This may not be an actual “Wyden siren,” but it still has his name attached to it. What’s being said here isn’t nearly as ominous as this single sentence he sent to CIA leadership earlier this year:
I write to alert you to a classified letter I sent you earlier today in which I express deep concerns about CIA activities.
Few people are capable of saying so much with so little. This one runs a bit longer, but it has implications that likely run deeper than the surface-level issue raised by Wyden and others in a recent letter to Trump’s (satire is dead) Director of National Intelligence, Tulsi Gabbard. Here are the details, as reported by Dell Cameron for Wired:
In a letter sent Thursday to Director of National Intelligence Tulsi Gabbard, the lawmakers say that because VPNs obscure a user’s true location, and because intelligence agencies presume that communications of unknown origin are foreign, Americans may be inadvertently waiving the privacy protections they’re entitled to under the law.
Several federal agencies, including the FBI, the National Security Agency, and the Federal Trade Commission, have recommended that consumers use VPNs to protect their privacy. But following that advice may inadvertently cost Americans the very protections they’re seeking.
The letter was signed by members of the Democratic Party’s progressive flank: Senators Ron Wyden, Elizabeth Warren, Edward Markey, and Alex Padilla, along with Representatives Pramila Jayapal and Sara Jacobs.
That’s alarming. It’s also a conundrum. VPN use (often required for remote logins to corporate systems) is a great way to secure connections that are otherwise insecure, like those originating from people’s homes (to log into their work stuff) or utilizing public Wi-Fi. There are also more off-the-books uses, like circumventing regional content limitations or just ensuring your internet activity can’t be tied to your physical location.
The trade-off depends on the threat you’re trying to mitigate. It’s kind of like the trade-off in cell phone security. Using biometric markers to unlock your phone might be the best option if what you’re mainly concerned with is theft of your device. A thief might be able to guess a password, but they won’t be able to duplicate an iris or a fingerprint.
But if the threat you’re more worried about is this government, you’ll want the passcode. Courts have generally found that fingerprints and eyeballs aren’t “testimonial,” so if you’re worried about being compelled to unlock your device, the Fifth Amendment tends to favor passwords, at least as far as the courts are concerned.
It’s almost the same thing here. VPNs might protect you against garden-variety criminals, but the intentional commingling of origin/destination points by VPNs could turn purely domestic communications into “foreign” communications the NSA can legally intercept (and the FBI, somewhat less legally, can dip into at will).
That’s the substance of the letter sent to Gabbard, in which the legislators ask the DNI to issue public guidance on VPN usage that makes it clear that using one might subject users to (somewhat inadvertent) domestic surveillance:
Americans reportedly spend billions of dollars each year on commercial VPN services, many of which are offered by foreign-headquartered companies using servers located overseas. According to the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, VPNs have the potential to be vulnerable to surveillance by foreign adversaries. While Americans should be warned of these risks, they should also be told if these VPN services, which are advertised as a privacy protection, including by elements of the federal government, could, in fact, negatively impact their rights against U.S. government surveillance. To that end, we urge you to be more transparent with the American public about whether the use of VPNs can impact their privacy with regard to U.S. government surveillance, and clarify what, if anything, American consumers can do to ensure they receive the privacy protections they are entitled to under the law and Constitution.
I wouldn’t expect a response from ODNI. I mean, I wouldn’t expect one in any case, but I especially don’t expect Tulsi Gabbard to respond to a letter sent by a handful of Democratic Party members.
A warning would be nice, but even an Intelligence Community overseen by competent professionals, rather than loyalists and Fox News commentators, would be hard-pressed to present a solution. To be fair, this letter isn’t asking for a fix, but rather telling the Director of National Intelligence to inform the public of the risks of VPN usage, including increasing their odds of being swept up in NSA dragnets.
Certainly the NSA isn’t concerned about “incidental collection.” It’s never been too concerned about its consistent “incidental” collection of US persons’ communications and data in the past and this isn’t going to move the needle, especially since it means the NSA would have to do more work to filter out domestic communications and the FBI would be less than thrilled with any efforts made to deny it access to communications it doesn’t have the legal right to obtain on its own.
Since the government won’t do this, it’s up to the general public, starting with everyone sharing the contents of this letter with others. VPNs can still offer considerable security benefits. But everyone needs to know that domestic surveillance is one of the possible side effects of utilizing this tech.
The Trump administration is loosening restrictions on the sharing of law enforcement information with the CIA and other intelligence agencies, officials said, overriding controls that have been in place for decades to protect the privacy of U.S. citizens.
Government officials said the changes could give the intelligence agencies access to a database containing hundreds of millions of documents — from FBI case files and banking records to criminal investigations of labor unions — that touch on the activities of law-abiding Americans.
Administration officials said they are providing the intelligence agencies with more information from investigations by the FBI, Drug Enforcement Administration and other agencies to combat drug gangs and other transnational criminal groups that the administration has classified as terrorists.
But they have taken these steps with almost no public acknowledgement or notification to Congress. Inside the government, officials said, the process has been marked by a similar lack of transparency, with scant high-level discussion and little debate among government lawyers.
“None of this has been thought through very carefully — which is shocking,” one intelligence official said of the moves to expand information sharing. “There are a lot of privacy concerns out there, and nobody really wants to deal with them.”
A spokesperson for the Office of the Director of National Intelligence, Olivia Coleman, declined to answer specific questions about the expanded information sharing or the legal basis for it.
Instead, she cited some recent public statements by senior administration officials, including one in which the national intelligence director, Tulsi Gabbard, emphasized the importance of “making sure that we have seamless two-way push communications with our law enforcement partners to facilitate that bi-directional sharing of information.”
In the aftermath of the Watergate scandal, revelations that Presidents Lyndon Johnson and Richard Nixon had used the CIA to spy on American anti-war and civil rights activists outraged Americans who feared the specter of a secret police. The congressional reforms that followed reinforced the long-standing ban on intelligence agencies gathering information about the domestic activities of U.S. citizens.
Compared with the FBI and other federal law enforcement organizations, the intelligence agencies operate with far greater secrecy and less scrutiny from Congress and the courts. They are generally allowed to collect information on Americans only as part of foreign intelligence investigations. Exemptions must be approved by the U.S. attorney general and the director of national intelligence. The National Security Agency, for example, can intercept communications between people inside the United States and terror suspects abroad without the probable cause or judicial warrants that are generally required of law enforcement agencies.
Since the terror attacks of Sept. 11, 2001, the expansion of that surveillance authority in the fight against Islamist terrorism has been the subject of often intense debates among the three branches of government.
Word of the Trump administration’s efforts to expand the sharing of law enforcement information with the intelligence agencies was met with alarm by advocates for civil liberties protections.
“The Intelligence Community operates with broad authorities, constant secrecy and little-to-no judicial oversight because it is meant to focus on foreign threats,” Sen. Ron Wyden of Oregon, a senior Democrat on the Senate Select Committee on Intelligence, said in a statement to ProPublica.
Giving the intelligence agencies wider access to information on the activities of U.S. citizens not suspected of any crime “puts Americans’ freedoms at risk,” the senator added. “The potential for abuse of that information is staggering.”
Most of the current and former officials interviewed for this story would speak only on condition of anonymity because of the secrecy of the matter and because they feared retaliation for criticizing the administration’s approach.
Virtually all those officials said they supported the goal of sharing law enforcement information more effectively, so long as sensitive investigations and citizens’ privacy were protected. But after years in which Republican and Democratic administrations weighed those considerations deliberately — and made little headway with proposed reforms — officials said the Trump administration has pushed ahead with little regard for those concerns.
“There will always be those who simply want to turn on a spigot and comingle all available information, but you can’t just flip a switch — at least not if you want the government to uphold the rule of law,” said Russell Travers, a former acting director of the National Counterterrorism Center who served in senior intelligence roles under both Republican and Democratic administrations.
The 9/11 attacks — which exposed the CIA’s failure to share intelligence with the FBI even as Al Qaida moved its operatives into the United States — led to a series of reforms intended to transform how the government managed terrorism information.
A centerpiece of that effort was the establishment of the NCTC, as the counterterrorism center is known, to collect and analyze intelligence on foreign terrorist groups. The statutes that established the NCTC explicitly prohibit it from collecting information on domestic terror threats.
National security officials have spent much less time trying to remedy what they have acknowledged are serious deficiencies in the government’s management of intelligence on organized crime groups.
In 2011, President Barack Obama noted those problems in issuing a new national strategy to “build, balance and integrate the tools of American power to combat transnational organized crime.” Although the Obama plan stressed the need for improved information-sharing, it led to only minimal changes.
President Donald Trump has seized on the issue with greater urgency. He has also declared his intention to improve information-sharing across the government, signing an executive order to eliminate “information silos” of unclassified information.
More consequentially, he went on to brand more than a dozen Latin American drug mafias and criminal gangs as terrorist organizations.
The administration has used those designations to justify more extreme measures against the criminal groups. Since last year, it has killed at least 148 suspected drug smugglers with missile strikes in the Caribbean and the eastern Pacific, steps that many legal experts have denounced as violations of international law.
Some administration officials have argued that the terror designations entitle intelligence agencies to access all law enforcement case files related to the Sinaloa Cartel, the Jalisco New Generation Cartel and other gangs designated by the State Department as foreign terrorist organizations.
The first criterion for those designations is that a group must “be a foreign organization.” Yet unlike Islamist terror groups such as al-Qaida or al-Shabab, Latin drug mafias and criminal gangs like MS-13 have a large and complex presence inside the United States. Their members are much more likely to be U.S. citizens and to live and operate here.
Those steps were seen by some intelligence experts as potentially opening the door for the CIA and other agencies to monitor Americans who support antifa in violation of their free speech rights. The approach also echoed justifications that both Johnson and Nixon used for domestic spying by the CIA: that such investigations were needed to determine whether government critics were being supported by foreign governments.
The wider sharing of law enforcement case files is also being driven by the administration’s abrupt decision to disband the Justice Department office that for decades coordinated the work of different agencies on major drug trafficking and organized crime cases. That office, the Organized Crime Drug Enforcement Task Force, was abruptly shut down on Sept. 30 as the Trump administration was setting up a new network of Homeland Security Task Forces designed by the White House homeland security adviser, Stephen Miller.
The new task forces, which were first described in detail by ProPublica last year, are designed to refocus federal law enforcement agencies on what Miller and other officials have portrayed as an alarming nexus of immigration and transnational crime. The reorganization also gives the White House and the Department of Homeland Security new authority to oversee transnational crime investigations, subordinating the DEA and federal prosecutors, who were central to the previous system.
That reorganization has set off a struggle over the control of OCDETF’s crown jewel, a database of some 770 million records that is the only central, searchable repository of drug trafficking and organized crime case files in the federal government.
Until now, the records of that database, which is called Compass, have only been accessible to investigators under elaborate rules agreed to by the more than 20 agencies that shared their information. The system was widely viewed as cumbersome, but officials said it also encouraged cooperation among the agencies while protecting sensitive case files and U.S. citizens’ privacy.
Although the Homeland Security Task Forces took possession of the Compass system when their leadership moved into OCDETF’s headquarters in suburban Virginia, the administration is still deciding how it will operate that database, officials said.
However, officials said, intelligence agencies and the Defense Department have already taken a series of technical steps to connect their networks to Compass so they can access its information if they are permitted to do so.
The White House press office did not respond to questions about how the government will manage the Compass database and whether it will remain under the control of the Homeland Security Task Forces.
The National Counterterrorism Center, under its new director, Joe Kent, has been notably forceful in seeking to manage the Compass system, several officials said. Kent, a former Army Special Forces and CIA paramilitary officer who twice ran unsuccessfully for Congress in Washington state, was previously a top aide to the national intelligence director, Tulsi Gabbard.
The FBI, DEA and other law enforcement agencies have strongly opposed the NCTC effort, the officials said. In internal discussions, they added, the law enforcement agencies have argued that it makes no sense for an intelligence agency to manage sensitive information that comes almost entirely from law enforcement.
“The NCTC has taken a very aggressive stance,” one official said. “They think the agencies should be sharing everything with them, and it should be up to them to decide what is relevant and what U.S. citizen information they shouldn’t keep.”
The FBI declined to comment in response to questions from ProPublica. A DEA spokesperson also would not discuss the agency’s actions or views on the wider sharing of its information with the intelligence community. But in a statement the spokesman added, “DEA is committed to working with our IC and law enforcement partners to ensure reliable information-sharing and strong coordination to most effectively target the designated cartels.”
Even with the Trump administration’s expanded definition of what might constitute terrorist activity, the information on terror groups accounts for only a small fraction of the records in the Compass system, current and former officials said.
The records include State Department visa records, some files of U.S. Postal Service inspectors, years of suspicious transaction reports from the Treasury Department and call records from the Bureau of Prisons.
Investigative files of the FBI, DEA and other law enforcement agencies often include information about witnesses, associates of suspects and others who have never committed any crimes, officials said.
“You have witness information, target information, bank account information,” the former OCDETF director, Thomas Padden, said in an interview. “I can’t think of a dataset that would not be a concern if it were shared without some controls. You need checks and balances, and it’s not clear to me that those are in place.”
Officials familiar with the interagency discussions said NCTC and other intelligence officials have insisted they are interested only in terror-related information and that they have electronic systems that can appropriately filter out information on U.S. persons.
But FBI and other law enforcement agencies have challenged those arguments, officials said, contending that the NCTC proposal would almost inevitably breach privacy laws and imperil sensitive case information without necessarily strengthening the fight against transnational criminals.
Already, NCTC officials have been pressing the FBI and DEA to share all the information they have on the criminal groups that have been designated as terrorist organizations, officials said.
The DEA, which had previously earned a reputation for jealously guarding its case files, authorized the transfer of at least some of those files, officials said, adding to pressure on the FBI to do the same.
Administration lawyers have argued that such information sharing is authorized by the Intelligence Reform and Terrorism Prevention Act of 2004, the law that reorganized intelligence activities after 9/11. Officials have also cited the 2001 Patriot Act, which gives law enforcement agencies power to obtain financial, communications and other information on a subject they certify as having ties to terrorism.
The central role of the NCTC in collecting and analyzing terrorism information specifically excludes “intelligence pertaining exclusively to domestic terrorists and domestic counterterrorism.” But that has not stopped Kent or his boss, intelligence director Gabbard, from stepping over red lines that their predecessors carefully avoided.
In October, Kent drew sharp criticism from the FBI after he examined files from the bureau’s ongoing investigation of the assassination of Charlie Kirk, the right-wing activist. That episode was first reported by The New York Times.
Last month, Gabbard appeared to lead a raid at which the FBI seized truckloads of 2020 presidential voting records from an election center in Fulton County, Georgia. Officials later said she was sent by Trump but did not oversee the operation.
In years past, officials said, the possibility of crossing long-settled legal boundaries on citizens’ privacy would have precipitated a flurry of high-level meetings, legal opinions and policy memos. But almost none of that internal discussion has taken place, they said.
“We had lengthy interagency meetings that involved lawyers, civil liberties, privacy and operational security types to ensure that we were being good stewards of information and not trampling all over U.S. persons’ privacy rights,” said Travers, the former NCTC director.
When administration officials abruptly moved to close down OCDETF and supplant it with the Homeland Security Task Forces network, they seemed to have little grasp of the complexities of such a transition, several people involved in the process said.
The agencies that contributed records to OCDETF were ordered to sign over their information to the task forces, but they did so without knowing if the system’s new custodians would observe the conditions under which the files were shared.
Nor were they encouraged to ask, officials said.
While both the FBI and DEA have objected to a change in the protocols, officials said smaller agencies that contributed some of their records to the OCDETF system have been “reluctant to push back too hard,” as one of them put it.
The NCTC, which faced budget cuts during the Biden administration, has been among those most eager to service the new Homeland Security Task Forces. To that end, it set up a new fusion center to promote “two-way intelligence sharing of actionable information between the intelligence community and law enforcement,” as Gabbard described it.
The expanded sharing of law enforcement and intelligence information on trafficking groups is also a key goal of the Pentagon’s new Tucson, Arizona-based Joint Interagency Task Force-Counter Cartel. In announcing the task force’s creation last month, the U.S. Northern Command said it would work with the Homeland Security Task Forces “to ensure we are sharing all intelligence between our Department of War, law enforcement and Intelligence Community partners.”
In the last months of the Biden administration, a somewhat similar proposal was put forward by the then-DEA administrator, Anne Milgram. That plan involved setting up a pair of centers where DEA, CIA and other agencies would pool information on major Mexican drug trafficking groups.
At the time, one particularly strong objection came from the Defense Department’s counternarcotics and stabilization office, officials said. The sharing of such law enforcement information with the intelligence community, an official there noted, could violate laws prohibiting the CIA from gathering intelligence on Americans inside the United States.
The Pentagon, he warned, would want no part of such a plan.
As the debate over Section 702 continues, more weird stuff keeps happening. For once, there’s serious opposition to a clean renewal, and it’s coming from both sides of the legislature. Then there are things like this, which is one of the stranger incidents to accompany a surveillance fight, as reported by Dell Cameron for Wired.
At a private meeting about the reauthorization of a major United States surveillance program late last year, the Republican chairman of the US House Permanent Select Committee on Intelligence (HPSCI) presented an image of Americans protesting the war in Gaza while implying possible ties between the protesters and Hamas, an allegation that was used to illustrate why surveillance reforms may prove detrimental to national security, WIRED has learned. Sources who attended the meeting say it alarmed Republicans who are pursuing new limits on the US government’s power to warrantlessly access the communications of US citizens.
Yeah, that should alarm everyone, not just Republicans looking for any reason to stick it to the FBI after a few of their own (Trump supporters all) got swept up by the Bureau’s warrantless access to the NSA’s ostensibly foreign-facing collection.
Now, there are lots of reasons most Republicans aren’t happy with this development. The first reason was listed in the previous paragraph. They also may not like protesters being placed under surveillance because many of them still make excuses for the insurrectionists in their midst and love to portray the January 6th invasion of the Capitol building as a protest that just got a little out of hand.
Republicans are also aware this is an executive power and right now they don’t have their own guy as Chief Executive. That’s another reason to oppose a clean reauthorization of Section 702 surveillance powers. The fact that Biden himself has asked for clean reauthorization is another reason to oppose it, even if they might have supported one with Trump still in office.
But this is still pretty disturbing, all politics aside. HPSCI Chairman Mike Turner apparently felt these slides were appropriate for a discussion of a foreign-facing surveillance power — one that’s come under considerable fire for the FBI’s constant, casual abuse of this collection to engage in warrantless domestic surveillance.
Mike Turner, of course, doesn’t really want anything to happen to Section 702. And, given this presentation, it seems clear he doesn’t mind if the FBI uses it to target American citizens, even those engaged in protected First Amendment activities. Faced with an actual reform bill that would codify a warrant requirement for accessing US persons’ communications, Turner fired off a competing “reform” proposal.
His proposal would have codified the FBI’s voluntary changes (which do not include a warrant requirement) and exempted people like him from being targeted by backdoor searches of NSA collections. His reform would force the FBI to notify Congress members if they had been subject to a 702 query and seek permission from certain government officials before gathering information that might include communications harvested by the NSA. As for the rest of us, nothing.
Turner’s briefing — and his startling PowerPoint presentation — were part of a concerted effort to talk legislators into dropping the proposed warrant requirement. I guess the good news is that this attempt failed spectacularly and may have even pushed some people off the fence towards the side demanding warrants.
As you read the next few paragraphs, keep in mind this is coming from the head of the House Intelligence Committee, which is not only a committee (meaning several legislators are involved) but one with access to actual intelligence (in the spy sense of the word), interns, staffers, advisors, aides, and any number of people who might have been able to head this off before it happened.
Instead, now that it’s been made public, the PR wing of the HPSCI has offered up whatever the fuck this is:
A spokesperson for the House Intelligence Committee said in an email on Friday that the protesters depicted in the slide had “responded to what appears to be a Hamas solicitation.”
A WIRED review of the slides shown by Turner casts doubt on that claim. Notably, while the two slides were portrayed as being related to a single protest in November outside Senate majority leader Chuck Schumer’s Brooklyn residence, WIRED has since learned that the slides reference two separate events that occurred nearly a month apart.
What’s more, the allegation that the protesters were following Hamas’ lead is based on a post on X that contains false information about who organized one of these two events.
Jeff Naft, the HPSCI spokesperson, further stated that the purpose of the slides was to “illustrate” that even if the pictured protesters “had ties to Hamas,” they could not be lawfully surveilled using Section 702.
I have no reason to believe that was the original intent of the slides. But even if it was, no one who viewed this presentation saw it that way, as Cameron reports.
“At the outset of the presentation, he’s running through slides, making his case for why 702 reauthorization is needed,” a senior Republican aide tells WIRED. “Then he throws up that photo. The framing was: ‘Here are protesters outside of Chuck Schumer’s house. We need to be able to use 702 to query these people.’”
Another aide in attendance said: “The sentiment was that [Turner] wanted to know if these people were talking to Hamas. That’s how I interpreted why he brought up those slides.”
That appears to have been the intent, no matter what Turner’s spokesperson is saying after the fact. If Naft is supposed to be the spin doctor, the HPSCI needs to sue him for malpractice.
And even if anyone in attendance agreed with Turner’s insinuation that pro-Palestinian protesters should be placed under the Section 702-enabled microscope, at least they’re smart enough to realize how this sort of thing works if it becomes the FBI’s new pattern-and-practice following reauthorization:
“What we know for sure is this,” a Republican aide says, “However the government decides to treat left-wing protesters today, that’s how we should expect protesters in our party to be treated under future administrations.”
That’s how it works. Surveillance powers like Section 702 cross administrations. They don’t align with election years. And that should nudge more legislators to consider what’s best in the long run, rather than what’s politically expedient. And, no matter how you feel about the FBI and its steady dipping into the NSA pool, you should never try to insinuate that political protesters should be subjected to domestic surveillance.
Sure, the government can pretend the Third Party Doctrine applies here. But chances are that most of this data being collected by phone apps and other services isn’t being collected with the full knowledge of device users. This is the sort of thing that’s hidden in the deep end of Terms of Use boilerplate, suckering people out of all kinds of data because they made the mistake of assuming a seemingly-innocuous match-3 game wouldn’t attempt to ping their phone’s location and tie it to specific device IDs.
U.S. Senator Ron Wyden, D-Ore., released documents confirming the National Security Agency buys Americans’ internet records, which can reveal which websites they visit and what apps they use. In response to the revelation, today Wyden called on the administration to ensure intelligence agencies stop buying personal data from Americans that has been obtained illegally by data brokers. A recent FTC order held that data brokers must obtain Americans’ informed consent before selling their data.
“The U.S. government should not be funding and legitimizing a shady industry whose flagrant violations of Americans’ privacy are not just unethical, but illegal,” Wyden wrote in a letter to Director of National Intelligence (DNI) Avril Haines today. “To that end, I request that you adopt a policy that, going forward, IC elements may only purchase data about Americans that meets the standard for legal data sales established by the FTC.”
You’d think the NSA would be able to obtain this data without having to buy it from sketchy third-party vendors. I mean, it has erected one of the most pervasive surveillance apparatuses in the world. It’s completely capable of engaging in domestic surveillance. And, indeed, it often does! So why would it need to purchase something it can obtain (more legitimately[?]) from its own dragnets and risk having part of its collection techniques exposed?
There’s no clear answer to that question, other than it’s pretty easy to spend government money when you’ve got plenty of it. Wyden’s letter [PDF] goes into a bit more detail, but (for obvious reasons) it’s not the equivalent of sneaking damning documents out of an NSA data center and handing them over to journalists after exiting the country.
That being said, it took Wyden holding a top NSA position hostage for the government to admit it was buying data from brokers to engage in domestic surveillance.
The secrecy around data purchases was amplified because intelligence agencies have sought to keep the American people in the dark. It took me nearly three years to clear the public release of information revealing the NSA’s purchase of domestic internet metadata. DoD first provided me with that information in March, 2021, in response to a request from my office for information identifying the DoD components buying Americans’ personal data. DoD subsequently refused a request I made in May, 2021, to clear the unclassified information for public release. It was only after I placed a hold on the nominee to be the NSA director that this information was cleared for release.
Wyden asks each “IC [Intelligence Community] element” to open an investigation into the purchase of data from data brokers, as well as an FTC investigation into the business practices of the data brokers themselves. Each IC component is also asked to provide “an inventory of personal data purchased” from data brokers.
Wyden’s letter deals with all data purchased from brokers, but specifically exposes the NSA’s acquisition of internet browser records, which show which sites users visit and which apps they use. The NSA’s denial — delivered to Wyden late last year — claims the NSA isn’t doing something else entirely.
[N]SA does not buy and use location data collected from phones known to be used in the United States either with or without a court order.
That’s the only firm denial in the letter and it only says things about location data, which isn’t what Wyden is expressing his concern about.
However, the NSA — in the same 2023 letter — admitted to doing exactly what Wyden accused it of:
NSA does buy and use commercially available netflow (i.e., non-content) data related wholly to domestic internet communications and internet communications where one side of the communication is a U.S. Internet Protocol address and the other is located abroad.
The NSA is admitting to domestic surveillance. Not the best look for an agency still hoping to resuscitate its reputation following several years of damning leaks, investigations, and inadvertent exposures. We already know the NSA is fully capable of “inadvertently” sweeping up US persons’ data and communications with its Section 702 collection. That’s the thing the FBI constantly abuses to engage in domestic surveillance. It should never need to buy this data from brokers because it has always been able to obtain it otherwise.
This appears to be the NSA collecting even more just because the situation presented itself, rather than for any demonstrated national security need. And that’s the sort of thing no American should be willing to treat as government business as usual.
Story after story after story has showcased how the intentionally convoluted adtech and data broker market sloppily traffics in all manner of sensitive consumer data, whether it’s your daily physical movements (say, the last time you visited an abortion clinic), your granular browsing habits, your medical history, your household energy use patterns, or even your mental health data.
This massive trove of data is then used to categorize and classify Americans on an increasingly complicated array of criteria in a bid to sling ads and sell products online. Companies collect way more consumer data than is needed, it’s simply not secured in any competent way, and while adtech brokers will happily claim they “anonymize” this data to protect consumer privacy, study after study has showcased how that word is absolutely meaningless, providing flimsy cover as the sector sells access to datasets relatively cheaply, often without competently screening the purchaser.
In the shadow of years of inaction by the US Congress on comprehensive privacy reform, a surveillance state has been quietly growing in the legal system’s cracks. Little deference is paid by prosecutors to the purpose or intent behind limits traditionally imposed on domestic surveillance activities. More craven interpretations of aging laws are widely used to ignore them. As the framework guarding what privacy Americans do have grows increasingly frail, opportunities abound to split hairs in court over whether such rights are even enjoyed by our digital counterparts.
The report is also quick to note what everybody has known for a long time: claims that industry “anonymizes” this data to protect consumer identities are generally bullshit, since it’s relatively trivial to identify users with just a modicum of additional data. “Anonymization” is tossed around casually as some kind of ethical and privacy get out of jail free card, when it’s simply gibberish:
It is no secret, the report adds, that it is often trivial “to deanonymize and identify individuals” from data that was packaged as ethically fine for commercial use because it had been “anonymized” first. Such data may be useful, it says, to “identify every person who attended a protest or rally based on their smartphone location or ad-tracking records.” Such civil liberties concerns are prime examples of how “large quantities of nominally ‘public’ information can result in sensitive aggregations.” What’s more, information collected for one purpose “may be reused for other purposes,” which may “raise risks beyond those originally calculated,” an effect called “mission creep.”
Sure, wholesale corruption and greed are a major reason why it’s 2023 and we still haven’t passed even a baseline privacy law for the internet era and competently regulated data brokers. But it’s also because holding the data broker and adtech space accountable for lax privacy and security practices operates in stark contrast to the interests of those keen on mindlessly expanding our domestic surveillance apparatus:
Perhaps most controversially, the report states that the government believes it can “persistently” track the phones of “millions of Americans” without a warrant, so long as it pays for the information. Were the government to simply demand access to a device’s location instead, it would be considered a Fourth Amendment “search” and would require a judge’s sign-off. But because companies are willing to sell the information—not only to the US government but to other companies as well—the government considers it “publicly available” and therefore asserts that it “can purchase it.”
That’s why the often performative policy fixation on TikTok — and the pretense that banning TikTok actually fixes the broader problem — are naïve baby talk. It’s also a giant (often intentional) distraction from the real problem: our corrupt inability to pass even basic privacy legislation or regulate a data broker market that’s been running amok for the better part of two decades.
You’ll see endless hyperventilation in DC about China and TikTok, yet those same folks will curiously avoid discussing how domestic intelligence is also able to obtain this same data on the cheap. And they’ll avoid it because they don’t actually care about privacy, but they do care about making money and mindlessly expanding U.S. government surveillance power as it tramples accountability underfoot.
Under the dull roar of our great TikTok moral panic I’ve been trying to make the semi-nuanced point that while TikTok does present some legitimate privacy issues, a ban won’t fix the actual problem. Largely because U.S. policymakers and businesses don’t want to fix the actual problem. They don’t even want to acknowledge what the actual problem is.
Namely that we’ve created a vast, largely unregulated data broker market that traffics in vast realms of private user data. That data at scale is hugely profitable for everybody in the chain. But it’s also easily exploitable by Chinese intelligence agencies keen on building detailed profiles of Americans. And it’s a great way for the U.S. government to obtain sensitive U.S. resident data without those pesky warrants.
So again, banning TikTok isn’t actually doing what U.S. politicians (especially on the GOP side) claim.
Case in point: a new Gizmodo investigation found that over 28,000 different apps make use of TikTok’s software development kits. All of these apps send TikTok various data to handle things like slinging ads, logging in to services, and sharing videos from the app. It’s another example of how “ban TikTok and we’ve fixed the problem” is simplistic and stupid:
“A simple ban on the TikTok app itself is not going to stop data flowing to TikTok,” said Daniel Kahn Gillmor, a senior staff technologist at the American Civil Liberties Union. “TikTok has software in other places, not to mention TikTok trackers spread across other parts of the web. I don’t have a TikTok account, but there are still plenty of ways the company can get data about me.”
That’s of course just the SDK. Were Chinese intelligence really keen on obtaining vast troves of U.S. resident location, browsing, and even mental health data… it’s rather trivial to buy it on the cheap from the global data broker market whose operations are convoluted specifically to help them avoid regulatory accountability. With or without TikTok’s help.
It’s kind of weird to me how despite the rampant coverage of the TikTok fracas, Gizmodo is one of very few outlets consistently pointing out to readers how banning TikTok doesn’t really address our propaganda or privacy problems:
“I’m not at all saying TikTok is innocent, but focusing specifically on one app from one country is not going to solve whatever problem you think you’re solving. It truly misses the point,” Kahn Gillmor said. “Do we really think that Facebook or Google are not capable of being influenced by the Chinese government? They know a market when they see one. I think the pressure that’s building is basically a race to be seen as tough on China.”
Again, if U.S. policymakers were actually serious about national security and privacy, we’d take widespread U.S. corruption more seriously. Corruption is eminently exploitable by foreign intelligence (see both Russia and China). It also prevented us from passing even a baseline privacy law for the internet era despite two straight decades of very clear warnings from experts and activists.
TikTok is held up as some exceptional, unique threat to U.S. consumer privacy and national security, and it’s just not. The entire ecosystem is rotten and exploitable by bad actors of every stripe, and it’s rotten because we’ve spent the better part of the last generation prioritizing making money over market health, consumer welfare, or national security:
“Lots of people have had a good look at the TikTok app, and they haven’t found a smoking gun, or anything that looks different from what happens with Facebook, Twitter, and other social networks,” Stockley said. “If the federal government had something within the app that they could expose, I would expect they’d do it.”
Actually fixing this problem would result in U.S. companies making less money from over-collecting consumer data then failing repeatedly to secure it before selling access to it to any nitwit with a few nickels. Actually fixing this problem would require reining in the U.S. government’s widespread domestic surveillance machine, and its routine abuse of this barely regulated market to avoid getting warrants.
A TikTok ban lets a parade of DC blowhards pretend they’re doing something about the problem and being tough on China, even if they’re not actually doing either. For the GOP, it also serves as chum for a xenophobic base, and it lets them pretend they’re fixing a problem (a barely regulated data broker market) their own shitty policies actively created.
Telecom giants are no strangers to helping governments spy on journalists, activists, and their own citizens. AT&T, for example, is effectively so bone-grafted to the NSA here in the States, you literally cannot physically tell where the government ends and the telecom giant begins.
Chinese companies like Huawei have also jumped to the head of the line when asked by repressive governments in Africa to spy on government political opponents, critics, and journalists, or to help Chinese officials track and manage the genocide of the Uighur population.
Now the war in Ukraine and the subsequent economic sanctions on Russia have revealed that Nokia’s also perfectly willing to help violent and oppressive governments when there’s money to be made. When Nokia decided to join countless other companies in exiting Russia to punish it for its attack on Ukraine, the New York Times notes they left something very interesting behind:
“For more than five years, Nokia provided equipment and services to link SORM to Russia’s largest telecom service provider, MTS, according to company documents obtained by The New York Times. While Nokia does not make the tech that intercepts communications, the documents lay out how it worked with state-linked Russian companies to plan, streamline and troubleshoot the SORM system’s connection to the MTS network.”
While this sort of behavior usually sees some light hand-wringing, there’s a long history of both this sort of cooperation, and limited accountability for it. The United States, for example, provided significant IT and telecom support to vicious, tyrannical governments in South America during Operation Condor in the 70s, helping them better coordinate widespread acts of terrorism, murder, and torture.
In this case, Nokia’s planning and strategic aid helped the Russian NSB and Russian telecom giant MTS implement the System for Operative Investigative Activities (SORM), which, in turn, helped with the tracking, surveillance, and violence against and in some cases the murder of activists, journalists, and political opponents.
The documents obtained by the Times indicated that Nokia knew it was aiding the Russian government in this way, and made hundreds of millions of dollars in annual revenue as a result. Analysis of the documents suggests the system simply wouldn’t have been possible without Nokia’s help. Some of this had been reported previously, though Nokia had tried to downplay its involvement.
This was the sort of thing that U.S. lawmakers spent years freaking out over when it came to allegations that Huawei used its hardware to spy, leading to a massive global embargo of Huawei products (though no public evidence was ever offered, and the U.S. was often caught doing similar things). In fact, Nokia’s now a big player in our 5G deployments thanks to the embargo on Huawei.
So the great irony here is that the U.S. (an increasingly authoritarian government and a big fan of unchecked surveillance), embargoed Huawei gear over unchecked surveillance in service to an authoritarian government, driving a significant chunk of U.S. 5G build out business to Nokia, which was just caught… helping authoritarian governments engage in unchecked surveillance.
Super consistent and savvy policy making.
What Congress gets upset about on the domestic surveillance front often ebbs and flows arbitrarily, based on things like the color of an executive’s skin, who is flinging around campaign contributions, and whether the U.S. is the one doing the spying. We’ve led by (poor) example on much of this stuff for more than a generation, and the sour outcome shouldn’t be particularly surprising.
When most people think of the CIA (Central Intelligence Agency), they think of a foreign-facing spy agency with a long history of state sponsored coup attempts (some successful!), attempted assassinations of foreign leaders, and putting the US in the torture business. What most people don’t assume about the CIA is that it’s also spying on Americans. After all, we prefer our embarrassments to be foreign-facing — something that targets (and affects) people we don’t really care about and governments we have been told are irredeemable.
An entity with the power to provoke military action halfway around the world has periodically shown an unhealthy interest in domestic affairs, which are supposed to be off-limits for the nation’s most morally suspect spies. The CIA (along with the FBI) routinely abuses its powers to perform backdoor searches of foreign surveillance stashes to locate US-based communications. It also has asked the FBI to do its dirty secondhand surveillance work for it in order to bypass restrictions baked into Executive Order 12333 — an executive order issued by Ronald Reagan that significantly expanded surveillance permissions for US agencies.
Perhaps most significantly — at least in terms of this report — the order instructed other government agencies to be more compliant with CIA requests for information. Since its debut in December 1981, the order has been modified twice (by George W. Bush) to give the government more power.
That’s the authority the CIA has been using to spy on Americans, as a recent PCLOB (Privacy and Civil Liberties Oversight Board) report shows. The PCLOB performed a “deep dive” in CIA domestic spying at the request of Senators Ron Wyden and Martin Heinrich. After its completion, the senators asked for an unclassified version of the PCLOB’s report. That report has arrived. And, according to Ron Wyden’s statements, it shows the CIA is utilizing EO 12333 to spy on Americans and bypass the protections (however minimal) the FISA court provides to Americans.
“FISA gets all the attention because of the periodic congressional reauthorizations and the release of DOJ, ODNI and FISA Court documents,” said Senators Wyden and Heinrich in response to the newly declassified documents. “But what these documents demonstrate is that many of the same concerns that Americans have about their privacy and civil liberties also apply to how the CIA collects and handles information under executive order and outside the FISA law. In particular, these documents reveal serious problems associated with warrantless backdoor searches of Americans, the same issue that has generated bipartisan concern in the FISA context.”
Wyden and Heinrich called for more transparency from the CIA, including what kind of records were collected and the legal framework for the collection. The PCLOB report noted problems with CIA’s handling and searching of Americans’ information under the program.
Even if the spying isn’t direct, the outcome is pretty much identical to direct targeting. With EO 12333, the CIA obtains the compliance from other federal agencies envisioned by Ronald Reagan back in 1981 as his administration ran headlong into the CIA-implicating Iran-Contra scandal.
Domestic data is supposed to be “masked” if incidentally acquired by foreign-facing surveillance collections. Sometimes this simply doesn’t happen. Sometimes unmasking occurs without proper permission or oversight. The FBI uses this to its advantage. So does the CIA. But the FBI handles domestic terrorism. The CIA does not. That makes the CIA’s abuse possibly more egregious than the FBI’s numerous violations of the same restrictions placed on domestic surveillance via foreign interception of communications by the NSA.
The PCLOB report [PDF] shows the CIA has obtained bulk financial data from other sources, possibly without proper masking of incidentally-collected US persons data. According to the CIA’s response to the report, the only thing separating CIA analysts from US persons’ data and communications is a pop-up box warning them that access may be illegal. This is only a warning. It does not (nor could it) prevent analysts from obtaining data they shouldn’t have access to without explicit permission.
How extensive this “incidental” collection is remains to be seen. And there’s a good chance no one will ever know how often this pop-up was ignored to collect data generated by US citizens and residents. Much of the report is redacted and what was shared with the PCLOB was limited to whatever the CIA felt like sharing. The oversight of programs like these is deliberately limited by the Executive Order — one that made the assumption some things (like national security) are too important to be done properly or overseen directly.
The report does note that the CIA has internal processes to limit abuse of backdoor searches. But it also points out the CIA has read EO 12333 and its modifications to mean it can do what it wants when it wants without worrying too much about straying outside of the generous lines drawn by this Executive Order.
The limits include a requirement to use the “least intrusive collection techniques feasible within the United States or directed against United States persons abroad.” Annex A implements E.O. 12333’s “least intrusive collection technique” requirement regarding activities outside of the United States involving U.S. persons. Given that the Executive Order’s restriction only applies to activities in the United States or activities directed against U.S. persons abroad, the CIA interprets the language of Annex A to only apply to collections directed against USPs abroad. Annex A does not require [redacted] to apply the least intrusive collection technique to collections covered by this report, which are generally not directed against USPs.
There’s the exploitable loop: the EO only applies to collections “directed” at US persons. Since all information is pulled from foreign-facing surveillance collections that “incidentally” collect US persons data, the resulting collection the CIA has access to is completely legal. Analysts access these collections specifically to find US persons’ data, but because no agency deliberately targeted US persons, it’s all above board.
This is the exploitation of foreign bulk collections to obtain information about Americans. Some may argue the damage is minimal because it only accesses information (financial records) unlikely to have an established expectation of privacy. People obviously know their financial institutions track their purchases, but that’s not the same thing as people assuming the government should be able to access records — which may contain sensitive information — using nothing more than an Executive Order that was ostensibly written to strengthen foreign surveillance efforts.
And that’s only what can be observed from this redacted release. This isn’t the CIA’s only attempt to hoover up info on US persons via side channels. Wyden’s letter hints at FISA reforms, which likely refers to domestic phone records the NSA used to collect in bulk — a program that was specifically targeted by Congress following the Snowden revelations. What’s contained in this report is a narrow examination of one part of the CIA’s exploitation of bulk collections to obtain US persons data. And if it feels this confident about its nearly unrestricted ability to perform these backdoor searches, examinations of other aspects of this program are likely to find other domestic data is ending up in the hands of CIA analysts who are supposed to be focused on foreign activities.
The DHS doesn’t mind engaging in domestic surveillance. After all, it’s the Department of Homeland Security, so its purview is the homeland and everyone in it. The problem is the American public has rights and that is always something to consider, however briefly, when doing things like flying drones over American cities or, more questionably, placing people engaged in First Amendment expression under surveillance.
The DHS is now directly engaged in policing free speech. Demonstrations triggered by a Minnesota police officer’s killing of an unarmed Black man are occurring on a daily basis. In some cities, the protests have never stopped. Federal agents — including (inexplicably) a task force from the DEA — have stepped in to investigate suspected federal crimes. However noble and correct the goal, the physical manifestation of this effort has been unidentified federal officers — clad head-to-toe in war gear — dragging people off the street and into unmarked vehicles.
Those who’ve experienced this say they were questioned aggressively by officers who refused to identify themselves and released with zero paperwork documenting their seemingly unconstitutional detainment or what criminal acts they were suspected of committing.
The DHS is prepared to take its Gestapo act nationwide with the blessing of the president. Any city with a crime problem, or a protest problem… or a “liberal” mayor can expect a swarm of DHS components to step in and start intimidating the protesting populace.
As is the case with any mission involving surveillance, you need to be prepared for the creep. No, this creep belongs to the mission supported by your average DHS foot soldier — one dressed like he’s in Fallujah and believes he has seen the enemy. And it is you. (By “you,” I mean your average American standing within rental-car-driving distance of any federal property.)
A document provided to Lawfare on July 19 from the Department of Homeland Security’s (DHS) Office of Intelligence & Analysis (I&A) describes personnel as “collecting and reporting on various activities in the context of elevated threats targeting monuments, memorials, and statues”—and it gives legal guidance concerning the “expanded intelligence activities necessary to mitigate the significant threat to homeland security” posed by such activities.
The document, titled “Job Aid: DHS Office of Intelligence & Analysis (I&A) Activities in Furtherance of Protecting American Monuments, Memorials, Statues, and Combatting Recent Criminal Violence,” is not classified. Its three pages each bear the heading “UNCLASSIFIED//FOR OFFICIAL USE ONLY.” But it clearly indicates that at least parts of the intelligence community are being tasked with monitoring and collecting information on some protest activities.
Try not to live or work too close to national monuments, Americans. You are the newest threat to the homeland’s security. Participation trophies erected to victims of the War of Northern Aggression are sacrosanct if they’re owned and operated by the US of A.
One DHS official says this is fine. (Likely more of them feel the same way, but this is the one Lawfare got on the record.) Ken Cuccinelli says statues and such are “federal facilities,” and therefore as important to the nation’s security as actual government buildings or government databases. And it’s not just the federal stuff. The South may rise again yet.
It appears to also include planned vandalism of Confederate (and other historical) monuments and statues, whether federally owned or not.
Thank god this country is coming to the defense of long-dead white men. That’s what’s important in the wake of white officers killing unarmed Black men.
The memo leverages federal law as a truncheon against anyone who might harbor ill will against federal property which, it must be repeatedly noted, includes monuments erected to racists who engaged in treason. Say what you will about the current president, but at least he hasn’t engaged in treason in an openly racist fashion. Yet.
So, in order to ensure the existence of certain people and their progeny, the DHS will be ramping up its domestic surveillance in hopes of catching those violently or non-violently opposed to icons representing America’s racist history. Here’s what the DHS is permitted to do in response to Trump’s executive order demanding the protection of icons who presided over a secession that didn’t even last as long as Heinz colored ketchup.
I&A personnel are required to use the least intrusive collection techniques feasible and sufficient when collecting [US person information] or when collecting intelligence or information within the United States. … I&A personnel are permitted to engage in physical surveillance, the use of mail covers, and the use of monitoring devices only to the extent permitted by and consistent with [rules limiting their use to counterintelligence investigations]. I&A personnel are not permitted to engage in electronic surveillance or unconsented physical searches. Use of these techniques within the United States will be coordinated with the Federal Bureau of Investigation….
Oh, good. Whoever wrote this must be unfamiliar with most of the terms used in the memo they wrote. I’m not sure where they got their info, but it was likely surreptitious and removed from court oversight. You cannot combine “least intrusive method” and “coordinated with the FBI” and still expect “least intrusive” to remain “least intrusive.” As for the mail cover part, does the DHS really feel the “liberal anarchists” routinely blamed by the administration are communicating via snail mail? “Hey, we’re going to tear down a racist monument later this week. As soon as I can find what’s left of my ‘forever’ stamps, I’ll send you the details.”
As for the ban on “unconsented physical searches,” it would appear dragging people into unmarked vans for searches and questioning — as observed in Portland, Oregon — would violate the DHS’s internal rules.
The DHS is supposed to focus on threats, according to this memo. But the threats include those against non-living sculptures and government buildings. Nothing forbids the DHS from going “open source” and surveilling even more protected speech: social media posts by American citizens. Whatever’s published publicly can be observed without troubling any Constitutional amendments. But should the DHS do this, especially when the only thing “threatened” is some statues of questionable societal value?
The memo does at least tell DHS personnel they can’t engage in surveillance of protected speech. But the rest of it gives them all the excuses they need to ignore this Constitutional guidance. Free speech apparently isn’t free if it includes disparagement of national monuments that agents and officers can construe as potentially threatening.
While we may agree there is value in protecting certain federal property from attacks or vandalism, the inclusion of non-entities whose replacement value is up for discussion twists this into an easily-abusable avenue for increased domestic surveillance. As Lawfare points out, it’s kind of absurd to extend efforts to prevent harm to government functions to include literally symbolic entities.
We will leave for another day the almost philosophical question of what level of damage might reasonably be said to impede the purpose or function of a statue. Suffice it to say that DHS analysts are now authorized to collect intelligence on threats to inflict such damage—though apparently not damage that falls short of impeding a statue’s “purpose or function,” whatever that may be.
The memo cautions against unjustified surveillance but surrounds it with vague directives like this one, where actions not overtly worshipful of a federally-erected monument could be perceived as an impediment to its “purpose or function.” Most monuments are erected in hopes of respectful adoration. Standing in the way of intended adoration may be enough to welcome the unblinking gaze of the DHS’s many eyes.
This isn’t how America is supposed to work. Political speech deserves the utmost in First Amendment protections. There’s a long list of federal crimes federal agencies could be concerning themselves with. But the DHS and the administration have decided idolatry is a proud tradition that must be upheld. The president loves his symbols. And the DHS’s activities — observed with horror by American citizens engaged in peaceful protests — are Trump’s jingoistic words made flesh.
“I think people have to find out what the government was doing during that period. If we’re worried about foreign influence, for the very same reason we should be worried about whether government officials abused their power and put their thumb on the scale,” he said in a Fox News interview airing Friday. “I’m not saying that happened, but I’m saying that we have to look at that.”
Let me restate that: William Barr is opposed to certain, very narrow subsets of domestic surveillance. Specifically, Barr doesn’t think the government should have spied on Trump and his campaign staff, if that’s what actually happened, which Barr doesn’t actually seem to know.
But if you’re literally anyone else, domestic surveillance is just another name for national security, whether you’re a random Verizon customer or one of the world’s most useful websites.
Wikimedia’s case could mark the first time a public court weighs in on the constitutionality of this decade-old spying operation. But in stark contrast to Barr’s public expressions of concern over the privacy of Americans, his Justice Department has thrown up a series of litigation roadblocks in an effort to prevent the court from ruling on the legality of this surveillance dragnet.
In fact, on Thursday, Justice Department lawyers argued that Wikimedia’s case should be dismissed outright. They contend that Wikimedia cannot prove with sufficient certainty that its communications are surveilled, and that it therefore lacks “standing” to sue.
We expect hypocrisy from those in the self-service business. Government officials are not expected to apply their ideals and beliefs consistently across the board. The DOJ itself, however, is completely ambivalent. It is more than willing to spy on both presidential candidates and everyone else in the country, even as it argues none of the millions of entities swept up in the NSA’s dragnets have standing to sue over violated rights.
Barr wants to dig into the federal government’s spying on Trump, but doesn’t want the public to dig into the government’s spying on everyone else. Tough, but unfair. But that’s how the government operates, and AG William Barr is no exception. To use the DOJ’s own argument, Barr’s seemingly baseless claims about spying on the Trump campaign shouldn’t be granted standing by the general public, much less the DOJ he wants to investigate itself.