After looking over the White House intelligence task force's proposals to reform the way the US government does surveillance, we pointed out one oddity that hinted that the NSA may have been engaged in financial manipulation. Others have been combing through the report for other hints of things it might accidentally reveal, and Ed Felten (who I still think should have led the task force) has spotted another one, in how the report discusses the issue of backdoors in software. He notes that the wording is odd in the following bit:
Upon review, however, we are unaware of any vulnerability created by the US Government in generally available commercial software that puts users at risk of criminal hackers or foreign governments decrypting their data. Moreover, it appears that in the vast majority of generally used, commercially available encryption software, there is no vulnerability, or “backdoor,” that makes it possible for the US Government or anyone else to achieve unauthorized access.
[Footnote: Any cryptographic algorithm can become exploitable if implemented incorrectly or used improperly.]
A quick read of that might suggest that the panel did not find out about any such backdoors and that the NSA told them there were no such backdoors. But Felten notes that, especially given the NSA's almost pathological need to say things that appear to imply one thing, but which can be read to state the exact opposite, if the wording came from the NSA, it may be indicating the existence of backdoors of some kind.
Turning to the text, the most interesting feature is the difference between the first and second sentences, which have parallel structure but use different language. Here’s a chart laying out the differences (bracketed phrases are the implied scope where a sentence is silent):

First sentence                              | Second sentence
unaware of any vulnerability                | in vast majority … no vulnerability
vulnerability created by USG                | [any vulnerability]
generally available commercial software     | generally used, commercially available … software
[any software]                              | encryption software
puts users at risk of [non-USG exploit]     | [exploitable by USG] or anyone else
decrypting data                             | unauthorized access
This structure leaves open the possibility that there are vulnerabilities known to and exploitable by the US Government (USG). These might fall into several categories:
vulnerabilities created by the USG that are exploitable only with the knowledge of a cryptographic key known only to the USG. An example would be the widely suspected backdoor in the NIST pseudorandom number generator standard.
vulnerabilities created by the USG that allow access to data by means other than decryption, for example by allowing remote access to data at rest, or by causing copies of data to be sent to NSA collection points.
vulnerabilities in software that is not generally available, such as internally developed software used by large companies to manage their data centers.
vulnerabilities that are in non-encryption software and were not created by the USG. These would be outside the scope of both sentences.
He goes further to note that the lack of definitions around "generally available commercial software" and "generally used, commercially available... software" leaves open a world of unanswered questions.
One wonders how the people who chose those phrases would classify critical open source software such as Linux or OpenSSL. Are these “commercial software”? Even if not “commercial software”, are they “commercially available”? I can see two possibilities here. Perhaps this is imprecise drafting by the panel who might have intended to cover all of the relevant software but, being less familiar with the technical community, might have missed this nuance. Or perhaps this is one of the NSA’s word games, meant to leave a loophole.
Some will, undoubtedly, argue that this is all nitpicking, and we should take the report at face value. However, given that nearly every time the NSA has been asked to discuss various programs, it seems to carefully parse its words in exactly this manner -- to imply one thing, while really meaning the exact opposite -- it seems that the NSA has lost the benefit of the doubt here, and it's perfectly reasonable to raise questions about what is truly meant by certain claims.
Russian President Vladimir Putin gave a big press conference on Thursday, and spent some time talking about President Obama, Ed Snowden and the various US surveillance programs that have been revealed. Putin appeared to be quite supportive of the surveillance programs, saying that he believes that the US's surveillance programs are a "necessity" and "mainly directed at fighting terrorism," so there's not a real problem with them. He even defended collecting data on everyone "because you have to monitor not only a specific terrorist suspect, but rather his whole network of relationships." That Vladimir Putin would appreciate vast spying power is hardly a surprise. But this claim is raising some eyebrows:
"How do I feel about Obama after Snowden's revelations? I envy him because he can do this without incurring any consequences."
Did you catch that? Putin, the former head of the KGB, and very well known for using Russian intelligence services to his strong advantage, is envious that President Obama has all these surveillance capabilities at his fingertips and that all of this can be revealed "without incurring any consequences." It seems like there should be a general rule of thumb: when Vladimir Putin is envious of your surveillance state, you've gone too far.
While many of us were surprised at the details of the White House's intelligence task force's proposals on reforming the surveillance system, Marcy Wheeler is already wondering if part of the reason for the White House to release this now, ahead of schedule, is to try to cut off the judicial reviews of the constitutionality of the various programs, as well as the legislative reforms winding their way through Congress. She argues that the report gives the President cover to delay many of these things, and even, potentially, ward off a full constitutional review in the courts -- such that things like the "third party doctrine" (allowing the government to get data from third parties without a warrant) never fully get tested again in court:
So long as the President deliberates on whether to accept these recommendations (which make changes but have obvious loopholes), he'll also buy time for DOJ to decide how to respond to these suits. Most important, for them, will be to protect the Third Party doctrine (which allows them to get information from telecoms and banks and other businesses), even if it means mooting the lawsuits by shifting the phone dragnet back to the providers.
I also think the first half (or so) of these recommendations are designed to moot the Leahy-Sensenbrenner bill (FREEDOM). Even if Obama accepted all the recommendations that parallel Leahy-Sensenbrenner (that would affect the phone dragnet, other bulk collection, National Security Letters, back door searches, and other use of incidentally collected US person data), it would still preserve Executive prerogative to resume such practices. They're not going to do that, mind you, but this will likely stall the debate over Leahy-Sensenbrenner until after Obama makes his decision on what to accept and reject.
All of that may be true -- and is a concern to monitor. But, at the very least, we're seeing increasingly mounting pressure for President Obama to enact real changes to these programs, rather than just defending them blindly.
Since the Snowden revelations first started coming out, forcing James Clapper to admit that he flat-out lied to Congress, we've been somewhat perplexed as to how Clapper could come out of the whole thing "unscathed." Congress seemed willing to look the other way, and the President didn't appear to have any interest in firing Clapper or Keith Alexander, so as not to "let Snowden win." But, it's never made much sense. Lying to Congress is a pretty serious crime -- and considering the lying was to cover up a program that just this week was found to be unconstitutional, it seems even more serious. The fact that anyone in Congress thinks that Clapper can even be remotely trusted to tell the truth going forward when he got away with lying, seems bizarre.
Hopefully that will be changing now.
Back in October, Rep. Jim Sensenbrenner, the author of the PATRIOT Act, argued that Clapper should be fired and prosecuted, but hadn't done anything to move that forward. However, with Monday's ruling now making it pretty clear that the program Clapper lied about (in response to a question from Senator Ron Wyden) is unconstitutional, Sensenbrenner, along with six of his colleagues on the House Judiciary Committee, has sent a letter to Eric Holder, demanding an investigation into Clapper's lying to Congress. The letter is quite a read. They're pretty direct about calling out Clapper for lying, how this is against the law, how others in government have been prosecuted for the same thing, and even how allowing this to go unpunished contributes to "cynicism" about the government.
Congressional oversight depends on truthful testimony--witnesses cannot be allowed to lie to Congress. Accordingly, we request you to investigate the Director of National Intelligence James Clapper's "erroneous" statements to the Senate Select Committee on Intelligence earlier this year.
[....] 18 U.S.C. § 1001 makes it a crime to "knowingly and willfully" make any "materially false" statement in the course of any "investigation or review, conducted pursuant to the authority of any committee." One of the hallmarks of American democracy is that no one is above the law...
[....] Director Clapper has served his country with distinction, and we have no doubt he believed he was acting in its best interest. Nevertheless, the law is clear. He was asked a question and he was obligated to answer truthfully. He could have declined to answer. He could have offered to answer in a classified setting. He could have corrected himself immediately following the hearing. He did none of these things despite advance warning that the question was coming.
The country's interests are best served when its leaders deal truthfully with its citizens. The mutual sense of good faith it fosters permits compromise and concessions in those cases that warrant it. Director Clapper's willful lie under oath fuels the unhealthy cynicism and distrust that citizens feel toward their government and undermines Congress's ability to perform its Constitutional function.
There are differences of opinion about the propriety of the NSA's data collection programs. There can be no disagreement, however, on the basic premise that congressional witnesses must answer truthfully.
It seems unlikely that Holder will do anything, but this is the first official move we've seen towards actually punishing Clapper for lying to Congress. It would be nice if others in Congress supported this effort as well.
What we have below is actually a ProPublica post by Kara Brandeisky, posted back in August of this year, but republished here under ProPublica's Creative Commons license. However, given the White House task force's recommendations, we thought it might be useful to be reminded of what Senator Obama fought for concerning surveillance before he was President. Many of these look remarkably similar to what the task force proposes...
When the House of Representatives recently considered an amendment that would have dismantled the NSA's bulk phone records collection program, the White House swiftly condemned the measure. But only five years ago, Sen. Barack Obama, D-Ill., was part of a group of legislators that supported substantial changes to NSA surveillance programs. Here are some of the proposals the president co-sponsored as a senator.
As a senator, Obama wanted to limit bulk records collection.
The measure Obama supported in 2007 is actually similar to the House amendment that the White House condemned earlier this month. That measure, introduced by Reps. Justin Amash, R-Mich., and John Conyers, D-Mich., would have ended bulk phone records collection but still allowed the NSA to collect records related to individual suspects without a warrant based on probable cause.
The amendment failed 35-63. Obama later reversed his position and supported what became the law now known to authorize the PRISM program. That legislation — the FISA Amendments Act of 2008 — also granted immunity to telecoms that had cooperated with the government on surveillance.
The law ensured the government would not need a court order to collect data from foreigners residing outside the United States. According to the Washington Post, analysts are told that they can compel companies to turn over communications if they are 51 percent certain the data belongs to foreigners.
PowerPoint presentation slides published by the Guardian indicate that when analysts use XKeyscore — the software the NSA uses to sift through huge amounts of raw internet data — they must first justify why they have reason to believe communications are foreign. Analysts can select from rationales available in dropdown menus and then read the communications without court or supervisor approval.
Finally, analysts do not need court approval to look at previously-collected bulk metadata either, even domestic metadata. Instead, the NSA limits access to incidentally collected American data according to its own "minimization" procedures. A leaked 2009 document said that analysts only needed permission from their "shift coordinators" to access previously-collected phone records. Rep. Stephen Lynch, D-Mass., has introduced a bill that would require analysts to get special court approval to search through telephone metadata.
As a senator, Obama wanted the executive branch to report to Congress how many American communications had been swept up during surveillance.
Feingold's 2008 amendment, which Obama supported, would have also required the Defense Department and Justice Department to complete a joint audit of all incidentally collected American communications and provide the report to congressional intelligence committees. The amendment failed 35-63.
The Inspector General of the Intelligence Community told Senators Ron Wyden, D-Ore., and Mark Udall, D-Colo., last year that it would be unfeasible to estimate how many American communications have been incidentally collected, and doing so would violate Americans' privacy rights.
As a senator, Obama wanted to restrict the use of gag orders related to surveillance court orders.
Obama co-sponsored at least two measures that would have made it harder for the government to issue nondisclosure orders to businesses when compelling them to turn over customer data.
One 2007 bill would have required the government to demonstrate that disclosure could cause one of six specific harms: by either endangering someone, causing someone to avoid prosecution, encouraging the destruction of evidence, intimidating potential witnesses, interfering with diplomatic relations, or threatening national security. It would have also required the government to show that the gag order was "narrowly tailored" to address those specific dangers. Obama also supported a similar measure in 2005. Neither measure made it out of committee.
The Obama administration has thus far prevented companies from disclosing information about surveillance requests. Verizon's surveillance court order included a gag order.
Meanwhile, Microsoft and Google have filed motions with the Foreign Intelligence Surveillance Court seeking permission to release aggregate data about directives they've received. Microsoft has said the Justice Department and the FBI had previously denied its requests to release more information. The Justice Department has asked for more time to consider lifting the gag orders.
As a senator, Obama wanted to give the accused a chance to challenge government surveillance.
Until recently, federal prosecutors would not tell defendants what kind of surveillance had been used.
The New York Times reported that in two separate bomb plot prosecutions, the government resisted efforts to reveal whether its surveillance relied on a traditional FISA order, or the 2008 law now known to authorize PRISM. As a result, defense attorneys had been unable to contest the legality of the surveillance. Sen. Dianne Feinstein, D-Calif., later said that in both cases, the government had relied on the 2008 law, though prosecutors now dispute that account.
On July 30, the Justice Department reversed its position in one bomb plot prosecution. The government disclosed that it had not gathered any evidence under the 2008 law now known to authorize sweeping surveillance.
But that's not the only case in which the government has refused to detail its surveillance. When San Diego cab driver Basaaly Saeed Moalin was charged with providing material support to terrorists based on surveillance evidence in Dec. 2010, his attorney, Joshua Dratel, tried to get the government's wiretap application to the Foreign Intelligence Surveillance Court. The government refused, citing national security.
Dratel only learned that the government had used Moalin's phone records as the basis for its wiretap application — collected under Section 215 of the Patriot Act — when FBI Deputy Director Sean Joyce cited the Moalin case as a success story for the bulk phone records collection program.
As a senator, Obama wanted the attorney general to submit a public report giving aggregate data about how many people had been targeted for searches.
Under current law, the attorney general gives congressional intelligence committees a semiannual report with aggregate data on how many people have been targeted for surveillance. Obama co-sponsored a 2005 bill that would have made that report public. The bill didn't make it out of committee.
Despite requests from Microsoft and Google, the Justice Department has not yet given companies approval to disclose aggregate data about surveillance directives.
As a senator, Obama wanted the government to declassify significant surveillance court opinions.
Currently, the attorney general also gives congressional intelligence committees "significant" surveillance court opinions, decisions and orders and summaries of any significant legal interpretations. The 2005 bill that Obama co-sponsored would have released those opinions to the public, allowing redactions for sensitive national security information.
Before Edward Snowden's disclosures, the Obama Justice Department had fought Freedom of Information Act lawsuits seeking surveillance court opinions. On July 31, the Director of National Intelligence released a heavily redacted version of the FISA court's "primary order" compelling telecoms to turn over metadata.
In response to a request from Yahoo, the government also says it is going to declassify court documents showing how Yahoo challenged a government directive to turn over user data. The Director of National Intelligence is still reviewing if there are other surveillance court opinions and other significant documents that may be released. Meanwhile, there are several bills in Congress that would compel the government to release secret surveillance court opinions.
It's been an interesting week. With both a federal judge and the White House's own task force basically saying that the current NSA surveillance efforts go way too far, it seems time to admit that what Ed Snowden did was an incredible service to the American public (not to mention the rest of the world). The fact that the US is still trying to charge him under the Espionage Act is a travesty. You would think that revealing a secret government program that a federal judge found violates the Constitution would make one a hero and a whistleblower, rather than an outlaw.
And while some in the NSA have even floated the idea of granting Snowden amnesty, that seems like a non-starter in the White House. A report from the meeting President Obama held with tech company execs this week notes that at least one executive told the President that he should pardon Snowden -- something the President refused to do:
One participant suggested the president pardon Snowden. Obama said he could not do so, said one industry official. White House officials have said that Snowden is accused of leaking classified information and faces felony charges in the United States, and that he should be returned as soon as possible to the United States, “where he will be accorded full due process and protections.”
Whatever happens as a result of Judge Leon's decision this week and whatever comes of today's recommendations from the intelligence review panel, we cannot forget who it was who helped our country get to the stage of having this debate, not to speak of the personal price he has had to pay as a whistleblower -- turning to foreign dictatorships for refuge. We should be treating him as a hero for what he did, and Congress can do something about it.
The constitution bars a bill of attainder -- a law declaring that a particular individual is guilty of a crime. But there is no reason why Congress cannot enact a bill of non-attainder: a statute declaring retroactively that Edward Snowden is not guilty of any crime for what he has done to date, and forbidding the government from prosecuting him for past conduct. Surely we owe him that much for what he has done for us.
It's an interesting idea, and one that seems highly unlikely to happen -- especially as many in Congress are still stupidly referring to Snowden as a "traitor." But there does seem to be growing support in Congress for real reforms of the surveillance efforts, and one would hope that those who support such changes could also see why they ought to make a strong effort to protect the person who made those changes possible.
Matt Blaze has been pointing out that when you read the new White House intelligence task force report and its recommendations on how to reform the NSA and the wider intelligence community, there may be hints of other excesses not yet revealed by the Snowden documents. Trevor Timm may have spotted a big one. In the recommendation concerning increasing security in online communications, the second sub-point sticks out like a sore thumb. It reads:
Governments should not use their offensive cyber capabilities to change the amounts held in financial accounts or otherwise manipulate the financial system.
While there have been plenty of reports about the US running hundreds of offensive cyberattacks on others, outside of things like Stuxnet, not many have been directly identified. And I'm unaware of any claims suggesting attempts to "manipulate the financial system" of any particular country and/or to "change the amounts held in financial accounts." It seems a bit odd to come out of the blue like that, and certainly suggests that this particular bullet point likely came as a result of a rather specific thing that came up during the task force's review.
So, now we wait for the inevitable news of what sort of financial shenanigans the NSA was up to.
Given the earlier reports suggesting that the "independent" task force set up to review the NSA's activities had come back with a list of suggestions for changes that were mostly cosmetic, rather than substantive, it was a bit of a surprise to see the White House come out today to say that those earlier reports were incorrect and that they were releasing the report in full today (way ahead of schedule). And, now the report is out. After giving it a single read (300+ pages), it is a lot more substantial than many of us expected -- so much so that even the NSA's biggest apologists are "shocked" at how "awkward" it must be for the White House to claim to set up an independent task force, and then have it come back with recommendations that are quite different from what the White House itself has been proposing. It's as if the NSA's apologists assumed this was long in the bag, and that the task force itself was always a joke. Turns out that's not the case.
That's not to say this is perfect. There are significant areas where it seems the recommendations could and should go much further. But it does argue for reining in significant amounts of surveillance, providing much greater oversight, protecting non-US persons' privacy as well as US persons, and a variety of other very real changes. It also (as Judge Leon did on Monday) says that there's no real evidence the bulk collection of metadata was useful in any real way... but, oddly, then allows the program to continue, but in a different manner: having the telcos retain the data in case it's later needed (along with relevant court approvals) rather than just keeping the whole database to troll through. There are all sorts of problems with mandatory data retention as well, but we'll talk about that eventually.
It recommends putting significant restrictions on the ability of the FISA court to force companies to disclose private information, and also includes restrictions on the regularly abused "national security letters" process, which the FBI frequently uses to get information without a warrant. It supports much greater transparency about the programs, including allowing companies to reveal details of the number of requests they received for information. And, as mentioned above, it doesn't just stop at protecting the privacy of US persons, but non-US persons as well, including that any spying on non-US persons needs to have a direct national security purpose, and cannot be based on political or religious views alone. It also recommends against revealing information about non-US persons, such as the reported plans to leak the porn viewing habits of certain non-terrorists with views with which the American government disagreed.
The report clearly notes the drift by the NSA away from its core mission of national security, and suggests that various actions need to get back to having a specific national security reason. It also argues for splitting up parts of the NSA by designating the NSA itself as only covering foreign intelligence, moving its "Information Assurance Directorate" and (as we'd discussed last week) finally separating US Cyber Command from the NSA (something the White House has apparently already rejected). The report highlights the need for greater privacy assurances, including reconstituting the Civil Liberties Oversight Board into the Civil Liberties and Privacy Protection Board -- and granting it much more power for oversight, while also placing a Special Assistant to the President for Privacy in the executive branch. As many had expected, it also recommends making the FISA court a more adversarial process (something the White House has suggested it may be open to).
The report also recommends that the NSA be blocked from trying to undermine or weaken encryption standards, and actually says that the White House should support greater use of encryption across the board.
There are recommendations to better lock down information within the intelligence community to prevent another Snowden from walking off with documents... but also more avenues for whistleblowers, including having them go to that newly constituted privacy board.
Its final recommendation is the most telling, and concerns one of the issues that has most confused me throughout this process. It suggests that the government start actually doing a "cost-benefit" analysis of the various security efforts it engages in. As we've noted, the incredible thing about the revealed programs is that they provided very little benefit, but the costs were astounding, both in managing the programs themselves and, more importantly, in the economic and diplomatic impact of having those programs revealed.
Now, this report is just a set of proposals, which the White House can reject. In fact, it's likely that many will be rejected or ignored. But, to actually have this review board -- which many expected to be nothing more than yet another rubber stamp -- issue something this detailed, comprehensive... and which really does recommend some very real changes, is a pleasant surprise.
Ever since the Snowden documents started revealing the massive overreach by the NSA, defenders of the agency and the programs have stuck by their mantra that the program is "legal" and that it was "approved by all three branches of the government." That line has been repeated over and over again. Of course, as we noted back in August, it quickly became apparent that the three parts charged with oversight were all being misled by the NSA. However, at this point, the claim that the programs have been approved by all three branches is demonstrably false.
Of course, you can expect that defenders of the NSA programs will continue to ignore all this and insist, yet again, that the programs have been approved by all three branches of government, but at that point, hopefully people will remind them that, even if that was true (and it was already misleading), all three branches of government appear to have changed their minds about it.
By now you probably know the name Michael Hayden. Former NSA and CIA Director Hayden now seems to focus all his time on pimping the security state to the American public. He steadfastly claims that all negative impact and lawlessness on the part of the spy agencies is fiction, and that state secrets and your privacy are ironically equal. He also enjoys the occasional wistful guffaw at the notion of assassinating Edward Snowden. When it comes to dealing honestly about the spying state of our nation, he's the kind of man you could fit into a briefcase if you gave him an enema.
But, look, he's a professional spy, which means he's a professional liar about spying. That's what they do. But on Meet The Press this Sunday, he decided to expand the lying to envelop some of the much-smarter founding fathers that I happen to love. Here's a clip of his interview:
In case you can't watch the clip, here are some highlights with some minor, ahem, commentary after them.
"I didn't see the excesses. I saw the potential for problems. There is no abuse. Oh, and by the way, I don't see any unlawfulness either."
In other words, true to Hayden's form, the blatant abuse by the NSA of spying on Americans that was uncovered, and to which the NSA themselves admitted at least minor problems, never happened. It must be very nice to live in a world where you get to pretend to be a Monty Python Black Knight. We've abused you! No you haven't, it's just a flesh wound. Brilliant.
"This was all done according to the Madisonian formula. President authorized, the legislature legislated and the courts oversaw."
If you have studied even the barest basics of American government and history, you'll recognize the "Madisonian Model" as the separation of powers. However, Hayden is oversimplifying things here to the absolute extreme. The entire concept behind James Madison's model was about restraining the Presidential office to nominating judges, signing bills, negotiating treaties and commanding the nation's troops. It takes some serious logical gymnastics to claim that the massive spying done by the alphabet agencies at the behest of the past two presidents would fit within Madison's vision.
Still, I don't mind seeing Hayden come on programs like this and spout this kind of nonsense, either about the abuses of the NSA in general or his lack of historical knowledge more specifically. That's because he comes off purely as a smarmy, lying, self-serving blowhard without an ounce of credibility. Nothing will bury the NSA spying program more quickly than its proponents, if they keep this up.