During last week’s AusCERT conference I did a 50 minute talk that reflected on a 15 year career writing about information security. It was a repeat of the talk I did at BSides Canberra in March.
It covered thoughts on attribution, fake activist groups (Guardians of Peace, Cutting Sword of Justice etc), the possible motivations of high-impact leakers (Mark Felt, Chelsea Manning, Edward Snowden) and the need to create norms around acceptable state behaviour when it comes to computer network operations.
In the leakers section I got a detail wrong and I want to correct it. Hopefully I’ll convince you that in context of what I was talking about the error doesn’t actually change all that much.
That whole section of the talk was really written to put forward the case that leakers have complicated motives. Even when leaks are in the public interest, it doesn’t mean that the leakers’ motives are as pure as the driven snow.
I speculated that perhaps FBI deputy director Mark Felt, better known as Watergate source Deep Throat, might have been tactically leaking against people who stood in between him and the FBI directorship. He loathed both Nixon and FBI director L Patrick Gray (no relation) and only lasted another month at the bureau after Gray got the knife and was replaced by William Ruckelshaus.
So that’s a theory: His leaks brought down the people in his path, but in the end he didn’t get the top job, so he resigned. I wasn’t trying to prove Felt was motivated by self interest, just that it’s a plausible motivator.
I also spoke about Chelsea Manning. She was relentlessly bullied during her time in the army, frequently clashing with both her superiors and the rank and file. I have no doubt that Manning is indeed, as she claims, a pacifist. But I also have no doubt that the relentless bullying influenced her decision to leak. She was isolated and miserable, but found a friend in Wikileaks’ Julian Assange. I sincerely believe there was an element of rage underpinning those leaks. Some revenge. (And honestly? Fair enough. The military failed her, big time.)
Eventually I boil the whole thing down to these factors: Self interest, public interest, ego, rage and combinations of the four.
To explore ego as a possible motivator, I spoke about Edward Snowden. Snowden always strived for great things but didn’t quite make the grade. He wanted to be a special forces soldier, he failed. He wanted to be NSA TAO, he failed. But when he leaked massive amounts of NSA documents, he could invent himself as anything he wanted, and he has. But a bunch of his public statements about his experience at NSA seem pretty shaky, bordering on outright bullshit.
It’s been nearly four years since Snowden went public with his leaks. In the talk I said it feels to me like something is off about the guy. Details have filtered out through the grapevine, and they tend to clash with his public statements.
It’s clear, for example, that he massively overstated his seniority at NSA. And parts of his story just don’t line up. I’m not talking about the conspiracy theories that a foreign power put him up to it or he was some sort of spy – I think that’s really, really unlikely – it’s more that he mislead on things that are basically inconsequential, like his reason for washing out of his military training. He also failed to correct some really shitty reporting on his leaks.
We’re getting to the mistake, hang in there.
As an example of Snowden coming across as less than totally honest I cited his non-reaction to an article written for The Guardian about the so-called PRISM program in 2013. In that piece, Greenwald writes: “The Prism program allows the NSA, the world’s largest surveillance organisation, to obtain targeted communications without having to request them from the service providers and without having to obtain individual court orders.”
In my talk I described that as totally wrong, but it’s actually only mostly wrong.
There was no “direct access” and NSA did actually have to request this material from the service providers. That’s been established. The part I got wrong is NSA doesn’t actually have to obtain an individual court order for every selector tasked from a court. In my talk I said it did.
Selectors are created under FISC oversight, but the court’s job is to ensure the compliance of those selectors to the rules it established and maintains, not to green-light each selector.
Over the last few years I’ve chatted with people who are familiar with this program. For their part, the technology companies mentioned in the PRISM program stories were all baffled when the story broke, both publicly and privately. Greenwald made it seem that the NSA had unfettered access to their servers. Their response, in most cases, is that they would only hand over data to the authorities if there was a valid court order.
So, over the years I’ve asked some people who’d know to tell me about the process that NSA goes through to “task” collection on an individual using PRISM.
They said that in order to obtain information from a company like, say, Facebook, they’d have to start by preparing a “FISA package”. This means they’d have to put together a case that could show the proposed target isn’t a US citizen, is not in the USA, and that intercepting their data is likely to reveal something of importance to national security.
These packages are worked up – that process involves senior NSA staff – then the package is sent up the chain for authorisation. When authorisation is granted, it’s the FBI, not the NSA, that approaches the technology company and asks it to hand over the data.
And here’s where I made the mistake: The tech companies said they hand over data based on court orders. People familiar with the NSA side of this program described the authorisation process for each individual target. I mistook these two data points as meaning the FISA court was authorising each individual collection. They don’t.
The package is actually sent off to the Office of the Director of National Intelligence (ODNI) and Department of Justice (DoJ) for post-tasking review. You can read about that process here. That’s the detail I got wrong.
But the FISA court is involved. It oversees and mandates the process through which the validity of selectors is determined, and there was regular review of the rules around tasking. Everyone tells me these rules were strict and adhered to rigidly. That’s not to say mistakes aren’t made. In a post-Snowden review, NSA found 0.4% of PRISM tasking accidentally collected the information of people who were either located in the USA (not allowed) or US citizens (also not allowed).
I realised I got this detail wrong when fellow AusCERT attendee Troy Hunt posted a picture of my slide that referenced FISC authorisations for individual selectors. Just looking at that slide in isolation I had a funny feeling.
So I went back to my notes and some source documents and realised I’d made the mistake. I asked Troy to remove the Tweet, not because I’m trying to hide my mistake, but because I don’t want people to believe something that isn’t true. It was a typical case of a non-lawyer getting something law-related wrong.
That said, I don’t think it really changes my argument with regard to Snowden. Even though some people may see ODNI and DoJ selector authorisation as inferior to direct authorisation by a court, albeit a secret one, the fact remains that none of the reporting even acknowledged any oversight or even a process for tasking.
Take this Ed Snowden quote: “I, sitting at my desk, certainly had the authorities to wiretap anyone, from you or your accountant, to a federal judge or even the President, if I had a personal e-mail,” he told The Guardian.
No, Ed, you didn’t.
In the case of PRISM I’m pretty sure the NSA senior staff might object, given collection against US citizens is verboten under 702. If they didn’t then ODNI or DoJ might have some feelings about it. And if they let it through my guess is the FBI might actually think something was wrong if you were trying to task collection on the US president.
Even if he wasn’t talking specifically about the PRISM program in that instance, everyone I’ve ever known who spent any time at a five eyes SIGINT agency tells me the same thing – everyone’s searches are logged and audited no matter what the program. The compliance hurdles and internal rules are universally described as a pretty serious (but necessary) pain in the ass.
This next part is important: I’m not an expert in intelligence oversight, and I can’t say whether the NSA’s oversight is appropriate or not. But I can say that it’s just crazy to write up stories about these programs without even mentioning the tasking procedures, auditing and oversight. These stories have convinced people that individual NSA operators could simply spy on whoever they like, using direct access to the back-end servers of major Internet companies. It’s just not correct.
My argument is Snowden’s silence following the publication of some of these stories is a massive red flag when it comes to his credibility.
But because he painted himself as a truth-telling whistleblower, Snowden was able to convince some journalists and many among the public that he was the only source who could be trusted when it came to discussing these programs. Everything else, his supporters say, is disinformation.
Of course, there has been legitimate public interest in Snowden’s disclosures. The NSA had been doing some pretty shady shit, most notably the (since discontinued) 215 phone metadata collection program. But that doesn’t make Snowden himself a saint. He’s not. He is what I’d charitably describe as “properly weird”.
In telling that story, I did get a detail about oversight wrong. Sorry about that!