Tag: classified information

What We Can and Can’t Know About NSA Spying: A Reply to Prof. Cordero

Georgetown Law professor Carrie Cordero—who previously worked at the Department of Justice improving privacy procedures for monitoring under the Foreign Intelligence Surveillance Act—attended our event with Sen. Ron Wyden (D-OR) on the FISA Amendments Act last week. Perhaps unsurprisingly, she’s rather more comfortable with the surveillance authorized by the law than our speakers were, and posted some critical commentary at the Lawfare blog (which is, incidentally, required reading for national security and intelligence buffs). Marcy Wheeler has already posted her own reply, but I’d like to hit a few points as well. Here’s Cordero:

Since at least the summer of 2011, [Wyden and Sen. Mark Udall] have been pushing the Intelligence Community to provide more public information about how the FAA works, and how it affects the privacy rights of Americans. In particular, they have, in a series of letters, requested that the Executive Branch provide an estimate of the number of Americans incidentally intercepted during the course of FAA surveillance. According to the exchanges of letters, the Executive Branch has repeatedly denied the request, on the basis that: i) it would be an unreasonable burden on the workforce (and, presumably, would take intelligence professionals off their national security mission); and ii) gathering the data the senators are requesting would, in and of itself, violate privacy rights of Americans.

The workforce argument, even if true, is, of course, a loser. The question of whether the data call itself would violate privacy rights is a more interesting one. Multiple oversight personnel independent of the operational and analytical wings of the Intelligence Community – including the Office of Management and Budget, the NSA Inspector General, and just last month, the Inspector General of the Intelligence Community, have all said that the data call requested by the senators is not feasible. The other members of the SSCI appear to accept this claim on its face. Meanwhile, Senator Wyden states he just finds the claim unbelievable. That there must be some way it can be done, he says, if even on a sample basis. Maintaining that position puts him in an interesting place, however: is the privacy advocate actually advocating for violating the privacy rules, to appease a Congressional request? Assuming that he would not actually want to advocate that the rules be waived at the request of a politician, a question then arises as to whether the Intelligence Community has adequately explained exactly how the data call would work and why it would conflict with existing privacy rules and protections, such as minimization procedures.

I’ll grant Cordero this point: as absurd as it sounds to say “we can’t tell you how many Americans we’re spying on, because it would violate their privacy,” this might well be a concern if those of us who follow these issues from the outside are correct in our surmises about what NSA is doing under FAA authority. The only real restriction the law places on the initial interception of communications is that the NSA use “targeting procedures” designed to capture traffic to or from overseas groups and individuals. There’s an enormous amount of circumstantial evidence to suggest that initial acquisition is therefore extremely broad, with a large percentage of international communications traffic being fed into NSA databases for later querying. If that’s the case, then naturally the tiny subset of communications later reviewed by a human analyst—because they match far narrower criteria for suspicion—is going to be highly unrepresentative. To get even a rough statistical sample of what’s in the larger database, then, one would have to “inspect”—possibly using software—a whole lot of the innocent communications that wouldn’t otherwise ever be analyzed. And possibly the rules currently in place don’t make any allowance for querying the database—even to analyze metadata for the purpose of generating aggregate statistics—unless it’s directly related to an intelligence purpose.

A few points about this. First: assuming, for the moment, that this is the case, why can’t NSA and DOJ say so clearly and publicly? Because it would somehow imperil national security to characterize the surveillance program even at this highest level of generality, without any mention of particular search parameters or targets? Would it “help the terrorists” if they answered a more recent query from a bipartisan group of senators, asking whether database searches (as opposed to initial “targeting”) had focused on specific American citizens? Please.

A more plausible hypothesis is that they recognize that an official, public acknowledgement that the government is routinely copying and warehousing millions of completely innocent communications—even if they’re only looking at the “suspicious” minority—would not go over entirely smoothly with the citizenry. There might even be a demand for some public debate about whether this is the kind of thing we’re willing to countenance. Legal scholars might become curious whether whatever arguments support the constitutionality of this practice hold up as well in the light of day as they do when they’re made unopposed in closed chambers. Even without an actual estimate, any meaningful discussion of the workings of the program would be likely to undermine the whole pretense that it only “incidentally” involves the communications of innocent Americans, or that the constraints on “targeting” constitute a meaningful safeguard. The desire to avoid the whole hornet’s nest using the pretext of national security is perhaps understandable, but it shouldn’t be acceptable in a democracy. Yet everyone knows overclassification is endemic—even the government’s own former “classification czar” has blasted the government’s use of inappropriate secrecy as a weapon against critics.

Second, transparency at this level of generality is an essential component of privacy protection. To the extent that the rules governing access to the database preclude any attempt to audit its aggregate contents—including by automated software tallying of identifiers such as area codes and IP addresses—they should indeed be changed, not because a senator demanded it, but because they otherwise preclude adequate oversight. An online service that keeps no server logs would be somewhat more protective of its users’ privacy… if its database were otherwise perfectly secure against intrusion or misuse. In the real world, where there’s no such thing as perfect security, such a service would be protecting user privacy extremely poorly, because it would lack the ability to detect and prevent breaches. If it is not possible to audit the NSA’s system in this way, then that system needs to be altered until it is possible. If giving Congress a rough sense of the extent of the agency’s surveillance of Americans falls outside the parameters of the intelligence mission (and therefore the permissible uses of the database), it’s time for a new mission statement.

Finally, Cordero closes by noting the SSCI has touted its own oversight as “extensive” and “robust,” which Cordero thinks “debunks” the suggestion embedded in our event title that the FAA enables “mass spying without accountability.” (Can I debunk the debunking by lauding the accuracy and thoroughness of my own analysis?) Unfortunately, the consensus of most independent analysts of the intelligence committees’ performance is a good deal less sanguine—which makes me hesitant to take that self-assessment at face value.

As scholars frequently point out, the overseers are asked to process incredibly complex information with a limited cleared staff to assist them, and often forbidden to take notes at briefings or remove reports from secure facilities. When you read about those extensive reports, recall that in the run-up to the invasion of Iraq only six senators and a handful of representatives ever read past the executive summary of the National Intelligence Estimate on Iraq’s WMD programs to the far more qualified language of the full 92-page report. You might think the intel committees would need to hold more hearings than their counterparts to compensate for these disadvantages, but UCLA’s Amy Zegart has found that they consistently rank at the bottom of the pack, year after year. Little wonder, then, that years of flagrant and systemic misuse of another controversial surveillance tool—National Security Letters—was not uncovered by the “extensive” and “robust” oversight of the intelligence committees, but by the Justice Department’s inspector general.

In any event, we seem to have at least 13 senators who don’t believe they’ve been provided with enough information to perform their oversight role adequately. Perhaps they’re setting the bar too high, but I find it more likely that their colleagues—who over time naturally grow to like and trust the intelligence officials upon whom they rely for their information—are a bit too easily satisfied. There are no prizes for expending time, energy, and political capital on ferreting out civil liberties problems in covert intelligence programs, least of all in an election year. It’s far easier to be satisfied with whatever data the intelligence community deigns to dribble out—often with heroic indifference to statutory reporting deadlines—and take it on faith that everything’s running as smoothly as they say. That allows you to write, and even believe, that you’re conducting “robust” oversight without knowing (as Wyden’s letter suggests the committee members do not) roughly how many Americans are being captured in NSA’s database, how many purely-domestic communications have been intercepted, or whether warrantless “backdoor” targeting of Americans is being done via the selection of database queries. But the public need not be so easily satisfied, nor accept that meaningful “accountability” exists when all those extensive reports leave the overseers ignorant of so many basic facts.

Wikileaks Sheds Light on Government Ineptitude

For years I have told anybody who would listen how U.S. efforts to stabilize Afghanistan contribute to Pakistan’s slow-motion collapse. Well, it appears that my take on the situation was not so over-the-top. Amid some 250,000 confidential diplomatic cables released by online whistleblower Wikileaks, former U.S. ambassador to Pakistan Anne W. Patterson warned in cable traffic that U.S. policy in South Asia “risks destabilizing the Pakistani state, alienating both the civilian government and the military leadership, and provoking a broader governance crisis without finally achieving the goal.”

On one level, this cable underscores what a disaster American foreign policy has become. But on another level, the leak of this and other cables strikes me as completely odd and slightly scary. How did Pfc. Bradley Manning, who stands accused of stealing the classified files from Siprnet and handing them to Wikileaks founder Julian Assange, obtain access to these files in the first place? How does a young, low-level Army intelligence analyst gain access to a computer with hundreds of thousands of classified documents from all over the world?

After 9/11, the government made an effort to link up separate archives of government information. In theory, anyone in the State Department or the U.S. military can access these archives if he has: (1) a computer connected to Siprnet, and (2) a “secret” security clearance. As Manning told a fellow hacker: “I would come in with music on a CD-RW labeled with something like ‘Lady Gaga’ … erase the music … then write a compressed split file. No one suspected a thing… [I] listened and lip-synched to Lady Gaga’s ‘Telephone’ while exfiltrating possibly the largest data spillage in American history.” Manning said he “had unprecedented access to classified networks 14 hours a day 7 days a week for 8+ months.”

I’m all for less government secrecy, particularly when U.S. officials are doing bizarre things like tabulating the biometric data of various UN officials, the heads of other international institutions, and African heads of state. That these supposedly “confidential” communications were so easily leaked highlights the appalling ineptitude of our unwieldy national security bureaucracy. Indeed, the phenomenon of Wikileaks says as much about government policy as it does about government incompetence.

Random Thoughts on WikiLeaks

I’ve fielded some questions today about the WikiLeaks story, and I’m feeling pretty conflicted.

I’m aware of the fact that the leak of classified information could pose a short-term risk to national security, but it is my sense that most of the claims of dire harm are overwrought. There is considerable evidence that much – perhaps most – classified material is improperly classified; governments oftentimes invoke claims of secrecy to shield themselves from embarrassment, not to protect national security. In that sense, some diplomats and government officials might be red in the face today, but I doubt that most Americans are feeling less secure than before the latest revelations from WikiLeaks.

If I thought that the attention on minute and often mundane details that shouldn’t be classified precipitated a closer look at overclassification, WikiLeaks might have a beneficial side effect. As it is, however, it is likely to increase the government’s obsession with secrecy, with policymakers scrambling to close down supposedly dangerous loopholes, some of which were opened up after 9/11 to facilitate information-sharing between agencies. This process of clamping down on interagency collaboration has already begun.

As to the particulars, with respect to diplomatic correspondence, there is a tension between individuals sharing their genuine opinions about another country, or that country’s leaders, and concern that their candid assessments in private conversations be revealed. People do keep secrets from one another, including their friends, spouses and family members. It is basic human nature. And it is basic human nature to clam up the next time you’re talking to a friend who recently blabbed your secrets to a third party. As such, the WikiLeaks episode might have a chilling effect on candor, but I believe that this effect will dissipate over time.

Concern that this will undermine U.S. diplomatic standing, or otherwise lead people to question the U.S. government’s capacity for conducting foreign policy, is misplaced. We don’t (or shouldn’t) question the U.S. Army’s ability to conduct military operations because of the occasional friendly fire incident. Given the volume of documents released in what are now several WikiLeaks rounds, some might ask whether this is the equivalent of many thousands of unfortunate incidents, and therefore a sign of a systemic failure. I doubt it. The vast majority of individuals in possession of classified material treat this information with great care. More to the point, I am confident that this will be a minor episode in U.S. diplomatic history when compared to huge blunders such as the war in Iraq and the deepening – and open-ended – war in Afghanistan.

The WikiLeaks case also touches on the law, and on an individual’s responsibility to obey such laws, two of my least favorite subjects. Not all laws are sacrosanct, and I’ve just noted that much classified material shouldn’t be. As such, some might claim that releasing such information is a legitimate form of civil disobedience, because the laws governing release of documents are unjust.

But I don’t think that overclassification and other resorts to secrecy to shield the government from public scrutiny are on par with far more egregious violations of the basic rights and liberties of all citizens. If I could be convinced otherwise, I might change my mind.

For now, because I don’t trust individual leakers to be able to discern which material is legitimately classified, and which is not, I believe that individuals who possess classified material and knowingly release it to people not cleared for such information should be prosecuted to the full extent of the law.

Finally, as a practical matter, I am particularly leery of individuals passing judgment on when to follow the rules, and when to ignore them, in cases involving national security. We rightly condemn military officers who defy civilian authority over the conduct of war. We should be equally critical of people who choose to go their own way in the conduct of information warfare. People with access to classified material have chosen to work in the government. They therefore choose to abide by the government’s rules, and should expect to pay a penalty if they violate them.