Schneier on Security

65535 • May 15, 2016 6:48 AM

@ Paul McCryptney and Winston Smith

“Dianne [Feinstein] was quizzical
Studied metaphysical masters of the past
Late nights all alone with her Mein Kampf
Ohhhh-oh-oh-oh
Burr (inhaling crazy gas
While fingering his wrinkled ass)
Calls her on the phone
“Can you help me start up a Fourth Reich
Right here at home?”
“Now as you’re logging onto the net
The Gestapo’s right behind”
“Bang, bang, Feinstein’s Silver Hammer
Comes down upon your heads
Bang, bang, Feinstein’s Silver Hammer
Gives hardons to the Feds” –Paul McCryptney

Good one!

You are referring to the Stacked Senate judiciary committee hearing on Fisa 702 reauthorization, May 10, 2016.

http://www.c-span.org/video/?409335-1/senate-judiciary-committee-holds-hearing-fisa-reauthorization

Feinstein has been entrenched in the US Senate for 24 years.

“[Feinstein ]she has served in the Senate since 1992.“ – wikipedia

https://en.wikipedia.org/wiki/Dianne_Feinstein

Emptywheel notes that contrary to the hearing line of BS the actual number of Backdoor US citizen searches could be quantified and released to the public – but would reveal the FBI and DEA’s parallel construction methods – and probably the spying on defense attorneys and privacy advocates..

https://www.emptywheel.net/2016/05/10/the-us-person-back-door-search-number-doj-could-publish-immediately/

Feinstein’s Mask has slipped. She clearly seems to represent the Intelligence Community and their K-street money bundlers – rather than her California voters.

01:59:52 into hearing

Elizabeth “Liza” Goitein

“Any agency that comes across — across threat information should share that information. Agencies should work together to address the threat. What the Fourth Amendment can not tolerate is the government collecting information, communications without a warrant with the intent of mining it for use in criminal cases against Americans. “

[Feinstein cuts her off and becomes a Constitutional Scholar]

FEINSTEIN: “Whoa, whoa. That’s where you and I differ. I think that all of the data is collected lawfully. I don’t believe it’s collected unlawfully.”

Just because Senator Feinstein is a Senator who collects a great deal of money from the Intelligence Community and their lobbyist’s doesn’t make Ms. Feinstein Supreme Court Judge or Constitutional Expert!

I listened to the entire two hour Senate hearing on the reauthorization of 702 and it is good example of political stacking.

Of the five people in front of the Senate committee three were Pro-702 spying advocates with only two anti-spying advocates.

Pro spying advocates:
• Matthew G. Olsen Director (Former) National Counterterrorism Center
• Kenneth L. Wainstein Adviser (Former) White House->Homeland Security and Counterterrorism
• Rachel L. Brand Member Privacy and Civil Liberties Oversight Board [who seems to be the head saboteur of PCLOB or “P-Club”]

Anti-spying advocates:
• Elizabeth “Liza” Goitein Co-Director Brennan Center for Justice at NYU School of Law->Liberty and National Security Program
• David Medine Chair Privacy and Civil Liberties Oversight Board [Who seems to crumble at the end of his testimony]

Pro-Spying Advocates of the Senate Committee:

Richard Blumenthal U.S. Senator [D] Connecticut
Chris Coons U.S. Senator [D] Delaware
John Cornyn U.S. Senator [R] Texas
Dianne Feinstein U.S. Senator [D] California
Chuck Grassley U.S. Senator [R] Iowa
Amy KlobucharU.S. Senator [D] Minnesota
Thom Tillis U.S. Senator [R] North Carolina
Sheldon Whitehouse U.S. Senator [D] Rhode Island

Anti-spying Senators:

Al Franken U.S. Senator [D] Minnesota [possibly anti-spying]
Patrick J. Leahy U.S. Senator [D] Vermont

David Medine and Elizbeth Goitien point out the illegal nature on the UPSTREAM and PRISM warrantless searches of American Communications for average vice crimes and out right fishing expeditions by the FBI and DEA.

[Extensive and worthwhile text of Warrantless Searches legal problems presented in public]

David Medine:

“…Section 702 has two components, PRISM and Upstream. In PRISM the government collects the contents of targets’ emails and other communications from electronic communications providers. While the targets are non-U.S. persons, from time to time those non-U.S. persons communicate with Americans… as a result, the government is collecting large quantities of Americans’ communications. These are incidental communications because the U.S. persons are not the targets, but these are not inadvertent because it’s known in advance that Americans’ communications will be collected.”

“In contrast, the Upstream program the government gets access to the telecommunications backbone, over which some telephone and Internet communications transit, and collect the contents of emails and phone calls. By using about collection, the government doesn’t look just in the header of to and from of an email, but it also scans the contents of the email for a targeted selector… As a result, if Liza and I were communicating by email and I sent her a message with an email address from my uncle in Turkey so she has a place to stay when traveling to Turkey. If it turns out that my uncle’s email address is one of the 94,000 selectors currently on target in 702 program, my email to Liza could be picked up and copied into an NSA database, even though neither one of us is suspected of wrongdoing. And even my uncle might not be suspected of wrongdoing and may simply have valuable foreign intelligence information.

“If this program is to continue, it should have privacy and civil liberties, particularly where U.S. persons are implicated. Accordingly, I recommend three legislative changes… First, many of the communications collected under 702 have nothing to do with terrorism or crime. They can include family photographs, love letters, personal financial matters, discussions of physical and mental health, and political and religious exchanges… U.S. persons’ queries of that database are therefore capable of revealing a significant slice of an American’s personal life. This is particularly the case for Americans who correspond frequently with foreigners, including relatives, friends and business associates.

“Since no warrant was every issued for these communications, which are covered by the Fourth Amendment, there should be some form of protection. Before querying these databases for a U.S. person identifier, intelligence agencies and the FBI should be required to submit a U.S. person identifier queries to the FISA Court for approval other than in exigent circumstances. Most important here is that there be an impartial life-tenured federal judge has the final say over whether Americans’ personal communications are collected and reviewed.
Second, Upstream and about communications raise two potential concerns. One is the collection of purely domestic communications American-to-American. And the other is over collection of communications. Building on the recommendations put forward in PCLOB’s 702 report, as technology evolves, the government should be required to elevate — evaluate the effectiveness of screening of domestic communications, and also should determine ways of separating out various types of about communications so we can have policy decisions as to whether all of them should be collected.

“Third, a large number of U.S. persons’ incidental communications are collected under 702, as I’ve mentioned. But how many? In order to have an informed democratic debate about the scope of this program, it’s important that citizens and members of Congress know how many Americans’ communications are being implicated in this program.

“I have no reason to doubt that the government has encountered difficulties in quantifying the number of U.S. persons’ records it incidentally collects. Nevertheless, I urge this committee to require all agencies collecting information under Section 702 to develop a manageable way to gather statistics and provide them to Congress on a regular basis…

[Emptywheel indicates the numbers are already provided by the FBI to the Justice Department and should be made public – See Empywheel’s posts]

“The minimization procedures call for the deletion of innocent Americans’ information upon discovery to determine whether it has any foreign intelligence value. But what the board’s report found is that in fact information is never deleted. It sits in the databases for five years or sometimes longer… And so the minimization doesn’t really address the privacy concerns of incidentally collected communications, again where there’s been no warrant at all in the process. And when the government shifts its attention from the non-U.S. person to the Americans’ communication, there should be court approval in that exchange… in Title III there has been a warrant before the information was collected. In the United States we simply can’t read people’s emails and listen to their phone call without court approval. And the same should be true when the government shifts its attention to Americans under this program.

“Thank you, Senator Feinstein. One of the things that our board discovered in our 702 investigation was, as — my board member Brand indicated, that the FBI routinely looks into 702 databases, and not just in investigations, but even in assessments when the FBI has absolutely no suspicion of wrongdoing, but they’re just sort of entitled to poke around and see if something is going on, they nonetheless access — query the 702 database. But the FBI’s minimization procedures weren’t transparent about that process… Sure. On the side of having a query, as I mentioned earlier, under the fourth amendment, the government is now accessing Americans’ personal communications. And I did want to clarify one point earlier. This program does not just target terrorists. I think it might be a very different situation if the only focus was terrorists. This program targets anyone with foreign intelligence value. It could be a completely innocent businessman or anyone else out of the country who has that information… And so we have an American talking to someone who is potentially innocent of any wrongdoing and yet capturing that American’s communications. It could be a love letter. It could be a business transaction. But all those are being captured. The question is when we shift our attention to those communications, should we have court approval?”

“If I could also add on the classification front? One of the things the board experienced in preparing its report is that we found some facts about the 702 Program that we thought could be made public without harming national security. Senator, as with — I would recommend three legislative changes. One is require the government to estimate the number of Americans’ communications that are intercepted under 702 [Empywheels point]; second is tighten up the upstream about collection process; and third is to require court approval for queries of Americans’ information under 702… following up on Senator Whitehouse’s point, is there has been no warrant issues for these collections. And when the attention shifts to Americans’ communications that are collected over a five year period with any of 90 plus thousand other people outside the United States, I think it becomes a moment when the fourth amendment would require court approval.

“We invited a former judge from the Fifth Court to testify about his experiences. And he said how frustrating it was as a judge to only hear one side… We invited a former judge from the Fifth Court to testify about his experiences. And he said how frustrating it was as a judge to only hear one side. He said in his normal civil or criminal docket he hears one side make an argument, sounds pretty persuasive. Then the other side makes an argument, that sounds pretty persuasive too. And the judge’s rule is to reconcile those competing views… he only heard one side. And that led the board to ultimately recommend that there be another side, particularly in cases having novel, legal or technological considerations like programmatic approvals up to 15 or 702.
“I think it would be useful to require by legislation that the Director of National Intelligence report annually to the Congress on the number of Americans’ communications that are incidentally collected and the methodology used to do that, because that’s an important part in this reauthorization process of evaluating but also on an ongoing basis, how the program is operating. [No notification to Defense Attorneys ] Notification of criminal defendants… [The European Problem] I think also is, it would eliminate the question of querying that information, because I think it’s a large amount of information over five years that’s — that’s collected. I’d add that this — our report on 702, I think, has also been helpful for Europeans as well.”

Elizabeth “Liza” Goitein does a very good job of articulating the warrantless search problem:

“…Our nation faces real threats from international terrorism. Your challenge and your responsibility is to ensure that these threats are addressed not only effectively, but in the way that’s consistent with the Constitution, the privacy interests of law-abiding individuals, and our nation’s economic interests… Section 702 in its current form does not accomplish those aims. Technological advances have revolutionized communications. People are communicating at a scale that was unimaginable just a few years ago. International phone calls, which were once difficult and expensive, as I remember, are now as simple as tapping a screen. And the Internet offers countless additional means of international communication. Globalization makes these exchanges as necessary as they are easy… As a result, the amount of information about Americans that the NSA intercepts, even when targeting foreigners overseas, has exploded. But instead of shoring up safeguards for ordinary Americans and foreigners who communicate internationally, section 702 did the opposite. It eliminated the requirement of an individual court order to collect communications between foreign targets and Americans. It also eliminated the requirement that the target be affiliated with a foreign power or terrorist group.

“The government today can target any foreigner overseas, regardless of whether he poses any threat to the United States and obtain his communications with Americans. While the government must certify that acquiring foreign intelligence is one of its purposes, the law defines foreign intelligence broadly enough to include conversations about current events… Moreover, the government has interpreted the law to allow collection of communications, not just to and from the target, but about the target. This legal fee change underlies the NSA’s upstream collection program whereby a huge proportion of communications flowing into and out of the United States are scanned for selectors associated with designated foreigners and picked up… Using upstream collection and PRISM, which obtains stored emails from U.S. companies, the NSA collects more than 250 million Internet communications a year. That undoubtedly includes millions if not tens of millions of Americans’ emails. And as we know, wholly domestic communications are included as well. To call this kind of mass collection targeted elevates form over substance. There are deep constitutional concerns with this surveillance. The Fourth Amendment may not apply to foreigners overseas. But when a law is designed to collect communications between foreigners and Americans, the Fourth Amendment is very much in play. And when the FBI searches through those communications for evidence to use against Americans in criminal cases, and then fails to notify the defendants how it obtained the evidence, it drives a hole the size of Fort Meade through the Fourth Amendment.

“Constitutional concerns aside the mass collection of communications comes with significant risks and harms. The OPM fiasco reminded us how vulnerable government databases are to foreign governments and other hackers. And any massive database that contains sensitive information about Americans carries with it the risk of abuse or negligent mishandling by this or some future administration. Overbroad surveillance also threatens our economic interests by impairing the legal and practical ability of U.S. technology companies to do business with customers overseas. We’re told that these risks are justified because Section 702 has helped to stop terrorist plots. But the question isn’t just whether Section 702 is useful. We must also ask whether effective surveillance can be conducted in a manner that’s less intrusive with fewer costs to our liberties… One final point. Within constitutional bounds set by the courts, Americans should be able to decide for themselves how much surveillance is too much. But to do that we need information

[No response from the Intelligence Community]

“Five years after Sen. Wyden first requested an estimate of the number of American communications collected under Section 702, we’re still waiting. Congress and the public need this basic information for the democratic process to work. I think that — thank you. I think to understand what’s so disturbing about backdoor searches you have to look at what comes before them… to fit its way into the foreign intelligence exception, as it’s called, to the Fourth Amendment, and in order to avoid getting a warrant or getting an individual FISA order, the government has to certify to the FISA Court not only that it’s targeting a foreigner, not an American; not only that it has a foreign intelligence purpose; but also that it’s not doing any reverse targeting, which means it has no intent to target any particular known Americans.
Then having made that certification, as soon as the data is obtained, all three agencies can sort through the data, looking for the communications of the very particular known Americans in which the government just disclaimed any interest. And the FBI doesn’t even need a foreign intelligence purpose to do it. The FBI can search for evidence in criminal cases that have no national security or foreign intelligence component whatsoever.

[Bait and switch tactic by the Intelligence Community]

“So this is a bait and switch that undermines the spirit, if not the letter of the reverse targeting prohibition. And more important, it undermines the purpose of that prohibition, which is to ensure that Section 702 doesn’t become an end run around the Fourth Amendment requirement and around the FISA Court’s — the FISA’s individual warrant order requirement when an American is a target… And I would note one more thing, which is that the president’s Review Group on Intelligence and Communication Technologies, which included a former deputy director and acting director of the CIA, the former chief Counterterrorism adviser to President George W. Bush recommended a warrant to search Americans’ communications… were trying to protect Americans from warrantless surveillance. And that’s what closing the backdoor is about.

[Poor to zero minimization of Americans conversations]

“I think that there’s this idea that if the government has collected the information lawfully, it should be able to use it for any legitimate government purpose. And whatever treat that may have in other context is clearly not the case with Section 702 because Congress has required minimization… Minimization is the opposite of you can use it for any purpose you want. And constitutionally it’s not the case either because the reasonableness inquiry includes an assessment of whether the safeguards on Americans’ data are sufficient… But in general investigations progress from using less intrusive means to using more intrusive means. At the beginning of the investigation you may just have a tip and you want to figure out whether to pursue that tip or not do anything… you’ll start by doing a query of databases to see what you already know and see if it’s worth pursuing. Then, as the investigation proceeds, you may develop enough information to satisfy probable cause requirement for a search warrant or a wiretap or so forth… at the very initial stages of the investigation, you typically don’t have much information and that’s why you do a query to then require the government to compile more information in order to start with a less intrusive means. That just doesn’t make sense to me, but Mr. Wainstein and Mr. Olsen may have more insight into that.

[Cut off by Senators on the privacy issues]

“Would you mind if I speak to the privacy issue a little bit as a representative of the Civil Liberties community here? I would hope that this Committee would take note of the fact that the privacy community is unanimously behind the requirement of a warrant because it is our considered opinion that this is far more protective of privacy to require a warrant than to allow carrying (ph) of that data… I think that search itself is the violation of the fourth amendment rights. I know Mr. Olsen said there is no evidence of abuse of backdoor searches. Backdoor searches are the abuse. It’s a warrantless search of Americans’ communications that were gathered based on a representation that the government was not targeting Americans… a search of data that the government is required by law and by the Fourth Amendment to minimize the use and access to U.S. person information… I believe that Section 702 goes much further than it needs to go in order to accomplish the aims that I think we all want to see accomplished. And I would point out that some of the cases, in fact all of the cases that have been made public relating to Section 702 successes, are cases in which the surveillance, the Section 702 surveillance, was of a known or suspected terrorist, or someone known or suspected to have ties to terrorism.”

“… while these are certainly evidence of you know Section 702 working, they do not support the idea that Section 702 needs to be…[cut off mid sentence]… the Brennan Center’s position is that the only way to secure the constitutional validity of Section 702 is to have an individual order when the government collects communications between a foreign target and an American… there are many, many other steps that could be taken to improve Section 702. That includes closing the backdoor search loophole. It includes narrowing the definition of foreign intelligence, narrowing the pool of people who can be targeted. so it’s not just any foreigner overseas.”

[Failure to notify Defense Attorneys]

“…ensuring that notice is given any time that Section 702 evidence is used in court or evidence derived from Section 702 is used in legal proceedings… I’ve heard this from former national security division attorneys, as getting to yes. And that’s not the role of the judiciary. I think part of that was that when there wasn’t another party there, the court wasn’t in the role of being a neutral adjudicator between two sides. And therefore, if the court said no to the government, the court effectively became the other side. I think that was a very uncomfortable role for the court and I think it made the court more inclined to try to move toward yes.

[No numbers on how many American conversations are searched]

“…therefore, if the court said no to the government, the court effectively became the other side. I think that was a very uncomfortable role for the court and I think it made the court more inclined to try to move toward yes. With respect to the queries, we don’t have numbers of how many times the FBI runs the U.S. persons queries of the data because the FBI doesn’t track those. The FBI, however, is by far, you know from the board’s reports, the most active and frequent U.S. person querier. And so, it’s important to get that information… you know, the FBI would have trouble figuring out who is a U.S. person in order to track these queries. The NSA does it. The CIA does it. They’re able to track the queries. I think the FBI should be able to as well… one quick point that I was hoping to get in when Senator Whitehouse was talking about the incidental collection idea — there is one very important distinction between the cases that have upheld the incidental collection of people who are in communications with a target and what we’re seeing with Section 702.”

“In those cases, under Title III of criminal warrants, there was not only strict minimization procedures which was mentioned but there was also a warrant in the beginning to target the original suspect and the courts have emphasized the importance of that warrant at the front end because that provides them vicarious protection to people in contact with the target and narrows the pool of people who can be collected on…the distinction is not so much between foreign and domestic, but in terms of the nature of the case, but in terms of who the target is. So, if the target is foreign, then there can be a warrantless collection… if the government is trying to build a case against an American, if the American is the target, then if it’s a foreign intelligence case they go to the FISA Court and they get an individualized order. If it’s a criminal case, they go to a magistrate and they get a warrant. And that distinction is very easy to make, whether someone is an American or not.

[Rights mot honored in actual cases]

“… that appears to be being honored in the breach, is what I would say. I mean, it has been — for a while it was not honored at all. And then about three years ago, there was apparently a change in policy, but we’ve been — there have only been eight notifications in the last three years. And that’s, I guess, the backdrop of hundreds of terrorism and national security prosecutions, dozens of material support prosecutions… there is definitely concern that the FBI is voiding the requirements, perhaps by a creative definition, perhaps by parallel construction, which is re-creating the evidence using less controversial tools or methods, perhaps both that, you know, it’s very easy to clear this up, for the department to simply release its policies for how it interprets the notification requirement. But the government has been fighting tooth and nail against FOIA requests to get those policies… that’s another area where this committee could be helpful to pry those loose… Senator Wyden initially asked for an estimate for, I think, I heard him used the word “ballpark” at one point. That should be possible. And with a couple of the programs, it should be fairly straightforward. There’s — with PRISM, it’s a little trickier but that’s why the civil liberties community has offered to work with the intelligence community to try to find a privacy protective way of generating the estimates. So, it should be possible… I think it’s vital, because I hear public statements by officials over and over that this program is targeted at foreigners and that the collection of Americans’ communications is incidental. These are terms of art with very specific legal meanings, but most Americans are not lawyers… when they hear this, they will reasonably assume that Americans’ communications that — not many Americans’ communications are collected. So I think having this estimate is important to pierce through the legalese and give Americans a truer sense of what the program entails, which they need in order to make their own decision and participate in the democratic process.

[Feinstein attacks Goitein]

“…when they hear this, they will reasonably assume that Americans’ communications that — not many Americans’ communications are collected. So I think having this estimate is important to pierce through the legalese and give Americans a truer sense of what the program entails, which they need in order to make their own decision and participate in the democratic process. Opposition to backdoor searches is not call to rebuild the wall… Backdoor search is when the FBI or any other agency targets a U.S. person for a search of data that was collected under Section 702, which is supposed to be targeted against foreigners overseas… the data is searching its unminimized (ph) form. So the FBI gets raw data, the NSA, the CIA get raw data and they search that raw data using U.S. person’s identifiers. That’s what I’m referring to as backdoor searches. I’m happy to call it U.S. person queries and trying to address USA — a U.S. person query is not calling to rebuild the wall. Any agency that comes across — across threat information should share that information. Agencies should work together to address the threat. What the Fourth Amendment can not tolerate is the government collecting information, communications without a warrant with the intent of mining it for use in criminal cases against Americans.

FEINSTEIN: Whoa, whoa. That’s where you and I differ. I think that all of the data is collected lawfully. I don’t believe it’s collected unlawfully.

[back to Goitein]

“…it’s not that simple, because collection and then how the data is treated are both parts of the same scheme that’s evaluated for its constitutionality. And what makes the collection at the front end lawful — and Judge Bates has said this on the FISA court — what makes it lawful to collect without a warrant is, in part, restrictions on how that data can be used on the back end… I do think there are situations in which having oversight and rules and policies about procedures for how searches are done, all those things, there are cases where that’s absolutely vital.”

“When you’re talking about a warrant and the basic requirement of getting a warrant to access Americans’ communications, you cannot substitute procedures for a warrant. And to quote Justice Roberts in the Riley case, which required a warrant to search cellphones, the founders did not fight a revolution to gain the right to government agency protocols…”

http://www.c-span.org/video/?409335-1/senate-judiciary-committee-holds-hearing-fisa-reauthorization

65535 • May 16, 2016 5:49 AM

@Richard

“Contrary to what has been implied, this is NOT, just ‘harmless metadata’ – instead they are archiving EVERYTHING using the NSA equivalent of a giant “internet DVR”-Richard

That is a good description. The average Jane/Joe can understand it.

“The truly scary thing about this is that then, any time the government wants to go after someone, they can retro-actively figure out whatever lame excuse that they feel they need (or don’t need) to give them legal authority to un-cork whatever surveillance data they want, from whenever they want, for ANY purpose they want… The Orwellian result of this is that we now effectively live in a police state with ubiquitous 100% cradle-to-grave full time surveillance on the personal data of every American.”- Richard

I agree. That is approximately where we are now. With the changes in rule 41 we are in a quasi-state of Martial Law.

“Recent headlines warn that the government now has greater authority to hack your computers, in and outside the US. Changes to federal criminal court procedures known as Rule 41 are to blame; they vastly expand how and whom the FBI can legally hack.” Wired.

https://www.wired.com/2016/05/history-fbis-hacking/

I will note that the “one way mirror” effect where the government hides behind a one-way mirror to control the pubic is growing. This turns democracy on its head. That cannot be tolerated.

I think it will take more governmental leaks and possibly a constitutional showdown between the IC/LE/up to the Presidential level, to avoid complete Marshal Law. That is with a capital M – with police checkpoints everywhere and Defense Attorney’s bugged all the time.

It’s very disturbing to note that the US Supreme Court help construct the draconian changes to rule 41 => making the public’s distrust in the Government and the Supreme Court higher each day. Things will end badly if the governments spying is not reversed.

+145 • May 19, 2016 6:19 PM

1337? Haven’t you ever used a calculator!? 😛

10 • May 20, 2016 10:59 PM

@41/14

Sum of digits? The operation I referred to was a simple digital calculator being turned upside-down. A ‘4’ was an ‘h’ long before a ‘#’ ever was, as far as I can tell