One of the most disappointing aspects of the NSA and GCHQ revelations is the almost total lack of outrage in the UK. The government there has simply stuck to its line that everything was done in accordance with the law, and has refused to consider a formal review of British spying in light of what we have learned. This has led Nick Clegg, Deputy Prime Minister and head of the junior coalition party, to announce his own inquiry:
Nick Clegg, the Liberal Democrat leader, has commissioned a review into the new intrusive capabilities of British intelligence agencies and the legal framework in which they operate, after failing to persuade David Cameron that the coalition government should act now to tighten the accountability of Britain's spies.
The review, to be chaired by [the intelligence and military thinktank the Royal United Services Institute]'s director general, Michael Clarke, is in part modelled on the work commissioned in January by Obama from John Podesta, Bill Clinton's former chief of staff, into big data and privacy. Clegg says the aim of the review, due to report after the general election, will be to bring the issue into the mainstream of public debate, noting the "quality of the debate in the US provides an unflattering contrast to the muted debate on this side of the Atlantic".
The shadow home secretary, Yvette Cooper, is preparing to argue that the current arrangements are unsustainable for the government, and that it is damaging to trust in the agencies if ministers continue to hide their heads in the sand.
In a speech that represents Labour's most serious intervention since the controversy about the scale of state surveillance broke last summer, she will say: "The oversight and legal frameworks are now out of date. In particular that means we need major reforms to oversight and a thorough review of the legal framework to keep up with changing technology."
One reason for Labour's reticence here is its past record. Under Tony Blair, it was Labour that gave police sweeping anti-terrorism powers that severely damaged civil liberties in the UK. And it was Labour that tried to bring in identity cards, and the Conservatives and Lib Dems who threw them out when they came into power in 2010. That makes Labour's sudden embrace of enhanced oversight to protect freedom and privacy somewhat unconvincing.
But at least the party feels it has to make the right noises on the issue, rather than ducking it completely. Coupled with Clegg's unofficial inquiry into how the UK's spies should operate, these are welcome signs that UK politicians are finally starting to ask some serious questions about the massive scale of surveillance revealed by Snowden's leaks, and the harm it causes. It's not much, but it's a start; now we just need David Cameron and the UK government to do the same.
It's long forgotten now, but back in August, the US and Germany were said to be working on an agreement not to spy on each other's governments. As we noted at the time, such an agreement would almost certainly be meaningless. Of course, that news came out after the initial Snowden leaks, but prior to the high profile news in October that the NSA was monitoring German Chancellor Angela Merkel's calls. While President Obama (after first claiming he had no idea it was happening) promised Merkel that the NSA would stop spying on her phone calls, by January, those plans for a big "bilateral no-spy deal" were basically dead.
And, indeed, over the weekend, German newspaper Bild am Sonntag reported that the NSA may have stopped bugging Merkel's phone, but instead it had started bugging the phones of basically everyone around her, including pretty much every senior government official who reported to her. The report quotes a "high-ranking NSA employee in Germany" explaining what's going on:
"We have had the order not to miss out on any information now that we are no longer able to monitor the chancellor's communication directly," it quoted the NSA employee as saying.
This shouldn't be that surprising. This is what the NSA is going to do, after all. But what amazes me about this story is the fact that it's already leaked out, and that despite all the talk of cracking down on future leaks out of the NSA, the NSA already has another leaker releasing information that is clearly politically sensitive. So many folks like to point to Snowden as if he's the only leaker the NSA ever had or ever will have. But it's increasingly looking like there are others within the NSA who are equally uncomfortable with what's become of the intelligence community.
Even before the NSA scandal broke, I've been endlessly entertained watching the blistering hypocrisy toward Chinese network hardware vendor Huawei. For years Huawei has been accused of being a Chinese spy, even if investigations seem to repeatedly show no actual evidence of Chinese spying. We're not talking about superficial inquiries, we're talking about eighteen-month, in-depth reviews by people with every interest in exposing them. Despite no evidence, every few months or so somebody in the government trots out Huawei as a bogeyman they can toss about for one political reason or another.
Never mind that almost all network gear is made in China (whether the company is Chinese or not). Never mind that obviously NSA allegations show the United States spies on almost everyone, constantly. Never mind that reports have emerged that a lot of the spy allegations are originating with their competitor Cisco. Huawei is a spy. We're sure of it. And covert network snooping is bad. When China does it.
The constant allegations ultimately scuttled Huawei's attempt to bring more gear competition to the United States market, blocked Huawei's potential bid on a nationwide U.S. first responder network, and the United States has since been working hard to ensure that other countries don't use Huawei gear either. According to the Wall Street Journal, after convincing Australia to ditch Huawei gear, the United States is also warning South Korea that Huawei might just be a spy, apparently citing all of the non-existent evidence already mentioned:
"In meetings with their South Korean counterparts in recent months, senior U.S. officials pointed to what Washington sees as a risk that Huawei's equipment could be used for spying on communications among the close partners, as well as compromise secure networks used by American military personnel and intelligence officers in South Korea, U.S. officials said."
The idea that somebody would indiscriminately spy using network gear sure sounds terrifying. Fortunately, United States to South Korea communications will instead rely on gear from any number of network hardware vendors, whose equipment is also built in China -- in many instances in the exact same factories by the exact same workers. Not to say China is an angel or doesn't spy (though I should note their gear is considered good enough to filter UK porn), but at this juncture the United States giving lectures on network privacy is like Lindsay Lohan giving advice on balanced and healthy living. Gosh, one would hate to think that years of trotting Huawei out as a political bogeyman pinata was all just an elaborate song and dance put on simply to sell more Cisco and Juniper routers.
As governments around the world refuse to act in the wake of revelations about global spying, more and more people are launching legal actions to force them to address the problem. Back in December we wrote about several that had been filed in the UK, and now the well-known Chaos Computer Club (CCC) in Germany is launching its own legal challenge, in conjunction with the International League for Human Rights:
After months of press releases about mass surveillance by secret services and offensive attacks on information technology systems, we now have certainty that German and other countries' secret services have violated the German criminal law. With this criminal complaint, we hope to finally initiate investigations by the Federal Prosecutor General against the German government. The CCC has learned with certainty that the leaders of the secret services and the federal government have aided and abetted the commission of these crimes.
It is the understanding of the CCC that these crimes are felonies pursuant to German federal laws, specifically § 99 StGB (illegal activity as a foreign spy), §§ 201 ff. StGB (violation of privacy) and § 258 StGB (obstruction of justice).
That's a very specific claim about which German laws have been broken; less clear is what CCC means by "learned with certainty": does that simply refer to the information that Snowden's leaks have provided, or has CCC obtained something more -- quite likely given its contacts and past achievements? The complaint also has an important request:
In the criminal complaint, we ask to hear technical expert and whistleblower Edward Snowden as a witness, and that he be provided safe passage and protection against extradition to the US.
As a parting shot, CCC also wants to encourage others to file similar criminal complaints in order to lend weight to their demands:
We do not only want to call the Federal Prosecutor General's office to investigations but also ask you to get involved and also file a criminal complaint.
Looks like pressure is beginning to build on governments, and it will be interesting to see what other legal actions are filed in Germany and elsewhere.
The latest report from the NY Times based on Snowden's revelations seems to jump all over the place, talking about a variety of efforts by the NSA to spy on people. Much of it seems to repeat earlier claims about the NSA's malware program, codenamed QUANTUM. It updates the earlier claims that there are 50,000 QUANTUM-infected computers to claim that the number is now 100,000. However, it also notes that most of the targets are exactly the kinds of things you'd expect the NSA to be spying on: the Chinese and Russian militaries, mainly.
Perhaps more interesting is that it builds on the reporting in Der Spiegel concerning the NSA's catalog of tech tools to infiltrate computers, to tie those back to the QUANTUM program, and note that many of the tools rely not on an internet connection, but on a secretly inserted radio transmitter, which can be picked up by a device in an "oversized suitcase" that can be placed miles away. By itself, none of this is all that surprising, but the documents certainly suggest the NSA is doing this on a larger scale than suspected in the past:
“What’s new here is the scale and the sophistication of the intelligence agency’s ability to get into computers and networks to which no one has ever had access before,” said James Andrew Lewis, the cybersecurity expert at the Center for Strategic and International Studies in Washington. “Some of these capabilities have been around for a while, but the combination of learning how to penetrate systems to insert software and learning how to do that using radio frequencies has given the U.S. a window it’s never had before.”
Again, these activities certainly seem more in line with what you'd expect the NSA to be doing, and raise (yet again) the question of why the NSA needs to "collect it all" when it appears that programs like these can be quite effective in doing targeted surveillance against those actually seeking to attack the US in some manner?
Separately, as the article notes, this has made the US's moral high ground concerning claims that China is doing similar surveillance on the US seem quite questionable. As the article notes, the US's attempted distinction between "national security" and "economic espionage" doesn't make much sense to many.
When the Chinese place surveillance software on American computer systems — and they have, on systems like those at the Pentagon and at The Times — the United States usually regards it as a potentially hostile act, a possible prelude to an attack. Mr. Obama laid out America’s complaints about those practices to President Xi Jinping of China in a long session at a summit meeting in California last June.
At that session, Mr. Obama tried to differentiate between conducting surveillance for national security — which the United States argues is legitimate — and conducting it to steal intellectual property.
“The argument is not working,” said Peter W. Singer of the Brookings Institution, a co-author of a new book called “Cybersecurity and Cyberwar.” “To the Chinese, gaining economic advantage is part of national security. And the Snowden revelations have taken a lot of the pressure off” the Chinese.
Of course, if the US were focused on actually increasing security on US computing systems and networks, rather than undermining them with backdoors and vulnerabilities, perhaps we'd be more protected from the Chinese. It's too bad that the NSA hasn't actually been helping on that front at all.
Every day, Rep. Peter King seems more and more like a TV villain politician. He's so... over the top in his crazy surveillance state opinions that it's almost difficult to believe he's real. Just take a stroll through his previous statements, in which he's attacked the NY Times for supporting Ed Snowden, whom he calls both a "traitor" and a "terrorist appeaser." He's said that it's a "disgrace" that anyone might call out the fact that Director of National Intelligence James Clapper lied to Congress. He's argued that it's "slander" to call the NSA's activities "spying." And he's argued that Glenn Greenwald should be arrested and prosecuted for reporting on Snowden's leaks.
His latest, it seems, is in response to Senator Bernie Sanders' simple question to the NSA, about whether or not it was spying on Congress (I'll note that Sanders appears to use "spying" in the manner in which King has previously insisted was "slander"). King was asked about Sanders' question, and argued that the NSA should be spying on Congress because they might be "talking to an al-Qaeda leader."
Specifically, after a very leading question from the Fox News reporter, King says:
I think members of Congress should be treated the same as everyone else. If a member of Congress is talking to an Al Qaeda leader in Iraq or Afghanistan, why should that member of Congress be any different from any person on the street?
While that might sound ridiculous at first, I guess if any member of Congress knows about talking to terrorist leaders, it would be Rep. Peter King. As we've pointed out multiple times, King was a very big supporter of a known terrorist group, the IRA, back in the 80s, supporting the group that was known for bombing a shopping center, killing six and injuring 90.
King goes on with this whopper:
What they're trying to suggest is that somehow the NSA is spying on members of Congress. They're not spying on anyone.
Anyone? Really? They're clearly spying on lots and lots of people, because that's the NSA's job. King goes on to pretend, again, that metadata is no big deal since it just shows phone numbers. So, I'm curious, will Rep. Peter King release his own phone records for the last year? After all, it's no big deal. Just the phone numbers he called, the times he called and how long he was on call. Just like the info the NSA collects, and which King insists is not secret.
While the ACLU may have lost (for now, though it will appeal) its case concerning the legality of the NSA's use of Section 215 of the PATRIOT Act to scoop up all metadata on every phone call, that's clearly not stopping the organization from challenging the government's surveillance efforts. The ACLU has filed a new lawsuit, which is technically in response to a rejected Freedom of Information Act request for info on Executive Order 12333.
As we've mentioned in the past, while so much focus on the NSA's activities has been directed at things like FISA and the PATRIOT Act, those only cover surveillance of "US persons." So much of what the NSA is doing is targeted at people abroad, and for that, those US laws don't apply. Instead, nearly all of it comes from Executive Order 12333. And, while US courts have no jurisdiction over people abroad, what more and more people are recognizing is that the NSA is using its (even broader) powers under EO 12333 to collect tons of information on people both abroad and in the US.
Although EO 12,333 permits the government to target foreigners abroad for surveillance, recent revelations have confirmed that the government interprets that authority to permit sweeping monitoring of Americans' international communications. How the government conducts this surveillance, and whether it appropriately accommodates the constitutional rights of American citizens and residents whose communications are intercepted in the course of that surveillance, are matters of great public significance and concern. While the government has released several documents describing the rules that govern its collection and use of Americans' international communications under statutory authorities regulating surveillance on U.S. soil, little information is publicly available regarding the rules that apply to surveillance of Americans' international calls and emails under EO 12,333.
That gap in public knowledge is particularly troubling in light of recent revelations, which make clear that the NSA is collecting vast quantities of data worldwide pursuant to EO 12,333. For instance, recent news reports indicate that, relying on the executive order, the NSA is collecting: nearly 5 billion records per day on the location of cell phones, including Americans' cell phones; hundreds of millions of contact lists or address books from personal email and instant messaging accounts; and information from Google and Yahoo user accounts as that information travels between those companies' data centers located abroad.
This is quite important for a variety of reasons, including that nearly every rationale given by the NSA and its defenders for surveillance programs under Section 215 of the PATRIOT Act and Section 702 of the FISA Amendments Act simply doesn't apply to surveillance done under EO 12333. Claims such as that the surveillance has oversight from all three branches of government? That's not true at all -- not even in the fake-oversight way that there's "official" oversight of the US-focused programs. Claims that the courts have tested these programs? Again, not so. The FISA Court has no authority over the programs that are technically under EO 12333. Basically, it's fair game -- and since it's now obvious that these programs are collecting data on Americans, the ACLU is making the fairly strong argument that there needs to be some legal analysis -- and, as a starting point, the government should reveal its own basis for these programs.
For all the focus on the NSA of late, a few folks have been trying to remind everyone that the FBI is heavily involved in all of this and, in many ways, has an equally bad if not worse record in abusing the rights of Americans. Many of the programs discussed were to retrieve information by the FBI or the NSA, and it turns out that the FBI often does much of the dirty work for the NSA, including interfacing with various companies to get access to data. We'd mentioned recently how the FBI was pushing tech companies to install "port readers" at both telco and tech companies (though, many tech firms were resisting), and also that the FBI had been ramping up their use of malware.
Shane Harris, over at Foreign Policy, has a nice profile on the FBI's Data Intercept Technology Unit, or DITU, which handles most of this work. It repeats the story of the port readers, but adds how the DITU is often the unit that works with tech companies and then passes info along to the NSA -- so some companies don't even realize they're dealing with the NSA, believing it's just via the FBI (not that this would make things any better). It also notes that the DITU tends to be made up of a lot of ex-telco guys who know very specifically how the telco networks work, something that at least some people at the telcos may be uncomfortable with the government knowing (though, again, the telcos seem much more willing to open up to the government than the tech companies).
It's an interesting profile all around, but at the end it gets even more interesting, as an ex-law enforcement source that Harris talks to highlights that without investigating what the DITU is up to, Congress' exploration of what's going on will be very incomplete.
The former law enforcement official said Holder and Mueller should have offered testimony and explained how the FBI works with the NSA. He was concerned by reports that the NSA had not been adhering to its own minimization procedures, which the Justice Department and the FBI review and vouch for when submitting requests to the Foreign Intelligence Surveillance Court.
"Where they hadn't done what was represented to the court, that's unforgivable. That's where I got sick to my stomach," the former law enforcement official said. "The government's position is, we go to the court, apply the law -- it's all approved. That makes for a good story until you find out what was approved wasn't actually what was done."
That makes it sound like even more bad behavior is going to be revealed eventually...
We recently wrote about how Kurt Eichenwald's bizarre and irrational deference to his friends in the security state led him to claim that Ed Snowden is a Chinese spy, whose work was specifically designed to aid China in its attempts to attack the internet. The level of cognitive dissonance to make such an argument is quite stunning. Thankfully, most people seemed to see right through the insanity. In the meantime, over at The Guardian, John Kampfner has what might be considered the much more accurate version of the same story. It notes how the knowledge of the NSA's activities has played right into Russia and China's hands concerning their efforts to gain greater control over the internet:
Slowly but surely governance of the internet is moving from the existing mishmash of institutions and into the hands of national governments. The Chinese call this "cyber autonomy".
Authoritarian regimes are showing ever-greater confidence in restricting information, filtering, blocking, monitoring and punishing anyone who steps over the mark.
And, yes, the knowledge of what the US is doing is giving the Chinese, Russians and plenty of others greater confidence to push for their own agenda. Amazingly, and in a sad statement on the state of the US government today, the report notes that a Chinese official recently argued:
At the recent IGF in Indonesia the Chinese were, for the first time, out in force. One "expert" offered to explain to a US state department official why US human rights standards are not up to scratch and how China could help.
This is, certainly, all just political posturing from a country that has a dreadful human rights record, but as we've noted plenty of times, the loss of any semblance of a moral high ground by the US on human rights has serious consequences. But unlike Eichenwald, Kampfner doesn't blame the messenger. Instead he puts the blame squarely where it belongs -- on the US government for its activities.
American dominance of the internet is being challenged on several fronts. The Obama administration and its spooks only have themselves to blame.
Except, of course, they're using compliant mouthpieces like Eichenwald to, instead, try to blame the messenger. Nothing is going to get fixed here until the current leadership either takes responsibility or is replaced in office by those who will take responsibility.
Over the past several months, the Obama Administration has defended the government's far-reaching data collection efforts, arguing that only criminals and terrorists need worry. The nation's leading internet and telecommunications companies have said they are committed to the sanctity of their customers' privacy.
I have some very personal reasons to doubt those assurances.
In 2004, my telephone records as well as those of another New York Times reporter and two reporters from the Washington Post, were obtained by federal agents assigned to investigate a leak of classified information. What happened next says a lot about what happens when the government's privacy protections collide with the day-to-day realities of global surveillance.
The story begins in 2003 when I wrote an article about the killing of two American teachers in West Papua, a remote region of Indonesia where Freeport-McMoRan operates one of the world's largest copper and gold mines. The Indonesian government and Freeport blamed the killings on a separatist group, the Free Papua Movement, which had been fighting a low-level guerrilla war for several decades.
I opened my article with this sentence: "Bush Administration officials have determined that Indonesian soldiers carried out a deadly ambush that killed two American teachers."
I also reported that two FBI agents had travelled to Indonesia to assist in the inquiry and quoted a "senior administration official" as saying there "was no question there was a military involvement."
The story prompted a leak investigation. The FBI sought to obtain my phone records and those of Jane Perlez, the Times bureau chief in Indonesia and my wife. They also went after the records of the Washington Post reporters in Indonesia who had published the first reports about the Indonesian government's involvement in the killings.
As part of its investigation, the FBI asked for help from what is described in a subsequent government report as an "on-site communications service" provider. The report, by the Department of Justice's Inspector General, offers only the vaguest description of this key player, calling it "Company A."
"We do not identify the specific companies because the identities of the specific providers who were under contract with the FBI for specific services are classified," the report explained.
Whoever they were, Company A had some impressive powers. Through some means – the report is silent on how – Company A obtained records of calls made on Indonesian cell phones and landlines by the Times and Post reporters. The records showed whom we called, when and for how long -- what has now become famous as "metadata."
Under DOJ rules, the FBI investigators were required to ask the Attorney General to approve a grand jury subpoena before requesting records of reporters' calls. But that's not what happened.
Instead, the bureau sent Company A what is known as an "exigent letter" asking for the metadata.
A heavily redacted version of the DOJ report, released in 2010, noted that exigent letters are supposed to be used in extreme circumstances where there is no time to ask a judge to issue a subpoena. The report found nothing "exigent" in an investigation of several three-year-old newspaper stories.
The need for an exigent letter suggests two things about Company A. First, that it was an American firm subject to American laws. Second, that it had come to possess my records through lawful means and needed legal justification to turn them over to the government.
The report disclosed that the agents' use of the exigent letter was choreographed by the company and the bureau. It said the FBI agent drafting the letter received "guidance" from "a Company A analyst." According to the report, lawyers for Company A and the bureau worked together to develop the approach.
Not surprisingly, "Company A" quickly responded to the letter it helped write. In fact, it was particularly generous, supplying the FBI with records covering a 22-month period, even though the bureau's investigation was limited to a seven-month period. Altogether, "Company A" gave the FBI metadata on 1,627 calls by me and the other reporters.
Only three calls were within the seven-month window of phone conversations investigators had decided to review.
It doesn't end there.
The DOJ report asserts that "the FBI made no investigative use of the reporters' telephone records." But I don't believe that is accurate.
In 2007, I heard rumblings that the leak investigation was focusing on a diplomat named Steve Mull, who was the deputy chief of mission in Indonesia at the time of the killings. I had known Mull when he was a political officer in Poland and I was posted there in the early 1990s. He is a person of great integrity and a dedicated public servant.
The DOJ asked to interview me. Of course, I would not agree to help law enforcement officials identify my anonymous sources. But I was troubled because I felt an honorable public servant had been forced to spend money on lawyers to fend off a charge that was untrue. After considerable internal debate, I decided to talk to the DOJ for the limited purpose of clearing Mull.
It was not a decision I could make unilaterally. The Times also had a stake in this. If I allowed myself to be interviewed, how could the Times say no the next time the government wanted to question a Times reporter about a leak?
The Times lawyer handling this was George Freeman, a journalist's lawyer, a man Times reporters liked having in their corner. George and the DOJ lawyers began to negotiate over my interview. Eventually, we agreed that I would speak on two conditions: one, that they could not ask me for the name of my source; and two, if they asked me if it was 'X,' and I said no, they could not then start going through other names.
Freeman and I sat across a table from two DOJ lawyers. I'm a lawyer, and prided myself on being able to answer their questions with ease, never having to turn to Freeman for advice.
Until, that is, one of the lawyers took a sheaf of papers that were just off to his right, and began asking me about phone calls I made to Mull. One call was for 19 minutes, the DOJ lawyer said, giving me the date and time. I asked for a break to consult with Freeman.
We came back, and answered questions about the phone calls. I said that I couldn't remember what these calls were about – it had been more than four years earlier – but that Mull had not given me any information about the killings. Per our agreement, the DOJ lawyers did not ask further questions about my sources, and the interview ended.
I didn't know how the DOJ had gotten my phone records, but assumed the Indonesian government had provided them. Then, about a year later, I received a letter from the FBI's general counsel, Valerie Caproni, who wrote that my phone records had been taken from "certain databases" under the authority of an "exigent letter" (a term I had never heard).
Caproni sent similar letters to Perlez, to the Washington Post reporters, and to the executive editors of the Post and the Times, Leonard Downie and Bill Keller, respectively. In addition, FBI Director Robert Mueller called Downie and Keller, according to the report.
Caproni wrote that the records had not been seen by anyone other than the agent requesting them and that they had been expunged from all databases.
I'm uneasy because the DOJ report makes clear that the FBI is still concealing some aspect of this incident. After describing Caproni's letters, the report says: "However, the FBI did not disclose to the reporters or their editors that [BLACKED OUT]." The thick black lines obliterate what appear to be several sentences.
If you were to ask senior intelligence officials whether I should wonder about those deletions, they'd probably say no.
I'm not so sure.
The government learned extensive details about my personal and professional life. Most of those calls were about other stories I was writing. Some were undoubtedly to arrange my golf game with the Australian ambassador. Is he now under suspicion? The report says the data has been destroyed and that only two analysts ever looked at it.
But who is this "Company A" that willingly cooperated with the government? Why was it working hand in glove with the FBI? And what did the FBI director not tell the editors of the Times and the Washington Post when he called them acknowledging the government had improperly obtained reporters' records?