Showing posts with label privacy. Show all posts
Showing posts with label privacy. Show all posts

Tuesday, November 24, 2009

Wikileaks to release over 500K text pager intercepts from 9/11

Wikileaks is releasing over 500,000 U.S. national text pager intercepts from September 11, 2001, over the next two days:
From 3AM on Wednesday November 25, 2009, until 3AM the following day (New York Time), WikiLeaks will release over half a million US national text pager intercepts. The intercepts cover a 24 hour period surrounding the September 11, 2001 terrorist attacks in New York and Washington.

The first message, corresponding to 3AM September 11, 2001, five hours before the first attack, will be released at 3AM November 25, 2009 and the last, corresponding to 3AM September 12, 2001 at 3AM November 26, 2009.

Text pagers are mostly carried by persons operating in an official capacity. Messages in the collection range from Pentagon and New York Police Department exchanges, to computers reporting faults to their operators as the World Trade Center collapsed.
This is a significant and completely objective record of the defining moment of our time. We hope that its entry into the historical record will lead to a deeper and more nuanced understanding of how this tragedy and its aftermath may have been prevented.

While we are obligated by to protect our sources, it is clear that the information comes from an organization which has been intercepting and archiving national US telecommunications since prior to 9/11.
The Transparent Society getting closer, it appears...

Saturday, November 07, 2009

Robert B. Laughlin on "The Crime of Reason"

The 2009 Hogan and Hartson Jurimetrics Lecture in honor of Lee Loevinger was given on the afternoon of November 5 at Arizona State University's Sandra Day O'Connor School of Law by Robert B. Laughlin. Laughlin, the Ann T. and Robert M. Bass Professor of Physics at Stanford University and winner of the 1998 Nobel Prize in Physics (along with Horst L. Stormer and Daniel C. Tsui), spoke about his recent book, The Crime of Reason.

He began with a one-sentence summary of his talk: "A consequence of entering the information age is probably that we're going to lose a human right that we all thought we had but never did ..." The sentence went on but I couldn't keep up with him in my notes to get it verbatim, and I am not sure I could identify precisely what his thesis was after hearing the entire talk and Q&A session. The main gist, though, was that he thinks that a consequence of allowing manufacturing to go away and being a society based on information is that "Knowledge is dear, therefore there has to be less of it--we must prevent others from knowing what we know, or you can't make a living from it." And, he said, "People who learn on their own are terrorists and thieves," which I think was intentional hyperbole. I think his talk was loaded with overgeneralizations, some of which he retracted or qualified during the Q&A.

It certainly doesn't follow from knowledge being valuable that there must be less of it. Unlike currency, knowledge isn't a fungible commodity, so different bits of knowledge have different value to different people. There are also different kinds of knowledge--know-how vs. knowledge that, and making the latter freely available doesn't necessarily degrade the value of the former, which is why it's possible to have a business model that gives away software for free but makes money from consulting services. Further, the more knowledge there is, the more valuable it is to know where to find the particular bits of knowledge that are useful for a given purpose, and the less it is possible for a single person to be an expert across many domains. An increasing amount of knowledge means there's increasing value in various kinds of specializations, and more opportunities for individuals to develop forms of expertise in niches that aren't already full of experts.

Laughlin said that he is talking about "the human rights issue of the 21st century," that "learnign some things on your own is stealing from people. What we think of as our rights are in conflict with the law, just as slavery is in conflict with human rights." He said that Jefferson was conflicted on this very issue, sayng on the one hand that "knowledge is like fire--divinely designed to be copyable like a lit taper--I can light yours with mine, which in no way diminishes my own." This is the non-rival quality of information, that one person copying information from another doesn't deprive the other of their use of it, though that certainly may have an impact on the commercial market for the first person to sell their information.

"On the other hand," said Laughlin, "economics involves gambling. [Jefferson] favored legalized gambling. Making a living involves bluff and not sharing knowledge." He said that our intellectual property laws derive from English laws that people on the continent "thought ... were outrageous--charging people to know things."

He put up a photo of a fortune from a fortune cookie, that said "The only good is knowledge, and the only evil ignorance." He said this is what you might tell kids in school to get them to study, but there's something not right about it. He then put up a drawing of Dr. Frankenstein and his monster (Laughlin drew most of the slides himself). He said, we're all familiar with the Frankenstein myth. "The problem with open knowledge is that some of it is dangerous. In the U.S. some of it is off-limits, you can't use it in business or even talk about it. It's not what you do with it that's exclusive, but that you have it at all."

His example was atomic bomb secrets and the Atomic Energy Act of 1954, which makes it a federal felony to reveal "nuclear data" to the public, which has been defined very broadly in the courts. It includes numbers and principles of physics.

Laughlin returned to his fortune cookie example, and said there's another problem. He put up a drawing of a poker game. "If I peeked at one guy's cards and told everyone else, the poker game would stop. It involves bluffing, and open access to knowledge stops the game." He suggested that this is what happened last year with the world financial sector--that the "poker game in Wall Street stopped, everyone got afraid to bet, and the government handled it by giving out more chips and saying keep playing, which succeeded." I agree that this was a case where knowledge--specifically knowledge of the growing amounts of "toxic waste" in major world banks--caused things to freeze up, it wasn't the knowledge that was the ultimate cause, it was the fact that banks engaged in incredibly risky behavior that they shouldn't have. More knowledge earlier--and better oversight and regulation--could have prevented the problem.

Laughlin said "Economics is about bluff and secrecy, and open knowledge breaks it." I don't think I agree--what makes markets function is that price serves as a public signal about knowledge. There's always going to be local knowledge that isn't shared, not necessarily because of bluff and secrecy, but simply due to the limits of human capacities and the dynamics of social transactions. While trading on private knowledge can result in huge profits, trading the private knowledge itself can be classified as insider trading and is illegal. (Though perhaps it shouldn't be, since insider trading has the potential for making price signals more accurate more quickly to the public.)

Laughlin showed a painting of the death of Socrates (by Jacques-Louis David, not Laughlin this time), and said that in high school, you study Plato, Aristotle, and Descartes, and learn that knowledge is good. But, "as you get older, you learn there's a class system in knowledge." Plato etc. is classified as good, but working class technical knowledge, like how to build a motor, is not, he claimed. He went on to say, "If you think about it, that's exactly backwards." I'm not sure anyone is ever taught that technical knowledge is not valuable, especially these days, where computer skills seem to be nearly ubiquitous--and I disagree with both extremes. From my personal experience, I think some of my abstract thinking skills that I learned from studying philosophy have been among the most valuable skills I've used in both industry and academia, relevant to both theoretical and practical applications.

Laughlin said that "engines are complicated, and those who would teach you about it don't want to be clear about it. It's sequestered by those who own it, because it's valuable. The stuff we give away in schools isn't valuable, that's why we give it away." In the Q&A, a questioner observed that he can easily obtain all sorts of detailed information about how engines work, and that what makes it difficult to understand is the quantity and detail. Laughlin responded that sometimes the best way to hide things is to put them in plain sight (the Poe "purloined letter" point), as needles in a haystack. But I think that's a rather pat answer to something that is contradictory to his claim--the information really is freely available and easy to find, but the limiting factor is that it takes time to learn the relevant parts to have a full understanding. The limit isn't the availability of the knowledge or that some of it is somehow hidden. I'd also challenge his claim that the knowledge provided in schools is "given away." It's still being paid for, even if it's free to the student, and much of what's being paid for is the know-how of the educator, not just the knowledge-that of the specific facts, as well as special kinds of knowledge-that--the broader frameworks into which individual facts fit.

Laughlin went on to say, "You're going to have to pay to know the valuable information. Technical knowledge will disappear and become unavailable. The stuff you need to make a living is going away." He gave as examples defense-related technologies, computers, and genetics. He said that "people in the university sector are facing more and more intense moral criticism" for sharing information. "How life works--would we want that information to get out? We might want to burn those books. The 20th century was the age of physics, [some of which was] so dangerous we burned the books. It's not in the public domain. The 21st century is the age of biology. We're in the end game of the same thing. In genetics--e.g., how disease organisms work. The genetic structure of Ebola or polio." Here, Laughlin seems to be just wrong. The gene sequences of Ebola and polio have apparently been published (Sanchez, A., et al. (1993) "Sequence analysis of the Ebola virus genome: organization, genetic elements and comparison with the genome of Marburg virus," Virus Research 29, 215-240 and Stanway, G., et al. (1983) "The nucleotide sequence of poliovirus type 3 leon 12 a1b: comparison with poliovirus type 1," Nucleic Acids Res. 11(16), 5629-5643). (I don't claim to be knowledgeable about viruses, in the former case I am relying on the statement that "Sanchez et al (1993) has published the sequence of the complete genome of Ebola virus" from John Crowley and Ted Crusberg, "Ebola and Marburg Virus: Genomic Structure, Comparative and Molecular Biology."; in the latter case it may not be publication of the complete genome but is at least part.)

Laughlin talked about the famous issue of The Progressive magazine which featured an article by Howard Moreland titled "How H-Bombs Work." He showed the cover of the magazine, which read, "The H-Bomb Secret--How we got it--why we're telling it." Laughlin said that the DoJ enjoined the journal from publishing the article and took the issue into secret hearings. The argument was that it was a threat to national security and a violation of the Atomic Energy Act. The judge said that the rule against prior restraint doesn't apply because this is so dangerous that "no jurist in their right mind would put free speech above safety." Laughlin said, "Most people think the Bill of Rights protects you, but this case shows that it doesn't." After the judge forbid publication, it was leaked to a couple of "newspapers on the west coast," after which the DoJ dropped the case and the article was published. According to Laughlin, this was strategy, that he suspects they didn't prosecute the case because the outcome would have been to find the AEA unconstitutional. By dropping the case it kept the AEA as a potential weapon in future cases. He said there have only been two cases of the criminal provisions of the AEA prosecuted in the last 50 years, but it is "inconceivable that it was only violated twice. The country handles its unconstitutionality by not prosecuting." The U.S., he said, is like a weird hybrid of Athens and Sparta, favoring both being open and being war-like and secretive. These two positions have never been reconciled, so we live in an unstable situation that favors both.

He also discussed the case of Wen Ho Lee, a scientist from Taiwan who worked at Los Alamos National Laboratory, who took home items that were classified as "PARD" (protect as restricted data), even though everyone is trained repeatedly that you "Don't take PARD home." When he was caught, Laughlin said, he said "I didn't know it was wrong" and "I thought they were going to fire me, so I took something home to sell." The latter sounds like an admission of guilt. He was put into solitary confinement for a year (actually 9 months) and then the case of 50 counts of AEA violations was dropped. Laughlin characterized this as "extralegal punishment," and said "we abolish due process with respect to nuclear data." (Wen Ho Lee won a $1.5 million settlement from the U.S. government in 2006 before the Supreme Court could hear his case. Somehow, this doesn't seem to me to be a very effective deterrent.)

Laughlin said that we see a tradeoff between risk and benefit, not an absolute danger. The risk of buildings being blown up is low enough to allow diesel fuel and fertilizer to be legal. Bombs from ammonium nitrate and diesel fuel are very easy to make, and our protection isn't hiding technical knowledge, but that people just don't do it. But nuclear weapons are so much more dangerous that the technical details are counted as absolutely dangerous, no amount of benefit could possibly be enough. He said that he's writing a book about energy and "the possible nuclear renaissance unfolding" (as a result of need for non-carbon-emitting energy sources). He says the U.S. and Germany are both struggling with this legal morass around nuclear information. (Is the unavailability of nuclear knowledge really the main or even a significant issue about nuclear plant construction in the United States? General Electric (GE Energy) builds nuclear plants in other countries.)

Laughlin said that long pointy knives could be dangerous, and there's a movement in England to ban them. Everybody deals with technical issue of knowledge and where to draw lines. (Is it really feasible to ban knives, and does such a ban constitute a ban on knowledge? How hard is it to make a knife?)

At this point he moved on to biology, and showed a photograph of a fruit fly with legs for antennae. He said, "so maybe antennae are related to legs, and a switch in development determines which you get. The control machinery is way too complicated to understand right now." (Really?) "What if this was done with a dog, with legs instead of ears. Would the person who did that go to Stockholm? No, they'd probably lose their lab and be vilified. In the life sciences there are boundaries like we see in nuclear--things we shouldn't know." (I doubt that there is a switch that turns dog ears into legs, and this doesn't strike me as plausibly being described as a boundary on knowledge, but rather an ethical boundary on action.) He said, "There are so many things researchers would like to try, but can't, because funders are afraid." Again, I suspect that most of these cases are ethical boundaries about actions rather than knowledge, though of course there are cases where unethical actions might be required to gain certain sorts of knowledge.

He turned to stem cells. He said that the federal government effectively put a 10-year moratorium on stem cell research for ethical reasons. Again, these were putatively ethical reasons regarding treatment of embryos, but the ban was on federally funded research rather than any research at all. It certainly stifled research, but didn't eliminate it.

Next he discussed the "Millennium Digital Copyright Act" (sic). He said that "people who know computers laugh at the absurdity" of claiming that computer programs aren't formulas and are patentable. He said that if he writes a program that "has functionality or purpose similar to someone else's my writing it is a violation of the law." Perhaps in a very narrow case where there's patent protection, yes, but certainly not in general. If he was arguing that computer software patents are a bad idea, I'd agree. He said "Imagine if I reverse-engineered the latest Windows and then published the source code. It would be a violation of law." Yes, in that particular example, but there are lots of cases of legitimate reverse engineering, especially in the information security field. The people who come up with the signatures for anti-virus and intrusion detection and prevention do this routinely, and in some cases have actually released their own patches to Microsoft vulnerabilities because Microsoft was taking too long to do it themselves.

He said of Microsoft Word and PDF formats that they "are constantly morphing" because "if you can understand it you can steal it." But there are legal open source and competing proprietary software solutions that understand both of the formats in question--Open Office, Apple's Pages and Preview, Foxit Reader, etc. Laughlin said, "Intentional bypassing of encryption is a violation of the DMCA." Only if that encryption is circumvention of "a technological measure that effectively controls access to" copyrighted material and the circumvention is not done for the purposes of security research, which has a big exception carved out in the law. Arguably, breakable encryption doesn't "effectively control access," though the law has certainly been used to prosecute people who broke really poor excuses for encryption.

Laughlin put up a slide of the iconic smiley face, and said it has been patented by Unisys. "If you use it a lot, you'll be sued by Unisys." I'm not sure how you could patent an image, and while there are smiley face trademarks that have been used as a revenue source, it's by a company called SmileyWorld, not Unisys.

He returned to biology again, to talk briefly about gene patenting, which he says "galls biologists" but has been upheld by the courts. (Though perhaps not for many years longer, depending on how the Myriad Genetics case turns out.) Natural laws and discoveries aren't supposed to be patentable, so it's an implication of these court decisions that genes "aren't natural laws, but something else." The argument is that isolating them makes them into something different than what they are when they're part of an organism, which somehow constitutes an invention. I think that's a bad argument that could only justify patenting the isolation process, not the sequence.

Laughlin showed a slide of two photos, the cloned dog Snuppy and its mother on the left, and a Microsoft Word Professional box on the right. He said that Snuppy was cloned when he was in Korea, and that most Americans are "unhappy about puppy clones" because they fear the possibility of human clones. I thought he was going to say that he had purchased the Microsoft Word Professional box pictured in Korea at the same time, and that it was counterfeit, copied software (which was prevalent in Korea in past decades, if not still), but he had an entirely different point to make. He said, about the software, "The thing that's illegal is not cloning it. If I give you an altered version, I've tampered with something I'm not supposed to. There's a dichotomy between digital knowledge in living things and what you make, and they're different [in how we treat them?]. But they're manifestly not different. Our legal system['s rules] about protecting these things are therefore confused and mixed up." I think his argument and distinction was rather confused, and he didn't go on to use it in anything he said subsequently. It seems to me that the rules are pretty much on a par between the two cases--copying Microsoft Word Professional and giving it to other people would itself be copyright infringement; transforming it might or might not be a crime depending on what you did. If you turned it into a piece of malware and distributed that, it could be a crime. But if you sufficiently transformed it into something useful that was no longer recognizable as Microsoft Word Professional, that might well be fair use of the copyrighted software. In any case in between, I suspect the only legally actionable offense would be copyright infringement, in which case the wrongdoing is the copying, not the tampering.

He put up a slide of Lady Justice dressed in a clown suit, and said that "When you talk to young people about legal constraints on what they can do, they get angry, like you're getting angry at this image of Lady Law in a clown suit. She's not a law but an image, a logos. ... [It's the] root of our way of relating to each other. When you say logos is a clown, you've besmirched something very fundamental about who you want to be. ... Legal constraints on knowledge is part of the price we've paid for not making things anymore." (Not sure what to say about this.)

He returned to his earlier allusion to slavery. He said that was "a conflict between Judeo-Christian ethics and what you had to do to make a living. It got shakier and shakier until violence erupted. War was the only solution. I don't think that will happen in this case. [The] bigger picture is the same kind of tension. ... Once you make Descartes a joke, then you ask, why stay?" He put up a slide of a drawing of an astronaut on the moon, with the earth in the distance. "Why not go to the moon? What would drive a person off this planet? You'd have to be a lunatic to leave." (I thought he was going to make a moon-luna joke, but he didn't, unless that was it.) "Maybe intellectual freedom might be that thing. It's happened before, when people came to America." He went on to say that some brought their own religious baggage with them to America. Finally, he said that when he presents that moon example to graduate students, he always has many who say "Send me, I want to go."

And that's how his talk ended. I was rather disappointed--it seemed rather disjointed and rambling, and made lots of tendentious claims--it wasn't at all what I expected from a Nobel prizewinner.

The first question in the Q&A was one very much like I would have asked, about how he explains the free and open source software movement. Laughlin's answer was that he was personally a Linux user and has been since 1997, but that students starting software companies are "paranoid about having stuff stolen," and "free things, even in software, are potentially pernicious," and that he pays a price for using open source in that it takes more work to maintain it and he's constantly having to upgrade to deal with things like format changes in PDF and Word. There is certainly such a tradeoff for some open source software, but some of it is just as easy to maintain as commercial software, and there are distributions of Linux that are coming closer to the ease of use of Windows. And of course Mac OS X, based on an open source, FreeBSD-derived operating system, is probably easier for most people to use than Windows.

I think there was a lot of potentially interesting and provocative material in his talk, but it just wasn't formulated into a coherent and persuasive argument. If anyone has read his book, is it more tightly argued?

Tuesday, May 12, 2009

Tracking cyberspies through the web wilderness

Yesterday's New York Times has an interesting article about how security researchers at the University of Toronto have helped uncover online spy activity, apparently conducted by the Chinese government, against the Dalai Lama's office in India.

One odd comment in the article: "And why among the more than 1,200 compromised government computers representing 103 countries, were there no United States government systems?"

I find this particularly odd in that I've seen compromised U.S. government systems plenty of times in my information security career, including spam issued from military computers. I don't find it plausible that the U.S. government has recently improved the security of all of its computers and networks so that there are no more compromised systems.

In the context of the article, it's discussing more specifically compromises due to the particular spy ring being monitored. The preceding sentences point out that they weren't able to determine with certainty who was running it, and the immediately preceding sentence asks, "Why was the powerful eavesdropping system not password-protected, a weakness that made it easy for Mr. Villeneuve to determine how the system worked?"

The question should actually have asked why it wasn't encrypted, rather than "password-protected," but the possibilities suggested to me here are that (a) this particular activity is being run by amateurs or (b) this particular activity was intentionally detectible as either (i) a distraction from other, more hidden activity or (ii) to put the blame on China by somebody other than China.

Wednesday, August 27, 2008

DHS responds to my FOIA request for my travel dossier

On September 26, 2007, I submitted a request to the Department of Homeland Security requesting copies of information relating to me in the Automated Targeting System (ATS), a system that collects information about individuals who travel internationally. Travelers are then assigned a risk score; passengers who have higher scores are subjected to a higher level of screening, despite the fact that Congress has attached restrictions to its appropriations for passenger screening stating that "None of the funds provided in this or previous appropriations Acts may be utilized to develop or test algorithms assigning risk to passengers whose names are not on government watch lists."

Traveler risk scores are maintained for 40 years and individuals are not allowed to know their scores. The system has come under criticism for sometimes including information such as what books or magazines a passenger is carrying.

I followed the process suggested by The Identity Project, which stated that DHS was supposed to respond within 30 days. It took a little longer than expected--I just received my travel dossier today. It's fifteen pages of fairly cryptic documentation, with frequent short redactions. The redactions are each labeled with the section of 5 USC 552 which provides grounds for exemption from disclosure, (b)(2)(low), (b)(6), and (b)(7)(C). The first of those "exempts from disclosure records that are related to internal matters of a relatively trivial nature, such as internal administrative tracking," and accounts for the majority of the redactions. The other two are for "personnel or medical files and similar files the release of which would cause a clearly unwarranted invasion of personal privacy" and "records or information compiled for law enforcement purposes that could reasonably be expected to constitute an unwarranted invasion of personal privacy." I have a few of each of that type of redaction.

The documents include most--but not all--of my international air travel, including from as far back as 1984. There appear to be reports from two systems. There are four pages labeled "TECSII - PRIMARY QUERY HISTORY" and "PASSENGER ACTIVITY." TECS II is the Treasury Enforcement Communications System II, the primary database of IBIS, the Interagency Border Inspection System. This report lists a series of records of two lines each. The first line contains my name, date of birth, date and time of the query, the agency making a query, a result column (entirely redacted under (b)(2)), a column labeled "LNE TYP" that appears to use both of the two lines and has codes such as "API," "AIR," and "VEH." Finally on the first line are a completely redacted column labeled "TERM" and single-letter codes under the headings "API" and "DIM." The second line of each record contains airline flight numbers in some cases, and the name of the departure city in one case, a field labeled "DOC:" followed by a blank or my passport number, and, under the heading "LANE," the characters "INSP:" followed by a blank or a redacted field, probably the name of the agent making the query. At the bottom of each page of results are three or four lines that are completely redacted, probably part of a help screen or menu--the output looks like something from an IBM 3270 display terminal.

The other eleven pages of output look like IBM 3270-style output pasted into a single Word document that begins with my name and birthdate. It's divided into several sections, each headed with a date of travel and containing what appears to be passenger name records (PNR) taken directly from SABRE. The redactions in these sections seem to be somewhat haphazard--in one place part of my corporate email address was redacted, in another a different form of my corporate email addresses was not. My American Express card number is present, as is my Hertz #1 Club Gold membership number. It includes complete itineraries for the most recent travel, including hotel booking information (including type of room and bed), airline seat assignment information, and ticket price. There's less information for older travel, which is mostly obscure to me apart from dates and airport codes.

Next I'll have to check out my FBI file...

UPDATE (September 9, 2008): DHS has responded to charges that it is illegal for them to be recording and keeping certain border-crossing records in ATS by moving them to another database, called BCI.

UPDATE (December 31, 2008): DHS is in violation of its obligations to U.S. citizens under the Privacy Act, and to foreign nationals in Europe under the DHS-EU agreement on access to and use of Passenger Name Record (PNR) data. DHS has not been complying with requests for data in the legally required time periods, nor with all of the relevant data. Data has also been illegally copied into other databases. Not surprisingly, the DHS's own internal review claims, even as the evidence contradicts the claim, that it is in compliance with the law.

Edward Hasbrouck has posted about the difference between American and European attitudes towards privacy and surveillance, and notes that at least one European airline, KLM, had never developed processes for complying with the law for passenger requests of records.

UPDATE (July 19, 2014): An editor at Ars Technica has just discovered that his PNR contains full credit card numbers and IP addresses. Not exactly news, at this point...

Friday, August 01, 2008

Expert tells China visitors to encrypt data as U.S. announces policy of laptop seizure

I saw two articles this morning which I think invite comparison. First, Phil Dunkelberger, CEO of PGP Corporation, says people visiting China should take laptops with no data, or encrypt what data they have:

Travelers carrying smart cell phones, blackberries or laptop computers could unwittingly be offering up sensitive personal or business information to officials who monitor state-controlled telecommunications carriers, Dunkelberger said.

He said that without data encryption, executives could have business plans or designs pilfered, while journalists' lists of contacts could be exposed, putting sources at risk.

Dunkelberger said that during unrest in Tibet in March, overseas Tibetan activists found their computer systems under heavy pressure from Chinese security agencies trying to trace digital communications.

"What the Chinese tried to do was infiltrate their security to see who in China the Tibet movement was talking to," he said.

...

Dunkelberger, whose firm serves many multinational corporations operating in China, said, "A lot of places in the world, including China, don't have the same view of personal space and privacy that we do in the United States."

"You've got to suspect that every place you're doing work is being monitored and being watched," he said.

Dunkelberger's advice is good as far as it goes. Of course, PGP Whole Disk Encryption won't help protect data in transit, and while PGP Email will protect the content of email messages, it won't conceal the source and destination. The threat described is one where traffic analysis enough can reveal a lot, and so you'd want to make use of a corporate VPN, some kind of proxy, or a system like TOR if you want to protect information about where your Internet traffic is ultimately going. PGP is a good company that makes great products; my employer uses PGP Whole Disk Encryption and Email products.

The second article, however, casts some doubt on the last part of what Dunkelberger says. It looks like the U.S., where the NSA engages in warrantless wiretapping with the assistance of the large incumbent telecoms (and a spineless Congress gives them immunity for violations of the law), the CIA spies on foreign visitors within the borders of the U.S. in conjunction with the FBI's counterintelligence division, isn't so different from other countries. It's now publicly admitted by DHS that Immigrations and Customs Enforcement officers have the right to seize laptops and other electronic devices from people entering the U.S. and hang on to them indefinitely in order to search them. Therefore Dunkelberger's advice should be taken by anyone coming into the U.S., as well--use blank laptops or laptops with encryption only. Some companies have begun to only allow employees to have a web browser and a VPN client on their laptops, and keep all data in the corporation, which can completely eliminate this particular governmental risk.

Tuesday, July 01, 2008

Keith Olbermann flip-flops on telecom immunity

How sad to see political partisanship turn him into an advocate for bad legislation. The telecoms shouldn't get civil or criminal immunity for violations of our constitutional rights.

UPDATE (July 8, 2008): Ed Brayton comments on Obama's attempt to explain his change of position on this issue.

Sunday, June 08, 2008

Venezuela moves closer to a police state

The June 7, 2008 issue of The Economist reports that Hugo Chavez issued a decree late last month which:
authorises police raids without warrant, the use of anonymous witnesses and secret evidence. Judges are obliged to collaborate with the intelligence services. Anyone caught investigating sensitive matters faces jail. The law contains no provision for any kind of oversight. It blurs the distinction between external threats and internal political dissent. It requires all citizens, foreigners and organisations to act in support of the intelligence system whenever required--or face jail terms of up to six years.
Though my employer operates in Venezuela, I think that's one South American country I'd rather not visit at the moment... I hope November's elections reduce Chavez's power and he steps down from power in 2013 as he's previously said that he would.

And Daniel Ortega has suspended elections in Nicaragua... another country to avoid.

Saturday, May 31, 2008

CIA operatives on trial in Italy

26 Americans, mostly CIA operatives, are currently on trial in absentia in Italy for the kidnapping and "extraordinary rendition" of a radical Muslim cleric, Abu Omar, who was taken to Egypt to be tortured. On Thursday, Italy's top counterterrorism official, Bruno Megale, explained in court how they identified the CIA operatives responsible for Omar's kidnapping:
Megale obtained records of all cellphone traffic from the transmission tower nearest the spot where Abu Omar was abducted, for a 2 1/2 -hour period around the time he disappeared. There were 2,000 calls.

Then, using a computer program, Megale was able to narrow down the pool by tracing the phones that had called each other, in other words, an indication of a group of people working together. Seventeen phone numbers, which showed intensifying use around the time of the abduction, were pinpointed. By following all other calls made from those phones, the investigators ultimately identified 60 numbers, including that of a CIA officer working undercover at the U.S. Embassy in Rome.

In his testimony, Megale revealed that one telephone number he recognized was that of Robert Seldon Lady, then-CIA station chief in Milan. Lady and Megale had worked together in counter-terrorism investigations. It was a number, Megale said somberly, that he and his team knew.

(Via Talking Points Memo.)

Wednesday, March 12, 2008

NSA's data mining and eavesdropping described

The March 10 Wall Street Journal contains a fairly detailed description of the data mining operation being run by the NSA. The program described is more data mining than eavesdropping, though it does involve the collection of transactional data like call detail records for telephone calls, and intercepted Internet data like web search terms and email senders and recipients. Also included is financial transaction data and airline data. I think most of this had already been pieced together, but this is a fairly comprehensive summary in one place. The WSJ story reports that leads generated from the data mining effort are then fed into the Terrorist Surveillance Program, which does warrantless eavesdropping. (An earlier version of this post incorrectly referred to the whole operation as the Terrorist Surveillance Program.)

Saturday, February 16, 2008

Spies who love you

Mark Fiore helps teach kids about the importance of warrantless wiretapping.

(Hat tip to Bob Hagen.)

Friday, February 08, 2008

Tinfoil hat brigade generates fear about Infragard

An article in The Progressive by Matthew Rothschild worries that the FBI's InfraGard program is deputizing businesses, training them for martial law, and giving them a free pass to "shoot to kill." Rothschild writes:
The members of this rapidly growing group, called InfraGard, receive secret warnings of terrorist threats before the public does—and, at least on one occasion, before elected officials. In return, they provide information to the government, which alarms the ACLU. But there may be more to it than that. One business executive, who showed me his InfraGard card, told me they have permission to “shoot to kill” in the event of martial law.
Nonsense. I've been a member of the Phoenix InfraGard Members Alliance for years. It's a 501(c)(3) organization sponsored by the FBI whose members have been subjected to some rudimentary screening (comparable to what a non-cleared employee of the federal government would get). Most InfraGard meetings are open to the general public (contrary to Rothschild's statement that "InfraGard is not readily accessible to the general public"), but the organization facilitates communications between members about sensitive subjects like vulnerabilities in privately owned infrastructure and the changing landscape of threats. The FBI provides some reports of threat information to InfraGard members through a secure website, which is unclassified but potentially sensitive information. InfraGard members get no special "shoot to kill" or law enforcement powers of any kind--and membership in the organization is open to anyone who can pass the screening. As Rothschild notes in the first sentence of his article, there are over 23,000 members--that is a pretty large size for a conspiracy plot.

At one point in the article, Rothschild quotes InfraGard National Members Alliance chairman Phyllis Schneck referring to a "special telecommunications card that will enable your call to go through when others will not." This is referring to a GETS card, for the Government Emergency Telecommunications Service, which provides priority service for call completion in times of emergency or disaster to personnel who are working to support critical infrastructure. There is a similar service for wireless priority (Wireless Priority Service), and yet another for critical businesses and organizations (like hospitals) which need to have their telecommunications service re-established first after a loss of service due to disaster (Telecommunications Service Priority). These programs are government programs that are independent of InfraGard, though InfraGard has helped members who represent pieces of critical infrastructure obtain GETS cards.

The ACLU's concern about InfraGard being used as a tip line to turn businesses into spies is a more plausible but still, in my opinion, unfounded concern. Businesses are not under any pressure to provide information to InfraGard, other than normal reporting of criminal events to law enforcement. The only time I've been specifically asked to give information to InfraGard is when I've been asked to speak at a regular meeting, which I've done a few times in talks that have been open to the public about malware threats and botnets.

Check out the comments in The Progressive for some outright hysteria about fascism and martial law. I saw similar absurdity regarding the Department of Homeland Security's TOPOFF 4 exercise, which was a sensible emergency planning exercise. Some people apparently are unable to distinguish common-sense information sharing and planning in order to defend against genuine threats from the institution of a fascist dictatorship and martial law.

Now, I think there are plausible criticisms to be made of the federal government's use of non-governmental organizations--when they're used to sidestep laws and regulations like the Freedom of Information Act, to give lots of government grant money to organizations run by former government employees, to legally mandate funding of and reporting to private organizations and so forth. The FBI has created quite a few such organizations to do things like collect information about missing and exploited children, online crime, and so forth, typically staffed by former agents. But personally, I've not witnessed anything in InfraGard that has led me to have any concerns that it's being used to enlist private businesses into questionable activities--rather, it's been entirely devoted to sharing information that private businesses can use to shore up their own security and for law enforcement to prosecute criminals.

UPDATE (February 9, 2008): The irony is that Matthew Rothschild previously wrote, regarding 9/11 truthers:
We have enough proof that the Bush administration is a bunch of lying evildoers. We don't need to make it up.
He's right about that, but he's now helped spread nonsense about InfraGard and seriously damaged his own credibility. I find it interesting that people are so willing to conclude that InfraGard is a paramilitary organization, when it's actually an educational and information sharing organization that has no enforcement or even emergency, disaster, or incident response function (though certainly some of its members have emergency, disaster, and incident response functions for the organizations they work for).

UPDATE (February 10, 2008): I suspect tomorrow Christine Moerke of Alliant Energy will be getting calls from reporters asking what specifically she confirmed. I hope they ask for details about the conference in question, whether it was run by InfraGard or DHS, what the subject matter was, and who said what. If there's actually an InfraGard chapter endorsing the idea that InfraGard members form armed citizen patrols authorized to use deadly force in time of martial law, that's a chapter that needs to have its leadership removed. My suspicion, though, is that some statements about protection of infrastructure by their own security forces in times of disaster or emergency have been misconstrued. Alliant Energy operates nuclear plants, nuclear plants do have armed guards, and in Arizona, ARS 13-4903 describes the circumstances under which nuclear plant security officers are authorized to use deadly force. Those people, however, are thoroughly trained and regularly tested regarding the use of force and the use of deadly force in particular, which is not the case for InfraGard members.

UPDATE (February 11, 2008): Somehow, above, I neglected to make the most obvious point--that the FBI doesn't have the authority to grant immunity to prosecution for killing. If anyone from the FBI made that statement to InfraGard members, they were saying something that they have no authority to deliver on.

UPDATE (February 12, 2008): I've struck out part of the above about the ACLU's concern about spying being unfounded, as I think that's too strong of a denial. There is a potential slippery slope here. The 9/11 Commission Report pointed to various communication problems that led to the failure to prevent the 9/11 attacks. These problems included failure to share information (mainly from the CIA to the FBI and INS), failure to communicate information within the FBI (like Phoenix Special Agent Ken Williams' memo about suspicious Middle Easterners in flight schools), and failure to have enough resources to translate NSA intercepts (some specific chatter about the attacks was translated after the attacks had already occurred). As a result, the CIA has been working closely with the FBI on counterterrorism and counterintelligence at least since 2001. (Also see Dana Priest, "CIA Is Expanding Domestic Operations," The Washington Post, October 23, 2002, p. A02, which is no longer available on the Post's site but can be found elsewhere on the web, on sites whose other content is so nutty I refuse to link, as well as this January 2006 statement from FBI Director Robert Mueller on the InfraGard website, which includes the statement that "Today, the FBI and CIA are not only sharing information on a regular basis, we are exchanging employees and working together on cases every day.")

The slippery slope is this--the CIA is an organization which recruits and develops in its officers a sense of flexible ethics which has frequently resulted in incredible abuses, and which arguably has done more harm than good to U.S. interests. (My opinion on the CIA may be found in my posts on this blog labeled "CIA"; I highly recommend Tim Weiner's Legacy of Ashes: The History of the CIA.) Some of that ethical flexibility may well rub off on FBI agents who work closely with CIA case officers. (The FBI itself has also had a history of serious abuses, an objective account of which may be found in Ronald Kessler's book The Bureau: The Secret History of the FBI.) And then, that same ethical flexibility may rub off on InfraGard members as a result of their relationships with the FBI (and potentially relationships with the CIA, as well). The intelligence community seems to have a hunger for more and more information from more and more sources, but it is already awash in a sea of information that it has trouble processing today. (It doesn't help that the Army fires direly needed Arabic translators because they are gay.) The need is to accurately assess the information that it has, and ensure that bits and pieces aren't cherry-picked to produce desired conclusions, as well as ensure that information isn't sought or assembled to serve personal and political ends of particular interests rather than combatting genuine threats to the country and its citizens.

My recommendation is that all InfraGard members read Kessler's The Bureau, Weiner's Legacy of Ashes, and view the film that won the 2007 Academy Award for best foreign film, "The Lives of Others," to help innoculate them against such a slippery slope.

UPDATE: Amy Goodman interviewed Matt Rothschild for "Democracy Now!" on Wisconsin Public Television, in which it is pretty clear to me that Rothschild is exaggerating something he doesn't understand--what he cites as evidence doesn't support what he claims. Here's a key excerpt, see the link for the full transcript:
MR: [...] And one other member of InfraGard [Christine Moerke of Alliant Energy] confirmed to me that she had actually been at meetings and participated in meetings where the discussion of lethal force came up, as far as what businesspeople are entitled to do in times of an emergency to protect their little aspect of the infrastructure.
AG: But just to clarify, Matt Rothschild, who exactly is empowered to shoot to kill if martial law were declared? The business leaders themselves?
MR: The business leaders themselves were told, at least in this one meeting, that if there is martial law declared or if there’s a time of an emergency, that members of InfraGard would have permission to protect—you know, whether it’s the local utility or, you know, their computers or the financial sector, whatever aspect. Whatever aspect of the infrastructure they’re involved with, they’d have permission to shoot to kill, to use lethal force to protect their aspect of the infrastructure, and they wouldn’t be able to be prosecuted, they were told.
[...]
You know, this is a secretive organization. They’re not supposed to talk to the press. You need to get vetted by the FBI before you can join it. They get almost daily information that the public doesn’t get. And then they have these extraordinary, really astonishing powers being vested in them by FBI and Homeland Security, shoot-to-kill powers. I mean, this is scary stuff.
MR: The business leaders themselves were told, at least in this one meeting, that if there is martial law declared or if there’s a time of an emergency, that members of InfraGard would have permission to protect—you know, whether it’s the local utility or, you know, their computers or the financial sector, whatever aspect. Whatever aspect of the infrastructure they’re involved with, they’d have permission to shoot to kill, to use lethal force to protect their aspect of the infrastructure, and they wouldn’t be able to be prosecuted, they were told.
It looks to me like the following transformation has occurred:

1. At a DHS conference on emergency response, somebody asks if owners of critical pieces of infrastructure should be expected to use deadly force if necessary to protect it (e.g., a nuclear power plant).
2. Somebody at DHS answers yes. They may even add that in some cases the law provides specific justification for use of deadly force (as in the Arizona statute I cite above).
3. Matt turns that into a general right to "shoot-to-kill" in times of martial law by any InfraGard member.
4. The blogosphere turns that into roving citizen patrols unleashed on the nation as the Bush hit squad after declaration of martial law.

I don't see his key source--Christine Moerke--confirming anything beyond #1 and #2.

Note other exaggerations and contradictions--Rothschild claims that InfraGard is highly secretive and selective, yet has quickly grown to over 23,000 members and has multiple public websites. He fails to note that most InfraGard meetings are open to the general public, or that it has been discussed in many articles in the national press over the last decade. Rothschild speaks of "business leaders," which the blogosphere has turned into "CEOs," yet I suspect the most common "business leader" represented in InfraGard is an IT or physical security manager.

UPDATE (February 15, 2008): The FBI has issued an official response to Rothschild's Progressive article (PDF), which says, in part:
In short, the article's claims are patently false. For the record, the FBI has not deputized InfraGard, its members, businesses, or anything else in the program. The title, however catchy, is a complete fabrication. Moreover, InfraGard members have no extraordinary powers and have no greater right to "shoot to kill" than other civilians. The FBI encourages InfraGard members -- and all Americans -- to report crime and suspected terrorist activity to the appropriate authorities.
The FBI response also states that Rothschild has "refused even to identify when or where the claimed 'small meeting' occurred in which issues of martial law were discussed," and promises to follow up with further clarifying details if they get that information.

UPDATE (February 25, 2008): Here's another blogger with a rational response to The Progressive article.

UPDATE (March 2, 2008): Matthew Rothschild has responded to the FBI's response on Alex Jones' Info Wars blog, and he stands behind every word of his original article. He doesn't display any knowledge of or response to any of the criticisms I've offered.

Wednesday, December 26, 2007

Chinese intelligence was translating for the NSA

The Washington Times reported on December 21 that several years ago, Chinese intelligence successfully subverted the National Security Agency in Hawaii. First, by creating a company based in Hawaii to do Chinese translations which successfully obtained government contracts with the NSA to translate intercepted Chinese communications. The intercepted communications included sufficient information to identify the sources, giving the Chinese the ability to control what information was obtained by the NSA either by preventing significant information from being carried over by the compromised channel or by introducing disinformation.

This shows one of the problems that faces a world superpower whose own language is commonly used and which does little or nothing to encourage its citizens to learn other languages. Understanding communications in other languages require the assistance of translators who may be working for the enemy, and the enemy can almost get away with speaking freely anywhere while being overheard, since the likelihood of comprehension is so small. The more communications you need translated, the more translators you need, and the greater the likelihood of compromise.

UPDATE (January 2, 2008): Noah Schachtman at Wired and Jeffrey Carr at IntelFusion cast some doubt on this story.

Thursday, November 08, 2007

Congress grills Yahoo over Chinese subpoenas

Declan McCullagh live-blogged the U.S. House of Representatives hearing on "Yahoo Inc.'s Provision of False Information to Congress," which was about an incident in which Yahoo responded to a subpoena from the Chinese government for the identity of a subscriber who turned out to be a Chinese reporter, who was convicted of leaking "state secrets."

Anybody note anything ironic or hypocritical in these excerpts?
10:20 a.m. ET:
Apparently, the Beijing State Security Bureau provided a document to Yahoo--similar to the FBI's national security letters--to Yahoo China on April 24, 2004. It invoked the term "state secrets" when demanding information about Shi Tao. Callahan never saw the document, which was written in Chinese, before testifying last year. Lantos says Callahan should have demanded a translation before his testimony, and Yahoo should have known that any request invoking state secrets is suspect because "state secrets is a trick phrase used to fabricate phony but devastating (charges against an) innocent person who shares our values in an open and free society."

10:30 a.m. ET
Now the two Yahoo execs are being asked to apologize to Shi Tao's mother, who is sitting in a front row of the hearing room. Lantos: "I would urge you to beg the forgiveness of the mother whose son is languishing behind bars thanks to Yahoo's actions." I wonder if Lantos and other Patriot Act supporters will apologize to Americans like Brandon Mayfield (falsely jailed under the Patriot Act) or Sami al-Hussayen (a Webmaster who provided hyperlinks to Muslim sites and was prosecuted under the Patriot Act).

10:45 a.m. ET
Rep. Chris Smith, the New Jersey Republican who was chairman of the Foreign Affairs panel last year, is now speaking. He's saying that "Yahoo knew the police requests had to do with 'state secrets.'" That may not be as descriptive as he (and the other panelists) seem to think. It seems to me that it's a catchall term that's probably invoked regularly by China's security apparatchiks. It's not like the police requests said "give us this information so we can put an innocent journalist in jail."

12:20 p.m. ET
Now it's Rep. Dana Rohrabacher, a California Republican: "Were any of them fired?" He's referring to Yahoo employees. Rohrabacher again: "Are you going to comply with requests from authoritarian governments in the future?" Callahan replies: "We are looking at ways to operationally and legally structure the entity... so we would not have to do that."

12:52 p.m. ET
Lantos again, to Yahoo's Callahan, excerpted: "Morally you are pygmies... An appallingly disappointing performance. I think we cannot begin to tell you how disappointing Mr. Yang's and your performance was... attempt to obfuscate and divert... outrageous behavior."
Why don't we see some of this moral outrage from Congress directed at the executive branch of the United States, at a time when 64% of the country disapproves and 50% of the country strongly disapproves of the president's performance (beating Nixon's worst performance)?

Friday, October 19, 2007

Sheriff Joe arrests owners of New Times

The Maricopa County Sheriff's Office last night arrested Michael Lacey and Jim Larkin, owners of the Phoenix alternative newspaper New Times, for publishing a story under their bylines which revealed the contents of a grand jury subpoena received by the paper. Revealing the contents of a subpoena is a misdemeanor.

Lacey and Larkin, who have long battled with Maricopa County Sheriff Joe Arpaio and County Attorney Andrew Thomas, wrote a story about the subpoena because they considered it an attack on the freedom of the press. The subpoena demanded records relating to all visitors to the New Times website over the last four years, including information about what websites they visited prior to the New Times website (i.e., referral URLs)--essentially, the request is for the complete website logs for the newspaper's website for the last three years. It also demanded reporters' notes and any other documents pertaining to stories about Arpaio for the last three years.

Lacey and Larkin wrote that they believed their article to violate the law, but they published it as a form of civil disobedience in order to challenge the unconstitutional abuses of Arpaio, Thomas, and prosecutor Dennis Wilenchik.

The trigger for the events which led to the subpoena (and the apparent event of interest given the dates in the subpoena) appears to be a New Times article from July 8, 2004 which commented on Arpaio's commercial real estate investments and ended with Arpaio's home address, but the paper's criticism of Arpaio for mismanagement, inmate deaths, and grandstanding in front of TV cameras goes back many years more.

Sheriff Joe used to have a dialup Internet account with Primenet, my former employer. At one point one of his assistants, Lisa Allen, contacted Primenet to attempt to get information about a subscriber who had left a critical comment on his website, without a subpoena. We declined to provide such information without a subpoena.

UPDATE (October 19, 2007): County Attorney Andrew Thomas has announced that he has dropped the charges against New Times and dismissed special prosecutor Dennis Wilenchik.

UPDATE (November 13, 2007): New Times ran an October 25 followup story.

UPDATE (October 28, 2008): It has come out that the order for Lacey and Larkin's arrest was given by Arpaio's chief deputy David Hendershott, whom Arpaio allowed to retire so he could receive a $43,000/year pension, and hired him back as a civilian at his same $120,000/year salary. Hendershott now makes $177,486/year working for Arpaio.

Wednesday, September 05, 2007

Radical Honesty

There's an interesting and entertaining article at Esquire about Brad Blanton's Radical Honesty movement, which seems to me to take a good idea--being honest--too far into inappropriate sharing or "too much information." I think even little white lies (and especially "bullshit") can be extremely insidious, and should be avoided, but that doesn't mean removing all filters between thought and speech.

James Morrow wrote a 1992 novel called City of Truth in which he described a world where everyone always speaks the truth in a way quite similar to the radical honesty movement, but the main character finds a need to lie in order to save his son's life.

Plato and Machiavelli would agree with each other that no political leader could survive by adopting the radical honesty approach. I think that's disappointingly true.

(Via The Agitator.)

Sunday, August 19, 2007

Bush says FISA law change is just advisory

The Bush administration, commenting on Congress' expansion of the Executive branch's warrantless wiretapping powers without needing approval of the FISA Court, says that the legislation is "just advisory. The president can still do whatever he wants to do."

Constitution? What Constitution?

(Via Talking Points Memo.)

Friday, August 17, 2007

Lying at the Weekly Standard

Julian Sanchez points out the staggering misrepresentation by those arguing that the recent increase in wiretapping power amounts to nothing more than an update of FISA procedures to reflect current technology.

(Hat tip to Tim Lee at the Technology Liberation Front.)

Sunday, August 05, 2007

Congress approves expansion of presidential wiretapping powers

Both houses of Congress have passed a bill that updates the Foreign Intelligence Surveillance Act (FISA) to allow warrantless wiretapping when at least one party is a foreigner, without any requirement that the foreigner be suspected of having connections to terrorists. Wiretaps in such cases do not require approval of the FISA court, only of the attorney general and the director of national intelligence. As Tim Lee at Technology Liberation Front observes:
So let me get this straight: the White House says “we think we should be able to eavesdrop on virtually any domestic-to-foreign phone call without court oversight, based on the say-so of one of the president’s subordinates.” And the Democrats response was “Hell no! Warrantless spying should require the say-so of two of the president’s subordinates!”
Arizona's Congressmen voted along party lines except for Harry Mitchell, who sided with the Republicans in favor of the bill, which provides for this expansion of powers for the next six months. (UPDATE, August 8, 2007: Actually, McCain didn't vote on this bill at all, it's another of his no-shows.)

Kudos to Pastor, Grijalva, and Giffords for voting against this.

(Hat tip to Technology Liberation Front and Stranger Fruit.)

UPDATE (August 7, 2007): Ed Brayton at Dispatches from the Culture Wars has more on how this bill has gutted any oversight of what the Executive branch is doing.

Wednesday, August 01, 2007

Did Cheney send Gonzales and Card to Ashcroft's hospital room?

The New York Times editorialized that vice president Dick Cheney was the person who sent then White House counsel Alberto Gonzales and chief of staff Andrew Card to the hospital bedside of Attorney General John Ashcroft to try to get him to reauthorize the warrantless wiretapping program that the acting Attorney General James Comey and many Department of Justice staff (including Comey and FBI Director Robert Mueller) threatened to resign over.

Larry King asked Cheney about it, and his response is that he had no recollection of such an event, and besides, he didn't read the New York Times editorial. Sounds like a lie to me, and Larry King seems to suggest he thinks so as well.

Talking Points Memo thinks they've identified a Cheney "tell." (And no, it's not just that his lips are moving...)

Wednesday, May 16, 2007

Ashcroft refused to reauthorize warrantless wiretapping program

There's now much discussion in the blogosphere about former Deputy Attorney General James B. Comey's testimony before Congress. Comey related that in 2004, the warrantless wiretapping program had come up for reauthorization--the previous authorization was due to expire the following day. Comey, filling in for Attorney General John Ashcroft, who was in the hospital for emergency gall bladder surgery, refused to sign Bush's order for reauthorization. Bush secretly sent his White House Counsel Alberto Gonzales and Chief of Staff Andrew Card to Ashcroft's hospital bedside to get his signature, but an aide to Ashcroft tipped off Comey. Comey rushed to the hospital, and obtained from FBI Director Robert Mueller a directive to Ashcroft's security staff to not remove Comey even if Gonzales and Card insisted upon it.

At the hospital, Ashcroft also refused to sign the reauthorization directive. Comey related that the entire senior staff of the Department of Justice, including himself and FBI Director Mueller, were prepared to resign over the issue. Had that happened--in an election year, no less--perhaps the outcome of that election would have been different.

Bush consulted directly with Comey and Mueller, and gave them assurances that the program would be modified to comply with Department of Justice recommendations, and Comey signed the reauthorization several weeks later. It's not clear whether it continued to operate without authorization for that period of weeks.

A Talking Points Memo reader comments:

When the warrantless wiretap surveillance program came up for review in March of 2004, it had been running for two and a half years. We still don't know precisely what form the program took in that period, although some details have been leaked. But we now know, courtesy of Comey, that the program was so odious, so thoroughly at odds with any conception of constitutional liberties, that not a single senior official in the Bush administration's own Department of Justice was willing to sign off on it. In fact, Comey reveals, the entire top echelon of the Justice Department was prepared to resign rather than see the program reauthorized, even if its approval wasn't required. They just didn't want to be part of an administration that was running such a program.

This wasn't an emergency program; more than two years had elapsed, ample time to correct any initial deficiencies. It wasn’t a last minute crisis; Ashcroft and Comey had both been saying, for weeks, that they would withhold
approval. But at the eleventh hour, the President made one final push, dispatching his most senior aides to try to secure approval for a continuation of the program, unaltered.

...

I think it’s safe to assume that whatever they were fighting over, it was a matter of substance. When John Ashcroft is prepared to resign, and risk bringing down a Republican administration in the process, he’s not doing it for kicks. Similarly, when the President sends his aides to coerce a signature out of a desperately ill man, and only backs down when the senior leadership of a cabinet department threatens to depart en masse, he’s not just being stubborn.

It’s time that the Democrats in Congress blew the lid off of the NSA’s surveillance program. Whatever form it took for those years was blatantly illegal; so egregious that by 2004, not even the administration’s most partisan members could stomach it any longer. We have a right to know what went on then. We publicize the rules under which the government can obtain physical search warrants, and don’t consider revealing those rules to endanger security; there’s no reason we can’t do the same for electronic searches. The late-night drama makes for an interesting news story, but it’s really beside the point. The punchline here is that the President of the United States engaged in a prolonged and willful effort to violate the law, until senior members of his own administration forced him to stop. That’s the Congressional investigation that we ought to be having.

Jacob Sullum at Reason observes that Tony Snow's response to Comey's testimony (quoted in the New York Times) amounts to "the administration's position is that the program was always legal, became a little more legal after the changes demanded by Ashcroft, and is even more legal now."

UPDATE (May 17, 2007): The DOJ says Gonzales has no desire to modify or retract his statement in Congressional testimony that the warrantless wiretap program raised no controversy within the Bush administration, even though that is clearly contradicted by the above account.

FURTHER UPDATE (May 17): TPM Muckraker has gotten to the bottom of why this came to a head on March 10, 2004. The program had to be reauthorized by the Attorney General every 45 days, which Ashcroft had been signing off on. In June 2003, John Yoo left his position as Deputy Director of the Office of Legal Counsel. On October 3, 2003, Jack L. Goldsmith was confirmed by the Senate as the Assistant Attorney General for the OLC, and on December 11, 2003, James Comey was confirmed as Deputy Attorney General. Comey was authorized to have access to information about the warrantless wiretap program, and he put Goldsmith to work reviewing "what [Goldsmith] considered shaky legal reasoning in several crucial opinions, including some drafted by Deputy Assistant Attorney General John Yoo," to quote The New York Times. Comey brought his evidence to Ashcroft a week before the reauthorization date, and they both agreed that it could not continue as it had been. Now that the been reviewed by lawyers in the DOJ for the first time, it was found to be severely problematic, and neither was willing to reauthorize it.

Bush reauthorized it on March 11, 2004 without Attorney General approval, which led to threatened resignations from Ashcroft, Comey, Mueller, and others, at which point parts of the program were suspended and a DOJ audit of the program commenced.

As TPM Muckraker summarizes:

The warantless wiretap surveillance program stank. For two and a half years, Ashcroft signed off on the program every forty-five days without any real knowledge of what it entailed. In his defense, the advisors who were supposed to review such things on his behalf were denied access; to his everlasting shame, he did not press hard enough to have that corrected.

When Comey came on board, he insisted on being granted access, and had Goldsmith review the program. What they found was so repugnant to any notion of constitutional liberties that even Ashcroft, once briefed, was willing to resign rather than sign off again.

So what were they fighting over? Who knows. But there’s certainly evidence to suggest that the underlying issue was was whether constitutional or statutory protections of civil liberties ought to be binding on the president in a time of war. The entire fight, in other words, was driven by the expansive notion of executive power embraced by Cheney and Addington. And here's the kicker - it certainly sounds as if the program was fairly easily adjusted to comply with the law. It wasn't illegal because it had to be; it was illegal because the White House believed itself above the law.