From: daw@mozart.cs.berkeley.edu (David Wagner) Newsgroups: sci.crypt Subject: Re: National Security Nightmare? Date: Sun, 3 Jun 2001 09:23:08 +0000 (UTC) Organization: University of California, Berkeley Lines: 80 Message-ID: <9fcvls$38b$1@agate.berkeley.edu> References: <20010213231146.05431.00001257@ng-ch1.aol.com> <3B16C2EB.E30F6AF@null.net> <9f6khv$1sd$1@agate.berkeley.edu> <3B17A278.D7BE5D50@null.net> NNTP-Posting-Host: mozart.cs.berkeley.edu X-Trace: agate.berkeley.edu 991560188 3339 128.32.45.153 (3 Jun 2001 09:23:08 GMT) X-Complaints-To: usenet@agate.berkeley.edu NNTP-Posting-Date: Sun, 3 Jun 2001 09:23:08 +0000 (UTC) Bcc: daw@cs.berkeley.edu X-Newsreader: trn 4.0-test74 (May 26, 2000) Originator: daw@mozart.cs.berkeley.edu (David Wagner) Thank you for being willing to discuss this. However, I must report that I have carefully read the documents you referred to, and as far as I can see, they do not say what you thought (with the possible exception of one case that is unclear at best). See my detailed analysis below. In particular, I couldn't find any prohibition against the "GCHQ backdoor", i.e., a gentleman's agreement between the NSA and GCHQ to spy on each other's citizens and swap intercepts. If it is the policy of the NSA that such conduct is forbidden, how can I tell? I would warmly welcome any specific pointers. I guess my challenge still stands. If it is the policy of the US to protect US communications, no matter who or how they were collected, where is this clearly stated? Where are the excerpts from the NSA's training manuals that describe these procedures? It does not sound like an entirely unreasonable request. At present, the guiding policy and procedures are apparently classified (see below). If US policy prohibits the "GCHQ backdoor", what national security reason could one have for keeping the relevant excerpts of the policy secret? I'd be grateful for any help in understanding this puzzling state of affairs. I hope you can see why this does not provide much reassurance. Quite likely there is nothing all that nefarious going on in much of the NSA today, but it does not seem unreasonable to ask for something better than the above. Here's the detailed analysis. I'll go through each of the documents you referred to. If I overlooked anything, I'd be grateful for a correction. - 50 USC 1801-1829. This creates a new way under which US agencies can be authorized to spy on people. However, nothing says it is the only way. As far as I can see, it only adds to the things the NSA is allowed to do---it doesn't restrict them. (By the way, FISA is hardly a shining example of civil rights protection, IMHO. If FISA is intended to be representative of the way the national intelligence community treats US citizens, I think outsiders might be right to be somewhat concerned.) - Executive Order 12139. I can't see the relevance. - Executive Order 11905. Once upon a time, this did give explicit protection against the "GCHQ backdoor": see Sections 5(a)(1) and 5(b)(7). I agree that this would be an excellent model for policy on this issue. However, 11905 has been superseded (see below), and sadly, those prohibitions are apparently now gone. - Executive Order 12333. No prohibitions against the "GCHQ backdoor". The relevant protections in 11905 disappeared. Has a reference to nebulous procedures established by the head of the agency, but these procedures are _classified_ and apparently are subject to change at any time. Also, 12333 seems to explicitly permit collecting intercepts on US people: see Sections 2.3(c) and 2.3(h), which permit agencies to intercept US communications if they are gathered as part of a larger operation whose purpose is not solely for intercepting US communications. But this is exactly the sort of scenario we should be worried about. As a minor note, there are no obvious prohibitions in 12333 against passing our intercepts of British citizens to the GCQH. http://www.reagan.utexas.edu/resource/speeches/1981/120481d.htm - Hayden's testimony (12 Apr 2000). Says US agencies are forbidden by 12333 to ask GCHQ to spy on US citizens: I'm prepared to accept this for the purposes of argument. What Hayden does _not_ say is that it's only forbidden to ask; if GCHQ does it without asking (or if there is an unspoken gentleman's agreement), it is not at all clear that this would be a violation of 12333 Sec 2.12. Hayden also says 12333 requires "no information [...] about a U.S. person may be retained unless the information is necessary to understand a particular piece of foreign intelligence or assess its importance." That would be a truly laudable policy... except that I cannot see where in 12333 he is finding this requirement. (This is the exception I mentioned above.) Am I missing something?