Homeland Security Watch

News and analysis of critical issues in homeland security

April 16, 2014

Disengaging in order to more fully engage?

Filed under: Intelligence and Info-Sharing,Radicalization,Terrorist Threats & Attacks — by Philip J. Palin on April 16, 2014

Two separate events, disconnected in any substantive way (as far as I know) but an interesting coincidence in terms of timing:

Monday the Muslim Public Affairs Council held a press conference alongside notable Muslim community leaders at the National Press Club to announce a new campaign to actively prevent violent extremism. Called the Safe Spaces Initiative, the campaign is the first major national grassroots effort to equip American Muslim community and campus leaders with practical tools for developing healthy communities as well as intervention strategies for troubled individuals. You can download the paper from the Safe Spaces website.

Tuesday the New York Police Department said it would disband a special unit charged with detecting possible terrorist threats by carrying out secret surveillance of Muslim groups. The squad that conducted the surveillance, known as the Demographics Unit, was formed in 2003. It brought the NYPD under fire from community groups and activists who accused the force of abusing civil rights and profiling.

New York Mayor Bill de Blasio said, “This reform is a critical step forward in easing tensions between the police and the communities they serve, so that our cops and our citizens can help one another go after the real bad guys.”

April 10, 2014

Mass aggregation and analysis of data: Debate, discussion, desiderata

Filed under: Intelligence and Info-Sharing,Legal Issues,Media,Privacy and Security — by Philip J. Palin on April 10, 2014

On Monday the Supreme Court declined a petition to expedite consideration of Klayman v. Obama.   The plantiffs had sought to by-pass appellate review given the government’s “outrageous intrusion of privacy” confirmed by a Federal District Court’s finding.

Klayman is one of several cases focused on the government’s aggregation and analysis of metadata, as exposed by the Edward Snowden document releases.  (Prior consideration by HLSWatch is available here.)

Since the December decision in Klayman at least one other Federal District Court has affirmed the constitutionality of actions that the judge in Klayman suggested would cause Madison to spin in his grave.  A variety of related cases — and contending judgments — are working their way through the courts.

It would have been unusual for the Supreme Court to abbreviate the process.  On this issue a fulsome set of legal engagements should serve to clarify key issues.

The political process around mass surveillance is also advancing.  On March 25 the President outlined several reforms to how metadata is collected and accessed.  The Republican Chair and ranking Democrat on the House Intelligence Committee have proposed their own reforms. There is also an effort underway to frame-up policy directions for the digital domain that go beyond a privacy-v-security binary.

The political context features several advocacy groups, such as the ACLU and EFF, pressing for privacy rights; several commercial organizations including AT&T, Verizon, Google and Facebook reluctant to be identified  as co-conspirators in invading consumer privacy; and a mainstream media keen to cover any source of conflict.

At least in the United States there is deeply divided public opinion.  For example one January poll found that 48 percent of respondents approved and 47 percent did not approve of tracking phone calls for potential terrorist links. Roughly twenty-percent of those who approved of the phone tracking also agreed the program is “too much intrusion into Americans’ private life”.   This tracks with what seems to be increasing concern that “anti-terrorism policies” threaten civil liberty, even as support for specific anti-terrorism activities remains strong.

TREND: What concerns you more about the government’s anti-terrorism policies, that they have gone too far in restricting the average person’s civil liberties, or that they have not gone far enough to adequately protect the country?
                     Jan 09  Oct 01  Aug 02  Jul 10  Jan 14
                     2014    2013    2013    2013    2010

Gone too far         51      43      46      45      25
Not gone far enough  33      40      39      40      63
DK/NA                16      17      15      15      12

Are these public attitudes contradictory… ambivalent… paradoxical?  Are these the ill-considered judgments of a poorly informed mass or a signal of profound crowd-wisdom?

Our intellectual culture is (mostly unconsciously) influenced by Hegel (abstract, negative, concrete or sometimes thesis, antithesis, synthesis and more).  The law is especially Hegelian in its dependence on the adversarial process.  Well beyond the law we are inclined to engage contending perspectives in search for ideal solutions.  For some this ideal emerges from historical (empirical) context.  For others there is an ideal that transcends history and experience.  In either case there can be a tendency to exclude or negate one option in order to achieve an other.

It is worth noting this is Hegelianism without Hegel who wrote, “Genuine tragedies in the world are not conflicts between right and wrong. They are conflicts between two rights.”  But much of our current discontent with so many aspects of politics, law, and governance may very well emerge from an intellectual conceit that seeks the best and disdains the rest.

If you characterize an issue as privacy versus security, I will probably lean toward privacy.  To acknowledge this predisposition can be helpful. It ought not be confused with thought. First principles inform but very seldom resolve our problem-solving.  Thinking requires an examination of context and contingencies and potential consequences.

Privacy and security are not necessarily in conflict, as for example in the language of the Fourth Amendment: “The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated…”

When privacy and security are perceived to be in conflict, what is the source of conflict? What are the contingent Goods that an active instance of privacy or security seems to threaten?  For surely neither privacy nor security are ends-in-themselves.  Rather each are aspects of a more comprehensive Good or Goods.  Can we articulate our valuations to each other so that we might resolve the perceived conflict by directly addressing the goals which privacy and security are thought to advance (or retard)?  Are we disagreeing over first principles or tertiary techniques?

Issues of privacy and security are clearly being considered as matters of law.  In these legal considerations ancient ethical concerns are referenced and there will clearly be contemporary ethical implications whatever the legal outcomes.

The current political arguments strike me as mostly rhetorical rather than ethical.   Typically absolute rights or obvious needs are assumed much more than demonstrated. Strawmen are set forth by every side.

In both the legal and political domains the consideration tends to be adversarial — pseudo-Hegelian — in method.   I have no objection to this as one of several methods by which a shared understanding can emerge.  I am concerned if it is the predominant method.

Where do you participate in serious and sustained consideration of important ethical issues?   Especially civic issues such as the matter of privacy v. security?  Where and how have you seen non-adversarial methods generate practical solutions?

I hope your answers are more fruitful than my own.  If not, I wonder how much the paucity of such approaches suggest a social-civic anemia for which our current political confrontations are but a symptom?

January 30, 2014

The mitigation message

East Rivers Elementary

Cobb County elementary school children sleeping Tuesday night in the gym

Last Tuesday my train pulled into Union Station, Washington DC, shortly before noon.  The station and surrounding city were unusually quiet.  The Federal Office of Personnel Management had given most of its employees liberal leave to stay home.   Most area schools followed this lead.

On Capitol Hill — where I still had some meetings — the snow did not really begin until about 2:00 and was not quite as bad as predicted even into the height of the typical rush hour, which given the OPM decision had much more rush than usual.

By the next morning there was nearly 4 inches of snow at Reagan Airport and over 8 at Dulles.  Wednesday got underway with official delays.

Still some were inclined to second-guess the Tuesday mitigation decision made with the best possible information Monday night.

I hope the second-guessers are giving close attention to the more recent news out of Atlanta.

Even at dawn Tuesday, January 28 the best information available to Georgia decision-makers — very much including the general public — was that the worst weather would track south and east of Atlanta.  Beginning between about 7 and 8 that morning the best information began to shift.  By 10 it was snowing in Bartow County on the northwestern edge of metro Atlanta.  By 11 it was snowing hard and icing.  At 11:23 Cobb County Schools (along the Northwest Atlanta beltway) closed and began busing students home.  At 12:15 Georgia DOT suggested private-sector workers head home.

By 1:00 many Atlanta highways were grid-locked, more the result of sudden volume than — yet — because of the weather.  (Should bring back unpleasant memories of similar events in Chicago and DC in recent years.)  As some of you know, traffic is not an unusual problem in Atlanta, even in fragrant and sunny springtime.

At 1:55 the Governor declared a State of Emergency; the most immediate effect being to pour state employees onto already packed roads.  Across the United States we are predisposed to evacuations.  It is a bad — sometimes, someplaces deadly — habit.

By mid-afternoon the snow and especially ice were adding to the problems.  You have probably seen the videos.  There were several hundred vehicle accidents just in the Atlanta area.

On Wednesday many Tuesday afternoon commuters were still stuck in their cars.  Some had abandoned their vehicles.  In several cases school buses were forced to retreat back to classrooms.  Several hundred children — the numbers are still unclear — spent the night in their schools. (See picture above.) My ten-year-old nephew got home from school, but neither of his parents could.  Shane spent the night at the neighbors.

There will be after-action analyses. There will be studies.  There will be hearings.  There will be blame-gaming. There will be lessons-learned.

What I hope someone will declare clearly and well is that 1) there are many things we cannot accurately predict, 2) especially in unpredictable contexts innate vulnerabilities are exposed, and 3) in densely networked environments, like cities, these vulnerabilities can sometimes meet and mate, propagating suddenly and prolifically.

So… for a whole host of risks we are wise to invest in mitigation and to keep in mind that what will always seem an over-investment before will likely pay profitable dividends after.

This principle applies well beyond the weather, including water systems, supply chains, fuel networks, bridges, and much, much more.

January 29, 2014

Senate Intelligence Hearing: Current and Projected National Security Threats Against the United States

This morning the Senate Select Committee on Intelligence held a hearing “Current and Projected National Security Threats Against the United States.” Testifying were the Directors of National Intelligence, CIA, DIA, and FBI.

I’ve yet to watch the hearing or read the transcript, but thought they’d be worth sharing.

 

The transcript can be found here: http://www.washingtonpost.com/world/national-security/transcript-senate-intelligence-hearing-on-national-security-threats/2014/01/29/b5913184-8912-11e3-833c-33098f9e5267_story.html

January 17, 2014

The President’s remarks on signals intelligence

Filed under: Cybersecurity,Intelligence and Info-Sharing,Privacy and Security — by Philip J. Palin on January 17, 2014

This is a cut-and-paste from the White House website of the President’s remarks given at the Department of Justice earlier today. The topic. as headlined by the White House, is “signals intelligence”. I have highlighted a few phrases in bold, toward the end of a long day and longer week. No particular insight is promised in the highlights. But especially with this President, a careful read of the whole is almost always worth it.

–+–

THE PRESIDENT: At the dawn of our Republic, a small, secret surveillance committee borne out of the “The Sons of Liberty” was established in Boston. And the group’s members included Paul Revere. At night, they would patrol the streets, reporting back any signs that the British were preparing raids against America’s early Patriots.

Throughout American history, intelligence has helped secure our country and our freedoms. In the Civil War, Union balloon reconnaissance tracked the size of Confederate armies by counting the number of campfires. In World War II, code-breakers gave us insights into Japanese war plans, and when Patton marched across Europe, intercepted communications helped save the lives of his troops. After the war, the rise of the Iron Curtain and nuclear weapons only increased the need for sustained intelligence gathering. And so, in the early days of the Cold War, President Truman created the National Security Agency, or NSA, to give us insights into the Soviet bloc, and provide our leaders with information they needed to confront aggression and avert catastrophe.

Throughout this evolution, we benefited from both our Constitution and our traditions of limited government. U.S. intelligence agencies were anchored in a system of checks and balances — with oversight from elected leaders, and protections for ordinary citizens. Meanwhile, totalitarian states like East Germany offered a cautionary tale of what could happen when vast, unchecked surveillance turned citizens into informers, and persecuted people for what they said in the privacy of their own homes.

In fact, even the United States proved not to be immune to the abuse of surveillance. And in the 1960s, government spied on civil rights leaders and critics of the Vietnam War. And partly in response to these revelations, additional laws were established in the 1970s to ensure that our intelligence capabilities could not be misused against our citizens. In the long, twilight struggle against Communism, we had been reminded that the very liberties that we sought to preserve could not be sacrificed at the altar of national security.

If the fall of the Soviet Union left America without a competing superpower, emerging threats from terrorist groups, and the proliferation of weapons of mass destruction placed new and in some ways more complicated demands on our intelligence agencies. Globalization and the Internet made these threats more acute, as technology erased borders and empowered individuals to project great violence, as well as great good. Moreover, these new threats raised new legal and new policy questions. For while few doubted the legitimacy of spying on hostile states, our framework of laws was not fully adapted to prevent terrorist attacks by individuals acting on their own, or acting in small, ideologically driven groups on behalf of a foreign power.

The horror of September 11th brought all these issues to the fore. Across the political spectrum, Americans recognized that we had to adapt to a world in which a bomb could be built in a basement, and our electric grid could be shut down by operators an ocean away. We were shaken by the signs we had missed leading up to the attacks — how the hijackers had made phone calls to known extremists and traveled to suspicious places. So we demanded that our intelligence community improve its capabilities, and that law enforcement change practices to focus more on preventing attacks before they happen than prosecuting terrorists after an attack.

It is hard to overstate the transformation America’s intelligence community had to go through after 9/11. Our agencies suddenly needed to do far more than the traditional mission of monitoring hostile powers and gathering information for policymakers. Instead, they were now asked to identify and target plotters in some of the most remote parts of the world, and to anticipate the actions of networks that, by their very nature, cannot be easily penetrated with spies or informants.

And it is a testimony to the hard work and dedication of the men and women of our intelligence community that over the past decade we’ve made enormous strides in fulfilling this mission. Today, new capabilities allow intelligence agencies to track who a terrorist is in contact with, and follow the trail of his travel or his funding. New laws allow information to be collected and shared more quickly and effectively between federal agencies, and state and local law enforcement. Relationships with foreign intelligence services have expanded, and our capacity to repel cyber-attacks have been strengthened. And taken together, these efforts have prevented multiple attacks and saved innocent lives — not just here in the United States, but around the globe.

And yet, in our rush to respond to a very real and novel set of threats, the risk of government overreach — the possibility that we lose some of our core liberties in pursuit of security — also became more pronounced. We saw, in the immediate aftermath of 9/11, our government engaged in enhanced interrogation techniques that contradicted our values. As a Senator, I was critical of several practices, such as warrantless wiretaps. And all too often new authorities were instituted without adequate public debate.

Through a combination of action by the courts, increased congressional oversight, and adjustments by the previous administration, some of the worst excesses that emerged after 9/11 were curbed by the time I took office. But a variety of factors have continued to complicate America’s efforts to both defend our nation and uphold our civil liberties.

First, the same technological advances that allow U.S. intelligence agencies to pinpoint an al Qaeda cell in Yemen or an email between two terrorists in the Sahel also mean that many routine communications around the world are within our reach. And at a time when more and more of our lives are digital, that prospect is disquieting for all of us.

Second, the combination of increased digital information and powerful supercomputers offers intelligence agencies the possibility of sifting through massive amounts of bulk data to identify patterns or pursue leads that may thwart impending threats. It’s a powerful tool. But the government collection and storage of such bulk data also creates a potential for abuse.

Third, the legal safeguards that restrict surveillance against U.S. persons without a warrant do not apply to foreign persons overseas. This is not unique to America; few, if any, spy agencies around the world constrain their activities beyond their own borders. And the whole point of intelligence is to obtain information that is not publicly available. But America’s capabilities are unique, and the power of new technologies means that there are fewer and fewer technical constraints on what we can do. That places a special obligation on us to ask tough questions about what we should do.

And finally, intelligence agencies cannot function without secrecy, which makes their work less subject to public debate. Yet there is an inevitable bias not only within the intelligence community, but among all of us who are responsible for national security, to collect more information about the world, not less. So in the absence of institutional requirements for regular debate — and oversight that is public, as well as private or classified — the danger of government overreach becomes more acute. And this is particularly true when surveillance technology and our reliance on digital information is evolving much faster than our laws.

For all these reasons, I maintained a healthy skepticism toward our surveillance programs after I became President. I ordered that our programs be reviewed by my national security team and our lawyers, and in some cases I ordered changes in how we did business. We increased oversight and auditing, including new structures aimed at compliance. Improved rules were proposed by the government and approved by the Foreign Intelligence Surveillance Court. And we sought to keep Congress continually updated on these activities.

What I did not do is stop these programs wholesale — not only because I felt that they made us more secure, but also because nothing in that initial review, and nothing that I have learned since, indicated that our intelligence community has sought to violate the law or is cavalier about the civil liberties of their fellow citizens.

To the contrary, in an extraordinarily difficult job — one in which actions are second-guessed, success is unreported, and failure can be catastrophic — the men and women of the intelligence community, including the NSA, consistently follow protocols designed to protect the privacy of ordinary people. They’re not abusing authorities in order to listen to your private phone calls or read your emails. When mistakes are made — which is inevitable in any large and complicated human enterprise — they correct those mistakes. Laboring in obscurity, often unable to discuss their work even with family and friends, the men and women at the NSA know that if another 9/11 or massive cyber-attack occurs, they will be asked, by Congress and the media, why they failed to connect the dots. What sustains those who work at NSA and our other intelligence agencies through all these pressures is the knowledge that their professionalism and dedication play a central role in the defense of our nation.

Now, to say that our intelligence community follows the law, and is staffed by patriots, is not to suggest that I or others in my administration felt complacent about the potential impact of these programs. Those of us who hold office in America have a responsibility to our Constitution, and while I was confident in the integrity of those who lead our intelligence community, it was clear to me in observing our intelligence operations on a regular basis that changes in our technological capabilities were raising new questions about the privacy safeguards currently in place.

Moreover, after an extended review of our use of drones in the fight against terrorist networks, I believed a fresh examination of our surveillance programs was a necessary next step in our effort to get off the open-ended war footing that we’ve maintained since 9/11. And for these reasons, I indicated in a speech at the National Defense University last May that we needed a more robust public discussion about the balance between security and liberty. Of course, what I did not know at the time is that within weeks of my speech, an avalanche of unauthorized disclosures would spark controversies at home and abroad that have continued to this day.

And given the fact of an open investigation, I’m not going to dwell on Mr. Snowden’s actions or his motivations; I will say that our nation’s defense depends in part on the fidelity of those entrusted with our nation’s secrets. If any individual who objects to government policy can take it into their own hands to publicly disclose classified information, then we will not be able to keep our people safe, or conduct foreign policy. Moreover, the sensational way in which these disclosures have come out has often shed more heat than light, while revealing methods to our adversaries that could impact our operations in ways that we may not fully understand for years to come.

Regardless of how we got here, though, the task before us now is greater than simply repairing the damage done to our operations or preventing more disclosures from taking place in the future. Instead, we have to make some important decisions about how to protect ourselves and sustain our leadership in the world, while upholding the civil liberties and privacy protections that our ideals and our Constitution require. We need to do so not only because it is right, but because the challenges posed by threats like terrorism and proliferation and cyber-attacks are not going away any time soon. They are going to continue to be a major problem. And for our intelligence community to be effective over the long haul, we must maintain the trust of the American people, and people around the world.

This effort will not be completed overnight, and given the pace of technological change, we shouldn’t expect this to be the last time America has this debate. But I want the American people to know that the work has begun. Over the last six months, I created an outside Review Group on Intelligence and Communications Technologies to make recommendations for reform. I consulted with the Privacy and Civil Liberties Oversight Board, created by Congress. I’ve listened to foreign partners, privacy advocates, and industry leaders. My administration has spent countless hours considering how to approach intelligence in this era of diffuse threats and technological revolution. So before outlining specific changes that I’ve ordered, let me make a few broad observations that have emerged from this process.

First, everyone who has looked at these problems, including skeptics of existing programs, recognizes that we have real enemies and threats, and that intelligence serves a vital role in confronting them. We cannot prevent terrorist attacks or cyber threats without some capability to penetrate digital communications — whether it’s to unravel a terrorist plot; to intercept malware that targets a stock exchange; to make sure air traffic control systems are not compromised; or to ensure that hackers do not empty your bank accounts. We are expected to protect the American people; that requires us to have capabilities in this field.

Moreover, we cannot unilaterally disarm our intelligence agencies. There is a reason why BlackBerrys and iPhones are not allowed in the White House Situation Room. We know that the intelligence services of other countries — including some who feign surprise over the Snowden disclosures — are constantly probing our government and private sector networks, and accelerating programs to listen to our conversations, and intercept our emails, and compromise our systems. We know that.

Meanwhile, a number of countries, including some who have loudly criticized the NSA, privately acknowledge that America has special responsibilities as the world’s only superpower; that our intelligence capabilities are critical to meeting these responsibilities, and that they themselves have relied on the information we obtain to protect their own people.

Second, just as ardent civil libertarians recognize the need for robust intelligence capabilities, those with responsibilities for our national security readily acknowledge the potential for abuse as intelligence capabilities advance and more and more private information is digitized. After all, the folks at NSA and other intelligence agencies are our neighbors. They’re our friends and family. They’ve got electronic bank and medical records like everybody else. They have kids on Facebook and Instagram, and they know, more than most of us, the vulnerabilities to privacy that exist in a world where transactions are recorded, and emails and text and messages are stored, and even our movements can increasingly be tracked through the GPS on our phones.

Third, there was a recognition by all who participated in these reviews that the challenges to our privacy do not come from government alone. Corporations of all shapes and sizes track what you buy, store and analyze our data, and use it for commercial purposes; that’s how those targeted ads pop up on your computer and your smartphone periodically. But all of us understand that the standards for government surveillance must be higher. Given the unique power of the state, it is not enough for leaders to say: Trust us, we won’t abuse the data we collect. For history has too many examples when that trust has been breached. Our system of government is built on the premise that our liberty cannot depend on the good intentions of those in power; it depends on the law to constrain those in power.

I make these observations to underscore that the basic values of most Americans when it comes to questions of surveillance and privacy converge a lot more than the crude characterizations that have emerged over the last several months. Those who are troubled by our existing programs are not interested in repeating the tragedy of 9/11, and those who defend these programs are not dismissive of civil liberties.

The challenge is getting the details right, and that is not simple. In fact, during the course of our review, I have often reminded myself I would not be where I am today were it not for the courage of dissidents like Dr. King, who were spied upon by their own government. And as President, a President who looks at intelligence every morning, I also can’t help but be reminded that America must be vigilant in the face of threats.

Fortunately, by focusing on facts and specifics rather than speculation and hypotheticals, this review process has given me — and hopefully the American people — some clear direction for change. And today, I can announce a series of concrete and substantial reforms that my administration intends to adopt administratively or will seek to codify with Congress.

First, I have approved a new presidential directive for our signals intelligence activities both at home and abroad. This guidance will strengthen executive branch oversight of our intelligence activities. It will ensure that we take into account our security requirements, but also our alliances; our trade and investment relationships, including the concerns of American companies; and our commitment to privacy and basic liberties. And we will review decisions about intelligence priorities and sensitive targets on an annual basis so that our actions are regularly scrutinized by my senior national security team.

Second, we will reform programs and procedures in place to provide greater transparency to our surveillance activities, and fortify the safeguards that protect the privacy of U.S. persons. Since we began this review, including information being released today, we have declassified over 40 opinions and orders of the Foreign Intelligence Surveillance Court, which provides judicial review of some of our most sensitive intelligence activities — including the Section 702 program targeting foreign individuals overseas, and the Section 215 telephone metadata program.

And going forward, I’m directing the Director of National Intelligence, in consultation with the Attorney General, to annually review for the purposes of declassification any future opinions of the court with broad privacy implications, and to report to me and to Congress on these efforts. To ensure that the court hears a broader range of privacy perspectives, I am also calling on Congress to authorize the establishment of a panel of advocates from outside government to provide an independent voice in significant cases before the Foreign Intelligence Surveillance Court.

Third, we will provide additional protections for activities conducted under Section 702, which allows the government to intercept the communications of foreign targets overseas who have information that’s important for our national security. Specifically, I am asking the Attorney General and DNI to institute reforms that place additional restrictions on government’s ability to retain, search, and use in criminal cases communications between Americans and foreign citizens incidentally collected under Section 702.

Fourth, in investigating threats, the FBI also relies on what’s called national security letters, which can require companies to provide specific and limited information to the government without disclosing the orders to the subject of the investigation. These are cases in which it’s important that the subject of the investigation, such as a possible terrorist or spy, isn’t tipped off. But we can and should be more transparent in how government uses this authority.

I have therefore directed the Attorney General to amend how we use national security letters so that this secrecy will not be indefinite, so that it will terminate within a fixed time unless the government demonstrates a real need for further secrecy. We will also enable communications providers to make public more information than ever before about the orders that they have received to provide data to the government.

This brings me to the program that has generated the most controversy these past few months — the bulk collection of telephone records under Section 215. Let me repeat what I said when this story first broke: This program does not involve the content of phone calls, or the names of people making calls. Instead, it provides a record of phone numbers and the times and lengths of calls — metadata that can be queried if and when we have a reasonable suspicion that a particular number is linked to a terrorist organization.

Why is this necessary? The program grew out of a desire to address a gap identified after 9/11. One of the 9/11 hijackers — Khalid al-Mihdhar — made a phone call from San Diego to a known al Qaeda safe-house in Yemen. NSA saw that call, but it could not see that the call was coming from an individual already in the United States. The telephone metadata program under Section 215 was designed to map the communications of terrorists so we can see who they may be in contact with as quickly as possible. And this capability could also prove valuable in a crisis. For example, if a bomb goes off in one of our cities and law enforcement is racing to determine whether a network is poised to conduct additional attacks, time is of the essence. Being able to quickly review phone connections to assess whether a network exists is critical to that effort.

In sum, the program does not involve the NSA examining the phone records of ordinary Americans. Rather, it consolidates these records into a database that the government can query if it has a specific lead — a consolidation of phone records that the companies already retained for business purposes. The review group turned up no indication that this database has been intentionally abused. And I believe it is important that the capability that this program is designed to meet is preserved.

Having said that, I believe critics are right to point out that without proper safeguards, this type of program could be used to yield more information about our private lives, and open the door to more intrusive bulk collection programs in the future. They’re also right to point out that although the telephone bulk collection program was subject to oversight by the Foreign Intelligence Surveillance Court and has been reauthorized repeatedly by Congress, it has never been subject to vigorous public debate.

For all these reasons, I believe we need a new approach. I am therefore ordering a transition that will end the Section 215 bulk metadata program as it currently exists, and establish a mechanism that preserves the capabilities we need without the government holding this bulk metadata.

This will not be simple. The review group recommended that our current approach be replaced by one in which the providers or a third party retain the bulk records, with government accessing information as needed. Both of these options pose difficult problems. Relying solely on the records of multiple providers, for example, could require companies to alter their procedures in ways that raise new privacy concerns. On the other hand, any third party maintaining a single, consolidated database would be carrying out what is essentially a government function but with more expense, more legal ambiguity, potentially less accountability — all of which would have a doubtful impact on increasing public confidence that their privacy is being protected.

During the review process, some suggested that we may also be able to preserve the capabilities we need through a combination of existing authorities, better information sharing, and recent technological advances. But more work needs to be done to determine exactly how this system might work.

Because of the challenges involved, I’ve ordered that the transition away from the existing program will proceed in two steps. Effective immediately, we will only pursue phone calls that are two steps removed from a number associated with a terrorist organization instead of the current three. And I have directed the Attorney General to work with the Foreign Intelligence Surveillance Court so that during this transition period, the database can be queried only after a judicial finding or in the case of a true emergency.

Next, step two, I have instructed the intelligence community and the Attorney General to use this transition period to develop options for a new approach that can match the capabilities and fill the gaps that the Section 215 program was designed to address without the government holding this metadata itself. They will report back to me with options for alternative approaches before the program comes up for reauthorization on March 28th. And during this period, I will consult with the relevant committees in Congress to seek their views, and then seek congressional authorization for the new program as needed.

Now, the reforms I’m proposing today should give the American people greater confidence that their rights are being protected, even as our intelligence and law enforcement agencies maintain the tools they need to keep us safe. And I recognize that there are additional issues that require further debate. For example, some who participated in our review, as well as some members of Congress, would like to see more sweeping reforms to the use of national security letters so that we have to go to a judge each time before issuing these requests. Here, I have concerns that we should not set a standard for terrorism investigations that is higher than those involved in investigating an ordinary crime. But I agree that greater oversight on the use of these letters may be appropriate, and I’m prepared to work with Congress on this issue.

There are also those who would like to see different changes to the FISA Court than the ones I’ve proposed. On all these issues, I am open to working with Congress to ensure that we build a broad consensus for how to move forward, and I’m confident that we can shape an approach that meets our security needs while upholding the civil liberties of every American.

Let me now turn to the separate set of concerns that have been raised overseas, and focus on America’s approach to intelligence collection abroad. As I’ve indicated, the United States has unique responsibilities when it comes to intelligence collection. Our capabilities help protect not only our nation, but our friends and our allies, as well. But our efforts will only be effective if ordinary citizens in other countries have confidence that the United States respects their privacy, too. And the leaders of our close friends and allies deserve to know that if I want to know what they think about an issue, I’ll pick up the phone and call them, rather than turning to surveillance. In other words, just as we balance security and privacy at home, our global leadership demands that we balance our security requirements against our need to maintain the trust and cooperation among people and leaders around the world.

For that reason, the new presidential directive that I’ve issued today will clearly prescribe what we do, and do not do, when it comes to our overseas surveillance. To begin with, the directive makes clear that the United States only uses signals intelligence for legitimate national security purposes, and not for the purpose of indiscriminately reviewing the emails or phone calls of ordinary folks. I’ve also made it clear that the United States does not collect intelligence to suppress criticism or dissent, nor do we collect intelligence to disadvantage people on the basis of their ethnicity, or race, or gender, or sexual orientation, or religious beliefs. We do not collect intelligence to provide a competitive advantage to U.S. companies or U.S. commercial sectors.

And in terms of our bulk collection of signals intelligence, U.S. intelligence agencies will only use such data to meet specific security requirements: counterintelligence, counterterrorism, counter-proliferation, cybersecurity, force protection for our troops and our allies, and combating transnational crime, including sanctions evasion.

In this directive, I have taken the unprecedented step of extending certain protections that we have for the American people to people overseas. I’ve directed the DNI, in consultation with the Attorney General, to develop these safeguards, which will limit the duration that we can hold personal information, while also restricting the use of this information.

The bottom line is that people around the world, regardless of their nationality, should know that the United States is not spying on ordinary people who don’t threaten our national security, and that we take their privacy concerns into account in our policies and procedures. This applies to foreign leaders as well. Given the understandable attention that this issue has received, I have made clear to the intelligence community that unless there is a compelling national security purpose, we will not monitor the communications of heads of state and government of our close friends and allies. And I’ve instructed my national security team, as well as the intelligence community, to work with foreign counterparts to deepen our coordination and cooperation in ways that rebuild trust going forward.

Now let me be clear: Our intelligence agencies will continue to gather information about the intentions of governments — as opposed to ordinary citizens — around the world, in the same way that the intelligence services of every other nation does. We will not apologize simply because our services may be more effective. But heads of state and government with whom we work closely, and on whose cooperation we depend, should feel confident that we are treating them as real partners. And the changes I’ve ordered do just that.

Finally, to make sure that we follow through on all these reforms, I am making some important changes to how our government is organized. The State Department will designate a senior officer to coordinate our diplomacy on issues related to technology and signals intelligence. We will appoint a senior official at the White House to implement the new privacy safeguards that I have announced today. I will devote the resources to centralize and improve the process we use to handle foreign requests for legal assistance, keeping our high standards for privacy while helping foreign partners fight crime and terrorism.

I have also asked my counselor, John Podesta, to lead a comprehensive review of big data and privacy. And this group will consist of government officials who, along with the President’s Council of Advisors on Science and Technology, will reach out to privacy experts, technologists and business leaders, and look how the challenges inherent in big data are being confronted by both the public and private sectors; whether we can forge international norms on how to manage this data; and how we can continue to promote the free flow of information in ways that are consistent with both privacy and security.

For ultimately, what’s at stake in this debate goes far beyond a few months of headlines, or passing tensions in our foreign policy. When you cut through the noise, what’s really at stake is how we remain true to who we are in a world that is remaking itself at dizzying speed. Whether it’s the ability of individuals to communicate ideas; to access information that would have once filled every great library in every country in the world; or to forge bonds with people on other sides of the globe, technology is remaking what is possible for individuals, and for institutions, and for the international order. So while the reforms that I have announced will point us in a new direction, I am mindful that more work will be needed in the future.

One thing I’m certain of: This debate will make us stronger. And I also know that in this time of change, the United States of America will have to lead. It may seem sometimes that America is being held to a different standard. And I’ll admit the readiness of some to assume the worst motives by our government can be frustrating. No one expects China to have an open debate about their surveillance programs, or Russia to take privacy concerns of citizens in other places into account. But let’s remember: We are held to a different standard precisely because we have been at the forefront of defending personal privacy and human dignity.

As the nation that developed the Internet, the world expects us to ensure that the digital revolution works as a tool for individual empowerment, not government control. Having faced down the dangers of totalitarianism and fascism and communism, the world expects us to stand up for the principle that every person has the right to think and write and form relationships freely — because individual freedom is the wellspring of human progress.

Those values make us who we are. And because of the strength of our own democracy, we should not shy away from high expectations. For more than two centuries, our Constitution has weathered every type of change because we have been willing to defend it, and because we have been willing to question the actions that have been taken in its defense. Today is no different. I believe we can meet high expectations. Together, let us chart a way forward that secures the life of our nation while preserving the liberties that make our nation worth fighting for.

Thank you. God bless you. May God bless the United States of America. (Applause.)

January 1, 2014

ACLU v Clapper: More complementary than conflicting?

Filed under: Intelligence and Info-Sharing,Legal Issues,Privacy and Security,Terrorist Threats & Attacks — by Philip J. Palin on January 1, 2014

Last Friday Federal District Judge William H. Pauley III released his decision in ACLU v. Clapper. Busy with post-Christmas travel and such I mostly heard the headlines.

Before reading the actual text — and overly influenced by those headlines — I intended to post today on the divergence of Judge Pauley from Judge Leon’s Klayman v Obama decision (see prior post).

But when I finally read the actual text of the decision, this non-lawyer finds significant complementarity in what Judges Leon and Pauley have decided.

Yes, Leon found bulk collection of meta-data to be illegal, while Pauley found the same practice legal.  But decisions (lawyerly or not) are often as icebergs where most of the weight is found below the surface.

In their analysis of what is being done by the US intelligence community and the potential implications for liberty, the two decisions seem to me to reach somewhat similar judgments. But Leon perceives innate abuse where, in the particular case before him, Pauley sees and hears mostly prospective rather than actual harm.

Again, you should read the original — which can be downloaded here — but to support my reading and entice you to read more, here is the opening of the Pauley decision, the bold highlights are my own:

The September 11th terrorist attacks revealed, in the starkest terms, just how dangerous and interconnected the world is. While Americans depended on technology for the conveniences of modernity, al-Qaeda plotted in a seventh-century milieu to use that technology against us. It was a bold jujitsu. And it succeeded because conventional intelligence gathering could not detect diffuse filaments connecting al-Qaeda.

Prior to the September 11th attacks, the National Security Agency (“NSA”) intercepted seven calls made by hijacker Khalid al-Mihdhar, who was living in San Diego, California, to an al-Qaeda safe house in Yemen. The NSA intercepted those calls using overseas signals intelligence capabilities that could not capture al-Mihdhar’s telephone number identifier.

Without that identifier, NSA analysts concluded mistakenly that al-Mihdhar was overseas and not in the United States. Telephony metadata would have furnished the missing infonnation and might have permitted the.NSA to notify the Federal Bureau of lnvestigation (“FBI”) of the fact that al-Mihdhar was calling the Yemeni safe house from inside the United States.

The Government learned from its mistake and adapted to confront a new enemy: a terror network capable of orchestrating attacks across the world. It launched a number of counter-measures, including a bulk telephony metadata collection program-a wide net that could find and isolate gossamer contacts among suspected terrorists in an ocean of seemingly disconnected data.

This blunt tool only works because it collects everything. Such a program, if unchecked, imperils the civil liberties of every citizen. Each time someone in the United States makes or receives a telephone call, the telecommunications provider makes a record of when, and to what telephone number the call was placed, and how long it lasted. The NSA collects that telephony metadata. If plumbed, such data can reveal a rich profile of every individual as well as a comprehensive record of people’s associations with one another.

The natural tension between protecting the nation and preserving civil liberty is squarely presented by the Government’s bulk telephony metadata collection program. Edward Snowden’s unauthorized disclosure of Foreign Intelligence Surveillance Court (“FISC”) orders has provoked a public debate and this litigation. While robust discussions are underway across the nation, in Congress, and at the White House, the question for this Court is whether the Government’s bulk telephony metadata program is lawful. This Court finds it is. But the question of whether that program should be conducted is for the other two coordinate branches of Government to decide.

Legality, efficacy, and wisdom are three quite different standards. They may — or may not — overlap.

December 19, 2013

Klayman v Obama

Filed under: Intelligence and Info-Sharing,Legal Issues,Privacy and Security,Terrorist Threats & Attacks — by Philip J. Palin on December 19, 2013

Many of the issues we have previously discussed in terms of balancing liberty and security are taken up in Monday’s decision by a federal district judge to grant a Motion for Preliminary Injunction regarding bulk collection of meta-data by the National Security Agency.

Among most legally-trained commentators, there seems to be a consensus the district court’s injunction will be overturned by the US Court of Appeals, based largely on the Supreme Court’s previous decision in Smith v Maryland where no reasonable expectation of privacy was extended to the telephone numbers we choose to dial.

Judge Richard Leon probably also expects his decision to be overturned at the appellate level.  His opinion is written, it seems to this non-lawyer, more for the benefit of the Supreme Court than as a matter of conforming with the details of current law.  Indeed, the Judge stayed his own order “in view of the national security interests at stake in this case and the novelty of the constitutional issues involved.” (My italics)

As regular readers might imagine, I am sorely tempted to opine on what the judge wrote.  I spent (too) much of Tuesday reading and re-reading the sixty -eight page decision.  I agree with most of what I read and while the government’s argument may still prevail I am grateful Judge Leon has teed-up the issues so well.

But in this instance I will exercise more restraint than usual and not share with you my favorite bits.  If you have cause to read Homeland Security Watch you really owe it to yourself — your life, fortune, sacred honor and posterity — to read the full opinion and order. Please find it here:  Klayman v Obama

Judge Leon has written the clearest non-technical description I have read of what the NSA has actually been doing.  His statement of facts places these actions in their full legal context. Some important operational judgments are offered.  His footnotes are especially insightful and trenchant.  Whatever your angle on this issue, this is an original text worth your time and careful attention.  Get it, read it, and reflect.

–+–

Almost a month earlier than previously promised (gosh, I wonder why?), Wednesday afternoon the White House released the Report and Recommendations of The President’s Review Group on Intelligence and Communications Technologies.   Including appendices the full report is 308 pages long.  I have not yet mastered the text.  Eventually we should try to compare and contrast Judge Leon’s text with this one.  It is entitled, “Liberty and Security in a Changing World.”

December 12, 2013

Five surveillance principles proposed

Filed under: Intelligence and Info-Sharing,Privacy and Security,Private Sector — by Philip J. Palin on December 12, 2013

Several leading technology companies have called on world governments — and especially the US government — to abide by five principles when engaging in information surveillance:

1.  Limiting Governments’ Authority to Collect Users’ Information

Governments should codify sensible limitations on their ability to compel service providers to disclose user data that balance their need for the data in limited circumstances, users’ reasonable privacy interests, and the impact on trust in the Internet. In addition, governments should limit surveillance to specific, known users for lawful purposes, and should not undertake bulk data collection of Internet communications.

2. Oversight and Accountability

Intelligence agencies seeking to collect or compel the production of information should do so under a clear legal framework in which executive powers are subject to strong checks and balances. Reviewing courts should be independent and include an adversarial process, and governments should allow important rulings of law to be made public in a timely manner so that the courts are accountable to an informed citizenry.

3.  Transparency About Government Demands

Transparency is essential to a debate over governments’ surveillance powers and the scope of programs that are administered under those powers. Governments should allow companies to publish the number and nature of government demands for user information. In addition, governments should also promptly disclose this data publicly.

4. Respecting the Free Flow of Information

The ability of data to flow or be accessed across borders is essential to a robust 21st century global economy. Governments should permit the transfer of data and should not inhibit access by companies or individuals to lawfully available information that is stored outside of the country. Governments should not require service providers to locate infrastructure within a country’s borders or operate locally.

5.  Avoiding Conflicts Among Governments

In order to avoid conflicting laws, there should be a robust, principled, and transparent framework to govern lawful requests for data across jurisdictions, such as improved mutual legal assistance treaty — or “MLAT” — processes. Where the laws of one jurisdiction conflict with the laws of another, it is incumbent upon governments to work together to resolve the conflict.

More background on this initiative and the guidelines can be found at reformgovernmentsurveillance.com

Eric Snowden’s exposure of National Security Agency practice has reminded me of a now quarter-century old critique of US intelligence practices by a British pal.  He commented that even the old rifle versus shotgun analogy did not capture the difference between US intelligence gathering and behavior by other spy agencies. “A shot-gun still requires some rough targeting.  US intelligence is more like a gas attack, wafting wherever the wind blows.”

My British colleague explained the difference as a matter of resources and especially budget.  ”We have to choose our targets carefully.  The US has the money, men, and machines to spend billions on blind alleys.”

In this new century we have women and even better machines.  The so-called “black budget” also found in the Snowden leaks suggests the NSA spends about $10.5 billion per year, roughly 20 percent of the overall federal intelligence budget.  The British government spends about $3.2 billion on its overall intelligence operations.

–+–

I look forward to a great future for America – a future in which our country will match its military strength with our moral restraint, its wealth with our wisdom, its power with our purpose. (John F. Kennedy)

August 15, 2013

A welcome Presidential invitation (but please proceed even if there are no RSVPs)

Filed under: Intelligence and Info-Sharing,Legal Issues,Privacy and Security,Terrorist Threats & Attacks — by Philip J. Palin on August 15, 2013

AUGUST 16 UPDATE: Today the Washington Post reports on several hundred incidents of the NSA failing to conform with current regulations and legal boundaries for domestic surveillance.  This is where strong action by the executive — as outlined below — is most needed and can be most effective.

ORIGINAL POST:

Friday the President used the White House press room to announce and take a few questions on proposals to better balance civil liberties with digital surveillance.

Monday the Wall Street Journal editorialized that these proposals constitute a “retreat on his core powers as Commander in Chief.”  If I understand the editorial correctly, the WSJ perceives the President has sovereign authority under Article II, Section 2 to spy on us as much as he perceives the nation’s security might require.  Judicial oversight as currently provided by the Foreign Intelligence Surveillance Act is, in their view, unconstitutional.  Any due process is, it would seem, collaboration with our enemies.

On the left hand: Writing in The Atlantic, Conor Friedersdorf conducts an eviscerating exegesis of the rather brief — even bland — Presidential statement and concludes, “Obama is still lying, obfuscating, and misleading the American people. In doing so, he is preventing representative democracy from functioning as well as it might.”   He perceives a President corrupted by power and given over to condescension, setting the stage for our liberties to be lost forever.

There are of course judgments farther to the right and left of these still recognizably reasoned opinions.  But rather quickly “right” and “left” are lost to something closer to Freudian obsessions or the deepest mysteries of Jung’s collective unconscious.  Obama becomes a token or talisman or target of spiritual warfare and whatever he says is treated like a just-discovered manuscript in a Dan Brown novel.

My take is more prosaic.  The President — like all of us — is a creature of his prior experiences.  Among these are 1) a black man with insider knowledge of white America, 2) community organizer, and 3) lawyer.

If the first prior is having any influence here, it is expressed in the President’s perpetual pragmatism.  He intends to “get ahead” (what this means specifically depends on context).  To do so he needs to be realistic about the impediments or threats he will encounter.  He is predisposed to action that mitigates or obviates knowable problems. The surveillance programs (and the drone program and much more) inherited from his predecessor are adapted, expanded, and subjected to more detailed processes.

As a community organizer he is sensitive to matching his interventions to the values, aspirations, capabilities, and readiness of those he is trying to organize.  He can facilitate, provoke, propose… but it is up to the community to choose and sustain (or not).  Fundamental issues can be teed up, but it is the community’s role  – not his — to decide.  Notice how often, including in this instance, he unveils a process that tends to turn the initiative over to others.  He will advocate for certain principles or objectives, but if and how these are adopted is really up to others.

As a lawyer President Obama is inclined to procedural solutions: a task force, a privacy advocate, checklists, reviews, appeals…  Justice Frankfurter once wrote, “The safeguards of due process of law and the equal protection of the laws summarize the history of freedom of English-speaking peoples running back to Magna Carta and reflected in the constitutional development of our people. The history of American freedom is, in no small measure, the history of procedure.”  Whether or not the President knows the quote, he regularly demonstrates his concurrent view.

As a white man I have not needed to be quite so pro-active regarding threats and impediments.  My approach to management and leadership is similar to that of a community organizer. The successes tend, I am proud to say, to be substantive and long-lasting.  But failure is much, much more common.   I am personally impatient with procedure, but as a matter of human history I agree with Frankfurter (and the President) on its important role.

There are tangible threats to the United States which surveillance can help prevent and mitigate.  There is a profound threat to our liberty that emerges from government surveillance, especially in this digitally networked era.  Procedures are, probably, the most important part of any large bureaucracy’s effort to mitigate abuse of this unprecedented surveillance capability.

In a different time or place I might, despite all my failures, still advocate for community-based engagement with these treacherous issues.  Unfortunately, in this time and place if our civil liberties are to be reasonably preserved in face of these extraordinary technical means, strong and specific Presidential action will be needed.  Legislation would be better, but I don’t think it will happen.  Community consensus would be even better, but on this issue nothing even close to consensus is possible any time soon.

It is problematic. It is paradoxical.  But a community’s strength sometimes depends on individuals to sacrifice legitimate power in order advance what is best for the community.  On Monday the Wall Street Journal editorial board complained, “Mr. Obama invited Congress to tie him and future presidents down with new oversight and limits on a surveillance program…”  It is right to extend the invitation.  It will be necessary to do even more.

August 12, 2013

President’s statement on surveillance policy

Filed under: Intelligence and Info-Sharing — by Philip J. Palin on August 12, 2013

Following is all but one non-substantive paragraph of a statement the President made at the White House on Friday.  He answered some related questions.  I will probably offer some thoughts of my own in this Thursday’s post.

–+–

As I said at the National Defense University back in May, in meeting those threats we have to strike the right balance between protecting our security and preserving our freedoms. And as part of this rebalancing, I called for a review of our surveillance programs. Unfortunately, rather than an orderly and lawful process to debate these issues and come up with appropriate reforms, repeated leaks of classified information have initiated the debate in a very passionate, but not always fully informed way.

Now, keep in mind that as a senator, I expressed a healthy skepticism about these programs, and as President, I’ve taken steps to make sure they have strong oversight by all three branches of government and clear safeguards to prevent abuse and protect the rights of the American people. But given the history of abuse by governments, it’s right to ask questions about surveillance — particularly as technology is reshaping every aspect of our lives.

I’m also mindful of how these issues are viewed overseas, because American leadership around the world depends upon the example of American democracy and American openness — because what makes us different from other countries is not simply our ability to secure our nation, it’s the way we do it — with open debate and democratic process.

In other words, it’s not enough for me, as President, to have confidence in these programs. The American people need to have confidence in them as well. And that’s why, over the last few weeks, I’ve consulted members of Congress who come at this issue from many different perspectives. I’ve asked the Privacy and Civil Liberties Oversight Board to review where our counterterrorism efforts and our values come into tension, and I directed my national security team to be more transparent and to pursue reforms of our laws and practices.

And so, today, I’d like to discuss four specific steps — not all inclusive, but some specific steps that we’re going to be taking very shortly to move the debate forward.

First, I will work with Congress to pursue appropriate reforms to Section 215 of the Patriot Act — the program that collects telephone records. As I’ve said, this program is an important tool in our effort to disrupt terrorist plots. And it does not allow the government to listen to any phone calls without a warrant. But given the scale of this program, I understand the concerns of those who would worry that it could be subject to abuse. So after having a dialogue with members of Congress and civil libertarians, I believe that there are steps we can take to give the American people additional confidence that there are additional safeguards against abuse.

For instance, we can take steps to put in place greater oversight, greater transparency, and constraints on the use of this authority. So I look forward to working with Congress to meet those objectives.

Second, I’ll work with Congress to improve the public’s confidence in the oversight conducted by the Foreign Intelligence Surveillance Court, known as the FISC. The FISC was created by Congress to provide judicial review of certain intelligence activities so that a federal judge must find that our actions are consistent with the Constitution. However, to build greater confidence, I think we should consider some additional changes to the FISC.

One of the concerns that people raise is that a judge reviewing a request from the government to conduct programmatic surveillance only hears one side of the story — may tilt it too far in favor of security, may not pay enough attention to liberty. And while I’ve got confidence in the court and I think they’ve done a fine job, I think we can provide greater assurances that the court is looking at these issues from both perspectives — security and privacy.

So, specifically, we can take steps to make sure civil liberties concerns have an independent voice in appropriate cases by ensuring that the government’s position is challenged by an adversary.

Number three, we can, and must, be more transparent. So I’ve directed the intelligence community to make public as much information about these programs as possible. We’ve already declassified unprecedented information about the NSA, but we can go further. So at my direction, the Department of Justice will make public the legal rationale for the government’s collection activities under Section 215 of the Patriot Act. The NSA is taking steps to put in place a full-time civil liberties and privacy officer, and released information that details its mission, authorities, and oversight. And finally, the intelligence community is creating a website that will serve as a hub for further transparency, and this will give Americans and the world the ability to learn more about what our intelligence community does and what it doesn’t do, how it carries out its mission, and why it does so.

Fourth, we’re forming a high-level group of outside experts to review our entire intelligence and communications technologies. We need new thinking for a new era. We now have to unravel terrorist plots by finding a needle in the haystack of global telecommunications. And meanwhile, technology has given governments — including our own — unprecedented capability to monitor communications.

So I am tasking this independent group to step back and review our capabilities — particularly our surveillance technologies. And they’ll consider how we can maintain the trust of the people, how we can make sure that there absolutely is no abuse in terms of how these surveillance technologies are used, ask how surveillance impacts our foreign policy — particularly in an age when more and more information is becoming public. And they will provide an interim report in 60 days and a final report by the end of this year, so that we can move forward with a better understanding of how these programs impact our security, our privacy, and our foreign policy.

So all these steps are designed to ensure that the American people can trust that our efforts are in line with our interests and our values. And to others around the world, I want to make clear once again that America is not interested in spying on ordinary people. Our intelligence is focused, above all, on finding the information that’s necessary to protect our people, and — in many cases — protect our allies.

It’s true we have significant capabilities. What’s also true is we show a restraint that many governments around the world don’t even think to do, refuse to show — and that includes, by the way, some of America’s most vocal critics. We shouldn’t forget the difference between the ability of our government to collect information online under strict guidelines and for narrow purposes, and the willingness of some other governments to throw their own citizens in prison for what they say online.

And let me close with one additional thought. The men and women of our intelligence community work every single day to keep us safe because they love this country and believe in our values. They’re patriots. And I believe that those who have lawfully raised their voices on behalf of privacy and civil liberties are also patriots who love our country and want it to live up to our highest ideals. So this is how we’re going to resolve our differences in the United States — through vigorous public debate, guided by our Constitution, with reverence for our history as a nation of laws, and with respect for the facts.

August 8, 2013

An abundance of caution

Filed under: Intelligence and Info-Sharing,Risk Assessment,Strategy,Terrorist Threats & Attacks — by Philip J. Palin on August 8, 2013

Diplomatic Posts ClosedOn Monday the State Department’s deputy spokesperson, Marie Harf, explained several U.S. diplomatic posts would remain closed for up to a week out of an “abundance of caution” prompted by a potential terrorist attack.

As the Tsarnaev brothers fled, flinging explosives from their stolen car, residents of Boston and many close-in suburbs were told to stay inside behind locked doors.  The unprecedented, rather amazing, shut-down of a huge urban area was justified by an abundance of caution emerging from a proven murderous capacity and a continued proximate capability demonstrated just hours before.

As Hurricane Sandy churned north, Mayor Bloomberg announced mandatory evacuations and scheduled suspension of the transit system as warranted by an abundance of caution. Soon enough — and well before landfall — he was warning of a clear and present danger.

Congressional leaders who have been briefed on the intelligence “stream” are unified in endorsing the abundance of caution undertaken in recent days.  It is reassuring that our feuding representatives can find anything on which to agree.  Especially when such vociferous political adversaries make common-cause, I am inclined to defer to their assessment of the current context.  The evidence has, apparently, pointed to a fast-approaching threat.

But I will raise an issue of strategy or perhaps policy beyond the current circumstance: With Hurricane Sandy the threat velocity was known and New York was absolutely in the target zone.  In the case of Boston, Watertown, and near-by, bombing, murder and mayhem were undeniably clear and present.

What seems to be the situation with Al-Qaeda in the Arabian Peninsula (AQAP) and AQ-Core is a communications intercept involving a vague instruction to do something big.  I will admit this strikes me — so early in the post-Snowden period — as a suspicious choice by Messrs. Zawahiri and Wuhayshi. (Or… in our Kafkaesque counterterrorism context is the intercept report a false-flag to distract AQ et al from the actual tradecraft involved?) When or where or precisely who might carry out the attack is not known.  So… we evacuate or shelter-in-place across roughly the same expansive space as the Umayyad Caliphate.

But… taking the reported intercept on face value, AQAP has a significant capacity in Yemen.  Given demonstrated AQAP capabilities, the shuttering of our Sana’a facility and evacuation of most personnel is probably a prudent measure.  (The government of Yemen disagrees and claims to have foiled a local plot.)

We have seen that other AQ franchises across North Africa, Iraq, Syria and elsewhere also have existing capacity.  I don’t have the resources to assess threat capabilities in each nation where our official outpost has closed its doors.  No doubt if the decision-criterion is an “abundance of caution” a sufficient argument can be made for each.

–+–

Last week I was given a boilerplate contract to sign.  It included a clause that could have been used by the other party to claim 125 percent of any revenue I generated from a set of long-time clients.  This was not the original intent of the clause, but was a possible application.  Such action by the other party is very unlikely, but out of an abundance of caution I arranged for an amendment to the agreement.

This is an example of the origins of the phrase.  In Latin it is “ex abundanti cautela”.  In Roman law the tendency to explicitly engage and counter very unlikely possibilities is prompted by an an abundance of caution.  Such action is certainly prudent. It is also — at least in the context of ancient Roman law — tedious, pedantic, and often so ridiculous as to become absurd.

Today the phrase is usually unveiled with a kind of magisterial flourish that suggests no reasonable person could possibly contest the good sense of behaving with an abundance of caution.

Is over-abundance possible?

New York could — out of an abundance of caution — announce voluntary evacuations every time one of those individual tracks in the hurricane cone-of-probability crosses between Atlantic City and the Hamptons.

The Boston area shelter-in-place order was lifted about 6:15 PM.  After nearly eleven hours behind locked doors, caution seemed a bit over-ripe. The surviving suspect was located in the boat about a half-hour later.  What would have been our assessment of the Boston shut-down if the second suspect had not been located that evening?

 –+–

Most of our risks are no-notice. But with hurricanes — and to a lesser extent tornadoes and blizzards — there is an emerging ability to take action to avert harm.  The reason we spend billions on  the intelligence community and offer the first fruits of liberty on the altar of security is to give us similar warning for evil intention.

What we have learned from weather-related warning is that preventive action not followed by a confirming event increases the tendency of the population to take unnecessary risks next time.  Over-zealous — or unlucky — efforts to prevent harm can perversely cause greater harm.

While we are certainly dealing with probabilities, this is not — yet — a matter of contending mathematical models.  We are left with concepts… judgments… words.  Always fallible, but fully worth our careful thought.

An abundance of caution is an ancient legal principle supportive of taking preventive action. So is the common law’s “bad tendency” which was succeeded by “clear and present danger” which has evolved into justifying preventive action by the State only where the threat of violence is both imminent and likely.

Is the threat proximate in time and space and probable?  We will still disagree, but these are the right questions to ask.  These are the right questions to answer in justifying dramatic preventive or preemptive action.

July 26, 2013

Congressional prospects for NSA operations

Filed under: Congress and HLS,Intelligence and Info-Sharing,Terrorist Threats & Attacks — by Philip J. Palin on July 26, 2013

As I explained in an early June post, I have mostly been reassured by the controversy over NSA domestic intelligence gathering.  So far the evidence I have seen indicates operations have been undertaken consistent with the law, with judicial authorization, and with Congressional oversight.

The close vote on Wednesday night to continue funding NSA operations is another example of the system working as it ought.  It is helpful and appropriate that policy of this sort be actively and critically examined by the people’s representatives.  Our security mavens have been forcefully reminded of their obligation to consult with Congress on policy and strategy.  (And I even hope against hope that those in Congress may have learned to listen more carefully.  I know I’m a glutton for disappointment.)

If some are tempted to “learn” from this experience that they need to be even more secretive, they are idiots.  If they instead recognize the benefit of proactive and principled engagement at the policy level, we will all be better off: both in terms of our tactical security and the preservation of liberty.

I am glad the funding was continued.  I am glad the vote was close.  I am glad that other efforts are underway to ensure legal constraints on domestic intelligence operations.  Yesterday reporting by ProPublica identified six proposals still under consideration by Congress:

1) Raise the standard for what records are considered “relevant”

2) Require NSA analysts to obtain court approval before searching metadata

3) Declassify Foreign Intelligence Surveillance Court opinions

4) Change the way Foreign Intelligence Surveillance Court judges are appointed

5) Appoint a public advocate to argue before the Foreign Intelligence Surveillance Court

6) End phone metadata collection on constitutional grounds

Read more on each proposal by Kara Brandeisky at ProPublica

July 9, 2013

How to spy on yourself without really trying.

Filed under: Intelligence and Info-Sharing — by Christopher Bellavita on July 9, 2013

A friend sent me an email this morning with this subject line: “This is Amazing.”

The message said:

Check this metadata app (you can only use it of you use a gmail account): immersion.media.mit.edu 

I wasn’t the only one to learn about this new creation from the MIT Media Lab.  A lot of people wanted to try it out. So it took a long time to get through. But eventually I did.

I gave the Media Lab permission to see the metadata from my gmail account. Yes, you have to surrender your privacy to see what surrendering your privacy could be like. But what the hell. It’s only metadata. Metadata’s innocuous.

If you’d like to try Immersion, but either don’t use gmail or don’t want to share your account with MIT, here’s a link to an Immersion demonstration:  https://immersion.media.mit.edu/demo

And here is a link to a seven minute video explaining Immersion: https://vimeo.com/69464265

Here’s what the Media Lab’s Immersion Project showed me about my gmail metadata, covering 2004 through July 2013 (names removed):

Cb network image one

Interesting, but what could it mean?

I found James Vincent’s description of the Immersion Project in The Independent:

Plugging your Gmail address into MIT’s Immersion allows the system to scrape your email account for its metadata, and produces a complex bubble map showing who you talk to, how much you talk to them, and what your relationships with your contacts are.

Vincent’s article led me to a blog post by Ethan Zuckerman, describing how he used the tool.

Among his observations:

The Obama administration and supporters have responded to criticism of these programs [identified by Snowden] by assuring Americans that the information collected is “metadata”, information on who is talking to whom, not the substance of conversations. As Senator Dianne Feinstein put it, “This is just metadata. There is no content involved.” By analyzing the metadata, officials claim, they can identify potential suspects then seek judicial permission to access the content directly. Nothing to worry about. You’re not being spied on by your government – they’re just monitoring the metadata.

Sociologist Kieran Healy shows another set of applications of these techniques, using a much smaller, historical data set. He looks at a small number of 18th century colonists and the societies in Boston they were members of to identify Paul Revere as a key bridge tie between different organizations. In Healy’s brilliant piece, he writes in the voice of a junior analyst reporting his findings to superiors in the British government, and suggests that his superiors consider investigating Revere as a traitor. He closes with this winning line: “…if a mere scribe such as I — one who knows nearly nothing — can use the very simplest of these methods to pick the name of a traitor like Paul Revere from those of two hundred and fifty four other men, using nothing but a list of memberships and a portable calculating engine, then just think what weapons we might wield in the defense of liberty one or two centuries from now.”

Zuckerman published the Immersion Project’s image of his gmail account, along with an analysis.
Other network example

The largest node in the graph, the person I exchange the most email with, is my wife, Rachel. I find this reassuring, but [two people involved with Immersion] have told me that people’s romantic partners are rarely their largest node. Because I travel a lot, Rachel and I have a heavily email-dependent relationship, but many people’s romantic relationships are conducted mostly face to face and don’t show up clearly in metadata. But the prominence of Rachel in the graph is, for me, a reminder that one of the reasons we might be concerned about metadata is that it shows strong relationships, whether those relationships are widely known or are secret.

The Immersion image of my emails allowed me to identify people who are key in my network. Here’s an image of one of them, again I have removed the names:

One person image

I am also able to see, based on the thickness of the connecting lines, who in my network has the strongest ties to this central person. And that’s just scratching the metadata surface.

Back to Zuckerman’s blog. After describing some additional implications of his Immersion-generated social network image, he writes:

My point here isn’t to elucidate all the peculiarities of my social network (indeed, analyzing these diagrams is a bit like analyzing your dreams – fascinating to you, but off-putting to everyone else). It’s to make the case that this metadata paints a very revealing portrait of oneself. And while there’s currently a waiting list to use Immersion, this is data that’s accessible to NSA analysts and to the marketing teams at Google. [my emphasis] That makes me uncomfortable, and it makes me want to have a public conversation about what’s okay and what’s not okay to track.

Jonathan O’Donnell commented on Zuckerman’s post with a brief literature review about the consequences of data tracking (see the original posting for links to the cited research):

For me, the classic paper in this area is Paul Ohm’s analysis of why anonymization doesn’t work. He shows that small amounts of metadata, and a modicum of known facts, will reveal big amounts of private information (Ohm, 2010).

For example:
In 1997, two students at Massachusetts Institute of Technology (MIT) analyzed the Facebook profiles of 6,000 past and present MIT students. They demonstrated that they were able to predict, with a very high degree of certainty, whether someone was gay or not, based on their friendship group (Jernigan & Mistree, 2009).

In 2009, Acquisti and Gross demonstrated that they could ‘guess’ a large number of American social security numbers using just the birth date and place of a person (Acquisti and Gross, 2009).

In 2009, Zheleva and Getoor demonstrated that friendship and group affiliation on social networks could be used to recover the information of private-profile users. They found that they could predict (with reasonable degrees of success) country of residence (Flickr), gender (Facebook), breed of dog (Dogster) and whether someone was a spammer (BibSonomy), even when 50% of the sample group were private-profile users (Zheleva and Getoor, 2009).

In 2011, Calandrino and others demonstrated that you could use the “You might also like” feature on Hunch, Last.fm, LibraryThing, and Amazon to predict individual purchasing, listening and reading habits of users of these systems. As long as you knew a small number of items that were true about a person, you could use the system to investigate their private behaviour on these sites (Calandrino et al, 2011).

…I’m pretty sure that these techniques can be chained, so that if you are a prolific user of social networks, people can tell your gender, sexual orientation, country of residence, breed of dog, purchasing, listening, reading and spamming activities, your social security number and your name, even if you were anonymous.

But so what, if you’ve done nothing wrong? Why be concerned?

Some of my colleagues ask me that.

I know of at least one major police department that is concerned the ease of social network tracking is making life more dangerous for its undercover officers. The officers practice safe social networking. But they have little control over the social network practices of other people in their professional and social networks — let alone control over the people in the friends of their friends networks.  It gets megacomplex really quickly.


A few months ago, Bruce Schneier wrote that it’s too late to talk about control.  The Internet won, he says.  Privacy lost.

The Internet is a surveillance state. Whether we admit it to ourselves or not, and whether we like it or not, we’re being tracked all the time. … [It] is ubiquitous surveillance: All of us being watched, all the time, and that data being stored forever. This is what a surveillance state looks like, and it’s efficient beyond the wildest dreams of George Orwell.

Sure, we can take measures to prevent this. We can limit what we search on Google from our iPhones, and instead use computer web browsers that allow us to delete cookies. We can use an alias on Facebook. We can turn our cell phones off and spend cash. But increasingly, none of it matters.

There are simply too many ways to be tracked. The Internet, e-mail, cell phones, web browsers, social networking sites, search engines: these have become necessities, and it’s fanciful to expect people to simply refuse to use them just because they don’t like the spying, especially since the full extent of such spying is deliberately hidden from us and there are few alternatives being marketed by companies that don’t spy.

So, we’re done. Welcome to a world where Google knows exactly what sort of porn you all like, and more about your interests than your spouse does. Welcome to a world where your cell phone company knows exactly where you are all the time. Welcome to the end of private conversations, because increasingly your conversations are conducted by e-mail, text, or social networking sites.

And welcome to a world where all of this, and everything else that you do or is done on a computer, is saved, correlated, studied, passed around from company to company without your knowledge or consent; and where the government accesses it at will without a warrant.

Welcome to an Internet without privacy, and we’ve ended up here with hardly a fight.

Oh well, there’s always Pong.  Pong’s innocuous.

April 11, 2013

Redundant from L. redundantem (nom. redundans), prp. of redundare “come back, contribute,” lit. “overflow,” from re- “again” + undare “rise in waves,” from unda “a wave”

Filed under: Budgets and Spending,Intelligence and Info-Sharing,Technology for HLS — by Philip J. Palin on April 11, 2013

You may have seen the headlines:  Redundant Federal Programs Waste Billions (USA Today).

Or heard something similar:  Latest GAO report reveals 162 areas of redundancy across government (Federal News Radio).

Most of the broadcast news mentioned something about catfish inspectors and each military branch developing its own camouflage  uniform. Conservative or liberal — from inside or outside government — it is the kind of “news” that fails to create any new brain synapses and, probably, calcifies our current neural networks.

This lack of real thinking reflects the way information is headlined and how we typically receive the information, not what GAO is actually reporting.

The Government Accountability Office study released on Tuesday references several Department of Homeland Security practices.  In addition to a list from prior years, two more are highlighted in this most recent report:

Department of Homeland Security Research and Development: Better policies and guidance for defining, overseeing, and coordinating research and development investments and activities would help DHS address fragmentation, overlap, and potential unnecessary duplication.

Field-Based Information Sharing: To help reduce inefficiencies resulting from overlap in analytical and investigative support activities, the Departments of Justice and Homeland Security and the Office of National Drug Control Policy could improve coordination among five types of field-based information sharing entities that may collect, process, analyze, or disseminate information in support of law enforcement and counterterrorism-related efforts—Joint Terrorism Task Forces, Field Intelligence Groups, Regional Information Sharing Systems centers, state and major urban area fusion centers, and High Intensity Drug Trafficking Areas Investigative Support Centers.

I am sure any post-hoc study of  research-and-development or intelligence-gathering (even more-so intelligence creating) activities will always find a wide range of decisions and actions  hard to defend.   Any careful audit should find hundreds or thousands of hours obviously lost on following bad leads, interminable meetings, unnecessary travel, dysfunctional turf protection, and much, much more (or actually less and less).  A thorough analysis could authoritatively map how one failure led to another and another.

R&D and the intelligence process share a concern with anticipating, even creating the future.  Once we arrive at the future we can usually look back and bemoan (or self-justify) the dead-ends and circuitous paths chosen.   We may even be able to recognize how alternate — preferable? — futures were very close-at-hand, but have now receded in our wake.

Malcolm Gladwell argues that ten years and 10,000 hours are — along with other crucial inputs — prerequisites to “outlier” success.  What  would an audit at five years and 5000 hours find? What does a half-made success look like? Thomas Edison famously said, “I failed my way to success.”

In the commercial world “redundancy” is often called competition.  In biology redundancy is very closely related to diversity.  In engineering and other design applications redundancy is sometimes valued rather than maligned.

This is not to discourage DHS from looking hard at its research-and-development policies.  The improved coordination of field-based information-sharing sounds like a win-win.  But fragmentation, overlap, and duplication are not always net negatives.  Elinor Ostrom and her colleagues found that polycentric governance — featuring considerable fragmentation, overlap, and duplication — is often more effective at achieving policy goals than more centralized and “efficient” structures.

[Redundancy = Bad] is a dangerous heuristic.  Stop using it.

January 3, 2013

Due process: Collect, keep, and kill

No free man shall be seized or imprisoned, or stripped of his rights or possessions, or outlawed or exiled, or deprived of his standing in any other way, nor will we proceed with force against him, or send others to do so, except by the lawful judgment of his equals or by the law of the land. (Clause 39, Magna Carta)

No person shall… be deprived of life, liberty, or property, without due process of law… (Fifth Amendment to the Constitution of the United States)

–+–

Recent months have seen one-time expediencies dressed-up as new principles to frame the relationship between citizen and State.  Three examples:

On the Friday after Christmas the Senate reauthorized broad executive authority for  electronic surveillance and collection. The vote was 73-to-23 and extended for five years the Foreign Intelligence Surveillance Act. The House adopted the legislation earlier in the year.  On Sunday the President the signed the extension into law. Proposed amendments, including those offered by Senator Wyden,  that would have enhanced Congressional oversight of FISA were defeated.  FISA was originally intended to provide due process for the gathering of intelligence on non-citizens and so protect the privacy of citizens.  There has been increasing concern regarding how FISA methods now unintentionally — but perhaps quite widely — sweep up citizen communications as well.

According to a December 13, 2012 Wall Street Journal report, there may be good cause for concern.   In an exclusive investigative report, Julia Angwin found that new Department of Justice guidelines, “now allow the little-known National Counterterrorism Center to examine the government files of U.S. citizens for possible criminal behavior, even if there is no reason to suspect them. That is a departure from past practice, which barred the agency from storing information about ordinary Americans unless a person was a terror suspect or related to an investigation. Now, NCTC can copy entire government databases—flight records, casino-employee lists, the names of Americans hosting foreign-exchange students and many others. The agency has new authority to keep data about innocent U.S. citizens for up to five years, and to analyze it for suspicious patterns of behavior. Previously, both were prohibited.”

Meanwhile the White House is, according to several sources including Presidential adviser John Brennan, developing a legal and procedural framework for the deadly use of drones. Addressing the use of drones during an October 18 appearance on “The Daily Show,” President Obama said,  “One of the things we’ve got to do is put a legal architecture in place, and we need Congressional help in order to do that, to make sure that not only am I reined in but any president’s reined in terms of some of the decisions that we’re making.”  According to a May report in the New York Times, “Mr. Obama has placed himself at the helm of a top secret “nominations” process to designate terrorists for kill or capture, of which the capture part has become largely theoretical. He had vowed to align the fight against Al Qaeda with American values; the chart, introducing people whose deaths he might soon be asked to order, underscored just what a moral and legal conundrum this could be.”   Among the President’s decisions, presumably, was the targeted killing of Anwar al-Awlaki, a US citizen who was killed by drone-delivered Hellfire missiles on September 30, 2011 and his sixteen year-old son, also born in the US, who was killed in another drone attack two weeks later.  Both citizens were killed in Yemen.

The predominant motivation in each instance above — and others — is the protection of the American people and nation.  There is no imminent threat of Orwellian intention or intervention.

In each of these examples legislators and the executive are attempting to develop due process that is appropriate to their understanding of the present challenge.   (The judicial branch is poised to soon rejoin consideration of the issue.)

Nonetheless while it is, I suspect, the specific intention of no one, the space where individual liberty adjoins civil authority is being incrementally reshaped.  In the Anglo-American tradition there has long been in both theory and practice the presumptive primacy of individual initiative, what Blackstone termed “the absolute rights of man.”  The balance is shifting toward a presumed ability by the government to maintain order.

Perhaps this is the inevitable outcome of more and more diverse individuals living in dense proximity to each other.  Perhaps it is a prudent response to demonstrated risk.  Perhaps it reflects an emerging social consensus that liberty is less valued than previously.  Or we might be in the process of  redefining liberty.  These shifts might even be the accidental consequence of what Nassim Taleb has termed “naive interventionism”.  The preference, even obligation, to “do something” over doing nothing, even when the doing is non-productive or counter-productive.

Whatever the cause, the pattern can be perceived and seems to be persisting.

December 13, 2012

WSJ: National Counterterrorism Center given access to full-spectrum of Federal databases

Filed under: Intelligence and Info-Sharing,Privacy and Security — by Philip J. Palin on December 13, 2012

If you’re a Wall Street Journal subscriber, you  read the story late Wednesday night or earlier today.   If not it’s behind the Journal’s pay-wall.   I carried today’s (paper) Wall Street Journal to my morning meetings and didn’t see it until lunchtime.

But here’s how Wired magazine is summarizing the WSJ’s investigative journalism:

In a secret government agreement granted without approval or debate from lawmakers, the U.S. attorney general recently gave the National Counterterrorism Center sweeping new powers to store dossiers on U.S. citizens, even if they are not suspected of a crime, according to a news report.

Earlier this year, Attorney General Eric Holder granted the center the ability to copy entire government databases holding information on flight records, casino-employee lists, the names of Americans hosting foreign-exchange students and other data, and to store it for up to five years, even without suspicion that someone in the database has committed a crime, according to the Wall Street Journal, which broke the story.

Whereas previously the law prohibited the center from storing data compilations on U.S. citizens unless they were suspected of terrorist activity or were relevant to an ongoing terrorism investigation, the new powers give the center the ability to not only collect and store vast databases of information but also to trawl through and analyze it for suspicious patterns of behavior in order to uncover activity that could launch an investigation.

The changes granted by Holder would also allow databases containing information about U.S. citizens to be shared with foreign governments for their own analysis.

A former senior White House official told the Journal that the new changes were “breathtaking in scope.”

MORE FROM WIRED

Next Page »