While the ACLU may have lost (for now, though it will appeal) its case concerning the legality of the NSA's use of Section 215 of the PATRIOT Act to scoop up all metadata on every phone call, that's clearly not stopping the organization from challenging the government's surveillance efforts. The ACLU has filed a new lawsuit, which is technically in response to a rejected Freedom of Information Act request for info on Executive Order 12333.
As we've mentioned in the past, while so much focus on the NSA's activities have been directed at things like FISA and the PATRIOT Act, those only cover surveillance of "US persons." So much of what the NSA is doing is targeted at people abroad, and for that, those US laws don't apply. Instead, nearly all of it comes from Executive Order 12333. And, while US courts have no jurisdiction over people abroad, what more and more people are recognizing, is that the NSA is using its (even broader) powers under EO 12333 to collect tons of information on people both abroad and in the US.
Although EO 12,333 permits the government to target foreigners abroad for surveillance, recent revelations have confirmed that the government interprets that authority to permit sweeping monitoring of Americans' international communications. How the government conducts this surveillance, and whether it appropriately accommodates the constitutional rights of American citizens and residents whose communications are intercepted in the course of that surveillance, are matters of great public significance and concern. While the government has released several documents describing the rules that govern its collection and use of Americans' international communications under statutory authorities regulating surveillance on U.S. soil, little information is publicly available regarding the rules that apply to surveillance of Americans' international calls and emails under EO 12,333.
That gap in public knowledge is particularly troubling in light of recent revelations, which make clear that the NSA is collecting vast quantities of data worldwide pursuant to EO 12,333. For instance, recent news reports indicate that, relying on the executive order, the NSA is collecting: nearly 5 billion records per day on the location of cell phones, including Americans' cell phones; hundreds of millions of contact lists or address books from personal email and instant messaging accounts; and information from Google and Yahoo user accounts as that information travels between those companies' data centers located abroad.
This is quite important for a variety of reasons, including that nearly every rationale given by the NSA and its defenders for surveillance programs under Section 215 of the PATRIOT Act and Section 702 of the FISA Amendments Act simply doesn't apply to surveillance done under EO 12333. Claims such as that the surveillance has oversight from all three branches of government? That's not true at all -- not even in the fake-oversight way that there's "official" oversight of the US-focused programs. Claims that the courts have tested these programs? Again, not so. The FISA Court has no authority over the programs that are technically under EO 12333. Basically, it's fair game -- and since it's now obvious that these programs are collecting data on Americans, the ACLU is making the fairly strong argument that there needs to be some legal analysis -- and, as a starting point, the government should reveal its own basis for these programs.
from the like-they-don't-have-a-history-of-abuses? dept
For all the focus on the NSA of late, a few folks have been trying to remind everyone that the FBI is heavily involved in all of this and, in many ways, has an equally bad if not worse record in abusing the rights of Americans. Many of the programs discussed were to retrieve information by the FBI or the NSA, and it turns out that the FBI often does much of the dirty work for the NSA, including interfacing with various companies to get access to data. We'd mentioned recently how the FBI was pushing tech companies to install "port readers" at both telco and tech companies (though, many tech firms were resisting), and also that the FBI had been ramping up their use of malware.
Shane Harris, over at Foreign Policy has a nice profile on the FBI's Data Intercept Technology Unit, or DITU, who handles most of this work. It repeats the story of the port readers, but adds how the DITU is often the unit that works with tech companies and then passes info along to the NSA -- so some companies don't even realize they're dealing with the NSA, believing it's just via the FBI (not that this would make things any better). It also notes that the DITU tends to be made up of a lot of ex-telco guys who know very specifically how the telco networks work, something that at least some people at the telcos may be uncomfortable with the government knowing (though, again, the telcos seem much more willing to open up to the government than the tech companies).
It's an interesting profile all around, but at the end it gets even more interesting, as an ex-law enforcement source that Harris talks to highlights that without investigating what the DITU is up to, Congress' exploration of what's going on will be very incomplete.
The former law enforcement official said Holder and Mueller should have offered testimony and explained how the FBI works with the NSA. He was concerned by reports that the NSA had not been adhering to its own minimization procedures, which the Justice Department and the FBI review and vouch for when submitting requests to the Foreign Intelligence Surveillance Court.
"Where they hadn't done what was represented to the court, that's unforgivable. That's where I got sick to my stomach," the former law enforcement official said. "The government's position is, we go to the court, apply the law -- it's all approved. That makes for a good story until you find out what was approved wasn't actually what was done."
That makes it sound like even more bad behavior is going to be revealed eventually...
We recently wrote about how Kurt Eichenwald's bizarre and irrational deference to his friends in the security state led him to claim that Ed Snowden is a Chinese spy, whose work was specifically designed to aid China in its attempts to attack the internet. The level of cognitive dissonance to make such an argument is quite stunning. Thankfully, most people seemed to see right through the insanity. In the meantime, over at The Guardian, John Kampfner has what might be considered the much more accurate version of the same story. It notes how the knowledge of the NSA's activities have played right into Russia and China's hands concerning their efforts to gain greater control over the internet:
Slowly but surely governance of the internet is moving from the existing mishmash of institutions and into the hands of national governments. The Chinese call this "cyber autonomy".
Authoritarian regimes are showing ever-greater confidence in restricting information, filtering, blocking, monitoring and punishing anyone who steps over the mark.
And, yes, the knowledge of what the US is doing is giving the Chinese, Russians and plenty of others greater confidence to push for their own agenda. Amazingly, and in a sad statement on the state of the US government today, the report notes that a Chinese official recently argued:
At the recent IGF in Indonesia the Chinese were, for the first time, out in force. One "expert" offered to explain to a US state department official why US human rights standards are not up to scratch and how China could help.
This is, certainly, all just political posturing from a country that has a dreadful human rights record, but as we've noted plenty of times, the loss of any semblance of a moral high ground by the US on human rights has serious consequences. But unlike Eichenwald, Kampfner doesn't blame the messenger. Instead he puts the blame squarely where it belongs -- on the US government for its activities.
American dominance of the internet is being challenged on several fronts. The Obama administration and its spooks only have themselves to blame.
Except, of course, they're using compliant mouthpieces like Eichenwald to, instead, try to blame the messenger. Nothing is going to get fixed here until the current leadership either takes responsibility or is replaced in office by those who will take responsibility.
Over the past several months, the Obama Administration has defended the government's far-reaching data collection efforts, arguing that only criminals and terrorists need worry. The nation's leading internet and telecommunications companies have said they are committed to the sanctity of their customers' privacy.
I have some very personal reasons to doubt those assurances.
In 2004, my telephone records as well as those of another New York Times reporter and two reporters from the Washington Post, were obtained by federal agents assigned to investigate a leak of classified information. What happened next says a lot about what happens when the government's privacy protections collide with the day-to-day realities of global surveillance.
The story begins in 2003 when I wrote an article about the killing of two American teachers in West Papua, a remote region of Indonesia where Freeport-McMoRan operates one of the world's largest copper and gold mines. The Indonesian government and Freeport blamed the killings on a separatist group, the Free Papua Movement, which had been fighting a low-level guerrilla war for several decades.
I opened my article with this sentence: "Bush Administration officials have determined that Indonesian soldiers carried out a deadly ambush that killed two American teachers."
I also reported that two FBI agents had travelled to Indonesia to assist in the inquiry and quoted a "senior administration official" as saying there "was no question there was a military involvement.''
The story prompted a leak investigation. The FBI sought to obtain my phone records and those of Jane Perlez, the Times bureau chief in Indonesia and my wife. They also went after the records of the Washington Post reporters in Indonesia who had published the first reports about the Indonesian government's involvement in the killings.
As part of its investigation, the FBI asked for help from what is described in a subsequent government report as an "on-site communications service" provider. The report, by the Department of Justice's Inspector General, offers only the vaguest description of this key player, calling it "Company A.''
"We do not identify the specific companies because the identities of the specific providers who were under contract with the FBI for specific services are classified,'' the report explained.
Whoever they were, Company A had some impressive powers. Through some means – the report is silent on how – Company A obtained records of calls made on Indonesian cell phones and landlines by the Times and Post reporters. The records showed whom we called, when and for how long -- what has now become famous as "metadata."
Under DOJ rules, the FBI investigators were required to ask the Attorney General to approve a grand jury subpoena before requesting records of reporters' calls. But that's not what happened.
Instead, the bureau sent Company A what is known as an "exigent letter'' asking for the metadata.
A heavily redacted version of the DOJ report, released in 2010, noted that exigent letters are supposed to be used in extreme circumstances where there is no time to ask a judge to issue a subpoena. The report found nothing "exigent'' in an investigation of several three-year-old newspaper stories.
The need for an exigent letter suggests two things about Company A. First, that it was an American firm subject to American laws. Second, that it had come to possess my records through lawful means and needed legal justification to turn them over to the government.
The report disclosed that the agents' use of the exigent letter was choreographed by the company and the bureau. It said the FBI agent drafting the letter received "guidance" from "a Company A analyst.'' According to the report, lawyers for Company A and the bureau worked together to develop the approach.
Not surprisingly, "Company A" quickly responded to the letter it helped write. In fact, it was particularly generous, supplying the FBI with records covering a 22-month period, even though the bureau's investigation was limited to a seven-month period. Altogether, "Company A" gave the FBI metadata on 1,627 calls by me and the other reporters.
Only three calls were within the seven-month window of phone conversations investigators had decided to review.
It doesn't end there.
The DOJ report asserts that "the FBI made no investigative use of the reporters' telephone records." But I don't believe that is accurate.
In 2007, I heard rumblings that the leak investigation was focusing on a diplomat named Steve Mull, who was the deputy chief of mission in Indonesia at the time of the killings. I had known Mull when he was a political officer in Poland and I was posted there in the early 1990s. He is a person of great integrity and a dedicated public servant.
The DOJ asked to interview me. Of course, I would not agree to help law enforcement officials identify my anonymous sources. But I was troubled because I felt an honorable public servant had been forced to spend money on lawyers to fend off a charge that was untrue. After considerable internal debate, I decided to talk to the DOJ for the limited purpose of clearing Mull.
It was not a decision I could make unilaterally. The Times also had a stake in this. If I allowed myself to be interviewed, how could the Times say no the next time the government wanted to question a Times reporter about a leak?
The Times lawyer handling this was George Freeman, a journalist's lawyer, a man Times reporters liked having in their corner. George and the DOJ lawyers began to negotiate over my interview. Eventually, we agreed that I would speak on two conditions: one, that they could not ask me for the name of my source; and two, if they asked me if it was ‘X,' and I said no, they could not then start going through other names.
Freeman and I sat across a table from two DOJ lawyers. I'm a lawyer, and prided myself on being able to answer their questions with ease, never having to turn to Freeman for advice.
Until that is, one of the lawyers took a sheaf of papers that were just off to his right, and began asking me about phone calls I made to Mull. One call was for 19 minutes, the DOJ lawyer said, giving me the date and time. I asked for a break to consult with Freeman.
We came back, and answered questions about the phone calls. I said that I couldn't remember what these calls were about – it had been more than four years earlier – but that Mull had not given me any information about the killings. Per our agreement, the DOJ lawyers did not ask further questions about my sources, and the interview ended.
I didn't know how the DOJ had gotten my phone records, but assumed the Indonesian government had provided them. Then, about a year later, I received a letter from the FBI's general counsel, Valerie Caproni who wrote that my phone records had been taken from "certain databases" under the authority of an "exigent letter,'' (a term I had never heard).
Caproni sent similar letters to Perlez, to the Washington Post reporters, and to the executive editors of the Post and the Times, Leonard Downie and Bill Keller, respectively. In addition, FBI Director Robert Mueller called Downie and Keller, according to the report.
Caproni wrote that the records had not been seen by anyone other than the agent requesting them and that they had been expunged from all databases.
I'm uneasy because the DOJ report makes clear that the FBI is still concealing some aspect of this incident. After describing Caproni's letters, the report says: "However, the FBI did not disclose to the reporters or their editors that [BLACKED OUT]." The thick black lines obliterate what appear to be several sentences.
If you were to ask senior intelligence officials whether I should wonder about those deletions, they'd probably say no.
I'm not so sure.
The government learned extensive details about my personal and professional life. Most of those calls were about other stories I was writing. Some were undoubtedly to arrange my golf game with the Australian ambassador. Is he now under suspicion? The report says the data has been destroyed and that only two analysts ever looked at it.
But who is this 'Company A" that willingly cooperated with the government? Why was it working hand in glove with the FBI? And what did the FBI director not tell the editors of the Times and the Washington Post when he called them acknowledging the government had improperly obtained reporter's records?
You may recall that it came out last year that the New Zealand equivalent of the NSA, the GCSB, illegally spied on Kim Dotcom (oh, and dozens of others), possibly with the help of the NSA, despite not being allowed to spy on those in New Zealand.
An investigation by the police has agreed that the GCSB clearly broke the law... but the police have said that they don't plan to prosecute the spy agency. Because, you know, that might hold them accountable. Now, at least, the GCSB knows that it can abuse the law at will with no punishment.
Instead, it appears that the excuse being used by the police is the same one we've been hearing from NSA defenders: because these abuses weren't intentional, they can be ignored:
Today, Detective Superintendent Peter Read told a media conference that in spite of the GCSB committing one breach under the provisions of the Crimes Act, no criminal "intent" by the GCSB could be established.
I'm not sure that actually makes sense. Yes, when it comes to criminal activity, intent can be important in determining if it's actually criminal, but there's little doubt that the GCSB intentionally spied on Dotcom. It wouldn't have taken very much at all to recognize that Dotcom was a resident of New Zealand who GCSB is forbidden from surveilling. So it seems like the intent was pretty clear.
There are lots of people digging through the latest Ed Snowden leaks concerning the black budget for intelligence activities in the US trying to pick out various nuggets. Over at Wired, Kevin Poulsen has found one of the most interesting tidbits, highlighting how James Clapper cheers on the "groundbreaking cryptanalytic capabilities to defeat adversarial cryptofgraphy and exploit internet traffic." In short, the NSA has gotten pretty good at breaking encrypted communications. Encryption is a strong protector, but can be broken -- and that's always been a part of the NSA's mission: code-breaking. But, there have long been questions about to what level the NSA can break today's popular encryption standards. What today's leaks show is that they're apparently pretty successful and are spending more and more money on it:
The pie chart above? That's $11 billion and it employes 35,000 people. Breaking your encryption. As Poulsen notes, James Bamford (who has followed the NSA closely for years) revealed last year that the NSA had recently made an "enormous breakthrough" in cryptanalysis, and this should raise some questions about just how secure various forms of encryption really are today.
Over the weekend, Der Spiegel broke the somewhat unsurprising news that the NSA had bugged the UN and various EU embassies in the US and had hacked into the UN's videoconferencing software to be able to get access to such calls. On a first pass, this isn't all that surprising. As we noted with some earlier leaks, spying on foreign diplomats is just something that countries do. Spying on foreign government officials is very different than spying on the public. Of course, since the NSA insists that it does everything to avoid intercepting communications of people inside the US, I wondered how they could make that claim while directly tapping conference calls from the UN in NY. The answer is likely to be yet another classic NSA twisting of the words to find a loophole. While the UN headquarters are in NYC, "technically" the headquarters are outside of the US and in the control of the UN itself, but with an agreement that it abides by all local laws. This is similar to embassies, which are often treated as if they are the territory of the country that uses them. I'm wondering if the NSA is using that to argue these are fair game, since they're "outside" the US.
There's also the issue, as noted in the article, that President Obama has insisted that the spying on people was only done to prevent terrorism -- and spying on EU diplomats seems unlikely to have anything to do with terrorism prevention. But, again, spying between government officials is kind of expected, and not quite a huge deal, even if it may present a diplomatic problem for the US.
Much more interesting to me, however, is the snippet claiming that the NSA had figured out how to hack into the UN's video conferencing software, allowing them to record internal video conferences. In fact, after this was cracked just a year ago, a document was sent around, "celebrating" this:
Furthermore, NSA technicians working for the Blarney program have managed to decrypt the UN's internal video teleconferencing (VTC) system. The combination of this new access to the UN and the cracked encryption code have led to "a dramatic improvement in VTC data quality and (the) ability to decrypt the VTC traffic," the NSA agents noted with great satisfaction: "This traffic is getting us internal UN VTCs (yay!)." Within just under three weeks, the number of decrypted communications increased from 12 to 458.
Yay! We can spy on more things! Yay! Either way, I'm curious if anyone knows who provides the UN's video conferencing technology, because that's now a much more interesting issue. The suggestion being made that the NSA "cracked" the encryption that was being used could have much wider implications if true -- so it would be nice to know what kind of encryption, and what sort of system is being used. Either way, I'm guessing that many in the UN will be seeking out alternative communication methods shortly.
And, here we go again. This time, it's the WSJ journal with the scoop on NSA surveillance, and how the defenders of the NSA have been lying to us. Despite claims that the NSA was really only focused on foreign communications, the WSJ is reporting that it actually covers 75% of US internet traffic:
The National Security Agency—which possesses only limited legal authority to spy on U.S. citizens—has built a surveillance network that covers more Americans' Internet communications than officials have publicly disclosed, current and former officials say.
The system has the capacity to reach roughly 75% of all U.S. Internet traffic in the hunt for foreign intelligence, including a wide array of communications by foreigners and Americans. In some cases, it retains the written content of emails sent between citizens within the U.S. and also filters domestic phone calls made with Internet technology, these people say.
Basically, they're just revealing more details about the things that whistleblower Mark Klein revealed years ago: that the NSA has deals with the major telcos which scoop up a huge amount of internet traffic.
The programs, code-named Blarney, Fairview, Oakstar, Lithium and Stormbrew, among others, filter and gather information at major telecommunications companies. Blarney, for instance, was established with AT&T Inc., former officials say. AT&T declined to comment.
This filtering takes place at more than a dozen locations at major Internet junctions in the U.S., officials say.
The WSJ report is wrong on one account, though. It claims that people believed that the NSA's filtering actually happened "where undersea or other foreign cables enter the country" but that's not true. Mark Klein made it clear that the NSA had machines directly on AT&T's property.
And, of course, it will come as no surprise that these programs that work directly with telcos to tap into full internet traffic aren't just about metadata:
...this set of programs shows the NSA has the capability to track almost anything that happens online, so long as it is covered by a broad court order.
[....] Inevitably, officials say, some U.S. Internet communications are scanned and intercepted, including both "metadata" about communications, such as the "to" and "from" lines in an email, and the contents of the communications themselves.
This also shouldn't be a surprise. For all the talk of "metadata" it was always clear that the surveillance defenders were talking about this program only, which was the Patriot Act Section 215 "business records" program. But other programs, such as these listed above, were clearly about actual content as well.
While the report does note that some "minimization" happens, there is clearly widespread ability to abuse. The system works by having the NSA telling the telcos to only send over certain traffic covering "certain areas of interest" which the NSA then "briefly copies" and decides what to keep and what to dump. Again, this is consistent with earlier reports of the NSA searching all emails that go into and out of the US.
The latest report is, again, replete with NSA doublespeak. It claims that it's not "accessing" all of this traffic, because it asks the telcos to do some of the filtering for it. That's how it gets away with talking about "things we actually touch," even though its deals with the telcos basically mean they can access almost everything.
The WSJ further reports that, while most of the requests are targeted towards foreign communications, there are times when it's quite clear that requests are likely to cover domestic communications. Some telcos apparently push back, causing "friction", while others seem to comply with no qualms, though there is no indication of which telcos fall into which camp.
The report further confirms that this program is considered "legal" by the administration thanks to a broad interpretation of the FISA Amendments Act, giving the NSA the power to snoop on people "reasonably believed" to be outside the US, rather than requiring "probable cause" that they were "an agent of a foreign power." Also, there's this:
NSA has discretion on setting its filters, and the system relies significantly on self-policing. This can result in improper collection that continues for years.
The report also claims that it was one of these "mistakes" that resulted in three years of illegal collections (much greater than the "few months" that were revealed in last week's Washington Post article).
And now we wait for another bunch of carefully worded statements from NSA defenders...
Now, we were disappointed in those comments as well, but mainly because they were mostly meaningless trifles, designed to appease the public with promises of more transparency, rather than an actual promise to cut back on spying on every single person in the US. Apparently King is upset on the other side of things, believing that even the tiniest amount of increased transparency means that Al Qaeda will win:
The President’s announcement today that he will pursue “reforms” to National Security Agency counterterrorism programs is a monumental failure in presidential wartime leadership and responsibility. These programs are legal, transparent and contain the appropriate checks and balances among the executive, legislative and judicial branches of our government. These intelligence tools keep Americans safe every single day.
America is at war with Islamist terror groups that kill and maim innocent civilians. The current threat to the Homeland is just as high as it was before 9/11. It is difficult to imagine past war leaders such as Franklin Roosevelt or Winston Churchill willingly surrendering signals intelligence tools that are needed to fight our enemies. We need a president who defends our intelligence programs, explains them appropriately to the American people, and uses every legal capability in his arsenal to defeat al Qaeda.
The second paragraph is just pure fearmongering based on nothing -- especially the claims about the threats being just as high today as they were before 9/11. Of course, what's even more ridiculous here is that King was a long time supporter of foreign terrorist organization, the IRA, including supposedly endorsing an attack on a police station that killed nine people. I wonder if he felt that the UK government should have used the same secret surveillance techniques against the IRA?
King wasn't done there, apparently. Following that statement, he went on Face the Nation and apparently said with a straight face that the public referring to the NSA's activity as "spying" or "snooping" was slandering the NSA and somehow diminishes their patriotism. Really. The man is apparently serious.
“These people in the NSA are patriots,” King said. “Probably what’s annoyed me the most over the last several months is people casually using words like ‘spying,’ ‘snooping,’ ‘what is the NSA up to now?’ Does anybody think General Alexander wants to snoop on America? I think that demeans the whole political dialogue, and that’s why I wish the president would be more outgoing and defend the NSA lot more than he did.”
“This has really been a slander on the thousand of good men and women who every day dedicate their lives to our country, and particularly General Alexander, who is as patriotic as anyone I have ever met in government or anywhere,” King said. “There is too much loose talk here. Every time i hear ‘snooping’ and ‘spying’, it just drives me crazy. We know what these men and women are doing, and they’re absolutely dedicated patriots.”
Meanwhile, King is not the only one in Congress who is upset that the President even hinted at reforms and transparency. House Speaker John Boehner issued a slightly less inflammatory statement arguing that the President must not back down on keeping the program intact, despite the fact that (again) there is no evidence that it has been necessary in stopping a single terrorist attack.
Transparency is important, but we expect the White House to insist that no reform will compromise the operational integrity of the program. That must be the president’s red line, and he must enforce it. Our priority should continue to be saving American lives, not saving face.”
Actually, I thought our priority should be protecting the Constitution -- including the 4th Amendment -- but it appears that many members of Congress have forgotten that little requirement.
Right before the Snowden leaks came out, you may recall there were some other controversies, involving the DOJ spying on reporters, including claiming that reporter James Rosen was an "aider, abettor or co-conspirator" in order to get access to his emails and phone records. In response to this controversy, President Obama... put Attorney General Eric Holder in charge of investigating these efforts, despite the fact that it was under Eric Holder's watch that these things happened.
The new guidelines, which the official said would take effect almost immediately, would prevent the Federal Bureau of Investigation from portraying a reporter as a co-conspirator in a criminal leak as a way to get around a legal bar on secret search warrants for reporting materials, as an agent did in a recently revealed search warrant affidavit involving a Fox News reporter.
They would also make it harder — though not impossible — for prosecutors to obtain a journalist’s calling records from telephone companies without giving news organizations advance notice...
According to that report at the NY Times, the DOJ also said that it can't do any more unless laws are changed:
“This is as far as the department can go on its own until Congress passes the media shield legislation,” the Justice Department official said
That's simply not true. The DOJ's guidelines are just that: guidelines. They can set pretty clear guidelines for themselves that make it clear that the DOJ will not spy on reporters' communications with sources. But they're choosing not to do so. Either way, all of this seems (yet again) like a reaction to them being called out on questionable behavior. They made no effort to fix these guidelines until what they were doing came out in the news. It's difficult to take the DOJ seriously when they promise to change after they've been caught.