53 comments

[ 3.2 ms ] story [ 108 ms ] thread
Why are we even mentioning a "NSA review panel"?

Stating the obvious: This panel is not about solving the issue at hand.

Another example: Was anyone really satisfied with the "9/11 commission"?

Bush and Cheney and their administration sure were satisfied.
> Was anyone really satisfied with the "9/11 commission"?

Actually, that commission produced a number of recommendations (http://govinfo.library.unt.edu/911/report/index.htm) which were welcomed by many in Congress and some of which were actually implemented. They included such issues as requiring government security agencies to share data with each other and reorganizing the reporting structure to ensure that would happen.

The analogy fails in this case though, because the 9/11 commission was independent and had members from various backgrounds.

Why aren’t there any technologists on the NSA review panel?

Because the last thing the NSA wants on a panel reviewing them is someone technically competent.

(comment deleted)
Ignoring the 'they won't do anything so it doesn't matter who is on it' part of things -

> review government surveillance policies

Because they're not needed to review policy. You honestly don't need to understand technology, and therefore don't need a technology expert, for most things that happen in the world.

Do you expect a technology expert on a medical review board? The doctor is after all going to be using technology ...

One might be useful to help extract the extent of the surveillance - one might incorrectly assume certain information is untrackable for example.
If it's a medical review board looking at deaths caused by software failures, then yes, I'd expect at least one technology expert on there. And to the credit of the medical community, that's usually the case.

This review board is supposedly trying to establish how bad the NSA surveillance -- clearly a technologically-sophisticated system -- is. If you have people on there who don't even understand how the Internet works (i.e., most politicians), then how in the hell are they going to audit an Internet surveillance system?

But yeah, I agree with you in that it doesn't matter in the long run. This is a rubber-stamp review.

(comment deleted)
People who do not understand technology seem to treat technology as a magic bullet that can be adapted to implement policy. It doesn't work that way.

You need to understand technology in order to understand the implications of what applying particular policy may lead to, and thus whether the policy itself is sane. In the real world, there are major implications when technology fails to implement policy because it fundamentally cannot do so.

For example: in the UK, David Cameron's attitude towards Internet censorship seems to be "It doesn't work. You're smart; make it work." and completely ignores the fact that it is technically impossible to do what he would like. Yet he continues to demand it anyway.

> People who do not understand technology seem to treat technology as a magic bullet that can be adapted to implement policy

Pretending you need experts in 'technology' to do anything that ever comes in the same room as a computer enforces this view, it doesn't change it.

Policy should be written in such a way that it is abstracted from the implementation detail. To the point, it shouldn't matter if I am talking on the phone, writing a letter or IM'ing someone over the internet, the NSA should have to hit the same requirements to look at it.

> completely ignores the fact that it is technically impossible to do what he would like. Yet he continues to demand it anyway

"Idiots doing idiot things because they're idiots." He has been told, many times, by 'technologists' that what he want's can't really be done. It doesn't seem to matter now, does it.

Let's say that I work at a bank and that the bank policy is to put all the money in the vault and as a result, the money will not be stolen. Then one day, the money is stolen.

Turns out that the reason the money was stolen is because the vault has no door. Just because the bank has a "money in the vault can't be stolen" policy on paper doesn't cause that vision of how the world SHOULD be to become REALITY. In order to winnow out the truth in this situation the review panel would need to have someone who knows something about security and vault construction on it. Also who perhaps would be allowed to inspect said vault to verify it's intact.

This is 100% analogous to the NSA review panel as all the folks in government are crowing about how it's policy that you can't look at such-and-such without a reason, but in fact there's no technological enforcement of said policy. Analysts can look at whatever they want provided that they give (type into a text field) some kind of ostensible reason, but that reason is only for auditing purposes. A bad reason typed into a field doesn't prevent the search as there's no review of said reason prior to the search running.

It's a bank vault with a door where the "lock" is a "sign in, sign out" sheet taped to the wall near the handle. And no security guard ensuring that people do in fact sign in and sign out. And definitely not checking to see that the money everyone's leaving with is in fact for the regular operations of the bank and not for their own personal gain.

Those are handled by reports via required experts. Or did you also need an architect on the policy board because it involved a building? They probably plan to print the policy out, I guess we need the engineer who designed the printer on the board as well.

Just because it uses something does not mean a subject matter expert on that thing needs to be involved in every part of the policy surrounding it.

On top of that, this specific group is concerned with the legality of what the NSA is doing. This is the realm of lawyers and constitutional experts. The fact that they are using a computer instead of pads of paper doesn't change that.

Or did they need representatives from the paper mill before?

> in fact there's no technological enforcement of said policy

Oh, and policy writers are often not policy implementers and never are in government, a review board of the policy won't change that.

Do you really think that the NSA is going to allow non-NSA experts to review and audit their systems for what the access controls are? I'm not optimistic on the odds.

We've seen before that the NSA can't be trusted to tell the truth about their systems. That means that their experts, reporting on their systems, also can't be trusted.

Furthermore the legality does in fact hinge on the implementation. If the NSA records everything but encrypts it with something that they themselves can't crack and different judges are given the encryption keys for their respective regions of authority and better still there are multiple judges for each region and its randomly decided which judge gets the key on a given day, you might actually convince me that the NSA hasn't yet performed a search.

So let's suppose for a minute that the NSA would claim exactly that. And let's suppose that the panel decides that given the system described, it is in fact constitutional. We would still need an independent auditor to examine the systems in question and ascertain if in fact the NSA is telling the truth. Because what matters isn't the WRITTEN policy, it's the ENFORCED policy. If all we're doing is finding out the legality of the written policy, it's a total joke.

Because the review panel is a joke.

First, they wanted Clapper to do the independent review. [1] This is the man that openly lied to congress and remains scott-free to this day.

Next they picked Michael Morell. [2] This dude was the acting director for the CIA until March of this very year. Clearly he has the capacity to conduct an independent review of his NSA buddies.

Joining this luminary will be Cass Sunstein [3], author of such classics like "Democracy and the Problem of Free Speech", and the person who proposed the government should infiltrate what he deems "conspiracy theory groups":

However, our main policy idea is that government should engage in cognitive infiltration of the groups that produce conspiracy theories [4, page 14]

Supporting these brains is Richard Clarke, who built his personal career on pushing the "war on terror" after 9/11. He also recently added "cyberwar" to his extensive portfolio of things he has absolutely no clue of. His views on privacy protections and large scale surveillance are well known:

If given the proper authorization, the United States government could stop files in the process of being stolen from getting to the Chinese hackers. If government agencies were authorized to create a major program to grab stolen data leaving the country, they could drastically reduce today’s wholesale theft of American corporate secrets. [5]

(It doesn't take a genius to realize this is the proposal of a person that probably doesn't even have internet access.)

Of course, all of these people work in some capacity for the Obama administration. It didn't even occur to the government morons running this show that maybe, just maybe, they should not pick people with an obvious and direct conflict of interest. They don't even bother to give the impression of caring.

[1]: https://www.techdirt.com/articles/20130812/13512624147/presi...

[2]: http://abcnews.go.com/blogs/politics/2013/08/white-house-pic...

[3]: http://en.wikipedia.org/wiki/Cass_Sunstein

[4]: http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1084585

[5]: http://www.nytimes.com/2012/04/03/opinion/how-china-steals-o...

> Because the review panel is a joke.

This is exactly right. This is a case of the government reviewing itself by packing the review board with insiders and sympathizers. Nobody who disagrees with the NSA's behavior has been selected for this panel.

Blogger Emptywheel has been following this much more closely than the general media:

Advocate of Secret Infiltration, Cass Sunstein, on Obama’s “Committee To Make Us Trust the Dragnet” [1]

The No-Technologist Technology Review Panel [2]

3 Tech Issues the Non-Technologist NSA Technical Committee Needs to Address [3]

[1] http://www.emptywheel.net/2013/08/22/advocate-of-secret-infi...

[2] http://www.emptywheel.net/2013/08/27/the-no-technologist-tec...

[3] http://www.emptywheel.net/2013/08/28/3-tech-issues-the-non-t...

Of course the panel is a joke but how many technologist put themselves in situations where they'd be in politics?
Cass Sunstein is among the most famous living constitutional law scholars.

Richard Clarke built his post-government career (after being the most senior counterterrorism official in the Clinton administration) as a critic of the way the "war on terror" had been prosecuted, and has been working on "cyberwar" subjects for over a decade.

I don't like Clarke much and I don't agree with everything Cass Sunstein proposes but your dismissive tone harms your argument.

Cass Sunstein is among the most famous living constitutional law scholars.

Obama himself graduated magna cum laude with a masters degree in law from Harvard and then lectured on constitutional law for 12 years at the University of Chicago Law School. Expertise in constitutional law doesn't necessarily translate to skepticism here. The constitution is not a moral authority on privacy.

Richard Clarke

He wrote an interesting op-ed before he was named to this committee. It appears to be critical of the NSA's operation, but a closer reading suggests his problem is about the degree, he's fine with massive record keeping, he just wants it in the hands of the telcos.

http://www.nydailynews.com/opinion/worry-nsa-article-1.13697...

Sunstein is a much more highly regarded legal scholar. Obama was a lecturer at UChicago. Sunstein was a professor. They're not in the same league. Sunstein is up there with Tribe.

I'm not sure where "moral authority on privacy" enters the picture. The question is how the program comports with the Constitution and the American system of governance.

Academic credentials are great and all, but don't they need to be applied to the real world before we can say that they know how to use any of it? The simple saying "the proof is in the pudding" comes to mind.
Then why didn't they pick Tribe? The problem isn't that Sunstein doesn't have the legal chops. The problem is that Sunstein has gone on record (and written a book) supporting governmental overreach. You're hiring yes-men to do your "independent review".
This is the "purity test" theory of public policy. It's easy to be the kind of scholar that Obama (or Bush) can put on any panel; just shut up. Don't write anything ambitious or controversial.

The idea that Cass Sunstein is a "yes man" for Obama is laughable. If anything, it's the other way around.

You will also find in the work of most constitutional scholars something to upset any message board anarcho-libertarian, because very few of them believe in the black-letter absolutism that anarcho-libertarians choose to evaluate the Constitution in. You think there's nothing in Tribe's record to argue with? He's a gun control supporter, for one. You think pundits wouldn't be calling him an "Obama yes-man"?

You're right. I concede that Cass Sunstein is not the problem on the panel. And acknowledge the very troubling "shut up and say nothing" outcomes that my viewpoint has on anyone with any sort of ambition of public office.

But I'm still not convinced that the panel is anywhere near independent given the rest of the crew such as Morell and Richard Clarke.

I don't think the panel is ideologically independent at all, and rather doubt such independence was a goal of the panel to begin with. I don't think the panel is being run for "your" benefit.

(I appreciate how gracious your comment was. Thank you.)

I don't think the critique is whether they are a "Yes Man for Obama," but what their body of work shows about their inclinations regarding the topic at hand, that they and Obama are both pointers to the addresses of these activities and the goal is to prevent the activities from being garbage-collected. In a manner of speaking, and metaphors are lossy.
Ok, just to be clear, the comment I actually replied to ends with You're hiring yes-men to do your "independent review".
Right, and your rhetorical leap was in applying the concept of a yes-man to Obama himself. The quote:

The problem is that Sunstein has gone on record (and written a book) supporting governmental overreach. You're hiring yes-men to do your "independent review".

An issue at hand is whether the group will merely be researching means by which the ends can be maintained, that they are yes-men for the activities, the same way Obama appears to be. It's reasonable to question whether they have the same master, that they aren't truly independent.

The panel isn't a referendum on the morality of the NSA surveillance. It's an investigation into the legality of the NSA surveillance.
Its a good thing that we can trust people to never let their clear policy preferences and similar biases impact their judgements of legality when the facts that they are investigating are not publicly reviewable in a way which would let their analysis be questioned.

No, wait, that's angels -- people can't really be trusted that way. If they could, we wouldn't need this panel in the first place.

(comment deleted)
It's also an appeal to authority to think because he is an expert at infosec, he's also some sort of expert on presidential review groups :) I agree with tptacek on crypto and as it turns out very little else.
It looks like you're a throwaway, but I'll bite. If you follow the conversation, you see that 'tptacek isn't using appeal to authority to defend an argument. Rather, he was responding to an abrupt dismissal of two people. He also clarified that he doesn't necessarily like or agree with either of them.

There's no appeal to authority here. If the parent had actually made a strong argument, Thomas might have responded with an actual argument as well.

There is no such thing as an "appeal to authority defense fallacy".
> Cass Sunstein is among the most famous living constitutional law scholars.

He is a person who has expressed views supportive of an extremely active role of government in covertly surveilling and infiltrating with the intent of moderating domestic political groups whose views are unwelcome to the government.

This clearly makes him a extremely problematic pick for a review board whose role (as overtly stated by the President) is to instill confidence that the NSA is not taking an actions that are excessive, unconstitutional, and illegal under statute law in terms of covert domestic surveillance, no matter how "famous" he is.

It makes him problematic if you think the charter of the panel is an adversarial interrogation of NSA. But maybe the point of the panel isn't to reassure the public, but rather to reassure Obama, who after all is the person whose opinion counts most here, that NSA's actions aren't setting him up for 2 years of constant legal headaches.
> It makes him problematic if you think the charter of the panel is an adversarial interrogation of NSA.

It makes him problematic if you think that the panel has any purpose suitable to a public panel at all.

* If it is a PR effort, its problematic because Sunstein's known biases make it easy to discount his opinion when the underlying facts aren't reviewable.

* If it is a serious effort to get to the bottom of what is going on at the NSA, it is problematic because Sunstein's known biases make it unlikely that he will be interested in probing to deeply.

* If it is a private effort to reassure Obama about legality, that doesn't make sense for a public panel of this type at all, no matter what the composition is.

My guess is that it's the third bullet, but that someone in the administration thought it might serve some PR purpose, or that the administration felt like convening such a panel without announcing it would indicate doubts about the program that don't really exist.

The reality, of course, is that hardly anyone knows who any of these people are.

Have you read much of Sunstein's stuff? What's the thing you found most problematic? Surely it isn't Nudge (a great book! but not particularly indicative of Sunstein's legal philosophy.)

Cass Sunstein is among the most famous living constitutional law scholars.

Way to go! Replying to the grand parent's (revelation's) solid argument by using vague statements. Just what does the most famous living constitutional law scholar even mean? Besides being meaningless statement like the most beautiful woman in the world it is also almost irrelevant - almost nonsensical - to the current discussion. Just because a person has had a successful career - particularly in politics, bureaucracy and fields like that - doesn't mean the person doesn't have an agenda and vested interest. In fact some would argue it is quite the opposite as - unlike some tech/hard science luminaries, for example - their success is likely correlated with their other - rather nefarious - traits than pure merit alone.

Your next paragraph about Richard Clarke is in similar vein.

Corporate secrets being stolen digitally is obviously a big problem, but saying that the government should fix it is obviously yet more corporate socialism.

  Why aren’t there any technologists on the NSA review panel? 
Because they might ask sane questions of course.
(comment deleted)
They should just put Snowden on the panel and be done with it :D
Because Obama doesn't see this as a technology issue. It's a security versus legal rights issue. Technology is involved merely incidentally. Hence a panel that involves two intelligence people (Morell and Clarke), and three law professors (Sunstein, Swire, and Stone).

The professors aren't ideologically diverse, but they're hardly intelligence community insiders like the article is trying to make them out to be. Swire was Chief Counselor for Privacy in the OMB under Clinton. Stone writes a lot on subjects like preserving free speech rights during wartime. None of these guys are anarcho-libertarians, but they're not John Woo "security first" guys either. They pretty much represent the views of the "mainstream left."

Hypothesis: what people want is not someone who knows "how to run a packet sniffer." There is nothing complicated about the underlying technology that can't be explained adequately to a bunch of intelligent people. What people are really mad about is the lack of any representation of the political views of technologists: people who put a very high ideological priority on free information and protecting communications online. Because that is the thing you can't explain in a whitepaper.

"There is nothing complicated about the underlying technology that can't be explained adequately to a bunch of intelligent people."

Assuming the underlying technology and it's implications are explained adequately at all. We already know how they try to explain metadata, so how are they going to explain the stuff we still don't know about?

Metadata is actually a good example. I'd bet that everyone on that panel understands perfectly well what metadata is and is not. The relevant part of the metadata issue isn't technical, it's legal: can it be protected by the 4th amendment, when it's sitting on AT&T's servers? What sophisticated technical understanding is needed to answer this question? Indeed, arguably better technical understanding undermines the argument for protecting it. When you understand that the metadata is something that's generated by AT&T and not you or your phone, that's less of an argument for protecting it.
"There is nothing complicated about the underlying technology that can't be explained adequately to a bunch of intelligent people"

Explained by...? I would have thought that having a technologist on the panel would at least serve the purpose of explaining technology issues to the rest of the panel's members.

That's generally not how panels work. They'll commission expert reports, etc.
Because no relevant technologist wants to sit on a panel that is inevitably going to conclude that some degree of SIGINT will need to impact Google. They've got to keep working in this industry, after all.
If having a technologist was important, there would be a technologist there. I'm sure there are many who would accept a position if it was offered. Much more likely is that it wasn't considered a technology matter at all. The technology is just there to do what its told after all.
That is, as a matter of fact, true.
Having a technologist like Felten on the panel could provide much-needed insight into the broader technical implications of government surveillance practices. For example, the National Security Agency (NSA) has claimed a data collection practice later ruled unconstitutional by the Foreign Intelligence Surveillance Act (FISA) Court was the result of a complex technical problem rather than an overreach by the NSA during a press call. Someone with technical training would be well-positioned to evaluate the technical merits of this claim.

When the government is doing something bad, it's not relevant whether it came from technical problems rather than cultural.

All we need to know is that the government has been doing something bad. The evidence that this has occurred, for any reason, should be sufficient to shut it down.

Because the goal isn't an unbiased review, but a stamp of political approval? Did you really think the government as a whole is self-critical?

Read Feynman's account of being on the Challenger review panel. He was the token scientist among politicians and PR people, and they tried to steer him away from doing any actual investigations. They tried to agree, before doing any investigation into why the shuttle blew up, not to blame NASA and to indeed give it vote of confidence.

The goal is to deflect blame from the government while making the status quo look hunky dory. Any actual investigation is counterproductive and I guarantee it won't actually happen to the NSA. This is a PR campaign, period.