
Fourth Circuit Decision in Lavabit

Wednesday, April 16, 2014 at 2:33 PM

Readers will recall the Lavabit case in the Fourth Circuit, which I earlier described here, and here. Lavabit ran an encrypted email service allegedly used for communication by Edward Snowden. As part of its investigation, the US government sought to have Lavabit turn over the private encryption SSL key that would have decrypted Snowden’s mail (and also the mail of all 400,000 other Lavabit users). Lavabit complied but in an obstructive manner (giving the SSL key on an 11-page 4 pt printout) and simultaneously shut down its service. Lavabit and its founder Ladar Levison were held in contempt and appealed that contempt citation to the Fourth Circuit.

Today, the Fourth Circuit affirmed the contempt decision. But the decision is less than it seems. The case was tee-ed up as an opportunity to decide whether government investigative demands could trump encryption/privacy concerns. Rather than decide the question, the court ruled that Lavabit and Levison had failed to raise the substantial statutory and constitutional arguments when objecting to the investigative demands in the district court. Having concluded that Lavabit waived the most important legal challenges, the court rather readily found the contempt citation to be justified. Which proves, yet again, that bad lawyering loses every time.

Jennifer Granick and Orin Kerr have similar thoughts with some useful links.

Today’s Headlines and Commentary

Wednesday, April 16, 2014 at 1:39 PM

Yesterday evening, the NYPD announced that it would shutter the Demographics Unit, the controversial program that sent plainclothes detectives to collect information about Muslim communities in the New York City area. The program has been largely inactive since the NYPD’s new police commissioner, Bill Bratton, took over in January.

Speaking of shuttering the unpopular, Abu Ghraib is no more and its 2,400 prisoners have been relocated.

Unrest in Eastern Ukraine continues. The Ukrainian military (very cautiously) launched an offensive against pro-Russian militants yesterday, but met some resistance when separatists in Kramatorsk seized Ukrainian army vehicles, report the Wall Street Journal and BBC. In Donetsk, Ukrainian troops defected to the side of the separatists, who seized the city hall, the Washington Post tells us.

NATO announced that it would increase military support and personnel to Ukraine in response to Russia’s actions in the country—and EU defense ministers said they would increase cooperation with NATO. Gen. Wesley K. Clark and Philip A. Karber, a former NATO commander and a former Pentagon official, respectively, believe that nonlethal military assistance is key to supporting the Ukrainian military.

Talks in Geneva begin tomorrow between Russian Foreign Minister Sergei Lavrov, Ukraine’s acting Foreign Minister Andriy Deshchytsia, Secretary of State John Kerry, and EU Foreign Policy head Catherine Ashton. The New York Times editorial board argues that the Americans and Europeans must be “prepared to be tough with Russia” at the talks.

The State Department’s spokeswoman Jen Psaki says the United States is debating more sanctions against Russia. Wonder if she knew how Senator John McCain felt about that.

In other news, a NATO airstrike in Afghanistan killed a woman and two children yesterday.

The Journal reports that the Australian and New Zealand governments have confirmed that two of their citizens were killed in Yemen in a counterterrorism operation in November 2013.

Al Qaeda released a video showing an outdoor meeting of militants in Yemen led by Nasser al-Wuhayshi, Al Qaeda’s second-in-command, and the head of AQAP.

DNI James Clapper delivered the keynote address at the world’s biggest intelligence conference, GEOINT 2013, at which he announced his recommendation to the White House that it approve significantly higher resolution imagery for commercial spy satellites. Watch his full speech here.

Conor Friedersdorf of the Atlantic hated Ben’s post yesterday dinging the Pulitzer Prize winners.

The Times reports on the kerfuffle over denying the Iranian ambassador to the U.N. an American visa. The piece quotes John’s Lawfare post from Sunday.

Some schmuck named Kevin Edson dropped a backpack containing a rice cooker filled with confetti near the finish line yesterday; he will “appear in court Wednesday and will face charges of purporting a hoax and disturbing the peace.” The Christian Science Monitor has more.

Thomas Joscelyn writes about the lingering questions surrounding the Boston Marathon bombers in the Daily Beast.

Josh Levs of CNN covered the memorial ceremony of the bombing in Boston, at which Vice President Joe Biden spoke. President Obama issued this statement on the anniversary of the Boston Marathon bombing, and Secretary of State John Kerry issued this one. 

Email the Roundup Team noteworthy law and security-related articles to include, and follow us on Twitter and Facebook for additional commentary on these issues. Sign up to receive Lawfare in your inbox. Visit our Events Calendar to learn about upcoming national security events, and check out relevant job openings on our Job Board.

Steptoe Cyberlaw Podcast, Episode #15: An Interview with Daniel Sutherland

Wednesday, April 16, 2014 at 12:30 PM

In this week’s episode, we explore the latest FOIA tussle between the FBI and ACLU over NSA and the dog-bites-man story of Larry Klayman losing another long-shot appeal. This Week in NSA focuses on the Bloomberg story claiming that the agency is exploiting the Heartbleed flaw. Kudos to NSA for managing to persuasively deny the thinly sourced and dubious story before the day’s news cycle was complete. Even so, the White House defensively rolls out a new policy on zero-days.  We chew on the critical question:  Can you win a Pulitzer for writing a false story if it prompts a new White House policy?

Jason notes the largely unsurprising result in the Wyndham case and the FTC’s effort to lock Facebook and Whatsapp into their current privacy policies. And just to show that we don’t always harsh on the FTC, Jason describes the commission’s charges against a site that really lived up to its name –

The European Court of Justice makes news, striking down parts of the data retention directive that have long distinguished Europe as a far less privacy-protective jurisdiction than the United States.  Maury Shenk, our European correspondent, has the analysis.

Continuing a tutorial in class action tactics, Jason talks about the Target litigation being consolidated in Minnesota.

The Justice Department and the FTC issue antitrust guidance designed to ease the fears of companies that sharing cybersecurity information will create antitrust liability. It doesn’t say anything that couldn’t have been said fourteen years ago – and was. I’d call it Groundhog Day II but I think that’s recursive.

International cyberdiplomacy is slowly recovering from the Snowden leaks, though successes are still thin on the ground.  The US tries a creative (if rather handwringing) response to Iran’s DOS attacks on banks, and it tries candor (without much success) on China.

Our special guest, Dan Sutherland, served under all four DHS secretaries and is now the chief lawyer for the DHS component charged with cybersecurity, biometrics, and telecommunications. He comments on the antitrust agencies’ information-sharing guidance and conveys DHS’s latest thinking on how regulatory agencies will use the NIST cybersecurity framework to incentivize better network hygiene.

Subscribe to the Cyberlaw Podcast here. We are also now on iTunes and Pocket Casts!

Metadata, Cellphone Geolocation Tracking, and Innocence

Wednesday, April 16, 2014 at 7:49 AM

In the current discussions of NSA surveillance, we often talk as though metadata and cell phone tracking are simple creatures of government power. It is government, after all, that collects bulk metadata. And it is government that runs the surveillance programs that scare us most. But it is worth remembering that actual use of this sort of data—and the winners and losers associated with its collection, retention, and use—is far more complicated than that. Yesterday, I got such a reminder.

I received a call from an old friend, Steve Benjamin. Benjamin is a Richmond defense lawyer, with whom—a number of years ago—I worked on the grotesque case of a man with no prior criminal record who was serving a lifetime in prison for a crime he pretty clearly did not commit. Because of the Byzantine rules of post-conviction review in Virginia at the time, there was no obvious way to get Jeff Cox’s innocence claims before a court—even though, by that point, the FBI doubted the integrity of the conviction and was investigating other people for the crime for which Cox was serving time. I wrote a string of editorials about the case, and over the succeeding few years, I also wrote a long series of editorials about the procedural rules in Virginia that made it so hard to free Cox (which did, by the way, eventually happen). Some of those rules have since been relaxed. It was a case that arouses intense feelings in everyone who played a role in setting it right—including, by the way, a then-federal prosecutor in Virginia named James Comey. So it was with some emotion that I heard Steve say, “we have another Jeff Cox situation.”

The situation Steve described is not normal Lawfare fare: his client, one Mark Weiner, was prosecuted and convicted in Albemarle County for abducting a woman and is now awaiting imposition of what will be a lengthy prison sentence. For a variety of reasons, Steve and his redoubtable partner, Betty Layne DesPortes, believe that the victim fabricated the crime, and they have filed a motion to set aside the verdict in the trial court. What may catch the eye of Lawfare readers is that much of the evidence they cite that Weiner could not have committed the crime in question involves telephony metadata and cell phone location data of precisely the type whose use and collection is so controversial when NSA handles it.

The victim had testified that her cell phone was dead, so she could not call 911 or respond to calls from the police during the episode. The records, according to the motion, show that she used the phone while it was supposedly dead to call her boyfriend, to take a call from him, and to retrieve a voicemail message from the 911 dispatcher. What’s more, her phone was accessing cell towers near her mother’s apartment, the motion alleges, but never accessed the cell towers near the abandoned house where she claims to have been held. The phone of the alleged perpetrator also generated data that Benjamin and DesPortes claim is inconsistent with the prosecution’s theory of the case: GPS data from his phone shows it would have been at least 17 miles from the abandoned house. The motion is a compelling read, and the reason it’s compelling is precisely because the cell site data and call records data are powerful stuff.

My point here is not that Mark Weiner is innocent, as Benjamin claims. I have not studied the case with the intensity it would require for me to have an opinion about that—other than the strong feeling that Benjamin and DesPortes have raised serious questions that I would hope any good trial judge would take very seriously.

My point, rather, is simply to illustrate both that this sort of data can be enormously probative and that it can work to rebut government theories, as well as to bolster them. That’s not a controversial point. And it’s not necessarily an argument for broad collection authorities either. It is a reminder, however, that data, even Big Data, is not the enemy. Big Data is a tool that cannot be evaluated until someone picks it up to use it. Sometimes, that tool will represent a boon to government surveillance practices and a threat to individual liberties, but sometimes it will be a scrappy pair of defense lawyers who wield it on behalf of a client they want to convince a court was convicted of a fictitious crime. When AT&T purges metadata and cell-site data, it isn’t just NSA and the FBI whose interests suffer. Mark Weiner’s do too. If you doubt that, read this motion and imagine trying to write it without recourse to any of the telephony data Weiner’s lawyers cite.

Today’s Headlines and Commentary

Tuesday, April 15, 2014 at 12:15 PM

Today is the anniversary of the Boston Marathon bombing. The New York Times gives us an update on Dzhokhar Tsarnaev and the ongoing preparations for his November trial.

The search for the missing Malaysian Airlines flight went underwater yesterday, although the submarine’s first look at the seabed of the Indian Ocean was cut short because of depth restrictions. It has been a week since any pings have been detected. Meanwhile, China has been on the receiving end of some ire from the international community for false reports and misleading information, which has thrown the search effort off course.

Shocker! The Washington Post and the Guardian won Pulitzer Prizes for public service for their reporting on NSA surveillance. The Washington Post covers the story—and, minimally, the controversy. It also comes as no surprise that Ben dissents on the matter.

Speaking of Bens, the Associated Press’ Ben Fox writes about the thick veil of secrecy surrounding Guantanamo’s Camp 7. Unsurprisingly, Fox strongly implies that the degree of secrecy is excessive and perhaps nefarious.

Hearings at Guantanamo Bay on United States v. Mohammed et al. ground to a sudden halt yesterday as defense attorneys alleged that FBI agents had sought to enlist the help of members of defendant Ramzi bin al-Shibh’s defense team. Spencer Ackerman of the Guardian reports on yesterday’s proceedings, and Carol Rosenberg of the Miami Herald covers today’s. Wells was almost-there, covering it almost-live, until today’s public proceedings also ground to a halt.

The Hill reports that the U.S. Army has denied an appeal from Chelsea (formerly Bradley) Manning, as convening authority Maj. Gen. Jeffrey S. Buchanan approved the finding and sentencing of the court. Josh Gerstein of Politico also has the story.

As Jane noted yesterday, a massive bomb blast has killed at least 72 and injured over 164 more in the largest terrorist attack in the Nigerian capital of Abuja. Islamic militants are assumed responsible.

Despite significant delays, Syria’s recent delivery of chemical weapons brings the total percentage of weapons that the Assad regime has surrendered close to two thirds. Originally, the surrender and destruction of the weapons was supposed to be completed by mid-February. The Times has more.

The Times editorial board discusses the futility of the Israeli-Palestinian peace talks, and argues that it is time to move on from the Middle East.

We move on, then, to the latest from Ukraine. The Wall Street Journal informs us that Ukrainian troops have moved to retake cities in the eastern part of the country. There has been at least one clash between the military and pro-Russian forces so far. President Vladimir Putin wanted to talk to President Obama last night; the latter said a diplomatic solution was still possible.

MIT Technology Review has a brief interview with Eugene Kaspersky, founder of the Moscow-based computer security firm Kaspersky Labs, on issues related to cyber—including a brief comment on the state of the cyber conflict in Ukraine.

Forbes has a piece on the implications of Google’s recent acquisition of Titan Aerospace, a producer of high-altitude drones. Business Insider takes a closer look at the drones themselves.


9/11 Defense Counsel on the FBI’s Contacts with Defense Team Members

Tuesday, April 15, 2014 at 9:29 AM

Defense lawyers for 9/11 accused Ammar al-Baluchi had this to say yesterday, about an emergency defense filing in the 9/11 case concerning alleged FBI contacts with a member of another accused’s defense team:

GUANTANAMO BAY, CUBA Today, defense attorneys in the 9/11 military commission revealed that the FBI had interrogated a Defense Security Officer, and required him to sign an agreement establishing a “special relationship” between the defense team member and the FBI.

“The U.S. government’s breach of the integrity of the defense teams is outrageous,” said Lt Col Sterling R. Thomas, USAF, a former prosecutor now detailed to defend Ammar al Baluchi.

Under Military Commission Protective Order #1, most recently amended in December 2013, a “Defense Security Officer is, for limited purposes associated with this case, a member of the Defense Team, and therefore shall not disclose to any person any information provided by the Defense, other than information provided in a filing with the Military Commission.”  The duties of a Defense Security Officer are:

(1)    Assist the Defense with applying classification guides, including reviewing pleadings and other papers prepared by the defense to ensure they are unclassified or properly marked as classified;

(2)    Assist the Defense in performing their duty to apply derivative classification markings pursuant to E.O. 13526 § 2.1(b).

(3)    Ensure compliance with the provisions of any Protective Order.

9/11 Case Motions Hearing: April 15 Session

Tuesday, April 15, 2014 at 8:48 AM

Tax day is upon us; so is day two in a four-day, pre-trial motions hearing in United States v. Mohammed et al.  (You can find coverage of yesterday’s quite brief open session here.)

As always, Lawfare will file mini-updates on the hearing throughout the day, in our “Events Coverage” section—and link to those updates here.

4/15 Session #1: Housekeeping, and FBI Things

4/15 Session #2: What Sorts of Evidence, Part One

4/15 Session #3: What Sorts of Evidence, Part Two (And a Recess)

Update [11:30 a.m.]: proceedings have concluded for the day; no court will be held tomorrow. Stay tuned for a possible resumption of the hearing on Thursday.

The Washington Post and Guardian Pulitzers: I Dissent

Tuesday, April 15, 2014 at 8:30 AM

I know it is rude and churlish to offer anything but warm congratulations when former colleagues win a major prize—much less journalism’s most prestigious award. I know I am courting a barrage of hostile tweets and emails with these words. I know as well that I am on the losing end of elite opinion on these subjects—that we are settling on a narrative that makes a public interest triumph out of journalism I regard as shoddy and beneath the great names of the organizations that produced it. But for whatever it’s worth (not much) and to whomever, I dissent from the Pulitzer Committee’s decision to give its public service award to either the Guardian or the Washington Post.

The Pulitzer Board’s citation to these two organizations has a faintly comic air. The Post the board congratulates not merely for “its revelation of widespread secret surveillance by the National Security Agency” but for “authoritative and insightful reports that helped the public understand how the disclosures fit into the larger framework of national security.” For the Guardian, by contrast, the board rather conspicuously omits any reference to authority or to insight, noting only that the paper had “help[ed] through aggressive reporting to spark a debate about the relationship between the government and the public over issues of security and privacy.”

The latter is at least true. The commendation to the Post, by contrast, involves an assertion of fact that is, at a minimum, highly contestable. The Post got big things wrong in the stories the board honors. It reported that NSA has access to the servers of internet companies—a fact it then changed in the story without running a correction, for example. It grossly misreported, using entirely true facts, on a compliance audit so as to present it as suggesting nearly the opposite of what it actually shows. And it frequently reported on the most routine sort of overseas intelligence collection, collection of precisely the sort the law authorizes, in breathless tones suggestive of gross impropriety. The Post’s reporting has indeed been authoritative, though not because it has been good or consistently accurate; its authority has been part of the problem. Its coverage has often been the opposite of insightful. And it has in fact served to help the public misunderstand the issues on which it was intended to shed light.

As to the Guardian, well, if sparking a debate is enough to earn the Pulitzer’s coveted public service medal, then sure. Congrats. I would note, however, that merely sparking a debate is an exceedingly low standard.

There was a time, and it wasn’t very long ago, when this medal meant something more, when “aggressive reporting” meant more than being a vehicle to shovel leaked documents to the public, with stops along the way for obligatory government comment, for fawning characterizations of one’s own sources, and for tendentious claims about what those documents say.

In 1999 and 2000, when I was a young editorial writer at the Post, the Post won the public service medal two years running. In 1999, it was for a series analyzing and reinvestigating a series of police shootings in D.C. The following year, it was for the incredibly moving work of Kate Boo in investigating abuse in D.C. group homes for the mentally disabled. I remember the meetings in the Post newsroom the days those awards were announced, partly because I was personally close to several of the reporters involved but also because the work was journalism at its very finest craft and a source of huge institutional pride for the paper for which I worked. They passed a test much higher than the “sparked a debate” test, a test that the Westboro Baptist Church and the Church of Scientology, I might add, pass with some regularity, and they were not merely transit stops for leaks from others. They passed a test that involved building a story and reporting it richly for the public out of what was not previously there.

This kind of journalism still exists. This year’s Pulitzer finalist, according to the board’s citations, went to Newsday, for “its use of in-depth reporting and digital tools to expose shootings, beatings and other concealed misconduct by some Long Island police officers, leading to the formation of a grand jury and an official review of police accountability.” How sad it is that such work today comes in second—and how much sadder what now defeats it.

Today’s Headlines and Commentary

Monday, April 14, 2014 at 12:12 PM

Last night, the UN Security Council held an emergency meeting to discuss the worsening crisis in Ukraine, reports CNN. The Ukrainian government set a Monday 9 a.m. deadline for pro-Russian militants to vacate buildings across eastern Ukraine, reports the New York Times; the deadline was ignored. The country’s acting President Oleksandr Turchynov has requested the deployment of UN peacekeeping troops for an “anti-terrorist operation” to be conducted jointly with Ukrainian security forces against the insurgents, reports the Associated Press.

On Friday the White House announced it would block Iran’s proposed envoy to the UN, Hamid Aboutalebi, from entering the United States, one day after the House of Representatives voted unanimously to bar entry to those involved in terrorism or deemed a threat to U.S. security; Aboutalebi was allegedly involved in the 1979 seizure of the U.S. Embassy in Tehran. The Washington Post has more. Iran has officially lodged a complaint with the UN over the ban, reports Reuters.

The sanctions relief promised as part of the temporary nuclear accord between Iran and major world powers has translated into little economic relief for Iranians. The NY Times speculates as to what that means for Iran’s willingness to negotiate a permanent deal by the July 20 deadline.

In an address at Damascus University, Syrian President Bashar al-Assad claimed to have reached a “turning point” in the country’s three-year civil war, noting that his army was winning “the war against terror.” The BBC reports.

Libya’s interim prime minister, Abdullah al-Thinni, announced on Sunday that he is stepping down. His announcement came a day after Thinni and his family were allegedly attacked in a residential neighborhood, possibly by militiamen, writes the New York Times.

Where is Sharif Mobley? The American jailed for over four years in Yemen has disappeared after allegedly making contact with an American-born radical preacher and being grabbed off the street by Yemeni security agents in 2010; his attorneys have not seen him since late February. Here’s the Washington Post story.

Two bombs blasted through Nyanya motor park in Nigeria’s capital on Monday. No one has officially claimed responsibility, but bus stations have been a major target for the country’s Islamist militants. At least 71 are dead, reports the Associated Press.

Former Ku Klux Klan leader Frazier Glenn Cross, the subject of a 1987 federal manhunt, has been arrested for allegedly gunning down three people at a Jewish community center and Jewish retirement complex near Kansas City, reports the AP. Attorney General Eric Holder has instructed the DOJ to determine whether the shootings broke federal hate crimes law. See the AP by way of ABC.

Last night Guantanamo defense lawyers filed for an urgent hearing on the grounds that FBI agents turned a security officer on Yemeni detainee Ramzi bin al Shibh into a “confidential informant,” creating a conflict-of-interest in the 9/11 case. The Miami Herald has the story.

The Heartbleed security nightmare is shedding light on how NSA exploits zero days to access secure networks, says the Wall Street Journal. On Friday, Bloomberg reported that NSA knew about the flaw for at least two years, prompting a flat denial from ODNI: “NSA was not aware of the recently identified vulnerability in OpenSSL, the so-called Heartbleed vulnerability, until it was made public in a private sector cybersecurity report. Reports that say otherwise are wrong.”

Al Jazeera America is reporting that the fine print of a $1.5 billion contract between USAID and a firm contracted by the U.S. government to help set up a Twitter-style social network in Cuba suggested some classified work could be involved.

The Pentagon will be turning old drones into wi-fi hotspots, reports the BBC. Darpa has just completed the first of three test phases, but not everybody is happy about it. According to Chris Cole, editor of Drone Wars UK, “Regardless of whether drones are delivering weapons or wi-fi it seems that the growing use of unmanned systems simply means more war and less overall security in the future.”

The Policy Tension on Zero-Days Will Not Go Away

Monday, April 14, 2014 at 11:32 AM

The proposition that NSA should under no circumstances stockpile zero-day vulnerabilities, but should in all cases disclose them in order to perfect defenses, apparently has appeal in some quarters.  It is based on at least two false assumptions.  The first is that the number of zero-days is finite, or, if not finite, then at least small enough that, at prevailing market prices, the United States could clear the market without either bankrupting the Treasury or creating inflation of Argentine dimensions.  Someone should do the math on this, but surely the assumption is incorrect.  The number of zero-days is unknowably huge and will continue to grow as long as people write software.  Markets are notoriously difficult to corner.  Consequently, one must always assume that there are (1) undiscovered zero-days and (2) zero-days that have been and will continue to be discovered by adversaries but not by us.

The second false assumption is that the Russians, the Chinese, the Iranians, and other cyber-capable actors would adopt the same disarmament policy.  Indeed, our unilateral adoption of that policy would make it less likely they would follow.

The sigint vs. security tension has existed at NSA for many years.  When I arrived at NSA in 2002, sigint nearly always had the upper hand over defense.  As I have observed the agency, the balance since then has shifted significantly in favor of defense.   I cannot quantify this observation, however, and I do not know precisely how this tension is now being managed.  What I do know is that the tension will not go away, and that pretending otherwise would lead to a very dangerous policy.

9/11 Case Motions Hearing: April 14 Session

Monday, April 14, 2014 at 8:43 AM

Today marks the beginning of a four-day hearing in the 9/11 case, a.k.a. United States v. Mohammed et al.   Lawfare will cover the session, with almost-live updates from a Closed Circuit TV viewing facility located at Maryland’s Fort Meade.

Throughout the day, we’ll publish each post over at our Events Coverage page, and link to them below.  We expect the gavel bang at 0900—and extensive litigation over the competency of 9/11 accused Ramzi Binalshibh.

4/14 Session #1: Ex Parte Hearings, FBI Investigations, and a Recess

UPDATE [10:00 a.m.]: open proceedings stand in recess until tomorrow.

The Week That Will Be

Monday, April 14, 2014 at 12:00 AM

Event Announcements (More details on the Events Calendar)

  • Mon, April 14 – Thurs, April 17: United States v. KSM et al. motions hearing.
  • Mon, April 14 at 2:00 pm: The Brookings Institution hosts “Challenges to Further Nuclear Arms Reductions.” The Arms Control and Non-Proliferation Initiative at Brookings and the Heinrich Böll Foundation North America will hold a discussion on the challenges that inhibit further nuclear reductions.
  • Mon, April 14 at 7:00 pm: Georgetown University Law Center hosts “Allies at War: Legal Issues in Multinational Security Operations.” The discussion will focus on legal considerations in conducting multinational security operations including issues of interoperability, targeting, and detention, as viewed through the lens of Afghanistan, Libya, and counter-piracy operations in the Indian Ocean.
  • Wed, April 16 at 8:30 am: The Atlantic Council hosts “Beyond Data Breaches: Global Interconnections of Cyber Risk.” This event is the release of a new report written by the Atlantic Council’s Jason Healey, which “seeks to prepare the public and private sectors to endure these cyber shocks of tomorrow and bounce back quickly.”

Statement of the Chief Prosecutor on This Week’s Hearing in the 9/11 Case

Sunday, April 13, 2014 at 9:19 PM

You’ll find it here.

And that’s as good a reminder as any that, tomorrow, Lawfare will resume coverage of pretrial motions hearings in United States v. Mohammed et al. This week’s four-day session will feature (among other things) litigation over the competence of accused 9/11 co-conspirator Ramzi Binalshibh to take part in the proceedings.

In his written remarks, the Chief Prosecutor, Brig. Gen. Mark Martins, discussed a variety of subjects, including transparency:

Part of an Open and Accountable Process that Considers All Relevant Facts

Recently, a victim family member asked me why critics continue to claim the process is too secretive. Her perspective about the proceedings is an informed one, as she has visited Guantanamo, has viewed military commissions as well as federal civilian trials, and has, on occasion, obtained transcripts and briefs from the military commissions website. Indeed, a thesis that persists in the blogs and talking points of certain private advocacy groups—despite a mounting record contradicting it—is that in military commission trials, allegations of past misconduct by officials or agents of the government can be kept secret. It is even darkly suggested that secrecy and alleged overclassification of information may be a reason for using military commissions. While I acknowledge and respect the desire for scrutiny of government action that seems to lie behind some of the criticism, this secrecy or intentional overclassification thesis, as applied to trials ultimately held under the Military Commissions Act of 2009 (the “Act”), is difficult to reconcile with fundamental truths.

The Aboutalebi Visa Denial: U.S. Law and Historical Precedents

Sunday, April 13, 2014 at 4:11 PM

President Obama’s decision to deny a visa to Iran’s would-be Ambassador to the United Nations, Hamid Aboutalebi, is based on U.S. law dating back to 1947 and has numerous historical precedents.  Although the U.N. and other countries have occasionally criticized the U.S. for refusing to grant visas to individuals to come to the U.N., it is not clear that other countries will want to make an issue over the denial of a visa to Aboutalebi, who played at least some role, even if small, in the most egregious violation of diplomatic law and the security of diplomatic personnel in modern times.

The U.S. obligation to admit foreign nationals, including representatives of U.N. member states, to the United States to come to the U.N. is set forth in the so-called U.N. Headquarters Agreement, which was signed on June 26, 1947 by then Secretary of State George Marshall and then U.N. Secretary General Trygve Lie.  Section 11 of the Headquarters Agreement prohibits the United States from imposing any restrictions on travel to the U.N. by representatives of U.N. members (and certain other persons coming to the U.N.).

Although the Headquarters Agreement itself does not contain any exceptions to this prohibition, Section 6 of the Joint Resolution of Congress of August 4, 1947 (for text scroll down below the Headquarters Agreement), which authorized President Truman to enter into the Headquarters Agreement, provides as follows:

Nothing in the agreement shall be construed as in any way diminishing, abridging, or weakening the right of the United States to safeguard its own security and completely to control the entrance of aliens into any territory of the United States other than the headquarters district and its immediate vicinity, as to be defined and fixed in a supplementary agreement between the Government of the United States and the United Nations in pursuance of section 13 (3) (e) of the agreement, and such areas as it is reasonably necessary to traverse in transit between the same and foreign countries.

Thus, under this so-called “security reservation,” Congress limited the U.S. obligation to allow representatives of other U.N. members to enter the U.S. if necessary to “safeguard its own security.” Some observers, including my friend Kevin Heller over at Opinio Juris, have read Section 6 as reserving the authority of the Executive branch only to control the travel of foreign nationals into areas of the United States outside the U.N. “headquarters district” and not to deny absolutely the entrance of foreign nationals into the United States. Although this is one possible reading of Section 6, an equally plausible reading of Section 6 is that it reserves a general and absolute right for the U.S. to “safeguard its own security” as well as a more specific right to limit travel outside the U.N. district. It is hard for me to believe that Congress in 1947 would have acceded to an unfettered obligation to allow any foreign national to come to the U.N. headquarters district, as long as they did not travel outside that district.

The Foreign Policy Essay: Preventing the Proliferation of Armed Drones

Sunday, April 13, 2014 at 10:00 AM

Editor’s Note: Drone warfare and its many implications is a favorite subject for Lawfare readers. Yet even as the United States develops policies for the use of drones on and off the battlefield, it must contend with their proliferation to other countries. Indeed, while many voices continue to call for limiting this new form of warfare, the market for drones, especially U.S. drones, is expanding. Sarah Kreps, a professor at Cornell and author of the forthcoming book Drone Warfare, presents us with several questions to consider as we ponder U.S. export policies on drones. She argues that drones are a destabilizing technology and that the United States should foster nonproliferation norms and build institutions to counter their spread.


Despite lingering questions about whether armed drone strikes are legal or ethical, a number of countries have indicated that they want what the United States has and are trying to import American technology. After all, what’s not to like about the capacity to conduct counterterrorism missions without incurring meaningful risk? To date, the United States has only exported armed drones to the United Kingdom, but a question under consideration by an interagency review process set up by the Obama administration is whether the United States should liberalize its exports. Especially in an era of declining defense budgets at home, the prospect of selling more armed drones abroad looks attractive as a way to prop up the U.S. industrial base. Whether it should or not depends on the answers to three questions.

First, are drones qualitatively different from other weapons platforms and is this technology destabilizing? Yes, drones should be treated as a distinct class of weapons and yes, their attributes can cause them to be used in ways that are potentially destabilizing. The main difference between drones and other platforms is that they are unmanned and therefore pose no risk to those operating them. For the United States, this means that drones have expanded the military’s range of operations to include many that would have been too risky to attempt with other platforms. Of the estimated 465 non-battlefield targeted killings undertaken by the United States since November 2002, approximately 98 percent were carried out by drones. If the U.S. experience is any guide, states equipped with armed drones will be more willing to use force in ways and in areas they might not otherwise have. Armed drone proliferation in regions that are already crisis prone such as the Middle East, the Caucasus, or East Asia could potentially lower the threshold for using force, making these combustible regions even more volatile.

Second, is drone proliferation inevitable? If so, it makes little sense to worry about whether American export policy is liberal or stringent and, in fact, U.S. businesses may as well prosper. But there are good reasons to think that the technology will not otherwise seamlessly diffuse. In some countries, such as Germany, the domestic political environment is hostile towards acquiring armed drones and has put a pause on previous plans to acquire drones. A bigger reason is technological. While one can go onto and buy a rudimentary drone (basically just a remote-controlled airplane), constructing an advanced armed drone is no small feat. U.S. armed drones require sophisticated beyond-line-of-sight communications, access to satellite bandwidth, and systems engineering—from internal fire control to ground control stations—that are currently beyond the reach of most states.

Even countries that have relatively advanced aerospace programs—such as Russia, France, and Italy—have struggled to develop and deploy this systematic architecture of capabilities and processes. Russia, which has experienced a number of setbacks in its aerospace industry since the end of the Cold War, has been frustrated in its efforts to develop more advanced drones. In January 2010, an armed drone prototype of Russia’s Stork Unmanned Aerial Vehicle (UAV) crashed and burned as it attempted to take off, providing further evidence that Russia is decades behind the United States in UAV technology. France and Italy have not been able to produce the requisite technology indigenously and have therefore been limited to purchasing unarmed versions of the United States’ MQ-9 Reaper. Despite many countries expressing an interest in drones, only Israel, China, and perhaps Iran have indigenously produced advanced armed drones. This is not a story of rampant armed drone proliferation.

Third, what is the status of a nonproliferation norm when it comes to armed drones? Currently, the Missile Technology Control Regime (MTCR) regulates the transfer of unmanned aerial vehicles. But drones are a bolt-on to a regime that was intended to restrict the spread of nuclear weapons delivery systems. The regime was far from perfect in this original function since it was a non-legally binding agreement among 34 countries, most of whom are advanced industrialized countries. Excluded are countries such as China, India, Iran, and Israel (although Israel purports to adhere unilaterally).

More on USG Policy on Cyber Vulnerabilities

Saturday, April 12, 2014 at 9:04 PM

This morning I wondered why the USG could not say more about its policy (assuming it had one) on stockpiling v. revealing computer software vulnerabilities.  Today two senior administration officials told David Sanger of the NYT that President Obama decided in January that “when the National Security Agency discovers major flaws in Internet security, it should — in most circumstances — reveal them to assure that they will be fixed, rather than keep mum so that the flaws can be used in espionage or cyberattacks.”  This statement implies two exceptions: (1) not every software vulnerability constitutes a “major flaw in Internet security,” and thus those vulnerabilities that do not rise to that level need not be disclosed, and (2) the phrase “in most circumstances” implies that sometimes the NSA will not reveal even a major flaw in Internet security.  Also, the same officials told Sanger that the President “carved a broad exception for ‘a clear national security or law enforcement need,’” a loophole that Sanger says “is likely to allow the N.S.A. to continue to exploit security flaws both to crack encryption on the Internet and to design cyberweapons.”  Sanger also reports that NSC spokeswoman Caitlin Hayden says that “[t]his process is biased toward responsibly disclosing such vulnerabilities.”

It is impossible to tell from the Sanger story whether any of this is a change from prior practice, or whether the President’s January decision will have any effect on NSA capabilities and operations going forward.  As Sanger notes, our adversaries will continue to develop or buy vulnerabilities.  That fact makes me think that the President’s decision, with its seemingly large exceptions, will have no practical impact.  But who knows?

Exploring the Effect of NSA Disclosures on the U.S. Technology Industry

Saturday, April 12, 2014 at 4:00 PM

This past Monday, I had the honor of moderating a panel organized by students at the American University Washington College of Law’s National Security Law Brief, on Understanding the Global Implications of the NSA Disclosures on the U.S. Technology Industry. The panel (Elizabeth Banker (ZwillGen), David Fagan (Covington), Joseph Moreno (Cadwalader), Gerard Stegmaier (Wilson Sonsini) and Lawrence Greenberg (Motley Fool)) was stacked with practitioners who are navigating, on a daily basis, issues related to data privacy, transparency, and cooperation with law enforcement/government requests, among other related issues. As we explored during the discussion, there are a number of recent media and other reports describing the “fallout” for U.S. industry as a result of the disclosures. So, at least two questions arise: first, are the reports to be believed, and second, if so, will there be a lasting impact, or is this only temporary?

The short answer is that it is too soon to judge. But, as we all read these reports, such as this one produced by NTT Communications and cited in a Guardian article late last month, it will be important to look at the source and potential motivations behind them before drawing firm conclusions about the state of U.S. industry.

Of interest, several of the panelists suggested that the reactions to the recent disclosures perhaps represent the tipping point of what was already a growing discomfort with, if not outright opposition to, changes to the law in the national security area since the USA Patriot Act of October 2001. Another panelist noted that despite the reports of dramatic effects, stock prices of certain affected U.S. technology companies have gone up in recent months (while some others have gone down). It is an important point: drawing conclusions about the long term effects on U.S. industry will take careful study, over a sustained period of time. In the meantime, I intend to spend more time looking into this issue. It seems to me that, given that foreign intelligence surveillance activities conducted by the United States are subject to more laws, rules, procedures and oversight than any other nation, the rush – if there is one – to displace U.S. companies, may be misguided. There just may be a different story to tell.

Lawfare Podcast, Episode #70: Bruce Schneier on Technology and Privacy

Saturday, April 12, 2014 at 1:55 PM

Bruce Schneier of the Berkman Center for Internet and Society at Harvard Law School gave a keynote address at the National Security Agency at the Crossroads conference Bobby put together at UT-Austin last week. Schneier spoke about the challenges to maintaining privacy in the evolving digital environment, and had provocative and interesting insights about the big picture that has emerged from almost a year of NSA revelations. We linked to audio of the rest of the conference sessions earlier; be sure to check it out.

The Week That Was

Saturday, April 12, 2014 at 9:55 AM

Once again, FISA was front and center on Lawfare this week.

Tim Edgar gave us a lesson in intelligence surveillance law 101, defining terms like “incidental collection” and “collection over the wire.” Chris Donesa, former chief counsel for the House intelligence committee, lamented the piecemeal, “band-aid” approach of recent attempts at FISA reform and called for a bolder and more comprehensive public debate about intelligence and national security policy. Lauren updated us on the ongoing metadata preservation saga, explaining that the government’s failure to notify the FISC of applicable preservation orders was—at least according to the government—an oversight.

Wells posted this week’s Lawfare Podcast, a wide-ranging conversation between Ben and NSA Deputy Director John “Chris” Inglis. Ben and Bobby then followed up with a veritable treasure trove of audio from a recent conference, “The National Security Agency at a Crossroads.” Recorded sessions include panels on the changing role of the media, NSA in historical and diplomatic perspective, the future of the Fourth Amendment, metadata collection, content collection, current reform efforts, compliance and oversight, and an opening speech from former NSA director Admiral Bob Inman.

For an internationalist perspective on metadata collection, Hugo Teufel III analyzed the ECJ’s decision striking down the EU’s 2006 Data Retention Directive as exceeding the limits of “proportionality.” He noted that individual member states’ data retention laws remain unaffected for the moment, but worries that communications providers are being forced into a zero-sum game of privacy versus security in which they will likely receive conflicting orders.

Ben and Jack both responded to a Bloomberg report on Friday that NSA knew about and exploited the Heartbleed OpenSSL bug—and to the government’s denials of the claim. Wrote Jack: “the government faces a difficult choice: It can hoard a zero-day for offensive purposes but leave all computer systems affected by the zero-day vulnerable to exploitation or attack; or it can disclose the vulnerability and allow it to be patched, enhancing defense at the cost of a potential offensive tool.”

And Joel Brenner wrote a piece about the statement this week by the FTC and the Justice Department’s Antitrust Division on cybersecurity and antitrust.

In this week’s foreign policy essay, Brookings scholar William McCants analyzes the waning fortunes of the Muslim Brotherhood as Saudi Arabia recently appears to have turned on Brotherhood affiliates forcefully.

Zachary flagged last week’s executive order authorizing the Treasury Department to impose sanctions on individuals and organizations responsible for the ongoing bloodshed in South Sudan.

Paul noted some wishful thinking in Defense Secretary Hagel’s recent attempt to encourage reciprocal transparency with China on cyberdefense doctrine. Jack responded, suggesting that there are benefits even to a unilateral disclosure if it allows the Chinese to interpret US actions accurately and thereby avoid a mistaken escalation. At the same time, he also questioned whether the Chinese have any reason to believe us.

And while we’re discussing the Chinese, Lauren analyzed some of the issues at play in Ralls Corp. v. CFIUS, a case probing the extent of Presidential discretion to block foreign companies from buying businesses and property in the US on national security grounds. The case, involving a Chinese-owned firm, will be heard by the DC Circuit on May 5th.

Paul gave us two more installments of his “bits and bytes” feature. In the first, he noted an Israeli INSS report on the development of Iran’s cyber program, an Army War College bibliography on cyber, a guide on cyber for Joint Forces commanders, and a Foreign Affairs piece on the “internet of things.” In the second, he flagged the New York Times story on the OpenSSL bug.

Paul also flagged US District Judge Esther Salas’ decision in the “most important cybersecurity case you’ve never heard of,” Wyndham v. FTC. Denying a motion to dismiss, Salas ruled that FTC’s general power to regulate “unfair” business practices includes authority to compel businesses to adopt cybersecurity practices.

Stewart Baker posted the next installment of the Steptoe Cyberlaw Podcast, featuring special guest . . . Benjamin Wittes. The usual gang discussed NSA’s influence on encryption standards, a rise in judicially imposed limits on computer search warrants, FISA reform and more.

Lawfare also went to the Hill this week: On Monday, I flagged two congressional hearings this week featuring contributors. On Tuesday, Ben testified before a House Foreign Affairs subcommittee on the continuing necessity of the AUMF and the FISA 702 program, and on Thursday, Paul testified about the transfer of the IANA function to ICANN.  Ben gave us a summary version of his testimony, while Ritika flagged the actual hearing and posted the testimony of all witnesses. And in turn, Paul linked to his testimony, and posted some general reflections on the hearing itself.

In the targeted killing department, Matt Danzer summarized U.S. District Court Judge Rosemary Collyer’s decision granting the government’s motion to dismiss a Bivens suit brought by the family of Anwar al-Aulaqi, his son, and Samir Khan—all of whom were killed in U.S. drone strikes in Yemen. Collyer found the suit justiciable but reprimanded the government for failing to produce classified documents; she ruled that “special factors” precluded the extension of Bivens liability to such cases.

Peter Margulies summarized some of the discussion at a recent Yale Information Society Project Symposium.

Bobby noted a conversation happening at the ICRC DC blog, intercross, on IHL’s applicability in connection with the 2001 AUMF that includes contributions from Gary Brown, Jen Daskal and Bobby himself. And on Friday, he flagged a Washington Post story discussing the intense cooperation between JSOC and the FBI, including FBI participation in JSOC raids and firefights.

And that was the week that was.

Cyber Paradox: Every Offensive Weapon is a (Potential) Chink in Our Defense — and Vice Versa

Saturday, April 12, 2014 at 7:37 AM

As Ben notes, the USG denied a Bloomberg News report that the “U.S. National Security Agency knew for at least two years about a flaw in the way that many websites send sensitive information, now dubbed the Heartbleed bug, and regularly used it to gather critical intelligence.”  The NYT story on this denial says:

James A. Lewis, a cybersecurity expert at the Center for Strategic and International Studies in Washington, said that the claim that the N.S.A. knew about the Heartbleed bug and stockpiled it for its own purposes was not in keeping with the agency’s policy.

“In this case, it would be weird for the N.S.A. to let this one go if they thought there was such a widespread risk,” he said.

I do not know what the NSA “policy” is on this matter.  But there is an important and very hard and not-much-discussed issue lurking here.

Public reports suggest that the NSA engineers or discovers or purchases, and then stores, zero-day vulnerabilities (i.e. software defects unknown to the vendor and to others). Zero-days assist NSA and Cyber Command in their cyber-exploitations and cyberattacks. (For example, Stuxnet reportedly used four zero-day vulnerabilities.) Zero-days are useful in building offensive exploits only to the extent that they are unknown and unpatched. But if the NSA stockpiles such vulnerabilities, and if the vulnerabilities persist in generally available software, then another party besides the NSA might discover the vulnerability and use it offensively – including against USG and U.S.-firm and U.S.-person computer systems. And so the government faces a difficult choice: It can hoard a zero-day for offensive purposes but leave all computer systems affected by the zero-day vulnerable to exploitation or attack; or it can disclose the vulnerability and allow it to be patched, enhancing defense at the cost of a potential offensive tool. Former NSA Director Michael Hayden described this as a “perennial” question of signals intelligence: “What do you do with a vulnerability, do you patch it or do you exploit it?” (See embedded video, about 2:20.)

Presumably the policy that James Lewis is referring to is one that explains how the USG decides which zero-days to keep secret and unpatched and which ones to make public and patchable. (Note that Former White House cybersecurity advisor and President’s Review Group member Richard Clarke has said that there is no such policy: “There is supposed to be some mechanism for deciding how they use the information, for offense or defense. But there isn’t.”) There are obviously significant tradeoffs here. How to think about them?