Ex-NSA Official Indicted For Leaks To Newspaper

Hugh Pickens writes "The Baltimore Sun reports that in a rare legal action against a government employee accused of leaking secrets, a grand jury has indicted Thomas A. Drake, a former senior National Security Agency official, on charges of providing classified information to a newspaper reporter in hundreds of e-mail messages in 2006 and 2007. Federal law prohibits government employees from disclosing classified information which could be 'expected to cause damage to national security.' The indictment (PDF) does not name either the reporter or the newspaper that received the information, but the description applies to articles written by Siobhan Gorman, then a reporter for The Baltimore Sun, that examined in detail the failings of several major NSA programs, costing billions of dollars, that were plagued with technical flaws and cost overruns. Gorman's stories did not focus on the substance of the electronic intelligence information the agency gathers and analyzes but exposed management and programmatic troubles within the agency." Adds reader metrometro: "Of note: the government says the alleged NSA mole uses Hushmail, which is all the endorsement I need for a security system." Perhaps Mr. Drake was unaware of Hushmail's past cooperation with the US government?

Burn him at the stake!

[MeNotU]

"exposed management and programmatic troubles within the agency."! Can't have management look bad!

Look forward, not backward

[dkleinsc]

Check out Glenn Greenwald's post on this exact issue. He raises an extremely important point:

- Illegally wiretapping US citizens, and/or ordering illegal wiretapping of US citizens: No problem, we have to look forwards, not backwards.
- Exposing illegal and inefficient workings of the NSA: throw the book at 'em.

Something is very very rotten.

The real problem

[amiga3D]

The real problem here is that officials use the security system to hide their fuck ups. By making all kinds of crap classified that shouldn't be they clog the system and reduce the efficiency. It's impossible to run a security system when you flood it with tons of info that is only classified because it's embarrassing to the morons in management.

Re:The real problem

[Thanshin]

By making all kinds of crap classified that shouldn't be they clog the system and reduce the efficiency. It's impossible to run a security system when you flood it with tons of info that is only classified because it's embarrassing to the morons in management.

Au contraire! My friend.

Imagine being a spy trying to find some interesting piece of information. You spend a couple of days seducing the secretary, a week finding a geek to crack the codes, another week to go to Italy to replace the suit you just ruined while chasing, on motorboat, the guy who had the passkeys, etc...

Two months later, the information you just got is random useless crap about a lowly manager fucking up his job in various ways and you just lost your best opportunity of novelizing your adventures.

Re:The real problem

[Gary+W.+Longsine]

Agreed. When I heard this story on NPR last night the first thing I thought was that this person might be a protected whistleblower, as it appears that the "state secrets" that were leaked don't relate to national security as much as bureaucratic incompetence and governmental inefficiency. The NPR story doesn't seem to mention the idea that this person might be considered a whistle-blower (admittedly I didn't catch all of the story.) The infamous "most Americans" oh heck, maybe even most Americans (not just the Slashdot libertarian geeks and the teabaggers hanging on Glenn Beck's every utterance) might well wind up thinking something rather different than the government expects them to. If Americans decide he was a whistleblower on billions of dollars of waste fraud and mismanagement, Thomas Drake might wind up as a folk hero and a commentator on the Sunday morning talk circuit. Presumably he'll seek some legal shelter under the Federal Whistleblower Protection Act. However, since he blew the whistle on the NSA and not the park service, that shelter might be pretty thin.

On the brighter side, it will be highly amusing to watch Fox News try to figure out how to present this story, what with it's spooky quantum both a particle and a wave nature (he's a dangerous spy... and a hard working taxpayer folk hero!") We'll get to revive the Shimmer dessert topping and floor wax meme for this one.

Can You Say "Paper Trail"?

[WrongSizeGlass]

charges of providing classified information to a newspaper reporter in hundreds of e-mail messages in 2006 and 2007

How is it that a guy dumb enough to use e-mail for this was a senior NSA official?

Re:Can You Say "Paper Trail"?

[muckracer]

> > > charges of providing classified information to a newspaper reporter in hundreds of e-mail messages in 2006 and 2007

> > How is it that a guy dumb enough to use e-mail for this was a senior NSA official?

I think you meant it the other way around (the diff is not just cosmetic):

How is it that a senior NSA official was dumb enough to use e-mail for this?

Re:Can You Say "Paper Trail"?

I heard on NPR yesterday they both used Hushmail to email the classified documents.

Re:Can You Say "Paper Trail"?

[physicsphairy]

I fail to see what would be wrong with sending encrypted emails backed by chained proxies, Tor, etc. It's not like the information is even secret--the whole point was to have it disclosed in a newspaper. Given that he might come under occasional (or constant) investigation by the authorities simply because of the nature of his job, avoiding a physical presence as well as any unusual behavior is a must. What would you recommend as an alternative?

I think the real problem was simply that he sent "hundreds of messages" to the same guy. As soon as the NSA points their attention at that guy, they have access to everything, no matter the medium of communication. Before that they already probably have their list of culprits narrowed down significantly based on the info that was being disclosed. Once they know where to get the unencrypted messages they can analyze them for writing characteristics (such as word frequencies) which correspond to one of their employees, assuming their aren't much more blatant clues slipped in. It may even be at some point he simply had no choice but to reveal details about his identity/job to convince the reporter he was a legitimate leak--I mean, if you perfectly anonymize yourself how do you convince anyone you aren't just a hoaxer? Even if the reporter can successfully destroy any evidence of the content of such communications, that doesn't mean he won't squeal when some scary guys from the government pick him up off the street and tell him horror stories about what might happen to him if it doesn't. (the fact they wouldn't mention who the reporter was could be evidence of his cutting a deal)

Perhaps this guy will soon have an "accident" ...

It's what they'd do in Russia.

Of course, in Soviet Russia, accident would have YOU.

the guy was a whistle blower

[circletimessquare]

he was exposing government waste

if he were exposing state secrets, let him rot in jail

but that's all sound and fury surrounding the real issue of what was actually disclosed, and why

the substance of his disclosures and what motivated him: wasted tax payer dollars on lame NSA projects

as far as i am concerned, for his actions, this guy is a hero. we need MORE government employees like this. and his timing is impeccable, government waste is pissing off the country like never before right now: perhaps the tax party can make him some sort of patron saint?

Forget Hushmail

[Obyron]

Hushmail is notorious in certain circles for sharing people's PGP keys with investigators who come knocking. This was in relation to DEA and Customs investigations in Operation Web Tryp to crack down on people using the internet to get ahold of research chemical indoleethylamines and phenethylamines (read: designer psychedelics). A lot of these people were using Hushmail, and when the investigators went to Hushmail, the provider burned their users. If they'll rat you out to the DEA and Customs, bet your sweet ass they'll rat you out to the NSA. Fuck, read this article at Cryptome.

If you need any expectation at all of ACTUAL privacy (the kind that'll keep you out of prison), don't use Hushmail. Someone people actually trust, like maybe the people behind Wikileaks, should start a real anonymous mail network.

Re:Forget Hushmail

[metrometro]

If you need any expectation at all of ACTUAL privacy (the kind that'll keep you out of prison), don't use Hushmail.

As noted in the prior /. thread on this, Hushmail uses two mode: stupid and secure. They explain as much when you sign on.

In stupid, they do all the work for you, webmail style, which means they have a copy of your key. You are now screwed.

In secure, encryption is done in a Java applet, which is open source. That means (barring any man in the middle weirdness with the Java download) they do not have access to your keys, because they are never sent. While they would certainly "rat you out" if they don't have the goods, they can cheerfully comply with the law (or the NSA pseudo legal equivalent) without providing much of value: just encrypted emails. This appears the be the basis of the government's evidence: the alleged leaker sent a lot of encrypted email. Their indictment, however, did not mention the specific contents of that email, probably because they can't read it.

Alternatively, FireGPG seems like a good option for webmail. More secure systems exist, but as always, in the real world security balances against user experience and people sure seem to like this webmail thing.

Re:Forget Hushmail

[Zak3056]

If you need any expectation at all of ACTUAL privacy (the kind that'll keep you out of prison), don't use Hushmail. Someone people actually trust, like maybe the people behind Wikileaks, should start a real anonymous mail network.

I don't trust Wikileaks--they have an agenda, and it isn't simply informing people about things which are unlawfully/immorally kept hidden. I will grant that they are serving an important function right now, and I am grateful for this... but trust? No way.

Re:Forget Hushmail

[gknoy]

In secure, encryption is done in a Java applet.... they do not have access to your keys, because they are never sent. While they would certainly "rat you out" if they don't have the goods, they can cheerfully comply with the law (or the NSA pseudo legal equivalent) without providing much of value: just encrypted emails.

The NSA is one of the few organizations that I would expect to be able to break the encryption on a mass of encrypted e-mails -- not by brute forcing it, but by awesome cryptanalysis. I'd be surprised if the Java applet didn't have some implementation errors, or the data being encrypted had enough recognizable patterns in it to allow some work with known plaintexts.

That said, Hushmail giving them a copy of all your (encrypted) e-mail is not a whole lot different than your normal e-mail provider doing the same. About the only significantly different situation (that I can think of) would be if they were to have physical access to your drives... but for that they'd (we assume) need a warrant.

Re:Guilty Of Embarrassing Them

[castironpigeon]

This is about the fact that someone exposed the fact that they are wasting money in a highly incompetent manner.

Actually the government is quite competent at wasting money!

Unfriggin believable

[Syntroxis]

Can anyone say Valerie Plame?

Bahahah

[copponex]

Oh my god. This is the funniest post I've read in years.

Tell me, which article of the Constitution permits

1) unreasonable searches and seizures by
2) agencies under no or very little congressional oversight
3) which have secret budgets?

I think you and the tea partiers will be slightly disappointed once you get around to understanding the constitution instead of reading it for selective applications of your own biases.

Treason against the United States, shall consist only in levying War against them, or in adhering to their Enemies, giving them Aid and Comfort. No Person shall be convicted of Treason unless on the Testimony of two Witnesses to the same overt Act, or on Confession in open Court.

Re:Bahahah

[copponex]

Your point 1 requires evidence. What unreasonable searches and seizures do you refer to?

Have you read a single newspaper in the last eight years?

http://en.wikipedia.org/wiki/NSA_warrantless_surveillance_controversy

What exactly do you think the NSA does? Are you really that credulous?

If you want to make a case that all budgets must be entirely disclosed at some given level of detail, I'd love to hear it.

Article 1, Section 9: No Money shall be drawn from the Treasury, but in Consequence of Appropriations made by Law; and a regular Statement and Account of the Receipts and Expenditures of all public Money shall be published from time to time.

Are you disputing the government's authority to operate clandestine intelligence agencies? If so, I'd love to hear the argument for that, too.

They have shown repeatedly that they are incapable of controlling themselves when there is no oversight. The NSA and CIA and FBI have repeatedly operated outside the law. We are supposed to be a nation of laws.

But the solution for that is not turning a blind eye while people spill our secrets in wartime.

Do you think you're channelling Thomas Jefferson or Stalin with that kind of outlook?

Why suspend the habeas corpus in insurrections and rebellions? Examine the history of England. See how few of the cases of the suspension of the habeas corpus law have been worthy of that suspension. They have been either real treasons, wherein the parties might as well have been charged at once, or sham plots, where it was shameful they should ever have been suspected. Yet for the few cases wherein the suspension of the habeas corpus has done real good, that operation is now become habitual and the minds of the nation almost prepared to live under its constant suspension. -Thomas Jefferson

Re:Bahahah

[copponex]

By pointing to Wikipedia, you undermine your own argument.

By pointing to nothing, you fail to make an argument. I check the sources.

The budget is published, with certain details redacted for national security purposes.

Here's sworn testimony from the Director of the CIA that contradicts your claims:

Finally, in evaluating whether to release the total intelligence appropriation, I have to consider whether a release could add to information that is already available to hostile individuals in a way that could reasonably be expected to reveal or lead to identification of other information that could damage the national security. Information that is in the public domain is not, in fact, entirely accurate. Where official release of the budget total, even if it does not itself reveal all the sensitivities of the intelligence Community, would provide valuable analytic benchmarks or clues to make our sensitive intelligence activities, sources, or methods more readily and precisely identifiable by hostile services and groups, then official release reasonably could be expected to damage the national security.

http://www.fas.org/sgp/foia/2002/tenet.html

No budget is published. There is nothing to redact, and any redaction would be a violation of providing a regular statement of account, notwithstanding the direct violation of taking money out of the treasury for unlawful purposes. Not being aware of the facts undermines your argument pretty seriously, don't you think?

Your Jefferson quote does not support your position.

The word you're missing is context. Medcalf tried to make the assertion that wartime is an excuse for breaking the laws of our country. I demonstrated that this belief was not shared by at least one of our founding fathers.

This ignores the fact that the war on terrorism is just like the war on jealousy - it's never going to end, and it will be an eternal excuse for abuses of power.

Re:Bahahah

[copponex]

By Wikipedia's own admission, anyone can edit an article at any time, therefore the information in the article can not be trusted at any point in time.

Unless you check the sources. Are you aware of how research works? How would you treat Wikipedia differently from Encyclopedia Brittanica? I mean, besides prancing around red herrings.

Maybe you should try researching the federal budget and the budget process.

At no point is there a clear accounting of money spent on intelligence agencies. This violates the constitution. You're free to pretend otherwise; I imagine it's necessary to fill in the holes that your alternate reality requires.

Is there any other power center you'd like to shill for? No, I'm serious. I'd love to see how badly you would do for the Pentagon. Maybe you could take a crack at defending extraordinary renditions?

In other words, your quote actually argues against your point because Drake was breaking the law. The information Drake released did not show any illegal acts, merely failed projects the nature and existence of which were classified. Drake violated the law and was indicted by a grand jury. Your quote does not help your cause in the least.

Aww boo. Oh wait! Here's one:

If a law is unjust, a man is not only right to disobey it, he is obligated to do so. -Thomas Jefferson

Score one for reading the founding fathers, and a second point for understanding the empire they were fighting against.

Re:Guilty Of Embarrassing Them

[idontgno]

That money got wasted in a highly incompetent way is not news.

That someone is getting in trouble for whistleblowing is not especially news.

But this kind of whistleblowing is always going to end badly for the whistleblower, because even if a legitimate transparency function is served (calling attention to wasteful and inefficient program administration), the programs themselves are classified. In the public eyes, they're not supposed to even exist. To praise them in public would also be a breach of classification. So, this is the hardest class of whistleblowing on the books: even if 99% of the classification decisions on the program can be written off as cover-up, there's still a critical core of legitimate secrecy which gets violated. Trends and techniques used in espionage get exposed. Adversaries are tipped off. Whole lines of intelligence gathering dry up, fail, or have to be abandoned.

It's an unpleasant situation.

Re:Whistleblower

[kilfarsnar]

Yeah, that's right.

We have a whistle-blower law to protect the American taxpayer, but if it's deemed classified, all bets are off.

Great, just great! So, if I want to be a crooked government official, I just need to be able to classify it as "Secret" and "National Security" and I'm off to the Bahamas!

Yeah, that pretty much sums it up. One need look no further than United States v. Reynolds to see that classification will be abused.

well there's state secrets, and then state secrets

[circletimessquare]

for example: the security apparatus around nuclear power plants, that should not be exposed and anyone who does should be punished. that's what i was talking about

but something like bush and cheney's end runs around the constitution: yeah, that should be exposed

so i apologize, you are correct:

i should have qualified my comments better, as i was only really talking about the kind of state secrets like missile launch sequences, that should never be divulged publicly. but you are correct to take issue with my blanket comment, it was unqualified, plenty of "state secrets" need to be divulged

Not inefficient

I agree that over-classification is a problem from a transparency point of view. However, I disagree that it decreases efficiency - in fact efficiency and convenience is one of the big reasons that documents are unnecessarily classified to begin with. When you work on a classified system (like a computer) any documents you generate are automatically treated as classified at the highest level that the system is approved to process. Decreasing or declassifying a document requires you to go through a formal process.

If you are working a a project that is mostly unclassified with a view classified elements, then people spend most of their time working on the unclassified systems, and moving over to classified is a hassle that is only done when needed. As the amount of classified increases, it becomes more of a hassle as you have to split your work between two systems, generate tons of one-time-use CD-Rs for transferring unclassified data to the classified system (which must be immediately marked as classified and appropriately destroyed or tracked). After a point where most of the documents you generate are classified, it is just easier to do everything on the classified system, treat everything as classified, and just go through the review process when you legitimately need the document to be unclassified. In addition to decreasing the amount of data transfer that needs to take place, you also relieve yourself of the worry of accidentally including classified information in an unclassified document (or more likely, indirectly relieving classified information by the association of various unclassified information).

Finally, there often are legitimate reasons why things like schedules and budgets need to be classified. For example, if they include production quantities that are classified. I have worked on projects where the vast majority of our work was unclassified, but we still had both classified and unclassified versions of the budget. I can imagine project where it would be easier to only have a classified version.

All that said, not knowing the details of this case, I can't say whether the information release was legitimately harmful to National Security, or just a gross violation of procedure for good reasons.

Posted anonymously not because any of this is sensitive, but to avoid attracting unwanted attention to myself, by advertising to the work that I work on classified projects.

Lock Him Up and Throw Away The Key

[Necron69]

One of the very first things you have to do before getting a security clearance is sign a document acknowledging that revealing classified information is punishable by a fine of $10,000 or 10 years in prison or both. If you can't handle that from the outset, you have no business having a security clearance.

Make no mistake: this was a very serious crime. While I applaud this guy's intent, the proper place for his complaint was either the Senate Select Committee on Intelligence, or the House Permanent Select Committee on Intelligence. From that point on, it is the responsibility of those Congressional committees to follow up on the information. No person other than the Director of Central Intelligence or the President has the authority to release classified information.

If you think that sucks, then imagine the situation where everyone with a clearance got to decide on their own whether that information should be kept secret or not. There wouldn't be any point to having classified information, and you might as well give it all away to the Chinese/Russians, etc. Do you think they'll reciprocate?

Necron69

wow, good link

[circletimessquare]

yeah, again, i utterly fail in the comment qualification department

anyone who divulges a LACK OF security like this guy should get the congressional medal of honor

anyone who divulges the OPERATING DETAILS of a genuine security apparatus should get a cold cell

Re:Whistleblower

[stewbacca]

Except for the fact that not just any government official can classify something. This is a typical slashdot rant, and one that most people on slashdot don't understand.

Executive Order 12356:

Sec. 1.2 Classification Authority.

(a) Top Secret. The authority to classify information originally as
Top Secret may be exercised only by:

(1) the President; (2) agency heads and officials designated by the
President in the Federal Register; and (3) officials delegated this
authority pursuant to Section 1.2(d). (b) Secret. The authority to
classify information originally as Secret may be exercised only by: (1)
agency heads and officials designated by the President in the Federal
Register; (2) officials with original Top Secret classification
authority;