NSA Reform

 What Could Have Been And What We've Got

The revelations, leaks, and laws of the last few years, from warrantless wiretapping and Edward Snowden to laws like SOPA, ACTA, and now the president’s attempt to fast track TPP, have painted a portrait of a superpower increasingly at war with the net. But people like the net, they live more and more of their lives on the net, which makes this conflict politically difficult and confusing.

Obama and German Chancellor Merkel in June of 2013, with whom things got chilly after Snowden documents revealed that the NSA spied on Merkel.

In August, in the wake of the Snowden revelations, President Obama created a Review Group to investigate the NSA and recommend reforms as needed. Obama protested repeatedly that his actions had nothing to do with Snowden, and he was just about to do this anyway, rather like a teenager caught loafing on the job.

The president's panel of five (Richard Clarke, Michael Morell, Geoffrey Stone, Cass Sunstein and Peter Swire) was by no means a collection of bleeding hearts. It included Sunstein, formerly of the OMB (Office of Management and Budget), and Swire, who had worked in the White House. Morell is a former Acting CIA Director, and Clarke, a former republican National Security Council coordinator on counter-terrorism and Special Advisor to Bush II on Cybersecurity. It was a group of loyal insiders, who remain loyal to this day.

Nevertheless the Review Group released a 300-page book focused on 46 recommendations for reform, and substantial reform at that. But despite its length, it was perhaps most fascinating in the negative spaces and long pauses between the words. On January 17th, Obama announced his reforms in a speech and a Presidential Policy Directive, or PPD and again, the story of what he didn't say is more fascinating than what he did. Among the issues raised by Snowden’s revelations or the review group that Obama didn’t address in his speech or policy directive were:

• Stopping the use of existing vulnerabilities in offensive operations
• Stopping the weakening of globally used encryption standards and implementations
• Complying better with the MLA Treaty (Cooperating with international law enforcement)
• Establishing an adversary for the FISA court
• Bringing mass surveillance authorizations and National Security letters more in line with subpoena or even warrant requirements.
• Taking Cybercommand and Information Assurance out of the NSA
• Making NSA leadership open to civilians and Senate-confirmed
• Restricting the NSA to a foreign mission
• Restricting the NSA mission to terrorism or other major threats, not law enforcement
• Getting Congress and civil libertarians more involved in policy decisions of the intel community, including the handling of "big data"
• Fixing the broken secrecy and clearance system.

Some of the more pressing issues still in the media if not the recommendation process include:

• Examining the intrusion into and modification of global networks
• Having an open debate about the legality of Five Eyes information sharing
• Having more public consultation on all of these issues
• Asking what the cultural consequences of mass surveillance are at all levels of society

I haven’t covered all of these very worthy topics in this reaction, though I hope to look at more in the future. This is a partial look at a few of the recommendations, the reforms, and what I believe to be some of their more important consequences.

Breaking up the NSA

The review panel recommended three things that would have distributed the power of the NSA, which is now bigger than the FBI and CIA combined. The first was a civilian, senate-confirmed head of the department, to add congressional oversight to the choice. The second was taking Cybercommand, the military's hacker and largely offensive security wing, out of the NSA, which is primarily meant to have an intelligence mission. The third was moving the NSA's Information Assurance Directorate elsewhere, because its mission to secure networks represents a conflict of interest for military and spying operations required to penetrate networks. Currently, all of these are run by General Keith Alexander.

Keith Alexander being sworn in.

“We jokingly referred to him as Emperor Alexander — with good cause, because whatever Keith wants, Keith gets,” a former senior CIA official told Wired's Jim Bamford, in a profile that was written before the Snowden documents started showing how far the Emperor had gone.

Before the review was officially in, and long before his January speech and policy directive, Obama rejected dividing up the power and the functions of the head of the NSA and Cybercommand.

"I think it's related to Obama's decision to ignore the (security vulnerabilities): a commitment to aggression first, then defense," said Marcy Wheeler, of the blog Emptywheel.

Weak encryption and secret vulnerabilities known as 0days present a continual and clear threat to contemporary life. (0days are so called because the software’s creators, being unaware of the flaw, have had zero days to patch the software and make it safe.) Criminal and state actors can and do exploit these software flaws to steal money, secrets, and cripple infrastructure. Snowden documents revealed that the NSA has weakened industry encryption standards and weaponized secret 0days for American products for use in spying operations. The Review Group has recommended both these practices stop, a recommendation tightly linked with breaking up the functions of the NSA, because these missions are inherently a conflict of interest.

"There's no repudiation of the NSA deliberately weakening the cryptography and security standards that we rely on, said Matt Blaze, Professor of CIS at University of Pennsylvania. "Sabotaging these standards — as the NSA appears to have done in at least one case (the DUAL_EC random number standard) — is inherently a tool of mass surveillance. Because the standards are used across infrastructure shared by everyone, a weakened standard makes everyone more vulnerable, not just the targets. This is a critical issue, a strong point made by the review panel, and I was disappointed that it wasn't addressed."

Information Assurance remains part of a military and intelligence mission, still conflicting with those whose jobs are made easier by keeping the world insecure.

This decision gives America no internal champion for security, but rather a powerful agency with the insane task of damaging and exploiting the very software that controls America's hospitals and dams, its banks, power grids, trains, factories, and so on.

"The weakening infrastructure issue is critical, and should be understood as a national security problem on its own," said Blaze.

In many ways, Obama's decision to prioritize offense to the abandonment of defense reflects the security community itself, which feeds into the NSA. The henhouse has been filled with foxes, all told by their commander they are doing a good job. Defense is always harder to do socially -- no one comes in to your office every day and says “Nothing happened! Good job!” even though that is one of the most vital parts of maintaining systems, against both security threats and the universe's basic entropy. Still, sane governments find ways of maintaining the maintainers, and those that don't have a history of collapsing under unusual weather and barbarian attacks.

“The US Government should protect Americans from criminals and terrorists by improving encryption standards, helping vendors fix bugs more rapidly, and generally strengthening the security of widely used products and services. As many Target shoppers will tell you, secret vulnerabilities don't necessarily stay secret,” said Jon Peha, a professor of both public policy and engineering at Carnegie Mellon University, who authored a note used by the Review Group. Peha was hopeful, and saw the speech and PPD as the start of a process and not the final word.

"I would have liked to hear the President endorse this goal in his recent speech, but we should not see that one speech as the last word on surveillance. More changes will come, in part from the President and in part from Congress. The technical community should continue to speak out about its concerns, and to ask hard questions."

Most breaches or hacks are due to the inevitable accidental bugs endemic to complex software. But keeping and inserting vulnerabilities, and weakening standards, leaves everyone wondering with every hack or data breach, could this have been caused by something the government could have fixed, but hid for their own use, or even worse, inserted themselves?

Getting the NSA out of places it's not supposed to be

There's a lot in the negative space of the recommendations — activities called out for prohibition with disturbing specificity. Some of these we've seen in the Snowden documents, like the use of government surveillance for industrial espionage. Other activities like hacking of financial systems and changing bank account information haven't shown up in the Snowden cache yet, and perhaps won't, but the detailed prohibition is suggestive. Recommendations that the NSA concern itself with foreign matters of terrorism, counter-terrorism, and the potential loss of life point to an agency getting involved with domestic matters and more quotidian law enforcement, which were hinted at in a recent ACLU FOIA request showing that the NSA feeds selectors in the form of phone numbers to the FBI on a daily basis.

In saying the NSA belongs only in terrorism and foreign affairs, the Review Group found itself unwillingly backing up Snowden's accusation that the NSA is acting as a domestic spying agency concerned with the personal affairs of at least some Americans. "Also note (though the Group didn't say it) the government has used the AUMF (Authorization for Use of Military Force) to justify some of the spying (notably Jack Goldsmith's 2004 opinion authorizing the illegal dragnet)," says Wheeler, "There's actually an opinion they relied on for a long time saying the 'military' could invade 'buildings' in search of terrorists under AUMF, which was used to justify NSA spying domestically."

Which brings us back to a point that Senator Ron Wyden has been making for years.

We don't know the legal theory of the intelligence agencies and military. It's secret law, with secret definitions of words that would likely make no sense in the normal course of English usage.

We now know that "bulk collection" is the Orwellian term for mass surveillance, with the agencies claiming that nothing is technically surveilled until some later time in the intelligence process, a point still fuzzy for the public.

But they still have been caught out breaking their own rules: selector violations, engaging in LOVE INTs generally aimed at female objects of desire. We don't know yet, and may never, who else they pay special attention to. The NSA refused to answer direct questions to Keith Alexander from Congressman Bernie Sanders as to whether they spy on Congress, in a moment that was not reassuring to anyone anywhere in America. Eventually it answered with a non-answer, saying Congress was subject to the same rules all other Americans are, without being willing to say what they are in detail. We are all left guessing how interesting we are, how watched, how much we should watch out what we say or do in our online lives. But the NSA doesn't send out men with guns, that's the FBI, Secret Service, and local law enforcement.

We have no idea what the FBI does with the selectors/numbers/people they get from the NSA. We now know that the FBI doesn’t feel it needs a warrant to investigate those selectors, but little else. We have no idea what the criteria are for these numbers -- whether the FBI is asking, or what they are asking for. The FBI may investigate them, they may use private information to force them to become informers, they may file them away and never look at them again. We just don't know, and no one from the Department of Justice is volunteering more information.

As above, so below.

One of the questions of the handling of surveillance reform that hasn't been well considered is the way it "trickles down" to use old White House parlance. State and local governments are getting into the same legal and technical tools, albeit at smaller scales, to make mini versions of the larger surveillance state. The use of administrative subpoenas with phony “gag orders” acts a bit like NSLs, and they can even request bulk collection, sometimes successfully if a sensible lawyer doesn't get to look at it.

State and local authorities can also call on the Third-Party Doctrine, which governments use, and arguably abuse, to get to warehoused personal data that would otherwise require a warrant. They can set up cameras, record comings and goings, request transaction records, and stop and search their people without a warrant, and seize their property on the thinnest of grounds. But should they? The obvious moral answer is no, but these institutions look above them, to the federal government, for guidance.

Take the example of Oakland's DAC, Domain Awareness Center, a classic mini-surveillance and control mechanism. The DAC seeks to create a network of cameras and collate it with data from other systems, including truck tracking in the port, constant license plate reading, port and road data, and satellite photography, among other things.

Oakland is not a great place for this to be happening.

The city council has no privacy policy for DAC material, that's something they'll do later. Oakland Police, the biggest supporters of the DAC, spent ten years fighting federal receivership due to a history and ongoing pattern of brutal abuse of their people. A report from November 2011 showed they'd paid out $57 million in ten years to settle cases from alleged victims -- and those were just the ones that could afford lawyers. Since then, they've paid out another $2.9 million for abuse of the Occupy protesters, which doesn't yet include Scott Olsen, the veteran they famously shot in the head with a less-lethal round.

Oakland is a poor city; it can't really afford its extravagant police force, and it certainly couldn't afford its DAC.

Surveillance trickles down in more than one way. At a time when Oakland is closing schools and dealing with more than $50 million in budget shortfalls, the DAC is made possible by DHS grants. These same grants have been militarizing the police all over America as well as giving them wide surveillance capabilities — capabilities that haven't translated into much terrorism prevention, but have been aggressively brought to bear on protesters all over the nation in the 15 years since the Battle of Seattle in 1999.

Oakland Police, and the future of struggle?

In one of the most revealing moments of these baby Big Brothers, a FOIA request for Oakland City mails about the DAC revealed that none of the talk was about crime -- no mention of murders, assaults, thefts, or the violent crime Oakland officials express constant frustration with. Instead, there was talk of tracking protests and labor strikes. The internal desires of Oakland's minders revealed a frustration with the dissent that finds such powerful political expression in Oakland, and strategies for heading it off.

"I have also made it clear that the United States does not collect intelligence to suppress criticism or dissent," Obama said in his speech Friday. Whether that is true or not for his NSA and Cybercommand, the Obama Executive has had no problems with funding such efforts at the local level.

My fears about reforms that aren’t reforms aren’t just for the billions of people around the world subjected to the casual and continual gaze of the security services of Five Eyes. Reforms that aren't reforms tell the locals— go ahead, gather as much information on the people in your community as you can, this is your right, this is for your purposes, this is how we do things. We'll trust you to oversee yourself. In the cases of police departments like Oakland, you can even do all this on our dime.

Internationally, the lack of real reform on America's part leaves other nations scrambling to catch up with the NSA on both domestic and international surveillance, and make the world a poorer, less expressive, and less secure place. To the old political maxim that there is no such thing as a tax repealed, we may be able to add that no surveillance, once allowed, is ever restrained.