In Bizarre Move, Dianne Feinstein Attacks Tech Companies for Profiting Off Spying on Their Customers

/9 Comments/in , /by

Dianne Feinstein attacked PRISM providers’ use of encryption in yesterday’s Senate Judiciary Committee hearing with Loretta Lynch in really bizarre fashion.

Feinstein: Google, Microsoft, Dropbox, and other email and cloud servers use forms of encryption to protect customer data. Their encryption techniques are strong and that makes them relatively well protected against outside attack. But the reality is that many companies only protect data like your email in ways that they can still use it themselves, and profit from it. I believe that the amount of personal information in the hands of private corporations and what some of those corporations are doing with that data is concerning. Isn’t it true that private companies can encrypt data so that it is protected from outsiders but at the same time those same companies can use our personal content data to target advertisements?

Attorney General Lynch: Thank you Senator for raising this important issue. It certainly is the case that many companies — those that you mentioned and others — have strong encryption, which we think is a very positive thing, and yet retain the ability to use the data that is transmitted along their systems, both for security purposes  as well as for marketing purposes. And so it is certainly the case, as we have seen in our talks with various companies, that strong encryption can be accompanied with the ability to still access the data and use the data in relevant ways. And we think that this is something that’s part of the overall debate on this important issue as we all consider — as you have also noted — how much personal information we willingly turn over to private companies and how we want that information handled. And certainly as we continue to discuss this issues I thank you for raising them and making them part of the debate.

Feinstein: Well, thank you very much because with my own devices, and I’m not the most “hep” person when it comes to all of this [raising phone] I’ve been amazed to learn what I can’t control. And my understanding is that it’s private information like web browsing history, email content, geolocation information, even when encrypted on smart phones. So I think it is an area of concern as companies want to defy a probable cause warrant, that they can use this data for their own profit making motives, and that’s of concern.

First, let me remind you: this woman represents Silicon Valley! And yet it’s not clear precisely what she means here.

Don’t get me wrong: I’d love to have a service with the facility of Google but without all the snooping on content and location. It concerns me that Google keeps much of that information even if you opt out of most data sharing.

But why is the Ranking Member of the Collect It All Committee raising these concerns — aside from maybe just now learning how much companies have on her? Indeed, it seems there are at least three reasons why a Collect It All fan should prefer this option:

  • The proprietary information these companies collect — at least the cookies and location data — is available both with a subpoena and under PRISM. Indeed, it should provide some of the most interesting information about intelligence and law enforcement targets.
  • DiFi has just championed a bill that makes the packet sniffing DiFi claims to be concerned about — which allows Google to target us for advertising — more useful for government cybersecurity purposes, too, as Google can not only sniff for their own security purposes, but also share what they find with the government.
  • The Administration is in the middle of a campaign — successful with at least Facebook and probably with some services on Google as well — to ask tech companies to use their marketing algorithm function to disfavor ISIS propaganda and favor counter-propaganda.

In other words, DiFi should love this state of affairs!

The only explanation (aside from some recent discovery of how much of her own data these companies have) I can think of is that DiFi has learned how little data iMessage and Signal collect on people, and was supposed to complain that she is furious that companies that, by collecting so little, limit how cooperative they can be in cases of legal requests, also offer security for their customers. But she appeared to be reading from a written statement, so that doesn’t make sense either.

The only other possibility I can imagine is that the government is trying to expand its access to this proprietary information under PRISM, and providers are balking. Which would be rather interesting.

Share this entry

The Government Spoliationing for a Fight with EFF

/2 Comments/in , /by

On November 6, 2007, Judge Vaughn Walker issued a preservation order in EFF’s challenge to what we now know to be Stellar Wind, the Shubert case (which would be applied to the Jewel case after that). Nevertheless, in spite of that order, in 2009 the NSA started destroying evidence that it had collected data outside of the categories Judge Colleen Kollar-Kotelly authorized way back in 2004.

Also in 2009, NSA shifted records showing 3,000 people — which highly likely included CAIR’s staff and clients — had been dragnetted without the First Amendment review mandated by Section 215 (CAIR wasn’t a plaintiff on EFF’s earlier suits but they are on EFF’s phone dragnet suit, First Unitarian United). When they did, the government even appeared to consider the existing protection order in the EFF case; I have FOIAed their deliberations on that issue, but thus far have been stonewalled.

Finally, in 2011, NSA destroyed — on very little notice and without letting their own IG confirm the destruction of data that came in through NSA’s intake process — all of its Internet dragnet data.

In other words, on three known occasions, the NSA destroyed data covered by the protection order in Northern California, one of them even after admitting a protection order might cover the data in question. In two of those cases, we know the data either exceeded FISA’s orders or violated the law.

In fact, it wasn’t until 2014, when the government started asking Judge Reggie Walton for permission to destroy the phone dragnet data and EFF complained mightily, that NSA started complying with the earlier protection order. Later that same year, it finally asked FISC to keep the Protect America Act and FISA Amendments Act data also included under that order in its minimization procedures.

These posts provide more background on this issue: postpost, post, post.

In other words, on three different occasions (even ignoring the content collection), NSA destroyed data covered by the protection order. spoiling the evidence related to EFF’s lawsuits.

Which is why I find this claim — in the January 8 filing I’ve been waiting to read, but which was just posted on March 4 (that is, 5 days after the NSA would have otherwise had to destroy everything on February 29 under USA Freedom Act).

The Government remains concerned that in these cases, absent relief from district courts or explicit agreement from the plaintiffs, the destruction of the BR Metadata, even pursuant to FISC Order, could lead the plaintiffs to accuse the Government of spoliation. In Jewel, the plaintiffs have already moved for spoliation sanctions, including an adverse inference against the Government on the standing issue, based on the destruction of aged-off BR Metadata undertaken in accordance with FISC Orders. See Jewel Pls.’ Brief Re: the Government’s Non-compliance with the Court’s Evidence Preservation Orders, ECF No. 233.

Gosh, after destroying data on at least three different occasions (again, ignoring at least two years of content they destroyed), the government is worried that if it destroyed more it might get in trouble? Please!

Elsewhere, the strategy in this filing seems to be to expand the possible universe they’d have to set aside under the three cases (plus Klayman) for which there is a protection order as to make it virtually impossible to set it aside so as to destroy the rest. In addition, having let the time when they could have set aside such data easily pass because they were still permitted to access the data (say, back in 2014, when they got caught violating their protection order), they now claim that the closure of the dragnet makes such a search virtually impossible now.

It’s a nifty gimmick. They can’t find a way to destroy the data because they already destroyed even legally suspect data. And we learn about it only now, after the data would otherwise be destroyed, but now can’t be because they didn’t find some better resolution 2 years ago.

Share this entry

More Evidence Secret “Tweaks” To Section 702 Coming

/1 Comment/in /by

Way at the end of yesterday’s Senate Intelligence Committee Global Threats hearing, Tom Cotton asked his second leading question permitting an intelligence agency head to ask for surveillance, this time asking Admiral Mike Rogers whether he still wanted Section 702 (the first invited Jim Comey to ask for access to Electronic Communications Transactions Records with National Security Letters, as Chuck Grassley had asked before; Comey was just as disingenuous in his response as the last time he asked).

Curiously, Cotton offered Rogers the opportunity to ask for Section 702 to be passed unchanged. Cotton noted that in 2012, James Clapper had asked for a straight reauthorization of Section 702.

Do you believe that Congress should pass a straight reauthorization of Section 702?

But Rogers (as he often does) didn’t answer that question. Instead, he simply asserted that he needed it.

I do believe we need to continue 702.

At this point, SSCI Chair Richard Burr piped up and noted the committee would soon start the preparation process for passing Section 702, “from the standpoint of the education that we need to do in educating and having Admiral Rogers bring us up to speed on the usefulness and any tweaks that may have to be made.”

This seems to parallel what happened in the House Judiciary Committee, where it is clear some discussion about the certification process occurred (see this post and this post).

Note this discussion comes in the wake of a description of some of the changes made in last year’s certification in this year’s PCLOB status report. That report notes that last year’s certification process approved the following changes:

  • NSA added a requirement to explain a foreign intelligence justification in targeting decisions, without fully implementing a recommendation to adopt criteria “for determining the expected foreign intelligence value of a particular target.” NSA is also integrating reviewing written justifications in its auditing process.
  • FBI minimization procedures were revised to reflect how often non-national security investigators could search 702-collected data, and added new limits on how 702 data could be used.
  • NSA and CIA write justifications for conducting back door searches on US person data collected under Section 702, except for CIA’s still largely oversight free searches on 702-collected metadata.
  • NSA and CIA twice (in January and May) provided FISC with a random sampling of its tasking and US person searches, which the court deemed satisfactory in its certification approval.
  • The government submitted a “Summary of Notable Section 702 Requirements” covering the rules governing the program, though this summary was not comprehensive nor integrated into the FISC’s reauthorization.

As the status report implicitly notes, the government has released minimization procedures for all four agencies using Section 702 (in addition to NSA, CIA, and FBI, NCTC has minimization procedures), but it did so by releasing the now-outdated 2014 minimization procedures as the 2015 ones were being authorized. At some point, I expect we’ll see DEA minimization procedures, given that the shutdown of its own dragnet would lead it to rely more on NSA ones, but that’s just a wildarseguess.

Share this entry

The Government’s Classified Briefing to HJC: A New Certificate?

/in /by

As I noted, after years of legislating Section 702 of the FISA Amendments Act in public, yesterday the House Judiciary Committee had a closed hearing on it, which raises all sorts of questions about what has changed.

The agencies presenting to the committee did provide an unclassified statement for the record that is mostly stuff we know (one of the most interesting details is that it considers upstream telephony collection to be a different kind of collection than upstream Internet collection). But it does provide 3 examples of things that it would explain to the committee in classified session. One is utterly predictable: examples of counterterrorism intelligence obtained under Section 702.

Section 702 collection is a major contributor to NSA’s counterterrorism reporting and on other topics as well. Since its enactment in 2008, the number of signals intelligence reports issued by NSA based at least in part on Section 702 collection has grown exponentially. CIA and FBI state that they have acquired highly valuable and often unique intelligence through Section 702 collection. Numerous real-life examples that demonstrate the broad range of important information that the Intelligence Community has obtained can be provided to the Committee in a classified setting. While these examples which identify specific targets and operations must remain classified, the following declassified example provides just one instance of the many contributions Section 702 has made to our national security.

Of course, the IC shouldn’t be permitted to present such things in secret, as so many of their cases have been shown to be bogus (or not provided 702 notice) in the past. It is now down to one unclassified case — Najibullah Zazi — where they used 702, and that wasn’t even all that central (which may be why they never did get 702 notice).

The other two are more interesting. They include:

  • What certificates the government has approved: “The Government will describe in a classified setting the certification or certifications under which the Government is currently acquiring foreign intelligence information.”
  • The contributions of Section 702 data to other kinds of foreign intelligence collection: “The Board further acknowledged the Section 702 program’s value in acquiring other foreign intelligence information, examples of which can be provided in a classified setting.”

Recall, as late as 2011, the IC was known to have 3 certificates a counterterrorism certificate, a counterproliferation one, and a foreign government one, which serves as a grab bag. Because it was so obvious the IC was using Section 702 for cybersecurity, I mistakenly claimed they had a cyber certificate, but as late as 2012, they had not yet obtained one. Perhaps the IC needed classified session to explain all this.

But how weird would it be to brief HJC on a Section 702 cyber certificate while DHS and DOJ are implementing OmniCISA, which will enable upstream searches for cyber signatures within the US? Perhaps that’s what they were doing, but it would be interesting timing.

Which makes me wonder, again, about whether there’s another kind of certificate, perhaps one targeted at Tor?

In any case, there is something significant about the set of certificates the IC has or is asking for (probably the former, given that it makes a big show here of releasing the documents tied to the 2014 certification process, but not those tied to the 2015 certification process).

I’m sure that’s not the only thing the IC wanted to brief HJC on in secret. But it does appear to be one thing they did brief in secret. (Side note: I have reason to believe the IC did not tell the truth, even within the IC, about what certificates they got at the beginning of the PRISM process, so at least this would suggest they’re now being more forthcoming.)

Share this entry

What Secrets Are the Spooks Telling HJC about Section 702?

/1 Comment/in /by

There’s a paper that has been making waves, claiming it has found a formula to debunk conspiracies based on the likelihood if they were real, they would have already been leaked. Never mind that people have already found fault with the math, the study has another glaring flaw. It treats the PRISM program — and not, say, the phone dragnet — as one of its “true” unknown conspiracies.

PRISM — one part of the surveillance program authorized by Section 702 of the FISA Amendments Act — was remarkable in that it was legislated in public. There are certainly parts of Section 702 that were not widely known, such as the details about the “upstream” collection from telecom switches, but even that got explained to us back in 2006 by Mark Klein. There are even details of how the PRISM collection worked — its reliance on network mapping, the full list of participants. There are details that were exposed, such as that the government was doing back door searches on content collected under it, but even those were logical guesses based on the public record of the legislative debates.

Which is why it is so remarkable that — as I noted here and here — House Judiciary Committee Chair Bob Goodlatte has scheduled a classified hearing to cover the program that has been the subject of open hearings going back to at least 2008.

The hearing is taking place as we speak with the following witnesses.

  • Mr. Robert S. Litt
    General Counsel
    Office of the Director of National Intelligence
  • Mr. Jon Darby
    Deputy Director for Analysis and Production, Signals Intelligence Directorate
    National Security Agency
  • Mr. Stuart J. Evans
    Deputy Assistant Attorney General for Intelligence, National Security Division
    U.S. Department of Justice
  • Mr. Michael B. Steinbach
    Assistant Director for Counterterrorism
    Federal Bureau of Investigation

This suggests there is either something about the program we don’t already know, or that the government is asking for changes to the program that would extend beyond the basic concept of spying on foreigners in the US using US provider help.

I guess we’re stuck wildarseguessing what those big new secrets are, given the Intelligence Community’s newfound secrecy about this program.

Some observations about the witnesses. First, between Litt and Evans, these are the lawyers that would oversee the yearly certification applications to FISC. That suggests the government may, in fact, be asking for new authorities or new interpretations of authorities.

Darby would be in charge of the technical side of this program. Since the PRISM as it currently exists is so (technologically) simple, that suggests the new secrets may involve a new application of what the government will request from providers. This might be an expansion of upstream, possibly to bring it closer to XKeyscore deployment overseas, possibly to better exploit Tor. Remember, too, that under USA Freedom Act, Congress authorized the use of data collected improperly, provided that it adheres to the new minimization procedures imposed by the FISC. This was almost certainly another upstream collection, which means there’s likely to be some exotic new upstream application that has caused the government some problems of late.

Note that the sole FBI witness oversees counterterrorism, not cybersecurity. That’s interesting because it would support my suspicions that the government is achieving its cybersecurity collection via other means now. But also that any new programs may be under the counterterrorism function. Remember, the NatSec bosses, including Jim Comey, just went to Silicon Valley to ask for help applying algorithms to identify terrorism content. Remember, too, that such applications would have been useless to prevent the San Bernardino attack if they were focused on the public social media content. So it may be that NSA and FBI want to apply algorithms identifying radicalizers to private content.

Finally, and critically, remember the Apple debate. In a public court case, Apple and the FBI are fighting over whether Apple can be required to decrypt its customers’ smart device communications. The government has argued this is within the legal notion of “assistance to law enforcement.” Apple disagrees. I think it quite possible that the FBI would try to ask for decryption help to be included under the definition of “assistance” under Section 702. Significantly, these witnesses are generally those (including Bob Litt and FBI counterterrorism) who would champion such an interpretation.

Share this entry

Jim Sensenbrenner Flip-Flops Wildly on Value of Classified Hearings

/in /by

Jenna McLaughlin has a report on what I noted here — House Judiciary Committee Chair Bob Goodlatte has scheduled a classified hearing to talk about Section 702 of the FISA Amendments Act on February 2. In it, she includes this unbelievable quote from Jim Sensenbrenner.

“Closed briefings are necessary for members of Congress to ask questions about classified information,” said Judiciary Committee member Jim Sensenbrenner, R-Wisc., in a statement to The Intercept. “However, I would support a subsequent open hearing on Section 702 of the Foreign Intelligence Surveillance Act because transparency and public discussion are critical to the reform and reauthorization of Section 702.”

It’s unbelievable because, after Sensenbrenner made some horseshit claims of ignorance immediately after Edward Snowden revealed the phone dragnet that had been authorized by legislation Sensenbrenner had authored, people started asking why he hadn’t gone to the classified hearings, at which DOJ briefed members about the dragnet (and FBI later lied about the abuses carried out in executing that dragnet).

Sensenbrenner’s spokesperson explained back in 2013 that he didn’t go to those classified hearing because he didn’t want to be restrained by confidentiality.

Asked whether his boss had attended any of those sessions during that period, Sensenbrenner spokesperson Ben Miller said the congressman “does not want to be limited by the restraints of confidentiality. Therefore, he believes in an open dialogue by which legislative solutions can be constructed and passed into law before the public.” Miller said Sensenbrenner had “attended confidential briefings in the past,” but didn’t say how many, which ones, or whether any dealt directly with the “sensitive” application of section 215.

[snip]

“While some members of Congress were briefed, particularly those on the intelligence committees, most, including myself, were not,” Sensenbrenner wrote in a column for The Guardian newspaper. Sensenbrenner did not disclose, as his spokesperson did for this story, that he chooses not to attend the briefings.

So back in 2013, when Sensenbrenner was disclaiming any responsibility for a dragnet, he didn’t to be restrained by what he gets told in a classified hearing.

But now, at a time when Congress might consider stopping FBI from doing its uncounted back door searches of people it has no evidence against, Sensenbrenner says “closed briefings are necessary.”

Given what 2013 Sensenbrenner said about the importance of conducting these discussions in the light of day, and given that Section 702 has always been debated in public, I would suggest Sensenbrenner’s support for closed hearings now suggests the fix is in.

One wonders what squeals of outrage Sensenbrenner will make in 2023 after new abuses of Section 702 get disclosed?

 

Share this entry

Silencing Whistleblowers, 12 Years Later

/4 Comments/in , /by

As reported by Zoe Tillman, Thomas Tamm, the first whistleblower to go to Eric Lichtblau with reports of Stellar Wind, is being investigated for ethical violations by the DC Bar. The complaint alleges he failed to report that people within DOJ were violating their legal obligations to superiors, up to and including the Attorney General, and that he took confidences of his client (which the complaint defines as DOJ) to the press.

The question, of course, is why the Bar is pursuing this now, years after Tamm’s actions became public. Tillman describes the complaint as having had some kind of virgin birth, from Bar members reading the news accounts rather than someone complaining.

D.C. Disciplinary Counsel Wallace Shipp Jr. declined to comment on the charges against Tamm. The ethics case was opened in 2009, but the charges weren’t filed until late December. The disciplinary counsel’s office has working in recent years to clear a backlog of old cases.

Shipp said the disciplinary counsel’s office launched the investigation after reading about Tamm’s case in news reports. It was opened under the office’s name, which generally means there is no outside complainant.

That’s a funny explanation, given that the complaint doesn’t reference the press reports, most notably Michael Isikoff’s 2008 report on Tamm’s whistleblowing, which describes Tamm going to two of his superiors (though not, admittedly, all the way to Attorney General Ashcroft).

It’s unclear to what extent Tamm’s office was aware of the origins of some of the information it was getting. But Tamm was puzzled by the unusual procedures—which sidestepped the normal FISA process—for requesting wiretaps on cases that involved program intelligence. He began pushing his supervisors to explain what was going on. Tamm says he found the whole thing especially curious since there was nothing in the special “program” wiretap requests that seemed any different from all the others. They looked and read the same. It seemed to Tamm there was a reason for this: the intelligence that came from the program was being disguised. He didn’t understand why. But whenever Tamm would ask questions about this within OIPR, “nobody wanted to talk about it.”

At one point, Tamm says, he approached Lisa Farabee, a senior counsel in OIPR who reviewed his work, and asked her directly, “Do you know what the program is?” According to Tamm, she replied: “Don’t even go there,” and then added, “I assume what they are doing is illegal.” Tamm says his immediate thought was, “I’m a law-enforcement officer and I’m participating in something that is illegal?” A few weeks later Tamm bumped into Mark Bradley, the deputy OIPR counsel, who told him the office had run into trouble with Colleen Kollar-Kotelly, the chief judge on the FISA court. Bradley seemed nervous, Tamm says. Kollar-Kotelly had raised objections to the special program wiretaps, and “the A.G.-only cases are being shut down,” Bradley told Tamm. He then added, “This may be [a time] the attorney general gets indicted,” according to Tamm. (Told of Tamm’s account, Justice spokesman Boyd said that Farabee and Bradley “have no comment for your story.”)

Compare that version with how the complaint describes Tamm doing precisely what the complaint says he failed to do.

Respondent learned that these applications involved special intelligence obtained from something referred to as “the program.” When he inquired about “the program” of other members of the Office of Intelligence Policy and Review, he was told by his colleagues that it was probably illegal.

Isikoff describes Tamm going to two of his superiors, “a senior counsel in OIPR who reviewed his work,” and “the deputy OIPR counsel,” the former of one of whom is the one who told him “I assume what they are doing is illegal.” The complaint rewrites that story — what ostensibly is the source of the complaint — and turns these superiors into “colleagues.”

Mind you, according to this story, there is one superior within OIPR to whom Tamm didn’t go: Counsel James Baker. He was the guy who was laundering applications to the FISC in ways Colleen Kollar-Kotelly found unacceptable.

Baker, of course, is currently the General Counsel of FBI, someone who reviews a slew of applications for larger programs, including those that go to FISC.

So 12 years after Tamm leaked DOJ’s secrets to the NYT, he is being investigated by the Bar because he didn’t go to the right superiors with his complaints, one of who just happens to be the FBI General Counsel.

Share this entry

After Lying in a Closed Surveillance Briefing in 2011, Intelligence Community Plans Another Closed Briefing

/6 Comments/in /by

On May 18, 2011, 48 members of the House (mostly Republicans, but also including MI’s Hansen Clarke) attended a closed briefing given by FBI Director Robert Mueller and General Counsel Valerie Caproni on the USA PATRIOT Act authorities up for reauthorization. The hearing would serve as the sole opportunity for newly elected members to learn about the phone and Internet dragnets conducted under the PATRIOT Act, given Mike Rogers’ decision not to distribute the letter provided by DOJ to inform members on the secret dragnets they were about to reauthorize.

During the hearing, someone asked,

Russ Feingold said that Section 215 authorities have been abused. How does the FBI respond to that accusation?

One of the briefers — the summary released under FOIA does not say who — responded,

To the FBI’s knowledge, those authorities have not been abused.

As a reminder, hearing witness Robert Mueller had to write and sign a declaration for the FISC two years earlier to justify resuming full authorization for the phone dragnet because, as Judge Reggie Walton had discovered, the NSA had conducted “daily violations of the minimization procedures” for over two years. “The minimization procedures proposed by the government in each successive application and approved and adopted as binding by the orders of the FISC have been so frequently and systemically violated that it can fairly be said that this critical element of the overall BR regime has never functioned effectively,” Walton wrote in March 2009.

Now, I can imagine that whichever FBI witness claimed the FBI didn’t know about any “abuses” rationalized the answer to him or herself using the same claim the government has repeatedly made — that these were not willful abuses. But Walton stated then — and more evidence released since has made clear he was right since — that the government simply chose to subject the vast amount of US person data collected under the PATRIOT Act to EO 12333 standards, not more stringent PATRIOT Act ones. That is, the NSA, operating under FBI authorizations, made a willful choice to ignore the minimization procedures imposed by the 2006 reauthorization of the Act.

Whoever answered that question in 2011 lied, and lied all the more egregiously given that the questioner had no way of phrasing it to get an honest answer about violations of minimization procedures.

Which is why the House Judiciary Committee should pointedly refuse to permit the Intelligence Committee to conduct another such closed briefing, as they plan to do on Section 702 on February 2. Holding a hearing in secret permits the IC to lie to Congress, not to mention disinform some members in a venue where their colleagues can not correct the record (as Feingold might have done in 2011 had he learned what the FBI witnesses said in that briefing).

I mean, maybe HJC Chair Bob Goodlatte wants to be lied to? Otherwise, there’s no sound explanation for scheduling this entire hearing in closed session.

 

Share this entry

The FBI’s Two Weeks of Peddling Kiddie Porn and Section 702

/2 Comments/in /by

As you may have heard, from February 20 to March 4, 2015, the FBI was operating the world’s largest kiddie porn site, during which point it hacked the site and thereby IDed the IP address of up to 1,500 users, both in the US and abroad.

Ars reported on the first known bust here and Motherboard’s Joseph Cox was one of the first to report on the scope of this enforcement action.

A new bulletin board site on the dark web was launched in August 2014, on which users could sign up and then upload whatever images they wanted. According to court documents, the site’s primary purpose was “the advertisement and distribution of child pornography.” Documents in another case would later confirm that the site was called “Playpen.”

Just a month after launch, Playpen had nearly 60,000 member accounts. By the following year, this number had ballooned to almost 215,000, with over 117,000 total posts, and an average of 11,000 unique visitors each week. Many of those posts, according to FBI testimony, contained some of the most extreme child abuse imagery one could imagine, and others included advice on how sexual abusers could avoid detection online.

An FBI complaint described the site as “the largest remaining known child pornography hidden service in the world.”

A month before this peak, in February 2015, the computer server running Playpen was seized by law enforcement from a web host in Lenoir, North Carolina, according to a complaint filed against Peter Ferrell, one of the accused in New York. (Data hosts in Lenoir contacted by Motherboard declined to comment. One of them, CentriLogic, wrote “We have no comment on the matter referenced by you. Our obligations to customers and law enforcement preclude us from responding to your inquiry.”)

But after Playpen was seized, it wasn’t immediately closed down, unlike previous dark web sites that have been shuttered by law enforcement. Instead, the FBI ran Playpen from its own servers in Newington, Virginia, from February 20 to March 4, reads a complaint filed against a defendant in Utah. During this time, the FBI deployed what is known as a network investigative technique (NIT), the agency’s term for a hacking tool.

The other day, the judge in one of these cases, Robert Bryan, ruled that he wasn’t all that bugged by FBI running the world’s largest kiddie porn site for almost two weeks. The NYT has posted a “room for debate” op-ed weighing whether it is ethical for the FBI to run a kiddie porn site.

I’ve got an entirely different question, though one that may affect the ethics of the question. Why did the government have to take over the site itself in the first place? Why couldn’t it have hacked the site while it was still being hosted by a web host in Lenoir, NC?

Which has me wondering whether the FBI’s operation of the world’s largest porn site was an effort to hide the earlier parts of this investigation, and the authorities it used.

The evidence against the men in the cases I’ve reviewed consists of three things: the IP addressed identified in the period when the FBI operated the site, sometimes physical evidence from a search of their home, and log files and other activity information going back to the period when the website was first set up, in August 2014.

While some of those log files might have been available when the FBI took the site over, it may not have been. Still, the FBI could have gotten those files with a subpoena from the earlier period, once they identified where the site was hosted.

Still, I’m struck by the timing of the sites existence, starting in August 2014, with FBI taking it over in February 2015.

That happens to coincide interestingly with two interesting dates in the life of Section 702. On August 24, 2014, Thomas Hogan approved an expansion of Section 702 minimization procedures to permit the sharing of Section 702 obtained information with the National Center for Missing and Exploited Children.

Hogan approved a change to the FBI minimization procedures that permitted dissemination of 702-collected information to the National Center for Missing and Exploited Children if it is “evidence of a crime related to child exploitation material, including child pornography,” or for the purpose of obtaining technical assistance (the NCMEC keeps databases of images of child porn to track when new images are released).

And on February 4, 2015, Bob Litt revealed in a speech the list of crimes for which the government could use Section 702 derived information to prosecute (and he did so, seemingly, to correct comments he had made the day before that such a list had not been approved).

[T]he government will use information acquired under Section 702 as evidence in a criminal case only in cases related to national security or for certain other enumerated serious crimes, and only when the Attorney General approves. And in that respect I just want to note that this morning’s press reports that the Director of National Intelligence’s General Counsel told reporters yesterday that we hadn’t devised the list of crimes yet. The General Counsel for the Director of National Intelligence forgot that in fact we had. And so today I want to say that in fact the list of crimes other than national security crimes for which we can use Section 702 information about U.S. persons is crimes involving death, kidnapping, substantial bodily harm, conduct that is a specified offense against a minor as defined in a particular statute, incapacitation or destruction of critical infrastructure, cyber security, transnational crimes, or human trafficking.

Kiddie porn was, unsurprisingly, in that list.

Mind you, none of the defendants in this case have gotten any notice that Section 702 was used against them. But there are many conceivable ways it might have been, particularly given that, because it operated on Tor, would not have been identifiable, at first, as a US person site (and in any case, could have been “targeted” at other users on the site).

So the coincidence on the timing — with the minimization procedures changed just as the site opened up in 2014, and the authorization to use for prosecution of US persons made public just before FBI took over the site — does raise questions for me. One of which is this: did the FBI take over the server, rather than deploy the hack on it while it was running in North Carolina, to ensure that these 1,500 users wouldn’t get FISA notices?

Share this entry

FBI’s Open NSL Requests

/in , /by

DOJ’s Inspector General just released a report of all the recommendations it made prior to September 15, 2015 that are not yet closed. As it explained in the release, the IG compiled the report in response to a congressional request, but they’ve posted (and will continue to post, every 6 months) the report for our benefit as well.

Specifically, we have posted a report listing all recommendations from OIG audits, evaluations, and reviews that we had not closed as of September 30, 2015.  As you will see, most of the recommendations show a status of “resolved,” which indicates that the Department of Justice has agreed with our recommendation, but we have not yet concluded that they have fully implemented it.

As that release made clear, most of the recommendations that have not yet been closed are not open, but resolved, which means DOJ has agreed with the IG’s recommendation but has not fully implemented a fix for that recommendation.

Which leaves the “open” recommendations, which might include recommendations DOJ hasn’t agreed to address or hasn’t told the IG how they’ll address. There are 20 open recommendations in the report, most of which date to 2014. That’s largely because every single one of the 10 recommendations made in the 2014 report on National Security Letters remains open. Here are some of my posts on that report (one, two, three, four, five), but the recommendations pertain to not ingesting out-of-scope information, counting the NSL’s accurately, and maintaining paperwork so as to be able to track NSLs. [Update: as the update below notes, the FBI response to the released report claimed it was responding, in whole or in part, to all 10 recommendations, which means the “open” category here means that FBI has not had time to go back and certify that FBI has done what it said.]

Three of the other still-open recommendations pertain to hiring; they pertain to nepotism, applicants for the civil rights division wanting to enforce civil rights laws (!), and the use of political tests for positions hiring career attorneys (this was the Monica Goodling report). Another still open recommendation suggests DOJ should document why US Attorneys book hotels that are outside cost limits (this pertains, ironically, to Chris Christie’s travel while US Attorney).

The remaining 2 recommendations, both of which date to 2010, are of particular interest.

1/19/2010: A Review of the Federal Bureau of Investigation’s Use of Exigent Letters and Other Informal Requests for Telephone Records

The OIG recommends that the FBI should issue guidance specifically directing FBI personnel that they may not use the practices known as hot number [classified and redacted] to obtain calling activity information from electronic communications service providers.

The first pertains to the IG Report on exigent letters. The report described (starting on PDF 94) how FBI contracted with two providers for “hot number” services that would let them alert the FBI when certain numbers were being used. FBI first contracted for the service with MCI or Verizon, not AT&T (as happened with most tech novelties in this program). The newly released version of the report make it clear that redactions are redacted for b1 (classification), b4 (trade secrets), b7A (enforcement proceedings), and b7E (law enforcement technique). At one point, then General Counsel now lifetime appointed judge Valerie Caproni said the practice did not require Pen Registers.

I find this practice — and FBI’s longstanding unwillingness to forswear it — interesting for two reasons. First, most references to the practice follow “hot number” by a short redaction.

Screen Shot 2016-01-21 at 2.02.30 PM

That suggests “hot number” may just be a partial name. Given that this section makes it clear this was often used with fugitives — just as Stingrays are often most often used — I wonder whether this involved “number” and “site.” That’s especially true since Company C (again, MCI or Verizon) also tracked whether calls were being made from a particular area code or [redacted], suggesting some location tracking function.

I’m also interested in this because “hot numbers” tracks the unauthorized “alert” function the NSA was using with the phone dragnet up until 2009. As you recall, NSA analysts would get an alert if any of thousands of phone numbers got used in a given day, none of which it counted as a contact-chaining session.

In other words, this practice might be related to one or both of these things. And 6 years later, the FBI doesn’t want to forswear the practice.

9/20/2010, A Review of the FBI’s Investigations of Certain Domestic Advocacy Groups

The OIG recommends that the FBI seek to ensure that it is able to identify and document the source of facts provided to Congress through testimony and correspondence, and to the public.

This report (see one of my posts on it) reviewed why the FBI had investigated a bunch of peace and other advocacy groups as international terrorist groups dating back to 2004. ACLU had FOIAed some documents on investigations into Pittsburgh’s peace community. In response, Patrick Leahy started asking for answers, which led to obvious obfuscation from the FBI. And as I noted, even the normally respectable Glenn Fine produced a report that was obviously scoped not to find what it was looking for.

Nevertheless, a key part of the report pertained to FBI’s inability (or unwillingess) to respond to Leahy’s inquiries about what had started this investigation or to explain where the sources of information for their responses came from. (See PDF 56) The FBI, to this day, has apparently refused to agree to commit to be able to document where the information it responds to Congress comes from.

I will have more to say on this now, but I believe this is tantamount to retaining the ability to parallel construct answers for Congress. I’m quite confident that’s what happened here, and it seems that FBI has spent 6 years refusing to give up the ability to do that.

Update:

I didn’t read it when I originally reported in the NSL IG report, but it, like most IG reports, has a response from FBI, which in this case is quite detailed. The FBI claims that it had fulfilled most recommendations well before the report was released.

The response to the open exigent letter recommendation is at PDF 224. It’s not very compelling; it only promised to consider issuing a statement to say “hot number [redacted]” was prohibited.

The response to the 2014 report recommendations start on PDF 226. Of those, the FBI didn’t say they agreed with one part of one recommendations:

  • That the NSL subsystem generate reminders if an agent hasn’t verified return data for manual NSLs (which are sensitive)

In addition, with respect to the data requested with NSLs, FBI has taken out expansive language from manual models for NSLs (this includes an attachment the other discussion of which is redacted), but had not yet from the automated system.

Share this entry