Aw, isn’t that nice: a new follower! Wonder if it has anything to do with this?
Category Archives: Politics
The law-making behind “lawful intercepts”
There’s a truly astonishing piece by Mark Danner in the New York Review of Books about how the ‘legal’ basis for bulk collection and warrantless wiretapping was laid. The program was originally code-named Stellar Wind. Here’s an excerpt that gives the general flavour; the date is March 10, 2004:
John Ashcroft has been in intensive care for nearly a week. Though Ashcroft is the chief law enforcement officer of the United States—and though it is the attorney general’s signature that is required to recertify Stellar Wind—no one seems to have thought it relevant to tell the commander in chief. No matter; Bush telephones intensive care, insists on speaking to the heavily sedated Ashcroft, and tells him he is sending over his chief of staff and White House counsel “to talk to him about an urgent matter.” What follows is the famous Hospital Room Showdown, the great melodramatic set piece of the Bush administration, which features, as Barton Gellman describes it in the superb Angler: The Cheney Vice Presidency, “men in their forties and fifties, stamping on the brakes, abandoning double-parked vehicles, and running up a hospital stairwell as fast as their legs could pump.”
The White House men were clutching the paper they were determined to persuade the attorney general to sign, and the Justice Department lawyers, led by James Comey, Ashcroft’s deputy, were determined to prevent him from signing it. They converged in a hospital room around the IV-festooned body of the ailing attorney general, who “looked half dead.” Nonetheless, Gellman tells us, in the midst of this coven of lawyers, like some unvanquishable horror movie character, Ashcroft “raised himself up stiffly” off the bed.
He glared at his visitors and said they had no business coming. He gave a lucid account of the reasons that Justice had decided to withhold support. And then he went beyond that. Ashcroft said he never should have certified the program.
…If it were up to him now, he would refuse to approve. But it was not up to him. Gesturing at his deputy, Ashcroft said, “There is the attorney general.” Spent and pale, Ashcroft sank back down.
In the face of this defiance, the White House chief of staff and counsel ignore Comey and stride from the room and then race back to the White House where, Bush informs us rather laconically, “they told me Ashcroft hadn’t signed.” Why not? Apparently they didn’t say and the president doesn’t ask. Instead, he decides to overrule the objections of the Department of Justice and sign “an order keeping the TSP alive based on my authority as head of the executive branch.”
It is, as will soon become clear, a momentous decision, though there is no sign he realizes quite how momentous. Still, the president isn’t happy. “I went to bed irritated,” Bush tells us, “and had a feeling I didn’t know the full story.”
The military-information complex, updated
In my Observer column last Sunday I contrasted the old military-industrial complex that so worried President Eisenhower with the emerging military-information complex (the core of which consists of the four Internet giants: Google, Facebook, Yahoo and Microsoft). What I should have guessed is that the two complexes are beginning to merge.
Consider, for example, this interesting Pando Daily piece by Yasha Levine, which says, in part:
Last week, I detailed how Google does much more than simply provide us civvies with email and search apps. It sells its tech to enhance the surveillance operations of the biggest and most powerful intel agencies in the world: NSA, FBI, CIA, DEA and NGA — the whole murky alphabet soup.
In some cases — like the company’s dealings with the NSA and its sister agency, the NGA — Google deals with government agencies directly. But in recent years, Google has increasingly taken the role of subcontractor: selling its wares to military and intelligence agencies by partnering with established military contractors. It’s a very deliberate strategy on Google’s part, allowing it to more effectively sink its hooks into the nepotistic, old boy government networks of America’s military-intelligence-industrial complex.
Over the past decade, Google Federal (as the company’s D.C. operation is called) has partnered up with old school establishment military contractors like Lockheed Martin, as well as smaller boutique outfits — including one closely connected to the CIA and former mercenary firm, Blackwater.
This approach began around 2006.
Around that time, Google Federal began beefing up its lobbying muscle and hiring sales reps with military/intelligence/contractor work experience — including at least one person, enterprise manager Jim Young, who used to work for the CIA. The company then began making the rounds, seeking out partnerships with established military contractors. The goal was to use their deep connections to the military-industrial complex to hard sell Google technology.
Don’t you just love that corporate moniker: Google Federal! So now we have a tripartite complex: military-industrial-information.
The Public-Private Surveillance Partnership: still going strong
I annoyed a lot of people in the industry in December when I pointed out that the NSA and the Internet companies have the same business model: intensive surveillance. So it’s good to see a real expert, Bruce Schneier, lay it on the line.
We don’t know what sort of pressure the U.S. government has put on Google and the others. We don’t know what secret agreements those companies have reached with the NSA. We do know the NSA’s BULLRUN program to subvert Internet cryptography was successful against many common protocols. Did the NSA demand Google’s keys, as it did with Lavabit? Did its Tailored Access Operations group break into Google’s servers and steal the keys?
We just don’t know.
The best we have are caveat-laden pseudo-assurances. At SXSW earlier this month, CEO Eric Schmidt tried to reassure the audience by saying that he was “pretty sure that information within Google is now safe from any government’s prying eyes.” A more accurate statement might be, “Your data is safe from governments, except for the ways we don’t know about and the ways we cannot tell you about. And, of course, we still have complete access to it all, and can sell it at will to whomever we want.” That’s a lousy marketing pitch, but as long as the NSA is allowed to operate using secret court orders based on secret interpretations of secret law, it’ll never be any different.
The Dictator’s Dilemma
My Observer Comment piece on the latest episode in the ongoing conflict between the state and the Internet.
Here we go again: authoritarian ruler finds that social media are making life uncomfortable for him in the run-up to elections; finds Twitter particularly annoying; instructs local authorities to shut off access for his citizens; announces that he is unbothered by international criticism of this act of censorship which, he says, will demonstrate the power of his republic.
Welcome to Turkey, our staunch ally in the fight against jihad and the Forces of Darkness. There is a certain grim familiarity in the story of Prime Minister Erdogan’s battle against social media…
Military-Industrial Complex 2.0
This morning’s Observer column.
As they burgeoned, the big internet companies looked with disdain on the leviathans of the military-industrial complex. Kinetic warfare seemed so yesterday to those whose corporate mantras were about “not being evil” and adhering to “the hacker’s way”. So when Snowden revealed NSA claims that the spooks had untrammelled access to their servers the companies reacted like nuns accused of running a webcam porn site. It wasn’t true, they protested, and even if it was they knew nothing about it. Of course they did comply with government requests approved by a secret court, but that was the extent of it. As the months rolled by, however, this reassuring narrative has unravelled. We discovered that the NSA and GCHQ had indeed covertly tapped the data-traffic that flows between the companies’ server farms. But since Google and co were – they claimed – unaware of this, perhaps their protestations of innocence seemed justified. More embarrassing were the revelations about the astonishing lengths to which one company (Microsoft) went to facilitate NSA access to its users’ private communications.
Last Wednesday, another piece of the jigsaw slotted into place. The NSA’s top lawyer stated unequivocally that the technology firms were fully aware of the agency’s widespread collection of data. Rajesh De, the NSA general counsel, said that all communications content and associated metadata harvested by the NSA occurred with the knowledge of the companies – both for the Prism system and the covert tapping of communications moving across the internet.
William Binney at the Oxford Union
William Binney is one of the original NSA whistleblowers. He resigned in 2001 after more than 30 years with the agency because of concerns that NSA surveillance was widened to cover American citizens. Not a great public speaker, but an admirable citizen.
So who’s lying — the NSA or the tech companies?
From the outset of the furore over the Snowden revelations it’s been obvious that either the NSA or the tech companies must have been lying about whether the agency did or did not have access to the companies’ communications. This statement by the NSA’s lead counsel asserts that the companies knew all along about the agency’s data collection practices.
The senior lawyer for the National Security Agency stated unequivocally on Wednesday that US technology companies were fully aware of the surveillance agency’s widespread collection of data, contradicting months of angry denials from the firms.
Rajesh De, the NSA general counsel, said all communications content and associated metadata harvested by the NSA under a 2008 surveillance law occurred with the knowledge of the companies – both for the internet collection program known as Prism and for the so-called “upstream” collection of communications moving across the internet.
Asked during a Wednesday hearing of the US government’s institutional privacy watchdog if collection under the law, known as Section 702 or the Fisa Amendments Act, occurred with the “full knowledge and assistance of any company from which information is obtained,” De replied: “Yes.”
They can’t both be right: so who’s lying?
Snooping is a public health issue
This morning’s Observer column.
One of the things that baffles me is why more people are not alarmed by what Edward Snowden has been telling us about the scale and intrusiveness of internet surveillance. My hunch is that this is partly because – strangely – people can’t relate the revelations to things they personally understand.
In the past two weeks, two perceptive commentators have been trying to break through this barrier. One is Cory Doctorow, the science-fiction novelist, who had a terrific essay in the Guardian arguing that instead of increasing our security, government agencies such as the NSA, GCHQ and others are actually undermining it. The essay is worth reading in full, but one part of it stood out for me. It’s about the thriving, underworld online market in malicious software. Nowadays, if some hacker discovers a previously unknown vulnerability in widely used software, that discovery can be very valuable – and people will pay large sums for such “zero-day” exploits. But here’s the creepy bit: sometimes, the purchasers are government agencies that buy these pieces of malware to use as weapons against their enemies.
To most people, this will seem pretty abstruse. But with the imaginative skill of a good writer, Doctorow nails it: “If you discovered,” he writes, “that your government was more interested in weaponising typhus than they were in curing it, you would demand that your government treat your water supply with the gravitas and seriousness that it is due.”
LATER: Right on cue, another great blog post by Bruce Schneier, putting this stuff in an everyday context:
Imagine that you hired a private detective to eavesdrop on a subject. That detective would plant a bug in that subject’s home, office, and car. He would eavesdrop on his computer. He would listen in on that subject’s conversations, both face to face and remotely, and you would get a report on what was said in those conversations. (This is what President Obama repeatedly reassures us isn’t happening with our phone calls. But am I the only one who finds it suspicious that he always uses very specific words? “The NSA is not listening in on your phone calls.” This leaves open the possibility that the NSA is recording, transcribing, and analyzing your phone calls — and very occasionally reading them. This is far more likely to be true, and something a pedantically minded president could claim he wasn’t lying about.)
Now imagine that you asked that same private detective to put a subject under constant surveillance. You would get a different report, one that included things like where he went, what he did, who he spoke to — and for how long — who he wrote to, what he read, and what he purchased. This is all metadata, data we know the NSA is collecting. So when the president says that it’s only metadata, what you should really hear is that we’re all under constant and ubiquitous surveillance.
What’s missing from much of the discussion about the NSA’s activities is what they’re doing with all of this surveillance data. The newspapers focus on what’s being collected, not on how it’s being analyzed — with the singular exception of the Washington Post story on cell phone location collection. By their nature, cell phones are tracking devices. For a network to connect calls, it needs to know which cell the phone is located in. In an urban area, this narrows a phone’s location to a few blocks. GPS data, transmitted across the network by far too many apps, locates a phone even more precisely. Collecting this data in bulk, which is what the NSA does, effectively puts everyone under physical surveillance.
This is new. Police could always tail a suspect, but now they can tail everyone — suspect or not. And once they’re able to do that, they can perform analyses that weren’t otherwise possible. The Washington Post reported two examples. One, you can look for pairs of phones that move toward each other, turn off for an hour or so, and then turn themselves back on while moving away from each other. In other words, you can look for secret meetings. Two, you can locate specific phones of interest and then look for other phones that move geographically in synch with those phones. In other words, you can look for someone physically tailing someone else. I’m sure there are dozens of other clever analyses you can perform with a database like this. We need more researchers thinking about the possibilities. I can assure you that the world’s intelligence agencies are conducting this research.
Schneier is one of the very best commentators on this stuff. Everything he writes about it is worth reading.
Casuistry, algorithms and surveillance
One of the reasons the political establishment and intelligence community are so unapologetic about the bulk collection of metadata and other personal information is that they cling to a particular interpretation of what “collecting” means. In this interpretation, hoovering up data and storing it in data-centres does not constitute “collecting”. Only when a human looks at a particular data point is it actually “collected”.
Here’s how Bruce Schneier puts it:
And the word “collect” has a very special definition, according to the Department of Defense (DoD). A 1982 procedures manual (pdf; page 15) says: “information shall be considered as ‘collected’ only when it has been received for use by an employee of a DoD intelligence component in the course of his official duties.” And “data acquired by electronic means is ‘collected’ only when it has been processed into intelligible form.”
Director of National Intelligence James Clapper likened the NSA’s accumulation of data to a library. All those books are stored on the shelves, but very few are actually read. “So the task for us in the interest of preserving security and preserving civil liberties and privacy,” says Clapper, “is to be as precise as we possibly can be when we go in that library and look for the books that we need to open up and actually read.” Only when an individual book is read does it count as “collection,” in government parlance.
So, think of that friend of yours who has thousands of books in his house. According to the NSA, he’s not actually “collecting” books. He’s doing something else with them, and the only books he can claim to have “collected” are the ones he’s actually read.
This is why Clapper claims — to this day — that he didn’t lie in a Senate hearing when he replied “no” to this question: “Does the NSA collect any type of data at all on millions or hundreds of millions of Americans?”
If the NSA collects — I’m using the everyday definition of the word here — all of the contents of everyone’s e-mail, it doesn’t count it as being collected in NSA terms until someone reads it. And if it collects — I’m sorry, but that’s really the correct word — everyone’s phone records or location information and stores it in an enormous database, that doesn’t count as being collected — NSA definition — until someone looks at it. If the agency uses computers to search those emails for keywords, or correlates that location information for relationships between people, it doesn’t count as collection, either. Only when those computers spit out a particular person has the data — in NSA terms — actually been collected.
There’s a word for this: casuistry. And it’s not just the preserve of politicians and intelligence agencies. Google & Co are just as bad — as when the Google executive quoted by Schneier says “Worrying about a computer reading your email is like worrying about your dog seeing you naked.”
To which Schneier replies:
when you’re watched by a dog, you know that what you’re doing will go no further than the dog. The dog can’t remember the details of what you’ve done. The dog can’t tell anyone else. When you’re watched by a computer, that’s not true. You might be told that the computer isn’t saving a copy of the video, but you have no assurance that that’s true. You might be told that the computer won’t alert a person if it perceives something of interest, but you can’t know if that’s true. You do know that the computer is making decisions based on what it receives, and you have no way of confirming that no human being will access that decision. When a computer stores your data, there’s always a risk of exposure. There’s the risk of accidental exposure, when some hacker or criminal breaks in and steals the data. There’s the risk of purposeful exposure, when the organization that has your data uses it in some manner. And there’s the risk that another organization will demand access to the data. The FBI can serve a National Security Letter on Google, demanding details on your email and browsing habits. There isn’t a court order in the world that can get that information out of your dog.
Yep.