Wikileaks Latest Info-Dump Shows, Again, That The NSA Indeed Engages In Economic Espionage Against Allies

from the with-friends-like-these dept

With all the revelations that have come out about the NSA and our foreign and domestic spy programs, it can, at times, become difficult to parse out exactly what we're supposed to be getting pissed off about and what is the exact kind of spy-work we ought to expect the alphabet agencies to conduct. Some of the groups that are involved in getting these revelations out there don't make it much easier, of course. Take as an example the latest Wikileaks info-dump, which chiefly concerns the NSA's spy program against our ally Japan. From the press release accompanying the documents:

Today, Friday 31 July 2015, 9am CEST, WikiLeaks publishes "Target Tokyo", 35 Top Secret NSA targets in Japan including the Japanese cabinet and Japanese companies such as Mitsubishi, together with intercepts relating to US-Japan relations, trade negotiations and sensitive climate change strategy. The list indicates that NSA spying on Japanese conglomerates, government officials, ministries and senior advisers extends back at least as far as the first administration of Prime Minister Shinzo Abe, which lasted from September 2006 until September 2007. The telephone interception target list includes the switchboard for the Japanese Cabinet Office; the executive secretary to the Chief Cabinet Secretary Yoshihide Suga; a line described as "Government VIP Line"; numerous officials within the Japanese Central Bank, including Governor Haruhiko Kuroda; the home phone number of at least one Central Bank official; numerous numbers within the Japanese Finance Ministry; the Japanese Minister for Economy, Trade and Industry Yoichi Miyazawa; the Natural Gas Division of Mitsubishi; and the Petroleum Division of Mitsui.

Now, what Wikileaks is doing is mashing together the NSA spying on the Japanese government, our ally, with Japanese industry. That's silly, in my estimation. In fact, much of the hand-wringing that goes on about our spy networks spying on allies seems naive in the extreme, as if to suggest that our closest allies aren't conducting similar spy programs on our government. You can insist, if you like, that America should not be spying on her allies, but then I get to insist that you grow up, because that's exactly the kind of work you want the NSA doing.

But on the economic side, things get a little murkier. The NSA has insisted for years that the agency does not engage in economic espionage, actions which would put it out of the norm for how we treat our allies. It's also been clear for some time that the NSA is full of crap in this regard. This latest Wikileaks dump fleshes out just how much economic espionage we do against our allies, even very close allies like Japan.

The documents demonstrate intimate knowledge of internal Japanese deliberations on such issues as: agricultural imports and trade disputes; negotiating positions in the Doha Round of the World Trade Organization; Japanese technical development plans, climate change policy, nuclear and energy policy and carbon emissions schemes; correspondence with international bodies such as the International Energy Agency (IEA); strategy planning and draft talking points memoranda concerning the management of diplomatic relations with the United States and the European Union; and the content of a confidential Prime Ministerial briefing that took place at Shinzo Abe's official residence.

It's just more egg on the face of government and security officials who have claimed to have kept their hands clean of economic espionage. There's sure to be more of interest in the documents as they get parsed out, but if nothing else we can be reminded that the NSA is a spy agency and that its officials have been caught lying over and over again.

Filed Under: economic espionage, espionage, japan, nsa, surveillance, trade deals

White House Finally Answers Snowden Pardon Petition: The Only Good Whistleblowing Is Punished Whistleblowing

from the because-of-course-this-would-be-the-answer dept

The White House has finally responded -- more than two years later -- to a petition asking for a pardon of Edward Snowden. The petition surfaced soon after Snowden went public with his identity. Less than three weeks later -- June 25, 2013 -- it had passed the 100,000-signature threshold.

Understandably, the administration was in no hurry to respond to this petition. In the immediate aftermath of the first leaks, no entity was more unpopular than the NSA. Snowden, on the other hand, probably could have won a number of local elections as a write-in candidate at that point. So, the administration sat on it, as it has sat on a great many petitions not particularly aligned with its desires.

Unfortunately, the public's opinion hasn't shifted much. As other agencies have become more plaintive in their requests to undermine privacy and safety to keep criminals from "going dark," the public has become less and less enthusiastic about being forced to make more sacrifices in the interest of security. The NSA also hasn't become more popular in the interim. So buying time by cherry-picking We The People petitions to respond to hasn't made answering this petition any easier for the administration.

More than two years later -- 763 days past the point it became a viable petition -- the administration has answered. And the answer could have been written two years ago, as it refuses to acknowledge Snowden's contribution to recent surveillance reforms. The response was written by Lisa Monaco, the president's advisor on Homeland Security and Counterterrorism. Considering the source, the response is unsurprising. But it starts off with a lie:

Since taking office, President Obama has worked with Congress to secure appropriate reforms that balance the protection of civil liberties with the ability of national security professionals to secure information vital to keep Americans safe.

Wrong. The "appropriate reforms" have been forced into existence by leaked documents Snowden provided. This "conversation" the President keeps claiming he always wanted to have only took place because he could no longer ignore it. This opening sentence is worse than merely disingenuous. It's a complete rewrite of Obama's civil liberties legacy. Before the Snowden leaks, Obama's stance on surveillance was "whatever Bush did, only more."

Next, Monaco goes on to say that no matter how instrumental Snowden was in the recent surveillance reforms (without ever actually saying that), he's still a just a criminal and should be treated as one.

Instead of constructively addressing these issues, Mr. Snowden's dangerous decision to steal and disclose classified information had severe consequences for the security of our country and the people who work day in and day out to protect it.

Except that this administration is no friend to whistleblowers. Snowden knew this. Snowden also knew the "proper channels" were mostly there to ensure whistleblowers were silenced and punished. So he ran. This administration has prosecuted more whistleblowers than all other administrations combined. When Snowden took off, it was five years into Obama's presidency, plenty of time to gauge what sort of odds the "proper channels" offered.

From that point, Monaco goes on to claim that the only legitimate act of civil disobedience is a punished act of civil disobedience.

If he felt his actions were consistent with civil disobedience, then he should do what those who have taken issue with their own government do: Challenge it, speak out, engage in a constructive act of protest, and -- importantly -- accept the consequences of his actions. He should come home to the United States, and be judged by a jury of his peers -- not hide behind the cover of an authoritarian regime. Right now, he's running away from the consequences of his actions.

First off, this is wrong. As has been explained countless times, under the Espionage Act, which is what Snowden would be charged under, he is not allowed to present the evidence in his defense that he was blowing the whistle on an illegal program (and yes, it has been ruled illegal). Nor is he allowed to argue that the leak was in the public interest. In other words, the law is stacked such that he cannot present his argument fairly. The deck is stacked and Monaco knows the deck is stacked and ignores that -- which is exceptionally dishonest.

I would imagine Monaco -- and by extension, the administration -- would also feel that those who hacked Hacking Team are the real criminals here, not the company that sold surveillance software and zero-day exploits to governments known for widespread abuse of their citizens. "Look, we appreciate them highlighting these dubious and likely illegal contracts. But to move forward, we really need to put the hackers who obtained the documents on trial."

But, honestly, no one expected this response to go any other way. No one who holds the top office in the nation is going to sell out the rest of the government for a whistleblower. So, it could have saved everyone the trouble and posted this answer June 26, 2013.

Filed Under: ed snowden, espionage act, lisa monaco, nsa, obama administration, petition, surveillance, we the people

DOJ To Court: Hey, We're Shutting Down Section 215, So We Can Probably Stop Arguing About The Legality Of Bulk Collection

from the you-sort-of-won!-what-more-do-you-want? dept

Just as James Clapper's office was officially announcing the death of the bulk phone metadata program (ending November 29th, with three months of post-wind-down wind-down for data analysts), the DOJ was filing a motion in the Second Circuit Court of Appeals basically arguing that its finding that the program was illegal really doesn't matter anymore.

According to the DOJ, there really is no program -- at least if you don't count the six months the NSA has to make the move to the more targeted USA Freedom version. So this discussion about which program isn't authorized by which PATRIOT Act provision is… well, not completely moot, but like pretty much literally weeks away from moot, so why are we wasting our time here [EXASPERATED SIGH].

Plaintiffs’ claims will be moot when the bulk collection of telephony metadata under Section 215 ends on November 29, 2015, though they are not moot right now. On that date, the statutory authority for the Section 215 bulk telephony-metadata program will expire, and the data previously collected and held under that program will not be used in the future for intelligence-gathering or law-enforcement purposes. In the meantime, however, the Court should respect Congress’s decision to create an orderly transition away from the Section 215 bulk telephony-metadata program. Especially in light of Congress’s considered judgment that this program should continue for this limited period, plaintiffs are not entitled to any of the relief they request.

In support of its argument that the court should ignore its own findings and just listen to what the FISA Court said (and what legislators didn't say, but obviously intended), the government points to its own Tumblr post (certainly a historical moment in its own right) detailing the specifics of the end of Section 215.

On July 27, 2015, the Office of the Director of National Intelligence (ODNI) issued a public statement that the NSA has determined that “analytic access to that historical metadata collected under Section 215 . . . will cease on November 29, 2015,” at the end of the transition period. See Statement by ODNI on Retention of Data Collected Under Section 215 of the USA PATRIOT Act, available at http:// icontherecord.tumblr.com/post/125179645313/ statement-by-the-odni-on-retention-of-data (ODNI July 27 Statement). Thus, after that date, no further bulk collection of telephony metadata will take place under the Section 215 program, and the historical telephony metadata will not be used for intelligence or law-enforcement purposes and will not be disseminated.

To sum up: these past abuses should no longer be of concern as the data is going to be flushed (for the most part) within the next nine months. To better enable said data flush, the Second Circuit Court might want to wrap up the ACLU's suit (and hasten the end of the EFF's) so that no data is still being "preserved" past the November 2015 dump point.

To that end, the DOJ constantly reminds the Second Circuit that the FISA Court really has a handle on these sort of things and why don't we just leave it to the pros.

The FISC was right that Congress authorized the Section 215 bulk telephony-metadata program to continue during the six-month transition period. [p. 6]

As the FISC correctly noted, Congress’s decision to delay that ban for six months is a powerful indication that it intended to permit bulk collection in the interim period. [p. 9]

The FISC was thus correct when it observed that “after lengthy public debate, and with crystal clear knowledge of the fact of ongoing bulk collection of call detail records” Congress “chose to allow a 180-day transitional period . . . .” June 29 FISC Op. at 11. This Court need not and should not determine whether Congress “ ‘ratif[ied] the FISA Court’s interpretation of ’ ” Section 215. [p. 11]

This filing, like its Tumblr statement announcing the official end of the collection, emphasizes the single aspect of the Section 215 bulk collections that has been the focus of this litigation and most legislative efforts: phone metadata. The authorization, even in its altered, post-USA Freedom Act form -- provides for much more than just this one type of collection. The DOJ goes so far as to call the USA Freedom Act a "ban" on bulk, untargeted collections, when it actually doesn't go quite that far.

Marcy Wheeler points out that the DOJ may be less interested in the outcome of this ruling as it is with the implications of the EFF's litigation. What could be uncovered if the NSA is forced to turn over relevant records from its bulk metadata collection is more illegal -- or at least unauthorized -- collection activity.

I believe both ACLU and EFF’s phone dragnet client Counsel on American Islamic Relations, had not only standing as clients of dragnetted companies, but probably got swept up in the two-degree dragnet. But CAIR probably has an even stronger case, because it is public that FISC approved a traditional FISA order against CAIR founder Nihad Awad. Any traditional FISA target has always been approved as a RAS seed to check the dragnet, and NSA almost certainly used that more back when Awad was tapped, which continued until 2008. In other words, CAIR has very good reason to suspect the entire organization has been swept up in the dragnet and subjected to all of NSA’s other analytical toys.

EFF, remember, is the one NGO that has a preservation order, which got extended from its earlier NSA lawsuits (like Jewel) to the current dragnet suit. So when I Con the Record says it can’t destroy all the data yet, it’s talking EFF, and by extension, CAIR. So this announcement — in addition to preparing whatever they’ll file to get the Second Circuit off its back — is likely an effort to moot that lawsuit, which in my opinion poses by far the biggest threat of real fireworks about the dragnet (not least because it would easily be shown to violate a prior SCOTUS decision prohibiting the mapping of organizations).

This announcement by Clapper's office, followed shortly thereafter on the same day by the filing of its response in the Second Circuit case, certainly gives the appearance that the NSA has lifted the corner of the rug and is just waiting for the signal to start sweeping any undiscovered abuses -- along with those previously exposed -- under it. That the expiration of the authority and the passage of the USA Freedom Act may have provided it with a better broom is unexpectedly fortuitous.

Filed Under: 4th amendment, bulk records, doj, james clapper, lawsuits, nsa, odni, section 215, surveillance, usa freedom act
Companies: aclu, eff

Director Of National Intelligence Hammers Final Official Nail Into Bulk Phone Records Program

from the will-still-need-six-to-nine-months-of-additional-hammering-though dept

The Office of the Director of National Intelligence has issued a statement addressing the inevitable shutdown of the Section 215 bulk phone metadata program.

NSA has determined that analytic access to that historical metadata collected under Section 215 (any data collected before November 29, 2015) will cease on November 29, 2015. However, solely for data integrity purposes to verify the records produced under the new targeted production authorized by the USA FREEDOM Act, NSA will allow technical personnel to continue to have access to the historical metadata for an additional three months.

Caveats apply. Data will still be held as required by a handful of ongoing lawsuits. With the "bulk" part of the bulk records program shut down (but not completely), the government is obviously hoping for a speedy end to the litigation resulting from the Snowden leaks. That's the other motivating factor behind this public statement that not only states an end date, but the additional restrictions past that point.

This is a pretty remarkable moment in the security v. privacy battle, but there are still reasons to be concerned. The bulk telephony metadata program has received a majority of the focus since Snowden's initial leak and the NSA, at times, has seemed almost too willing to let this program act as a scapegoat for its multiple privacy-violating surveillance programs.

Not that there haven't been seriously heated (and seriously misguided) arguments offered in support of this program, but if you take a close look at the history of the debate over Section 215, the most-spirited defenses have not been raised by the NSA, but by legislators and former intelligence officials. The program appears to have been sacrificed in order to prevent more intrusive surveillance programs from being subjected to more intense scrutiny.

And it's not even the totality of what can be collected under Section 215. The statement from the ODNI specifically addresses only one kind of "tangible thing."

The telephony metadata preserved solely because of preservation obligations in pending civil litigation will not be used or accessed for any other purpose, and, as soon as possible, NSA will destroy the Section 215 bulk telephony metadata upon expiration of its litigation preservation obligations.

We don't know what else is being collected in bulk under the PATRIOT Act provision -- the same authority that expired this year and was replaced with the stipulations of the USA Freedom Act -- but we know it's more than just "telephony metadata." "Tangible things" encompasses far more than phone metadata ("books, records, papers, documents, and other items"), but this statement -- as well as arguments it's made in court in support of the six-month wind-down period -- only address phone records.

The Second Circuit Court found that the bulk collection of records under Section 215 was likely illegal. That opinion called into question anything collected under this authority, but the government here (and in its recent filing in the Second Circuit Court) acts as though the "illegal" collection activity is limited solely to phone records.

Other NSA programs are going to be far more useful in gathering data and intelligence than the collection of phone records. Phone calls may never go away entirely, but the shift to mobile communications (followed shortly thereafter by the shift to feature phones and smartphones) has made phone calls the least used feature on these devices. Messaging programs and social media platforms now carry the bulk of everyday communications. And the NSA has programs in place to sweep up these as well, whether as content or metadata. So, all of this focus on "telephony" only serves to obscure what else it may still collect with the revamped program, as well as everything else it does under much more secretive legal authorities.

Filed Under: bulk phone records, bulk records, james clapper, nsa, odni, section 215, surveillance, usa freedom act

NSA Apologist Offers Solutions To 'Encryption' Problem, All Of Which Are Basically 'Have The Govt Make Them Do It'

from the wishful-thinking dept

Benjamin Wittes, one of the NSA apologists ensconced at Lawfare, has written a long piece in defense of FBI head James Comey's assertions that there must be some way tech companies can give him what he wants without compromising the privacy and security of every non-terrorist/criminal utilizing the same broken encryption.

What he suggests is highly problematic, although he obviously pronounces that word as "pragmatic." He implies the solution is already known to tech companies, but that their self-interest outweighs the FBI's push for a "greater good" fix.

The theory is that companies have every incentive for market reasons to protect consumer privacy, but no incentives at all to figure out how to provide law enforcement access in the context of doing so.

There's some truth to this theory. Tech companies are particularly wary of appearing to be complicit in government surveillance programs as a couple of years of leaks have done considerable damage to their prospects in foreign markets.

Wittes suggests the government isn't doing much to sell this broken encryption plan, despite Comey's multiple statements on the dangers posed by encrypted communications. And he's right. If the government truly wants a "fix," it needs to start laying the groundwork. It can't just be various intel/law enforcement heads stating "we're not really tech guys" and suggesting tech companies put the time and effort into solving their problems for them.

If we begin—as the computer scientists do—with a posture of great skepticism as to the plausibility of any scheme and we place the burden of persuasion on Comey, law enforcement, and the intelligence community to demonstrate the viability of any system, the obvious course is government-sponsored research. What we need here is not a Clipper Chip-type initiative, in which the government would develop and produce a complete system, but a set of intellectual and technical answers to the challenges the technologists have posed. The goal here should be an elaborated concept paper laying out how a secure extraordinary access system would work in sufficient detail that it can be evaluated, critiqued, and vetted; think of the bitcoin paper here as a model. Only after a period of public vetting, discussion, and refinement would the process turn to the question of what sorts of companies we might ask to implement such a system and by what legal means we might ask.

Thus ends the intelligent suggestions in Wittes' thinkpiece. Everything else is exactly the sort of thing Comey keeps hinting at, but seems unwilling to actually put in motion. It's the government-power elephant in the room. Actually, several elephants. It's the underlying, unvocalized threat that lies just below the surface of Comey's government-slanted PR efforts. Wittes just goes through the trouble of vocalizing them.

First, he gives Comey's chickenshit, ignorant sales pitch a completely disingenuous, self-serving reading. Comey has refused to acknowledge the fact that what he's seeking is not actually possible. He claims he doesn't have the tech background to make more informed assertions while simultaneously insisting the solution exists -- and could easily be found if only these tech companies were willing to apply themselves.

[Comey] is talking in very different language: the language of performance requirements. He wants to leave the development task to Silicon Valley to figure out how to implement government's requirements. He wants to describe what he needs—decrypted signal when he has a warrant—and leave the companies to figure out how to deliver it while still providing secure communications in other circumstances to their customers.

The advantage to this approach is that it potentially lets a thousand flowers bloom. Each company might do it differently. They would compete to provide the most security consistent with the performance standard. They could learn from each other. And government would not be in the position of developing and promoting specific algorithms. It wouldn't even need to know how the task was being done.

In Wittes' estimation, Comey is being wise and promoting open innovation, rather than just refusing to openly acknowledge that his desire to access and intercept communications far exceeds his desire to allow millions of non-criminals access to safer connections and communications.

Wittes goes on to offer a handful of "solutions" to the Second Crypto War. Not a single one includes the government growing up and learning to deal with the new, encrypted status quo. He follows up the one useful suggestion -- government research exploring the feasibility of the proposed encryption bypass -- with one of his worst ideas:

If you simply require the latter [law enforcement access] as a matter of law, [tech companies] will devote resources to the question of how to do so while still providing consumer security. And while the problems are hard, they will prove manageable once the tech giants decide to work them hard—rather than protesting their impossibility.

There's not a worse idea out there than making certain forms of encryption illegal to use in the United States. But Wittes tries his hardest to find equally awful ideas. Like this one, which would open tech companies to an entire new area of liability.

Another, perhaps softer, possibility is to rely on the possibility of civil liability to incentivize companies to focus on these issues. At the Senate Judiciary Committee hearing this past week, the always interesting Senator Sheldon Whitehouse posed a question to Deputy Attorney General Sally Yates about which I've been thinking as well: "A girl goes missing. A neighbor reports that they saw her being taken into a van out in front of the house. The police are called. They come to the home. The parents are frantic. The girl's phone is still at home." The phone, however, is encrypted.

Wittes quotes Whitehouse's statements, in which he compares encryption to industrial pollution and suggests tech companies -- not the criminal in question; not the investigators who are seemingly unable to explore other options -- be held liable for the criminal's actions. Wittes poses a rhetorical question -- one that assumes most of America wants what Comey wants.

Might a victim of an ISIS attack domestically committed by someone who communicated and plotted using communications architecture specifically designed to be immune, and specifically marketed as immune, from law enforcement surveillance have a claim against the provider who offered that service even after the director of the FBI began specifically warning that ISIS was using such infrastructure to plan attacks? To the extent such companies have no liability in such circumstances, is that the distribution of risk that we as a society want?

Holding companies responsible for the actions of criminals is completely stupid. Providing encryption to all shouldn't put companies at risk of civil suits. The encryption isn't being provided solely for use by bad guys. It makes no more sense than holding FedEx responsible for shipments of counterfeit drugs. And yet, we've seen our government do exactly that, in essence requiring every affected private company to act as deputized law enforcement entities, despite there being no logical reason to put them in this position. Wittes feels the best solutions involve the government forcing companies to bend to its will, and provide compromised encryption under duress.

The final solution proposed by Wittes is to let everything go to hell and assume the political landscape -- along with tech companies' "sympathies" -- will shift accordingly. This would be the "let's hope for the tragic death of a child" plan:

[W]e have an end-to-end encryption issue, in significant part, because companies are trying to assure customers worldwide that they have their backs privacy-wise and are not simply tools of NSA. I think those politics are likely to change. If Comey is right and we start seeing law enforcement and intelligence agencies blind in investigating and preventing horrible crimes and significant threats, the pressure on the companies is going to shift. And it may shift fast and hard. Whereas the companies now feel intense pressure to assure customers that their data is safe from NSA, the kidnapped kid with the encrypted iPhone is going to generate a very different sort of political response. In extraordinary circumstances, extraordinary access may well seem reasonable.

If this does happen, Wittes' assumption will likely be correct. Politicians have never been shy about capitalizing on tragedies to nudge the government power needle. This will be no different. One wonders why no one has come forward with a significantly compelling tragedy by this point, considering the wealth of encryption options currently on the market. A logical person would assume this lack of compelling anecdotal evidence would suggest encryption really hasn't posed a problem yet -- especially considering the highly-motivated sales pitches that have been offered nonstop since Google and Apple's announcement of their encryption-by-default plans. The "problem" Comey and others so desperately wish to "solve" remains almost entirely theoretical at this point.

But the FBI and others aren't going to wait until the next tragedy. They want the path of least resistance now. The solutions proposed by Wittes are exactly the sort of thing they'd be interested in: expanded government power and increased private sector liability. This is why Comey has no solution to offer. There is none. There is only the option of making companies do what he wants, but he's too wary of public backlash to actually say these things out loud. Wittes has saved him the trouble and proven himself no more trustworthy than those who want easy access, no matter the negative implications or unintended consequences of these actions.

Filed Under: backdoors, ben wittes, encryption, going dark, nsa, surveillance

Dept. Of Defense Defends Strong Encryption While Its Impetuous Child -- The NSA -- Continues To Lament The Coming Darkness

from the somewhat-admiral-able-(I-AM-SO-SORRY) dept

Between the FBI and the NSA, arguments against encryption that locks bad guys out (and, consequently, the government) have filled the air over the past several months. "Going dark" is the repeated concern, as if encryption would leave the nation's intelligence and investigative agencies without any options to pursue terrorists/child pornographers. It's all FUD and it's all dangerous, because carving small holes in encryption CARVES HOLES IN ENCRYPTION. Never mind the intended uses of golden keys/backdoors. A hole is a hole.

The Department of Defense seems to recognize this fact, making it one of the only government entities involved in fighting worldwide terrorism to openly do so. Bruce Schneier asked Admiral James Winnefeld Jr. (vice-chairman of the Joint Chiefs of Staff) a question about encryption during a recent cybersecurity summit (video here -- relevant part at 32:52) and received something almost entirely removed from the current party line.

Bruce Schneier: I'd like to hear you talk about this need to get beyond signatures and the more robust cyber defense and ask the industry to provide these technologies to make the infrastructure more secure. My question is, the only definition of "us" that makes sense is the world, is everybody. Any technologies that we've developed and built will be used by everyone -- nation-state and non-nation-state. So anything we do to increase our resilience, infrastructure, and security will naturally make Admiral Rogers's both intelligence and attack jobs much harder. Are you okay with that?

Admiral James A. Winnefeld: Yes. I think Mike's okay with that, also. That's a really, really good question. We call that IGL. Anyone know what IGL stands for? Intel gain-loss. And there's this constant tension between the operational community and the intelligence community when a military action could cause the loss of a critical intelligence node. We live this every day. In fact, in ancient times, when we were collecting actual signals in the air, we would be on the operational side, "I want to take down that emitter so it'll make it safer for my airplanes to penetrate the airspace," and they're saying, "No, you've got to keep that emitter up, because I'm getting all kinds of intelligence from it." So this is a familiar problem. But I think we all win if our networks are more secure. And I think I would rather live on the side of secure networks and a harder problem for Mike on the intelligence side than very vulnerable networks and an easy problem for Mike. And part of that -- it's not only the right thing do, but part of that goes to the fact that we are more vulnerable than any other country in the world, on our dependence on cyber. I'm also very confident that Mike has some very clever people working for him. He might actually still be able to get some work done. But it's an excellent question. It really is.

Fittingly, the Department of Defense recognizes the importance of defense. Adding backdoors to encryption weakens defenses, including those used by government agencies and operatives. You can't simply introduce circumvention and pray that nobody other than approved parties make use of it. The FBI/NSA's obsession with government-ordered peepholes makes everything worse for everyone, not just their intended targets.

But these agencies are wholly unconcerned about collateral damage. It's clearly evident from their bulk surveillance programs and use of intercepts that gather everything before searching the data haul for incriminating material or useful intel. Encryption is at odds with haystacking, which these agencies continue to prize highly (and defend heatedly) despite clear evidence that intelligence gathering like this is inefficient at best, and wholly useless at worst.

Schneier goes on to point out that Admiral Mike Rogers, the head of the NSA, continues to push a narrative at odds with the DoD official's answer. Two weeks after this conference, Rogers gave a keynote address at CyCon, repeating his unfounded belief that encryption can be "safely" bypassed without compromising it.

Rogers said a framework to allow law enforcement agencies to gain access to communications is in place within the phone system in the United States and other areas, so "why can't we create a similar kind of framework within the internet and the digital age?"

He added: "I certainly have great respect for those that would argue that the most important thing is to ensure the privacy of our citizens and we shouldn't allow any means for the government to access information. I would argue that's not in the nation's best long term interest, that we've got to create some structure that should enable us to do that mindful that it has to be done in a legal way and mindful that it shouldn't be something arbitrary."

So, the Dept. of Defense says one thing, Mike Rogers (who was in the audience at the first conference) nods in agreement, and then goes on to contradict the stance of those helming the department directly above it in the government's organizational chart.

Rogers' nod to privacy is every bit as meaningless as his faux nod in agreement to Winnefeld's statement. There's very little being done by the NSA to "ensure" the "privacy" of American citizens. One only has to look at its purposeful weakening of NIST standards to see evidence of that. The FBI and NSA are more than willing to respect citizens' rights, but only if doing so doesn't make their intelligence gathering any more difficult. Privacy is always subservient to these agencies' ends, no matter how many statements they offer up that begin with lip service to privacy before adding, "but…"

Filed Under: admiral mike rogers, bruce schneier, defense department, encryption, going dark, igl, james winnefeld, nsa, strong encryption

NSA -- Despite Claiming It Doesn't Engage In Economic Espionage -- Engaged In Economic Espionage

from the oh-look-at-that dept

The NSA has long claimed that it does not engage in "economic espionage." NSA and Defense Department officials have repeatedly insisted that while they do lots of other things, economic espionage is not on the list:

“The Department of Defense does engage” in computer network exploitation, according to an e-mailed statement from an NSA spokesman, whose agency is part of the Defense Department. “The department does ***not*** engage in economic espionage in any domain, including cyber.”

These claims are made in a strange attempt to suggest that the NSA is somehow "better" than those like the Chinese, who absolutely do engage in economic espionage, looking for corporate secrets and the like. Of course, it's not entirely clear why not engaging in economic espionage is such an important moral argument for the NSA -- but, at the very least, the agency claims it has its limits.

Of course, it's already been pretty clear that this was more hot air than reality from the NSA anyway. Soon after the first Snowden leaks came out, it was suggested that there was evidence of economic espionage against Germany. Later revelations showed what appears to be economic espionage in Brazil. And, on top of that, we wondered why the US Trade Rep is listed as a "customer" of NSA intelligence if it wasn't doing economic espionage. Oh, and let's not even mention that former CIA boss and Defense Secretary Robert Gates has admitted to trying to do economic espionage, but stopping because the US wasn't very good at it.

Anyway, with all that it should be obvious that of course the NSA engages in economic espionage -- but as if to highlight this even more strongly, Wikileaks has now released more documents showing pretty clear economic espionage in the form of snooping on French finance ministers, looking to get information on "French export contracts, trade and budget talks."

As with the initial revelation that the NSA was spying on the French government, by itself, I don't find this too concerning. Governments spying on other governments is kind of how it goes. But it is notable that there's more evidence of economic espionage when the NSA is so insistent that it absolutely never engages in such tactics. It seems likely that the "out" the NSA would claim here is that it doesn't do economic espionage in the form of spying on companies to try to get their secrets. But it does other forms of economic espionage by spying on government officials engaged in trade deals and such... That seems like a distinction without much meaning.

Filed Under: economic espionage, finance minister, france, nsa, surveillance, trade

Two Overlooked Aspects Of Those Leaks About NSA Spying On French Presidents

from the reasons-to-be-cheerful dept

There's been quite a lot of excitement in the press about the latest leaks that the NSA has been spying on not just one French President, but (at least) three of them. As Mike pointed out, this isn't such a big deal, because it is precisely the kind of thing that you would expect the NSA to do -- as opposed to spying on the entire US public, which isn't. There is, though, an aspect that most people have overlooked: the fact that these NSA leaks don't appear to originate from Snowden's stash.

Of course, Mr Crypto himself, Bruce Schneier, did spot it, and pointed out it could be one of his "other" US intelligence community leakers, listed a couple of months ago, or even a completely new one. As that post shows, there are now a few people around that are leaking secret documents, and that's a pretty significant trend, since you might expect enhanced security measures taken in the wake of Snowden's leaks would have discouraged or caught anyone who attempted to follow suit.

That's not the only thing that's interesting about the French documents. As Fabio Chiusi points out in a blog post (original in Italian), they are the latest in a recent series of very rich leaks that include the Sony archives; the Saudi cables; the TPP transparency chapter; and -- not mentioned by Chiusi -- 17 chapters from TISA.

What all those collections have in common is the fact that they came from WikiLeaks. As Chiusi rightly emphasizes, after a period when WikiLeaks seemed to have lost its ability to release important material -- and thus its relevance -- the organization is beginning to hit its stride again. Coupled with the fact that there are half-a-dozen or so people who are leaking intelligence materials, that development offers hope that things are really beginning to look up on the transparency front.

Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+

Filed Under: ed snowden, leakers, leaks, nsa, other leakers, surveillance
Companies: wikileaks

Leaked Damage Assessment Shows Government Mostly Interested In Investigating Leakers, Withholding Information From Public

from the oh,-and-terrorists,-I-suppose dept

The Intercept has just released an interesting document from its Snowden stash: an unredacted damage assessment of the New York Times' 2005 exposure of the NSA's warrantless wiretapping program -- a program that saw the agency monitoring the emails and phone calls of US citizens.

It's not that the government hasn't made damage assessments public before. It just does it very, very rarely and mostly for self-serving reasons. The most recent publications of damage assessments were in response to the Snowden leaks. The released assessments were heavily-redacted and made plenty of unfounded assertions about the damage done to the national security infrastructure by the leaks.

This 2005 damage assessment was never released. It was purely an internal document. Thanks to it being part of Snowden's package of leaked documents, it can be read without the sort of excessive redaction the government deploys when discussing even the most inane (or obvious) aspects of national security.

Such was the internal distress at the possible exposure of this surveillance program that the government managed to delay its publication for a year. Despite its successful pushback, the assessment here is no different that the assessment of the Snowden leaks. In other words, mostly speculation backed by very little support.

The memo gives a general explanation of what terrorists might do in reaction to the information revealed. It was “likely” that terrorists would stop using phones in favor of mail or courier, and use encryption and code words. They could also plant false information, knowing the U.S. government was listening. But the leaked program had not “been noted in adversary communications,” according to the memo. It gave no specific examples of investigations or targets that had or might be impacted by the revelations.

Once you get past the obvious suggestion that terrorists will adapt communication methods in light of presumably-unknown information, you get to more detailed discussion of the NYT article itself. The assessment breaks down every statement of fact in the article and provides its corresponding level of classification.

(TS//SI//STLW//NF//OC) "President Bush secretly authorized the National Security Agency to eavesdrop on Americans and others inside the United States to search for evidence of terrorist activity."

(TS//SI//STL WIINF//OC) (NSA) "monitored the international telephone calls (communications to the U.S.) and international e-mail messages of hundreds, perhaps thousands, of people inside the United States without warrants over the past three years … to track possible "dirty numbers" linked to Al Qaeda..."

(TS//SI//STLW//NF//OC) "NSA eavesdrops (under this program) without warrants on up to 500 people in the United States at any given time." ... the number monitored ... may have reached ... the thousands"

(S//SI) "Overseas, about 5,000 to 7,000 people suspected of terrorist ties are monitored (by NSA) at one time."

Oddly, the government considers the most obvious possible outcome of the exposure of this program (that terrorists would alter communications in light of this info) to be "classified."

(C) (The article) would alert would-be terrorists (inside the United States) that they might be under scrutiny.

If there was a battle for American hearts and minds to be fought in the wake of this publication, you'd think the agency would want this conclusion made public (preferably with some supporting evidence), rather than bury it with other classified documents.

Nearly a decade down the road, the government has yet to offer any solid proof that the New York Times' article resulted in compromised capabilities or surveillance programs.

“To this day we’ve never seen any evidence — despite all the claims they made to keep us from publishing — that it did any tangible damage to national security. This is further confirmation of that,” [New York Times writer Eric] Lichtblau told The Intercept.

In fact, the only clear response to the publication of this leaked info didn't take the form of altered collection techniques or additional terrorist attacks. It took the form of a full-blown DOJ investigation, involving 25 FBI agents and five prosecutors. This too, resulted in a whole lot of nothing.

The leak and the response to it indicates the government was more worried about US citizens, rather than its foreign adversaries, finding out about what it was up to.

Filed Under: 702, bulk collection, damage assessment, ed snowden, nsa, surveillance, warrantless wiretapping

Wikileaks Reveals NSA Spying On French Presidents

from the is-that-really-a-big-deal? dept

Wikileaks has released some new documents showing that the NSA spied on the communications of a bunch of French Presidents.

The top secret documents derive from directly targeted NSA surveillance of the communications of French Presidents Francois Hollande (2012–present), Nicolas Sarkozy (2007–2012), and Jacques Chirac (1995–2007), as well as French cabinet ministers and the French Ambassador to the United States. The documents also contain the "selectors" from the target list, detailing the cell phone numbers of numerous officials in the Elysee up to and including the direct cell phone of the President.

Prominent within the top secret cache of documents are intelligence summaries of conversations between French government officials concerning some of the most pressing issues facing France and the international community, including the global financial crisis, the Greek debt crisis, the leadership and future of the European Union, the relationship between the Hollande administration and the German government of Angela Merkel, French efforts to determine the make-up of the executive staff of the United Nations, French involvement in the conflict in Palestine and a dispute between the French and US governments over US spying on France.

To be honest, as with the spying on leadership of other allies like Germany, I really don't think this is that big of a deal in reality. This is what intelligence services are supposed to be doing: spying on foreign governments. The revelations may make for some awkward diplomatic conversations, but you can bet that pretty much everyone knew this was going on already.

But, where this has the potential to get interesting is in the public perception. If the public gets angry about it, it can create international tensions, or lead to various other issues. But, on the whole, compared to spying on private citizens, it's difficult to get too outraged over spying on other governments -- even those deemed "friendly." You can bet the French are doing everything they can to spy back on the US as well.

Filed Under: france, francois hollande, french presidents, jacques chirac, nicolas sarkozy, nsa, privacy, surveillance, wikileaks
Companies: wikileaks