December 20, 2015 | Posted in Air Force, Author, Blog, Classified, Classified Information, Congress, Cyber attack, Department of Defense, E.O. 12333, FISA, Intelligence, Law Enforcement, Leaks, NSA, PPD-28, President Obama, Privacy, Snowden, U.S. Code Title 10, U.S. Code Title 50, Writing | By Tom Wither
I hope you’ve had a great summer and fall, and are enjoying the holiday season. I’d like to extend my thanks for being fans of my work, and wish you happy holidays and a bright new year.
I’ve been busy crafting my next novel, a project I’ve named ROGUE SENTINEL, and I will finish the manuscript shortly after the New Year. ROGUE SENTINEL will see Shane Mathews take on a solo mission to Jordan to find and capture an Islamic State mission planner known only as ‘Al-Amriki’ – The American.
Up next, I’ll be resuming work on SWIFT JUSTICE, the third and concluding novel of the ‘Aziz Trilogy’ that started with THE INHERITOR and AUTUMN FIRE, with main characters Shane Mathews and Emily Thompson.
During the year I’ve written a few Op-Eds on current issues that have been published in the Baltimore Sun and in The Hill’s Congress Blog. Here’s a list so you can look at them if you’re interested.
‘The NSA data collection program isn’t criminal; ending it is’ – http://www.baltimoresun.com/news/opinion/oped/bs-ed-nsa-data-20151203-story.html
‘Open Letter from a cyber terrorist’ – http://thehill.com/blogs/congress-blog/homeland-security/255370-open-letter-from-a-cyber-terrorist
‘Stand with our watchers’ – http://thehill.com/blogs/congress-blog/homeland-security/261237-stand-with-our-watchers
‘Access to encrypted communication, a balancing act’ – http://www.baltimoresun.com/news/opinion/oped/bs-ed-encryption-data-20151001-story.html
‘Clinton E-mails: Who else was involved?’ – http://www.baltimoresun.com/news/opinion/oped/bs-ed-clinton-emails-20150908-story.html
‘The country is vulnerable without CISPA’ – http://www.baltimoresun.com/news/opinion/oped/bs-ed-cispa-redux-20150209-story.html
Thanks again for being fans of my stories, and feel free make them presents for the fiction reader on your holiday list – they can be purchased from Amazon or Barnes & Nobel as e-books or hardcopies in trade paperback. You can even contact me via email@example.com for a signed copy if you like.
Take care and Happy Holidays!
As the new Congress comes into session in January, it will have many issues to address. One of the most important will be changes and improvements to the Foreign Intelligence Surveillance Act, commonly known as FISA. Some of its Patriot Act created provisions, like the better known Section 215 used to collect bulk phone records, and the less well known Section 702 authority compelling telecommunication providers to provide the government non-U.S. person communications have been hotly debated in Congressional committee hearings and by the general public during 2014.
The Senate recently failed to advance ‘USA Freedom Act’ to change FISA, ensuring that the debate will be rekindled in the next Congress early in 2015. Hopefully, the next version of the bill will address some of the concerns that Judge John Bates (a federal district judge who has served on the FISA Court) described – laid out about the concerns the FISA Court might have, and challenges it might face in its processes, if that version of the USA Freedom Act had become law.
Congress will work its will in passing a final set of changes to FISA from these bills, enhancing existing privacy protections in light of the rapid advances in modern communications and the public outcry over government access and storage of telephone and internet activity by ordinary citizens.
Once signed into law, I am certain the professionals within NSA, both military and civilian, will comply with the changes to the FISA statute, whatever their final form. That compliance is not only an integral part of their oaths to the Constitution, it is also completely consistent with the professional attitudes of the many men and women at NSA I have worked with over the years.
However, in light of this long debate, three ‘lessons learned’ are abundantly clear in this era of rapidly evolving modern telecommunications and the ‘internet of things’:
The public needs a better understanding of exactly what information they surrender when they use communications technology. This is a difficult goal to attain given the technological complexity of modern personal communications devices and the limited time or desire someone may have to delve into the privacy related issues attendant to the device or service they use. Do you know what personal information the operating system on your mobile device stores when you use an application? During the INFOSEC 2014 conference in Orlando earlier this year, an iPhone demonstration proved that while the app you use may keep your personal information secure, the phone’s underlying operating system may be storing much of it in a very unsecure manner.
Next, Congress and local legislatures need to play a more active role in the oversight of law enforcement and intelligence activities where they involve modern telecommunications technology. Law enforcement and intelligence organizations operate within the laws they are given, and the law must keep pace with advances in technology. As such, laws like FISA must continue to have yearly ‘sunset’ clauses built into them to force legislatures to engage regularly and keep pace with the leaps forward in technology. Police and intelligence services will leverage new technologies to conduct their missions, and they need laws adopted at a quicker pace, not just to constrain their actions within our Constitutional principles, but also properly enable them to bring criminals to trial or monitor agents and actions of a foreign adversary.
Lastly, a level of increased transparency is required. The days of ‘No Such Agency’, borne from the Cold War era, are long over, and a new balance needs to be struck. I believe law enforcement and intelligence organs must have and foster public trust, but intelligence organs cannot operate effectively if operational means and methods are exposed to the whole of the American public, and therefore, our adversaries. Adversaries would exploit such knowledge to kill our citizens, damage or destroy our critical national infrastructure, or win in battles with our military. We have begun to see the first steps towards increased transparency with the release of unclassified versions of FISA Court opinions and reports of aggregate counts of FISA warrants and NSLs. Among other things, greater transparency can be achieved by: providing unclassified titles for the closed door briefings to intelligence oversight committees; including in the aggregate counts of FISA warrants actively in use by each government agency; and releasing unclassified versions of all damage assessments produced as a result of unauthorized leaks of classified information. The government cannot claim damage due to leaks, without backing the claim in a credible manner in a public forum – something I believe can be done without exposing sources and methods or risking lives.
U.S. intelligence and law enforcement agencies exist and operate from the bedrock of public confidence. More transparency, consistent with protecting sources, methods, operational intelligence, and our troops in the field, is achievable, and since the Snowden leaks and the misinformation that has stemmed from them, something I believe is now mandatory.
Tom Wither is the author of the military/intelligence thrillers: “The Inheritor” (Turner Publishing, June 2014) and “Autumn Fire” (Turner Publishing, September 2014). He is also a 25 year veteran of the intelligence community. The views and opinions expressed are his own and are not those of any organization or element of the intelligence community or Department of Defense. His email is Tom@TomWither.com.
July 27, 2014 | Posted in 4th Amendment, Department of Defense, Director of National Intelligence, E.O. 12333, FISA, FISC, Intelligence, Leaks, NSA, PPD-28, Privacy, Snowden, U.S. Code Title 50 | By Tom Wither
Over the last year, some media outlets have used the leaked classified material from Edward Snowden to write news stories that imply NSA has either: allegedly violated the privacy rights of ‘every American’ or exceeded its authorities. In every one of these stories, what is usually missing is a SIGINT professional’s level of understanding on the part of the journalist, admittedly difficult to gain when SIGINT operational training is classified.
Signals intelligence, referred to as SIGINT, is both technically complex due to the nature of modern communications technologies, and legally complex, due to the heavy legal and Constitutional burdens placed on the professionals at NSA who conduct it.
These professionals spend months and oftentimes years during a career training in the operational, technical, and legal aspects of conducting SIGINT – which includes training in the protection of U.S. person privacy.
For example, a recent Washington Post article on July 11th, ‘How 160,000 intercepted communications led to our latest NSA story’; written to amplify its July 5th story ‘Non-targets far outnumber targets in NSA data collection’, states that the rules for ‘minimization’ of U.S. person information are ‘opaque’ – in fact, they are not opaque at all.
The minimization rules come in two forms, both of which are written in black and white for anyone to read, now that they have been declassified. They are contained in the Foreign Intelligence Surveillance Court’s minimization instructions as part of its numerous court rulings, and United States Signals Intelligence Directive 18 (USSID 18). USSIDs provide implementation guidance and direction to NSA’s civilian and military workforce, ensuring our Constitutional principles, current laws, Executive Orders, and binding court orders are implemented and enforced within the entire United States SIGINT System. For the purposes of this blog post, we’ll focus on USSID 18.
USSID 18 is titled, “Legal Compliance and U.S. Persons Minimization Procedures”, and is fifty-two pages long. Naturally, portions of many paragraphs are blanked out as part of the declassification process, but the direction in, and intent of USSID 18 are very clear, and I can tell you from my experience in the intelligence community that it is binding and followed by all SIGINT professionals.
Discussing all the limits USSID 18 places on SIGINT operations would take several blog posts worth of space, but we can look at one instance where USSID 18 applies in the Washington Post’s July 5th story.
The Post’s story states that, in the sample of surveillance files it reviewed, ‘NSA analysts masked, or “minimized,” more than 65,000 [references to U.S. citizens or residents], but the Post found nearly 900 additional e-mail addresses, unmasked in the files, that could be strongly linked to U.S. citizens or U.S. residents.’ This line is clearly meant to bolster the implication that U.S. person identities or identifiers incidentally collected under the legally authorized, and court monitored FISA Amendments Act (the Patriot Act) Section 702 program are not properly minimized.
If this element of the Post’s story is accurate, that translates to a 98.7% accuracy rate (based on (900 / 65,900) x 100) of minimization, as required under USSID 18 – an operational standard that many U.S. corporations would envy. The Post didn’t word it that way, but it is example of how the professionals at NSA take protection of U.S. person privacy seriously, rather than supporting the Post’s implication that NSA treats U.S. person data in a cavalier manner.
The Post’s explanatory piece on the 11th also expresses its concern about the volume and nature of incidental collection, the Director of National Intelligence’s assertion that it is unable to estimate how many Americans are affected, and that no outside watchdog – the Congress, courts, or the President’s Privacy and Civil Liberties Oversight Board have access to the content to judge for themselves.
The reason for this is obvious to a professional. Although the Post could traipse at will through its purported pile of 160,000 intercepts (reviewing U.S. citizen’s private information under the comforting blanket of the 1st Amendment) – the government cannot legally look through incidental collection to identify and characterize it because laws, and both executive and court orders forbid it. Laws and orders every American citizen, including those working at NSA, must obey.
At this stage of the debate, I had hoped to see stories covering how NSA adheres to law and policy to conduct their assigned foreign intelligence mission, using background interviews with NSA’s professionals and managers in a more transparent environment. Instead, we continue to see stories from some members of the media filled with a selected set of ‘facts’ provided by a man charged with theft and violations of the espionage act, filtered through well-intended, but only partially educated journalist guesswork, resulting in implications or insinuations of impropriety or illegality. There is more to the story than just what Mr. Snowden, or the journalists who support him, would have you believe.
This is a very informative and interesting session that occurred at Penn Law last November. Not only is Mr. Inglis, the recently retired Deputy Director of NSA, giving a keynote address that provides an excellent insight into the technological environment NSA operates in, and the constraints it operates under; the Q&A session provides pretty direct answers to some of the questions many Americans may have since the Snowden Leaks. I think it’s worth your time.
You Tube – Chris Inglis Keynote and Q&A at Penn Law
December 15, 2013 | Posted in 4th Amendment, Director of National Intelligence, E.O. 12333, FBI, FISA, FISC, Intelligence, Law Enforcement, NSA, Privacy, U.S. Code Title 10, U.S. Code Title 50 | By Tom Wither
Absolutely not. A nation where every move of every American citizen is recorded, cataloged and data based by the government runs counter to the privacy rights each citizen of the United States expects, and would be an abhorrent infringement upon one of the principle freedoms of our democracy. Protecting those rights is something I swore to do as a member of the intelligence community, and was required to do as a civil servant and uniformed member of the armed forces.
In light of the ‘Snowden revelations’ and the plethora of news stories (few of those stories entirely accurate and not jaundiced by sensationalism), many Americans are concerned about invasions of their privacy by the government. I share those concerns, but mine are tempered by the testimony offered before the House and Senate Intelligence and Judiciary committees, the declassified documents posted on the IConTheRecord tumbler site, and my own professional experiences within the intelligence community.
Much like the majority of the 100,000+ members of the intelligence community, I have a lifetime obligation to protect the classified material I’ve been exposed to. I understand the valid reasons for that secrecy, and I respect them. I was also made fully aware early in my career of the myriad of mechanisms in place to report perceived illegal or improper acts, from IG reporting through classified channels to include arranging closed door testimony before the relevant Congressional committees if needed. For the record, in my more than twenty-five years in the intelligence community, I never encountered any instance of willful or intentional misuse of the tools, capabilities, or authorities any of my colleagues or I operated under, had access to, or could utilize. Certainly honest errors were made, as they would be in any human endeavor, and those errors were reported through the proper mechanisms, and corrected.
At this point, let me point out some of the facts now available for every citizen to evaluate when deciding for themselves if the government is violating your privacy rights, and temper that with a few other thoughts. Using just the FISA 215 program as an example, all of what follows is either from declassified documentation/information released by the ODNI, or provided as testimony on public session in front of the intelligence or judiciary committees by the senior leaders of the intelligence community. See the ODNI’s IC on the Record website for the details on the FISA 702 program.
The FISA 215 Program
- Gathers and centralizes at NSA, telephone call records from various U.S. telecommunications companies
- The telephone companies are compelled to provide the information to the government by a FISA Court order
- The FISA Court approves the orders based on the law and precedent (e.g. Smith v. Maryland, the FISA Law Congress passed twice, etc.) subsequent to receiving an application for the order by the government (usually the FBI, after coordination with the NSA, ODNI, and the National Security branch of the DoJ)
- The FISA Court requires the government to store, access, and utilize the call records obtained under the order in a specific manner outlined by the Court, and report all deviations from those orders
- The only records provided to the government by the telephone companies are:
Date & Time of the Call
Duration of the Call
- For example: Phone number 203-555-1212 called phone number 203-555-1414 at 0900 on the 10 Oct 2012 and the call lasted 10 minutes
- No names, no addresses, or other identifying information is provided by the telephone companies under the FISA Court’s order
- The content of conversations are not collected under this program – other warrants are required to collect content, and NSA says it currently has only 60 active warrants for content collection against U.S. persons
- Searches of the call records under this authority can only be conducted with a ‘seed phone number’ that can be reasonably and articulately described, in writing, as being terrorism related
- The written articulation must be signed off on by an NSA manager (an intelligence professional, not a political appointee) before a query is run against the records in the database
- ALL queries of the database are recorded, tracked, and audited to ensure the FISA Court’s instructions are not violated
- The returned call records meeting the intelligence need (i.e. not all of the returned records) are turned over to the FBI for any follow-up action
- If the government wishes to wiretap any number based on the call records NSA provides, it must apply to the appropriate court for a warrant
Laws, Executive Orders, and Congressional Oversight
The United States intelligence community operates under several enabling laws, Executive Orders from the President, and Congressional Oversight. These laws, orders, and oversight apply to every intelligence program conducted by the United States government. Some of the most notable of these are, USC Title 10, USC Title 50, Executive Order 12333, the Foreign Intelligence Surveillance Act of 1978 (as amended), and the oversight of the Senate Permanent Select Committee on Intelligence, the House Permanent Select Committee on Intelligence, and the Senate and House Committees on the Judiciary. Within the SIGINT system specifically, the primary instruction for the protection of U.S. citizen’s 4th Amendment rights is outlined in USSID 18.
The recently declassified United States SIGINT Intelligence Directive (USSID) 18, Legal Compliance and U.S. Persons Minimization Procedures, dated 25 January 2011, describes the U.S. person privacy protections all elements of the NSA are obligated and required to follow. Paragraphs 1.1 – 1.4 show that U.S. person privacy protections required by the 4th Amendment were in place long before Mr. Snowden’s massive leaks of classified material made the subject of U.S. person privacy a daily staple of newspaper front pages and legitimate public concern. USSID 18 has been in existence since at least 1993. In addition, the ODNI has made the training materials used by NSA to teach their analysts what is allowed and what is not allowed when dealing with FISA 215 data available for you to see.
Corporate America is ‘Spying’ on You All the Time – And you let them
Every time you make a purchase at a store, they know what you buy, and how often. That frequent shoppers card you use at the checkout ties you to every item on your shopping list – vegetables, meats, shampoos, bakery products, gluten free items, condoms, feminine hygiene items, etc. How many, which brands, how often, and which charge card you used. Think about the ‘pattern of life’ information that offers the company that owns that store about you and your family. You even surrendered it willingly. Companies use the information to target advertising, sending you e-mails and paper circulars featuring the products you buy most often using a process called data mining. You may not mind that, but what else are they using it for? Reporting to the FDA about how much red meat a family consumes in a year? How far you travel to get to the store? How many times a week you go? At what times of day? If you have children and how old they are? Are you under a doctor’s care or do you have an annoying hemorrhoid problem? The list is practically endless.
Your credit card company shares your purchasing habits with marketing companies. They may offer you the option to opt out, but I recently received a notice from one of my credit card companies telling me that they shared my personal information and purchase history with eight other companies, only offering me the opportunity to ‘opt out’ of the sharing with two of those companies.
How many video or still cameras did you appear on today as you went about your ‘private’ business? Did you even notice them? Did you notice the ones in every store you walk into, each ATM you passed, and the cell phone everyone you passed on the street was carrying? How many of those cell phone captured videos or still images were forwarded to a friend, lover, relative, or business colleague by the shutterbug/videographer? Do you know that there is a copy of that video or image on the telecommunication’s company’s servers or systems? Do you know how long it stays there or what is done with it? Are they kept for hours or years? By whom? How and where are they stored? Are they ever deleted? How can you be sure?
Oh, and those private phone calls you make, or e-mails you send? The telecommunications companies can mine those records as needed to improve their infrastructure, determine what services to market, or even re-direct your communications through the network. In doing so, do to the technical sophistication of today’s communications networks, the e-mail from your wife or husband in Cleveland, OH, just may have been routed through Vladivostok, Russia, where a copy was left on a server in Russia. Are the Russian security services scanning that e-mail for information it might find of interest? Do you honestly think they care about your privacy as a U.S. citizen? Maybe they think that picture of your significant other in her new Victoria’s Secret undies is pretty hot and keep a few copies.
Internal to these companies, what are the company’s restrictions or policies on which employees can access, review or share that information? Do those employees go through any kind of background check before they are hired? What kind of oversight is there on the use or access to the data?
Just Who Might be Invading Your Privacy – The U.S. Government, a Corporation, or a Foreign Government?
Should we be reasonably concerned about U.S. Government overreach and invasion of privacy? Yes. It’s our government and we should keep an eye on it. But I’m less concerned about the U.S. intelligence community’s activities than I am about a telecommunications provider (especially a foreign one) or foreign government’s respect for ‘privacy’ as we perceive it.
In the U.S., the intelligence community’s motivations, codified in both law and executive order, and overseen by Congress and the Courts, is at least grounded in a desire to preserve, protect, and defend the Constitution and the nation. The professionals in that community undergo deep background checks, polygraph examinations, and in many cases, submit to financial disclosure requirements and psychiatric examinations before being exposed to intelligence operations or activities that may impact a U.S. person’s privacy in the modern digital age. Moreover, they seem, based on the information released by the ODNI, to be rigorously trained to protect the 4th Amendment rights of U.S. persons, and there is at least one directive in place at NSA that requires that U.S. person privacy is protected.
Corporations (U.S. or foreign) are motivated by a desire to make a profit for their shareholders, and they never have to go to a judge for a warrant to see data that might invade someone’s privacy. They also don’t have Congress and the Courts looking over their shoulder to be sure they aren’t using ‘private’ data to profile a person’s life, purchasing habits, or travel.
Foreign governments may not care at all about your privacy. France just passed a surveillance law that, according to the story in the NYT, “…defines the conditions under which intelligence agencies may gain access to or record telephone conversations, emails, Internet activity, personal location data and other electronic communications. The law provides for no judicial oversight and allows electronic surveillance for a broad range of purposes, including “national security,” the protection of France’s “scientific and economic potential” and prevention of “terrorism” or “criminality.””
Mr. Inglis, Deputy Director of NSA, made a statement during a Q&A session at Penn Law’s Center for Ethics and the Rule of Law Conference that I think is very relevant. He based it on the number of NSA employees and affiliates who have died since 9/11 and the twelve internally reported ‘willful abuses’ during the conduct of its SIGINT operations – “… it’s three times more likely that you’ll die for your country if you work for NSA than you are to abuse the [U.S. SIGINT] system.”
For myself, while I accept that there is always room to improve a process, law, and oversight; I put more trust in the professionals in the U.S. intelligence community, the laws and policies that govern their activities, the internal controls, and the oversight mechanisms in place in the courts and congress when it comes to protecting my 4th Amendment rights.