Friday, April 29, 2016

Recent Discussions of Neoliberalism

People seem to have trouble defining neoliberalism adequately, especially when it comes to labeling Hillary Clinton as a neoliberal. In a recent article at Jacobin, Corey Robin gives a short history of the neoliberal version of the Democratic Party, specifically aimed at the Clinton/DLC/Third Way. Billmon discussed this article in this storify piece, in which he describes three current factions in the practice of neoliberalism: the Neo-Keynesian version, as with Krugman; the Monetarist version, that of Milton Friedman and his many followers; and the Supply Side version, like Paul Ryan and his economic advisors. Each of the factions has attached itself to a political ideology. Both of these pieces should be read by anyone seeking to clarify their thinking about neoliberalism.

Underlying all of them is the broader program described by Michel Foucault, which turns in large part on the notion of governmentality, a point made by Mike Konczal in this review of Philip Mirowski’s Never Let a Serious Crisis Go to Waste. After I read that book, I wrote several pieces at FDL trying to comprehend the idea of governmentality and make it comprehensible. Here are links to several of those posts.

1. How We Govern Our Selves and Ourselves.

2. The Panoptic Effect.

3. Discipline for the Benefit of the Rich.

4. Control of Markets in Foucault’s The Birth of Biopolitics.

5. Liberalism and the Neoliberal Reaction.

The idea of governmentality is present in the texts I’ve been looking at. In Polanyi, we saw the transformation of the farm-dwelling peasant into the city-dwelling factory worker. Arendt touches on it with her discussion of people who cannot find a place in the productive sector of society, the superfluous people. Veblen writes about the enormous productivity of machine culture, and the changes it demanded of the worker, about which more later. The great problem is that machine culture required a tremendous amount of self-discipline from the workers to make factories function. The principal institutions of society were remade to enforce that self-discipline, from the Army to the schools to the government. Other tools included prisons and mental institutions.

In one way or another, all of these writers on neoliberalism seem to agree that the goal of neoliberalism is to replace the notion of the self as reasonably free citizen, responsible for the self, the family, the community and the state, with the notion of the self as a buyer and seller engaged in zero-sum competition with all other buyer/sellers. We are consumers of any and all goods and services, and entrepreneurial sellers of the self seen as a bundle of skills on offer to the highest bidder. Each separate transaction, buying and selling, is an opportunity for judgment by the all-knowing market. If we are successful, it’s because we are winners. If we are losers, we are superfluous. It’s an even harsher transformation of the human being than the one from peasant to factory worker.

Notorious “FOIA Terrorist” Jason Leopold “Saves” FBI Over $300,000

Last week, Jim Comey suggested the FBI paid more for the vulnerability that helped it break into Syed Rizwan Farook’s phone than he will be paid for the 7 years he’ll remain at FBI. The WSJ then did this math.

Speaking at the Aspen Security Forum in London, FBI Director James Comey didn’t cite a precise figure for how much the government paid for the solution to cracking the phone but said it was more than his salary for the seven-plus years remaining in his term at the FBI.

His annual salary is about $180,000 a year, so that comes to $1.26 million or more.

“[We] paid a lot’’ for the hacking tool, Mr. Comey said. “But it was worth it.’’

Over 600 outlets covered that story, claiming — without further confirmation — that FBI paid over $1 million for the hack, with many accounts settling on $1.3 million.

I noted at the time that 1) Jim Comey has a history of telling untruths when convenient and 2) he had an incentive to exaggerate the cost of this exploit, because it would pressure Congress to pass a bill, like the horrible Burr-Feinstein bill, that would force Apple and other providers to help law enforcement crack phones less expensively. I envisioned this kind of exchange at a Congressional hearing:

Credulous Congressperson: Wow. $1M. That’s a lot.

Comey: Yes, you’ll need to triple our budget or help me find a cheaper way.

Lonely sane Congressperson: But, uh, if we kill security won’t that be more expensive?

Comey: Let me tell you abt time I ran up some steps.

I then mused that, because Comey had officially acknowledged paying that kind of figure, it would make it a lot easier to FOIA the exact amount. By the time I tweeted that thought, of course, Jason Leopold had already submitted a FOIA for the amount.

Sure enough, the outcome I figured has already happened: without offering an explanation for the discrepancy, Mark Hosenball reported today that the figure was actually under $1 million, and FBI will be able to use it on other phones.

The FBI paid under $1 million for the technique used to unlock the iPhone used by one of the San Bernardino shooters – a figure smaller than the $1.3 million the agency’s chief initially indicated the hack cost, several U.S. government sources said on Thursday.

The Federal Bureau of Investigation will be able to use the technique to unlock other iPhone 5C models running iOS 9 – the specifications of the shooter’s phone – without additional payment to the contractor who provided it, these people added.

Just one FOIA submission later (and, probably, the calls of a bunch of outraged members of Congress wondering why FBI paid $1.3 million for a hack it claimed not to understand at all, which was its explanation for not submitting the hack to the Vulnerabilities Equities Process, a process that might have required it to share the hack with Apple nine months after Apple patched it), and all of a sudden this hack is at least $300,000 less expensive (and I’m betting a lot more than that).

You see how effective a little aggressive FOIAing is at reining in waste, fraud, and abuse?

A pity it can’t reverse the impact of all those credulous reports repeating Comey’s claim.

Friday Morning [?!]: Chamber of Delights

It’s Friday. FINALLY. And it’s jazz exploration day, too. Today we sample some chamber jazz, here with Meg Okura and the Pan Asian Chamber Ensemble.

It. Me. That is to say, of all genres, this one feels most like a part of myself. Here’s another chamber jazz favorite — Quarter Chicken Dark from The Goat Rodeo Sessions. And another — Model Trane, the first cut in this linked video by Turtle Island Quartet.

You can see and hear for yourself what makes chamber jazz different from other genres: chamber instruments used in classical music to perform jazz.

Whew, I needed this stuff. Hope you like it, too, though I know it’s not everybody’s cup of tea.

My morning was overbooked, only have time today for a few things that caught my eye.

Encryption and privacy issues

Go To Jail Indefinitely card for suspect who won’t unlock hard drives (Naked Security) — Seems odd this wasn’t the case the USDOJ used to force cracking of password-protected accounts on devices, given the circumstances surrounding an unsympathetic defendant.

Amicus brief by ACLU and EFF for same case (pdf – Ars Technica)

Supreme Court ruling extends reach of FBI’s computer search under Rule 41 (Bloomberg) — Would be nice if the Email Privacy Act, now waiting for Senate approval, addressed this and limited law enforcement’s overreach.

Climate change and its secondary effects

India’s ongoing drought now affects 330 million citizens, thousands have died from heat and dehydration (Oneindia) — 330 million is slightly more people than the entire U.S. population. Imagine what could happen if even one or two percent of these affected fled the country as climate refugees.

Tiger poaching in India dramatically increased over last year (Phys.org) — Have to ask if financial stress caused by drought encouraged illegal killing of tigers, now that more tigers have been poached this year to date compared to all of last year. Are gains in tiger population now threatened by primary and secondary effects of climate change?

Though severe El Nino deepened by climate change causes record drought now, an equally deep La Nina could be ahead (Phys.org) — Which could mean dramatic rains and flooding in areas where plant growth has died off, leaving little protection from water runoff. Are any governments planning ahead even as they deal with drought?

Hope your weekend is pleasant — see you Monday morning!

Rosemary Collyer’s Worst FISA Decision

In addition to adding former National Security Division head David Kris as an amicus (I’ll have more to say on this), the FISA Court announced this week that Rosemary Collyer will become presiding judge — to serve for four years — on May 19.

Collyer was the obvious choice, being the next-in-line judge from DC. But I fear she will be a crummy presiding judge, making the FISC worse than it already is.

Collyer has a history of rulings, sometimes legally dubious, backing secrecy and executive power, including:

2011: Protecting redactions in the Torture OPR Report

2014: Ruling the mosaic theory did not yet make the phone dragnet illegal (in this case she chose to release her opinion)

2014: Erroneously freelance researching the Awlaki execution to justify throwing out his family’s wrongful death suit

2015: Serially helping the Administration hide drone details, even after remand from the DC Circuit

I actually think her mosaic theory opinion from 2014 is one of her (and FISC’s) less bad opinions of this ilk.

The FISC opinion I consider her most troubling, though, is not a FISC decision at all, but rather a ruling from last year in an EFF FOIA. Either Collyer let the government hide something that didn’t need to be hidden, or it has exploited EFF’s confusion to hide the fact that the Internet dragnet and the Upstream content programs are conducted by the same technical means, a fact that would likely greatly help EFF’s effort to show all Americans were unlawfully spied on in its Jewell suit.

Back in August 2013, EFF’s Nate Cardozo FOIAed information on the opinion referred to in this footnote from John Bates’ October 3, 2011 opinion ruling that some of NSA’s upstream collection was illegal.

[Screenshot: footnote 15 of Bates’ October 3, 2011 opinion]

Here’s how Cardozo described his FOIA request (these documents are all attached as appendices to this declaration).

Accordingly, EFF hereby requests the following records:

1. The “separate order” or orders, as described in footnote 15 of the October 3 Opinion quoted above, in which the Foreign Intelligence Surveillance Court “address[ed] Section 1809(a) and related issues”; and,

2. The case, order, or opinion whose citation was redacted in footnote 15 of the October 3 Opinion and described as “concluding that Section 1809(a)(2) precluded the Court from approving the government’s proposed use of, among other things, certain data acquired by NSA without statutory authority through its ‘upstream collection.’”

Request 2 was the only thing at issue in Collyer’s ruling. By my read, it would ask for the entire opinion the citation to which was redacted, or at least identification of the case.

EFF, of course, is particularly interested in upstream collection because it’s at the core of their years-long lawsuit in Jewell. To get an opinion that ruled upstream collection constituted unlawful collection sure would help in EFF’s lawsuit.

In her opinion, Collyer made a point of defining “upstream” surveillance by linking to the 2012 John Bates opinion resolving the 2011 upstream issues (as well as to Wikipedia!), rather than to the footnote he used to describe it in his October 3, 2011 opinion.

The opinion in question, referred to here as the Section 1809 Opinion, held that 50 U.S.C. § 1809(a)(2) precluded the FISC from approving the Government’s proposed use of certain data acquired by the National Security Agency (NSA) without statutory authority through “Upstream” collection.[3]

[3] “Upstream” collection refers to the acquisition of Internet communications as they transit the “internet backbone,” i.e., principal data routes via internet cables and switches of U.S. internet service providers. See [Caption Redacted], 2012 WL 9189263, *1 (FISC Aug. 24, 2012); see also http://ift.tt/1gfilxm (last visited Oct. 19, 2015); http://ift.tt/1i7zNoo (last visited Oct. 19, 2015).

That had the effect of excluding an entirely redacted sentence from the footnote Bates used to explain it, which in context may have described a little more about the underlying opinion.

[Screenshot: Bates’ footnote describing upstream collection, with one sentence entirely redacted]

Having thus laid out the case, Collyer deferred to NSA declarant David Sherman’s judgment — without conducting a review of the document — that releasing the document would reveal details about the implementation of upstream surveillance.

Specifically, the release of the redacted information would disclose sensitive operational details associated with NSA’s “Upstream” collection capability. While certain information regarding NSA’s “Upstream” collection capability has been declassified and publicly disclosed, certain other information regarding the capability remains currently and properly classified. The redacted information would reveal specific details regarding the application and implementation of the “Upstream” collection capability that have not been publicly disclosed. Revealing the specific means and methodology by which certain types of SIGINT collections are accomplished could allow adversaries to develop countermeasures to frustrate NSA’s collection of information crucial to national security. Disclosure of this information could reasonably be expected to cause exceptionally grave damage to the national security.

[snip]

With respect to the FISC opinion withheld in full, it is my judgment that any information in the [Section 1809 Opinion] is classified in the context of this case because it can reasonably be expected to reveal classified national security information concerning particular intelligence methods, given the nature of the document and the information that has already been released. . . . In these circumstances, the disclosure of even seemingly mundane portions of this FISC opinion would reveal particular instances in which the “Upstream” collection program was used and could reasonably be expected to encourage sophisticated adversaries to adopt countermeasures that may deprive the United States of critical intelligence. [my emphasis]

Collyer found NSA had properly withheld the document as classified information the release of which would cause “grave damage to national security.”

Now, especially thanks to the November 6, 2015 Section 702 certification approval opinion released last week, we have a fair amount of detail about opinions addressing 50 U.S.C. §1809(a)(2) violations written before October 3, 2011 (this post and this post lay some of that out). Here are the three possibilities for what that prior opinion is.

One possibility is that the May 13, 2011 opinion titled “Opinion and Order Requiring Destruction of Information Obtained by Unauthorized Electronic Surveillance” (see page 57) is that opinion. NSA left unredacted Hogan’s description of a “Title I collection in a particular case,” and made it clear that in that individual case, NSA collected data it was not authorized to collect. Hogan did not identify the problem as an upstream violation, though it would be unremarkable for every individual electronic surveillance order to include upstream surveillance, to collect the online behavior of a target outside of PRISM producers, as it would be equally unremarkable to target jihadist forums and the like using upstream surveillance. An order using multiple methods to target the same identifier might explain why Bates described the opinion as relating to “among other things, certain data acquired by NSA without statutory authority through its ‘upstream collection.’” But the timing would be particularly curious, given that NSA submitted the first clarification letter revealing its upstream 702 violations on May 2, before the final opinion in the individual case got finalized.

If that’s the opinion that NSA said would cause grave damage to national security, it seems odd that less than a year after Collyer’s ruling, NSA decided they can now segregate information from the opinion (I assume they didn’t mean to leave the title of the opinion unredacted, but as far as I know NYC has not collapsed as a result).

Another possibility is that the redacted opinion is the July 2010 John Bates opinion that spends its last 18 pages (98-116) discussing the application of 50 USC §1809(a)(2) to NSA surveillance. A December 2010 opinion leading up to the May 13, 2011 one cites from it at length (57), and Hogan cited from it at length two times (73 fn 54, 76 fn 56). In 2013, I assumed that’s what Bates’ later reference was to, and I still think it most likely, as it has become clear that that July 2010 opinion is the base opinion laying out how FISC applies 50 USC §1809(a)(2) to NSA surveillance that has gotten a little bit out of hand. In any case, those 18 pages are what EFF was looking for in the first place, the opinion on how NSA applies this law; they just somehow missed it in a critical opinion on PRTT.

The counterargument against this being the opinion in question is two-fold. First, Bates says that the memo he was citing from pertains to upstream surveillance, and we’ve been led to think of the Internet dragnet as a simple pen register.

Except that we know it is a “pen register” applied to telecom switches. There are few explicit explanations of this in officially released NSA documents, but in places — such as when Bates explains his inconceivable approval to expand this collection after railing about 5 years of violations, he makes clear that “Acquisition of particular forms of metadata (described in Part II, supra) is authorized for all e-mail [redacted] communications traversing any of the communications facilities at the specified locations.” (81) It’s more clear that upstream surveillance expanded on this PRTT collection from application documents (see DOJ’s supplemental memorandum at PDF 93) to conduct upstream collection to replace Stellar Wind, which cite Colleen Kollar-Kotelly’s 2004 PRTT opinion finding telecom switches were a facility under the term of the FISA pen/trap and trace provision, though that reference seems to cite from this paragraph, which is redacted in the original.

[Screenshot: the paragraph of Kollar-Kotelly’s 2004 PRTT opinion apparently cited, redacted in the original]

Bates even makes it clear this PRTT collection can involve the collection of content when he talks about criminal decisions on whether the government could collect and then delete Post Cut Through Direct Dial content from a Pen Register (though curiously he may not cite earlier 2009 FISC discussions about its own permission to collect then minimize such information).

[Screenshot: Bates’ discussion of Post Cut Through Direct Dial content collected under a pen register]

This discussion makes two things clear: first, PRTT is upstream collection; it’s what upstream content collection pointed to as precedent. Second, in its public releases, NSA has tried to hide the fact that it is. I’ll come back to that.

Another counterargument against this being the opinion is that it has already been released!!! The opinion was released in response to an EPIC FOIA in November 2013, and EFF started suing for it in May 2014 (it was “randomly” assigned to Collyer, who had been a FISC judge starting in March 2013, in June 2014).

It is not without precedent for the government to play funny games with FOIAs. I’ve noted how the NSC withheld the Memorandum of Notification underlying the war on terror without ACLU realizing, at first, that’s what they were arguing over. A more exact analogy is how, in another ACLU FOIA, the government has pretended that the Special Procedures for Communications Metadata Analysis have not been released (though they were released again yesterday, along with some of the underlying language they’re trying to hide from ACLU) so as to avoid having to release the underlying memo.

Of potentially critical import, along the way (I believe in early 2015), EFF agreed not to ask for the docket information or date of the opinion.

Plaintiff narrowed its challenges here to exclude (1) docket numbers, certification numbers and the like, (2) all withholdings pursuant to exemption (b)(6), and (3) names or descriptions of surveillance targets, all that remains in dispute are withholdings of classified intelligence sources and methods and law-enforcement procedures and methods that are exempt under (b)(1), (b)(3), and (b)(7).

The government is, after all, hiding both the docket number and date of the July 2010 memo (significantly, they’re also hiding the dates of the 2009 PRTT violations that resulted in a shut-down of PRTT collection at moments that coincide in key ways with EFF’s challenges to the NSA program). The only thing they’ll tell us is that it was shut down and (they claim, though even NSA’s IG couldn’t entirely verify this) purged all the data very quickly in the weeks after Bates ruled the upstream collection was unconstitutional. So there’s no way we can prove (except for basic analysis and the fact they accidentally released the July 2010 date to Charlie Savage in a FOIA) that the PRTT opinion, which is technically upstream collection, predates the October 3, 2011 one. And the government can avoid having to convince Collyer that these dates and dockets are a key operational detail (which they’re not) even while they withhold the few tidbits that would make it clear the July 2010 memo is the one responsive to EFF’s FOIA.

The final counterargument for why the July 2010 memo is not the one in question is that it would make Bates’ syntax about the “government’s proposed use of, among other things, certain data acquired by NSA without statutory authority through its ‘upstream collection’” rather curious. All the data he ruled against the use of was acquired from switches. Moreover, unless the category violations of Kollar-Kotelly’s 2004 order were far broader than what Bates approved in his July 2010 opinion, then he ultimately found they had the statutory authority, just not the authority granted by the court (effectively because Bates redefined Dialing, Routing, Addressing, or Signaling information more broadly in 2010).

Of course, there’s a third possibility, that the opinion in question is a third one, one we’ve never heard of yet. The biggest reason I think that unlikely is that July 2010 does appear to be the base discussion of 50 USC §1809(a)(2) (it doesn’t, for example, cite any earlier discussion). Which would mean any other 50 USC §1809(a)(2) opinion would come in the fairly narrow window between July 2010 and October 2011. That’d be a lot of opinions (along with the May 2011 one) finding that NSA was illegally wiretapping Americans. Moreover, I would think a third opinion ruling what is technically upstream collection illegal would get even more discussion in Bates’ 2011 opinion.

As I said, I think it’s most likely that the government — with Collyer’s assistance — is hiding the fact that that 2010 opinion is the one Bates cited in his 2011 opinion. Sherman’s explanation that the information was classified “in the context of this case … given the nature of the document and the information that has already been released” would support an understanding that NSA refused to tell EFF that the already released 2010 opinion is the one they were looking for all along so as to hide the fact that PRTT is nothing more than upstream collection.

But there is a very obvious reason why they’d want to do that. The government has argued in EFF’s suits that upstream 702 collection does not infringe on the rights of Americans because the telecoms sort it before they hand it over to NSA. The only things that get handed over are transactions including the selector in question, the selectors are by definition foreign, and the switches from which they collected are supposed to be foreign facing.

None of those things are true of PRTT collection. Even in 2004, when Kollar-Kotelly limited collection to switches that were more likely to include terrorism traffic, the collection was designed to include all the metadata of Americans’ international conversations from those switches. In 2010, Bates expanded the number of switches NSA collected from, affecting a far greater percentage of Americans. He also expanded what could be collected from a packet to include stuff that is technically content (though the violations revealed in 2009 make it clear NSA was always collecting content under the Internet dragnet). Furthermore, when NSA intakes bulk collected data — as distinct from when they intake content — they put everything into a table of relationships. The analysts will never see the majority of this data, but effectively, the first thing the techs did on intake of PRTT data was conduct a search of every single record they obtained (I strongly believe this is why NSA did not permit its IG to review the intake part of the PRTT process when they destroyed it all in 2011, because it might have revealed that they were effectively illegally surveilling content from all Americans as part of the intake process).

EFF may not win their argument that upstream content collection is an illegal search. But (perhaps counterintuitively) they should be more likely to make that argument for PRTT, not least because NSA shut it down entirely on two different occasions.

And that is why I believe NSA wants to avoid admitting that that 2010 PRTT opinion is technically about unlawful upstream collection: because it will make it far easier for EFF to win their lawsuits against the government. They were granted discovery in February, so hopefully they can get to this information in any case. But I strongly suspect the NSA withheld a document it had already released only to make it harder for EFF to prove that even after PRTT moved under FISA’s oversight, it continued to be illegal collection for 5 years and then one more year, even as determined by John Bates.

And NSA did all this with the cooperation of a FISA judge they happened to “randomly” pull for this case, one who should have known enough by the point she ruled to understand the stakes. That is why I think Collyer will be a crummy FISC judge. Even if this FOIA suit was about the May 2011 opinion, it clearly was improperly withheld. But if it was about the already released July 2010 one, then it suggests a real abuse of authority.

Two years ago, I noted that we effectively have gotten to the point where we have a one (wo)man national security court, because the presiding judge (and maybe one or two other DC-based judges) sit on the big programmatic cases. That’s particularly problematic when, as now, we have a particularly crummy judge from a constitutional perspective.

Thursday, April 28, 2016

The Shell Game the Government Played During Yahoo’s Protect America Act Challenge

In his opinion finding the Protect America Act constitutional, Judge Reggie Walton let his frustration show with the way the government kept secretly changing the program at issue.

For another, the government filed a classified appendix with the Court in December 2007, which contained the certifications and procedures underlying the directives, but the government then inexplicably modified and added to those certifications and procedures without appropriately informing the Court or supplementing the record in this matter until ordered to do so. These changes and missteps by the government have greatly delayed the resolution of its motion, and, among other things, required this Court to order additional briefing and consider additional statutory issues, such as whether the PAA authorizes the government to amend certifications after they are issued, and whether the government can rely on directives to Yahoo that were issued prior to the amendments.

The unsealed classified appendix released today (the earlier released documents are here) provides a lot more details on the shell game the government played during the Yahoo litigation, even with Walton. (It also shows how the government repeatedly asked the court to unseal documents so it could share them with Congressional Intelligence Committees or other providers it wanted to cooperate with PAA).

I mean, we expected the government to demand that Yahoo litigate blind, as it did in this February 26, 2008 brief arguing Yahoo shouldn’t be able to see any classified information as it tried to represent the interests of its American customers. (PDF 179)

In the approximately thirty years since the adoption of FISA, no court has held that disclosure of such documents is necessary to determine the legality of electronic surveillance and physical search. Similarly, there is of course a long history of ex parte and in camera proceedings before this Court. For almost three decades, this Court has determined, ex parte and in camera, the lawfulness of electronic surveillance and physical search under FISA. See 50 U.S.C. § 1805(a) (“the judge shall enter an ex parte order as requested or as modified approving the electronic surveillance” upon making certain findings); 50 U.S.C. § 1824(a) (same with respect to physical search).

Under the Protect America Act, then, the government has an unqualified right to have the Court review a classified submission ex parte and in camera which, of course, includes the unqualified right to keep that submission from being disclosed to any party in an adversarial proceeding before this Court.

But we shouldn’t expect a FISC judge presiding over a key constitutional challenge to have to beg to learn what he was really reviewing, as Walton had to do here. (PDF 159-160)

The Court is issuing this ex parte order to the Government requiring it to provide clarification concerning the impact on this case of various government filings that have been made to the FISC under separate docket.

[snip]

It is HEREBY ORDERED that the government shall file a brief no later than February 20, 2008, addressing the following questions: 1. Whether the classified appendix that was provided to the Court in December 2007 constitutes the complete and up-to-date set of certifications and supporting documents (to include affidavits, procedures concerning the location of targets, and minimization procedures) that are applicable to the directives at issue in this proceeding. If the answer to this question is “yes,” the government’s brief may be filed ex parte. If the government chooses to serve Yahoo with a copy of the brief, it shall serve a copy of this Order upon Yahoo as well.

2. If the answer to question number one is “no,” the Government shall state what additional documents it believes are currently in effect and applicable to the directives to Yahoo that are at issue in this proceeding. The government shall file copies of any such documents with the Court concurrent with filing its brief. The government shall serve copies of this Order, its brief, and any additional documents upon Yahoo, unless the government moves this Court for leave to file its submission ex parte, either in whole or in part. If the government files such a motion with the Court, it shall serve a copy of its motion upon Yahoo. The government shall also serve a copy of this Order upon Yahoo, unless the government establishes good cause for not doing so within the submission it seeks to file ex parte.

This is what elicited the government’s indignant brief about actually telling Yahoo what it was arguing about.

Because the government’s argument succeeded, Yahoo had to argue blind, and it did not learn — among other things — that CIA would get all the data Yahoo was turning over to the government, or that the government had basically totally restructured the program after the original expiration date of the program, additional issues on which Yahoo might have challenged the program.

Perhaps more interesting is that it wasn’t until Walton ruled on March 5 that he would not force the government to share any of these materials with Yahoo that the government finally provided the last relevant document to Judge Walton, the Special Procedures Governing Communications Metadata Analysis. (PDF 219)

On January 3, 2008, the Attorney General signed the “Department of Defense Supplemental Procedures Governing Communications Metadata Analysis,” which purported to supplement the DoD Procedures (“Supplement to DoD Procedures”), a copy of which is attached hereto as Exhibit A. The Supplement to DoD Procedures concerns the analysis of communications metadata that has already been lawfully acquired by DoD components, including the National Security Agency (NSA). Specifically, the Supplement to DoD Procedures clarifies that NSA may analyze communications metadata associated with U.S. persons and persons believed to be in the United States. The Supplement to DoD Procedures does not relate to the findings the Attorney General must make to authorize acquisition against a U.S. person overseas.

This is particularly suspect given that one of the changes implemented after the original certification was to share data with CIA, something directly addressed in the memo justifying SPCMA to the Attorney General’s office (and a detail the government is still trying to officially hide).

Now, to be fair, in the original release, it was not clear that the government offered this much explanation for SPCMA, making it clear that the procedural change involved making American metadata visible. But the government very clearly suggested — falsely — that SPCMA had no Fourth Amendment implications because they didn’t make Americans overseas more likely to be targeted (which the government already knew was the key thrust of Yahoo’s challenge).

The opposite is true: by making US person metadata visible, it ensured the government would be more likely to focus on communications of those with whom Americans were communicating. These procedures — which were approved more than two months, one document dump, and one court order agreeing to keep everything secret from Yahoo earlier — were and remain the key to the Fourth Amendment exposure for Americans, as was argued just last year. And they weren’t given to even the judge in this case until he asked nicely a few times.

This was the basis for the dragnet that still exposes tens of thousands of Americans to warrantless surveillance. And it got briefed as an afterthought, well after the government could be sure it’d get no adversarial challenge.

Bob Graham Says FBI Aggressively Deceived on Sarasota 9/11 Investigation

James Clapper has suggested that the 28 pages of the Joint Congressional Inquiry may be declassified by June. I’m skeptical the pages will be entirely declassified, but look forward to them.

Meanwhile, former Senate Intelligence Chair Bob Graham has begun to press for an accounting on the Sarasota cell of apparent 9/11 supporters. In an interview with NPR, he stated clearly that the FBI lied (um, misstated) about what it knew about the Sarasota cell and called for the investigations to be reopened without the tight time limits imposed on the original commissions.

I think it’s been more than a cover up. I think it’s what I call aggressive deception: instances in which the FBI has publicly released statements which I know from personal experience were untrue. They stated that in this Sarasota situation they had completed the investigation, that the investigation determined that there were no connections between the hijackers and the prominent Saudi family and that they had turned over all of this information to the Congressional Inquiry and the 9/11 Citizen’s [sic] Commission. I know for a fact that none of those three statements are true.

[snip]

It’s more than a cover-up. The FBI misstated what is in their own records relative to the situation in Sarasota.

Of course, the FBI went even further with its aggressive deception on the anthrax attack.

Nevertheless (or perhaps, “as a result”), Robert Mueller will probably have the new FBI headquarters named after him, based on the bogus premise that his FBI didn’t engage in some of the same kinds of deceits as J. Edgar Hoover’s FBI did.

Wednesday, April 27, 2016

Wednesday Morning: Lüg mich an, Lügner

I admit freely my facility with the German language is poor. I hope this post’s headline reads, “Lie to me, Liar.” Which is about as close as I could get to “Lying Liars” because I can’t conjugate the verb ‘to lie.’

~shrug~

It’s not like anybody’s paying me for this, unlike the lying liars at Volkswagen who’ve been paid to deceive the public for a decade. This video presentation featuring Daniel Lange and Felix Domke — a security consultant and an IT consultant, respectively, who reverse engineered VW’s emissions control cheat — is a bit long, but it’s chock full of unpleasant truths revealing the motivations behind VW’s Dieselgate deceptions. The video underpins the cheat outlined in a 2006 VW presentation explaining how to defeat emissions tests.

The one problem I have with this video is the assumption that the fix on each of the affected vehicles will be $600. Nope. That figure is based on how much has been set aside for the entire Dieselgate fix, NOT the actual cost to repair the vehicles.

Because if VW really fixed the vehicles to match the claims they made when they marketed and sold these “clean diesel” passenger cars, it’d cost even more per vehicle. I suspect one of the motivations behind inadequate reserves for a true repair is a reluctance to disclose to competitors how much emissions standards-meeting “clean diesel” really costs.

And of course, avoiding more stringent calculations also prevents an even bigger hit to the company’s stock price, which might affect the pockets of some board members and executives rather disproportionately to the rest of the stock market.

Just how closely that figure per car hews to the agreement with the court this past week will be worth noting, since the video was published in December last year.

But now for the much bigger, even more inconvenient Lügner Lügen: This entire scandal exposes the fraud that is the U.N. Framework Convention on Climate Change Paris agreement.

We know a small nonprofit funded research by a tiny group of academics exposing VW’s emissions controls defeat. We know this set off a cascade of similar analysis, exposing even more cheating by more automobile manufacturers.

But why are we only now finding out from nonprofits and academics about this fraud? Didn’t our elected representatives create laws and the means for monitoring compliance as well as enforcement? Why aren’t governments in the U.S. and the EU catching these frauds within a year of their being foisted on the public?

These questions directly impact the Paris agreement. We’re not starting where emissions standards have been set and where the public believes conditions to be, but at real emissions levels. In other words, we are digging out of a massive pollution hole.

Our elected officials across the world will avoid funding the dig-out; they’ll continue another layer of lies to prevent removal from office. And we can reasonably expect from them only what they’ve done so far, which Dieselgate has proven to be little.

For that matter, Flint’s water crisis has much in common with Dieselgate, relying on academic research and nonprofit entities to reveal mortal threats to the community. Flint’s crisis showed us government at all levels can be even worse at writing laws, monitoring compliance, and subsequent enforcement.

If the public cannot expect government to do the job it believes it elected them to do over the last several decades, how ever can they expect their government to enact the terms of the Paris agreement? How can we expect third world countries to reduce carbon emissions to save the world from the devastation of climate change while we and our governments continue to ignore corporations’ ongoing deceptions?

No roundup today, gang. I strongly recommend watching the video above. Thanks to BoingBoing for linking to it.

Domestic Collection and Stellar Wind

I’m in the middle of comparing John Yoo’s May 17, 2002 letter to Colleen Kollar-Kotelly (which is largely the November 2, 2001 justification he wrote for Stellar Wind) with Jack Goldsmith’s May 6, 2004 memo on Stellar Wind, which reined in some aspects of Stellar Wind. And I realized something about the authorization process.

On page 17 of his memo, Goldsmith describes the previous opinions issued by OLC. The discussion is largely redacted, but it does say the October 4, 2001 memo “evaluated the legality of a hypothetical electronic surveillance program,” whereas the November 2, 2001 memo “examined the authorities granted by the President in the November 2, 2001 Authorization of STELLAR WIND and concluded that they were lawful.”

Already, that’s an interesting assertion given that the Yoo letter doesn’t do that entirely. First, at least in the letter to Kollar-Kotelly, Yoo also treated the program as hypothetical.

Electronic surveillance techniques would be part of this effort. The President would order warrantless surveillance in order to gather intelligence that would be used to prevent and deter future attacks on the United States. Given that the September 11 attacks were launched and carried out from within the United States itself, an effective surveillance program might include individuals and communications within the continental United States. This would be novel in two respects. Without access to any non-public sources, it is our understanding that generally the National Security Agency (NSA) only conducts electronic surveillance outside the United States that do not involve United States persons. Usually, surveillance of communications by United States persons within the United States is conducted by the FBI pursuant to a warrant obtained under the Foreign Intelligence Surveillance Act (“FISA”). Second, interception could include electronic messages carried through the internet, which again could include communications within the United States involving United States persons. Currently, it is our understanding that neither the NSA nor law enforcement conducts broad monitoring of electronic communications in this matter within the United States, without specific authorization under FISA.

[snip]

Thus, for example, all communications between United States persons, whether in the United States or not, and individuals in [redacted–likely Afghanistan] might be intercepted. The President might direct the NSA to intercept communications between suspected terrorists, even if one of the parties is a United States person and the communication takes place between the United States and abroad. The non-content portion of electronic mail communications also might be intercepted, even if one of the parties is within the United States, or one or both of the parties are non-citizen U.S. persons (i.e., a permanent resident alien). Such operations would expand the NSA’s functions beyond the monitoring only of international communications of non-U.S. persons. [my emphasis]

Importantly, these hypothetical descriptions come from the section of Yoo’s letter before it appears to begin tracking his earlier memo closely. So it’s unclear whether this description of Stellar Wind matches the one in the November 2 memo. It’s certainly possible that Yoo gave an incomplete version of what he had in the earlier memo or even pulled in (hypothetical) language from the October 4 memo. It’s possible, too, that language on domestic content collection reflected a retroactive review Yoo did of the first authorization. (An extended discussion of how Yoo’s early memos track the Authorizations — including discussion of another hypothetical memo Yoo wrote on September 17 — starts at PDF 361.)

Of particular interest, this hypothetical description includes the possibility of intercepting entirely domestic Internet communications (see emphasized language). We know — from the unredacted NSA Stellar Wind IG Report and even from the redacted Joint IG Report — that was something included in the first presidential Authorization, but not the subsequent ones.

The wording of the first authorization could have been interpreted to allow domestic content collection where both communicants were located in the U.S. or were U.S. persons. General Hayden recalled that when the Counsel to the Vice President pointed this out, General Hayden told him that NSA would not collect domestic communications because 1) NSA was a foreign intelligence agency, 2) NSA infrastructure did not support domestic collection, and 3) his personal standard was so high that there would be no problem getting a FISC order for domestic collection.

We also know NSA did conduct some domestic collection — on about 3,000 selectors, possibly triggered to non-US persons within the US — at least until Stellar Wind got transitioned to FISA in 2009.

This is a minor point, but a potentially important one. Yoo was writing hypothetical authorizations for stuff the NSA later pretended not to be authorized to do, but was doing. Those earlier hypothetical authorizations didn’t go away. And therefore, no matter what the later authorizations said, there’d still be that earlier authorization sitting there.

Tuesday, April 26, 2016

Tuesday Morning: Monitor

And I lament not being there
And today I lie to you so that you and I can be alone
And distance won out over love
I only see you on the monitor

— excerpt, Monitor by Volovan

Sweet little tune, easy to enjoy even if you don’t speak Spanish.

Speaking of monitor…

Flint Water Crisis: Michigan State Police monitoring social media
Creeptastic. MSP is following social media communications related to the Flint water crisis, which means they’re watching this blog and contributors’ tweets for any remarks made about Flint. Whatever did they do in the days before social media when the public was unhappy about government malfeasance?

MDEQ personnel told Flint city water employee to omit tests with high lead readings
The charges filed last week against two Michigan Department of Environmental Quality employees and a Flint city employee were related to the manipulation and falsification of lead level tests. From out here it looks like Mike Glasgow did what the MDEQ told him to do; with the city under the control of the state, it’s not clear how Glasgow could have done anything else but do what the state ordered him to do. Which governmental body had higher authority under emergency management — the city’s water department, or the MDEQ? And what happens when personnel at the MDEQ aren’t on the same page about testing methodology?

MDHHS too worried about Ebola to note Legionnaires’ deaths in 2014-2015?
Michigan’s Department of Health and Human Services director Nick Lyon maintains a “breakdown in internal communication” kept information about the Legionnaires’ disease outbreak from reaching him. He also said MDHHS was focused on Ebola because of its high mortality rate overseas. There were a total of 11 cases of Ebola in the U.S. between 2014 and 2015, none of which were diagnosed or treated in Michigan. Meanwhile, 10 people died of Legionnaires’ disease due to exposure to contaminated Flint water in that same time frame. Not certain how MDHHS will respond to an imported biological crisis when it can’t respond appropriately to a local one created by the state.

Other miscellaneous monitoring

  • Charter Communications and Time Warner tie-up approved, with caveat (Reuters) — Charter can’t tell content providers like HBO they can’t sell their content over the internet – that’s one of a few exceptions FCC placed on the deal. I think this is just insane; the public isn’t seeing cheaper broadband or cable content in spite of allowing ISPs to optimize economies of scale. Between Charter/TWC and Comcast, they’ll have 70% of all broadband connections in the U.S.
  • Mitsubishi Motors fudged its fuel economy numbers for the last 25 years (AP) — This investigation is exactly what should happen across the EU, because EU-based manufacturers have done this for just as long or longer. And the EU knows this, and turns a blind eye to the tricks automakers use to inflate fuel economy ratings.
  • Goldman Sachs has a brand new gig: internet-based banking (Fortune) — This is the fruit of GS’ acquisition of General Electric’s former financial arm. Hmm.
  • BAE Systems has a nice graphic outlining the SWIFT hack via Bangladesh’s central bank (BAE) — Makes it easy to explain to Grampa how somebody carted off nearly a billion dollars.

Toodledy-doo, Tuesday. See you tomorrow morning!

The Easy Section 702 Surveillance Number James Clapper Can Share

Last week, a bunch of House Judiciary Committee members sent James Clapper a letter stating that before the Committee deals with Section 702 reauthorization next year, they’d like:

  • The number of telephone communications in which one caller is located in the United States
  • The number of Internet communications acquired through upstream collection that originate or terminate in the United States
  • The number of communications of or concerning U.S. persons that the NSA positively identifies as such in the routine course of its work

They asked for those numbers by May 6.

In response, Clapper is humming and hawing about “several options” for disclosing how many Americans get spied on under Section 702.

Clapper said that “any methodology we come up with will not be completely satisfactory to all parties.”

“If we could have made such an estimate and if such an estimate were easy to do — explainable without compromise — we would’ve done it a long time ago,” he said.

We just learned there is, however, one number that should be easy-peasy to make public (and one I’m frankly alarmed the HJC members didn’t mention, as they should have known about it for some time): the number of back door searches FBI conducts on Section 702 data for reasons other than national security.

As I noted the other day, in response to FISC amicus (and former Eric Holder counsel) Amy Jeffress’ argument that FBI’s back door searches of Section 702 are unconstitutional, Thomas Hogan required FBI “submit in writing a report concerning each instance … in which FBI personnel receive and review Section 702-acquired information that the FBI identifies as concerning a United States person in response to a query that is not designed to find and extract foreign intelligence information.” As I noted, that’s an easily gamed number — I’m sure FBI treats a lot of criminal matters as national security ones, and FBI has the ability to see if there is 702 data without looking at it, permitting it to see if the same data is available under another authority.

Nevertheless, DOJ must have an exact number of reports they’ve submitted in response to this reporting requirement, which has been in place for over four months.

That’s not to say HJC shouldn’t insist on getting estimates for all the other numbers they’re seeking. But they should also demand that this number — the number of times FBI is using a foreign intelligence exception for criminal prosecutions that should be subject to a probable cause standard — be made public.

Monday, April 25, 2016

The Theory of Business Enterprise Part 2: Neoclassical Economists and Veblen

The material framework of modern civilization is the industrial system, and the directing force which animates this framework is business enterprise. To a greater extent than any other known phase of culture, modern Christendom takes its complexion from its economic organization. This modern economic organization is the “Capitalistic System” or “Modern Industrial System,” so called. Its characteristic features, and at the same time the forces by virtue of which it dominates modern culture, are the machine process and investment for a profit.

That’s the first paragraph of The Theory of Business Enterprise by Thorstein Veblen. The 1904 book is written in an unfamiliar style, combining words and formulations we don’t use any more with a decided lack of the kinds of references we’d expect in a work of sociology or economics. It shows a kind of subversive humor as well. The reference to Christendom is funny coming from an agnostic whose rejection of religion made it difficult for him to find work. And it’s blunt.

The first three chapters lay out several ideas about the way society was organized at the time he wrote. By then the industrialization of the country and the consolidation into trusts, holding companies and interlocking directorates was well underway. The dominant force in society, Veblen says, was the industrial process with its intricate workings that required coordination of workers across many plants and industries for maximum efficiency. It required standardization of processes and goods across the range of activity, from hours of operation to fine details about the items produced so that they could be used for many different purposes. That meant that a large segment of the population had to adapt the way they lived to accommodate the processes of industry. The people who controlled the great enterprises held direct or indirect control over a large part of the lives of a vast number of working people.

At the beginning of the Industrial Revolution factories were owned and operated by individuals with a view to making a living. Over time the Captains of Industry (his words) built up capital and began to treat factories not as sources of livelihood but as assets to be bought and sold, and operated as generators of profit from investment. As Veblen describes the activities of the businessmen, it feels like the creation of a market in plants and equipment and other rights of ownership like railroad rights-of-way and patents. The industrial processes themselves were not operated, or even necessarily understood, by the Captains. They were designed by engineers, inventors and mechanics, and operated by workers with varying degrees of skill. All of them were working to make production as simple and as useful as possible. They depended for their livelihoods on paychecks from the Captains of Industry.

As different parts of production moved from handicraft to machine process, the boundaries of ownership between parts of the industrial process often were not the most efficient, as with railroads and electricity. The boundaries were unstable because the Captains of Industry were constantly fighting with one another for control of different parts of the process.

Standard economics in Veblen’s time looked a lot like our neoliberal economics as taught by Mankiw. Veblen disagrees. He starts with the proposition that the sole point of investment for profit is profit, not efficiency or the good of the community.

1. Standard economics taught that businesses are efficient. The smooth working of industrial processes require constant attention and interstitial adjustments. Veblen points out that there are opportunities for profit when the smooth operation of industrial processes is disrupted. It doesn’t matter how the disruption comes about, whether there is an improvement that reduces a cost, or a spike in demand perhaps because of a war, or a drop in demand because of a depression, or whether the Captain of Industry disrupts his own operations or whether a competitor does so. Disruptions are opportunities for profit. It doesn’t matter that the workers are thrown out or the community suffers. There are profits to be made.

The outcome of this management of industrial affairs through pecuniary transactions, therefore, has been to dissociate the interests of those men who exercise the discretion from the interests of the community. This is true in a peculiar degree and increasingly since the fuller development of the machine industry has brought about a close-knit and wide-reaching articulation of industrial processes, and has at the same time given rise to a class of pecuniary experts whose business is the strategic management of the interstitial relations of the system. Broadly, this class of business men, in so far as they have no ulterior strategic ends to serve, have an interest in making the disturbances of the system large and frequent, since it is in the conjunctures of change that their gain emerges. Qualifications of this proposition may be needed, and it will be necessary to return to this point presently.

What this means is that there are people in businesses whose job is to disrupt things to make a profit. Veblen doesn’t believe in the magic invisible hand of the market; he sees the fists of the Captains of Industry.

2. Standard economics taught that one of the main values provided by the businessman is the rationalization of industrial processes. Veblen says that consolidation is done not in the interest of smoother industrial processes, but in the interest of profits. It only happens when the Captains of Industry can profit, which is always long after the need becomes obvious, and only in the way in which the Captains of Industry can profit, which may or may not be most efficient. He admits that a businessman may be motivated by ideals of workmanship and serviceability (his word) to the community, but this is “not measurable in its aggregate results”. To the extent it is measurable, it comes from the elimination of the costs of the business transactions that are eliminated by mergers and “industrially futile manoeuvring” to gain leverage for deals, so that

… probably the largest, assuredly the securest and most unquestionable, service rendered by the great modern captains of industry is this curtailment of the business to be done, this sweeping retirement of business men as a class from the service and the definitive cancelment of opportunities for private enterprise.

3. Standard economics taught that businesses are subject to the indirect control of consumers, who decide by their purchases which businesses survive and which fail. Veblen says that in the businesses of his day, business owners are removed from actual contact with customers. There is plenty of money to be made cheating customers, he says, in part because industrial processes were so efficient that there was plenty of room for waste and war.

4. Standard economics taught that competition is the lifeblood of capitalism. Veblen says businessmen charge as much as they can. Competition is only a factor when the Captain doesn’t have a monopoly, and then it is only one of several factors.

But it is very doubtful if there are any successful business ventures within the range of the modern industries from which the monopoly element is wholly absent. They are, at any rate, few and not of great magnitude. And the endeavor of all such enterprises that look to a permanent continuance of their business is to establish as much of a monopoly as may be. Fn. omitted.

5. Standard economics taught that the market pays according to the value of the work done, which is taken to be proportional to the value to the community. Veblen says there is no relationship between the profits and wages of a business and value to the community, and that money is a poor proxy for value to a community. He also says that wages bear no relation to the productive value of the work done, but rather workers are paid only enough to get them to work hard enough to make the products of their labor saleable.

Standard economics from Veblen’s day is taught in Econ 101 today. Veblen is an astringent antidote.

Monday Morning: Tectonic Shift

Last week after the artist Prince Rogers Nelson died, a segment of the population was mystified by the reaction to his passing. They’d missed the impact this artist had had on music, which happened concurrent with a paradigm shift in the entertainment industry. Prince rose in sync with music videos in the 1980s, when musical artists became more than sound alone.

Music television has since collapsed as anyone who watched MTV and VH-1 since 2000 can tell you. Programming once dedicated to music videos became a mess of unscripted reality programs and oddments, punctuated occasionally by music specials, chasing an audience which increasingly found and consumed music on the internet.

This weekend, though, marked another shift. R&B pop artist Beyoncé released a ‘visual album’ on HBO on Saturday evening entitled ‘Lemonade’. The work was available exclusively through Tidal after its HBO premiere until midnight last night when it was released on Apple iTunes. This is the first music collection released in this manner, using a cable network not previously dedicated to music in tandem with internet streaming and download sales.

I won’t offer any analysis here about the album; you’re not looking if you do not see at least a fraction of the deluge of reaction and think pieces responding to Beyoncé’s latest work. I will say, though, that like Prince’s Purple Rain in 1984, this collection of work will have long-term impact across not only music but the entire entertainment industry.

Let’s launch this week’s roundup…

The Dutch pull a Lavabit-plus
Encrypted communications network Ennetcom was shut down on Friday and its owner arrested. Dutch law enforcement claimed Ennetcom was used by organized crime; its owner is accused of money laundering and illegal weapons possession. The network relied on servers located in Canada, where law enforcement has cooperated with the Netherlands by copying the information on the servers. Unlike the former secure email provider Lavabit in the U.S., it’s not clear there was any advance request for information by way of warrant served on Ennetcom in either the Netherlands or in Canada. Given the mention of illegal weapons, one might wonder if this seizure is related to the recent prosecution of gun smugglers in the UK.

Time for ‘Spring Cleaning’ — get rid of digital dust bunnies
Seems like a surprising source for a nudge on this topic, but the Better Business Bureau is right to encourage cleaning and maintenance. If you read Marcy’s post this morning, you know failing to use adequate passwords and firewalls can be costly. It’s time to go through your electronic devices and make sure you’re using two-factor authentication where possible and freshly reset strong passwords, on your network equipment as well as your desktop and mobile devices.

Planning for your funeral – on Facebook?
A BBC piece this past week noted that Facebook will eventually have more dead users than live ones. Which brings up an interesting question: how do you want your digital presence handled after you die? Do you have instructions in place? Keep in mind, too, that your social media could be mined to recreate an online personality — your personality. Do you want to live forever in teh toobz?

Investigation into Flint’s water crisis continues
A Michigan legislative panel appointed by Governor Rick Snyder will hear from more state and local officials today in its fifth such meeting to investigate the Flint water crisis. Snyder is conveniently out of the country trying to drum up business in Europe — and conveniently not drinking Flint’s water.

Odds and sods

  • Waiting for word on Yahoo’s final bidders list (Bloomberg) — No word yet on who will remain among the 10 first-round bidders offering between $4-$8 billion.
  • German regulators won’t approve recall and fix of VW’s 2.0-liter diesel-powered Passat (Bloomberg) — And yet the U.S. is going forward with VW’s proposed fix for 2.0l vehicles? Odd, given Germany’s less-stringent approach to automotive emissions compared to U.S. and California in particular.
  • A UK-based inquiry found widespread emissions controls failure (Phys.org) — By widespread, I mean “not a single car among the 37 models involved in the study met an EU lab limit for nitrogen oxide emissions under normal driving conditions.” VW’s emissions controls defeat was just the tip of the iceberg.

There’s your Monday. Have at it!

UPDATE — 5:25 P.M. EDT — Oops, the auto-publish feature failed me today. I wasn’t able to come back and check the egg timer on this post and it got stuck in the queue. Oh well, better luck tomorrow morning!

NSA Failed to Fully Inform FISC Even After It Started Fact-Checking Itself

On Friday, I described how, for four years after the FISA Court ruled that NSA couldn’t keep otherwise unlawfully collected information from a single traditional FISA order, the NSA continued to do just that with data from 702 orders.

Hogan was [] surprised to learn NSA was doing the same thing — and had been! — with Section 702 data that had otherwise been purged, which the NSA confessed to Hogan in July of last year. That is, having stopped the practice with a single traditional FISA order, they kept doing it with programmatic 702 data.

In light of the May 2011 [redacted], the Court was very surprised to learn from the July 13, 2015 Notice that the NSA had not been deleting from [redacted] Section 702 records placed on the NSA’s Master Purge List (“MPL”).

[snip]

As the Court explained to the government at the October 8 Hearing, it expects the government to comply with its heightened duty of candor in ex parte proceedings at all times. Candor is fundamental to this Court’s effective operation in considering ex parte submissions from the government, particularly in matters involving large and complex operations such as the implementation of Section 702.

That’s pathetic, given the history of material misstatements to FISC.

All the more so given that it happened after NSA implemented an effort to make sure it started telling FISC the truth (the date is redacted, but it probably happened sometime between October 2011 and March 2013).

As laid out in a 2013 reissue of a 2012 NSA IG report (this report starts at PDF 55; Charlie Savage liberated this via FOIA), NSA implemented a fact-checking process on its own FISC submissions. (See PDF 101)

[Screenshot: excerpt of the NSA IG report at PDF 101]

NSA is hiding when they first started fact-checking themselves, but it happened by March 2013. Which means the 2013 and 2014 702 recertification submissions were fact-checked. “The [Verification of Accuracy] procedures require all factual statements within the declarations to be verified.” Yet neither told FISC that NSA continued to retain communications from selectors on the Master Purge List in a management database two and three years after the time (at that point) FISC had told NSA, in an order titled, “Opinion and Order Requiring Destruction of Information Obtained by Unauthorized Electronic Surveillance,” it could not do so, not even with data unlawfully obtained on a single targeted FISA order. It took another year before NSA confessed to FISC it was keeping 702 data that should have been purged.

Perhaps the continued discovery of three to four violations every time NSA submits its recertification process reflects the slow implementation of fact-checking. Or perhaps there are just too many databases in which willing NSA employees can stash information before it gets purged off all the other databases.

But if the VoA was supposed to “increase confidence” in what NSA says to courts and Congress, it’s not clear how continuing to miss things like ongoing retention of unlawfully collected information does that.

Related posts on the November 6, 2015 reauthorization opinion

The NSA Has Never Not Been Violating FISA Since It Moved Stellar Wind to FISA in 2004

The Government Admits 9 Defendants Spied On Under Section 702 Have Not Gotten FISA Notice

Former Top Holder Aide Says Back Door Searches Violate Fourth Amendment; FISC Judge Thomas Hogan Doesn’t Care

FBI’s Back Door Searches: Explicit Permission … and Before That

Last July, NSA and CIA Decided They Didn’t Have to Follow Minimization Procedures, and Judge Hogan Is Cool with That


Turns Out Their Reassurances Were Too SWIFT

When I first wrote about the $81 million bank heist of Bangladesh, I noted that the hack appeared to target SWIFT, the international payment transfer system, even while SWIFT itself was giving us reassurances that they had not been breached.

While SWIFT insists it has not been breached, the hackers used a name making it clear they were targeting the SWIFT system.

On Jan. 29, attackers installed “SysMon in SWIFTLIVE” in what was interpreted as reconnaissance activity, and appeared to operate exclusively with “local administrator accounts.”

SWIFT is sending out a security advisory to its members, advising them to shore up their local operating environments.

Three days ago, Reuters issued a report that seemed to reiterate the centrality of the negligence of Bangladesh bank for the hack, which was relying on a second-hand, $10 router for its SWIFT set-up.

Bangladesh’s central bank was vulnerable to hackers because it did not have a firewall and used second-hand, $10 switches to network computers connected to the SWIFT global payment network, an investigator into one of the world’s biggest cyber heists said.

The shortcomings made it easier for hackers to break into the Bangladesh Bank system earlier this year and attempt to siphon off nearly $1 billion using the bank’s SWIFT credentials, said Mohammad Shah Alam, head of the Forensic Training Institute of the Bangladesh police’s criminal investigation department.

“It could be difficult to hack if there was a firewall,” Alam said in an interview.

The lack of sophisticated switches, which can cost several hundred dollars or more, also means it is difficult for investigators to figure out what the hackers did and where they might have been based, he added.

Though local cops cast some of the blame on SWIFT.

The police believe that both the bank and SWIFT should take the blame for the oversight, Alam said in an interview.

“It was their responsibility to point it out but we haven’t found any evidence that they advised before the heist,” he said, referring to SWIFT.

A spokeswoman for Brussels-based SWIFT declined comment.

Which might have been the tip-off that this was coming…

The attackers who stole $81 million from the Bangladesh central bank probably hacked into software from the SWIFT financial platform that is at the heart of the global financial system, said security researchers at British defense contractor BAE Systems.

SWIFT, a cooperative owned by 3,000 financial institutions, confirmed to Reuters that it was aware of malware targeting its client software. Its spokeswoman Natasha Deteran said SWIFT would release on Monday a software update to thwart the malware, along with a special warning for financial institutions to scrutinize their security procedures.

[snip]

Deteran told Reuters on Sunday that it was issuing the software update “to assist customers in enhancing their security and to spot inconsistencies in their local database records.” She said “the malware has no impact on SWIFT’s network or core messaging services.”

The software update and warning from Brussels-based Swift, or the Society for Worldwide Interbank Financial Telecommunication, come after researchers at BAE (BAES.L), which has a large cyber-security business, told Reuters they believe they discovered malware that the Bangladesh Bank attackers used to manipulate SWIFT client software known as Alliance Access.

One wonders whether SWIFT would have released a public statement if not for BAE’s imminent public report on this?

Again, NSA managed to hack into SWIFT (double-dipping on the sanctioned access they got through an agreement with the EU) via printer traffic at member banks.

NSA’s TAO hackers hacked into SWIFT (even though the US has access to SWIFT to obtain counterterrorism information via an intelligence agreement anyway), apparently by accessing printer traffic from what sounds like member banks.

The NSA’s Tracfin data bank also contained data from the Brussels-based Society for Worldwide Interbank Financial Telecommunication (SWIFT), a network used by thousands of banks to send transaction information securely. SWIFT was named as a “target,” according to the documents, which also show that the NSA spied on the organization on several levels, involving, among others, the agency’s “tailored access operations” division. One of the ways the agency accessed the data included reading “SWIFT printer traffic from numerous banks,” the documents show.

So SWIFT had warning there were vulnerabilities in its local printer system (though it’s not clear this is the same vulnerability the Bangladesh thieves used).

You’d think SWIFT would have made some effort when that became public to shore up vulnerabilities in the global finance system. Instead, they left themselves vulnerable to a $10 router.

CyberCommand Turns Its “Cyberbombs” from Assad to ISIS

David Sanger has a long piece on how CyberCom is — for the first time, he says! — launching cyberattacks on ISIS.

The United States has opened a new line of combat against the Islamic State, directing the military’s six-year-old Cyber Command for the first time to mount computer-network attacks that are now being used alongside more traditional weapons.

The effort reflects President Obama’s desire to bring many of the secret American cyberweapons that have been aimed elsewhere, notably at Iran, into the fight against the Islamic State — which has proved effective in using modern communications and encryption to recruit and carry out operations.

The National Security Agency, which specializes in electronic surveillance, has for years listened intensely to the militants of the Islamic State, and those reports are often part of the president’s daily intelligence briefing. But the N.S.A.’s military counterpart, Cyber Command, was focused largely on Russia, China, Iran and North Korea — where cyberattacks on the United States most frequently originate — and had run virtually no operations against what has become the most dangerous terrorist organization in the world.

[snip]

The goal of the new campaign is to disrupt the ability of the Islamic State to spread its message, attract new adherents, circulate orders from commanders and carry out day-to-day functions, like paying its fighters. A benefit of the administration’s exceedingly rare public discussion of the campaign, officials said, is to rattle the Islamic State’s commanders, who have begun to realize that sophisticated hacking efforts are manipulating their data. Potential recruits may also be deterred if they come to worry about the security of their communications with the militant group.

[snip]

“We are dropping cyberbombs,” Mr. Work said. “We have never done that before.”

The campaign has been conducted by a small number of “national mission teams,” newly created cyberunits loosely modeled on Special Operations forces.

Golly, what a novel idea, hacking an adversary that relies on the Internet for its external strength? Imagine how many people we could have saved if we had done that a few years ago? And all this time CyberCom has just been sitting on its thumbs?

Sanger suggests, of course, that CyberCom has been otherwise focused on Russia, China, Iran, and North Korea, which (post-Stuxnet) would be largely a matter of active defense. He pretends that cyber attacks have not been used in the ISIS theater at all.

Of course they have. They’ve been going on so long they even made the Snowden leaks (as when NSA “accidentally” caused a blackout in Syria).

But it would be inconvenient to mention attacks on Syria (as distinct from its ally Iran), I guess, because it might raise even more questions about why we’d let ISIS get strong enough, largely using the Internet, to hit two European capitals without undercutting them in the most obvious way. It all makes a lot of sense if you realize we have, at the same time, been directing those resources instead at Bashar al-Assad.

Sunday, April 24, 2016

The NSA Has Never Not Been Violating FISA Since It Moved Stellar Wind to FISA in 2004

Back in 2013, I noted that FISA Judge John Bates had written two opinions finding NSA had violated 50 U.S.C. §1809(a)(2), which prohibits the “disclos[ure] or use[ of] information obtained under color of law by electronic surveillance, knowing or having reason to know that the information was obtained through electronic surveillance not authorized by” FISA. Each time he did it, Bates sort of waggled around the specter of law-breaking as a way of forcing NSA to destroy data they otherwise wanted to retain and use. I suspect that is why NSA moved so quickly to shut down its PRTT program in 2011 in the wake of his upstream opinion.

In his November 6, 2015 opinion reauthorizing Section 702, presiding judge Thomas Hogan described two more definite violations of 50 U.S.C. §1809(a)(2), and one potential one, bringing the list of times the FISC caught NSA illegally surveilling Americans to four, and potentially five, times.

  1. Fall 2009 confession/July 2010 opinion: Collection of categories of data under the bulk PRTT program not permitted by the FISC
  2. June 2010 confession/December 10, 2010, May 13, 2011 opinions: Retention of overcollected data from a traditional FISA warrant in mission management systems ultimately not deemed necessary for collection avoidance
  3. May 2011 confession/October 3, 2011 opinion: Collection of entirely domestic communications on upstream surveillance MCTs
  4. July 13, 2015 confession/November 6, 2015 opinion: Retention of 702 communications that had been otherwise purged in mission management systems, even though FISC had ruled against such retention in 2011
  5. [Potential] July 13, 2015 confession/November 6, 2015 opinion: Retention of data that should have been purged or aged off in compliance databases

Hogan describes these incidents starting on page 56.

Between June and August of 2010, the government filed some notices of violation in conjunction with a single electronic surveillance order (on page 58, he describes that as dealing “exclusively with Title I collection in a particular case.”) It’s unclear whether the scope of the surveillance extended beyond what had been authorized, or whether the government had conducted surveillance based on illegally collected data (Hogan refers to it both as overcollection but also as poison fruit). As part of its efforts to resolve the problem, the government argued it could keep some of this poisonous fruit in some kind of oversight database to prevent further collection. But it also argued that its minimization procedures “only applied to interceptions authorized by the Court and did not apply to the fruits of unlawful surveillance,” effectively arguing that if it broke the law the FISC could then not tell it what to do because it had broken the law. The government also argued 50 U.S.C. §1809(a)(2) “only prohibits use or disclosure of unlawfully obtained information for investigative or analytic purposes,” meaning it could keep illegal data for management purposes.

FISC didn’t buy this argument generally, but in a December 10, 2010 opinion did permit NSA to retain “the results of unauthorized surveillance [that] are needed to remedy past unauthorized surveillance or prevent similar unauthorized surveillance in the future.” In that opinion, FISC cited John Bates’ July 2010 PRTT opinion discussing the application of 50 U.S.C. §1809(a)(2).

After further review, on May 13, 2011, the court ruled that the specific data in question did not fall within that exception.

[C]ourts should not attempt “to restrict the unqualified language of a [criminal] statute to the particular evil that Congress was trying to remedy — even assuming that it is possible to identify that evil from something other than the text of the statute itself.” Brogan v. United States, 522 U.S. 398, 403 (1998) … The exception recognized in the December 10, 2010 Opinion stands on narrower but firmer ground: that in limited circumstances, prohibiting use or disclosure of the results of unauthorized electronic surveillance would be “so ‘absurd or glaringly unjust’ … as to [call into] question whether Congress actually intended what the plain language of Section 1809(a)(2) “so clearly imports.”

That decision only related to one traditional FISA order — but it did lay out the principle that NSA couldn’t keep illegally collected data for vague management reasons.

Which is why Hogan was so surprised to learn NSA was doing the same thing — and had been! — with Section 702 data that had otherwise been purged, which the NSA confessed to Hogan in July of last year. That is, having stopped the practice with a single traditional FISA order, they kept doing it with programmatic 702 data.

In light of the May 2011 [redacted], the Court was very surprised to learn from the July 13, 2015 Notice that the NSA had not been deleting from [redacted] Section 702 records placed on the NSA’s Master Purge List (“MPL”).

[snip]

As the Court explained to the government at the October 8 Hearing, it expects the government to comply with its heightened duty of candor in ex parte proceedings at all times. Candor is fundamental to this Court’s effective operation in considering ex parte submissions from the government, particularly in matters involving large and complex operations such as the implementation of Section 702.

After the hearing, the government submitted several filings effectively saying it was purging the data, then admitting that the technical process it had implemented to effect the purge was only purging some of the selectors that had been illegally collected.

In any case, after 4 years of retaining 702 data that had to be purged, they were finally moving towards deleting it last year.

The second violation pertains to two tools (both names of which are redacted) that help determine whether a selector can be or has been properly tasked (on page 76, Hogan suggests “most Section 702 information [in these databases] that is otherwise subject to purge pertains to roamer communications.”)

The first appears to be a pre-tasking tool to check whether a selector can properly be tasked. This tool has not aged off PRISM data within the required 5 years, nor upstream data within the required 2 years, though it has aged off pre-October 31, 2011 upstream data. NSA has not done so “because of the utility of these records for compliance and collection avoidance purposes.” It also helps to respond to OSD and ODNI oversight questions.

The second is a post-tasking tool to identify whether a Section 702 target may be in the US. It doesn’t age off PRISM data within the required 5 years, though it does treat upstream data properly. In addition, it doesn’t purge items that have been added to the Master Purge List. Rather than purging, it just masks certain fields from most users.

In general, Hogan seemed to believe most of this data did fall within the narrow exception laid out in the December 2010 opinion permitting the retention of unauthorized data for the purposes of collection avoidance, though he asked for further briefing that would have taken place in January.

He did point to the inclusion in these two tools of other selectors that had been put on the purge list, however, which would raise additional questions:

Examples would be incidentally acquired communications of or concerning United States persons that are clearly not relevant to the authorized purpose of the acquisition or that do not contain evidence of a crime which may be disseminated under the minimization procedures … attorney-client communications that do not contain foreign intelligence information or evidence of a crime … and any instances in which the NSA discovers that a United States person or person not reasonably believed to be outside the United States at the time of targeting has been intentionally targeted under Section 702.

That is, Hogan raised the possibility that these tools included precisely the kind of information that should be deliberately avoided.

Ah well. He still reauthorized Section 702.

Consider what this means: from the five years between fall 2004, when NSA told Colleen Kollar-Kotelly it was violating her category restrictions, and 2009, when it admitted it was still doing so; through the non-disclosure of what NSA was really doing with upstream surveillance between 2008 and 2011; to the time it treated 702 data in a way it had just been told (in May 2011) it could not even with a single FISA order, NSA has always been in violation of 50 U.S.C. §1809(a)(2) since it moved Stellar Wind to FISA.

And that’s just the stuff they have admitted to.

Saturday, April 23, 2016

DOJ’s Awesome New Trick to Break into Apple Phones

DOJ has apparently come up with an amazing new trick to break into Apple phones: to ask defendants in the weeks before they sentence them.

Throughout the challenge over the phone in EDNY, Apple has raised a number of other ways DOJ could get into Jun Feng’s phone. That includes some known forensic tools, but especially — given that Feng pled guilty — simply asking him for his password a second time. According to WSJ’s report on why DOJ just withdrew their request in that case, DOJ hadn’t tried the latter method, until now.

In a one-page letter filed with a Brooklyn federal court Friday night, the government said an individual had recently come forward to offer the passcode to the long-locked phone. The filing means that in both of the high-profile cases pitting the Justice Department against Apple, the government first said it couldn’t open the phone, only to suddenly announce it had found a way into the device as the case proceeded in court.

“Yesterday evening, an individual provided the passcode to the iPhone at issue in this case,’’ prosecutors said in their terse letter to the judge. “Late last night, the government used that passcode by hand and gained access to the iPhone. Accordingly, the government no longer needs Apple’s assistance to unlock the iPhone, and withdraws its application.’’

[snip]

After he was arrested, Mr. Feng told agents that he didn’t remember the phone’s passcode, leading investigators eventually to seek Apple’s help. The Wall Street Journal reported last week that Mr. Feng only recently learned his phone had become an issue in a high-stakes legal fight between prosecutors and Apple. Mr. Feng, who has pleaded guilty and is due to be sentenced in the coming weeks, is the one who provided the passcode to investigators, according to people familiar with the matter.

Geniuses! Use the sentencing process, rather than the All Writs Act, to open up a phone captured two years ago (which probably has even less usable evidence than Syed Rizwan Farook’s phone did).

These prosecutors are really using some amazing tools these days.


Friday, April 22, 2016

The Government Admits 9 Defendants Spied On Under Section 702 Have Not Gotten FISA Notice

As I noted, in his opinion approving the Section 702 certifications from last year, Judge Thomas Hogan had a long section describing the 4 different kinds of violations the spooks had committed in the prior year.

One of those pertained to FBI agents not establishing an attorney-client review team for people who had been indicted, as mandated by the FBI’s minimization procedures.

In his section on attorney-client review team violations, Hogan describes violations in all four of the Quarterly Reports submitted since the previous 702 certification process: December 19, 2014, March 20, 2015, June 19, 2015, and September 18, 2015. He also cites three more Preliminary Compliance Reports that appear not to be covered in that September 18, 2015 report: one on September 9, 2015, one on October 5, 2015, and one on October 8, 2015. His further discussion describes the government claiming at a hearing on October 8 to discuss the issue that, thanks to a new system FBI had deployed to address the problem, “additional instances of non-compliance with the review team requirement were discovered by the time of the October 8 Hearing.”

But as Hogan notes in his November 2015 opinion, FBI discovered a lot of these issues because FBI had had a similar problem the previous year and he required them to review for it closely in his 2014 order. A July 30, 2014 letter submitted as part of the recertification process describes two instances in depth: one noticed in February 2014 and reported in the March Quarterly Report, and one noticed in April and reported in the June 2014 Quarterly Report, each involving multiple accounts. A footnote to that discussion admits “there have been additional, subsequent instances of this type of compliance incident.”

Set aside, for the moment, the persistence with which FBI failed to set up review teams to make sure prosecutorial teams were not reading the attorney-client conversations of indicted defendants (who are the only ones who get such protection!!!). Set aside the excuses they gave, such as that they thought this requirement — part of the legally mandatory minimization procedures — didn’t apply for sealed indictments or with targets located outside the United States.

Conservatively, this significantly redacted discussion identifies 9 examples (2 reported in Compliance Reports in 2014, at least 1 reported in each of the four quarterly Compliance Reports between applications, plus 3 individual compliance reports submitted after the September Compliance Report) when people who have been indicted had their communications collected under Section 702, whether they were the target of the 702 directives or not.

And yet, as Patrick Toomey wrote in December, not a single defendant has gotten a Section 702 notice during the period in question.

Up until 2013, no criminal defendant received notice of Section 702 surveillance, even though notice is required by statute. Then, after reports surfaced in the New York Times that the Justice Department had misled the Supreme Court and was evading its notice obligations, the government issued five such notices in criminal cases between October 2013 and April 2014. After that, the notices stopped — and for the last 20 months, crickets.

We know both Mohamed Osman Mohamud — who received a 702 notice personally — and Bakhtiyor Jumaev — who would have secondary 702 standing via Jamshid Muhtorov, with whom he got busted — had their attorney-client communications spied on. But that wasn’t (damn well better not have been!!) 702 spying, because both parties to all those conversations were in the US.

These are 9 different defendants who’ve not yet been told they were being spied on under 702.

Why not?

The answer is probably the one Toomey laid out: that even though members of a prosecutorial team were listening in on attorney-client conversations collected under 702, DOJ made sure nothing from those conversations (or anything else collected via 702) got used in another court filing, and thereby avoided the notice requirement.

Based on what can be gleaned from the public record, it seems likely that defendants are not getting notice because DOJ is interpreting a key term of art in Fourth Amendment law too narrowly — the phrase “derived from.” Under FISA itself, the government is obliged to give notice to a defendant when its evidence is “derived from” Section 702 surveillance of the defendant’s communications. There is good reason to think that DOJ has interpreted this phrase so narrowly that it can almost always get around its own rule, at least in new cases.

It is clear from public reporting and DOJ’s filings in the ACLU’s lawsuit that it has spent years developing a secret body of law interpreting the phrase “derived from.” Indeed, from 2008 to 2013, National Security Division lawyers apparently adopted a definition of “derived” that eliminated notice of Section 702 surveillance altogether. Then, after this policy became public, DOJ came up with something else, which produced a handful of notices in existing cases.

Savage reports in Power Wars that then-Deputy Attorney General James Cole decided that Section 702 information had to have been “material” or “critical” to trigger notice to a defendant. But the book doesn’t provide any details about the legal underpinnings for this rule or, crucially, how Cole’s directive was actually implemented within DOJ. The complete absence of Section 702 notices since April 2014 suggests DOJ may well have found new ways of short-circuiting the notice requirement.

One obvious way DOJ might have done so is by deeming evidence to be “derived from” Section 702 surveillance only when it has expressly relied on Section 702 information in a later court filing — for instance, in a subsequent FISA application or search warrant application. (Perhaps DOJ’s interpretation is slightly more generous than this, but probably not by much.) DOJ could then avoid giving notice to defendants simply by avoiding all references to Section 702 information in those court filings, citing information gleaned from other investigative sources instead — even if the information from those alternative sources would never have been obtained without Section 702.

So these 9 mystery defendants don’t tell us anything new. They just give us a number — 9 — of defendants the government now has officially admitted have been spied on under 702 who have not been told that.

As I noted, Judge Hogan did not include this persistent attorney-client problem among the things he invited Amy Jeffress to review as amicus. Whether or not she would have objected to the persistent violation of FBI’s minimization procedures, a review of them would also have given her evidence from which she might have questioned FBI’s compliance with another part of 702, that defendants get notice.

But DOJ seems pretty determined to flout that requirement going forward.