by Mike Masnick
Thu, Jul 24th 2014 7:43am
by Mike Masnick
Mon, Jul 21st 2014 3:38pm
Court Rules Against EFF In DOJ FOIA Lawsuit... But Mainly Because ODNI Already Declassified Most Of It
from the progress dept
Following the Snowden revelations, and the sudden "we love transparency*" (*not really) attitude of the ODNI, it started re-reviewing the original redactions and (look at that!) suddenly realized that it didn't actually need to have wasted so much black ink on the originals. EFF continued to push back on certain redactions, and ODNI magically discovered even more wasted black ink. Eventually, huge portions of the various documents that had previously been withheld were revealed. EFF kept pushing, and asked the court to review some of the remaining redactions, just to make sure that ODNI wasn't hiding anything solely out of embarrassment, rather than for legitimate national security purposes. The court got to secretly review the unredacted document, asked some detailed questions of the DOJ, leading to even more redactions falling by the wayside. So, now, finally, after all of that, the judge has basically said that all of the remaining redactions are legitimate, and thus effectively rules "against" the EFF.
However, this is a pretty clear victory for the EFF, considering that during the course of the case it was able to remove many of the original redactions. Of course, this is still problematic, because it highlights how many of those original redactions were clearly improper, and it took this long and convoluted process (and Ed Snowden) before ODNI was willing to reveal these documents concerning a rather key program in how the NSA conducts surveillance.
by Mike Masnick
Wed, Jul 9th 2014 2:23pm
from the want-to-try-that-again? dept
The Justice Department did not respond to repeated requests for comment on this story, or for clarification about why the five men’s email addresses appear on the list. But in the weeks before the story was published, The Intercept learned that officials from the department were reaching out to Muslim-American leaders across the country to warn them that the piece would contain errors and misrepresentations, even though it had not yet been written.The fact that it was out warning people that the story was inaccurate before anything had even been written is... quite telling. Also, the fact that it only seemed to focus on the lack of a FISA warrant (and against one individual) seems like the standard form of the intelligence community choosing their words especially carefully to say one thing, while implying something else entirely. Now that the report has actually come out, the Office of the Director of National Intelligence (ODNI) has issued a statement that is more of the same. You will note, for instance, that it does not deny spying on the five named individuals -- only that it doesn't spy on people because of their political, religious or activist views:
Prior to publication, current and former government officials who knew about the story in advance also told another news outlet that no FISA warrant had been obtained against Awad during the period cited. When The Intercept delayed publication to investigate further, the NSA and the Office of the Director of National Intelligence refused to confirm or deny the claim, or to address why any of the men’s names appear on the FISA spreadsheet. Prior to 2008, however, FISA required only an authorization from the attorney general—not a court warrant—for surveillance against Americans located overseas. Awad frequently travelled to the Middle East during the timeframe of his surveillance.
It is entirely false that U.S. intelligence agencies conduct electronic surveillance of political, religious or activist figures solely because they disagree with public policies or criticize the government, or for exercising constitutional rights.Again, note the specific denial they're making. They're not denying they spied on these five individuals. They're claiming that if they spied on them, it wasn't because of their religion -- though the evidence presented in the Intercept article certainly rules out many other explanations. And, remember, it was just a week ago that it was revealed that the NSA, does, in fact, consider people interested in Tor or open source privacy to be extremists. So, while it may be technically true that these individuals weren't targeted because of their religion, it does seem fairly clear that the intelligence community has fairly low standards for what it takes to convince themselves that someone may be a threat.
Unlike some other nations, the United States does not monitor anyone’s communications in order to suppress criticism or to put people at a disadvantage based on their ethnicity, race, gender, sexual orientation or religion.
Our intelligence agencies help protect America by collecting communications when they have a legitimate foreign intelligence or counterintelligence purpose.
Furthermore, the statement admits that there are cases where it spies on people without approval from the FISA Court, but doesn't say what those examples are beyond "in an emergency." That may imply the only cases are in an emergency, but that's not what the statement actually says:
With limited exceptions (for example, in an emergency), our intelligence agencies must have a court order from the Foreign Intelligence Surveillance Court to target any U.S. citizen or lawful permanent resident for electronic surveillance.And, again, as the Intercept report itself notes, prior to 2008, there were different standards in place for people traveling overseas (even Americans) which could explain how some of these individuals were targeted.
These court orders are issued by an independent federal judge only if probable cause, based on specific facts, are established that the person is an agent of a foreign power, a terrorist, a spy, or someone who takes orders from a foreign power.
The ODNI statement more or less concludes by suggesting that the five people named may have been agents of foreign powers, which is quite a claim:
No U.S. person can be the subject of surveillance based solely on First Amendment activities, such as staging public rallies, organizing campaigns, writing critical essays, or expressing personal beliefs.It's a neat little out. Accused of spying on five Americans who pretty clearly do not appear to be agents of foreign powers, just hint strongly that they really are agents of foreign powers. It's back to the good old days of McCarthyism.
On the other hand, a person who the court finds is an agent of a foreign power under this rigorous standard is not exempted just because of his or her occupation.
by Mike Masnick
Wed, Jul 2nd 2014 3:11pm
from the eff-may-need-a-whole-floor-devoted-to-nsa-lawsuits dept
EFF filed a FOIA request to find out about the NSA's process for determining whether to exploit or reveal a zero day... and hasn't received a response, despite a promise by the government to "expedite" the request. Hence: the new lawsuit.
"This FOIA suit seeks transparency on one of the least understood elements of the U.S. intelligence community's toolset: security vulnerabilities," EFF Legal Fellow Andrew Crocker said. "These documents are important to the kind of informed debate that the public and the administration agree needs to happen in our country."These days, it really does seem that the only way to get the government to cough up these kinds of documents is to file a lawsuit, which really defeats the purpose of the whole FOIA process. Perhaps the government should just admit it's a charade and let people go straight to the lawsuit filing process instead.
Over the last year, U.S. intelligence-gathering techniques have come under great public scrutiny. One controversial element has been how agencies such as the NSA have undermined encryption protocols and used zero days. While an intelligence agency may use a zero day it has discovered or purchased to infiltrate targeted computers or devices, disclosing its existence may result in a patch that will help defend the public against other online adversaries, including identity thieves and foreign governments that may also be aware of the zero day.
"Since these vulnerabilities potentially affect the security of users all over the world, the public has a strong interest in knowing how these agencies are weighing the risks and benefits of using zero days instead of disclosing them to vendors," Global Policy Analyst Eva Galperin said.
by Tim Cushing
Mon, Jun 30th 2014 8:39pm
New FISC Memorandum Says Bulk Metadata Program Still Good To Go Until Congress Or Supreme Court Says Otherwise
from the we-still-have-the-greatest-enthusiasm-and-confidence-in-the-mission dept
Also noted was the fact that the new transparency was short a few documents, namely the March renewal order for the bulk phone metadata collection. Lo and behold and under the cover of late Friday afternoon (to better be smuggled in as the nation punched its collective timeclock), the Office of the Director of National Intelligence released two orders: the March and June renewals of the bulk records collections.
There's nothing very notable about either of the two renewal orders, both of which say roughly the same thing and wear their fashionable black redaction marks on exactly the same words. What is notable is the memorandum opinion released with them, which details the events that have occurred in recent months that have affected both the collection and the minimization procedures the NSA follows.
In the past few months, two metadata-related lawsuits have resulted in court orders demanding preservation of evidence, some of which was due to age off as part of the normal minimization procedures. The court orders wreaked a bit of havoc in FISC judge Reggie Walton's court, forcing him to first order data to be destroyed (noting again that the minimization procedures were one of the few things that even allowed this bulk collection of American data to be legal) and finally, once the DOJ had stopped misleading him (and the cases' plaintiffs themselves), to halt the destruction of relevant (to the cases, not to counterterrorism) metadata.
Throughout it all, the DOJ performed a remarkable plate-spinning act, keeping all decisions aloft while it contemplated best-case scenarios. Unlike true plate-spinning acts, the DOJ really didn't care whether the plates continued spinning or crashed to the ground, as it's unlikely to ever allow this evidence to be used in court. (Indeed, it spent much of its plate-spinning time destroying data it was ordered to preserve.) Though the three involved courts had plenty to do to ensure the rights of non-NSA Americans weren't violated, the DOJ's main purpose was to shuttle paperwork back and forth until it could be safely revealed that the multi-billion dollar superspyplex was incapable of doing the very thing under discussion: preserving data past the expiration date. (This should have come as no surprise, considering the NSA had announced previously that it was incapable of searching its own email system. [And yet, it claims to have found only one email related to Snowden whistleblowing attempts.])
Also, during the past few months, two contradicting court opinions on the legality of the bulk record collections were released. The one that found it unconstitutional (DC district court judge Richard Leon) was stayed awaiting appeal, changing nothing in the NSA's plans to collect it all, but prompting some reflection from the FISA court. The other confirmed the status quo.
All the while, millions of gallons of prime (and confidential) desert water (acquired at budget rates) continued to flow into the NSA's new Utah spybox even as, ironically, fires broke out within the building itself. The security state is still alive and well… even if it seems to be pausing more frequently to catch its breath and favoring a limb or two.
But back to the order. During the disarray of the last few months, two bulk records orders were renewed. While the memorandum changes nothing, it does at least acknowledge the fact that the collection is under considerable public scrutiny, not to mention awaiting implementation of the administration's reforms. But it does point out that there are really only two entities that can bring a complete halt to this collection -- and so far, neither have made that move.
The unauthorized disclosure of the bulk telephony metadata collection more than a year ago led to many written and oral expressions of opinions about the legality of collecting telephony metadata. Congress is well aware that this Court has interpreted the provisions of 50 U.S.C. 1861 to permit this particular collection, and diverse views about the collection have been expressed by individual members of Congress. In recent months, Congress has contemplated a number of changes to the Foreign Intelligence Surveillance Act, a few of which would specifically prohibit this collection. Congress could enact statutory changes that would prohibit this collection going forward, but under the existing statutory framework, I find that the requested authority for the collection of bulk telephony metadata should be granted. Courts must follow the law as it stands until the Congress or the Supreme Court changes it.The House stripped the USA Freedom Act of nearly all of its teeth before passage, which makes it a long shot for Congress to explicitly outlaw this collection any time soon. Various other reform measures, including an amendment that slammed one domestic surveillance backdoor shut, have fared better.
The issue may eventually end up in the Supreme Court (which has shot down two attempts already), but despite a recent victory for the Fourth Amendment, the court system's deference to "national security" arguments has generally resulted in wins for the government. Even if it does land in front of the justices, there's little to indicate that whatever case forces consideration of the issue will be the best scenario to "test" the issue, much less provide a solid platform for Fourth Amendment arguments. And even if the Supreme Court does agree bulk records collection violates citizens' rights, the government will swiftly act to ensure the decision has only a minimal effect on its collection efforts.
Finally, there's a small paragraph that indicates that the release of these two documents was, again, not the result of the ODNI's half-hearted embrace of openness.
In light of the public interest in this particular collection and the government's declassification of related materials, including substantial portions of Judge Eagan's August 29 Opinion, Judge McLaughlin's October 11 Memorandum, and Judge Collyer's March 20 Opinion and Order, I request pursuant to FISC Rule 62 that this Memorandum Opinion and Accompanying Primary Order also be published, and I direct such request to the Presiding Judge as required by the Rule.The rule cited allows FISC judges to order the release of orders, opinions and decisions and is by no means a recent development. The rules date back to 2006, but it's only in the last year that we've seen anyone exercise this option. Does anyone out there think this would have occurred without "unauthorized disclosure?" Those looking to lock up Snowden for his leaks would do well to remember small details like this. Going through "proper channels" wouldn't have forced this level of transparency or prompted the secretive FISA court to start ordering declassifications on its own. It took a whole lot of pushing and the stripping away of layer after layer of secrecy and plausible deniability to achieve this.
by Tim Cushing
Fri, Jun 27th 2014 12:23pm
Transparency Report From Office Of The Director Of National Intelligence Shows Government Issuing 50 NSLs Per Day
from the section-702-still-most-efficient-use-of-paperwork dept
In the begrudging spirit of forced openness, the Office of the Director of National Intelligence (James "Least Untruthful" Clapper, presiding) has released its First
Annual Ever Transparency Report. So, what have our intelligence agencies been up to for the last calendar year? Well, a little of this and whole lot of that, all of it broken down into numbers that don't really provide that much transparency.
The figure that first stands out is related to the Section 702 program. As defined in intelspeak, the 702 program:
facilitates the acquisition of foreign intelligence information concerning non-U.S. persons located outside the United States, creating a new, more streamlined procedure to collect the communications of foreign terrorists.In plain English, the Section 702 program does this:
[The] collection done under Section 702 captures content of communications. This could include content in emails, instant messages, Facebook messages, web browsing history, and more.Like other bulk surveillance programs, Section 702 supposedly targets non-US persons but frequently "incidentally" collects content from US persons and other non-targets. This data on Americans is then searchable via backdoor searches. Much of this information is collected directly off the "Internet backbone" as communications flow through NSA collection points. The authority it operates under is incredibly vague and almost completely without adequate oversight. This last sentence explains the following numbers.
In contrast with sections 703, 704 and pen register requests -- where the number of targets roughly corresponds with the number of orders -- the 702 program operates under one order… which nets over 89,000 targets. Note -- and this is important -- that the report only says how many "targets" are "affected." It does not say how many other people's communications are "incidentally" collected along the away and made open to those backdoor searches. And, rest assured, that number is likely much larger than 89,000 -- especially since we already know that any communication "about" any target gets swept up, but that won't count towards that number. And, as discussed below, the definition of "target" can often mean something entirely different than what you think it means. This broad collection, one that harvests content rather than (supposedly harmless) metadata, is one of the NSA's favorite tools and explains its willingness to discuss alterations to the Section 215 bulk metadata program, but not to change the 702 program at all. (Not that anything much actually happened to the 215 program, even after all of the discussion.)
What's more interesting, though, is the long discussion about the incredibly high number of National Security Letters issued in 2013.
The FBI (along with other agencies) is issuing NSLs at the rate of 53 per day. The ODNI's long explanation attempts to portray this huge number as most certainly not evidence of NSL abuse.
In addition to those figures, today we are reporting (1) the total number of NSLs issued for all persons, and (2) the total number of requests for information contained within those NSLs. For example, one NSL seeking subscriber information from one provider may identify three e-mail addresses, all of which are relevant to the same pending investigation and each is considered a “request.”So, the FBI (and unnamed other agencies) must issue a new NSL (the "must" is up for discussion) for each account it wishes to collect from, whether it's an email address or some other online account. And if multiple names are used for one target, then new NSLs must be issued to claim that information. And so on, until the government is issuing nearly 20,000 per year.
The ODNI attempts to explain how difficult it is to narrow down how many people are being targeted by NSLs.
We are reporting the annual number of requests rather than “targets” for multiple reasons. First, the FBI’s systems are configured to comply with Congressional reporting requirements, which do not require the FBI to track the number of individuals or organizations that are the subject of an NSL.All well and good, but the DOJ's transparency report (linked to by the ODNI) breaks that number down just fine. (For whatever reason, the ODNI Tumblr post links to a report for 2012. The PDF of the ODNI's report contains a link to the 2013 version. Both are embedded below.)
Even if the FBI systems were configured differently, it would still be difficult to identify the number of specific individuals or organizations that are the subjects of NSLs. One reason for this is that the subscriber information returned to the FBI in response to an NSL may identify, for example, one subscriber for three accounts or it may identify different subscribers for each account…
We also note that the actual number of individuals or organizations that are the subject of an NSL is different than the number of NSL requests. The FBI often issues NSLs under different legal authorities, e.g., 12 U.S.C. § 3414(a)(5), 15 U.S.C. §§ 1681u(a) and (b), 15 U.S.C. § 1681v, and 18 U.S.C. § 2709, for the same individual or organization.
From the 2013 letter:
In 2013, the FBI made 14,219 NSL requests (excluding requests for subscriber information only) for information concerning United States persons. These sought information pertaining to 5,334 different United States persons.From the 2012 letter:
In 2012 the FBI made 15,229 NSL requests (excluding requests for subscriber information only) for information concerning United States persons. These sought information pertaining to 6,223 different United States persons.It appears the FBI has the power to narrow down the number of persons targeted by its NSLs, although something must have happened in 2013 that made it append the following footnote to its FY2013 letter.
In the course of compiling its National Security Letter statistics, the FBI may over-report the number of United States persons about whom it obtained information using National Security Letters. For example, NSLs that are issued concerning the same US. person and that include different spellings of the US. person's name would be counted as separate U.S. persons, and NSLs issued under two different types of NSL authorities concerning the same US. person would be counted as two US. persons. This statement also applies to previously reported annual US. person numbers.The DOJ's transparency letters again point out that the FISA court is basically approving everything set in front of it. Only one order has been withdrawn in the last two years and only 74 of 3,511 orders presented for "electronic surveillance" and/or "physical searches" were modified. The Section 215 collection requests were sent back for modification more often (roughly 2/3rds of the time) but ultimately, not a single one of those requests were denied.
So, there's more transparency than we're used to, but the 702 program still remains the best kept open secret. One order accesses thousands of "targets," and the ODNI hasn't exactly been forthcoming with additional details. Another explanatory note included does, however, point out inadvertently how useless the word "target" is when deployed by the NSA.
Within the Intelligence Community, the term “target” has multiple meanings. For example, “target” could be an individual person, a group, or an organization composed of multiple individuals or a foreign power that possesses or is likely to communicate foreign intelligence information that the U.S. government is authorized to acquire by the above-referenced laws.Section 702's "explanation" takes it even farther:
In addition to the explanation of target above, in the context of Section 702 the term “target” is generally used to refer to the act of intentionally directing intelligence collection at a particular person, a group, or organization.It's a noun, it's a verb, it's pretty much anything the NSA wants it to be, as Marcy Wheeler explains:
Except that it doesn’t admit that, at least in the past, sometimes target means “the switch we know lots of al Qaeda calls to use.” Meaning the term “target” is a misnomer even within the context they lay out.There's still nothing "targeted" about the NSA's supposedly targeted collections. The collection comes first and the targeting comes later -- sometimes using pre-determined selectors and other times by splashing around in the data until something presents itself. What the NSA means by "target" is nothing more than a term deployed to gain access to massive amounts of communications and data, all under the theory that it's somehow "relevant" to its counter-terrorism work.
The new report is a step towards transparency, but it's a very calculated move that throws out a few vague numbers while withholding anything that could put them into context. In this sense, it follows the administration's idea of transparency: nothing that goes deeper than the surface.
by Mike Masnick
Fri, Jun 20th 2014 3:01pm
from the well,-that-was-an-idea dept
We welcome your proposal, announced on March 27, 2014, to end the bulk collection of Americans' phone records under Section 215 of the USA PATRIOT Act. We believe as you do that the government can protect national security by collecting the phone records of individuals connected to terrorism, instead of collecting the records of millions of law-abiding Americans. We also believe that you have the authority to implement your proposal now, rather than continuing to reauthorize the existing bulk collection program in 90-day increments.And, of course, just hours later, James Clapper responded, not to the letter, but in a Tumblr post, which again mentions how President Obama promised to end such bulk collection, but then saying that the administration is still seeking the next 90 day extension to keep collecting those phone records. The post even calls out the passage of the totally watered-down USA Freedom Act in the House as "prohibiting" such bulk collection (even though it doesn't really do that, since it allows broad selectors that give the NSA effectively the same power). However...
Given that legislation has not yet been enacted, and given the importance of maintaining the capabilities of the Section 215 telephony metadata program, the government has sought a 90-day reauthorization of the existing program, as modified by the changes the President announced earlier this year.Wait. Given what importance of maintaining the capabilities? So far, every analysis of the program has shown that it wasn't important at all. How could anyone in the administration still claim with a straight face that the Section 215 bulk phone records collection is "important" when everyone who's seen the evidence agrees that the program has been next to useless in stopping terrorism.
Consistent with prior declassification decisions, in light of the significant and continuing public interest in the telephony metadata collection program, the Director of National Intelligence, James Clapper, has declassified the fact that the government’s application to renew the program was approved yesterday by the FISC. The order issued yesterday expires on September 12, 2014.
Either way, even though President Obama has already said that he wants the program ended, and he could do so, he's still keeping it going.
by Mike Masnick
Thu, May 29th 2014 12:56pm
from the so-there's-that... dept
There are numerous avenues that Mr. Snowden could have used to raise other concerns or whistleblower allegations. We have searched for additional indications of outreach from him in those areas and to date have not discovered any engagements related to his claims.Of course, it's worth noting that for all the talk of "proper channels" it's actually not so easy. In fact, the person that he would have gone to has already noted he would have told Snowden to shut up, and was completely insulting about Snowden. So it's not as if there really were legitimate channels. And Snowden already knew that going through the full whistleblowing process would get him labeled as a troublemaker.
That said, it does sound as though Snowden may have slightly exaggerated his claims concerning his conversation with the NSA's lawyers.
by Tim Cushing
Thu, May 15th 2014 3:01pm
from the the-ODNI-will-be-around-shortly-to-redact-your-brain dept
Intelligence agencies seem to make some very un-intelligent decisions. Just last month, James Clapper told NSA employees they were no longer free to talk to the media in an extremely misguided attempt to head off future leaks.
Now, the Office of the Director of National Intelligence (ODNI) has seen fit to issue a redacted document, which in itself is not an unusual event. The problem here is that the unredacted version, originally published by the ODNI itself, has been in the public domain for years now.
Last month, ODNI issued a heavily redacted version of its Intelligence Community Directive 304 on “Human Intelligence.” The redacted document was produced in response to a Freedom of Information Act request from Robert Sesek, and posted on ScribD.So, why would it do this? Steven Aftergood at FAS Secrecy News suspects it might be the ODNI caving to the CIA's desire to keep everything a secret.
The new redactions come as a surprise because most of the censored text had already been published by ODNI itself in an earlier iteration of the same unclassified Directive from 2008. That document has since been removed from the ODNI website but it is preserved on the FAS website here.
A comparison of the redacted and unredacted versions shows that ODNI is now seeking to withhold the fact that the Director of the Central Intelligence Agency functions as the National HUMINT Manager, among other things.The CIA is only rivaled by the New York Police Department in terms of unresponsiveness to FOIA requests. That it would demand information related to its "super-secret" HUMINT (human intelligence) work be redacted isn't a surprise. That it would have no idea that this information is out in the open is a bit more surprising. But considering the government's extremely scattershot approach to overclassification, it is not entirely unexpected.
The entire document is marked as "Unclassified," which means there's very little reason to have any of this redacted, especially considering its previous official, unredacted release. The CIA isn't the only agency to have its information withheld, although that is probably more a product of what the redacted statement says, rather than an indication of the other agencies' desire for secrecy. The sections for both the FBI and the Defense Department have this sentence blacked out.
Collects, analyzes, produces, and disseminates foreign intelligence and counterintelligence information, including information obtained through clandestine means.Apparently, the ODNI would prefer that no one know (enemies or citizens) these agencies secure information through "clandestine means," which is something everyone expects the CIA to be doing, if not the FBI.
The exemption stated [b(3)] is bit strange itself. It's supposedly limited to information that is subject to other statutes prohibiting the information's disclosure. Whatever that unnamed statute is, it must have gone into effect at some point between 2009 (the latest date on the unredacted version) and last month. Or, more likely, the exemption was just a handy excuse for blotting out the CIA's involvement in this particular form of intelligence gathering, one the ODNI won't have to explain until the end of the year when it (like all government agencies) must list the statutes used to justify b(3) redactions.
This is just another example of the greatest irony of the FOIA Act. The ODNI publishes a completely unredacted version on its own site but when a citizen asks for a copy, it redacts half the document. A Freedom of Information Act response creates an information deficit. That makes sense.
by Mike Masnick
Mon, May 12th 2014 4:02pm