Tag: intelligence

Big Teacher Is Watching

Researching government invasions of privacy all day, I come across my fair share of incredibly creepy stories, but this one may just take the cake.  A lawsuit alleges that the Lower Merion School District in suburban Pennsylvania used laptops issued to each student to spy on the kids at home by remotely and surreptitiously activating the webcam built into the bezel of each one. The horrified parents of one student apparently learned about this capability when their son was called in to the assistant principal’s office and accused of “inappropriate behavior while at home.” The evidence? A still photograph taken by the laptop camera in the student’s home.

I’ll admit, at first I was somewhat skeptical—if only because this kind of spying is in such flagrant violation of so many statutes that I thought surely one of the dozens of people involved in setting it up would have piped up and said: “You know, we could all go to jail for this.” But then one of the commenters over at Boing Boing reminded me that I’d seen something like this before, in a clip from a Frontline documentary about the use of technology in one Bronx school.  Scroll ahead to 4:37 and you’ll see a school administrator explain how he can monitor what the kids are up to on their laptops in class. When he sees students using the built-in Photo Booth software to check their hair instead of paying attention, he remotely triggers it to snap a picture, then laughs as the kids realize they’re under observation and scurry back to approved activities.

I’ll admit, when I first saw that documentary—it aired this past summer—that scene didn’t especially jump out at me. The kids were, after all, in class, where we expect them to be under the teacher’s watchful eye most of the time anyway. The now obvious question, of course, is: What prevents someone from activating precisely the same monitoring software when the kids take the laptops home, provided they’re still connected to the Internet?  Still more chilling: What use is being made of these capabilities by administrators who know better than to disclose their extracurricular surveillance to the students?  Are we confident that none of these schools employ anyone who might succumb to the temptation to check in on teenagers getting out of the shower in the morning? How would we ever know?

I dwell on this because it’s a powerful illustration of a more general point that can’t be made often enough about surveillance: Architecture is everything. The monitoring software on these laptops was installed with an arguably legitimate educational purpose, but once the architecture of surveillance is in place, abuse becomes practically inevitable.  Imagine that, instead of being allowed to install a bug in someone’s home after obtaining a warrant, the government placed bugs in all homes—promising to activate them only pursuant to a judicial order.  Even if we assume the promise were always kept and the system were unhackable—both wildly implausible suppositions—the amount of surveillance would surely spike, because the ease of resorting to it would be much greater even if the formal legal prerequisites remained the same. And, of course, the existence of the mics would have a psychological effect of making surveillance seem like a default.

You can see this effect in law enforcement demands for data retention laws, which would require Internet Service Providers to keep at least customer transactional logs for a period of years. In face-to-face interactions, of course, our default assumption is that no record at all exists of the great majority of our conversations. Law enforcement accepts this as a fact of nature. But with digital communication, the default is that just about every activity creates a record of some sort, and so police come to see it as outrageous that a potentially useful piece of evidence might be deleted.

Unfortunately, we tend to discuss surveillance in myopically narrow terms.  Should the government be able to listen in on the phone conversations of known terrorists? To pose the question is to answer it. What kind of technological architecture is required to reliably sweep up all the communications an intelligence agency might want—for perfectly legitimate reasons—and what kind of institutional incentives and inertia does that architecture create? A far more complicated question—and one likely to seem too abstract to bother about for legislators focused on the threat of the week.

Holder on the Hot Seat

Today Politico Arena asks:

Terror suspects: Eric Holder’s defense (nothing new here)–agree or disagree?

My response:

There’s no question that after the killings in Little Rock and Fort Hood, the decision to try the KSM five in a civilian court in downtown Manhattan, and the Christmas Day bombing attempt (the government’s before and after behavior alike), the Obama-Holder “law-enforcement” approach to terrorism is under serious bipartisan scrutiny.  And Holder’s letter yesterday to his critics on the Hill isn’t likely to assuage them, not least because it essentially ignores issues brought out in the January 20 hearings before the Senate Committee on Homeland Security, like the government’s failure to have its promised High-Value Interrogation Group (HIG) in place.
 
Nor are the administration’s repeated efforts to justify itself by saying it’s doing only what the Bush administration did likely to persuade.  In the aftermath of 9/11, and in the teeth of manifold legal challenges, the Bush administration hardly developed a systematic or consistent approach to terrorism.  Much thought has been given to the subject since 9/11, of course, and it’s shown the subject to be anything but simple.  Nevertheless, if anything is clear, it is that if we are in a war on terror (or in a war against Islamic terrorists), as Obama has finally acknowledged, then the main object in that war ought not to be “to bring terrorists to justice” through after-the-fact prosecutions – the law-enforcement approach – but to prevent terrorist attacks before they happen, which means that intelligence gathering should be the main object of this war.  And that, precisely, is what the obsession with Mirandizing, lawyering up, and prosecuting seems to treat as of secondary importance.  Intelligence is our first line of defense – and should be our first priority.

The Art of Foreign Policy Punditry

Foreign Policy magazine performs an important public service, publishing a compendium of the “top 10 worst predictions for 2009.” My favorite?

If we do nothing, I can guarantee you that within a decade, a communist Chinese regime that hates democracy and sees America as its primary enemy will dominate the tiny country of Panama, and thus dominate the Panama Canal, one of the world’s most important strategic points.

Rep. Dana Rohrabacher (R-Calif.), Dec. 7, 1999

Rohrabacher made this alarming prediction during a debate on the U.S. handover of the Panama Canal. His fellow hawk, retired Adm. Thomas Moorer, even warned that China could sneak missiles into Panama and use the country as a staging ground for an attack on the United States. Well, Rohrabacher’s decade ran out this December, and all remains quiet on the Panamanian front. As for China, the United States is now its largest trading partner.


Flowers and Chocolates?

The point here isn’t to poke fun at Rohrabacher, or any of the other predictors featured on the FP list.  Rather, it’s to point out that predicting the future is really hard.  And as Ben Friedman and I have harped on, you just can’t aspire to any predictive competence without sound theory to guide you.  In order to judge that if we do (or don’t do) X, Y will happen, you need a theory connecting X to Y.  So looking back at our predictions, and comparing them to the results of our policies, is a useful way to test the theories on which we based our policies in the first place.

Putting falsifiable predictions out there is a collective action problem, though: If I start offering nothing but precise point-predictions about what will or won’t happen if we start a war with Iran, or how big the defense budget will get, or anything else, I’m going to get a lot of things wrong.  And if everyone else keeps offering vapid, non-falsifiable rhetoric, I stand to look like a real jackass while everyone can hide behind the fog of common-use language.  As I wrote in the National Interest a while back:

Foreign-policy analysts have an incredibly difficult task: to make predictions about the future based on particular policy choices in Washington. These difficulties extend into the world of intelligence, as well. The CIA issues reports with impossibly ambitious titles like “Mapping the Global Future”, as if anyone could actually do that. The father of American strategic analysis, Sherman Kent, grappled with these difficulties in his days at OSS and CIA. When Kent finally grew tired of the vapid language used for making predictions, such as “good chance of”, “real likelihood that” and the like, he ordered his analysts to start putting odds on their assessments. When a colleague complained that Kent was “turning us into the biggest bookie shop in town”, Kent replied that he’d “rather be a bookie than a [expletive] poet.”

Actually, though, it’s worse than this.  As I wrote in the American Conservative, there’s basically no endogenous mechanism to hold irresponsible predictors accountable:

In 1992, the Los Angeles Times ran an article outlining the dynamics of the “predictions” segment of the popular “McLaughlin Group” TV program.  Michael Kinsley, who had been a panelist on the program, admitted

“When I was doing the show, I was much more interested in coming up with an interesting prediction than in coming up with one that was true.  There’s no penalty for being wrong, but there is a penalty for being boring.  …Prognosticators have known for centuries that people only remember what you got right.  They don’t remember what you got wrong.”

Foreign-policy analysis works in much the same way.  Errant predictions are quickly forgotten.  It is the interesting predictions that the media want, and unfortunately interesting predictions in the context of foreign policy often mean predictions of unprovoked foreign attacks, geopolitical chaos, and a long queue of bogeymen waiting to threaten us.  (By contrast, after a given policy is enacted, its proponents have to spin it in a positive light, as in Iraq.)  Meanwhile, it is the person with the quickest wit and the pithiest one-liner–not the deepest understanding–who winds up with the responsibility of informing the American electorate about foreign-policy decisions.

So it’s very good to see that Foreign Policy has an interest in holding everyone’s feet to the fire.  John Mueller does a similar service in The Atomic Obsession, pointing out the many predictions of doom, apocalypse and general disaster that have characterized both the hawkish establishment and the leftish arms-control clique.

If this sort of exercise becomes common, though, watch for foreign-policy commentators not to develop a growing sense of modesty about their predictive power, but rather to take greater care in avoiding falsifiable statements altogether.

Three Keys to Surveillance Success: Location, Location, Location

The invaluable Chris Soghoian has posted some illuminating—and sobering—information on the scope of surveillance being carried out with the assistance of telecommunications providers.  The entire panel discussion from this year’s ISS World surveillance conference is well worth listening to in full, but surely the most striking item is a direct quotation from Sprint’s head of electronic surveillance:

[M]y major concern is the volume of requests. We have a lot of things that are automated but that’s just scratching the surface. One of the things, like with our GPS tool. We turned it on the web interface for law enforcement about one year ago last month, and we just passed 8 million requests. So there is no way on earth my team could have handled 8 million requests from law enforcement, just for GPS alone. So the tool has just really caught on fire with law enforcement. They also love that it is extremely inexpensive to operate and easy, so, just the sheer volume of requests they anticipate us automating other features, and I just don’t know how we’ll handle the millions and millions of requests that are going to come in.

To be clear, that doesn’t mean they are giving law enforcement geolocation data on 8 million people. He’s talking about the wonderful automated backend Sprint runs for law enforcement, LSite, which allows investigators to rapidly retrieve information directly, without the burden of having to get a human being to respond to every specific request for data.  Rather, says Sprint, each of those 8 million requests represents a time when an FBI computer or agent pulled up a target’s location data using their portal or API. (I don’t think you can Tweet subpoenas yet.)  For an investigation whose targets are under ongoing realtime surveillance over a period of weeks or months, that could very well add up to hundreds or thousands of requests for a few individuals. So those 8 million data requests, according to a Sprint representative in the comments, actually “only” represent “several thousand” discrete cases.

As Kevin Bankston argues, that’s not entirely comforting. The Justice Department, Soghoian points out, is badly delinquent in reporting on its use of pen/trap orders, which are generally used to track communications routing information like phone numbers and IP addresses, but are likely to be increasingly used for location tracking. And recent changes in the law may have made it easier for intelligence agencies to turn cell phones into tracking devices.  In the criminal context, the legal process for getting geolocation information depends on a variety of things—different districts have come up with different standards, and it matters whether investigators want historical records about a subject or ongoing access to location info in real time. Some courts have ruled that a full-blown warrant is required in some circumstances, in other cases a “hybrid” order consisting of a pen/trap order and a 2703(d) order. But a passage from an Inspector General’s report suggests that the 2005 PATRIOT reauthorization may have made it easier to obtain location data:

After passage of the Reauthorization Act on March 9, 2006, combination orders became unnecessary for subscriber information and [REDACTED PHRASE]. Section 128 of the Reauthorization Act amended the FISA statute to authorize subscriber information to be provided in response to a pen register/trap and trace order. Therefore, combination orders for subscriber information were no longer necessary. In addition, OIPR determined that substantive amendments to the statute undermined the legal basis for which OIPR had received authorization [REDACTED PHRASE] from the FISA Court. Therefore, OIPR decided not to request [REDACTED PHRASE] pursuant to Section 215 until it re-briefed the issue for the FISA Court. As a result, in 2006 combination orders were submitted to the FISA Court only from January 1, 2006, through March 8, 2006.

The new statutory language permits FISA pen/traps to get more information than is allowed under a traditional criminal pen/trap, with a lower standard of review, including “any temporarily assigned network address or associated routing or transmission information.” Bear in mind that it would have made sense to rely on a 215 order only if the information sought was more extensive than what could be obtained using a National Security Letter, which requires no judicial approval. That makes it quite likely that it’s become legally easier to transform a cell phone into a tracking device even as providers are making it point-and-click simple to log into their servers and submit automated location queries.  So it’s become much more  urgent that the Justice Department start living up to its obligation to start telling us how often they’re using these souped-up pen/traps, and how many people are affected.  In congressional debates, pen/trap orders are invariably mischaracterized as minimally intrusive, providing little more than the list of times and phone numbers they produced 30 years ago.  If they’re turning into a plug-and-play solution for lojacking the population, Americans ought to know about it.

If you’re interested enough in this stuff to have made it through that discussion, incidentally, come check out our debate at Cato this afternoon, either in the flesh or via webcast. There will be a simultaneous “tweetchat” hosted by the folks at Get FISA Right.

The FISA Amendments: Behind the Scenes

I’ve been poring over the trove of documents the Electronic Frontier Foundation has obtained detailing the long process by which the FISA Amendments Act—which substantially expanded executive power to conduct sweeping surveillance with little oversight—was hammered out between Hill staffers and lawyers at the Department of Justice and intelligence agencies. The really interesting stuff, of course, is mostly redacted, and I’m only partway through the stacks, but there are a few interesting tidbits so far.

As Wired has already reported, one e-mail shows Bush officials feared that if the attorney general was given too much discretion over retroactive immunity for telecoms that aided in warrantless wiretapping, the next administration might refuse to provide it.

A couple other things stuck out for me. First, while it’s possible they’ve been released before and simply not crossed my desk, there are a series of position papers — so rife with  underlining that they look like some breathless magazine subscription pitch — circulated to Congress explaining the Bush administration’s opposition to various proposed amendments to the FAA. Among these was a proposal by Sen. Russ Feingold (D-WI) that would have barred “bulk collection” of international traffic and required that the broad new intelligence authorizations specify (though not necessarily by name) individual targets. The idea here was that if there were particular suspected terrorists (for instance) being monitored overseas, it would be fine to keep monitoring their communications if they began talking with Americans without pausing to get a full-blown warrant — but you didn’t want to give NSA carte blanche to just indiscriminately sweep in traffic between the U.S. and anyone abroad. The position paper included in these documents is more explicit than the others that I’ve seen about the motive for objecting to the bulk collection amendment. Which was, predictably, that they wanted to do bulk collection:

  • It also would prevent the intelligence community from conducting the types of intelligence collection necessary to track terrorists and develop new targets.
  • For example, this amendment could prevent the intelligence community from targeting a particular group of buildings or a geographic area abroad to collect foreign intelligence prior to operations by our armed forces.

So to be clear: Contra the rhetoric we heard at the time, the concern was not simply that NSA would be able to keep monitoring a suspected terrorist when he began calling up Americans. It was to permit the “targeting” of entire regions, scooping all communications between the United States and the chosen area.

One other exchange at least raises an eyebrow.  If you were following the battle in Congress at the time, you may recall that there was a period when the stopgap Protect America Act had expired — though surveillance authorized pursuant to the law could continue for many months — and before Congress approved the FAA. A week into that period, on February 22, 2008, the attorney general and director of national intelligence sent a letter warning Congress that they were now losing intelligence because providers were refusing to comply with new requests under existing PAA authorizations. A day later, they had to roll that back, and some of the correspondence from the EFF FOIA record makes clear that there was an issue with a single recalcitrant provider who decided to go along shortly after the letter was sent.

But there’s another wrinkle. A week prior to this, just before the PAA was set to expire, Jeremy Bash, the chief counsel for the House Permanent Select Committee on Intelligence, sent an email to “Ken and Ben,” about a recent press conference call. It’s clear from context that he’s writing to Assistant Attorney General Kenneth Wainstein and General Counsel for the Director of National Intelligence Ben Powell about this press call, where both men fairly clearly suggest that telecoms are balking for fear that they’ll no longer be immune from liability for participation in PAA surveillance after the statute lapses. Bash wants to confirm whether they really said that “private sector entities have refused to comply with PAA certifications because they were concerned that the law was temporary.” In particular, he wants to know whether this is actually true, because “the briefs I read provided a very different rationale.”  In other words, Bash — who we know was cleared for the most sensitive information about NSA surveillance — was aware of some service providers being reluctant to comply with “new taskings” under the law, but not because of the looming expiration of the statute. One of his correspondents — whether Wainstein or Powell is unclear — shoots back denying having said any such thing (read the transcript yourself) and concluding with a terse:

Not addressing what is in fact the situation on both those issues (compliance and threat to halt) on this email.

In other words, the actual compliance issues they were encountering would have to be discussed over a more secure channel. If the issue wasn’t the expiration, though, what would the issue have been? The obvious alternative possibility is that NSA (or another agency) was attempting to get them to carry out surveillance that they thought might fall outside the scope of either the PAA or a particular authorization. Given how sweeping these were, that should certainly give us pause. It should also raise some questions as to whether, even before that one holdout fell into compliance, the warning letter from the AG and the DNI was misleading. Was there really ever a “gap” resulting from the statute’s sunset, or was it a matter of telecoms balking at an attempt by the intelligence community to stretch the bounds of their legal authority? The latter would certainly fit a pattern we saw again and again under the Bush administration: break the law, inducing a legal crisis, then threaten bloody mayhem if the unlawful program is forced to abruptly halt — at which point a nervous Congress grants its blessing.

Who Reads the Readers?

This is a reminder, citizen: Only cranks worry about vastly increased governmental power to gather transactional data about Americans’ online behavior. Why, just last week, Rep. Lamar Smith (R-TX) informed us that there has not been any “demonstrated or recent abuse” of such authority by means of National Security Letters, which permit the FBI to obtain many telecommunications records without court order. I mean, the last Inspector General report finding widespread and systemic abuse of those came out, like, over a year ago! And as defenders of expanded NSL powers often remind us, similar records can often be obtained by grand jury subpoena.

Subpoenas like, for instance, the one issued last year seeking the complete traffic logs of the left-wing site Indymedia for a particular day. According to tech journo Declan McCullagh:

It instructed [System administrator Kristina] Clair to “include IP addresses, times, and any other identifying information,” including e-mail addresses, physical addresses, registered accounts, and Indymedia readers’ Social Security Numbers, bank account numbers, credit card numbers, and so on.

The sweeping request came with a gag order prohibiting Clair from talking about it. (As a constitutional matter, courts have found that recipients of such orders must at least be allowed to discuss them with attorneys in order to seek advice about their legality, but the subpoena contained no notice of that fact.) Justice Department officials tell McCullagh that the request was never reviewed directly by the Attorney General, as is normally required when information is sought from a press organization. Clair did tell attorneys at the Electronic Frontier Foundation, and when they wrote to U.S. Attorney Timothy Morrison questioning the propriety of the request, it was promptly withdrawn. EFF’s Kevin Bankston explains the legal problems with the subpoena at length.

Perhaps ironically, the targeting of Indymedia, which is about as far left as news sites get, may finally hep the populist right to the perils of the burgeoning surveillance state. It seems to have piqued Glenn Beck’s interest, and McCullagh went on Lou Dobbs’ show to talk about the story. Thus far, the approved conservative position appears to have been that Barack Obama is some kind of ruthless Stalinist with a secret plan to turn the United States into a massive gulag—but under no circumstances should there be any additional checks on his administration’s domestic spying powers.  This always struck me as both incoherent and a tragic waste of paranoia. Now that we’ve had a rather public reminder that such powers can be used to compile databases of people with politically unorthodox browsing habits, perhaps Beck—who seems to be something of an amateur historian—will take some time to delve into the story of COINTELPRO and other related projects our intelligence community busied itself with before we established an architecture of surveillance oversight in the late ’70s.

You know, the one we’ve spent the past eight years dismantling.

Obama’s (In)Decision on Afghanistan

According to CBS News, President Barack Obama will send most, if not all, of the 40,000 additional troops that General Stanley McChrystal requested and reportedly plans to keep those troops in Afghanistan for the long-term.

If the CBS report turns out to be true—the White House has backed away, and other news outlets are leaving the story alone for the moment—the president’s decision is disappointing, but expected. Last month, the administration ruled out the notion of a near-term U.S. exit from Afghanistan, arguing that the Taliban and al Qaeda would perceive an early pullout as a victory over the United States. But if avoiding a perception of weakness is the rationale that the administration is operating under, then we have already lost by allowing our enemies to dictate the terms of the war.

Gen. McChrystal’s ambitious strategy hopes to integrate U.S. troops into the Afghan population. These additional troops might reduce violence in the short- to medium-term. But this strategy rests on the presumption that Afghans in heavily contested areas want the protection of foreign troops. The reality might be very different; western forces might instead be perceived as a magnet for violence.

McChrystal’s strategy also presumes that an additional 40,000 troops will be enough. But proponents of an ambitious counterinsurgency strategy need to come clean on the total bill that would be required. For a country the size of Afghanistan, with roughly 31 million people, the Army and Marine Corps counterinsurgency doctrine advises between 620,000 and 775,000 counterinsurgents—whether native or foreign. Furthermore, typical counterinsurgency missions require such concentrations of forces for a decade or more. Given these realities, we could soon hear cries of “surge,” “if only,” and “not enough.”

Even if the United States and its allies committed themselves to decades of armed nation building, success against al Qaeda would hardly be guaranteed. After all, in the unlikely event that we forged a stable Afghanistan, al Qaeda would simply reposition its presence into other regions of the world.

It is well past time for the United States to adapt means to ends. The choice for President Obama is not between counterterrorism and counterinsurgency, but between counterterrorism and counterterrorism combined with counterinsurgency. Protecting the United States from terrorism does not require U.S. troops to police Afghan villages. Where terrorists do appear, we hardly need to tinker with their communal identities. We can target our enemies with allies on the ground or, if that fails, by relying on timely intelligence for use in targeted airstrikes or small-unit raids.

President Obama’s decision on Afghanistan could define his presidency. If an escalating military strategy leads only to thousands more deaths, and at a cost of tens or hundreds of billions of dollars, then that is a bitter legacy indeed.