NSA

Wikileaks is releasing over 500,000 U.S. national text pager intercepts from September 11, 2001, over the next two days: From 3AM on Wednesday November 25, 2009, until 3AM the following day (New York Time), WikiLeaks will release over half a million US national text pager intercepts. The intercepts cover a 24 hour period surrounding the September 11, 2001 terrorist attacks in New York and Washington. The first message, corresponding to 3AM September 11, 2001, five hours before the first attack, will be released at 3AM November 25, 2009 and the last, corresponding to 3AM September 12, 2001 at 3AM November 26, 2009. Text pagers are mostly carried by persons operating in an official capacity. Messages in the collection range from Pentagon and New York Police Department exchanges, to computers reporting faults to their operators as the World Trade Center collapsed. This is a significant and completely objective record of the defining moment of our time. We hope that its entry into the historical record will lead to a deeper and more nuanced understanding of how this tragedy and its aftermath may have been prevented. While we are obligated by to protect our sources, it is clear that the information comes from an organization which has been intercepting and archiving national US telecommunications since prior to 9/11.The Transparent Society getting closer, it appears…

The Electronic Frontier Foundation has filed Jewel v. NSA to try another tactic in stopping unconstitutional warrantless wiretapping of U.S. residents. Their previous lawsuit against AT&T, Hepting v. AT&T, is still in federal court as the EFF argues with the government over whether the telecom immunity law passed by our spineless Congress is itself constitutional or applicable to the case. Jewel v. NSA names as defendants the National Security Agency, President George W. Bush, Vice President Dick Cheney, Cheney’s chief of staff David Addington, former Attorney General Alberto Gonzales, and “other individuals who ordered or participated in warrantless domestic surveillance.”

I saw two articles this morning which I think invite comparison. First, Phil Dunkelberger, CEO of PGP Corporation, says people visiting China should take laptops with no data, or encrypt what data they have: Travelers carrying smart cell phones, blackberries or laptop computers could unwittingly be offering up sensitive personal or business information to officials who monitor state-controlled telecommunications carriers, Dunkelberger said. He said that without data encryption, executives could have business plans or designs pilfered, while journalists’ lists of contacts could be exposed, putting sources at risk. ...

There’s a telecom panel at the Netroots Nation conference today on the subject of “Big Telecom: An Emerging Threat to Our Democracy?” The implied answer is yes, and it appears that every participant on the panel will be making that case. Here’s the description of the panel: Massive telecom companies control virtually all of our voice and internet communications these days—and new evidence shows a near-total lack of commitment to our democracy. AT&T has proposed filtering all content traveling on its network. Verizon tried initially to block NARAL’s pro-choice text messages. Most telecom companies are fighting net neutrality. Can democracy survive an assault by those who control the tubes?The panel members don’t include anyone with any experience managing or operating an actual telecom network, but instead includes two people who have repeatedly demonstrated not only an ignorance of telecom law, technology, and policy, but who have misrepresented facts and failed to engage with the arguments of their critics, Matt Stoller and Timothy Karr (see posts on this blog in the “net neutrality” category). The closest person to a representative of a telecom is Michael Kieschnick of Working Assets, a company that is a reseller of long distance and wireless service on Sprint’s network. I agree with many of their positions–I don’t think ISPs should be allowed to block websites on the basis of disagreement with content. I think ISPs should be transparent about their network management processes and filtering. Where I disagree with them is that they advocate that the FCC step in to regulate the Internet in a way that it has never had authority to do so before, and demand that network operators not be allowed to implement classes of service with different rates of charges, or even usage caps. Art Brodsky expresses the point which has also been made by Robb Topolsky of Public Knowledge, Timothy Karr of Free Press, and Matt Stoller: In the name of “network management,” some companies want to throttle down the use of legal applications, like BitTorrent which may, coincidentally, provide competition in entertainment programming. They want to impose usage caps across the board on all customers which would stifle innovation and curb the use of video (there’s that anti-competitive meme again) without actually solving the problem of the so-called “bandwidth hogs.” The way caps are being discussed now, they would only lead to higher prices and less usage for an industry that already charges more for less than most broadband providers around the world. Parts of our broadband industry may be the only sector in the world that wants to cut down the amount of its product it wants customers to use.Brodsky’s last sentence is clearly false–broadband is like a fixed-price all-you-can-eat buffet. All businesses want to maximize their profits by maximizing revenue and minimizing costs. When bandwidth is sold at a fixed cost in unlimited amounts, where a small number of users are consuming the majority of the service, it’s in the business’s interest to restrict those users or charge them more for what they consume in order to satisfy the rest in a cost-effective manner. The options are few–you can either restrict the “bandwidth hogs” in some way, charge them more so that they pay for what they use, or raise the price for everyone. These guys seem to advocate the latter approach, while I’m in favor of allowing all the options to be used in a competitive market. Where I disagree with Comcast’s approach in issuing RST packets to block BitTorrent traffic is not that they did it, but that they were not transparent about what they were doing (and apparently didn’t quite get it quite right–it should not have completely broken BitTorrent, but only slowed it down). Brodsky’s suggestion that Comcast has an interest in blocking BitTorrent because it provides competition in the entertainment space is absurd–they have an interest in blocking it because it’s a very popular application which itself exploits Internet protocols in a way not anticipated by the designers in order to consume more bandwidth, getting around the congestion controls in TCP/IP by using multiple TCP streams. If BitTorrent traffic wasn’t filling up the majority of Comcast’s bandwidth, they’d have no interest in it, except when the MPAA and RIAA issue them subpoenas about their users infringing copyrights. If the government prohibits the use of differential classes of service (which is already heavily used by private companies to give priority to applications within their enterprise which have requirements for low latency and jitter, such as real-time streaming audio and video, including Voice over IP) and requires that congestion be dealt with by building out infrastructure sufficiently that there will never be congestion no matter how many users max out their connectivity with BitTorrent, that will reduce competition by culling smaller companies out of the picture and making market entry more difficult. In any environment where a provider’s upstream capacity is less than the sum of the capacity to every customer (and that’s everywhere, today, and always has been), all-you-can-eat bandwidth is like a commons. The more that is available, the more the heavy users will consume, to the detriment of each other and the light users. Without setting caps and having tiered pricing or implementing technology that prioritizes packets and drops from the heavy users and from less-realtime-sensitive applications first (like BitTorrent), there are no incentives against consuming everything that is available. I also think it’s a huge mistake to have the FCC start regulating the Internet. FCC chairman Kevin Martin would no doubt love to place indecency standards and filtering requirements on Internet content. Once you open the door to FCC regulation of the Internet, that becomes more likely. And the FCC has been completely ineffectual at dealing with existing abuses like fraudulent telemarketing, illegal prerecord calls to residences and cell phones, caller ID spoofing, etc., already covered by statute and regulation. I’d rather see clear statutes that include private rights of action than entrust control of the Internet to the FCC. The FCC is a slow-moving bureaucracy, and AT&T and Verizon have the deepest pockets, the most lawyers, and the most personnel who have shuffled back and forth between government (including the NSA) and industry. That gives AT&T and Verizon the tactical advantage, and leads to less competition rather than more. Which brings me to the warrantless wiretapping and telecom immunity issues, which Cindy Cohn of the EFF no doubt addressed on the Netroots Nation panel. I suspect I have little if any disagreement with her. I’ve long been a supporter of the EFF, as are many people involved in the management of ISPs. I strongly oppose telecom immunity for warrantless wiretapping, a complete abdication of Congress’ responsibility to support the U.S. Constitution. But this shows the power of AT&T and Verizon. Not only did they get what they wanted, but the very infrastructure which was built to do this massive interception of traffic for the NSA and for law enforcement interception under the CALEA laws was built for them with assistance from government funds. All telecoms have to be compliant with CALEA (now including VoIP and broadband Internet providers), but the big incumbents who were most capable of affording it on their own got it at the lowest costs, while their competition was required to build it out at their own expense even if it never gets used. But there are legitimate uses for deep packet inspection, for understanding the nature of the traffic on a network for management purposes, including tracking down security and abuse issues. Since it is in the hands of the end user to use encryption to protect sensitive content, I think use of DPI by network providers is reasonable for the purposes of providing better service in the same way that it’s reasonable for a voice provider to intercept traffic for quality measurement purposes. It’s also reasonable for interception to occur for “lawful intercept,” but it should always require a court order (i.e., both executive and judicial branch approval) on reasonable grounds. The difficulty of obtaining wiretaps depicted in the television program “The Wire” is how it should be. I’ve written a lot on these issues, much which can be found in this blog’s Network Neutrality Index. If any reader of this blog happens to have attended the Netroots Nation telecom panel or comes across a description of its content, please point me to it, as I’d like to see what was said. I don’t have high hopes for the accuracy or reasonability of statements from Stoller and Karr, but I could be surprised, and the other panelists probably had interesting and important things to say. (See my Blogger profile for the disclosure of my employment by Global Crossing, which is currently listed by Renesys as the #3 network provider on the Internet in terms of number of customers, ahead of AT&T and Verizon, behind Sprint and Level 3.) UPDATE: The “Big Telecom” panel was live-blogged (dead, unarchived link: http://openleft.com/showDiary.do;jsessionid=C865142FFB85E14AAD27045B9A342B15?diaryId=7032"). Stoller’s anecdote about the Bill of Rights on metal is referring to Dean Cameron’s “security edition” of the Bill of Rights, which was also promoted by Penn Jillette. ...

The March 10 Wall Street Journal contains a fairly detailed description of the data mining operation being run by the NSA. The program described is more data mining than eavesdropping, though it does involve the collection of transactional data like call detail records for telephone calls, and intercepted Internet data like web search terms and email senders and recipients. Also included is financial transaction data and airline data. I think most of this had already been pieced together, but this is a fairly comprehensive summary in one place. The WSJ story reports that leads generated from the data mining effort are then fed into the Terrorist Surveillance Program, which does warrantless eavesdropping. (An earlier version of this post incorrectly referred to the whole operation as the Terrorist Surveillance Program.) ...

Gary D. Barnett, president of a financial services firm in Montana, has written an article about InfraGard for The Future of Freedom Foundation, apparently inspired by the Progressive article. Thankfully, he avoids the bogus “shoot to kill” claims, but he introduces some erroneous statements of his own. It’s apparent that he didn’t bother speaking to anyone in InfraGard or doing much research before writing his article, which is another attempt to spread fear, uncertainty, and doubt about the program. Barnett first goes wrong when he writes: ...

An article in The Progressive by Matthew Rothschild worries that the FBI’s InfraGard program is deputizing businesses, training them for martial law, and giving them a free pass to “shoot to kill.” Rothschild writes: The members of this rapidly growing group, called InfraGard, receive secret warnings of terrorist threats before the public does—and, at least on one occasion, before elected officials. In return, they provide information to the government, which alarms the ACLU. But there may be more to it than that. One business executive, who showed me his InfraGard card, told me they have permission to “shoot to kill” in the event of martial law.Nonsense. I’ve been a member of the Phoenix InfraGard Members Alliance for years. It’s a 501(c)(3) organization sponsored by the FBI whose members have been subjected to some rudimentary screening (comparable to what a non-cleared employee of the federal government would get). Most InfraGard meetings are open to the general public (contrary to Rothschild’s statement that “InfraGard is not readily accessible to the general public”), but the organization facilitates communications between members about sensitive subjects like vulnerabilities in privately owned infrastructure and the changing landscape of threats. The FBI provides some reports of threat information to InfraGard members through a secure website, which is unclassified but potentially sensitive information. InfraGard members get no special “shoot to kill” or law enforcement powers of any kind–and membership in the organization is open to anyone who can pass the screening. As Rothschild notes in the first sentence of his article, there are over 23,000 members–that is a pretty large size for a conspiracy plot. At one point in the article, Rothschild quotes InfraGard National Members Alliance chairman Phyllis Schneck referring to a “special telecommunications card that will enable your call to go through when others will not.” This is referring to a GETS card, for the Government Emergency Telecommunications Service, which provides priority service for call completion in times of emergency or disaster to personnel who are working to support critical infrastructure. There is a similar service for wireless priority (Wireless Priority Service), and yet another for critical businesses and organizations (like hospitals) which need to have their telecommunications service re-established first after a loss of service due to disaster (Telecommunications Service Priority). These programs are government programs that are independent of InfraGard, though InfraGard has helped members who represent pieces of critical infrastructure obtain GETS cards. The ACLU’s concern about InfraGard being used as a tip line to turn businesses into spies is a more plausible but still, in my opinion, unfounded concern. Businesses are not under any pressure to provide information to InfraGard, other than normal reporting of criminal events to law enforcement. The only time I’ve been specifically asked to give information to InfraGard is when I’ve been asked to speak at a regular meeting, which I’ve done a few times in talks that have been open to the public about malware threats and botnets. Check out the comments in The Progressive for some outright hysteria about fascism and martial law. I saw similar absurdity regarding the Department of Homeland Security’s TOPOFF 4 exercise, which was a sensible emergency planning exercise. Some people apparently are unable to distinguish common-sense information sharing and planning in order to defend against genuine threats from the institution of a fascist dictatorship and martial law. Now, I think there are plausible criticisms to be made of the federal government’s use of non-governmental organizations–when they’re used to sidestep laws and regulations like the Freedom of Information Act, to give lots of government grant money to organizations run by former government employees, to legally mandate funding of and reporting to private organizations and so forth. The FBI has created quite a few such organizations to do things like collect information about missing and exploited children, online crime, and so forth, typically staffed by former agents. But personally, I’ve not witnessed anything in InfraGard that has led me to have any concerns that it’s being used to enlist private businesses into questionable activities–rather, it’s been entirely devoted to sharing information that private businesses can use to shore up their own security and for law enforcement to prosecute criminals. UPDATE (February 9, 2008): The irony is that Matthew Rothschild previously wrote, regarding 9/11 truthers: We have enough proof that the Bush administration is a bunch of lying evildoers. We don’t need to make it up.He’s right about that, but he’s now helped spread nonsense about InfraGard and seriously damaged his own credibility. I find it interesting that people are so willing to conclude that InfraGard is a paramilitary organization, when it’s actually an educational and information sharing organization that has no enforcement or even emergency, disaster, or incident response function (though certainly some of its members have emergency, disaster, and incident response functions for the organizations they work for). UPDATE (February 10, 2008): I suspect tomorrow Christine Moerke of Alliant Energy will be getting calls from reporters asking what specifically she confirmed. I hope they ask for details about the conference in question, whether it was run by InfraGard or DHS, what the subject matter was, and who said what. If there’s actually an InfraGard chapter endorsing the idea that InfraGard members form armed citizen patrols authorized to use deadly force in time of martial law, that’s a chapter that needs to have its leadership removed. My suspicion, though, is that some statements about protection of infrastructure by their own security forces in times of disaster or emergency have been misconstrued. Alliant Energy operates nuclear plants, nuclear plants do have armed guards, and in Arizona, ARS 13-4903 describes the circumstances under which nuclear plant security officers are authorized to use deadly force. Those people, however, are thoroughly trained and regularly tested regarding the use of force and the use of deadly force in particular, which is not the case for InfraGard members. UPDATE (February 11, 2008): Somehow, above, I neglected to make the most obvious point–that the FBI doesn’t have the authority to grant immunity to prosecution for killing. If anyone from the FBI made that statement to InfraGard members, they were saying something that they have no authority to deliver on. UPDATE (February 12, 2008): I’ve struck out part of the above about the ACLU’s concern about spying being unfounded, as I think that’s too strong of a denial. There is a potential slippery slope here. The 9/11 Commission Report pointed to various communication problems that led to the failure to prevent the 9/11 attacks. These problems included failure to share information (mainly from the CIA to the FBI and INS), failure to communicate information within the FBI (like Phoenix Special Agent Ken Williams’ memo about suspicious Middle Easterners in flight schools), and failure to have enough resources to translate NSA intercepts (some specific chatter about the attacks was translated after the attacks had already occurred). As a result, the CIA has been working closely with the FBI on counterterrorism and counterintelligence at least since 2001. (Also see Dana Priest, “CIA Is Expanding Domestic Operations,” The Washington Post, October 23, 2002, p. A02, which is no longer available on the Post’s site but can be found elsewhere on the web, on sites whose other content is so nutty I refuse to link, as well as this January 2006 statement from FBI Director Robert Mueller on the InfraGard website, which includes the statement that “Today, the FBI and CIA are not only sharing information on a regular basis, we are exchanging employees and working together on cases every day.”) The slippery slope is this–the CIA is an organization which recruits and develops in its officers a sense of flexible ethics which has frequently resulted in incredible abuses, and which arguably has done more harm than good to U.S. interests. (My opinion on the CIA may be found in my posts on this blog labeled “CIA”; I highly recommend Tim Weiner’s Legacy of Ashes: The History of the CIA.) Some of that ethical flexibility may well rub off on FBI agents who work closely with CIA case officers. (The FBI itself has also had a history of serious abuses, an objective account of which may be found in Ronald Kessler’s book The Bureau: The Secret History of the FBI.) And then, that same ethical flexibility may rub off on InfraGard members as a result of their relationships with the FBI (and potentially relationships with the CIA, as well). The intelligence community seems to have a hunger for more and more information from more and more sources, but it is already awash in a sea of information that it has trouble processing today. (It doesn’t help that the Army fires direly needed Arabic translators because they are gay.) The need is to accurately assess the information that it has, and ensure that bits and pieces aren’t cherry-picked to produce desired conclusions, as well as ensure that information isn’t sought or assembled to serve personal and political ends of particular interests rather than combatting genuine threats to the country and its citizens. My recommendation is that all InfraGard members read Kessler’s The Bureau, Weiner’s Legacy of Ashes, and view the film that won the 2007 Academy Award for best foreign film, “The Lives of Others,” to help innoculate them against such a slippery slope. UPDATE: Amy Goodman interviewed Matt Rothschild for “Democracy Now!” on Wisconsin Public Television, in which it is pretty clear to me that Rothschild is exaggerating something he doesn’t understand–what he cites as evidence doesn’t support what he claims. Here’s a key excerpt, see the link for the full transcript: MR: […] And one other member of InfraGard [Christine Moerke of Alliant Energy] confirmed to me that she had actually been at meetings and participated in meetings where the discussion of lethal force came up, as far as what businesspeople are entitled to do in times of an emergency to protect their little aspect of the infrastructure. AG: But just to clarify, Matt Rothschild, who exactly is empowered to shoot to kill if martial law were declared? The business leaders themselves? MR: The business leaders themselves were told, at least in this one meeting, that if there is martial law declared or if there’s a time of an emergency, that members of InfraGard would have permission to protect—you know, whether it’s the local utility or, you know, their computers or the financial sector, whatever aspect. Whatever aspect of the infrastructure they’re involved with, they’d have permission to shoot to kill, to use lethal force to protect their aspect of the infrastructure, and they wouldn’t be able to be prosecuted, they were told. […] You know, this is a secretive organization. They’re not supposed to talk to the press. You need to get vetted by the FBI before you can join it. They get almost daily information that the public doesn’t get. And then they have these extraordinary, really astonishing powers being vested in them by FBI and Homeland Security, shoot-to-kill powers. I mean, this is scary stuff. MR: The business leaders themselves were told, at least in this one meeting, that if there is martial law declared or if there’s a time of an emergency, that members of InfraGard would have permission to protect—you know, whether it’s the local utility or, you know, their computers or the financial sector, whatever aspect. Whatever aspect of the infrastructure they’re involved with, they’d have permission to shoot to kill, to use lethal force to protect their aspect of the infrastructure, and they wouldn’t be able to be prosecuted, they were told.It looks to me like the following transformation has occurred: 1. At a DHS conference on emergency response, somebody asks if owners of critical pieces of infrastructure should be expected to use deadly force if necessary to protect it (e.g., a nuclear power plant). 2. Somebody at DHS answers yes. They may even add that in some cases the law provides specific justification for use of deadly force (as in the Arizona statute I cite above). 3. Matt turns that into a general right to “shoot-to-kill” in times of martial law by any InfraGard member. 4. The blogosphere turns that into roving citizen patrols unleashed on the nation as the Bush hit squad after declaration of martial law. I don’t see his key source–Christine Moerke–confirming anything beyond #1 and #2. Note other exaggerations and contradictions–Rothschild claims that InfraGard is highly secretive and selective, yet has quickly grown to over 23,000 members and has multiple public websites. He fails to note that most InfraGard meetings are open to the general public, or that it has been discussed in many articles in the national press over the last decade. Rothschild speaks of “business leaders,” which the blogosphere has turned into “CEOs,” yet I suspect the most common “business leader” represented in InfraGard is an IT or physical security manager. UPDATE (February 15, 2008): The FBI has issued an official response to Rothschild’s Progressive article (PDF), which says, in part: In short, the article’s claims are patently false. For the record, the FBI has not deputized InfraGard, its members, businesses, or anything else in the program. The title, however catchy, is a complete fabrication. Moreover, InfraGard members have no extraordinary powers and have no greater right to “shoot to kill” than other civilians. The FBI encourages InfraGard members – and all Americans – to report crime and suspected terrorist activity to the appropriate authorities.The FBI response also states that Rothschild has “refused even to identify when or where the claimed ‘small meeting’ occurred in which issues of martial law were discussed,” and promises to follow up with further clarifying details if they get that information. UPDATE (February 25, 2008): Here’s another blogger with a rational response to The Progressive article. UPDATE (March 2, 2008): Matthew Rothschild has responded to the FBI’s response on Alex Jones’ Info Wars blog, and he stands behind every word of his original article. He doesn’t display any knowledge of or response to any of the criticisms I’ve offered. ...

The Washington Times reported on December 21 that several years ago, Chinese intelligence successfully subverted the National Security Agency in Hawaii. First, by creating a company based in Hawaii to do Chinese translations which successfully obtained government contracts with the NSA to translate intercepted Chinese communications. The intercepted communications included sufficient information to identify the sources, giving the Chinese the ability to control what information was obtained by the NSA either by preventing significant information from being carried over by the compromised channel or by introducing disinformation. This shows one of the problems that faces a world superpower whose own language is commonly used and which does little or nothing to encourage its citizens to learn other languages. Understanding communications in other languages require the assistance of translators who may be working for the enemy, and the enemy can almost get away with speaking freely anywhere while being overheard, since the likelihood of comprehension is so small. The more communications you need translated, the more translators you need, and the greater the likelihood of compromise. UPDATE (January 2, 2008): Noah Schachtman at Wired and Jeffrey Carr at IntelFusion cast some doubt on this story. ...

Former Qwest CEO Joseph Nacchio, found guilty of insider trading in April, is claiming in his appeal that part of the reason Qwest stock dropped in value is that the NSA cancelled some lucrative contracts with the company as punishment for its failure to cooperate in illegal warrantless wiretapping (unlike AT&T and Verizon). The Bush administration is pushing for retroactive immunity to be granted to AT&T and Verizon for its participation in these unconstitutional programs by threatening to veto any surveillance bill that doesn’t include such immunity. If the Democrats were smart, they’d go ahead and send him a surveillance bill without the immunity, and then criticize him when he vetoes it for taking action that is going to kill Americans. ...

CIA Director (and former head of the NSA) Gen. Michael Hayden is unhappy with CIA Inspector General John Helgerson’s work uncovering abuses at the CIA, so he’s ordered his own investigation of the IG, including an examination of the office’s confidential files. That’s sure to put a chill on employee cooperation with or reporting of abuses to the IG’s office.