose. It got lots of attention as the law being used against Aaron Swartz, but the abuses started long before that. However, many tech companies, led by Oracle, have fought against reform (in part because they use the threat of the law to keep employees from running off with trade secrets, even though there are other laws for that). At the same time, the DOJ would actually like to make the law even worse.
And, in the simplistic minds of many in Congress, if the big industry associated with the issue and the government don't want the necessary reforms -- even if the public is interested in such reforms -- it's just not worth doing. This doesn't necessarily mean that CFAA reform won't eventually happen, but like ECPA reform, patent reform and other related issues, very little can actually get through Congress these days. So in many cases, in the minds of certain folks in Congress, it's just not worth trying, even if it's the right thing to do.
An online hacker who went by the name "Guccifer" got a lot of attention a year and a half ago or so for regularly hacking into the email and social media accounts of various political officials and insiders along with some Hollywood folks, with the most high profile being former President George W. Bush's email, leading to the leaking of some of Bush's early attempts at painting. But that was hardly all. Among others, he hacked into email and/or social media accounts of Senator Lisa Murkowski, Colin Powell, top Hillary Clinton advisor Sidney Blumenthal, venture capitalist John Doerr, former White House chief of staff Kenneth Duberstein, actor Jeffrey Tambor (Jeffrey Tambor?!?!), Sex and the City author Candace Bushnell, Watergate reporter Carl Bernstein, President Obama's head of the National Intelligence Council Christopher Kojm and the head of the National Nuclear Security Administration Neile Miller. In other words, Guccifer was pretty busy.
While the indictment does not name the people who were hacked, calling them Victim 1, 2, 3, 4 and 5, it's not difficult to figure out that Victim 1 is President Bush's sister Dorothy Bush, which is how he got the GWB paintings (GWB had sent photos of them to his sister) and Victim 3 is Colin Powell, who had to deny an affair with a foreign diplomat after some of his emails were leaked. The indictment appears to suggest a particular infatuation with Powell, as it also included hacks of his Facebook page and posting anti-Bush rants on Powell's Facebook page.
I'm always a little nervous about computer hacking cases, because the government is fairly well known for exaggerating non-hacking situations and pretending that they're hacking under the CFAA, but assuming that this guy really did get into all of these accounts, it seems like what the CFAA was more written to cover in the first place.
The full indictment is below, but what I'm trying to figure out is how "victim 2" got included in the list. Notice if you can spot which one of the following "is different from the others" in the list below:
Victim 1... was a family member of two former
U.S. presidents who was the true owner of an AOL account....
Victim 2... was a sanitation engineer who was the true
owner of an AOL account....
Victim 3... was a former U.S. Cabinet member who
resided in the Eastern District of Virginia. Victim 3 was the true owner of an AOL account with
subaccounts and a Facebook account....
Victim 4... was a former member of the U.S. Joint Chiefs
of Staff who was the true owner of a Facebook account....
Victim 5, known to the grand jury, was a journalist and former presidential
advisor who was the true owner of an AOL account with subaccounts....
It just seems that if you were to put the five of those together at a Washington DC cocktail party, one of them would stick out as somewhat different from the others.
Any hackers that manage to carry out "cyberattacks which result in loss of life, serious illness or injury or serious damage to national security, or a significant risk thereof" would face the full life sentence, according to the serious crime bill proposed in Wednesday's Queen's speech.
As well as targeting cyberterrorists, the new offence in the proposed update to the Computer Misuse Act [CMA] 1990 would also hand harsher sentences to those hackers carrying out industrial espionage, believed to be a growing menace affecting UK business.
The law would have a maximum sentence of 14 years for attacks that create "a significant risk of severe economic or environmental damage or social disruption". Currently, the section of the CMA covering such an offence carries a 10-year sentence.
Much of this is the kind of activity carried out in the form of attacks sponsored by governments outside the UK -- or, as in the case of the NSA, directly by those governments. Despite the recent grandstanding by the US when it filed criminal charges against members of the Chinese military whom it accuses of espionage, there is little hope of ever persuading the main players to hand over their citizens for trial, so the new UK law will be largely ineffectual against the most serious threats.
But there is a real danger in the "or significant risk, thereof" part, since that gives the UK authorities huge scope to claim -- as they have in other contexts -- that some online action "risked" some terrible outcome, even though nothing actually happened. Things are made worse by the fact that there is no public interest defense or exemption for research. As the Guardian notes:
The government has also not addressed complaints over the application of current computer crime law, which some in the security industry claim actually makes the internet less safe.
This is because certain kinds of research could be deemed illegal. Experts known as penetration testers, who look for weaknesses in internet infrastructure, often carry out similar actions to real cybercriminals in their attempts to improve the security of the web, such as scanning for vulnerabilities.
But such research is punishable under British law, even if it is carried out for altruistic ends, leaving potential weaknesses unresolved, critics of the CMA said.
What this means is that while it will fail to tackle the most serious online attacks, and chill research into security flaws, the proposed Bill will conveniently allow the UK government to target groups like Anonymous who carry out high-profile but relatively harmless actions over the Net. This section of the proposed Bill is really about the UK government bolstering its already disproportionate powers to throttle online protests by characterizing them as "serious cyberattacks", and threatening to impose life sentences on anyone involved.
The Computer Fraud and Abuse Act is so severely flawed that people are extremely hesitant to report security holes in websites, especially after witnessing what happened to Weev (Andrew Auernheimer), who went to jail for exposing a flaw in AT&T's site that exposed user info when values in the URL were incremented.
"I remember a person was recently arrested for finding this same flaw in a website and told (at&t/apple??) about it. He was arrested and jailed if I remember right. This is the type of chilling effects that come when people view techies as hackers and are arrested for pointing out flaws.
By changing the number at the end you can harvest personal info.
I won't report the flaw, I could go to jail."
Is that overdramatic? Doubtful. People have reported security flaws to companies only to have these entities press charges, file lawsuits or otherwise tell them to shut up. Weev's only out because the government's case was brought in the wrong venue. The CFAA, which has been used to punish many helpful people, is still intact and as awful as ever.
As the (also anonymous) redditor points out, he or she has tried to contact the company but has found no avenue to address this security hole which exposes names, addresses and email addresses of customers sending in claims for a free year of Netflix streaming that came bundled with their purchase of an LG Smart TV. Incrementing the digits at the end of the URL brings up other claims, some with images of receipts attached. In addition, anyone can upload support documents to these claims.
Here's a screenshot of the hole in question:
As the original poster points out, with a little coding, someone could put together a database of addresses that most likely house a brand new LG Smart TV. And this may not just be limited to LG. ACB Incentives is the company behind this promotion, and it handles the same sort of online rebate forms for a variety of companies. These rebate submission sites all branch off acbincentives.com, which could mean it's just a matter of figuring out how each one handles submitted claims, URL-wise.
Now, I've contacted the company to let them know. Amanda Phelps at the Memphis branch says she's bringing it to the attention of programming. I also let her know that it may affect other rebate pages but that I can't confirm that. We'll see how quickly this is closed*, but all in all, the people at ACB seemed to be concerned and helpful, rather than suspcious.
*Very quickly, it appears. See note at top of post.
But the underlying point remains. Many people who discover these flaws aren't criminals and aren't looking to expose the data of thousands of unsuspecting users. They're simply concerned that this is happening and often incredulous that major companies would be this careless with customers' data. That the kneejerk reaction has often been to shoot the messenger definitely gives those discovering these holes second thoughts as to reporting them, a hesitation that could allow someone with more nefarious aims to exploit the exposed data. The law needs to change, and so does the attitude that anyone discovering a flaw must be some sort of evil hacker -- or that the entity must do whatever it takes, even if it means throwing the CFAA at someone, just to prevent a little embarrassment.
The hope, of course, was that the court might address the ridiculousness of the charge and the huge problems of the CFAA, which currently permits the government to go after pretty much anyone who uses a computer in a way they don't like. Instead, the conviction was tossed for being in the wrong venue:
Although this appeal raises a number of complex and novel issues that are of great public importance in our increasingly interconnected age, we find it necessary to reach only one that has been fundamental since our country’s founding: venue.
But, while the ruling punts on the CFAA, it raises some issues in its venue analysis that could themselves have a wider impact. Weev was prosecuted in New Jersey based on the flimsy rationale that New Jersey residents were affected by the security flaw exposure (but really because New Jersey has its own anti-hacking laws, and the DOJ was able to pursue a harsher punishment if the CFAA intersected with state laws). But the appeals court found that, since none of the allegedly illegal activities undertaken by weev happened in New Jersey, this was inappropriate:
The statute’s plain language reveals two essential conduct elements: accessing without authorization and obtaining information.
New Jersey was not the site of either essential conduct element. The evidence at trial demonstrated that the accessed AT&T servers were located in Dallas, Texas, and Atlanta, Georgia. In addition, during the time that the conspiracy began, continued, and ended, Spitler was obtaining information in San Francisco, California, and Auernheimer was assisting him from Fayetteville, Arkansas. No protected computer was accessed and no data was obtained in New Jersey.
Since the question of venue is still very muddy when it comes to the internet, this likely isn't the last we'll be hearing about this ruling, and its impact on other cases could prove interesting. It's also likely not an end to weev's story, and certainly not an end to government abuse of the CFAA. But, for now and at the very least, it says that if the DOJ is going to try to throw you in jail for the crime of Vaguely Misusing A Computer While Being Kind Of A Jerk, it at least has to do it in the correct venue instead of going fishing for the most favorable one.
Update: As noted in the First Word comment below, the ruling did make mention of the fact that no crime had been clearly established, which suggests that if the court had addressed the bigger questions about the charge, it may not have gone well for the DOJ. For now, we'll have to be satisfied with a non-binding footnote.
There have been a bunch of stories going around about how 5-year-old Kristoffer Von Hassel figured out a way to hack the Xbox Live password system. Kristoffer's parents noticed that their son was logging into his father's account and playing games he wasn't supposed to be playing. They asked him how he was doing it and he showed them:
Just after Christmas, Kristoffer's parents noticed he was logging into his father's Xbox Live account and playing games he wasn't supposed to be.
“I got nervous. I thought he was going to find out,” said Kristoffer.
In video shot soon after, his father, Robert Davies, is heard asking Kristoffer how he was doing it.
A suddenly excited Kristoffer showed Dad that when he typed in a wrong password for his father’s account, it clicked to a password verification screen. By typing in space keys, then hitting enter, Kristoffer was able to get in through a back door.
Kristoffer's father, Robert Davies, works in computer security (which, frankly, makes me a little skeptical that Kristoffer really made this discovery), and submitted the bug to Microsoft, who not only quickly fixed it, but also listed Kristoffer on their March "acknowledgements" for security researchers who helped them find bugs and vulnerabilities.
Of course, the flip side to this story is how we've seen the CFAA used in the past to go after people discovering similar flaws. Compare the story of Kristoffer to the story of Andrew "weev" Auernheimer. Kristoffer clearly exceeded authorized access to the Xbox Live system in order to obtain something of value (perhaps he gets off because the "something" is not worth more than $5,000, but still...). Of course, weev is an obnoxious internet troll, and Kristoffer is a cute 5-year-old. I guess that's what's meant by "prosecutorial discretion."
We've been covering the ridiculous DOJ case against Andrew "weev" Auernheimer for quite some time. If you don't recall, Auernheimer and a partner found a really blatant security hole on AT&T's servers that allowed them to very easily find out the email addresses of iPad owners. There was no breaking in to anything. The issue was that AT&T left this all exposed. But, with a very dangerous reading of the CFAA (Computer Fraud and Abuse Act) and a bunch of folks who don't understand basic technology, weev was sentenced to 3.5 years in jail (and has been kept in solitary confinement for much of his stay so far). Part of the case is complicated by the fact that weev is kind of a world class jerk -- who took great pleasure in being an extreme online troll, getting a thrill out of making others miserable. But that point should have no bearing on whether or not exposing a security hole, by basically entering a URL that AT&T failed to secure, becomes a criminal activity.
Throughout the case, it's been clear that the DOJ was trying to make up an interpretation of the law that had no basis in the actual technology world. And it became abundantly clear at a hearing before the appeals court concerning weev's case, that the DOJ really has no idea what weev did. They're just sure it's bad because it involves computers and stuff. Seriously, as reported by Vice:
"He had to decrypt and decode, and do all of these things I don't even understand," Assistant US Attorney Glenn Moramarco argued.
Say what? If that's the basis for being declared a felon and locked up for 3.5 years, almost everyone is a felon. It's likely that under that "standard" Moramarco himself is a felon, because I'll bet he "decrypts and decodes and all of these things he doesn't understand" on pretty much a daily basis. But, a tip to the US Attorneys' office: when prosecuting a computer crime, you might want to at least try to have someone who actually understands the fundamental basics of what the person you've locked up has done.
But, Moramarco apparently doesn't want to let his complete ignorance of what actually happened (someone putting a URL into a box and seeing the page that AT&T failed to secure) to get in the way of insane hyperbole about what he thinks weev did:
In its opening statement, the government made an incendiary comparison that seemed to reflect the nature of its understanding of the crime: the prosecution compared Auernheimer's deeds to hackers "[blowing] up a nuclear power plant in New Jersey" in an attempt to illustrate how it was a relevant venue.
Yes, apparently exposing the fact that AT&T left its customers' info wide open to anyone is the equivalent of blowing up a nuclear power plant. Yikes.
As the article notes, much of the hearing actually focused on the question of venue, and it appears that weev may get off on something of a technicality. Prosecutors had moved the case to New Jersey for no known reason and so it may get rejected for being the improper venue, which potentially could mean that the appeals court never even addresses the issue of just how badly the DOJ twisted the CFAA to bring down weev. The judges appear to be considering this, as they noted that based on the details of the case, there was no apparent connection to New Jersey and no reason why the DOJ couldn't have brought the case anywhere (one judge apparently mentioned Hawaii).
The case is important because of all the CFAA abuse we've seen by the DOJ over recent years, and now it sounds like the appeals court may be able to just skip over that issue entirely. Given the DOJ's own admissions of its lack of understanding about weev's actions, that actually might be the best thing for the DOJ, allowing it to continue to make completely bogus CFAA arguments to take down technologically sophisticated people that the DOJ doesn't like and doesn't understand.
from the not-so-fun-when-it's-your-metadata,-huh? dept
Earlier today, we wrote about Senator Dianne Feinstein's justified anger over the CIA "spying" on the Senate Intelligence Committee staffers as they went about putting together a massive (and apparently incredibly damning) report condemning the CIA's torture program. Having now watched the whole video of her speech, as well as read the transcript, there's a lot more here to discuss. You can watch the speech yourself if you'd like, or read the full transcript, which we've embedded below:
Apparently, some of the concerns actually stem from an earlier incident, from back in 2010, during which the CIA deleted access to a bunch of documents that it had previously given to the committee staffers. This came after an initial fight over whether or not the CIA would interfere with the staffers' efforts. The Intelligence Committee eventually agreed with the CIA's request that the research work be carried out on the CIA's premises, but only after the CIA promised not to interfere and to leave the staffers alone. The staffers requested lots of documents, and the CIA did a full pure data dump on them, just handing over piles and piles of documents with no context at all. Basically, it appears the CIA sought to bury the staffers in bullshit, hoping to hide many of the important bits. In response, the staffers asked the CIA to provide an electronic search engine, in order to go through the electronic documents. Also, to keep things organized, the staffers would regularly make local copies and/or print out key documents so they could more easily organize them and keep track of them. Based on this, they noticed that some documents that had initially been available "went missing" in 2010:
In May of 2010, the committee staff noticed that [certain] documents that had been provided for the committee’s review were no longer accessible. Staff approached the CIA personnel at the offsite location, who initially denied that documents had been removed. CIA personnel then blamed information technology personnel, who were almost all contractors, for removing the documents themselves without direction or authority. And then the CIA stated that the removal of the documents was ordered by the White House. When the committee approached the White House, the White House denied giving the CIA any such order.
After a series of meetings, I learned that on two occasions, CIA personnel electronically removed committee access to CIA documents after providing them to the committee. This included roughly 870 documents or pages of documents that were removed in February 2010, and secondly roughly another 50 were removed in mid-May 2010.
This was done without the knowledge or approval of committee members or staff, and in violation of our written agreements. Further, this type of behavior would not have been possible had the CIA allowed the committee to conduct the review of documents here in the Senate. In short, this was the exact sort of CIA interference in our investigation that we sought to avoid at the outset.
Apparently, this snafu was settled quietly between the intelligence committee and the CIA, with the CIA promising not to do it again.
Now, as we've been pointing out, and which was revealed by McClatchy and the NY Times last week, this latest fight is focused mostly on a draft of an internal review by the CIA of the torture program, conducted for then director Leon Panetta. Feinstein reveals some more key details about this document. First, it appears that Panetta more or less ordered the CIA to conduct what appears to be a "shadow review" of the very same documents that were being handed over to the Senate staffers. The report, as noted, appears to come to the same basic conclusions about the CIA's torture program (i.e., that it went to insane lengths and produced absolutely nothing in the way of useful intelligence). This internal review also contradicted the CIA's "official response" to the Intelligence Committee's own report.
Here's where it gets a bit trickier. When current CIA director John Brennan was asked for the full internal report, rather than the draft that the staffers had, there appears to have been a freakout at the CIA, because no one had intended for the intelligence committee to see the report, either as a draft or final report. The CIA appears to have believed that Senate staffers got access to the report illegally (hence the CIA's request that the staffers be investigated for illegal activity). Feinstein denies all of this and notes that the draft report was among the many documents provided in the data dump -- in what now looks like an accident by the CIA folks (and some contractors) in charge of compiling the data dump for the intelligence committee. The staffers "found" this document by using that search tool, which they'd asked the CIA to provide.
Feinstein goes on to reject the claims made by the CIA and CIA supporters that (1) the staffers should have known not to read the documents since they were marked "deliberative" or "privileged" and (2) that they somehow "mishandled" those classified documents by printing them out and bringing them to the Senate. As she notes, both of those claims make little sense. On the classification:
As with many other documents provided to the committee at the CIA facility, some of the Internal Panetta Review documents—some—contained markings indicating that they were “deliberative” and/or “privileged.” This was not especially noteworthy to staff. In fact, CIA has provided thousands of internal documents, to include CIA legal guidance and talking points prepared for the CIA director, some of which were marked as being deliberative or privileged.
Moreover, the CIA has officially provided such documents to the committee here in the Senate. In fact, the CIA’s official June 27, 2013, response to the committee study, which Director Brennan delivered to me personally, is labeled “Deliberative Process Privileged Document.”
We have discussed this with the Senate Legal Counsel who has confirmed that Congress does not recognize these claims of privilege when it comes to documents provided to Congress for our oversight duties.
That takes care of that. On the question of mishandling the documents, the argument is not quite as strong, but still quite reasonable. Yes, it does appear that staffers did not follow the exact process for removing the documents -- in that they were supposed to first review it with CIA staffers, but the reasoning here is not so crazy. The review process was supposedly just so that the CIA could make sure that names of key people or details of operations weren't revealed. The staffers made sure that all such info had been redacted before moving the document -- and, of course, they recognized that this document was a bit of a smoking gun for the CIA in that it appeared to confirm that Director Brennan had been lying to the committee. Taking it to the CIA to review would be an odd move -- especially for staffers tasked with oversight of the CIA itself. Even more important, the staffers noticed that, like back in 2010, that draft review document suddenly "disappeared" from their computer system, despite the previous promises that the CIA wouldn't do that any more (also, she points out that the CIA had previously destroyed early evidence about their torture program). So they made the entirely reasonable decision to make a copy and store it in the Senate:
When the Internal Panetta Review documents disappeared from the committee’s computer system, this suggested once again that the CIA had removed documents already provided to the committee, in violation of CIA agreements and White House assurances that the CIA would cease such activities.
As I have detailed, the CIA has previously withheld and destroyed information about its Detention and Interrogation Program, including its decision in 2005 to destroy interrogation videotapes over the objections of the Bush White House and the Director of National Intelligence. Based on the information described above, there was a need to preserve and protect the Internal Panetta Review in the committee’s own secure spaces.
Now, the Relocation of the Internal Panetta Review was lawful and handled in a manner consistent with its classification. No law prevents the relocation of a document in the committee’s possession from a CIA facility to secure committee offices on Capitol Hill. As I mentioned before, the document was handled and transported in a manner consistent with its classification, redacted appropriately, and it remains secured—with restricted access—in committee spaces.
Now that brings us to the latest "fight." In late 2013, after the intelligence committee had seen that draft report, it had requested the final report from the CIA. That set off alarm bells in the CIA when they realized that the committee knew such a report existed, leading to a freakout and further "searching" the staffers' supposedly private computers and networks:
Shortly thereafter, on January 15, 2014, CIA Director Brennan requested an emergency meeting to inform me and Vice Chairman Chambliss that without prior notification or approval, CIA personnel had conducted a “search”—that was John Brennan’s word—of the committee computers at the offsite facility. This search involved not only a search of documents provided to the committee by the CIA, but also a search of the ”stand alone” and “walled-off” committee network drive containing the committee’s own internal work product and communications.
According to Brennan, the computer search was conducted in response to indications that some members of the committee staff might already have had access to the Internal Panetta Review. The CIA did not ask the committee or its staff if the committee had access to the Internal Review, or how we obtained it.
Instead, the CIA just went and searched the committee’s computers. The CIA has still not asked the committee any questions about how the committee acquired the Panetta Review. In place of asking any questions, the CIA’s unauthorized search of the committee computers was followed by an allegation—which we have now seen repeated anonymously in the press—that the committee staff had somehow obtained the document through unauthorized or criminal means, perhaps to include hacking into the CIA’s computer network.
As I have described, this is not true. The document was made available to the staff at the offsite facility, and it was located using a CIA-provided search tool running a query of the information provided to the committee pursuant to its investigation.
Of course, as Julian Sanchez points out, from this description, it certainly appears that the CIA was collecting "just metadata," and, as you may recall, Feinstein has been at the forefront of arguing that no one should care about the NSA's activities, because it's just metadata. Kinda funny how perspective shifts when it's your metadata being discussed. Suddenly, it becomes a constitutional issue:
Based on what Director Brennan has informed us, I have grave concerns that the CIA’s search may well have violated the separation of powers principles embodied in the United States Constitution, including the Speech and Debate clause. It may have undermined the constitutional framework essential to effective congressional oversight of intelligence activities or any other government function.
Besides the constitutional implications, the CIA’s search may also have violated the Fourth Amendment, the Computer Fraud and Abuse Act, as well as Executive Order 12333, which prohibits the CIA from conducting domestic searches or surveillance.
And yet that doesn't apply when the NSA spies on all Americans? Yes, Feinstein is absolutely right to be angry about this. It is an astounding breach of protocol, and given that it's the Senate Intelligence Committee's job to oversee the CIA, it appears to be quite a brazen move by the CIA to effectively undermine the Senate's oversight. It's just too bad she doesn't see how the very same things she's angry about concerning her own staff apply equally to everyone else.
There's one other issue in the speech that should be highlighted as well. She notes both of the referrals (that we've previously discussed) to the DOJ: the request to investigate the CIA's activities, and the CIA's tit-for-tat response asking for an investigation into the staffers' access and removal of the draft Panetta review. Feinstein also points out that the person at the CIA who filed the crimes report against her staffers at the DOJ was heavily involved in the torture program the report condemns, and certainly suggests that the move is much more about intimidating Senate overseers:
Weeks later, I was also told that after the inspector general referred the CIA’s activities to the Department of Justice, the acting general counsel of the CIA filed a crimes report with the Department of Justice concerning the committee staff’s actions. I have not been provided the specifics of these allegations or been told whether the department has initiated a criminal investigation based on the allegations of the CIA’s acting general counsel.
As I mentioned before, our staff involved in this matter have the appropriate clearances, handled this sensitive material according to established procedures and practice to protect classified information, and were provided access to the Panetta Review by the CIA itself. As a result, there is no legitimate reason to allege to the Justice Department that Senate staff may have committed a crime. I view the acting general counsel’s referral as a potential effort to intimidate this staff—and I am not taking it lightly.
I should note that for most, if not all, of the CIA’s Detention and Interrogation Program, the now acting general counsel was a lawyer in the CIA’s Counterterrorism Center—the unit within which the CIA managed and carried out this program. From mid-2004 until the official termination of the detention and interrogation program in January 2009, he was the unit’s chief lawyer. He is mentioned by name more than 1,600 times in our study.
And now this individual is sending a crimes report to the Department of Justice on the actions of congressional staff—the same congressional staff who researched and drafted a report that details how CIA officers—including the acting general counsel himself—provided inaccurate information to the Department of Justice about the program.
Once again, it's worth noting that these are the very same folks that, just weeks ago, Feinstein was insisting would never abuse their positions because they're professionals. She said that on January 19th. That was just four days after CIA Director Brennan had told her about how the CIA had conducted the almost certainly illegal search on her own staffers.\
And, of course, this is the point that many of us have been making all along to Feinstein and other kneejerk defenders of the intelligence community. No matter how "professional" they are, they're still human. And given situations where their own jobs may be threatened, they're going to do what they do, and that often leads to serious abuses, like the ones that now have Feinstein so angry. That's why we're so concerned by her lack of real oversight of the intelligence community for years, as well as the rather permissive attitude that both Congress and the courts have taken for years to the intelligence community, by insisting that they only do what they do for the purposes of "national security." I'm curious what kind of "national security" reason the CIA has for spying on the very staffers who were investigating the CIA's torture program?
By this point, it should be clear that when Senators Ron Wyden and Mark Udall ask questions to senior intelligence community officials in open hearings, it's not because they don't know the answers, but because they do, and they have information that they think should be public. Remember, of course, that, years ago, Wyden and Udall were clearly hinting at what Ed Snowden eventually revealed. So, during yesterday's hearing during which leaders from the intelligence community tried to pull their usual "be scared American people!" schtick, Wyden's and Udall's questions point to some potential mischief by the CIA. Both asked questions of CIA boss John Brennan concerning the legality of certain actions. It is unlikely that they did this because they were just curious. Wyden kicked it off by asking if the Computer Fraud and Abuse Act (CFAA) applied to the CIA:
Wyden: Does the federal Computer Fraud and Abuse Act apply to the CIA?
Brennan: I would have to look into what that act actually calls for and its applicability to CIA’s authorities. I’ll be happy to get back to you, Senator, on that.
Wyden: How long would that take?
Brennan: I’ll be happy to get back to you as soon as possible but certainly no longer than–
Wyden: A week?
Brennan: I think that I could get that back to you, yes.
Of course, we've written about the CFAA many times, and how the broadly (terribly) written law has been abused by law enforcement to go after all sorts of ordinary or reasonable computer activity. But Wyden is flipping this around in a slightly interesting way -- asking if the CFAA applies to the CIA. The answer, actually, is probably no, the CFAA doesn't apply to the CIA. If you look at 18 USC 1030(f) (which is part of the CFAA), it says:
This section does not prohibit any lawfully authorized investigative, protective, or intelligence activity of a law enforcement agency of the United States, a State, or a political subdivision of a State, or of an intelligence agency of the United States.
It seems likely that the eventual answer from Brennan to Wyden will basically point to this particular language. But that's not particularly important, as the intent of the question likely had little to do with actually looking at the scope of the CFAA, but rather hinting very strongly that the CIA is hacking into computers in a manner that would violate the CFAA if it wasn't being done by law enforcement.
This was then followed up soon after with a question from Udall, again to Brennan, asking a slightly different question about the CIA's legal authority, which Brennan doesn't actually answer, instead answering a different question that wasn't asked:
Udall: I want to be able to reassure the American people that the CIA and the Director understand the limits of its authorities. We are all aware of Executive Order 12333. That order prohibits the CIA from engaging in domestic spying and searches of US citizens within our borders. Can you assure the Committee that the CIA does not conduct such domestic spying and searches?
Brennan: I can assure the Committee that the CIA follows the letter and spirit of the law in terms of what CIA’s authorities are, in terms of its responsibilities to collect intelligence that will keep this country safe. Yes Senator, I do.
Got that? He was asked "do you spy on Americans?" and the answer was "we follow the law." Considering that Wyden and Udall have been among the leading folks pointing out that the intelligence community has regularly reinterpreted the laws in secret in order to broaden their claimed authority, that answer is hardly assuring. Instead, it sure sounds like the CIA admitting that, hell yes, they spy on Americans under their twisted interpretation of the law. Combine that with Wyden's question -- which may or may not be about the same issue, but the two have often coordinated on these issues -- and it certainly hints at the idea that the CIA is hacking into Americans' computers.
Over the last few months, much of the focus has been on the NSA, but it's important to remember that the CIA actually is bigger in terms of its budget, and remains incredibly powerful and secretive. Also, over the last decade or so there appears to be significant evidence of incredible abuse by the CIA. As we've noted a few times, the Senate Intelligence Committee has been sitting on a supposedly explosive report that cost $40 million to put together, detailing some horrific CIA abuses, which the CIA has been doing everything possible to stop from being released.
Given all this, how long will it be until we discover "explosive" revelations about the CIA that confirm what Wyden and Udall have been hinting at?