Nyet! La Voila! Los Bad Hombres! 🕵 🗽 🤡 – Part III

A new awareness of governments’ capabilities in collecting and monitoring vast amounts of information in great detail has raised concerns over privacy, civil, legal and human rights implications. The list of the outraged goes from liberal activist groups to the media and the right including the President.

In (Part I) and (Part II) I set up the dynamics leading to an area that is a greater domain of risk. To get a few points across, it is useful to recall/review risk. Risk is assessed on 2 dimensions: probability and impact. We do not waste resources or energy on high probability/low impact (yapping noise at Starbucks) and low probability/low impact (rain on sunny days) outcomes. We avoid (or should if we know) high probability/high impact ones.

The danger lies in low probability/high impact outcomes. We build safeguards into infrastructure, systems and environments where adverse impact can be high (prevention) and try to reduce or eliminate the probability where it is high (transform, disrupt). The more complex a system (organization, machine, etc.), the more difficult it is to keep track of dependencies and secure weak links if each has its own probability of failure/compromise and cascading effects.

As the safeguards become ubiquitous we take them for granted and the risk is not reduced per se but carefully managed and maintained at an acceptable level. Flying in a 1,000,000 lb pressurized cabin of metal at 33,000 feet is not inherently safe — it is made safe by rigorous application of experience, science, engineering and quality control processes in design, manufacturing and maintenance.

The current fixation with the NSA is somewhat biased, and in 2 aspects (the biases are too many to go into here, but some typical ones exploited in Information Warfare and propaganda: anchoring/confirmation/post hoc ergo propter hoc/illusory correlation/description-experience gap/bandwagon/fundamental attribution/backfire/framing biases, effects and errors). First — notwithstanding a healthy distrust in authority, the populist de facto acceptance of conspiracy theories, leaks, and already acknowledged errors — data collection, storage and dissemination systems (physical, legal, process and human) are by-and-large sound. BTW, recent leaks have also demonstrated underlying value. Agreement with the law and policy being a separate issue, the DNI’s section 702 release, the transparency report and EFF FOIA request show no violations of rights, and the inability to fully minimize led the NSA to drop the “about” collection method. Talking about lack of transparency in such a closed conspiratorial system we have!

Second, the mission, culture and incentives at the national security level are focused on building national and international towers and moats and not sinking some poor sob’s boats. I do rhyme! The same goes for Five Eyes (same level) sharing which is again not absolutely unrestricted in either direction.

So, based on oversight checks and balances and all evidence and logic, the mass hysteria following Snowden and other leaks about (no pun here) violation of individual and Constitutional rights has little basis in relevant facts, inference or a remotely reasonable conclusion. The risk is extremely low, if it is there at all.

One note on leaks and risk — you control what you can control, which is much easier with environment, hardware and technology than with people and human nature. The clearance processes, training, monitoring, and audit trails are controls for that risk. Maybe they can change or be improved, but they are there.

Done with where the risks are low and onto where they are and why — not just naughty but oh so nasty!

And I expected to put the last nail in that coffin in 3 parts — alas the story of my life is going longer and beyond expectations. At least keeping it interesting and real. Hopefully we can reuse or dispose of the coffin for a burning-man style spectacle.

Nyet! La Voila! Los Bad Hombres! 🕵 🗽 🤡 – Part II

In (Part I) I wondered — kinda between humming and out-loud — about the limited scope of ACLU’s FOIA request from NSA, CIA, ODNI, FBI and DOD for “all agreements … other arrangements with foreign countries concerning the sharing … of foreign-intelligence surveillance data” which is “acquired through or derived from electronic surveillance.”

Limited because the risk to civil/constitutional rights the request attempts to assess is less in routine sharing of national security data and more inherent to cross border law enforcement operations. FBI is the only agency in the FOIA request; its CD investigations are separate from criminal investigations and outside the scope of the request. Note that any IC element, not just the FBI, can get raw NSA SIGINT (here for a quick and dirty and maybe slightly arousing and not nauseating summary) which it can use/share/abuse outside of the scope of the FOIA request. This nicely segues to cross the border law enforcement activities.

Mutual Law Enforcement Agreements (MLA) and MLA under Treaties (MLAT) have recently come under scrutiny for the potential to bypass judicial control of international surveillance requests. Hey — ACLU where is thy head buried?!

That is just the legally permissive information flow/chain from national security grade safeguards to IC element (although not all NSA or SCI/need to know data is raw or shared wholesale with every element) to the non-intelligence side of every member.

From there, that and any other data (including US citizens’) held by any of those agencies can get entangled in, or pass through, an MLA or MLAT sanctioned operation where data sharing procedural and judicial controls are practically nil due to lack of accountability, audit trails and a number of domestic and international weak links.

The risk areas can be broken down into process, misalignment of mission/purpose/goals, culture and incentives. The impact though can be grave with severe national and international repercussions for national security, human life, crime, law and order, and diplomatic relations.

And above all: integrity, trust and credibility, which are hardly, and often never, recoverable from damage. Which makes part III very interesting. Not that this one wasn’t.

I thought I could fit it all in 2 parts but it is 3. 2 or 3, what is in a number — or 2 anyways?

GOP Data Firm Accidentally Leaks Personal Details of Nearly 200 Million American Voters

Political data gathered on more than 198 million US citizens was exposed this month after a marketing firm contracted by the Republican National Committee stored internal documents on a publicly accessible Amazon server.

Source: GOP Data Firm Accidentally Leaks Personal Details of Nearly 200 Million American Voters

Nyet! La Voila! Los Bad Hombres! 🕵 🗽 🤡 – Part I

A recent Atlantic article about intelligence sharing with foreign governments (What Spy Agencies Tell Foreign Governments About Americans – The Atlantic) articulates concerns about lack of accountability and the potential to violate civil and Constitutional rights.  ACLU’s FOIA request asks for “all agreements, memoranda of understanding, or other arrangements with foreign countries concerning the sharing between the United States and any other country of foreign-intelligence surveillance data.”

The Russian election meddling investigation, Snowden leaks and Cyberwar related discussions have sparked debates highlighting some legal and practical dilemmas. Namely CT vs. CI vs. criminal investigations purpose and tools, Section 702 and minimization procedures, unmasking of citizens, and Title 10 vs. Title 50 applications and necessary overlaps between NSA and Cybercom. Add to that non-SIGINT, human and other covert, espionage, informants (pssst Confidential Sources and more on that in part II) and otherwise acquired/stolen/gifted/inherited information — and there are many sources and agencies that possess all sorts of data relevant to the request.

All of this makes me wonder why the FOIA is limited to “data acquired through or derived from electronic surveillance” (footnote 11) and only from NSA, CIA, ODNI, FBI and DOD.

And to pour salt over the injury — that is one degree above adding insult to and talking about my emotional state with ACLU missing this and not anyone else — a more disconcerting danger to privacy and civil/constitutional rights does not come from NSA or CIA level sharing of electronically sourced intelligence data but from a much more error, leak, self-service, and corruption prone process or kind of relationship: law enforcement operations that either circumvent or bypass MLAs, MLATs, State Department, masquerade as coordinated stings, or are entirely off-the-books. Which makes part II very interesting.