This is Stewart Baker's Typepad Profile.
Stewart Baker
Former government official now practicing law
Recent Activity
Edward Snowden cleared up a lot when he appeared on Vladimir Putin's "town hall" video program. His question for Putin was familiar to anyone who's followed Snowden's remarks in recent months: spying isn't bad, but "the mass surveillance of online communications and the bulk collection of private records" is evil. He trashes the US for programs that "unreasonably intrude on the private lives of ordinary citizen" and asks, "Does Russia intercept, store or analyse in any way the communications of millions of individuals?" I've prepared and answered a lot of questions at hearings, and a compound question like that is almost always a setup: It begs for a categorical "No." And that's what it got. It sure looks as though Snowden is playing the Kremlin's game here, serving up a pre-arranged softball on demand. Equally interesting is the Russian government's implicit endorsement of the Snowden "mass surveillance" talking point. This television program is tightly scripted, and Snowden's question must have been approved at the highest levels of the Russian government to get past the screeners. So this is clearly a message that the Russian government wants to promote. I've suspected for a while that Snowden's objection to mass... Continue reading
Posted 2 days ago at Skating on Stilts
An army of researchers recently published a short study of a weakness that NSA is alleged to have introduced into a public security standard. Joseph Menn of Reuters gave the study lengthy and largely uncritical coverage; here's the gist: Security industry pioneer RSA adopted not just one but two encryption tools developed by the U.S. National Security Agency, greatly increasing the spy agency's ability to eavesdrop on some Internet communications, according to a team of academic researchers. Reuters reported in December that the NSA had paid RSA $10 million to make a now-discredited cryptography system the default in software used by a wide range of Internet and computer security programs. The system, called Dual Elliptic Curve, was a random number generator, but it had a deliberate flaw - or "back door" - that allowed the NSA to crack the encryption. A group of professors from Johns Hopkins, the University of Wisconsin, the University of Illinois and elsewhere now say they have discovered that a second NSA tool exacerbated the RSA software's vulnerability. The allegation that NSA weakened the dual elliptic curve random number generator has been floating around for some time, and it has already had some policy impact. The... Continue reading
Posted Apr 3, 2014 at Skating on Stilts
According to the New York Times, the President has decided to kill the existing NSA phone metadata program and come up with a substitute that leaves the metadata with the phone companies. The decision will limit the government's ability to find older connections, since few companies hold records for three or more years; it will also be hard to construct a social graph that combines customers of different carriers. This may have been inevitable when large swaths of the Republican party decided to treat NSA as though it were an arm of Organizing for America. But even so, the President's decision is disappointing for other reasons. The key passage for the future is this passage in the NYT story: In recent days, attention in Congress has shifted to legislation developed by leaders of the House Intelligence Committee. That bill, according to people familiar with a draft proposal, would have the court issue an overarching order authorizing the program, but allow the N.S.A. to issue subpoenas for specific phone records without prior judicial approval. The Obama administration proposal, by contrast, would retain a judicial role in determining whether the standard of suspicion was met for a particular phone number before the... Continue reading
Posted Mar 25, 2014 at Skating on Stilts
For some reason, debates about Snowden are thick on the ground these days, and I've joined a couple of them. The most fun was the Oxford Union, which has been preparing future Parliamentarians (and Prime Ministers) all around the British Commonwealth since 1823. The Oxford Union debate was "This House would call Edward Snowden a Hero." My argument to the contrary is here: Highlights of the debate included the arguments of Jeffrey Toobin, with whom I agree on nothing but Snowden, and P.J. Crowley, lately of the Clinton State Department -- both of them well worth watching. I also thought Chris Huhne and Chris Hedges did particularly well in support of the motion. And Charlie Vaughan, the Aussie student who stepped in to support our side, already shows signs of being a formidable politician. They can all be found here. The motion carried, but narrowly (something like 212-175), which I thought a moral victory with a university audience outside the United States. (And an audience that thinks very highly of itself; Even at Harvard I would have expected a laugh when I declared that being a toady was the key to debating success and then immediately told the audience that... Continue reading
Posted Mar 23, 2014 at Skating on Stilts
A French court has upheld a government agency's order requiring that Google post a notice on its famously clean home page. The notice draws attention to the agency's ruling that Google violated French privacy law when it collected personal information under a consolidated privacy statement rather than using several different statements for its different business lines. Translated loosely from the French, then, the ruling is: "You have learned facts that the government did not want you to learn without first saying words that the government wanted you to say. To make sure you never do that again, the government will now require you to say other words that the government has written for you." And all in the name of human rights. Continue reading
Posted Feb 8, 2014 at Skating on Stilts
You've got to hand it to the Turks. Just when it seemed that the European Union would never see how abusive privacy laws can be, the Turkish Parliament adopted a privacy bill that caused even the EU to choke. According to the Wall Street Journal, the law is a prime candidate for a Privy -- a genuinely Dubious Achievement in Privacy Law: The law, which must be approved by President Abdullah Gül to take effect, would allow the agency charged with monitoring telecommunications to block access to Internet sites within four hours of receiving complaints about privacy violations. ... "The approach that the Internet is being banned, is being censored is wrong," Transport, Maritime Affairs and Communications Minister Lutfi Elvan said Thursday. The measure will prevent infringement of personal rights by bypassing lengthy court procedures that failed to protect privacy in a timely manner, he said. Shortly after the bill passed, the European Union, which Turkey seeks to join, criticized it for introducing restrictions on freedom of expression. Turkey has an estimated 40 million Internet users. "The Turkish public deserves more information and more transparency, not more restrictions," said Peter Stano, spokesman for the European Commissioner for Enlargement Stefan Füle.... Continue reading
Posted Feb 6, 2014 at Skating on Stilts
The press is still after James Clapper, Director of National Intelligence, for his statements in response to a question from Sen. Wyden (D-OR) in March of last year. Wyden asked whether NSA was collecting data on millions of Americans. “Not wittingly,” Clapper responded. CNN's Jake Tapper asked President Obama on Friday whether he had concerns about Clapper's answer. Tapper got the Presidential equivalent of a shrug: "I think that Jim Clapper himself would acknowledge, and has acknowledged, that he should have been more careful about how he responded," Obama said. "His concern was that he had a classified program that he couldn't talk about, and he was in an open hearing in which he was asked, he was prompted to disclose a program, and so he felt he was caught between a rock and a hard place." The press keeps wondering why Clapper's response hasn't wrecked his career. Maybe a parable will help explain his survival. Imagine that the Senate is preparing to confirm the nomination of a well-known woman to an important administration job. The committee chairman loathes the nominee and her policies. But his investigators have turned up nothing against her – until they discover that she... Continue reading
Posted Feb 2, 2014 at Skating on Stilts
I interviewed David Medine this week in the course of Steptoe's latest podcast on technology, security, privacy, and government. The interview yielded a good overview of the Board's report, and not an uncritical one. I questioned the Board's decision to write a legal brief on the 215 program, as well as the Board's remarkable claim that it had found the unambiguous "plain meaning" of section 215 -- despite the fact that 15 judges disagreed. David is a fine lawyer, and he gave as good as he got. The exchange is interesting, and I think it digs deeper into the report than most news stories have. Continue reading
Posted Jan 28, 2014 at Skating on Stilts
Almost immediately after the Republican National Committee adopted an error-filled resolution attacking the NSA and its telephone metadata program, current and former GOP officials took a strong stand against the RNC resolution: [T]he RNC resolution threatens to do great damage to the security of the nation. It would be foolhardy to end the program without ensuring that we remain safe from attack. This database provides a uniquely valuable capability for discovering new phone numbers associated with international terrorist organizations, including numbers that may be used by terrorist cells within the United States. Former Deputy Director of the CIA Michael Morrell has testified that having this capability might have prevented 9/11 and could help to prevent the next 9/11. This is not a Democratic or a Republican program. Protecting Americans from terrorism should not be a partisan issue. The program was first launched under President George W. Bush. It was approved by Congressional leaders of both parties. And for good reason. It helps to keep Americans safe. It may be appropriate to modify the program in certain respects, if that can be done without a significant loss in effectiveness, but abolishing it without any idea how to close the intelligence gap... Continue reading
Posted Jan 26, 2014 at Skating on Stilts
In my experience, privacy law produces a remarkable number of foolish outcomes. The reason, I suspect, is that our notions of "privacy" evolve too quickly to be reduced to law. It's like writing a law codifying good manners. Over time, as our definition of good manners or privacy changes, the old code starts producing irrational results -- or it is enforced only selectively, to punish those who offend the powerful. That observation led to annual awards for Dubious Achievement in Privacy Law -- the Privies for short. The nominees from last year can be found here. It's a new year, but privacy law is already living down to my expectations, throwing off stupid or venal results at a rapid clip. It's time to open nominations for the 2015 Privies. Here is the first: Worst Use of Privacy Law to Serve Power and Privilege: University of North Carolina at Chapel Hill There's nobody more powerful at UNC than the big athletic programs. So when Mary Willingham, a UNC researcher, disclosed that 60% of the Tar Heel student-athletes she studied were reading at a level between the fourth grade and the eighth grade, she was asking for trouble. She got it. An... Continue reading
Posted Jan 25, 2014 at Skating on Stilts
I've been doing a regular weekly podcast with Michael Vatis and Jason Weinstein, two of my partners who share an interest in security, privacy, and technology, as well as a background in government. More recently, we've started inviting newsmakers to join us for a half-hour interview. Earlier this week, I interviewed Chris Inglis, the recently retired Deputy Director of the National Security Agency. It's a wide-ranging interview that touched on everything from NSA's morale to the changes in its culture that this crisis will demand. Chris Inglis flagged the Snowden disclosures he finds most disturbing and unjustifiable even on Snowden's terms but refused to accuse Snowden of working with Russia, saying he hadn't seen evidence of that. It's a useful contribution to the debate by an insider who is now free to be a bit more candid than before, within the limits imposed by classified information rules. Next week, I'll be interviewing David Medine, chairman of the Privacy and Civil Liberties Oversight Board, about the Board's report, which I've already panned here. It should be a civil but vigorous exchange of views! If you want to subscribe to the podcasts, the RSS feed is here. Continue reading
Posted Jan 23, 2014 at Skating on Stilts
I've now had a chance to look at the report of the Privacy and Civil Liberties Oversight Board on section 215 and the telephone metadata program. What a disappointment. The PCLOB declares by a bare majority that the program is unlawful and should be shut down. The report's 45-page (!) statutory analysis reads like an opinion written by a court that is bound and determined to reach a favored outcome. Elsewhere the PCLOB expresses enthusiasm for adversarial briefing and argument: "Our judicial system thrives on the adversarial presentation of views." The PCLOB majority, though, would apparently prefer to thrive without the hassle of, you know, briefs and arguments and stuff, especially if they might get in the way of its preferred legal determination. Rachel Brand in dissent gives the entire 45-page exegesis the back of her hand, and with justification: This legal question will be resolved by the courts, not by this Board, which does not have the benefit of traditional adversarial legal briefing and is not particularly well-suited to conducting de novo review of long-standing statutory interpretations. The other dissenter, Elisabeth Cook, similarly devotes only a sentence to the statutory issue and the Board's effort to play judge. I... Continue reading
Posted Jan 23, 2014 at Skating on Stilts
According to Charlie Savage at the NYT, the Privacy and Civil Liberties Oversight Board will issue today a report declaring that the NSA's telephone metadata program is illegal and should be ended. That is the conclusion of the three Democrats on the board; the two Republicans dissented. If you were wondering why it took the Obama administration three years to fill the board, you now have the answer. How does the board get around the fact that the statute was reauthorized by Congress twice after the metadata program began? The story hints at the PCLOB's view: Defenders of the program have argued that Congress acquiesced to that secret interpretation of the law by twice extending its expiration without changes. But the report rejects that idea as “both unsupported by legal precedent and unacceptable as a matter of democratic accountability.” I find it hard to believe that this position withstands analysis but I'll wait to see the full report. Continue reading
Posted Jan 23, 2014 at Skating on Stilts
Randy Barnett argues that NSA's metadata program is bad because the government will use the information to target people for their political views and to embrace mission creep. His solution is to leave the metadata in the hands of the phone company. But really, what good would that do? Suppose that, as Randy fears, Congress wakes up one day and decides to use phone metadata to suppress dissent and gun ownership across America. The fact that the data is stored in four or five phone companies' databases rather than NSA's will forestall the Dark Night of Fascism for, oh, about 90 minutes. For the sake of that speedbump, we should give up our ability to identify cross-border terror plots? Randy's solution to that problem is to overrule a line of Supreme Court cases (Smith v. Maryland) holding that no one has a reasonable expectation of privacy in information they've disclosed to a third party. With Smith v. Maryland set aside, the government would need a search warrant to see the metadata. Overruling existing Supreme Court precedent is a law professor's prerogative, but the rest of us don't have to go along. And in fact the Smith v. Maryland doctrine makes... Continue reading
Posted Jan 22, 2014 at Skating on Stilts
Ars Technica has published an article highlighting a recently declassified FIS court opinion. The opinion says in a footnote that "NSA expects that it will continue to provide on average approximately three telephone identifiers per day to the FBI." Earlier opinions say NSA is providing two identifiers a day. The opinions stop putting a number on NSA's referrals in 2009. This story is accurate up to a point, but it then veers off into weirdness and paranoia: Some experts speculated that this system of the NSA tipping off the FBI may be an unusual arrangement—analogous to the NSA’s giving information to the Drug Enforcement Agency to prosecute criminal cases. “I am not sure it tells us anything new but rather adds more confirmation to a widely suspected and occasionally confirmed technique of law enforcement following intelligence leads and then reverse-engineering a paper trail to use in court," Fred Cate, a law professor at Indiana University, told Ars. ... However, others pointed out that in the absence of further information as to how exactly the NSA’s information is sent to the FBI, and under what circumstances, it’s impossible to know precisely what’s going on. “Furthermore, given how broadly it's possible to... Continue reading
Posted Jan 21, 2014 at Skating on Stilts
The Committee on Foreign Investment in the United States, or CFIUS, reviews foreign investments for national security risks. It is now beyond doubt that Chinese investment is getting much closer scrutiny from CFIUS. A total of ten transactions failed to survive review in 2012, according to a just-released Treasury report. That may not sound like a lot, but in 2011, only two deals failed to make it through the process. At the time, two was a lot of deals to kill in a year, since CFIUS has sometimes gone a decade or more without deep-sixing any. When in government, I had a reputation as a CFIUS security hawk, but I doubt I ever recommended killing more than two deals in a year. This crowd is tough. Continue reading
Posted Jan 8, 2014 at Skating on Stilts
Matt Blaze, a well-known public cryptographer and NSA critic (but I repeat myself), offered what seemed like a modest concession in the relentless campaign against NSA intelligence gathering: The NSA's tools are very sharp indeed, even in the presence of communications networks that are well hardened against eavesdropping. How can this be good news? It isn't if you're a target, to be sure. But it means that there is no good reason to give in to demands that we weaken cryptography, put backdoors in communications networks, or otherwise make the infrastructure we depend on be more "wiretap friendly". The NSA will still be able to do its job, and the sun need not set on targeted intelligence gathering. Don't get me wrong, as a security specialist, the NSA's Tailored Access Operations (TAO) scare the daylights of me. I would never want these capabilities used against me or any other innocent person. But these tools, as frightening and abusable as they are, represent far less of a threat to our privacy and security than almost anything else we've learned recently about what the NSA has been doing. TAO is retail rather than wholesale. A day later he revealed just how modest... Continue reading
Posted Jan 8, 2014 at Skating on Stilts
Sen. Bernie Sanders (I-VT) has written a letter to NSA's director, asking whether the agency has spied on members of Congress. It sounds like he's uncovered a scandal, until you read the fine print. It turns out that Sen. Sanders is simply asking whether NSA collects Americans' telephone metadata, and every sentient American already knows that answer: NSA's program collects metadata for all US calls. So Sen. Sanders's letter isn't an inquiry, it's a stunt. The Guardian is an enthusiastic participant in the stunt, with Spencer Ackerman writing that NSA "did not deny collecting communications from legislators of the US Congress." Well, duh. Unfortunately, it looks as though Ted Cruz, who so far has avoided the worst fever swamps of NSA paranoia, also fell for the stunt, tweeting "@SenSanders asks ? millions of Americans would like answered: Are any law-abiding citizens safe from NSA spying?" At the risk of being repetitive, Sen. Cruz, we've all known the answer for months. NSA's 215 program collects all domestic call metadata, and it protects all that data by requiring that any search of the data be based on a reasonable suspicion of terrorism. All means all. All Americans' metadata is collected. All Americans'... Continue reading
Posted Jan 5, 2014 at Skating on Stilts
The New Yorker has a remarkably thought-provoking article on what some call the "neurobiology" of plants. That's a deliberately edgy way of pointing out just how much communicating and sensing and adapting plants do, all without anything resembling a brain. Some samples: Plants have evolved between fifteen and twenty distinct senses, including analogues of our five: smell and taste (they sense and respond to chemicals in the air or on their bodies); sight (they react differently to various wavelengths of light as well as to shadow); touch (a vine or a root “knows” when it encounters a solid object); and, it has been discovered, sound. In a recent experiment, Heidi Appel, a chemical ecologist at the University of Missouri, found that, when she played a recording of a caterpillar chomping a leaf for a plant that hadn’t been touched, the sound primed the plant’s genetic machinery to produce defense chemicals. Another experiment, done in Mancuso’s lab and not yet published, found that plant roots would seek out a buried pipe through which water was flowing even if the exterior of the pipe was dry, which suggested that plants somehow “hear” the sound of flowing water.... Mimosa pudica, also called the... Continue reading
Posted Jan 4, 2014 at Skating on Stilts
As 2013 ended and 2014 began, privacy professionals took a moment to look back and choose the year's most dubious achievements in privacy law. The dubious achievement awards, also known as the Privies, were dominated by officials of the Obama Administration. The awards are a light-hearted way of expressing skepticism about the effort to write evolving notions of privacy into law. Because concepts of what is private change rapidly while laws remain on the books for decades, unintended consequences are common. Outmoded privacy laws are often misused to protect the powerful or are invoked hypocritically to achieve other ends, and judicial applications of privacy statutes often make no sense to ordinary people, whose concepts of privacy have evolved faster than the law. The winners of the 2014 Privies exemplify all of these flaws. Health and Human Service Secretary Kathleen Sebelius was voted Privacy Hypocrite of the Year for imposing harsh penalties on private companies whose systems for handling personal health data had security weaknesses -- the same kind of weaknesses that HHS ignored when it rolled out the deeply flawed site. Agriculture Secretary Thomas Vilsack, meanwhile, won the prize for Worst Use of Privacy Law to Protect Power and... Continue reading
Posted Jan 1, 2014 at Skating on Stilts
I'm shocked to discover that the august Ninth Circuit has been tampering with the balloting for the Privies, perhaps hoping to save its own Judge Bybee from winning the award for "Dumbest Privacy Case" of 2014. The nomination was for a decision that exposed Google to liability for gathering wi-fi signals while driving by on the street. As we noted in the nomination, "the law exempts the capturing of radio broadcasts and publicly accessible communications; there's not much doubt that wi-fi uses radio waves and can be accessed by the public if it's not secured. But Judge Bybee of the Ninth Circuit wasn't deterred by either of the barriers to holding Google liable. He decided that radio communications are only those things we hear on the AM-FM dial. As for being publicly accessible, he writes, why that's ridiculous: if you listened to wi-fi signals on an AM radio, "they would sound indistinguishable from random noise." Now Judge Bybee seems ready to admit that he didn't really think that whole "how would the signals sound on an AM radio?" thing through. Responding to the imminent threat of a Privy Award (and Google's rehearing petition), the panel has modified the opinion to... Continue reading
Posted Dec 31, 2013 at Skating on Stilts
Voting for the 2014 Privy Awards for Dubious Achievement in Privacy Law will close at noon EST tomorrow, January 1, 2014. You can read the nominations here, and cast your vote here. There are still some tight races, whether in voting by the public or by privacy professionals. But there are differences between the two groups. The most interesting difference concerns the crucial vote for "Privacy Hypocrite of the Year." Among the public, the top two contenders are Rep. James Sensenbrenner, for deliberately skipping classified briefings and then complaining that he wasn't told about NSA's classified program, and Sec. Kathleen Sebelius, for launching without any of the security features her Department has penalized private health companies for failing to implement. But among privacy professionals, the race for top honors is between Secretary Sebelius and a little-known Brussels bureaucrat, European Commissioner (and Vice President) Viviane Reding, who is notorious for trying to regulate US intelligence activities while admitting that she has no authority to regulate European intelligence agencies. The votes of privacy professionals are weighted more heavily precisely to give obscure but outrageous abusers of privacy law a fair shot at winning, so privacy professionals with strong views on whether... Continue reading
Posted Dec 31, 2013 at Skating on Stilts
Quick reactions to a couple of books I had a chance to read over the Christmas break. I can highly recommend Company Man by John Rizzo. Rizzo was one of the first lawyers at the CIA, and he recounts a thirty year career there with grace and a remarkable absence of rancor, even though he was denied the ultimate promotion -- to General Counsel -- after a highly politicized confirmation hearing. (His offense was asking the Justice Department whether certain harsh interrogation techniques were legal, and not selling out the CIA officers who relied on Justice's advice by disavowing it when he got to the hearing.) Rizzo had a ringside seat at all the most dramatic political events involving the CIA from the 1970s to the Obama Administration. He brings self-deprecating wit and a lot of human insight to his portrayal of these events and the CIA directors he helped guide through them. It's available on January 5, 2014. (Disclosure: I got an early copy because John and I have been friends and colleagues for a long time. But in the interest of full disclosure, I have no incentive to overpraise his book, since I'm afraid it's actually better than... Continue reading
Posted Dec 30, 2013 at Skating on Stilts
Voting for the 2014 Dubious Achievements in Privacy Law is almost done, and the race is heating up. Who used privacy law most egregiously to serve power and privilege? There are plenty of candidates, but the leaders this year are two: On the one hand, the Chinese government, which adopted a privacy law and promptly brought criminal privacy charges against a Western investigator examining corporate misdeeds. And on the other, the Obama administration's Agriculture Department, which cited privacy grounds in refusing to name any of the beneficiaries of the notoriously fraud-ridden "Pigford" settlement. But if your favorite was a man who could afford both a naked five-hour, five-hooker sadomasochistic orgy and a litigation campaign to clear his name by proving that it was not a naked five-hour, five-hooker sadomasochistic orgy with a Nazi theme, well, Max Mosley isn't quite out of the running yet. With a surge of support, his privacy law campaign to force the Internet to forget pictures of his naked five-hour etcetera still could qualify as the worst use of privacy law to protect the privileged. If you're sure you know which of the candidates is abusing privacy law most egregiously to serve the powerful, and you... Continue reading
Posted Dec 30, 2013 at Skating on Stilts
Usually it takes a couple of stories. First foreign officials condemn reports that NSA has gathered intelligence on their government. Then, later, they have to admit that, well, yes, they do sometimes spy on the United States. But Israel has taken chutzpah to new heights -- simultaneously demanding that the United States stop spying on Israel and that it release the guy caught spying on the United States for Israel: Senior Israeli officials on Sunday demanded an end to U.S. spying on Israel, following revelations that the National Security Agency intercepted emails from the offices of the country’s top former leaders. It was the first time that Israeli officials have expressed anger since details of U.S. spying on Israel began to trickle out in documents leaked by former NSA contractor Edward Snowden. The scandal also spurred renewed calls for the release of Jonathan Pollard, a former American intelligence analyst who has been imprisoned in the U.S. for nearly three decades for spying on behalf of Israel. “This thing is not legitimate,” Israeli Intelligence Minister Yuval Steinitz told Israel Radio. He called for both countries to enter an agreement regarding espionage. “It’s quite embarrassing between countries who are allies,” Tourism Minister... Continue reading
Posted Dec 23, 2013 at Skating on Stilts