Last fall, we wrote about how the FBI had set up a fake AP news story in order to implant malware during an investigation. This came out deep in a document that had been released via a FOIA request by EFF, and first noticed by Chris Soghoian of the ACLU. The documents showed the FBI discussing how to install some malware, called a CIPAV (for Computer and Internet Protocol Address Verifier) by creating a fake news story:
It later came out that the way the FBI used this was that an undercover agent pretended to be an AP reporter and sent the suspect -- a 15-year-old high school kid... -- a "draft" of the article to review. And when the kid opened it, the malware was deployed.
In response to this, FBI director James Comey defended the practice, saying that it was legal "under Justice Department and FBI guidelines at the time" and, furthermore, that this bit of deception worked. Comey also said that while guidelines had changed, and such impersonation would require "higher-level approvals," it was still something the FBI could do.
The AP has now sued the FBI, along with the Reporters Committee on Freedom of the Press (RCFP) over its failure to reveal any more details about this effort following a FOIA request. For reasons that are beyond me, even though it's the AP filing the lawsuit and the AP writing about the lawsuit, reporter Michael Biesecker apparently doesn't think its readers can handle the actual filing, so they don't include it (this is bad journalism, folks). However, you can read the actual lawsuit here.
In short, the AP made a FOIA request for documents related to this specific case above, as well as "an accounting of the number of times" that the FBI "has impersonated media organizations or generated media-style material" to deliver malware. The FBI said it was working on it, and then bizarrely told the AP that the request was being "closed administratively" because it was being combined with someone else's FOIA request, which left the AP reasonably confused, since they had not initiated that request and had no idea who had.
In a letter from Mr. Hardy dated December 10, 2014, the FBI stated that, even though the request had yet to be fulfilled, the AP Request was unilaterally “being closed administratively,” because the “material responsive to your request will be processed in FOIA 1313504-0 as they share the same information.”
The combining of Mr. Satter’s request with Request No. 1313504-0 occurred despite the fact that Mr. Satter had not filed Request No. 1313504-0 and was given no information about the identity of the requester underlying FOIA Request No. 1313504-0.
When the AP asked the FBI for more info, it was told that "the estimated completion time for large requests is 649 days." The FBI still refused to reveal who had sent in the other FOIA request. The AP filed a formal appeal, and a week ago was told that there was nothing to appeal because the FBI had not completed Request No. 1313504-0 (which, again, the AP had not actually sent in). Hence the lawsuit.
The RCFP FOIA request received a somewhat more standard "no responsive records" response, to which the RCFP pointed out that the FBI was clearly lying, given that the earlier response (to the EFF FOIA, which kicked off this whole thing) showed that there were, in fact, such responsive results (I know this experience all too well).
And thus, both organizations are now suing to force the FBI to actually turn over the damn documents. Can't wait to find out all the national security reasons (or will they be redacted) for why the FBI won't respond, and why it combined the AP's FOIA request with some totally unknown party's.
from the statute-of-limitations-may-be-a-problem dept
All the cool kids are suing the NSA these days. The EFF and ACLU led the way, suing the NSA before suing the NSA was cool. Others followed as a series of Snowden/Greenwald split releases gained popularity (culminating in Greenwald leaving The Guardian to start his own website). Most recently, those abused by the NSA for their whistleblowing efforts enlisted the help of the frequently more-entertaining-than-effective Larry Klayman to sue the NSA (and many others) for the retaliatory actions that followed their whistleblowing efforts.
The AP reports (without attaching the relevant filing, because information wants to be omitted) that former Salt Lake City mayor Rocky Anderson is suing the NSA for "mass warrantless surveillance" conducted during the 2002 Winter Olympics, which were held less than six months after the 9/11 attacks.
Rocky Anderson may be suing the NSA, but it appears he's only doing so by hitching his name to a pre-existing lawsuit. Anderson's name isn't found among the listed plaintiffs, which basically makes him a "similarly situated party" -- indistinguishable from the average Salt Lake City resident except that the press is willing to publish his statements.
"I was outraged by this," Anderson said Wednesday. "Fundamentally, we want to get to the truth and expose what our government is doing."
Anderson says he learned about the program from a 2013 report in the Wall Street Journal and has since confirmed it with an unnamed agency source.
The suit names the NSA, FBI, George W. Bush, Michael Hayden, Dick Cheney and 50 "Does." What's alleged in the filing is the interception of data and communications in the Salt Lake City area for the duration of the Winter Olympics.
The NSA, in conjunction with the FBI, planned and implemented a mass warrantless program—for which there was no probable cause, completely outside the Constitution and outside of any applicable federal statutory laws, including FISA, the Wiretap Act, and the Stored Communications Act—in which blanket surveillance was attempted and achieved during a period preceding the commencement of the 2002 Salt Lake Winter Olympic Games and throughout the period of the Games, from February 8, 2002 (Opening Ceremony) through February 24 (Closing Ceremony), over everyone within designated geographical areas, including Salt Lake City, Utah, and the areas including and in the vicinity of all Olympic venues.
That surveillance included the interception and key-word spotting analysis of the contents of every text message sent and received, every email sent and received, and information reflecting the time and length of, and telephone numbers involved in, every telephone conversation involving any person within the areas subjected to the blanket surveillance. In some instances, people or telephone numbers were targeted by the NSA and FBI and telephone conversations involving such targeted telephone numbers were illegally and unconstitutionally recorded and subjected to analysis, without a warrant and without probable cause.
In support of these allegations, it cites the exposure of the "Stellar Wind" program in 2005, as well as other confirmations of the warrantless wiretapping authority granted after the 9/11 attacks.
The plaintiffs' standing relies on very simple assertions: that they made phone calls and sent text messages/emails during the Winter Olympics. Given what we know about the NSA's bulk collection programs, this is all that's really needed to make these allegations. Ex-mayor Rocky Anderson says he knows "about 200 others" who could make similar claims, but the barrier to entry for this class is low enough that thousands of residents and non-residents could join the proceedings, if granted class action status by the court. Here are the class stipulations:
All individuals in the United States who sent or received a phone call, text message, or email from or to a location within Salt Lake City or within an area including and adjacent to any other 2002 Salt Lake Winter Olympic Games venue where any of the defendants were engaged in warrantless surveillance of communications by telephone, text messaging, or email during the time of December 1, 2001 to February 24, 2002 (or whenever it is established the warrantless surveillance took place).
The lawsuit alleges First and Fourth Amendment violations, as well as violations of FISA, the Wiretap Act and the Stored Communications Act. It also cites similar violations of Utah's Constitution.
I'm not sure this suit has any chance of surviving a motion to dismiss by the government. While standing is easier to achieve now that leaked documents have verified the specifics of the NSA's collection programs, the courts have generally granted more deference to the government's "national security" arguments. What is (slightly) helpful is that the Second Circuit found the Section 215 bulk collection isn't actually authorized by the Patriot Act. While Utah resides outside of that Circuit, decisions that question the legitimacy of bulk surveillance still may prove useful to the plaintiffs' claims.
If there's going to be any retribution for the NSA's abuses, it will probably have to wait until the Supreme Court takes a swing at it. And by the time it does, the question about the legality of its bulk collection program (under Section 215) will be largely moot, thanks to the passage of the USA Freedom Act. While lawsuits like these have been mostly fruitless in their pursuit of favorable judgments, they have proven useful for shaking loose previously-hidden documents and legal justifications for warrantless, domestic surveillance.
The claims arise from the government's treatment of these whistleblowers after they started making noise about the NSA's surveillance programs. More specifically, the lawsuit points to the short-lived internet surveillance program THINTHREAD, which was ignored and abandoned in favor of something more expensive, but less protective of Americans' communications.
Plaintiffs worked in various roles on developing and perfecting a candidate program called THINTHREAD which was capable of performing the technical work desired by the NSA for surveillance of the internet efficiently, effectively, and at very low cost.
THINTHREAD was put into operation successfully but only on a demonstration basis. It was approved to demonstrate that it worked, but not officially commissioned for actual operational use.
Despite the Plaintiffs demonstrating that THINTHREAD actually worked, the NSA ignored THINTHREAD as a candidate for performing the desired surveillance of the internet and telephone communications, because THINTHREAD was inexpensive and highly effective, yet Lt. General Michael Hayden had made a corporate decision to “buy” externally rather than “build” internally the solution deemed necessary to harvest internet data.
$4 billion went into another program called TRAILBLAZER (THINTHREAD's internal development cost, by contrast, was only $4 MILLION), along with five years of development. In the end, TRAILBLAZER never worked properly and was abandoned by the NSA in 2006.
This wasteful "funneling" of funds to preferred government contractors was reported to the Dept. of Defense by four of the whistleblowers, under the heading of waste, fraud and misuse of taxpayers' money. The DoD wasn't happy. It issued a scathing internal report. But the NSA wasn't interested in having its faults pointed out. It sent the DOJ after the whistleblowers, using an unrelated leak of information about the NSA's expansive domestic surveillance programs to the New York Times as the impetus for a series of raids.
According to the filing, the raids were retaliatory. The government had already determined the plaintiffs had nothing to do with the leaks reported on by the New York Times. And it used faulty affidavits to justify the corresponding raids.
In fact, the affidavit for the search warrants are themselves based upon an illegal, warrantless phone tap and refer to a conversation illegally intercepted between Plaintiff Roark and Plaintiff William Binney, although misrepresenting the call’s contents. Further, the ultimate pretext for the search, a paper describing THINTHREAD at a high level that Binney had given the FBI, was falsely claimed by NSA to be classified. Thus, the search warrant affidavit is not only false but illegal.
The lawsuit also attempts to use the breadth and reach of known surveillance programs as proof the government knew the whistleblowers had nothing to do with the NYT leak.
Moreover, as later revealed by Edward Snowden, the NSA was even then, with the assistance of cooperating telephone and telecommunications companies, conducting mass interception and surveillance of all telephone calls within the domestic United States for the very purpose – at least so they claimed – of detecting both external and internal threats against the national security of the United States.
Therefore, through those phone and internet records, the Defendants had actual evidence at the time of the false affidavit and retaliatory searches and seizures that none of the Plaintiffs had communicated with The New York Times or other journalists, except that Plaintiff Drake on his own had spoken confidentially with regard to public and/or unclassified information to the Baltimore Sun.
The end result of the FBI, NSA and DOJ's actions in response to whistleblowing (largely performed through proper channels) is a host of alleged civil liberties violations and other abuses, starting with the violation of 1998's Whistleblower Protection Act. From there, the whistleblowers allege violations of their First, Fourth and Fifth Amendment rights, along with malicious prosecution, intentional infliction of emotional distress and abuse of process.
It will be interesting to see where this goes. The government likely won't be able to dismiss the suit quickly, but the plaintiffs are going to run into a ton of immunity claims that will be buttressed by invocations of national security concerns. Their lawyer -- Larry Klayman -- has occasionally displayed his inability to distinguish between actionable claims and conspiracy theories, a tendency that doesn't improve the plaintiffs' chances of succeeding. But of all the outcomes I imagined for the stories of Drake, Binney, et al, taking these agencies on directly in federal court wasn't one of them.
FBI. DEA. NSA. CIA. DHS. TSA. All these acronyms (and more) participate in activities that can (and do) have negative effects on Americans' civil liberties. But that's OK, says the government, because we have oversight. This assertion just simply isn't true. The Snowden leaks proved what oversight existed was beholden to the NSA and frequently put itself between the agency and legislators on the outside of the inner circle in order to keep its secrets protected.
Elsewhere, the entities charged with providing oversight for government agencies -- the various Inspector General's offices -- were finding themselves unable to pursue their duties because the agencies they watched refused to cooperate with their investigations. Michael Horowitz, the DOJ Inspector General, frequently expressed his displeasure with the DEA and FBI, both of which refused to provide him with the documents he was seeking.
Over at the CIA, Inspector General David Buckley performed his investigation of the alleged hacking of Senate staffers' computers. He found the allegations to be true. The CIA responded by discrediting his report and performing its own internal audit, which naturally found the agency to be blameless and the Senate at fault for supposedly abusing its access to CIA documents. Buckley retired. The CIA has yet to replace him.
As if things couldn't get any worse, the Office of Legal Counsel decided the best route for effective oversight was to hand over control to the agencies being overseen. On July 20th, it issued a decision that said Inspectors General needed to seek permission from the agencies under their purview for access to sensitive documents. If the agencies turned them down, too bad. They'd just have to do without.
The IGs -- representing 72 government agencies -- have sent a letter to Congress asking them to overturn the OLC's decision. (via Unredacted)
Despite the unequivocal language of Section 6(a) of the IG Act, the OLC opinion concludes that it does not entitle the DOJ-IG to obtain independent access to grand jury, wiretap, and credit information in the DOJ’s possession that is necessary for the DOJ-IG to perform its work. Indeed, the OLC opinion concludes that such records cannot be obtained by the DOJ-IG pursuant to the IG Act, and can only be obtained in certain – but not all – circumstances through provisions in the specific laws related to those records. Further, the opinion provides that only the Department of Justice itself decides whether access by the DOJ-IG is warranted – placing the agency that the DOJ-IG oversees in the position of deciding whether to grant the Inspector General access to information necessary to conduct effective and independent oversight. Requiring an Inspector General to obtain permission from agency staff in order to access agency information turns the principle of independent oversight that is enshrined in the IG Act on its head.
The OLC opinion’s restrictive reading of the IG Act represents a potentially serious challenge to the authority of every Inspector General and our collective ability to conduct our work thoroughly, independently, and in a timely manner. Our concern is that, as a result of the OLC opinion, agencies other than DOJ may likewise withhold crucial records from their Inspectors General, adversely impacting their work. Even absent this opinion, agencies such as the Peace Corps and the U.S. Chemical Safety and Hazard Investigation Board (CSB) have restricted or denied their OIGs access to agency records on claims of common law privileges or assertions that other laws prohibit access. Similarly, the Department of Commerce denied its Inspector General (Commerce-IG) access to agency records that were needed for the Commerce-IG to complete an audit of agency operations because agency counsel had concluded, based on guidance that agency counsel said came from OLC, that it might be a violation of another federal statute to make the records available to its Inspector General. As a result, the Commerce-IG could not complete its audit.
In other words, things were already bad. Now, they're impossible. These agencies were already doing everything they could to thwart their oversight. Now, the OLC has given them permission to stonewall every single investigation that requires access to "sensitive" agency documents -- which would be a great majority of them.
The letter goes on to point out that the OLC's decision creates a smokescreen that will have serious repercussions for years to come.
Without timely and unfettered access to all necessary information, Inspectors General cannot ensure that all government programs and operations are subject to exacting and independent scrutiny. Refusing, restricting, or delaying an Inspector General's independent access may lead to incomplete, inaccurate, or significantly delayed findings and recommendations, which in turn may prevent the agency from promptly correcting serious problems and pursuing recoveries that benefit taxpayers, and deprive Congress of timely information regarding the agency's activities. It also may impede or otherwise inhibit investigations and prosecutions related to agency programs and operations.
The OLC's decision is astounding, and should be undone as swiftly as possible. There's a lot of room for abuse in many agencies, and one of the only things acting as a check against this are the IGs. The assurances that there is sufficient oversight are hollow. There was very little oversight to begin with. With this determination in place, there's almost none. The denied access can likely be challenged, but time is often of the essence, and weeks or months of discussion over the release of documents can put a lot of space between badly-behaving agencies and whatever scandal they're attempting to ride out.
The OLC has decided government agencies shouldn't be accountable to the public, and its excuse is "security." It's being left up to agencies to decide what information is too "sensitive" to share with their overseers. And it will be evidence of screwups, quasi-legal activities and other abuses of power that receive this label first.
"Knowing it was wrong, you provided material support for a terrorist organization or some other offense," Comey said, explaining how the FBI sees these suspects in response to Huffington Post questions during a meeting with reporters last month. "That is the bulwark against prosecuting someone for having an idea or having an interest. You have to manifest a criminal intent to further the aims prohibited by the statute."
Asked if reposting materials alone would cross the line, Comey said the answer would be different based on the individual circumstances.
"It would depend upon what your mental state is in doing it," the FBI director said. "I can imagine an academic sharing something with someone as part of research would have a very different mental intent than someone who is sharing that in order to try and get others to join an organization or engage in an act of violence. So it's hard to answer in the abstract like that."
Yay. "Mental state" and "intent." That shouldn't be any problem to disprove in court. Comey says the burden of proof rests on the prosecution -- which it does -- but this "burden" becomes significantly lighter when "national security" is invoked and the onus suddenly shifts to the defendants, who are put in the position of proving a negative.
Much like Comey's certainty that secure encryption backdoors exist, the FBI head is also a firm believer that he and his agency will know materially-supportive retweets when they see them.
Comey said it was "pretty darn clear" where the line was.
Eye of the beholder and all that. Not exactly reassuring when the "pretty darn clear" line is being determined by an agency that appears to have created more terrorists in the US than any terrorist organization. Comey talks a lot in Reilly's article about "intent" and "mental state" -- two aspects that have been largely ignored in its counter-terrorist sting operations, which have resulted in the arrest of mentally-incompetent dreamers, senior citizens and a handful of easily-flattered bedroom revolutionaries. When the agency has to do everything but perform the terrorist attack itself, it would appear its definition of "intent" is very fluid... and any considerations about "mental states" completely subservient to its War on Terror desires.
A little over a month ago, we covered a FOIA response (if you could call it that...) from the FBI concerning TrueCrypt, in which it withheld all 69 pages of responsive documents. In addition to the ridiculousness of much of the withheld information being easily-accessible online, there was the question about what this denial meant for TrueCrypt.
When the FBI withholds documents, it often does so because the subject of the FOIA involves an ongoing investigation. In this case, the FBI cited an FOIA exemption related to "trade secrets and commercial information," which none of this was. So, why all the secrecy? Perhaps it was just the agency's default mode taking over. Or maybe it had something to do with TrueCrypt's sudden decision to halt development and declare the software "insecure." Had the FBI managed to "break" TrueCrypt or was its lack of a response to this request a signal that it was talking to the people behind it?
Scott Glenn, a 35-year-old Harris Corp. employee working at a US military base in Honduras, apparently made off with documents considered to be "military secrets."
In January, he admitted he hacked into the base commander's classified email account and copied thousands of messages and more than 350 attached documents, much of which dealt with U.S. military plans and information regarding the Middle East.
The judge who sentenced Glenn to 10 years in prison asserted Glenn grabbed these documents out of a desire to "damage" the "security" of the United States. His lawyer had argued that Glenn was nothing more than a "technological hoarder" -- someone who collects this sort of stuff just to be collecting it. He pointed to Glenn's retention of a secretary's hard drive that had no discernible value to anyone as evidence of Glenn's "hoarding" habit. He also pointed out Glenn never tried to distribute the documents or attempted to use them for financial gain.
Glenn, however, has both a troubled legal past and a hazy legal future. He has previously been expelled from a military base for committing benefits fraud and hacking into US databases for Iraqi businesses. He's also being investigated for "sexually exploiting" Honduran minors.
But the nexus point for this stash of military documents was TrueCrypt.
Glenn read up on the art of espionage and used an elaborate encryption system, TrueCrypt, with a decoy computer drive to distract investigators from another hidden drive that he protected with a complex 30-character password, army counterintelligence expert Gerald Parsons testified.
The FBI's counterintelligence squad in South Florida was able to crack Glenn's code, Parsons said.
Parsons said he didn't know how the FBI agents did it but he estimated it would have taken "billions" of years to crack the code using traditional methods.
This should be a bit concerning for TrueCrypt users. Either Glenn's password was cracked (rather than TrueCrypt's encryption) or the questions raised about the predictability of the random-number generator behind the encryption method have some validity. Because "traditional methods" would still be underway -- at least according to the expert presented by the prosecutors -- something else had to give. The most likely explanation is that Glenn gave up his password or had it trapped by a keylogger or other government surveillance software. The FBI has tried to crack TrueCrypt's encryption before and had no luck.
With many documents related to the case still sealed, it's unclear what the government's expert meant by "cracked." It likely means TrueCrypt is as secure as it has been, but its appearance in a case centering on a decrypted hard drive doesn't exactly encourage the throwing of caution to the wind.
The FBI recently raided a small gas station in Cleveland, Ohio for apparently no other reason than having a controversial mural painted on the wall.
The SWAT team, armed with rifles, handguns, and bulletproof vests, stormed through the store without showing any warrants or answering any questions about why they were there according to the store’s owner, Abe Ayad.
According to Cleveland’s NewsNet5, Ayad demanded to see a warrant from the agents, but they were never able to show him one.
Here's some video of the raid, which apparently concluded (the video, not the raid) when FBI agents shut down the recordings.
*While this sounds entirely despicable, there is a small bit of truth underlying the depiction of a rabbi with his mouth on an infant's penis. Here's a description of the circumcision process, as practiced by some Orthodox members of the Jewish faith. It's short, but says all it needs to say.
Under Jewish law, a mohel must draw blood from the circumcision wound. Most mohels do it by hand with a suction device, but some Orthodox groups use their mouth to draw blood after cutting the foreskin.
Abe Ayad "identifies" as a Muslim, which probably makes him a Muslim (distancing use of "identifies" courtesy of Cleveland.com), which probably explains why so many of his murals target Jews. That these are displayed on the outside of his business sort of makes it a civic issue. In all fairness to the city, it has never demanded a removal of the murals. It has only asked that they be made smaller and thus less visible from the road.
Ayad has refused. And if a man's home is his castle and his licensed business his castle with an ROI, then he should -- for the most part -- be free to decorate it with images others might find offensive. (Obviously, actually obscene images would be another issue altogether.) Those offended are free to tell Ayad he's a racist and a fool and spend their money elsewhere. It's not as though Ayad is the sole provider of anything in Cleveland. But considering the issues at the center of the artwork, the city has responded in a mostly commendable fashion. There seems to be nothing approaching a heckler's veto being humored here.
That's the good news. Here in the US, people are free to display their irrational hatred and ignorance. If Ayad isn't actually committing violence against Jews or imploring others to commit criminal acts, then his artwork is just a two-party wall of shame that should be pitied for its deep-held ignorance, rather than booed off the face of the planet by the offended.
Ayad also claims to have been raided by local police in 2009. He doesn't specifically say it was because of the murals (it's implied) but law enforcement seized money, guns and an apparently very expensive stamp collection. Most of it was subsequently returned.
“They can’t arrest me. For what?” said Ayad. “2009 they raided me too. No charges. They gave me back my guns, they kept my money and then they gave me back my money minus the coin collection, which was valued over $3 million.”
Similar items were seized in the recent raid. But this doesn't have anything to do with the murals, even if Ayad is skewing it in that direction. Cleveland.com has, simultaneously, no details and more details.
FBI spokeswoman Vicki Anderson said agents surrounded and sealed off the East 55th Street gas station about 10 a.m. to execute a warrant.
She would not provide any other details.
Ayad, however, did.
The store's owner, Abe Ayad, said agents were looking for evidence of food stamp fraud and illegal gun sales. Ayad said no such activity has taken place in the business.
Which is not the same thing as being raided for controversial murals. Ayad may believe this is part of a conspiracy to shut down his business and save the city from having to field more mural-related complaints, but it appears the issues at hand in this raid (and the 2009 raid as well) are unrelated to the paintings on the exterior walls.
Now, it may be possible that two raids with six years between them are both a part of a larger plan to disrupt and destroy Ayad's business. It could be Ayad's multiple appearances in court for civil lawsuits are also instrumental to the city's long-term plan to be rid of his murals forever. Or it could simply be that neither of these are related to the artwork, but rather inextricably tied together because the murals on the outside can't be separated from the interior of the business endorsing these viewpoints.
It may be that someone in Cleveland's law enforcement community has it in for Ayad, possibly because of the murals, but there doesn't appear to be a sustained history of harassment. While the city would undoubtedly enjoy a respite from Ayad's "antics" and the complaints that follow them, there's very little here to justify any claims that the FBI raided Ayad's store over the murals. Free speech (mostly) lives here and Ayad's contentious relationship with a great many people has yet to see his store shut down for any reason, legitimate or not.
As for Ayad not being allowed to see the warrant, that's perfectly legal as well. Law enforcement officers are under no obligation to present the warrant before performing searches or seizures. It's simply enough that the warrant exists and is presented to the raided party at some point during the search. A "warrantless raid" -- as this has been portrayed -- means the absence of a warrant, not just that the raided party wasn't presented with a warrant before it commenced. Any number of exigent circumstances exist that allow for the presentation of a warrant after a search/seizure has already commenced. In this case, paperwork was handed over to Ayad at the time of the agents' departure. So, while a bit on the shady side morally-speaking, the entire operation clearly falls within the legal bounds.
I'm all for a "bad cop/censorship" narrative, but one doesn't exist here. I prefer the ones where the official parties have buried themselves, rather than grab a shovel and start hurling dirt when in possession of only a bare minimum of facts. So, score one for the good guys, I guess -- pending any further details that point to the FBI being pointed in the direction of Ayad because (a) he's Muslim and (b) he owns guns.
from the dodgy-agency-dodged-by-respectable-parties dept
The FBI's cyber-initiatives may be doomed to fail. While it seems to have little problem acquiring and deploying new technology and techniques, it's finding it very hard to talk people into running all of it, as Alexander Martin at The Register points out.
The Federal Bureau of Investigation is struggling to hire computer scientists, according to a Department of Justice audit of the feeb's attempts to implement its Next Generation Cyber Initiative.
A 34-page audit report (PDF) from the DoJ notes that, while making considerable progress, the FBI has "encountered challenges in attracting external participants to its established Cyber Task Forces".
The Inspector General's report provides additional details on how far behind the agency is falling on its hiring goals. Even the hiring process itself is holding the FBI back.
While the process may start with a recruitment event attended by 5,000 interested candidates, the inability of candidates to meet the FBI’s specific eligibility criteria reduces that number to approximately 2,000 eligible candidates. Subsequently he told us that only about 2 candidates out of such a group are actually hired by the FBI. Another FBI official told us that the FBI loses a significant number of people who may be interested because of the FBI’s extensive background check process and other requirements, such as all employees must be United States citizens and must not have used marijuana in the past 3 years, and cannot have used any other illegal drug in the past 10 years. Another factor may be that private sector entities are able to offer technically trained, cyber professionals higher salaries than the FBI can offer.
The whitehat hackers the FBI would like to hire are looking for more pay and a less-intrusive hiring process. The FBI's hiring process and wage scale are unlikely to be responsive (though the latter is far more flexible than the former) to these demands. As long as coders can get better pay from employers that don't subject them to this level of pre-hire intrusion, the FBI will always find its staffing trailing its capabilities.
While the Five Eyes partners mentioned in the report have expressed their support of the FBI's cyber-focused joint task force, it's clear the public has not. But that part of the equation isn't mentioned in the OIG report. It may have been discussed off the record, but there's no acknowledgment that the post-Snowden climate -- combined with the exposure of FBI misconduct ranging from national security letter abuse to its series of entrapment-esque terrorism busts -- has made the FBI a less-than-desirable employer. Its reputation isn't entirely toxic, but it has managed to alienate a large portion of the tech crowd it wishes to hire. Director James Comey's continued assault on encryption isn't helping anything.
It's doubtful the deployment of a G.I.-bill-but-for-coders will fix this, but that's what the agency is looking to do.
One FBI official explained that the FBI is offering several incentives to recruit individuals including school loan repayment, reimbursement for continuing education, and hiring at higher salary levels on the general pay scale. He also added that the FBI is providing training opportunities for existing personnel including certifications and enrollment in the Carnegie Mellon University Master’s program in Information Technology as retention tools. In addition, in December 2014, the FBI announced to its employees a similar program at the New York University Polytechnic School of Engineering.
The good news is that once someone's hired by the FBI, they tend to stay, despite more lucrative opportunities elsewhere. But that's of little use when the problem is acquisition, rather than retention.
As of January 2015, however, 52 of the 134 Computer Scientist positions remained vacant and 5 of 56 field offices did not have at least 1 computer scientist, as planned.
Working for the FBI isn't like working for another tech company. The job also has a social cost that won't be addressed by student loan assistance and training opportunities. To work for the FBI, especially for someone who identifies as a "hacker," is to say goodbye to a large number of your colleagues. While the private sector doesn't lack for non-disclosure agreements, the FBI's disapproval of "shop talk" with friends and family carries hefty federal weight behind it. Normal small talk starts to resemble a series of probative queries. This may only exist in the minds of those interacting with friends and colleagues who have taken jobs at the FBI, but it's enough to make things uncomfortable.
The FBI may believe its problems are mostly of the pay scale variety, but there's more to it than purely fiscal concerns. The agency may do good work, but it has engaged in questionable investigations and activities almost since its formation. Leaks and FOIA documents have done further damage to its reputation in recent years. The FBI -- despite its technical prowess -- appears to be anti-tech, at least in terms of fighting against any advances that impede its surveillance techniques. The agency, for lack of a better word, is untrustworthy. The FBI appeals to candidates' idealism during the recruitment process, but over the years, it has repeatedly acted without integrity. Because of that, it will always have a problem finding whitehats willing to work for an entity that often seems to be in the "blackhat" camp.
There have been plenty of discussions on the possible "risks" of running a tor exit node, where clueless law enforcement might confuse traffic that comes out of that node as being from the person who actually manages the node. And, indeed, last year we wrote about an absolutely ridiculous case in which a tor exit node operator in Austria was found guilty as an "accomplice" because someone used his node to commit a crime. Thankfully, it appears that the US isn't going quite down that road yet. It appears that a month and a half ago, of all places, the website Boing Boing received a subpoena concerning the tor exit node that the site hosts, demanding an appearance before a federal grand jury in New Jersey.
Except, Boing Boing's lawyer, Lauren Gelman, quickly shot off a note explaining "tor exit node" to the FBI... and the FBI understood what was going on and moved on. Really. Here's the note that Gelman sent:
Special Agent XXXXXX.
I represent Boing Boing. I just received a Grand Jury Subpoena to Boing Boing dated June 12, 2015 (see attached).
The Subpoena requests subscriber records and user information related to an IP address. The IP address you cite is a TOR exit node hosted by Boing Boing (please see: http://tor-exit.boingboing.net/). As such, Boing Boing does not have any subscriber records, user information, or any records at all related to the use of that IP address at that time, and thus cannot produce any responsive records.
I would be happy to discuss this further with you if you have any questions.
They didn't have any questions. They understood the situation and (one assumes) continued the investigation through other means. As Cory Doctorow writes:
The FBI agent did his homework, realized we had no logs to give him, and no one had to go to New Jersey. Case closed. For us, anyway. Not sure what went down with the grand jury.
We write plenty of stories about "clueless" law enforcement and politicians overreacting to things by not understanding the technology. Because that's newsworthy. But it is worthwhile, every once in a while, to remember that there are some in these jobs who do understand technology and are perfectly willing to understand what is happening and continue to do their jobs without going overboard.
And, as Cory notes, perhaps this story of nothing actually happening will be useful in convincing a few more people that maybe the "risks" of running a tor exit node aren't quite as high as some have made them out to be. Yes, you may receive a subpoena, but hopefully it's from law enforcement willing to understand how tor actually works and what it means.
The wonderful Freedom of the Press Foundation is now suing the US Justice Department for refusing to reveal its rules and procedures for spying on journalists. You can read the complaint here. The key issue: what rules and oversight exist for the DOJ when it comes to spying on journalists. As you may recall, a few years ago, it came out that the DOJ had been using some fairly sneaky tricks to spy on journalists, including falsely telling a court that reporter James Rosen was a "co-conspirator" in order to get access to his emails and phone records. In response to a lot of criticism, the DOJ agreed to "revise" its rules for when it snoops on journalists.
There is no change to how the F.B.I. may obtain reporters’ calling records via “national security letters,” which are exempt from the regular guidelines. A Justice spokesman said the device is 'subject to an extensive oversight regime.'
Extensive oversight regime, eh? The Freedom of the Press Foundation sought to find out just what kind of extensive oversight there really was -- and came up against a brick wall in the form of black redaction ink:
That's from the DOJ's Inspector General report, concerning a situation where the FBI had used an NSL to access a journalist's communications inappropriately. As the Freedom of the Press Foundation notes, elsewhere in that same report, it appears that the FBI is actually ignoring recommendations of the Inspector General concerning these situations, despite the "First Amendment interests implicated."
As the Foundation notes, the redactions here make the details entirely opaque, and the Inspector General's Office has made it clear that it disagreed with the redactions, saying that revealing the information behind that black ink "is important to the public's understanding of the FBI's compliance with NSL requirements." Given that, the Foundation is now suing to find out those details. The lawsuit specifically requests that the DOJ reveal those documents in their entirety, which includes the "extensive regime, rules, guidelines, or infrastructure that oversees the issuance of NSLs or exigent letters to obtain records regarding a member of the media" as well as "the current procedures that FBI agents must undertake in advance of issuing a NSL or exigent letter to obtain records regarding any member of
I'm going to go out on a limb here and say that the DOJ will reply, hysterically, that revealing this kind of information will put national security at risk and could reveal important law enforcement gathering techniques that will aid those out to harm us or some such crap. Perhaps they'll even toss in a request to dump the entire case for reasons of "national security." Just recognize that this is all bullshit. The request here is not for any details that are going to help any criminals get away with anything. All it is asking for is what process the FBI uses to make sure that it's not violating the First Amendment in spying on journalists. If that's something that needs to be kept secret, there can be only one reason: because the FBI is embarrassed by what it's doing in spying on journalists.