Author Archive | Stewart Baker

I’m going to try live blogging the President’s remarks today on NSA.  I’ve never done this before, so don’t be surprised if the whole thing comes crashing down in the middle.

11:15:  The President gives us a few history lessons and a tour of intelligence policies of the last quarter century.

11:19 The President summarizes the impact of 9/11 and the success of the intelligence community in hunting terrorists.  The changes in our intelligence programs has been successful, but the risk of abuse grew too.

11:21 The President trashes the past excesses of the previous administration.

11:24 America’s capabilities are unique, President claims.  This is not correct.  Lots of governments use big data for intelligence collection.

11:25 President appeals to the left, claiming to have stopped abuses and instituted new restraints, then to the right, by saying that the government, including NSA, has not abused its power and has consistently followed protocols to protect privacy.

11:27  “Now that I’m done with drones, it’s time to reform our intelligence community too” Unfortunately, President suggests, Snowden and his sensationalizing leaks have distorted the debate.

11:30 The basic approach guided by this principle: “We must retain the trust of the American people and people around the world.”

11:32 Basic observations:  We do have real enemies and we need intelligence to protect the American people.  We can’t unilaterally disarm.  We’re targeted even by some of the nations that “feigned surprise” and international critics also recognize our special responsibilities.   Second, inteligence community understands the risk of abuse.  Third, we can’t rely on just the good intentions of government officials.

So far, this is a pretty good lecture, in the Obama style of rejecting straw men and seeking a middle ground at a high level of abstraction.

11:36 The reforms:

A presidential directive setting policy for [...]

Will Baude’s post on commandeering  prompts me to revisit the doctrine after a twenty-year absence.  I have fond memories of the doctrine, because it can be traced directly to an amicus brief that I wrote for the Council of State Governments in New York v. United States, 505 U.S. 144 (1992).

The original understanding of the founders was not a principal focus of the amicus brief or of the decision in New York v. United States itself — probably because the entire brief was written on a budget of $10 thousand, and I couldn’t afford an associate to check citations, let alone slog through all the ratification debates.  (The doctrine’s origin in an obscure amicus brief may also explain why lawyers speak of the Printz doctrine rather than the New York v. United States doctrine.  Although it came five years later than New York v. United States,  Printz was the Solicitor General’s first opportunity for a full-scale counterattack, which in turn forced the Court to develop more clearly the rationale for its earlier holding.)

New York v. United States was based not so much on an original understanding as on a practical political concern — that federal commandeering makes it less clear which level of government is responsible for a particular policy — and thus which officeholders should be voted out in the next election.  That governance rationale is independent of the ratification debates; indeed, in an odd way it seems to me that the article Will Baude cites may actually bolster the original rationale for New York v. United States.  Because, as the article makes clear, the Anti-Federalists wanted the federal government to rely on state enforcement in order to weaken federal authority.  That is, they hoped that  state authorities could use their enforcement power to [...]

The Committee on Foreign Investment in the United States, or CFIUS, reviews foreign investments for national security risks.  It is now beyond doubt that Chinese investment is getting much closer scrutiny from CFIUS.  A total of ten transactions failed to survive review in 2012, according to a just-released Treasury report.

That may not sound like a lot, but in 2011, only two deals failed to make it through the process.  At the time, two was a lot of deals to kill in a year, since CFIUS has sometimes gone a decade or more without deep-sixing any.  When in government, I had a reputation as a CFIUS security hawk, but I doubt I ever recommended killing more than two deals in a year.

This crowd is tough. [...]

Matt Blaze, a well-known public cryptographer and NSA critic (but I repeat myself), offered what seemed like a modest concession in the relentless campaign against NSA intelligence gathering:

The NSA’s tools are very sharp indeed, even in the presence of communications networks that are well hardened against eavesdropping. How can this be good news? It isn’t if you’re a target, to be sure. But it means that there is no good reason to give in to demands that we weaken cryptography, put backdoors in communications networks, or otherwise make the infrastructure we depend on be more “wiretap friendly”. The NSA will still be able to do its job, and the sun need not set on targeted intelligence gathering.

Don’t get me wrong, as a security specialist, the NSA’s Tailored Access Operations (TAO) scare the daylights of me. I would never want these capabilities used against me or any other innocent person. But these tools, as frightening and abusable as they are, represent far less of a threat to our privacy and security than almost anything else we’ve learned recently about what the NSA has been doing.

TAO is retail rather than wholesale.

A day later he revealed just how modest this olive branch was, making clear that he wants to take away the NSA’s best hacking tools.  He told the Washington Post today that NSA should be required to surrender any undiscovered vulnerability it finds:

Among the weapons in the NSA’s arsenal are “zero day” exploits, tools that take advantage of previously unknown vulnerabilities in software and hardware to break into a computer system. The panel recommended that U.S. policy aim to block zero-day attacks by having the NSA and other government agencies alert companies to vulnerabilities in their hardware and software. That recommendation has drawn praise from security

Sen. Bernie Sanders (I-VT) has written a letter to NSA’s director, asking whether the agency has spied on members of Congress.  It sounds like he’s uncovered a scandal, until you read the fine print.  It turns out that Sen. Sanders is simply asking whether NSA collects the metadata for calls made by members of Congress, and every sentient American already knows that answer: NSA’s program collects metadata for all US calls.  So Sen. Sanders’s letter isn’t an inquiry, it’s a stunt.

The Guardian is an enthusiastic participant in the stunt, with Spencer Ackerman writing that NSA “did not deny collecting communications from legislators of the US Congress.” Well, duh.  Unfortunately, it looks as though Ted Cruz, who so far has avoided the worst fever swamps of NSA paranoia, also fell for the stunt, tweeting “@SenSanders asks ? millions of Americans would like answered: Are any law-abiding citizens safe from NSA spying?”

At the risk of being repetitive, Sen. Cruz, we’ve all known the answer for months.  NSA’s 215 program collects all domestic call metadata, and it protects all that data by requiring that any search of the data be based on a reasonable suspicion of terrorism.  All means all.  All Americans’ metadata is collected.  All Americans’ privacy is protected by the minimization requirements.  Sen. Sanders’s stunt adds precisely nothing to what we know about the program, or to the debate.

But as long as the press covers the stunt as though it were a story, I think we can predict the next batch of letters that Sen. Sanders will send to NSA:

• Is the agency “spying on” Sarah Palin?
• Is the agency “spying on” Hilary Clinton?
• Is the agency “spying on” the Rev. Billy Graham?
• Is the agency “spying on” Clint Eastwood?
• Is the agency “spying on” Oprah

The New Yorker has a remarkably thought-provoking article on what some call the “neurobiology” of plants.  That’s a deliberately edgy way of pointing out just how much communicating and sensing and adapting plants do, all without anything resembling a brain. Some samples:

Plants have evolved between fifteen and twenty distinct senses, including analogues of our five: smell and taste (they sense and respond to chemicals in the air or on their bodies); sight (they react differently to various wavelengths of light as well as to shadow); touch (a vine or a root “knows” when it encounters a solid object); and, it has been discovered, sound. In a recent experiment, Heidi Appel, a chemical ecologist at the University of Missouri, found that, when she played a recording of a caterpillar chomping a leaf for a plant that hadn’t been touched, the sound primed the plant’s genetic machinery to produce defense chemicals. Another experiment, done in Mancuso’s lab and not yet published, found that plant roots would seek out a buried pipe through which water was flowing even if the exterior of the pipe was dry, which suggested that plants somehow “hear” the sound of flowing water….

Mimosa pudica, also called the “sensitive plant,” is that rare plant species with a behavior so speedy and visible that animals can observe it; the … mimosa also collapses its leaves when the plant is dropped or jostled. Gagliano potted fifty-six mimosa plants and rigged a system to drop them from a height of fifteen centimetres every five seconds. Each “training session” involved sixty drops. She reported that some of the mimosas started to reopen their leaves after just four, five, or six drops, as if they had concluded that the stimulus could be safely ignored. “By the end, they were completely open,” Gagliano

As 2013 ended and 2014 began, privacy professionals took a moment to look back and choose the year’s most dubious achievements in privacy law.

The dubious achievement awards, also known as the Privies, were dominated by officials of the Obama Administration.

The awards are a light-hearted way of expressing skepticism about the effort to write evolving notions of privacy into law. Because concepts of what is private change rapidly while laws remain on the books for decades, unintended consequences are common. Outmoded privacy laws are often misused to protect the powerful or are invoked hypocritically to achieve other ends, and judicial applications of privacy statutes often make no sense to ordinary people, whose concepts of privacy have evolved faster than the law.

The winners of the 2014 Privies exemplify all of these flaws.

Health and Human Service Secretary Kathleen Sebelius was voted Privacy Hypocrite of the Year for imposing harsh penalties on private companies whose systems for handling personal health data had security weaknesses — the same kind of weaknesses that HHS ignored when it rolled out the deeply flawed healthcare.gov site. 

Agriculture Secretary Thomas Vilsack, meanwhile, won the prize for Worst Use of Privacy Law to Protect Power and Privilege. Vilsack’s Agriculture Department invoked privacy law to prevent the New York Times from checking the names and addresses of people who made questionable claims for federal funds in the “Pigford” scandal. Since media attention to fraud in the program would have cast doubt on the department’s stewardship of taxpayer funds, most voters thought the government was actually applying a common government understanding of privacy: “Privacy Law Protects You From Anything That Might Embarrass Me.”

Finally, in the one category where no executive branch candidates were nominated, the award for Dumbest Privacy Case of the Year went to U.S. District [...]

I’m shocked to discover that the august Ninth Circuit has been tampering with the balloting for the Privies, perhaps hoping to save its own Judge Bybee from winning the award for “Dumbest Privacy Case” of 2014.

The nomination was for a decision that exposed Google to liabilty for gathering wi-fi signals while driving by on the street.

As we noted in the nomination, “the law exempts the capturing of radio broadcasts and publicly accessible communications; there’s not much doubt that wi-fi uses radio waves and can be accessed by the public if it’s not secured.  But Judge Bybee of the Ninth Circuit wasn’t deterred by either of the barriers to holding Google liable.  He decided that radio communications are only those things we hear on the AM-FM dial.  As for being publicly accessible, he writes, why that’s ridiculous: if you listened to wi-fi signals on an AM radio, “they would sound indistinguishable from random noise.”

Now Judge Bybee seems ready to admit that he didn’t really think that whole “how would the signals sound on an AM radio/” thing through. Responding to the imminent threat of a Privy Award (and, okay, Google’s rehearing petition), the panel has modified the opinion to make it less, well, dumb. It has granted rehearing and dropped the entire discussion about what is and is not publicly accessible, leaving the definition of “publicly accessible” to be argued before the district court in the first instance. [...]

Voting for the 2014 Privy Awards for Dubious Achievement in Privacy Law will close at noon EST tomorrow, January 1, 2014.  You can read the nominations here, and cast your vote here.

There are still some tight races, whether in voting by the public or by privacy professionals.  But there are differences between the two groups.  The most interesting difference concerns the crucial vote for “Privacy Hypocrite of the Year.”  Among the public, the top two contenders are Rep. James Sensenbrenner, for deliberately skipping classified briefings and then complaining that he wasn’t told about NSA’s classified program, and Sec. Kathleen Sebelius, for launching healthcare.gov without any of the security features her Department has penalized private health companies for failing to implement.

But among privacy professionals, the race for top honors is between Secretary Sebelius and a little-known Brussels bureaucrat, European Commissioner (and Vice President) Viviane Reding, who is notorious for trying to regulate US intelligence activities while admitting that she has no authority to regulate European intelligence agencies.

The votes of privacy professionals are weighted more heavily precisely to give obscure but outrageous abusers of privacy law a fair shot at winning, so privacy professionals with strong views on whether Commissioner Reding deserves the prize need to weigh in now.

You have only 24 hours to make your vote count. [...]

Quick reactions to a couple of books I had a chance to read over the Christmas break.
I can  recommend Company Man by John Rizzo.  Rizzo was one of the first lawyers at the CIA, and he recounts a thirty year career there with grace and a remarkable absence of rancor, even though he was denied the ultimate promotion —  to General Counsel — after a highly politicized confirmation hearing.  (His offense was asking the Justice Department whether certain harsh interrogation techniques were legal, and not selling out the CIA officers who relied on Justice’s advice by disavowing it when he got to the hearing.)

Rizzo had a ringside seat at all the most dramatic political events involving the CIA from the 1970s to the Obama Administration.  He brings self-deprecating wit and a lot of human insight to his portrayal of these events and the CIA directors he helped guide through them. It’s available on January 5, 2014. (Disclosure: I got an early copy because John and I have been friends and colleagues for a long time. But in the interest of full disclosure, I have no incentive to overpraise his book, since I’m afraid it’s actually better than mine.)

In contrast, The Frackers by Gregory Zuckerman was a disappointment.  The book is getting praise from the right blogosphere because it tells the story of fracking straight, with only occasional flaming faucets and with considerable attention to the remarkable contribution that the frackers have made to the nation’s energy independence.  I tend to agree that that’s the right take on the industry, but as a read, the book is benefiting from conservative affirmative action. It’s long, dense, and full of characters whose stories are admirable but pretty much indistinguishable. Wait, which founder nearly went bankrupt and which one [...]

Voting for the 2014 Dubious Achievements in Privacy Law is almost done, and the race is heating up.  Who used privacy law most egregiously to serve power and privilege?  There are plenty of candidates, but the leaders this year are two:  On the one hand, the Chinese government, which adopted a privacy law and promptly brought criminal privacy charges against a Western investigator examining corporate misdeeds. And on the other, the Obama administration’s Agriculture Department, which cited privacy grounds in refusing to name any of the beneficiaries of the notoriously fraud-ridden “Pigford” settlement.

But if your favorite was a man who could afford both a naked five-hour, five-hooker sadomasochistic orgy and a litigation campaign to clear his name by proving that it was not a naked five-hour, five-hooker sadomasochistic orgy with a Nazi theme, well, Max Mosley isn’t quite out of the running yet.  With a surge of support, his privacy law campaign to force the Internet to forget  pictures of his naked five-hour etcetera still could qualify as the worst use of privacy law to protect the privileged.

If you’re sure you know which of the candidates is abusing privacy law most egregiously to serve the powerful, and you haven’t already voted, now is the time to review the candidates and then to cast your ballot. [...]

Usually it takes a couple of stories.  First foreign officials condemn reports that NSA has gathered intelligence on their government.  Then, later, they have to admit that, well, yes, they do sometimes spy on the United States.

But Israel has taken chutzpah to new heights — simultaneously demanding that the United States stop spying on Israel and that it release the guy caught spying on the United States for Israel:

Senior Israeli officials on Sunday demanded an end to U.S. spying on Israel, following revelations that the National Security Agency intercepted emails from the offices of the country’s top former leaders.

It was the first time that Israeli officials have expressed anger since details of U.S. spying on Israel began to trickle out in documents leaked by former NSA contractor Edward Snowden. The scandal also spurred renewed calls for the release of Jonathan Pollard, a former American intelligence analyst who has been imprisoned in the U.S. for nearly three decades for spying on behalf of Israel.

“This thing is not legitimate,” Israeli Intelligence Minister Yuval Steinitz told Israel Radio. He called for both countries to enter an agreement regarding espionage.

“It’s quite embarrassing between countries who are allies,” Tourism Minister Uzi Landau said. “It’s this moment more than any other moment that Jonathan Pollard (should) be released.”

Unfortunately, while voting for the 2014 Privacy Hypocrite of the Year is still open, it is too late for Israel to overcome the lead of nominees like Kathleen Sebelius, Jim Sensenbrenner, and Francois Hollande. [...]

As voting continues for the 2014 Privy Awards, here’s a peek at another closely watched matchup.  Which judge will win the coveted Privy for having written the dumbest privacy decision of the year? Just to make it interesting, the two judicial candidates are both from San Francisco, but Jay Bybee is a Republican appointee to the court of appeals while Lucy Koh is a Democratic appointee to the district court.

So, who is going to prevail in the race to the bottom for least persuasive privacy opinion of the year? Judging from the public vote so far, Judge Koh has a modest lead.  But she could easily be spared the ignominy of losing to Judge Bybee.  All she needs is the support of .0000001% of the 425 million Gmail subscribers she says were unfairly tricked into allowing Google to illegally wiretap their Gmail accounts for advertising purposes.

If you have a view but haven’t voted, balloting is still open.  Start here for a list of the candidates.  Go here to cast your vote.  And remember, the votes of privacy professionals will be weighted most heavily, so check to see if you qualify before you vote. [...]

Voting continues in the Privy Award for Privacy Hypocrite of the Year, which features a partisan matchup. One nominee is Republican James (“You Hid Information From Me By Disclosing It at Briefings I Refused to Attend”)Sensenbrener. Another is Kathleen (“Harsh Privacy Penalties for Thee, But Not For Me”) Sebelius.

Voting isn’t over, and the contest still could go either way (or one of the European candidates might prevail), but I know there’s interest in this matchup, so I’m leaking partial hints to inspire further participation.

The short answer is that, despite a strong campaign by Ben Wittes of Lawfare, Kathleen Sebelius currently leads Jim Sensenbrenner in the public voting.  There is lots of time left (voting won’t close until early January), and the privacy professional vote will count most.  But if your candidate is Jim Sensenbrenner and you haven’t voted, it’s time to get on the stick.  And if you like Secretary Sebelius for the honor, better do the same; her lead is not safe. [...]

The Associated Press recently ran a long story about Robert Levinson,  a former FBI agent who disappeared while in Iran.  Levinson later showed up in Internet photos suggesting he was a hostage.  The AP story made clear that the former agent had a long relationship with the CIA and was likely working on a CIA project when he went to Iran.

That means the AP story was a potential death sentence for Levinson.  How did AP decide whether to release such dangerous information?  Well, here’s what its executive editor said (emphasis added):

In the absence of any solid information about Levinson’s whereabouts, it has been impossible to judge whether publication would put him at risk. It is almost certain that his captors already know about the CIA connection but without knowing exactly who the captors are, it is difficult to know whether publication of Levinson’s CIA mission would make a difference to them. That does not mean there is no risk. But with no more leads to follow, we have concluded that the importance of the story justifies publication.

Short version: Unless someone proves this story will kill Levinson, it’s too good to sit on.

I’m often tough on the New York Times, but its handling of the same problem contrasts sharply with AP’s.  Here’s what it said [paywall] when the AP story seemed to have scooped the Gray Lady:

The New York Times has known about the former agent’s C.I.A. ties since late 2007, when a lawyer for the family gave a reporter access to Mr. Levinson’s files and emails. The Times withheld that information to avoid jeopardizing his safety or the efforts to free him.

I can’t help noting that the New York Times could also have been influenced by a relatively recent law [...]