Privacy Impact of Internet Security is Classified, NSA Says

New technologies could be used to improve internet security but the impact of those technologies on personal privacy is classified information, the director of the National Security Agency told Congress last week.

“How could the Internet be designed differently to provide much greater inherent security?” the Senate Armed Services Committee asked Lt. General Keith Alexander, who has been nominated to lead the new U.S. Cyber Command.

“The design of the Internet is – and will continue to evolve – based on technological advancements. These new technologies will enhance mobility and, if properly implemented, security,” replied Gen. Alexander in his written answers (pdf) in advance of an April 15 Committee hearing.

“What would the impact be on privacy, both pro and con?” the Committee continued.

The answer to that question was “provided in the classified supplement” to the General’s response, and was not made public (see question 27).

“It is astounding that Lt. Gen. Alexander’s remarks on the impact on privacy of future modifications to the Internet under his command should be withheld from the public,” wrote Jared Kaprove and John Verdi of the Electronic Privacy Information Center (EPIC), especially given the President’s declared commitment to upholding privacy protection in the nation’s cybersecurity policy.

Consequently, EPIC filed a Freedom of Information Act request seeking disclosure of the classified supplement to General Alexander’s answers.  “There is a clear public interest in making known the Director’s views on this critical topic,” EPIC wrote in its request (pdf).

Activities of the Senate Intelligence Committee, 1976-2009

The Senate Intelligence Committee has posted a collection of its biennial public reports on the Committee’s activities, from the first report in 1976 to the latest in 2009, providing a retrospective survey of intelligence controversies past and present.

“The committee has unintentionally produced a profoundly biased political document,” complained the late Sen. Daniel P. Moynihan in a statement appended to the very first report (pdf) in 1976.  “The committee reports on a world in which very simply, the values which the United States hopefully stands for do not seem to be threatened by any activity save the activities of the U.S. Government…. Nowhere is the Committee for State Security of the Soviet Union (the KGB) even alluded to. There is a pattern of avoidance of the reality of totalitarian threat throughout this document.”

“I believe that my colleague misses the point,” replied Sen. Joseph Biden in the same 1976 report.  “At the heart of what is wrong with the intelligence community and what indeed has caused many of the abuses we have seen is the fact that most officials of the intelligence community do not know what they should and should not be doing…. We will not solve that problem by restating the obvious, that the Soviets operate a very effective intelligence service, unfettered by the restrictions of a vibrant constitution.”

DHS Says It Cannot Stop Private Posting of Sensitive Info

The law does not authorize the Department of Homeland Security to regulate or penalize the publication of sensitive transportation security-related information on private websites, the Department advised Congress (pdf) recently.

Last December, the Transportation Security Administration inadvertently posted a manual marked “sensitive security information” that described procedures for screening of airline passengers.  Following its discovery, the manual was removed from government websites, but it had already been mirrored on non-governmental websites that continue to host the document.

What is DHS going to do about that?, several members of Congress wanted to know.  The answer is this: nothing.

“How has the Department of Homeland Security and the Transportation Security Administration addressed the repeated reposting of this security manual to other websites and what legal action, if any, can be taken to compel its removal?” wrote Reps. Peter T. King (R-NY), Charles W. Dent (R-PA) and Gus M. Bilirakis (R-FL) on December 9 (pdf).

“No action has been initiated by the agency to address reposting on other web sites,” DHS replied in a February 7 response that was released this month under the Freedom of Information Act.  Existing “statutes do not provide specific authority to remedy the dissemination of SSI [sensitive security information] by noncovered persons [who are not subject to DHS jurisdiction].”

If Congress wanted to try to compel removal of such material from public websites, DHS said, “specific new statutory authority… would be necessary to provide enhanced legal support to pursue the full range of civil and criminal remedies against unauthorized dissemination of SSI by persons who are not covered persons as defined by 49 C.F.R. §1520.7.”

“Torture and the OLC,” and Other New Hearing Volumes

By authorizing extreme interrogation methods and defining them as legally permissible, the Bush Administration’s Office of Legal Counsel enabled “our country’s descent into torture,” said Sen. Sheldon Whitehouse (D-RI) last year at a contentious hearing of a Senate Judiciary Subcommittee that he chaired.  The hearing presented contrasting views on a range of related issues, including whether or not the Bush Administration’s “enhanced interrogation” program constituted torture under international law.  The 695 page record of the hearing was published late last month, with voluminous attachments and submissions for the record. See “What Went Wrong: Torture and the Office of Legal Counsel in the Bush Administration,” May 13, 2009.

Other noteworthy new congressional hearing volumes include the following (both pdf).

“The Proposed U.S.-UAE Agreement on Civilian Nuclear Cooperation,” Senate Foreign Relations Committee, October 7, 2009 (published March 2010).

“The Impact of U.S. Export Controls on National Security, Science and Technological Leadership,” House Foreign Affairs Committee, January 15, 2010 (published March 2010).

ODNI Report on Data Mining: We Don’t Do It

The Office of the Director of National Intelligence says it does not practice data mining in the narrow sense of searching databases to find anomalous patterns that could be indicative of terrorist activity.  So the latest ODNI annual report to Congress (pdf) on data mining programs (the third such report) has little new information to offer.

Instead of data mining, narrowly defined, the ODNI and other intelligence agencies use “link analysis,” which involves searches that begin with a known or suspected terrorist or intelligence target and work backwards and forwards from there.  But such “link analysis” is outside the strict definition of “data mining,” ODNI says, and so it is not discussed further in the new annual report.

Secrecy System Churned Along in 2009

The national security classification system hit some new highs as well as some new lows over the last year, the Information Security Oversight Office (ISOO) disclosed in its latest annual report to the President (pdf).

The total number of reported national security classification actions skyrocketed to a record 54.8 million classifications last year, a startling 135 percent increase over the year before, the ISOO report said.  But this rise was largely due to a change in reporting practices to include email and other electronic products that were excluded from previous reports, ISOO said, and so it “does not reflect an increase in classification activity.”

In fact, wrote ISOO Director William J. Bosanko in his transmittal letter to the President, “There were several positive developments this year” in terms of limiting classification activity.

The actual number of wholly new secrets, or “original classification actions,” decreased by 10 percent to 183,224 classification decisions.  (The large majority of classification actions are known as “derivative classifications,” which means that they incorporate or reproduce in a new document information that has previously been classified.)

The number of “original classification authorities” — the individuals who are authorized to designate information as classified in the first place — also decreased by 37% to 2,557, which is the lowest number of authorized classifiers ever reported, since ISOO began keeping statistics 30 years ago.

And agencies assigned a maximum duration for classification of ten years or less to 67 percent of newly classified records, the highest fraction ever.

Disappointingly from a public access point of view, however, the number of pages that were declassified declined by 8 percent in 2009, to 28.8 million pages, although the number of pages that were reviewed (52 million pages) actually increased slightly.

See the Information Security Oversight Office (ISOO) Report to the President for Fiscal Year 2009, transmitted March 31, 2010 and made public today.

The ISOO annual report is a touchstone for assessing the state of national security secrecy each year since it provides a unique public compilation of agency data on classification activity. Unfortunately, the underlying data are of questionable validity, and they may be completely unreliable.

So, for example, the latest report states that the CIA was responsible for no more than four original classification actions last year, and the Office of the Director of National Intelligence generated only two.  That seems doubtful, to say the least.  At the other extreme, the Army reported over 75,000 original classifications in 2009.  Based on this disparity in the numbers, it seems unlikely that agencies are using the standard terminology in the same way.  Or as the ISOO report put it, “We question whether many of these are truly original decisions.”

In short, there is still plenty of room for improvement in collection methodology and quality control in assessing classification activity.

Also, there are at least two categories of data that are not currently available which could be usefully reported in the future.

ISOO reports the number of classification challenges that are filed by authorized persons who dispute the classification of particular items of information (of which there were 365 in FY2009).  But it does not indicate the outcome of those challenges, i.e. whether they led to a change in classification status or not.  This information would be helpful in determining whether the official classification challenge procedure is a meaningful one, or a pointless exercise.

Another significant category of information that could be reported by ISOO in the future is the number of categories of classified information that are removed from existing classification guides and declassified as a consequence of the upcoming Fundamental Classification Guidance Review.  This Review, which is supposed to take place over the next two years, is the Obama Administration’s most important and most systematic effort to combat the problem of overclassification.  Although agencies are supposed to generate their own public reports of the Review results, a consolidated account and evaluation by ISOO would provide an early indication of whether the President’s plan to fight overclassification is working or not.

Former Official Indicted for Mishandling Classified Info

Thomas A. Drake, a former National Security Agency official, was indicted yesterday after allegedly having disclosed classified information to a reporter for a national newspaper “who wrote newspaper articles about the NSA and its intelligence activities in 2006 and 2007.”  The reporter and the newspaper were not named.

Mr. Drake allegedly provided classified documents to the reporter and assisted him or her with researching stories about the NSA that were published between February 27, 2006 and November 28, 2007.  “Defendant DRAKE served as a source for many of these newspaper articles, including articles that contained SIGINT information,” the April 14 indictment (pdf) stated.

“Our national security demands that the sort of conduct alleged here — violating the government’s trust by illegally retaining and disclosing classified information — be prosecuted and prosecuted vigorously,” said Assistant Attorney General Lanny A. Breuer in a Justice Department news release.

Interestingly, Mr. Drake was not specifically charged with unauthorized disclosure of classified information, nor was he charged at all under the “SIGINT” statute, 18 USC 798.  Instead, according to the indictment, he was charged under 18 USC 793 with unlawful retention of classified information, as well as with obstruction of justice and making false statements.

Economic Impacts of Prison Growth, and More from CRS

“The historic, sustained rise in [the U.S. prison population] has broad implications, not just for the criminal justice system, but for the larger economy. About 770,000 people worked in the corrections sector in 2008 [and this number is expected to grow]…. By comparison, in 2008 there were 880,000 workers in the entire U.S. auto manufacturing sector.”  See “Economic Impacts of Prison Growth” (pdf), April 13, 2010.

Other noteworthy new CRS reports obtained by Secrecy News that Congress has not made readily available to the public include the following (all pdf).

“The Role of the Senate in Judicial Impeachment Proceedings: Procedure, Practice, and Data,” April 9, 2010.

“Military Personnel and Freedom of Religious Expression: Selected Legal Issues,” April 8, 2010.

“Multilateral Development Banks: Overview and Issues for Congress,” April 9, 2010.

“Foreign Aid Reform, National Strategy, and the Quadrennial Review,” April 12, 2010.

“Supreme Court Appointment Process: Roles of the President, Judiciary Committee, and Senate,” February 19, 2010.