*Obama's Data Harvesting Program and PRISM*
http://cryptome.org/2013/06/obama-prism.pdf

*US Secret Service/Homeland Security PRISM-ID*
http://cryptome.org/2013/06/usss-prism-id.pdf

--------------------------------------------------------------------

http://www.emptywheel.net/

Are Guardian’s Sources Responding to a New Use of Surveillance, Post-Boston?<http://www.emptywheel.net/2013/06/09/are-guardians-sources-responding-to-a-new-use-of-surveillance-post-boston/>
By: emptywheel <http://www.emptywheel.net/author/emptywheel/> Sunday June 9, 2013 1:11 pm

[image: boundless heatmap]<http://www.emptywheel.net/wp-content/uploads/2013/06/boundless-heatmap.jpg>

Little mentioned as we talk about the massive amounts of spying Obama’s Administration undertakes is this passage from the President’s recent speech<http://www.whitehouse.gov/the-press-office/2013/05/23/remarks-president-barack-obama> on counterterrorism.

That’s why, in the years to come, we will have to keep working hard to strike the appropriate balance between our need for security and preserving those freedoms that make us who we are. That means reviewing the authorities of law enforcement, *so we can intercept new types of communication*, and build in privacy protections to prevent abuse. [my emphasis]

As massive as the surveillance collection currently is, Obama recently called to expand it. Most people have assumed that’s a reference to FBI’s persistent call for CALEA II, newly proposed to be a law<https://www.nytimes.com/2013/05/08/us/politics/obama-may-back-fbi-plan-to-wiretap-web-users.html?ref=charliesavage&gwh=1377579C1399D3E4F15415DAEA8AF52B> imposing fines on companies that don’t comply with “wiretap” orders.

The F.B.I. director, Robert S. 
Mueller III, has argued that the bureau’s ability to carry out court-approved eavesdropping on suspects is “going dark” as communications technology evolves, and since 2010 has pushed<http://www.nytimes.com/2010/09/27/us/27wiretap.html> for a legal mandate requiring companies like Facebook and Google to build into their instant-messaging and other such systems a capacity to comply with wiretap orders. That proposal, however, bogged down amid concerns by other agencies, like the Commerce Department, about quashing Silicon Valley innovation.

While the F.B.I.’s original proposal would have required Internet communications services to each build in a wiretapping capacity, the revised one, which must now be reviewed by the White House, focuses on fining companies that do not comply with wiretap orders. The difference, officials say, means that start-ups with a small number of users would have fewer worries about wiretapping issues unless the companies became popular enough to come to the Justice Department’s attention.

That is certainly at least part of what Obama’s seeking (though the ill-considered plan presents as many security issues<http://www.schneier.com/blog/archives/2013/06/the_problems_wi_3.html> as it does privacy ones). But I note that Mike Rogers said this<http://abcnews.go.com/Politics/week-transcript-sen-dianne-feinstein-rep-mike-rogers/story?id=19343314&singlePage=true#.UbShKfbipr0> on ABC this morning.

And so each one of these programs — and I think the Zazi case is so important, because that’s one you can specifically show that this was the key piece that allowed us to stop a bombing in the New York Subway system. But these programs, that authorized by the court by the way, only focused on non-United States persons overseas, that gets lost in this debate, are pieces of the puzzle. And you have to have all of the pieces of the puzzle to try to put it together. That’s what we found went wrong in 9/11. 
And *we didn’t have all of the pieces of the puzzle, we found out subsequently, to the Boston bombings, either. And so had we had more pieces of the puzzle you can stop these things before they happen*. [my emphasis]

Mike Rogers asserted, with no evidence given, that had we had more information on Tamerlan Tsarnaev, we might have been able to prevent the Boston attack. Rogers has, in the past, suggested<http://www.emptywheel.net/2013/05/15/putins-game/> that if we had gotten the texts between Tsarnaev’s mother and a relative in Russia discussing Tamerlan’s interest in fighting jihad. But it’s not clear that anything prevented us from collecting the relative’s communications, and if the discussion of fighting is as obvious as reporting claims (I suspect it is not), there would have been adequate probable cause to ID the mother.

In fact, one of the Guardian’s other scoops<http://www.guardian.co.uk/world/2013/jun/08/nsa-boundless-informant-global-datamining> makes it clear that we don’t collect all that much SIGINT from Russia in the first place, so the fact we missed the text may say more about our intelligence focus than the technologies available to us.

Nevertheless, Rogers at least suggests that we might have been able to prevent the attack had we had more data.

In part of an interview with Andrea Mitchell<https://twitter.com/mitchellreports/status/343695454451666944> that has not yet (AFAIK) been shown, James Clapper whined that the intelligence community was accused of not being intrusive enough following the Boston attack.

DNI Clapper @TodayShow <https://twitter.com/todayshow>: I find it a little ironic that after the Boston bombings we were accused of not being intrusive enough

Which makes me wonder whether Obama is calling for more than just CALEA II, but has floated using all this data in new ways because two guys were able to conduct a very low-tech attack together. 
Glenn Greenwald said somewhere (I haven’t been able to find it) that he had been working on the PRISM story for around 2 months. If so, that would put it close to the Boston attack (though if it were two full months, it’d make it before the attack).

Given that timing, I’m wondering if the final straw that motivated this presumably high level NSA person to start leaking was a proposed new use of all this data hoovered up. Clapper et al insist that the FISA Court does not currently allow the NSA to data mine the data collected in its dragnet. But have they been thinking about changing that?

Dianne Feinstein: We Need to Collect Data on Every Single American Because We Can’t Control Our Informants<http://www.emptywheel.net/2013/06/09/dianne-feinstein-we-need-to-collect-data-on-every-single-american-because-we-cant-control-our-informants/>
By: emptywheel <http://www.emptywheel.net/author/emptywheel/> Sunday June 9, 2013 10:56 am

I will have far, far more to say about the claims about the various surveillance programs aired on the Sunday shows today. But this<http://abcnews.go.com/Politics/week-transcript-sen-dianne-feinstein-rep-mike-rogers/story?id=19343314&page=4#.UbSTg_bipr1> is absolutely batshit crazy. 
FEINSTEIN: Well, of course, balance is a difficult thing to actually identify what it is, but I can tell you this: These programs are within the law. The [Section 215] business records section is reviewed by a federal judge every 90 days. It should be noted that the document that was released that was under seal, which reauthorized the program for another 90 days, came along with a second document that placed and discussed the strictures on the program. That document was not released.

So here’s what happens with that program. The program is essentially walled off within the NSA. There are limited numbers of people who have access to it. The only thing taken, as has been correctly expressed, is not content of a conversation, but the information that is generally on your telephone bill, which has been held not to be private personal property by the Supreme Court.

If there is strong suspicion that a terrorist outside of the country is trying to reach someone on the inside of the country, those numbers then can be obtained. If you want to collect content on the American, then a court order is issued.

So, the program has been used. Two cases have been declassified. *One of them is the case of David Headley, who went to Mumbai, to the Taj hotel, and scoped it out for the terrorist attack*. [my emphasis]

Dianne Feinstein says that one of the two plots where Section 215 was used (the other, about Najibullah Zazi, is equally batshit crazy, but I’ll return to that) is the Mumbai attack.

What she’s referring to is tracking our own informant, David Headley.

And it didn’t prevent any attack. The Mumbai attack was successful.

Our own informant. A successful attack. That’s her celebration of 215’s use.

So her assertion is we need to collect metadata on every single American because DEA can’t keep control of its informants.

Update: Technically DiFi didn’t say this was a success, just that it had been used. I’ve edited the post accordingly. 

Once Upon a Time the PRISM Companies Fought Retroactive Immunity<http://www.emptywheel.net/2013/06/09/once-upon-a-time-the-prism-companies-fought-retroactive-immunity/>
By: emptywheel <http://www.emptywheel.net/author/emptywheel/> Sunday June 9, 2013 9:03 am

[image: Screen shot 2013-06-09 at 8.30.08 AM]<http://www.emptywheel.net/wp-content/uploads/2013/06/Screen-shot-2013-06-09-at-8.30.08-AM.png>

Since the disclosure of the PRISM program, I have thought about a letter<http://www.emptywheel.net/2009/01/18/hints-that-the-fiscr-plaintiff-is-an-email-provider/> the industry group for some of the biggest and earliest PRISM participants<http://www.guardian.co.uk/world/2013/jun/06/us-tech-giants-nsa-data> — Google, Microsoft, and Yahoo — wrote to then House Judiciary Chair John Conyers during the 2008 debate on FISA Amendments Act. (The screen capture reflects a partial list of members<http://web.archive.org/web/20090807002630/http://www.ccianet.org/index.asp?bid=11> from 2009.)

Remarkably, the letter strongly condemned the effort to grant companies that had broken the law under Bush’s illegal wiretap program immunity.

The Computer & Communications Industry Association (CCIA) strongly opposes S. 2248, the “FISA Amendments Act of 2007,” as passed by the Senate on February 12, 2008. *CCIA believes that this bill should not provide retroactive immunity to corporations that may have participated in violations of federal law*. 
CCIA represents an industry that is called upon for cooperation and assistance in law enforcement. To act with speed in times of crisis, *our industry needs clear rules*, not vague promises that the U.S. Government can be relied upon to paper over Constitutional transgressions after the fact.

CCIA dismisses with contempt the manufactured hysteria that industry will not aid the United States Government when the law is clear. As a representative of industry, I find that suggestion insulting. To imply that our industry would refuse assistance under established law is an affront to the civic integrity of businesses that have consistently cooperated unquestioningly with legal requests for information. *This also conflates the separate questions of blanket retroactive immunity for violations of law, and prospective immunity, the latter of which we strongly support*.

Therefore, CCIA urges you to reject S. 2248. *America will be safer if the lines are bright*. The perpetual promise of bestowing amnesty for any and all misdeeds committed in the name of security will condemn us to the uncertainty and dubious legalities of the past. Let that not be our future as well. [my emphasis]

Microsoft, Yahoo, and Google all joined PRISM within a year of the date of the February 29, 2008 letter (Microsoft had joined almost six months before, Google would join in January 2009).

[image: Screen shot 2013-06-07 at 11.08.29 AM]<http://www.emptywheel.net/wp-content/uploads/2013/06/Screen-shot-2013-06-07-at-11.08.29-AM.png>

Clearly, the demand that the companies that broke the law not receive retroactive immunity suggests none of the members had done so. It further suggests that those companies that did break the law — the telecoms, at a minimum — had done something the email providers wanted them held accountable for. 
This suggests, though doesn’t prove, that before PRISM, the government may have accessed emails from these providers by taking packets from telecom switches, rather than obtaining the data from the providers themselves.

Google had also fought<http://news.findlaw.com/hdocs/docs/google/gonzgoog11806m.html> a DOJ subpoena in 2006 for a million URLs and search terms, purportedly in the name of hunting child pornographers. And those of us who follow this subject have always speculated (with some support from sources) that the plaintiff in a 2007 FISA Court challenge<http://www.fas.org/irp/agency/doj/fisa/fiscr082208.pdf> to a Protect America Act (the precursor to FISA Amendments Act) was an email provider.

All of those details suggest, at the very least, that email providers (unlike telecoms, which we know were voluntarily giving over data shortly after 9/11) fought government efforts to access their data. But it also suggests that the email providers may have treated PRISM as a less worse alternative than the government accessing their data via other means (which is a threat the government used to get banks to turn over SWIFT data, too).

It seems likely the way the government “negotiates” getting data companies to willingly turn over their data is to steal it first. 

What Obama’s Presidential Policy Directive on Cyberwar Says about NSA’s Relationship with Corporations<http://www.emptywheel.net/2013/06/08/why-is-us-government-intrusiveness-on-network-defense-less-than-on-prism/>
By: emptywheel <http://www.emptywheel.net/author/emptywheel/> Saturday June 8, 2013 4:48 pm

The Guardian has had three big scoops this week: revealing that Section 215 has, indeed, been used for dragnet collection of US person data<http://www.guardian.co.uk/world/2013/jun/06/nsa-phone-records-verizon-court-order>, describing PRISM<http://www.guardian.co.uk/world/2013/jun/06/us-tech-giants-nsa-data>, a means of accessing provider data in real-time that was authorized by the FISA Amendments Act, and publishing Obama’s Presidential Directive<http://www.guardian.co.uk/world/interactive/2013/jun/07/obama-cyber-directive-full-text> on offensive cyberwar.

The latter revelation has received a lot less coverage than the first two, perhaps because it doesn’t affect most people directly (until our rivals retaliate). “Of course Obama would have a list of cybertargets to hit,” I heard from a number of people, with disinterest. 
But I thought several passages from Obama’s PPD-20 are of particular interest for the discussion on the other two scoops — particularly what degree of access PRISM has to corporate networks real-time data.

First, consider the way definitions of several key terms pivot on whether or not network owners know about a particular cyber action.

Network Defense: Programs, activities, and the use of tools necessary to facilitate them (including those governed by NSPD-54/HSPD-23 and NSD-42) *conducted on a computer network, or information or communications system by the owner or with the consent of the owner and, as appropriate, the users* for the primary purpose of protecting (1) that computer, network, or system; (2) data stored on, processed on, or transiting that computer, network, or system; or (3) physical and virtual infrastructure controlled by that computer, network, or system. *Network defense does not involve or require accessing or conducting activities on computers, networks, or information or communications systems without authorization from the owners or exceeding access authorized by the owners*. (u)

[snip]

Cyber Collection: Operations and related programs or activities conducted by or on behalf of the United States Government, in or through cyberspace, for the primary purpose of collecting intelligence — including from information that can be used for future operations — from computers, information or communications systems, or networks with the intent to remain undetected. *Cyber collection entails accessing a computer, information system, or network without authorization from the owner* or operator of the computer, information system, or network or from a party to a communication *or by exceeding authorized access*. Cyber collection includes those activities essential and inherent to enabling cyber collection, such as inhibiting detection or attribution, even if they create cyber effects. 
(C/NF)

Defensive Cyber Effects Operations (DCEO): Operations and related programs or activities — other than network defense or cyber collection — conducted by or on behalf of the United States Government, in or through cyberspace, that are intended to enable or produce cyber effects outside United States Government networks for the purpose of defending or protecting against imminent threats or ongoing attacks or malicious cyber activity against U.S. national interests from inside or outside cyberspace. (C/NF)

Nonintrusive Defensive Countermeasures (NDCM): The subset of DCEO that *does not require accessing computers, information or communications systems, or networks without authorization from the owners or operators* of the targeted computers, information or communications systems, or networks exceeding authorized access and only creates the minimum cyber effects needed to mitigate the threat activity. (C/NF)

So you’ve got:

- Network defense, which is what network owners do or USG (or contractors) do at their behest to protect key networks. I assume this is like anti-virus software on steroids.
- Cyber collection that, regardless of where it occurs, is done in secret. This is basically intelligence gathering about networks.
- Nonintrusive Defensive Countermeasures, which is more active defensive attacks, but ones that can or are done with the permission of the network owners. This appears to be the subset of Defensive Cybereffects Operations that, because they don’t require non-consensual network access, present fewer concerns about blowback and legality.
- Defensive Cybereffects Operations, which are the entire category of more active defensive attacks, though the use of the acronym DCEO appears to be limited to those defensive attacks that require non-consensual access to networks and therefore might cause problems. The implication is they’re generally targeted outside of the US, but if there is an imminent threat (that phrase again!) 
they can be targeted in the US.

In other words, this schema (there are a few more categories, including strictly offensive attacks) seems to be about ensuring there is additional review for defensive attacks (but not strictly data collection) intended to use non-consensual network access.

As I suggested, these attacks based on nonconsensual access are all supposed to be primarily focused externally, unless the President approves.

The United States Government shall conduct neither DCEO nor OCEO that are intended or likely to produce cyber effects within the United States unless approved by the President. A department or agency, however, with appropriate authority may conduct a particular case of DCEO that is intended or likely to produce cyber effects within the United States if it qualifies as an Emergency Cyber Action as set forth in this directive and otherwise complies with applicable laws and policies, including Presidential orders and directives. (C/NF)

Of course, a lot of the networks or software outside of the US are still owned by US corporations (and the implication seems to be that these categories remain even if they’re not). Consider, for example, how central Microsoft exploits<http://www.emptywheel.net/2013/06/07/side-by-side-timeline-of-nsas-communications-collection-and-cyber-attacks/> have been to US offensive attacks on Iran. How much notice has MS gotten that we planned to use the insecurity of their software?

Nevertheless, a big chunk of this PPD — the part that has received endless discussion publicly — pertains to that network defense, getting corporations to either defend their own networks properly or agree to let the government do it for them. (Does the USG bill for that, I wonder?)

Which partly explains the language in the PPD on partnerships with industry, treated as akin to partnerships with states or cities. 
The United States Government shall seek partnerships with industry, other levels of government as appropriate, and other nations and organizations to promote cooperative defensive capabilities, including, as appropriate, through the use of DCEO as governed by the provisions in this directive; and Partnerships with industry and other levels of government for the protection of critical infrastructure shall be coordinated with the Department of Homeland Security (DHS), *working with the relevant sector-specific agencies and, as appropriate, the Department of Commerce* (DOC). (S/NF)

[snip]

The United States Government shall work with private industry — through DHS, DOC, and relevant sector-specific agencies — to protect critical infrastructure in a manner that minimizes the need for DCEO against malicious cyber activity; however, *the United States Government shall retain DCEO, including anticipatory action taken against imminent threats, as governed by the provisions in this directive, as an option to protect such infrastructure*. (S/NF)

The United States Government shall — in coordination, as appropriate, with DHS, law enforcement, and other relevant departments and agencies, to include sector-specific agencies — obtain the consent of network or computer owners for United States Government use of DCEO to protect against malicious cyber activity on their behalf, *unless the activity implicates the United States’ inherent right of self-defense* as recognized in international law or the policy review processes established in this directive and appropriate legal reviews determine that such consent is not required. (S/NF)

One thing I’m most curious about this PPD is the treatment of the Department of Commerce. Why is DOC treated differently than sector-specific agencies? Do they have some kind of unseen leverage — a carrot or a stick — to entice cooperation that we don’t know about? 
Aside from that, though, there are two possibilities (which probably amounts to just one) when the government will go in and defend a company’s networks without their consent. Imminent threat, inherent right to self-defense.

Ultimately, this seems to suggest that the government will negotiate access, but if it deems your networks sufficiently important (Too Big To Hack) and you’re not doing the job, it’ll come in and do it without telling you.

And of course, nothing in this PPD explicitly limits cyber collection — that is, the non-consensual access of networks to collect information. I will wait to assume that suggests what it seems to, but it does at least seem a giant hole permitting the government to access networks so long as it only takes intelligence about the network.

Which brings us to these two categories included among the policy criteria.

Transparency: The need for consent or notification of network or computer owners or host countries, the potential for impact on U.S. persons and U.S. private sector networks, and the need for any public or private communications strategies after an operation; and

Authorities and Civil Liberties: The available authorities and procedures and the potential for cyber effects inside the United States or against U.S. persons. (S/NF)

Neither is terrifically well-developed. Indeed, it doesn’t seem to consider civil liberties, as such, at all.

Which may be why the Most Transparent Administration Evah™ considers transparency to consist of:

- Informing corporations that own networks
- Accounting for the impact on US persons (but not informing them, apparently, though Network Defense allows users to be informed “as appropriate”)
- Prepping propaganda for use after an operation

The entire PPD lays out potential relationships with corporations as negotiated, potentially leveraged, but coerced if need be. 
But at least corporations are assumed to be entitled to some “transparency.”
