*Obama's Data Harvesting Program and PRISM *
http://cryptome.org/2013/06/obama-prism.pdf
*US Secret Service/Homeland Secruity PRISM-ID *
http://cryptome.org/2013/06/usss-prism-id.pdf
----------------------------------------------------------
http://www.emptywheel.net/
Are Guardian’s Sources Responding to a New Use of Surveillance,
Post-Boston?<http://www.emptywheel.net/2013/06/09/are-guardians-sources-responding-to-a-new-use-of-surveillance-post-boston/>
By: emptywheel <http://www.emptywheel.net/author/emptywheel/> Sunday June
9, 2013 1:11 pm
[image: boundless
heatmap]<http://www.emptywheel.net/wp-content/uploads/2013/06/boundless-heatmap.jpg>Little
mentioned as we talk about the massive amounts of spying Obama’s
Administration undertakes is this passage from the President’s recent
speech<http://www.whitehouse.gov/the-press-office/2013/05/23/remarks-president-barack-obama>
on
counterterrorism.
That’s why, in the years to come, we will have to keep working hard to
strike the appropriate balance between our need for security and preserving
those freedoms that make us who we are. That means reviewing the
authorities of law enforcement, *so we can intercept new types of
communication*, and build in privacy protections to prevent abuse. [my
emphasis]
As massive as the surveillance collection currently is, Obama recently
called to expand it.
Most people have assumed that’s a reference to FBI’s persistent call for
CALEA II, newly proposed to be a
law<https://www.nytimes.com/2013/05/08/us/politics/obama-may-back-fbi-plan-to-wiretap-web-users.html?ref=charliesavage&gwh=1377579C1399D3E4F15415DAEA8AF52B>
imposing
fines on companies that don’t comply with “wiretap” orders.
The F.B.I. director, Robert S. Mueller III, has argued that the bureau’s
ability to carry out court-approved eavesdropping on suspects is “going
dark” as communications technology evolves, and since 2010 has
pushed<http://www.nytimes.com/2010/09/27/us/27wiretap.html> for
a legal mandate requiring companies like Facebook and Google to build into
their instant-messaging and other such systems a capacity to comply with
wiretap orders. That proposal, however, bogged down amid concerns by other
agencies, like the Commerce Department, about quashing Silicon Valley
innovation.
While the F.B.I.’s original proposal would have required Internet
communications services to each build in a wiretapping capacity, the
revised one, which must now be reviewed by the White House, focuses on
fining companies that do not comply with wiretap orders. The difference,
officials say, means that start-ups with a small number of users would have
fewer worries about wiretapping issues unless the companies became popular
enough to come to the Justice Department’s attention.
That is certainly at least part of what Obama’s seeking (though the
ill-considered planpresents as many security
issues<http://www.schneier.com/blog/archives/2013/06/the_problems_wi_3.html>
as
it does privacy ones).
But I note that Mike Rogers said
this<http://abcnews.go.com/Politics/week-transcript-sen-dianne-feinstein-rep-mike-rogers/story?id=19343314&singlePage=true#.UbShKfbipr0>
on
ABC this morning.
And so each one of these programs — and I think the Zazi case is so
important, because that’s one you can specifically show that this was the
key piece that allowed us to stop a bombing in the New York Subway system.
But these programs, that authorized by the court by the way, only focused
on non-United States persons overseas, that gets lost in this debate, are
pieces of the puzzle. And you have to have all of the pieces of the puzzle
to try to put it together. That’s what we found went wrong in 9/11.
And *we didn’t have all of the pieces of the puzzle, we found out
subsequently, to the Boston bombings, either. And so had we had more pieces
of the puzzle you can stop these things before they happen*. [my emphasis]
Mike Rogers asserted, with no evidence given, that had we had more
information on Tamerlan Tsarnaev, we might have been able to prevent the
Boston attack.
Rogers has, in the past,
suggested<http://www.emptywheel.net/2013/05/15/putins-game/> that
if we had gotten the texts between Tsarnaev’s mother and a relative in
Russia discussing Tamerlan’s interest in fighting jihad. But it’s not clear
that anything prevented us from collecting the relative’s communications,
and if the discussion of fighting is as obvious as reporting claims (I
suspect it is not), there would have been adequate probable cause to ID the
mother.
In fact, one of the Guardian’s other
scoops<http://www.guardian.co.uk/world/2013/jun/08/nsa-boundless-informant-global-datamining>
makes
it clear that we don’t collect all that much SIGINT from Russia in the
first place, so the fact we missed the text may say more about our
intelligence focus than the technologies available to us.
Nevertheless, Rogers at least suggests that we might have been able to
prevent the attack had we had more data.
In part of an interview with Andrea
Mitchell<https://twitter.com/mitchellreports/status/343695454451666944>
that
has not yet (AFAIK) been shown, James Clapper whined that the intelligence
community was accused of not being intrusive enough following the Boston
attack.
DNI Clapper @TodayShow <https://twitter.com/todayshow>: I find it a little
ironic that after the Boston bombings we were accused of not being
intrusive enough
Which makes me wonder whether Obama is calling for more than just CALEA II,
but has floated using all this data in new ways because two guys were able
to conduct a very low-tech attack together.
Glenn Greenwald said somewhere (I haven’t been able to find it) that he had
been working on the PRISM story for around 2 months. If so, that would put
it close to the Boston attack (though if it were two full months, it’d make
it before the attack).
Given that timing, I’m wondering if the final straw that motivated this
presumably high level NSA person to start leaking was a proposed new use of
all this data hoovered up. Clapper et al insist that the FISA Court does
not currently allow the NSA to data mine the data collected in its dragnet.
But have then been thinking about changing that?
Posted in FISA <http://www.emptywheel.net/category/fisa/>,
PATRIOT<http://www.emptywheel.net/category/patriot/>
, Terrorism <http://www.emptywheel.net/category/terrorism/> | Tagged Boston
Marathon Attack <http://www.emptywheel.net/tag/boston-marathon-attack/>, CALEA
II <http://www.emptywheel.net/tag/calea-ii/>, James
Clapper<http://www.emptywheel.net/tag/james-clapper/>
, Mike Rogers <http://www.emptywheel.net/tag/mike-rogers/>, Tamerlan
Tsarnaev <http://www.emptywheel.net/tag/tamerlan-tsarnaev/> | *8*
Replies<http://www.emptywheel.net/2013/06/09/are-guardians-sources-responding-to-a-new-use-of-surveillance-post-boston/#comments>
Dianne
Feinstein: We Need to Collect Data on Every Single American Because We
Can’t Control Our
Informants<http://www.emptywheel.net/2013/06/09/dianne-feinstein-we-need-to-collect-data-on-every-single-american-because-we-cant-control-our-informants/>
By: emptywheel <http://www.emptywheel.net/author/emptywheel/> Sunday June
9, 2013 10:56 am
I will have far, far more to say about the claims about the various
surveillance programs aired on the Sunday shows today.
But this<http://abcnews.go.com/Politics/week-transcript-sen-dianne-feinstein-rep-mike-rogers/story?id=19343314&page=4#.UbSTg_bipr1>
is
absolutely batshit crazy.
FEINSTEIN: Well, of course, balance is a difficult thing to actually
identify what it is, but I can tell you this: These programs are within the
law. The [Section 215] business records section is reviewed by a federal
judge every 90 days. It should be noted that the document that was released
that was under seal, which reauthorized the program for another 90 days,
came along with a second document that placed and discussed the strictures
on the program. That document was not released.
So here’s what happens with that program. The program is essentially walled
off within the NSA. There are limited numbers of people who have access to
it. The only thing taken, as has been correctly expressed, is not content
of a conversation, but the information that is generally on your telephone
bill, which has been held not to be private personal property by the
Supreme Court.
If there is strong suspicion that a terrorist outside of the country is
trying to reach someone on the inside of the country, those numbers then
can be obtained. If you want to collect content on the American, then a
court order is issued.
So, the program has been used. Two cases have been declassified. *One of
them is the case of David Headley, who went to Mumbai, to the Taj hotel,
and scoped it out for the terrorist attack*. [my emphasis]
Dianne Feinstein says that one of the two plots where Section 215 prevented
an attack was used (the other, about Najibullah Zazi, is equally batshit
crazy, but I’ll return to that) is the Mumbai attack.
What’s she referring to is tracking our own informant, David Headley.
And it didn’t prevent any attack. The Mumbai attack was successful.
Our own informant. A successful attack. That’s her celebration of success 215′s
use.
So her assertion is we need to collect metadata on every single American
because DEA can’t keep control of its informants.
Update: Technically DiFi didn’t say this was a success, just that it had
been used. I’ve edited the post accordingly.
Posted in FISA <http://www.emptywheel.net/category/fisa/>,
PATRIOT<http://www.emptywheel.net/category/patriot/>
| Tagged David Headley <http://www.emptywheel.net/tag/david-headley/>, Dianne
Feinstein <http://www.emptywheel.net/tag/dianne-feinstein/>,
Najibullah Zazi<http://www.emptywheel.net/tag/najibullah-zazi/>
| *12* Replies<http://www.emptywheel.net/2013/06/09/dianne-feinstein-we-need-to-collect-data-on-every-single-american-because-we-cant-control-our-informants/#comments>
Once
Upon a Time the PRISM Companies Fought Retroactive
Immunity<http://www.emptywheel.net/2013/06/09/once-upon-a-time-the-prism-companies-fought-retroactive-immunity/>
By: emptywheel <http://www.emptywheel.net/author/emptywheel/> Sunday June
9, 2013 9:03 am
[image: Screen shot 2013-06-09 at 8.30.08
AM]<http://www.emptywheel.net/wp-content/uploads/2013/06/Screen-shot-2013-06-09-at-8.30.08-AM.png>Since
the disclosure of the PRISM program, I have thought about a
letter<http://www.emptywheel.net/2009/01/18/hints-that-the-fiscr-plaintiff-is-an-email-provider/>
the
industry group for some of the biggest and earliest PRISM
participants<http://www.guardian.co.uk/world/2013/jun/06/us-tech-giants-nsa-data>
—
Google, Microsoft, and Yahoo — wrote to then House Judiciary Chair John
Conyers during the 2008 debate on FISA Amendments Act. (The screen capture
reflects a partial list of
members<http://web.archive.org/web/20090807002630/http://www.ccianet.org/index.asp?bid=11>
from
2009.)
Remarkably, the letter strongly condemned the effort to grant companies
that had broke the law under Bush’s illegal wiretap program immunity.
The Computer & Communications Industry Association (CCIA) strongly opposes
S. 2248, the “FISA Amendments Act of 2007,” as passed by the Senate on
February 12, 2008. *CCIA believes that this bill should not provide
retroactive immunity to corporations that may have participated in
violations of federal law*. CCIA represents an industry that is called upon
for cooperation and assistance in law enforcement. To act with speed in
times of crisis, *our industry needs clear rules*, not vague promises that
the U.S. Government can be relied upon to paper over Constitutional
transgressions after the fact.
CCIA dismisses with contempt the manufactured hysteria that industry will
not aid the United States Government when the law is clear. As a
representative of industry, I find that suggestion insulting. To imply that
our industry would refuse assistance under established law is an affront to
the civic integrity of businesses that have consistently cooperated
unquestioningly with legal requests for information. *This also conflates
the separate questions of blanket retroactive immunity for violations of
law, and prospective immunity, the latter of which we strongly support*.
Therefore, CCIA urges you to reject S. 2248. *America will be safer if the
lines are bright*. The perpetual promise of bestowing amnesty for any and
all misdeeds committed in the name of security will condemn us to the
uncertainty and dubious legalities of the past. Let that not be our future
as well. [my emphasis]
Microsoft, Yahoo, and Google all joined PRISM within a year of the date of
the February 29, 2008 letter (Microsoft had joined almost six months
before, Google would join in January 2009).
[image: Screen shot 2013-06-07 at 11.08.29
AM]<http://www.emptywheel.net/wp-content/uploads/2013/06/Screen-shot-2013-06-07-at-11.08.29-AM.png>Clearly,
the demand that the companies that broke the law not receive retroactive
immunity suggests none of the members had done so. It further suggests that
those companies that did break the law — the telecoms, at a minimum — had
done something the email providers wanted them held accountable for. This
suggests, though doesn’t prove, that before PRISM, the government may have
accessed emails from these providers by taking packets from telecom
switches, rather than obtaining the data from the providers themselves.
Google had also
fought<http://news.findlaw.com/hdocs/docs/google/gonzgoog11806m.html>
a
DOJ subpoena in 2006 for a million URLs and search terms, purportedly in
the name of hunting child pornographers.
And those of us who follow this subject have always speculated (with some
support from sources) that the plaintiff in a 2007 FISA Court
challenge<http://www.fas.org/irp/agency/doj/fisa/fiscr082208.pdf> to
a Protect America Act (the precursor to FISA Amendments Act) was an email
provider.
All of those details suggest, at the very least, that email providers
(unlike telecoms, which we know were voluntarily giving over data shortly
after 9/11) fought government efforts to access their data.
But it also suggests that the email providers may have treated PRISM as a
less worse alternative than the government accessing their data via other
means (which is a threat the government used to get banks to turn over
SWIFT data, too).
It seems likely the way the government “negotiates” getting data companies
to willingly turn over their data is to steal it first.
Posted in FISA <http://www.emptywheel.net/category/fisa/>,
PATRIOT<http://www.emptywheel.net/category/patriot/>
| Tagged AT&T <http://www.emptywheel.net/tag/att/>, Computer &
Communications Industry
Association<http://www.emptywheel.net/tag/computer-communications-industry-association/>
, FISA Amendments Act <http://www.emptywheel.net/tag/fisa-amendments-act/>,
Google <http://www.emptywheel.net/tag/google/>,
Microsoft<http://www.emptywheel.net/tag/microsoft/>
, PRISM <http://www.emptywheel.net/tag/prism/>,
Verizon<http://www.emptywheel.net/tag/verizon/>
, Yahoo <http://www.emptywheel.net/tag/yahoo/> | *12*
Replies<http://www.emptywheel.net/2013/06/09/once-upon-a-time-the-prism-companies-fought-retroactive-immunity/#comments>
What
Obama’s Presidential Policy Directive on Cyberwar Says about NSA’s
Relationship with
Corporations<http://www.emptywheel.net/2013/06/08/why-is-us-government-intrusiveness-on-network-defense-less-than-on-prism/>
By: emptywheel <http://www.emptywheel.net/author/emptywheel/> Saturday June
8, 2013 4:48 pm
The Guardian has had three big scoops this week: revealing that Section 215
has, indeed, been used for dragnet collection of US person
data<http://www.guardian.co.uk/world/2013/jun/06/nsa-phone-records-verizon-court-order>
, describing PRISM<http://www.guardian.co.uk/world/2013/jun/06/us-tech-giants-nsa-data>,
a means of accessing provider data in real-time that was authorized by the
FISA Amendments Act, and publishingObama’s Presidential
Directive<http://www.guardian.co.uk/world/interactive/2013/jun/07/obama-cyber-directive-full-text>
on
offensive cyberwar.
The latter revelation has received a lot less coverage than the first two,
perhaps because it doesn’t affect most people directly (until our rivals
retaliate). “Of course Obama would have a list of cybertargets to hit,” I
heard from a number of people, with disinterest.
But I thought several passages from Obama’s PPD-20 are of particular
interest for the discussion on the other two scoops — particularly what
degree of access PRISM has to corporate networks real-time data. First,
consider the way definitions of several key terms pivot on whether or not
network owners know about a particular cyber action.
Network Defense: Programs, activities, and the use of tools necessary to
facilitate them (including those governed by NSPD-54/HSPD-23 and
NSD-42) *conducted
on a computer network, or information or communications system by the owner
or with the consent of the owner and, as appropriate, the users* for the
primary purpose of protecting (1) that computer, network, or system; (2)
data stored on, processed on, or transiting that computer, network, or
system; or (3) physical and virtual infrastructure controlled by that
computer, network, or system. *Network defense does not involve or require
accessing or conducting activities on computers, networks, or information
or communications systems without authorization from the owners or
exceeding access authorized by the owners*. (u)
[snip]
Cyber Collection: Operations and related programs or activities conducted
by or on behalf of the United States Government, in or through cyberspace,
for the primary purpose of collecting intelligence — including from
information that can be used for future operations — from computers,
information or communications systems, or networks with the intent to
remain undetected. *Cyber collection entails accessing a computer,
information system, or network without authorization from the owner* or
operator of the computer, information system, or network or from a party to
a communication *or by exceeding authorized access*. Cyber collection
includes those activities essential and inherent to enabling cyber
collection, such as inhibiting detection or attribution, even if they
create cyber effects. (C/NF)
Defensive Cyber Effects Operations (DCEO): Operations and related programs
or activities — other than network defense or cyber collection — conducted
by or on behalf of the United States Government, in or through cyberspace,
that are intended to enable or produce cyber effects outside United States
Government networks for the purpose of defending or protecting against
imminent threats or ongoing attacks or malicious cyber activity against
U.S. national interests from inside or outside cyberspace. (C/NF)
Nonintrusive Defensive Countermeasures (NDCM): The subset of DCEO that *does
not require accessing computers, information or communications systems, or
networks without authorization from the owners or operators* of the
targeted computers, information or communications systems, or networks
exceeding authorized access and only creates the minimum cyber effects
needed to mitigate the threat activity. (C/NF)
So you’ve got:
- Network defense, which is what network owners do or USG (or
contractors) do at their behest to protect key networks. I assume this like
anti-virus software on steroids.
- Cyber collection that, regardless of where it occurs, is done in
secret. This is basically intelligence gathering about networks.
- Nonintrusive Defensive Countermeausres, which is more active defensive
attacks, but ones that can or are done with the permission of the network
owners. This appears to be the subset of Defensive Cybereffects Operations
that, because they don’t require non-consensual network access, present
fewer concerns about blowback and legality.
- Defensive Cybereffects Operations, which are the entire category of
more active defensive attacks, though the use of the acronym DCEO appears
to be limited to those defensive attacks that require non-consensual access
to networks and therefore might cause problems. The implication is they’re
generally targeted outside of the US, but if there is an imminent threat
(that phrase again!) they can be targeted in the US.
In other words, this schema (there are a few more categories, including
strictly offensive attacks) seems to be about ensuring there is additional
review for defensive attacks (but not strictly data collection) intended to
use non-consensual network access.
As I suggested, these attacks based on nonconsensual access is all supposed
to be primarily focused externally, unless the President approves.
The United States Government shall conduct neither DCEO nor OCEO that are
intended or likely to produce cyber effects within the United States unless
approved by the President. A department or agency, however, with
appropriate authority may conduct a particular case of DCEO that is
intended or likely to produce cyber effects within the United States if it
qualifies as an Emergency Cyber Action as set forth in this directive and
otherwise complies with applicable laws and policies, including
Presidential orders and directives. (C/NF)
Of course, a lot of the networks or software outside of the US are still
owned by US corporations (and the implication seems to be that these
categories remain even if they’re not). Consider, for example, how central
Microsoft exploits<http://www.emptywheel.net/2013/06/07/side-by-side-timeline-of-nsas-communications-collection-and-cyber-attacks/>
have
been to US offensive attacks on Iran. How much notice has MS gotten that we
planned to use the insecurity of their software?
Nevertheless, a big chunk of this PPD — the part that has received endless
discussion publicly — pertains to that network defense, getting
corporations to either defend their own networks properly or agree to let
the government do it for them. (Does the USG bill for that, I wonder?)
Which partly explains the language in the PPD on partnerships with
industry, treated as akin to partnerships with states or cities.
The United States Government shall seek partnerships with industry, other
levels of government as appropriate, and other nations and organizations to
promote cooperative defensive capabilities, including, as appropriate,
through the use of DCEO as governed by the provisions in this directive; and
Partnerships with industry and other levels of government for the
protection of critical infrastructure shall be coordinated with the
Department of Homeland Security (DHS), *working with the relevant
sector-specific agencies and, as appropriate, the Department of
Commerce* (DOC).
(S/NF)
[snip]
The United States Government shall work with private industry — through
DHS, DOC, and relevant sector-specific agencies — to protect critical
infrastructure in a manner that minimizes the need for DCEO against
malicious cyber activity; however, *the United States Government shall
retain DCEO, including anticipatory action taken against imminent threats,
as governed by the provisions in this directive, as an option to protect
such infrastructure*. (S/NF)
The United States Government shall — in coordination, as appropriate, with
DHS, law enforcement, and other relevant departments and agencies, to
include sector-specific agencies — obtain the consent of network or
computer owners for United States Government use of DCEO to protect against
malicious cyber activity on their behalf, *unless the activity implicates
the United States’ inherent right of self-defense* as recognized in
international law or the policy review processes established in this
directive and appropriate legal reviews determine that such consent is not
required. (S/NF)
One thing I’m most curious about this PPD is the treatment of the
Department of Commerce. Why is DOC treated differently than sector-specific
agencies? Do they have some kind of unseen leverage — a carrot or a stick —
to entice cooperation that we don’t know about?
Aside from that, though, there are two possibilities (which probably
amounts to just one) when the government will go in and defend a company’s
networks without their consent.
Imminent threat, inherent right to self-defense.
Ultimately, this seems to suggest that the government will negotiate
access, but if it deems your networks sufficiently important (Too Big To
Hack) and you’re not doing the job, it’ll come in and do it without telling
you.
And of course, nothing in this PPD explicitly limits cyber collection —
that is, the non-consensual access of networks to collect information. I
will wait to assume that suggests what it seems to, but it does at least
seem a giant hole permitting the government to access networks so long as
it only takes intelligence about the network.
Which brings us to these two categories included among the policy criteria.
Transparency: The need for consent or notification of network or computer
owners or host countries, the potential for impact on U.S. persons and U.S.
private sector networks, and the need for any public or private
communications strategies after an operation; and
Authorities and Civil Liberties: The available authorities and procedures
and the potential for cyber effects inside the United States or against
U.S. persons. (S/NF)
Neither is terrifically well-developed. Indeed, it doesn’t seem to consider
civil liberties, as such, at all. Which may be why the Most Transparent
Administration Evah™ considers transparency to consist of:
- Informing corporations that own networks
- Accounting for the impact on US persons (but not informing them,
apparently, though Network Defense allows users to be informed “as
appropriate”)
- Prepping propaganda for use after an operation
The entire PPD lays out potential relationships with corporations as |
