Showing posts with label GCHQ. Show all posts

Friday, January 17, 2014

NSA as Massa of the Global Sigint Plantation




Craig Murray caused quite a fuss in 2004 when, as UK ambassador to Uzbekistan, he openly criticized the systemic and severe human rights abuses of the Karimov regime.  He was publicly and pointedly stomped on by the British government, with the full encouragement of the Bush administration, for complicating Western access to the Karshi-Khanabad airbase and queering the Global War on Terror pitch.

Murray subsequently wrote an extremely interesting and disarming memoir, Murder in Samarkand (published in the US as Dirty Diplomacy, so I’ll throw in a link to Dirty Wars as well so readers can savor the full dirty spectrum).  In his book, Murray discusses his extensive travels inside Uzbekistan, his contacts with embattled activists, and what he saw and heard and said  (and drank--see under index subject Craig Murray—personal life—alcohol, pages 90-2, 93, 236, 250, 251, 253, 256, 263, 265, 272, 282, 290, and 315--and lusted after—see under the index subject Craig Murray—personal life—women, attraction to, pages 18, 92, 118-19, 121, 128-9, 164-5, 250-1, 252, 253, 256, 263, 264-6, 268, 269, 305-6) in order to place in context the determined efforts of the UK government to smear his reputation. 

Uzbekistan presents an interesting conundrum for liberal human rights activists, not because of its human rights violations, which are undeniably ghastly, but because of its rather bizarre status as a private, for-profit operation of the Karimov family and its allies.

Per my reading of Murray’s book, Uzbekistan looks like a slice of the antebellum US South, and not just because of its total commitment to the cotton culture that dominates the economy and lives of its people, and has also dried up the Aral Sea and otherwise devastated the ecology of Central Asia.  There is so much money to be made off dominating the state-controlled cotton industry (and mining out the gigantic lump of gold that Uzbekistan is fortuitously perched upon) that there is little incentive for Karimov to cultivate the diversified, urbanized market-driven economy that nurtures feisty bourgeoisie and the contentious democratic forces beloved by liberal reformers.

Plantation systems are bad for integrated economies and immiserated citizenry, be they slaves in the South or Uzbeki citizens ordered into the fields for the harvest, but they can be very profitable for plantation owners.  The key point is to foreclose employment alternatives and maintain access to an underpaid, immobile, and docile workforce.  That was certainly the situation in the South, and not only in the pre-Civil War period.  With property-rights conscious Northerners unwilling to attack the foundations of the plantation system through confiscation and redistribution of land to freemen to introduce competition into the market in land and labor, the ability to enforce a local employment monopoly was preserved and the captive-worker system immediately reconstituted itself, first with the Black Codes—which explicitly tied freedmen to the plantations through the implementation of restrictive labor contracts (and also mandated fines for landowners seeking to lure workers away from their existing employment with offers of higher wages)—and then the debt peonage of the sharecropping system, which persisted well into the 20th century.

Unless the Karimov family is interested in encouraging a revolutionary rumpus by aware, empowered, and aggrieved workers, I expect similar conditions to obtain in Uzbekistan and the local oligarchy will display little interest in market reforms or development of new economic sectors unless their revenues can be safely and ferociously extracted.  And with Karimov trampling on local discontent quite ruthlessly and playing the “indispensable ally in battle against Islamicist terrorists” card rather effectively, don’t look for a new Lincoln to apply external pressure on behalf of the Uzbek masses.

Anyway, I was struck with a passage in Murray’s book in which he speculates on the reason why the Blair government attacked him so intemperately, and went to inordinate lengths to 86 his career.

Murray had complained that intel provided by the Uzbek government through the CIA to the UK was tainted by the fact that it was obtained through torture.  Beyond the fact that tortured detainees often provide false information in order to stop their mistreatment, the UK is a signatory to the UN Convention Against Torture and, by the interpretation of Murray and others, was precluded from possessing (as well as using in a court of law) evidence obtained under torture.

The UK government begged to differ, for reasons that might have had little to do with the quality and morality of torture-extracted intel.  In 2006, Murray wrote:


I now believe that in protesting about intelligence obtained by torture in Uzbekistan I had hit an even more sensitive point than I had realized…I had also been hitting at the foundations of the UK-US intelligence sharing agreement.  This was put in place by Churchill and Roosevelt, and under it the CIA and MI6 exchange everything, as do the US National Security Agency (NSA) and UK General Communications Headquarters (GCHQ).  As the US have four times the volume of intelligence that we do, our intelligence services view this agreement as of the highest importance and are particularly anxious that there should be no derogation from the principle that everything should always be shared…Therefore, if the CIA gets information from torture, we have to accept it in order to maintain the integrity of the agreement and the principle that everything is always shared…


Murray was, in Brit-speak, spot on concerning British anxieties about the US relationship, as the Snowden trove confirmed.  In August of last year, the Guardian printed this account of GCHQ groveling to the NSA (undoubtedly amplified by the fact that the NSA had underwritten over $100 million of GCHQ projects over the last three years):


The leaked papers reveal that the UK's biggest fear is that "US perceptions of the … partnership diminish, leading to loss of access, and/or reduction in investment … to the UK".
GCHQ seems desperate to please its American benefactor and the NSA does not hold back when it fails to get what it wants. On one project, GCHQ feared if it failed to deliver it would "diminish NSA's confidence in GCHQ's ability to meet minimum NSA requirements". Another document warned: "The NSA ask is not static and retaining 'equability' will remain a challenge for the near future."

The overriding necessity to keep on the right side of the US was revealed in a UK government paper that set out the views of GCHQ in the wake of the 2010 strategic defence and security review. The document was called: "GCHQ's international alliances and partnerships: helping to maintain Britain's standing and influence in the world." It said: "Our key partnership is with the US. We need to keep this relationship healthy. The relationship remains strong but is not sentimental. GCHQ must pull its weight and be seen to pull its weight."

Astonishingly, the document admitted that 60% of the UK's high-value intelligence "is based on either NSA end-product or derived from NSA collection". End product means official reports that are distillations of the best raw intelligence.



One side of the story is the UK’s poodlicious commitment to serving as the US intelligence community’s most eager and able overseas partner.  And the need to placate the US and buttress Britain’s standing as a meaningful player in the world power game goes a certain way to explaining why it would engage in a bizarre stunt like yanking Glenn Greenwald’s partner into temporary custody in order to rummage through his belongings while he was transiting London.

But I’m also struck by the implications for the senior partner in the process, the United States.  The intimidating character of US demands are best backed up if the US is the indispensable superpower, the hegemon, if you will, in the global intelligence space.  If the UK is reliant on US intel for the majority of its own intelligence product, that’s good for the US in terms of the cooperation it can elicit from the UK on a broad range of policy matters beyond intel sharing.  

Massive surveillance isn’t just a question of catching the “bad guys”.  It’s also a question of getting the “good guys” to do what we say.  It’s a matter of power, not just security.

If, on the other hand, it looks like international outrage and public concern over the massive character of US data collection is going to put a crimp into the NSA’s style, the US loses a valuable weapon in its arsenal—for encouraging compliance by its state allies as well as adversaries.

And that’s why it is unsurprising that President Obama hesitates to impose any meaningful restrictions on the NSA’s activities.  The idea that the US “gets it all”—and friendly governments are dependent upon the US for their own intelligence needs—is a useful strategic asset.  That’s a case that the US security services have to make continuously, both in day to day clandestine performance and in occasional hegemonistic chest-thumping in the public sphere.

Just as Karimov wants to maintain control over the cotton business in Uzbekistan, President Obama wants to assert domination over the Western world’s intel production—and convince the world it has no alternative but to work on America’s digital plantation.  

However, given the massive mission bloat, inefficiencies, and risks inherent in a commitment to maintaining the “getting it all” monopoly, it is an interesting and unanswerable question as to whether the genuine security needs of other nations in particular and the world in general—and the US itself--are well served under the system.





Wednesday, November 20, 2013

I Spy on the Five-Eye




Well, the guy who said this was full of crap:

David Skillicorn, a professor in the School of Computing at Queen’s University, says this is one piece of the data-sharing relationship "that has always been carefully constructed."

"The Americans will not use Canadians to collect data on U.S. persons, nor will any of the other Five Eyes countries," Skillicorn says.

"In fact, in practice, it’s as if the five countries’ citizens were one large, collective group, and their mutual communications are not intercepted by any in the Five Eyes community."

The actual situation, as per the Guardian today, is that the NSA honored its no-spy-on-five-eye pledge in the breach:


Britain and the US are the main two partners in the 'Five-Eyes' intelligence-sharing alliance, which also includes Australia, New Zealand and Canada. Until now, it had been generally understood that the citizens of each country were protected from surveillance by any of the others.

But the Snowden material reveals that:

• In 2007, the rules were changed to allow the NSA to analyse and retain any British citizens' mobile phone and fax numbers, emails and IP addresses swept up by its dragnet. Previously, this data had been stripped out of NSA databases – "minimized", in intelligence agency parlance – under rules agreed between the two countries.

• These communications were "incidentally collected" by the NSA, meaning the individuals were not the initial targets of surveillance operations and therefore were not suspected of wrongdoing.

• The NSA has been using the UK data to conduct so-called "pattern of life" or "contact-chaining" analyses, under which the agency can look up to three "hops" away from a target of interest – examining the communications of a friend of a friend of a friend. Guardian analysis suggests three hops for a typical Facebook user could pull the data of more than 5 million people into the dragnet.

• A separate draft memo, marked top-secret and dated from 2005, reveals a proposed NSA procedure for spying on the citizens of the UK and other Five-Eyes nations, even where the partner government has explicitly denied the US permission to do so. The memo makes clear that partner countries must not be informed about this surveillance, or even the procedure itself.


When intelligence community apologists get wrongfooted by these kinds of revelations, one is inclined to wonder: is the so-called security insider who is allaying (and in some cases ridiculing) the public’s anxieties over government surveillance practices a clueless dupe or a duplicitous shill? 

Inquiring minds want to know.

The most recent revelation is tantalizing as it relates to my own personal hobbyhorse, as discussed in a previous post with the theme Blame Canada: did the NSA diddle with traffic patterns through its corporate buddies on the North American backbone and route US persons’ data to Five Eyes partners—like maybe Canada--for storage, collection, and processing, and thereby receive its tittle-tattle on interesting Americans second hand via a foreign intelligence agency, thereby not violating the letter of the U.S. law prohibiting these kinds of interception without a warrant?

With this background, the most interesting element for me was one that the Guardian didn’t even bother to report on.  It only appears in the Guardian’s reproduction of the 2007 memo (click on the image at the head of the article for the full text) authorizing collection of UK persons’ info.  The memo baldly stated that “unmasked” UK data—if I understand it correctly, this simply means in this case “metadata that has been revealed as relating to a UK person”—is not only fair game for review by NSA analysts; it may also be dumped into a database for access by GCHQ:

“[US Analysts] Are not required to forward unmasked UK contact identifiers to GCHQ unless specifically requested by GCHQ.  GCHQ should receive all unmasked UK contact identifiers via established or mutually agreed forwarding means or the contact identifiers should be available in the GCHQ-accessible five-eyes [deleted] database, the [deleted] access to [deleted], or other GCHQ-accessible metadata stores.”

Hmmm.  Certainly sounds like the NSA was not only collecting UK data; it was making it available to GCHQ.  If that was the case, one would assume it worked the other way around as well.

There’s probably more onion to be peeled.  Maybe a couple more layers down we’ll find out if we can really {drumroll} “blame Canada.”

If this scenario is determined, I reserve the right to name the illicit, escalating sigint exchange with our neighbor in the Great White North "snowballing".  In honor of Kevin Smith, of course.

Saturday, September 07, 2013

Crypto's Dance

[Alert Reader pointed out the correct name for the Google Maps program as developed by the US government is "Keyhole", not "Keystone".  Herewith corrected.  Thank you, AR.]


On the rational left, Edward Snowden is close to losing the support of Kevin Drum because the most recent revelation—that the government has all sorts of ways and means to break ordinary encryption—alerted the bad guys to start being more careful with their crypto.

And if you’ve lost Kevin Drum, there’s little left on the left but China Matters and the rest of the fringe!

But…

Earlier today, in a post about the latest Edward Snowden leak, I wrote that "I'm a lot less certain that this one should have seen the light of day." After some further thought and conversation, I'm now a lot less certain I should have said that.
Here's the problem. The Guardian and New York Times stories basically revealed two things:
  • The NSA has been working to deliberately weaken commercial crypto standards and insert back doors that only they have privileged access to. This is horrific public policy for at least a couple of reasons. First, the NSA tried to do this publicly in the mid-90s with the Clipper chip and export restrictions on crypto technology, and they lost. Now they're covertly doing what Congress refused to let them do overtly. Second, deliberately weakening commercial crypto exposes everyone who uses it to possible interception from bad actors who manage to discover the NSA's handiwork. There's no way the NSA can guarantee that other groups won't learn the weaknesses it's introduced (indeed, it's already happened in some cases) or somehow get access to its back doors. I have no problem at all with the Times and the Guardian disclosing this, and I'd very much like Congress to put a stop to it. 
  • In addition, the NSA has been working to improve its decryption capabilities in ways that don't degrade commercial crypto for anyone else. The details are unclear. It might involve new mathematical techniques. It might involve new computational techniques or improved computational power. It might involve old school hacking. It might involve stealing encryption keys or getting companies to give them up. It might involve the discovery of weaknesses that already exist. This is all stuff that NSA is chartered to do, and it does nothing to harm general use of commercial cryptography. However, revealing the extent of NSA's success in this area might indeed warn terrorists and others away from commercial crypto that they thought was safe, and thus degrade NSA's ability to track them. I have a hard time believing that the public interest in this outweighs the damage done to U.S. intelligence efforts.

As a practical matter, I’m not convinced that Snowden crossed the line.

The US interest in reading encrypted messages is well-known, as are its efforts to crack crypto.

The government has a publicly announced obsession with cracking crypto, which includes all sorts of projects to leverage the capabilities of networked computers, better software, and various cheats to brute force current weak cryptography.

US efforts to diddle with crypto, for instance by corrupting the open source algorithm used to generate random numbers for the keys to make encryption easier to crack, had already been reported.

If and when we get a quantum computer, it will be because the US government will spend a gazillion dollars developing the technology as the magic bullet for cracking 256 bit strong crypto.

Absent quantum computing, the government’s priority is to universalize chickenshit crypto—the kind of crypto that is breakable with a variety of tricks.  Industry is government’s willing handmaiden in this matter, as Glenn Greenwald’s piece in the Guardian reveals:


The document also shows that the NSA's Commercial Solutions Center, ostensibly the body through which technology companies can have their security products assessed and presented to prospective government buyers, has another, more clandestine role. 
It is used by the NSA to "leverage sensitive, co-operative relationships with specific industry partners" to insert vulnerabilities into security products. Operatives were warned that this information must be kept top secret "at a minimum".
A more general NSA classification guide reveals more detail on the agency's deep partnerships with industry, and its ability to modify products. It cautions analysts that two facts must remain top secret: that NSA makes modifications to commercial encryption software and devices "to make them exploitable", and that NSA "obtains cryptographic details of commercial cryptographic information security systems through industry relationships".

Certainly, with B2B and consumer cloud computing via encrypted links on top of every tech company’s wet dream agenda, nobody wants to get tarred with the decryption brush, as a related British GCHQ guideline conveys:

A 2009 GCHQ document spells out the significant potential consequences of any leaks, including "damage to industry relationships".

"Loss of confidence in our ability to adhere to confidentiality agreements would lead to loss of access to proprietary information that can save time when developing new capability," intelligence workers were told.

Excuse me, please step aside as Google—a key member of President Obama’s brain trust, supplier of Andrew McLaughlin to serve as the White House’s Deputy Chief Technology Officer, and the people who 1) bought Keyhole global imaging technology from the CIA 2) renamed it Google Maps and 3) sells the data back to the US government—runs squealing to the front of the line to announce its existential commitment to customer security and privacy:

Google is racing to encrypt the torrents of information that flow among its data centers around the world in a bid to thwart snooping by the NSA and the intelligence agencies of foreign governments, company officials said Friday.

Thank you, Google.  Let us continue.

More to the point, when somebody’s communications are targeted by the government, there are other tools available—like putting a keylogger on the computer—to find out what’s getting typed.

Add to that my personal suspicion that, if you encrypt your e-mail, you attract the special attention of the government on general principles and the investigatory gears start grinding, whether or not your encryption is broken.

So I would say if you are tippy-tappying at your computer with the expectation that encryption is keeping your communications—and you-- perfectly safe, you haven’t been paying attention.

So Edward Snowden’s most recent revelation serves only to give clues to the clueless.

What interested me is how quickly the “Internet freedom to connect” theme was submerged by the “national security” narrative.

Even though it is open to question who’s doing a sloppy job with the nation’s secrets: according to the Guardian, Edward Snowden was one of …850,000…individuals with top security clearance and he got a gander at this secret info.

850,000.

Just in the United States.

It could also have been argued that Snowden did dissidents and activists a public service by alerting them that encrypted communications may not be secure.

As Kevin Drum pointed out, “bad guys” might be able to exploit the backdoors the government is slotting into systems in order to read encrypted communications.

As for the free world’s ability to manage and control these tools, does anybody remember the Google furor over hacked Chinese dissident e-mail accounts (which, as you undoubtedly recall, was the justification for Sergey Brin’s retreat in high dudgeon from the Chinese search engine market)?  I do:

Bruce Schneier, a well-known US cyber security expert, made waves in the IT community with an op-ed on CNN on January 23 asserting that the e-mail hacker had obtained the e-mail information by accessing Google's own internal intercept system - a program designed to enable Google to collect user information in response to US government demands.
If this is the case, the e-mail hack is more of an embarrassment for Google than anything else: an indication that Google had not only created the application to enable governments to spy on e-mail accounts, it had done such a poor job of protecting it that it could be hijacked by malicious parties.


This passage—from January 2010!—should evoke feelings of intense nostalgia for those halcyon days—of August 2013—when Snowden’s first revelations were pooh-poohed as “it’s just metadata”, just the “address on the outside of the envelope” a.k.a. no big deal.

Now it’s the whole fricking encrypted enchilada.

Therefore, ineluctably, the framing slides from “It’s no big deal, don’t pay attention” to “It’s a big frickin’ deal, it must be suppressed.”

But the idea that Chinese dissidents might be grateful for the heads up that encryption might not be secure (and, in fact, the FBI has infiltrated and subverted the precious TOR network for anonymizing communications), and be more careful as a result hasn’t gained any traction yet.

And how about the security of VPNs?

Documents show that [UK GCHQ’s] Edgehill's initial aim was to decode the encrypted traffic certified by three major (unnamed) internet companies and 30 types of Virtual Private Network (VPN) – used by businesses to provide secure remote access to their systems. By 2015, GCHQ hoped to have cracked the codes used by 15 major internet companies, and 300 VPNs.

While we’re at it, given Snowden’s *ahem* impressive knowledge of the NSA’s decryption capabilities, would anybody care to walk back those “narcissistic naif who unwittingly had his hard drives drained by Russian and Chinese intelligence” memes that were spread in the early Snowden-bashing days?