Michael Hayden Admits That He Can't Prove Stories Revealing NSA Snooping Have Harmed National Security

from the oh-now-he-tells-us dept

With all of the focus on the Snowden revelations from the past few months, it's put new attention on the big story from 2005, in which the NY Times revealed President Bush's warrantless wiretapping program, run by then NSA boss Michael Hayden. The NYT story, famously, was held for thirteen months as the government tried to do everything to block it from being published -- especially during the 2004 election season. The claims were always the same: publishing the story would be a massive threat to national security -- just like you hear today with the Snowden revelations. The NY Times public editor, Margaret Sullivan, decided to revisit that decision to delay the publication for over a year with various parties involved in the decision, and see how they feel about it now. There are a few interesting tidbits, but the one that struck me most is actually buried in a parenthetical. It's Michael Hayden admitting that, despite all his whining about the harm of revealing this stuff, there's no evidence it actually did any harm:

And even Mr. Hayden told me that he can’t prove any harm to national security from the publication of the eavesdropping stories -- then or now.

The "then or now" seems rather important. First of all, with the older story, nearly a decade forward and no proof of harm? That seems rather revealing, since they insisted so strongly that publication would be horrific and would ruin their chances to spy on people (sound familiar?) Furthermore, he's now admitting that he can't prove harm from the recent stories either -- even though he seems to have no trouble going around fear mongering, claiming such damage has been done, at every other opportunity.

The article claims that the NY Times learned its lesson from this, and that it's much less inclined to take the government's word on claims that publishing a story will cause national security harm anymore.

“I think our story broke the fever,” Mr. Risen said. “We’re much better now” about pushing back against government pressure. Jill Abramson, the executive editor (then managing editor), has not only defended the Snowden-related stories as squarely in the public interest but has had Times reporters and editors collaborating with The Guardian and ProPublica on Snowden-sourced stories.

Hopefully, that remains true. It's easy for the government to fear monger over these things, but every time they do, it's difficult to think of a single example where the claims of harm on our national security have ever been accurate.

Filed Under: harm, michael hayden, national security, nsa, nsa surveillance

22 Examples Of NSA Surveillance Creating Chilling Effects

from the more-evidence-of-how-it's-unconstitutional dept

In the EFF's lawsuit against the NSA over domestic surveillance, the organization has filed 22 first hand examples of organizations which have directly experienced the chilling effects of the surveillance program, which the EFF reasonably argues shows how the program violates the Constitutional right to freely associate. There are numerous examples of public interest groups discovering that members or community members have curtailed communication, declined membership or used other ways of cutting off contact, as they now fear the threat of potential "guilt by association." Once again, this is the kind of stuff that isn't supposed to happen in America, and it's another reason why the surveillance efforts are so pernicious.

"The plaintiffs, like countless other associations across the country, have suffered real and concrete harm because they have lost the ability to assure their constituents that the fact of their telephone communications between them will be kept confidential from the federal government," EFF Senior Staff Attorney David Greene said. "This has caused constituents to reduce their calling. This is exactly the type of chilling effect on the freedom of association that the First Amendment forbids."

These cases tend to take a while, but the chilling effects are happening now, are very real and are going to continue until the NSA is stopped from its overaggressive surveillance.

Filed Under: chilling effects, lawsuit, nsa, nsa surveillance, right of association
Companies: eff

You'd Think NSA Employees Would Know Better Than To Hand Out Their Passwords, But Many Gave Them To Snowden

from the nsa-is-trustworthy? dept

In the latest bizarre news concerning the Snowden leaks, Reuters is reporting that Ed Snowden was able to convince a number of NSA employees to give him their login info, which helped him access a lot of the content. Of course, this differs from earlier reports, which had suggested that, as a sys admin, he'd simply been able to login as other employees.

A handful of agency employees who gave their login details to Snowden were identified, questioned and removed from their assignments, said a source close to several U.S. government investigations into the damage caused by the leaks.

Snowden may have persuaded between 20 and 25 fellow workers at the NSA regional operations center in Hawaii to give him their logins and passwords by telling them they were needed for him to do his job as a computer systems administrator, a second source said.

What fascinates me about this is the idea that if you were working for the NSA, wouldn't you know to never give out your password to anyone, ever? It just seems like basic common sense (also: if you were one of those 20 to 25 people, I'd imagine that as soon as Snowden's name came out, you were sweating bullets). You'd think that NSA employees wouldn't do that sort of thing.

And, once again, what this brings us back around to is the simple fact that NSA employees are humans and sometimes they do the wrong thing. That is why the surveillance program is so worrisome. Keith Alexander and others can insist that there were only a small number of abuses, but all the data actually showed is that the NSA only caught a small number of abuses. It's quite likely that many more have happened, and continue to happen. The fact that it's apparently not that difficult to get NSA employees to cough up their login info shows that for all the talk of careful review, audits, limits and security -- humans remain a very weak link, and there are all sorts of ways to get at information even if the NSA believes it's locked down and carefully monitored.

Filed Under: ed snowden, humans, nsa, nsa surveillance, passwords, secrecy, sharing

Why Saying 'We Knew This' Or 'Everybody Spies' In Response To NSA Revelations Is Wrong

from the we-didn't-know,-and-it's-not-the-same dept

Two of the most common responses from people (often in the press) who want to minimize the importance and the impact of the Snowden revelations about NSA surveillance are that (1) "there's nothing new" or "people knew this already" and (2) "everyone spies on everyone -- what's the big deal?" The latter one got some new life recently after it was revealed that Brazil had spied on US diplomats in the past. As you may remember, Brazil has been acting outraged in response to the revelations of US spying on Brazilians and Brazilian companies. However, both responses are simply not accurate.

Zeynep Tufekci recently wrote a great piece over at Medium, in which she debunks these weak excuses, by pointing out that (1) while some people claim to have known, tons of people didn't -- and that's what's important and (2) the scale here is well beyond what was done in the past.

To start with, it does not matter much whether knowledgeable people should have guessed the scale of NSA spying or not. That is probably the least relevant question one can ask about all this. It relies on an old and outdated understanding of a world that is simply no more.

Repeating the mantra “this is nothing new, all governments spy” may make the mostly DC-insider chorus who cling to it ever more tightly with each new leak feel better, and entrench their self-image as insiders. There are certainly psychological and financial rewards to acting and feeling like insiders. But it does nothing to change the fact that this chorus has completely missed the point of the tectonic shifts affecting them, and all governance: They aren’t the only insiders anymore.

The “nothing new here” people aren’t fully correct, even in the technical details. It’s true: spying by governments, including on their own citizens and on other governments, be they enemies, allies or frenenemies, is not new. It’s even expected. However, the scale of the spying, enabled by the shift to digital infrastructure, is certainly novel.

As we discussed recently, the real "danger" of these leaks is that the US government can't get away with its hypocritical positions so easily any more, because the public (especially the non-US public) is demanding a response. And that makes a huge difference.

Furthermore, she points out, the most amazing thing in all of this is that the NSA appears to have no plan at all in place for how to deal with this situation. It's as if they just assumed that everything they did would remain secret. Basically, Tufekci points out, the NSA relied on the idea that some "insiders" might know about this, but the great unwashed "outsiders" would never know.

But that's changed. In a big way -- and that matters, because the "context collapse" can have massive implications:

Context collapse is everywhere. It’s not just teenagers on Facebook whose ordinary adolescent boundary-testing actions are viewed by finger-wagging adults; it’s not just a variety of institutions that have found their internal communications meant for friendly eyes are exposed to the world; it’s not just academics whose scholarly studies are being dug up by various constituencies as fodder for outrage. It’s everywhere.

The outsiders are peeking in and moving in, and they are here to stay. If, as an institution, keeping your balance relies on outsiders staying outside while you talk in jargon and acronyms with your fellow insiders, it’s time to look for a safety net and a harness. A fall is coming, sooner or later. In this world, “this is what we have always done” is not going to cut it.

Meanwhile, there's a related article over at The Atlantic by James Fallows, in which he publishes an email from a Defense Department insider, which hopefully should put to rest the idea that everyone knew about this and that there's nothing "shocking" in the revelations. This is from an actual insider who argues the exact opposite, even as he supports many of the general actions:

I obviously can't be quoted by name on this ... and indeed, since this email is being read (Hi guys!), I can probably get fired just for sending it, but let me just stress how shocking these NSA revelations are.

Look, I'm not a shrinking violet. I work for DoD. I support much of the war on terror. Some of these assholes out there just need killing. And gathering info on them that allows us to schwhack them is okay with me.

But there is law. And my view is that you have two choices. Either you change the law openly, publicly, or if that is impossible and you consider violating the law imperative, then you make a claim of "exceptional illegality."

But, that insider notes, the stunning thing about the NSA revelations aren't that they exceeded what most people believed the law is, but that it was an everyday thing rather than an "exceptional" case:

But the thing about the NSA revelations is that this isn't exceptional illegality. It is routine, somehow justified by legal opinions written by John Yoo-style hacks.

And worse, it is so routine that 29 y/o contractors have access to it.

The situation is stunning in many ways. To claim that "there's nothing new" or that "everyone spies" is to miss almost everything that's important about these revelations and the impact they are already having.

Filed Under: hypocrisy, impact, insiders, knowledge, nsa, nsa surveillance, outsiders, scale

Inspector General For Intelligence Community Rejects Congress' Request To Investigate The NSA

from the oversight! dept

Remember, kids, how the NSA and its defenders keep talking about how much oversight there is? One part of that is the inspector general who is supposed to make sure that the NSA isn't going rogue. Except... now that the Judiciary Committee asked the intelligence community Inspector General Charles McCullough to investigate the NSA's dragnet data collections, he's told them he just can't do it, according to a recent report at Politico.

“At present, we are not resourced to conduct the requested review within the requested timeframe,” wrote McCullough, before adding he and other agency inspectors general are weighing now whether they can combine forces on a larger probe.

Not surprisingly, those who asked for the help, are not pleased. Senator Pat Leahy appears particularly angry about this:

That response didn’t sit well with Leahy, who raised the letter during a scathing speech on the Senate floor Wednesday that slammed the intelligence community for a “trust deficit.” Leahy also emphasized his belief that “the American people are rightly concerned that their private information could be swept up into a massive database, and then compromised.”

While it may be true that McCullough does not have significant resources to do this kind of investigation, that really just highlights the problem. There clearly is not sufficient oversight over the NSA's activities. The fact that the very person in charge of this kind of investigation, when told to do it by Congress, says he can't, should demonstrate just how little actual oversight there is. Perhaps instead of putting more money towards stopping the next Ed Snowden, the Senate should give that money to the inspector general to investigate the NSA and encourage the next Ed Snowden to come forward.

Filed Under: charles mccullough, inspector general, nsa, nsa surveillance, oversight, pat leahy, senate judiciary committee

NSA Insists It Needs All The Metadata, While Eric Holder Says He Was 'Concerned' About It Even Before Snowden

from the yeah,-right dept

Earlier this week, as we've noted, the leaders of the Intelligence Community fought hard for their metadata, arguing that they were "necessary" and under no circumstances would they give up their precious metadata. They even made nonsensical arguments, including suggesting that if the NSA doesn't get to keep the metadata it's actually worse for Americans' privacy. And of course, it seems a bit bizarre that the NSA is so focused on this when it's pretty clear that the program hasn't been particularly useful in stopping terrorism.

Of course, a day later, after these representatives from the Intelligence Community made it abundantly clear that they had no interest, whatsoever, in giving up their metadata, Attorney General Eric Holder suddenly announced that the administration has been concerned about the metadata collections since before the Snowden leaks, and that the administration wants to "work with Congress" as Congress considers legislation to stop bulk metadata collection.

Of course, the idea that anyone in the administration was legitimately concerned about the bulk metadata collection is pretty laughable given everything they've done to defend it, including having the representatives from the intelligence community go to the PCLOB on Monday suggesting that all hell would break loose without their precious, precious metadata. It seems that Holder's statement is much more about the administration seeing the writing on the wall with the USA Freedom Act, and realizing that it now wants to pretend that it's been thinking about cutting back on the bulk metadata collection all along.

Filed Under: eric holder, metadata, nsa, nsa surveillance, pclob, section 215

Pissed Off Google Security Guys Issue FU To NSA, Announce Data Center Traffic Now Encrypted

from the keep-at-it dept

So far, one of the biggest stories of the Snowden NSA leaks, by far, is the revelation that the NSA was infiltrating the private data links between Google and Yahoo data centers (and, it seems likely, other companies as well). Google had clearly suspected this, as it had been reported earlier that they were scrambling to encrypt those data links. As you may recall, the original Washington Post article also noted that two Google engineers who were shown the NSA's slides "exploded in profanity" and anger at the NSA.

It would appear that this sentiment is pretty common across Google's security team, and they're displaying their anger on Google Plus -- but also announcing that all that data is now encrypted. When the news first broke, security engineer Brandon Downey expressed reasonable anger about the news:

Fuck these guys.

I've spent the last ten years of my life trying to keep Google's users safe and secure from the many diverse threats Google faces.

[...] But after spending all that time helping in my tiny way to protect Google -- one of the greatest things to arise from the internet -- seeing this, well, it's just a little like coming home from War with Sauron, destroying the One Ring, only to discover the NSA is on the front porch of the Shire chopping down the Party Tree and outsourcing all the hobbit farmers with half-orcs and whips.

On Tuesday, the Washington Post revealed a few more slides showing more details of the NSA's infiltration of private data links between data centers. In response to that, another security engineer, Mike Hearn, announced that all the traffic shown in those slides is now encrypted, along with his own "fuck you" to the NSA and GCHQ:

I now join him in issuing a giant Fuck You to the people who made these slides. I am not American, I am a Brit, but it's no different - GCHQ turns out to be even worse than the NSA.

We designed this system to keep criminals out. There's no ambiguity here. The warrant system with skeptical judges, paths for appeal, and rules of evidence was built from centuries of hard won experience. When it works, it represents as good a balance as we've got between the need to restrain the state and the need to keep crime in check. Bypassing that system is illegal for a good reason.

Unfortunately we live in a world where all too often, laws are for the little people. Nobody at GCHQ or the NSA will ever stand before a judge and answer for this industrial-scale subversion of the judicial process. In the absence of working law enforcement, we therefore do what internet engineers have always done - build more secure software. The traffic shown in the slides below is now all encrypted and the work the NSA/GCHQ staff did on understanding it, ruined.

Of course, some people might reasonably question the idea that Google is "little people" here. And, while it's good to see Google staffers furious about this, it remains to be seen if Google will actually do more about this. A lawsuit against the US government for hacking into its network seems called for. And, potentially against Level 3 as well, given that it appears Level 3 provided much of the dark fiber Google was using -- and the company gave a giant "if the government comes to us, we can't talk about it" response, that hinted strongly towards "the government came to us and had us tap Google's private links."

Hopefully, we'll start to see that employee anger over this turn into much more: including better privacy tools for users and using Google's political pull to fight the NSA in DC as well.

Filed Under: datacenters, encryption, engineers, nsa, nsa surveillance, security
Companies: google, level 3

Is There Any Alternative To The NSA's 'Take It All' Approach?

from the intelligent-intelligence-services dept

At the moment, the only half-way serious attempt at justifying the NSA's "take it all" approach to surveillance is to claim that there is no alternative if we want intelligence agencies to spot and stop extreme threats like terrorism:

President Obama and his top advisers have concluded that there is no workable alternative to the bulk collection of huge quantities of "metadata," including records of all telephone calls made inside the United States.

But maybe there are other ways of achieving the same goals, and it's just that the US government is loath to give up the capabilities it has developed to spy on its own citizens and the rest of the world, and so doesn't try too hard to find any. For example, one threat that is often invoked to justify surveillance is that of terrorists causing explosions, potentially with great loss of life. Searching through trillions of pieces of metadata to find clues about bombers before they act really is like looking for the proverbial needle in a haystack -- it's significant that NSA leaders have used this metaphor time and again. Wouldn't it be better to search for signs of the explosives directly, as in this research project, reported by New Scientist?

Bomb-makers or chemists with Breaking Bad crystal-meth labs better watch out. A sewer system full of chemical sensors could sniff out their homemade labs as part of a €4.5 million European Union-funded research programme called Emphasis.

The idea is that once a sewer sensor finds telltale traces of home-brewed explosives, it sounds an alarm and a police team carrying a portable, high-resolution sensing unit can be dispatched to narrow the search and pinpoint the exact location.

This approach would not only be proportionate -- it's tightly focused on the specific threat, not on vague epiphenomena that the threat may produce in the Internet's vast flood of digital data -- it would also be far more effective when fully deployed, since it would allow the actual bomb-making laboratories and materials themselves to be located, not just people who are discussing related matters.

Maybe the NSA's dogged reliance on the haystack approach is impeding the search for more intelligent methods. Instead of varying the selectors, or exploring yet more hops in the hope that terrorists will somehow be revealed in the vast stores of the world's metadata, a better approach would be to develop new ways to spot specific major threats -- whether it is explosives, chemical weapons or radioactive material. If those can be addressed effectively in this way, there will be no need for a "take it all" approach, and we can go back to a system where surveillance is the exception, directed at real suspects, rather than the rule, encompassing us all.

Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+

Filed Under: collect it all, metadata, nsa, nsa surveillance

NSA Official Positively Compares Metadata Searches To Stop And Frisk

from the an-apt-comparison,-but-hardly-in-the-way-he-means-it dept

There's a huge disconnect between the mindset of the intelligence community and everyone else outside it. Considering the majority still lies with those on the outside, you'd think they'd make more of an effort to connect. But, as this statement, made to the PCLOB (Privacy and Civil Liberties Oversight Board), indicates the gap hasn't narrowed in the slightest.

Employees at the National Security Agency follow the same standards as controversial "stop and frisk" policies when accessing phone surveillance data, intelligence officials said Tuesday.

Though the agency collects data about all U.S. phone calls, NSA employees need to demonstrate “reasonable and articulable suspicion” when they want to access that phone call data.

"It’s effectively the same standard as stop and frisk,” NSA General Counsel Rajesh De said during a hearing held by the Privacy and Civil Liberties Oversight Board, which supervises anti-terrorism surveillance programs.

It simply cannot be stressed enough that you need to choose your words wisely when discussing programs that are already suspected of violating civil liberties. Comparing them to something just as controversial only calls the programs into further question, not to mention Rajesh De's judgement.

A board member called De out on this, pointing out the NYPD's program is hardly without its problems, seeing as it's currently the subject of multiple lawsuits including two high-profile cases in federal courts. Having been apprised of developments outside the intelligence bubble, the officials "amended their claim," so to speak.

The intelligence officials defended their version of the process, saying that searches of the phone call database are subject to more oversight than police officers who stop and frisk people on the street.

Well, one would hope so, considering the particular "cops on the street" Rajash De compared NSA analysts to have had very little oversight over their program, which simply requires an officer to fill out a small form and check some boxes ("furtive movement") in order to justify shoving someone up against the wall.

As it stands now (especially with the City's stay being granted), stop and frisk hardly even needs "reasonable suspicion." Supposedly the NSA does, but again, we're expected to take officials' word on this, and any references De (or anyone else) makes towards "oversight" should probably be ignored. "Oversight" is the ideal, not the reality. The same goes for the NYPD, which has been granted (like the NSA) an extremely long leash by indulgent overseers (Mayor Bloomberg/intelligence committees).

DNI counsel Robert Litt added that the "actual degree of intrusion" when the agency searches the (not officially a) collection is much less than that of a stop and frisk search. Well, I would hope so. For one thing, no one's pockets are being turned out or having their crotch region manhandled. If they were, there'd be a whole lot fewer unnoticed privacy violations, much to the chagrin of Mike Rogers.

Filed Under: metadata, nsa, nsa surveillance, pclob, rajesh de, stop and frisk

Intelligence Community Lawyers Argue That Curbing Metadata Collections Will Damage Americans' Privacy

from the fox-claims-removal-of-henhouse-guardianship-will-result-in-'increased'-h dept

The NSA's bulk record collections is facing plenty of legislative opposition as a result of Snowden's leaks. Its own carelessness and abuse nearly cost the agency its metadata collections back in 2009 and it's apparently unwilling to consider any limitations being placed on this program going forward. Dianne Feinstein has pitched in with an attempt to codify the collection into law, something that will make it a bit more politically unassailable, but in the meantime, multiple pieces of legislation have been introduced to control the NSA's metadata dragnet.

This has prompted a variety of defensive tactics, from Feinstein op-eds to repeated assertions that the collection could have prevented the 9/11 attacks to cringe-inducing public relations videos featuring a slightly-unbuttoned General Alexander. The ODNI's General Counsel, Robert Litt, offered his own defense of the program while speaking to the PCLOB (Privacy and Civil Liberties Oversight Board). According to Litt, the suggested reforms would harm the very people they're intended to protect.

The NSA has previously argued that it was allowed by section 215 of the Patriot Act to store millions of phone records of Americans in order to find potential terrorists and their connections inside the United States. A court found that NSA could hold onto the data on the grounds that it was relevant to terrorism inquiries. In theory, storing the data with the companies, instead of at the NSA, would allow the telcos to serve as a kind of privacy watchdog. They'd be in a position to examine the government's requests for information about their customers and possibly to object to them in court.

But the intelligence lawyers warned that Americans' would be subject to even greater privacy incursions if their personal information were stripped from NSA's control.

You heard the man. Allowing telcos to store the collections onsite would cause greater harm to Americans' privacy than allowing the NSA to store them in its databases where it can peruse them at its leisure. Putting telcos in control would mean additional legwork for the NSA, mainly because it would be limited to obtaining data actually relevant to its investigations, rather than just grabbing it all and hoping everything collected becomes "relevant" at an undetermined point in the future.

This would seem to give Americans a bit more privacy protection, but the ODNI doesn't see it that way. The FBI's general counsel backed up Litt's theory with some speculation of his own.

Patrick Kelley, the acting general counsel of the FBI, said the phone company data could be made available to "other levels of law enforcement enforcement from local, state and federal who want it for whatever law enforcement purposes they're authorized to obtain it." He also raised a frightening prospect: "Civil litigation could also seek to obtain it for such things as relatively mundane as divorce actions," he said. "Who's calling who with your spouse ... So if the data is kept only by the companies than I think the privacy considerations certainly warrants scrutiny."

If Kelley believes this sort of scary "data sharing" would only be a possibility if telcos control the databases, then he's obviously been ignoring the developments of the last few months. Not only does the NSA share data with agencies like the DEA, but it also encourages them to falsify how they acquired the information. So, this privacy "concern" of Kelley's is already a reality -- and all the more reason to limit access to collected metadata. And that doesn't even touch the amount of data sharing it does with foreign countries, often in unminimized form. Furthermore, law enforcement can already access phone records as they're covered by the Third Party Doctrine, the same doctrine both the NSA and the FBI have been taking advantage of for years.

Second, even if it would increase the amount of civil litigation, that still would offer greater overall protection for Americans' phone data. How? Very simply. Litigation is targeted and data requests would be limited to those authorized by discovery. As it stands now, the NSA gets everything and is only limited by controls the NSA itself implements -- and those internal checks on abuse are only as strong as the NSA's statements to the FISA court claim they are.

And this fear of unfaithful partners' phone records being "outed" by litigants is easily mitigated, as FP's John Hudson points out.

Any act of Congress modifying the phone records database could include provisions prohibiting the use of telephone metadata for purposes not related to national security. And if lawmakers wanted to keep the information out of the hands of local police or civil attorneys, they could write a provision preserving its exclusive use by the NSA and the intelligence agencies.

This faux concern for the privacy of Americans is just another intelligence community dodge. Protecting privacy is only a concern when it's politically advantageous or can be twisted into a defense of embattled collection programs. Litt and Kelley's arguments are completely weightless. Worse, they both seem entirely unaware of the fact that recent revelations completely undercut their arguments. And yet, they approach an oversight board presumably familiar with these facts and make the arguments anyway.

This is just more evidence that the intelligence community is insular and self-absorbed, the result of many, many years of operating in complete secrecy. Its spokesmen and legal reps seem to be aware of nothing more recent than the latest talking points. These agencies are ultimately disinterested in protecting the privacy of Americans if it means scaling back their existing programs. Since they can't have it both ways (protect privacy, keep programs intact), they will always opt for the latter.

Filed Under: metadata, nsa, nsa surveillance, odni, patrick kelley, privacy, robert litt