The Snowden Reader
Independent Reviews of the Meaning of Section 215
Two independent reviews sanctioned by the U.S. government of the NSA’s activities prompted by the Snowden disclosures concluded that the NSA lacked the authority to act as it did under Section 215. The Privacy and Civil Liberties Oversight Board (PCLOB), originally established by Congress in 2007 to exercise independent oversight of intelligence and homeland security activities, found “the government’s interpretation of the word ‘relevant’ in Section 215 to be unsupported by legal precedent and a subversion of the statute’s manifest intent.”6
But the PCLOB went further and identified four reasons for its conclusion that “Section 215 does not provide an adequate legal basis to support the program”:
First, the telephone records acquired under the program have no connection to any specific FBI investigation at the time of their collection. Second, because the records are collected in bulk—potentially encompassing all telephone calling records across the nation—they cannot be regarded as “relevant” to any FBI investigation as required by the statute without redefining the word relevant in a manner that is circular, unlimited in scope, and out of step with the case law from analogous legal contexts involving the production of records. Third, the program operates by putting telephone companies under an obligation to furnish new calling records on a daily basis as they are generated (instead of turning over records already in their possession)—an approach lacking foundation in the statute and one that is inconsistent with FISA as a whole. Fourth, the statute permits only the FBI to obtain items for use in its investigations; it does not authorize the NSA to collect anything.7
In addition, the PCLOB concluded that the metadata surveillance program violates the Electronic Communications Privacy Act: “That statute prohibits telephone companies from sharing customer records with the government except in response to specific enumerated circumstances, which do not include Section 215 orders.”
The other review was conducted by the President’s Review Group on Intelligence and Communications Technologies (Review Group), made up of legal and security professionals appointed by the president to examine surveillance activities and oversight in the wake of Snowden’s leaks. The Review Group took an equally negative view of the NSA’s use of Section 215:
In our view, the current storage by the government of bulk meta-data creates potential risks to public trust, personal privacy, and civil liberty. We recognize that the government might need access to such meta-data, which should be held instead either by private providers or by a private third party. This approach would allow the government access to the relevant information when such access is justified, and thus protect national security without unnecessarily threatening privacy and liberty.8
The Review Group endorsed “a broad principle for the future: as a general rule and without senior policy review, the government should not be permitted to collect and store mass, undigested, non-public personal information about US persons for the purpose of enabling future queries and data-mining for foreign intelligence purposes.” And the Review Group recommended “important restrictions on the ability of the Foreign Intelligence Surveillance Court (FISC) to compel third parties (such as telephone service providers) to disclose private information to the government.”
The Candor of Government Officials
The documents disclosed by Snowden provide convincing and disturbing evidence that senior intelligence officials have not been honest with the public or with Congress. It is important to be clear here: Most of what happens with national security and intelligence is classified, and we are not told about it. While reasonable people might disagree about how much information should be classified, a great deal necessarily will be, and I believe this is reasonable and appropriate.
Respect for necessary secrecy, however, never justifies lying to the public or to Congress. Intelligence officials may say “no comment” or decline to answer difficult questions, but when they do speak, and especially when they speak under oath, they should tell the truth.
Snowden’s leaks cast serious doubt on the accuracy of numerous statements by senior intelligence officials. For example, James Clapper, director of national intelligence, testified before Congress in March 2013 that the NSA was not collecting data on U.S. persons, when in fact it was collecting data on billions of U.S. person calls every day.9 After the Snowden disclosures began, he tried to explain away the statement by saying it was the “least most untruthful” response possible,10 as if there is a meaningful difference between untrue statements and least untrue statements. Both the false statement and the explanation by the nation’s senior intelligence official were embarrassing.
General Keith Alexander, NSA director, testified before Congress in March 2012 for the explicit purpose of denying a Wired story claiming that the NSA was conducting surveillance on U.S. persons. He made the definitive statement, “We’re not authorized to do it [collect data on U.S. citizens], nor do we do it.”11 It turns out only the first part of his statement was true. In July 2012, General Alexander told an American Enterprise Institute audience that the NSA does not “hold data on U.S. citizens,”12 when, in fact, it did at the time and was collecting more every day. General Alexander spoke to the Reuters Cybersecurity Summit in May 2013 and said that “[t]he great irony is we’re the only ones not spying on the American people,”13 when we now know that the NSA has been conducting extensive surveillance involving data generated by U.S. citizens.
The occasional misstatement by government personnel is unavoidable, but a pattern of deceiving Congress and the public requires some official response. To date, however, the president has refused to prosecute, dismiss, or even reprimand any administration official for dishonest public statements.
The president could have sent a strong, and I think desirable, signal to the public, Congress, and our allies, which have been outraged by NSA surveillance of their leaders, had he said: “Dishonesty with the public and with Congress, which is constitutionally charged with oversight, is something this administration will not tolerate. You may not lie to Congress. You can say, ‘I cannot answer that question’ or ‘I can only answer it in a closed hearing,’ but you may not deceive or mislead Congress or the public.”
James Goodale, the attorney who represented the New York Times in the famed Pentagon Papers case, wrote that “[w]e expect the NSA to have a culture that lies to and deceives the enemy. But the American public is not the enemy.”14 He recommended that the president should “fire officials who lie.”
But that has not happened in the case of any senior official, nor in the case of NSA employees or Justice Department attorneys who the FISC found repeatedly misled the court.15 In one opinion, Judge Reggie B. Walton wrote that “[t]he government has compounded its noncompliance with the court’s orders by repeatedly submitting inaccurate descriptions of the alert list process” to the court.16 Yet the Justice Department declined even to investigate the misconduct, much less take action to punish it or create disincentives for similar conduct in the future.17
We have other examples resulting from Snowden’s disclosures that are equally troubling. For example, the FBI spent a fair amount of time in congressional testimony talking about the problem of the Internet going “dark”—what the FBI describes as “a potentially widening gap between our legal authority to intercept electronic communications pursuant to court order and our practical ability to actually intercept those communications.”18 It turns out that as a result of the NSA’s extraordinary access to digital communications, the Internet is not going dark for the government. We are left with two possibilities. First, the FBI officials who testified before Congress that this was a critical national security issue were not telling the truth. Second, the NSA had not told the FBI about the agency’s capabilities. Neither one is a very comfortable outcome—our national security officials are either not honest or are not cooperating with each other.
A final example concerns the U.S. negotiations with European allies. It now turns out that the NSA was spying on some of our closest allies, such as German chancellor Angela Merkel, but while doing so was apparently misrepresenting our surveillance capabilities and activities. In 2010, for example, European officials objected to the U.S. Treasury Department’s sweeping, secret subpoenas requiring U.S. financial institutions to hand over transactional data from the Brussels-based Society for Worldwide Interbank Financial Telecommunication (SWIFT). In response to these objections, the U.S. negotiated an agreement with the European Union providing for strict limits on American access to the SWIFT system. But disclosures by Snowden make clear that despite this agreement, the NSA was secretly collecting SWIFT data. Such disingenuousness has not done much to enhance our nation’s credibility with our allies and trading partners.
Hypocrisy on Cyber Espionage
A third problem falls under the term “hypocrisy.” Not only was the U.S. government misleading its allies, but it was also embarking on a foreign policy the Snowden revelations suggest is directly at odds with its own behavior. The first disclosure by Snowden, before we even knew his identity, occurred just before President Obama met with President Xi Jinping of China at a summit in California.
For months prior to the summit, the administration followed a carefully orchestrated plan making the case that China was the source of successful attacks on the Department of Defense (DOD) and other government agencies, major defense contractors, Google and other major technology companies, the International and U.S. Olympic Committees, the New York Times and other U.S. media, and human rights groups—a tactic The Economist described as “naming and shaming.”19 In May 2013, the DOD for the first time specifically named the Chinese government and military as the source of significant cyber attacks against the United States.20 On May 7, 2013, the New York Times, typical of many U.S. newspapers, editorialized about “China and Cyberwar,” arguing that “there seems little doubt that China’s computer hackers are engaged in an aggressive and increasingly threatening campaign of cyber espionage directed at a range of government and private systems in the United States.”21 All this effort was leading up to the first summit between President Xi and President Obama during the first week of June 2013, at which it was widely anticipated that the United States would air its long-standing grievances against Chinese surveillance and hacking activities.
Ultimately, Snowden’s early June 2013 leaks about the U.S. government’s own cyber attacks and online surveillance activities dampened the vigor with which the U.S. president pressed the topic.22 Ironically, the Chinese delegation refused to stay at the Sunnylands estate where the summit was held, reportedly out of fear that the U.S. government would spy on them.
The leaks that began immediately prior to the U.S.-China summit revealed U.S. surveillance activities around the world (including within the United States). They also exposed cyber exploits by the NSA designed to facilitate surveillance, launch cyber attacks, and interfere with online transactions. According to documents provided by Snowden and widely reported in the press, the United States has been attacking “hundreds” of targets in Hong Kong and mainland China as part of the U.S. government’s cyber attacks on sixty-one thousand targets worldwide.23 Those attacks include incursions into Chinese telecommunications companies, the owner of China’s most extensive fiber-optic submarine cable network, and Beijing University.24 One prominent target, according to documents reviewed by the New York Times, was Chinese telecommunications giant Huawei. The NSA installed back doors into networks operated by Huawei, which reportedly serve a third of the world’s population, not merely to collect information from the Chinese, but to surveil users in other countries that used Huawei’s networks and to conduct offensive cyber operations.25
“Load stations” operated by U.S. intelligence agencies around the world—including at least two in China26—allowed those agencies to interdict computers and related accessories, load malware or hardware components on to them, and then arrange for the delivery of the now-compromised equipment to their intended recipients.27 In addition, the NSA’s Tailored Access Operations (TAO) group used “covert implants”—“sophisticated malware transmitted from far away, in computers, routers and firewalls on tens of thousands of machines every year,” with plans to expand exponentially.28 According to officials interviewed by BusinessWeek, TAO implants access two petabytes of data an hour, the equivalent of “hundreds of millions of pages of text.”29
The scope of the attacks is so vast that they are managed by an automated system—codenamed “TURBINE”—intended, according to leaked NSA documents, to provide “intelligent command and control capability” for “industrial-scale exploitation” by the NSA.30 The NSA documents tout TURBINE as a tool for increasing the agency’s ability to gather intelligence and disrupt, damage, or destroy systems through “potentially millions of implants.” The documents detail the agency’s ability to use the implants covertly to
• “take over a targeted computer’s microphone and record conversations taking place near the device”;
• “take over a computer’s webcam and snap photographs”;
• “record[] logs of Internet browsing histories and collect[] login details and passwords used to access websites and email accounts”;
• “log keystrokes”; and
• “exfiltrate[] data from removable flash drives that connect to an infected computer.”
Leaked NSA documents also describe the NSA infecting computers with malware to infiltrate data through “man-in-the-middle” attacks in which NSA servers impersonated real websites.
Even machines never connected to the Internet can be compromised, according to Snowden’s revelations, thanks to miniature technologies U.S. intelligence agencies install on target computers that transmit information by radio to nearby briefcase-sized relay stations. Targets include not only traditional computers, but also mobile phones and large network servers, including those made by the Chinese. Among frequent targets of the NSA’s sophisticated attacks reportedly is the Chinese army, which the United States accuses of launching cyber attacks against the U.S. government and the American private sector.31
U.S. officials have tried to argue that the United States only conducts cyber operations against governments to collect military and other government information, while the Chinese are hacking businesses for trade secrets and commercial information. But this argument has proved a tough sell. Revelations about U.S. cyber operations against Huawei and other networks in China and elsewhere, as well as leaked information about U.S. efforts to obtain information on Indonesian trade negotiations and Brazil’s largest energy company, Petrobras, cast doubt on U.S. claims. As Jack Goldsmith, former assistant attorney general and special counsel to the DOD during the George W. Bush administration, noted, “the Huawei revelations are devastating rebuttals to hypocritical U.S. complaints about Chinese penetration of U.S. networks, and also make USG [U.S. government] protestations about not stealing intellectual property to help U.S. firms’ competitiveness seem like the self-serving hairsplitting that it is.”32
Chinese officials and those from other nations do not see the clear divide that the United States is trying to articulate between espionage for national security and industrial espionage. Peter Singer of the Brookings Institution observed that “to the Chinese, gaining economic advantage is part of national security.”33 Moreover, the U.S. campaign against Huawei—prohibiting the company from operating in the United States, pressing U.S. companies not to purchase Huawei equipment, and lobbying other countries to exclude the company from their markets—has clear competitive and economic effects, whether or not it is motivated by national security concerns.34
There is also the question of whether the distinction between traditional espionage and economic espionage matters, especially in international law. “Economic espionage is expressly prohibited by U.S. domestic law, but is not prohibited by international law, written or unwritten, and it is widely practiced,” Goldsmith argues.35 U.S. complaints about China engaging in the wrong type of espionage “amount to the claim that the Chinese are not playing by the rules that suit the USG [U.S. government].”36
Whatever the merits of the U.S. arguments, the unavoidable reality is that in the wake of months of Snowden revelations about U.S. surveillance and cyber operations, those arguments did not fare well. When President Obama raised the topic of hacking at the June 2013 summit, President Xi reportedly cited the Guardian’s first report on Snowden’s revelations as “proof that America should not be lecturing Beijing about abusive surveillance.”37 After the revelations about U.S. intrusions into Huawei’s networks, William Plummer, a senior Huawei executive, observed that “the irony is that exactly what they are doing to us is what they have always charged that the Chinese are doing through us.”38
Irrespective of distinctions about targeting government versus corporation information, and even of the accuracy of Chinese denials of involvement in cyber espionage, revelations about NSA activities have compromised the credibility and the effectiveness of U.S. claims about Chinese hacking, even as those attacks are reportedly increasing.39 “Snowden changed the argument from one of ‘The Chinese are doing this, it’s intolerable’ to ‘Look, the U.S. government spies, so everybody spies,’” according to Richard Bejtlich, former chief security officer at Mandiant, a private cybersecurity firm.40 Jason Healey, director of the Cyber Statecraft Initiative at the Atlantic Council, observed that “no one cares anymore about our whining about Chinese espionage. The time we had for making the case on that is long gone. Internationally, I don’t see how we recover.”41