Senator Ron Wyden rarely asks a rhetorical question. In a March 2013 hearing, the Oregon Democrat asked the Director of National Intelligence whether the National Security Agency collected “any type of data at all on millions or hundreds of millions of Americans.” The director, James Clapper, replied, “No, sir,” but within weeks came the first in a series of news articles, based on documents from NSA whistleblower Edward Snowden, showing the agency had conducted surveillance on a breathtaking scale, with millions of Americans swept up.
Since then, Americans have looked to Wyden to defend privacy rights — often by asking pointed questions about secret issues known only within the intelligence community.
Last week, I spoke with Wyden about what questions he’s asking today. The senator packed a wide range of concerns into our brief phone interview, including whether coordinated Russian election hacking compromises “the legitimacy of [the U.S.] government,” how often the NSA has engaged in “warrantless backdoor queries of Americans,” the possibility that not just foreign but also domestic intelligence agencies might be exploiting a widespread vulnerability in cellular and landline communications — and a rare upcoming opportunity to reform government mass surveillance.
As a member of the Select Committee on Intelligence, Wyden has a busy 2017 ahead of him addressing these and other issues. Already this year, he’s become an outspoken player in the ongoing investigation into Trump’s Russia ties, but he’s also trying to scrutinize less sexy threats. In mid-March he and Rep. Ted Lieu of California wrote a letter to the FCC, asking for the agency to “address major security weaknesses” in SS7, the telephone networking standard that allows for fundamental cellphone capabilities like roaming and SMS messaging. Just a few weeks later, Wyden joined seven other senators in questioning the nation’s broadband providers about recently gutted privacy rules governing internet service providers, including one particularly esoteric query about whether ISPs would provide to intelligence agencies, under an administrative subpoena known as a National Security Letter, “netflow” data that captures streams of data flowing to and from customers.
The transcript below has been edited for clarity, and links have been added where appropriate.
The declassified copy of the Russian hacking report was criticized for failing to provide any evidence or arguments for Russian governmental attribution that wasn’t previously public. Do you agree with that assessment?
Yeah, I’ve been calling for more transparency and more declassification and more information for months and months now. Obama released [the declassified report], then I asked [FBI Director James] Comey in January at the open hearing about open source new information, what could he tell us about it, whether he was looking at it. He went, oh my goodness I can’t possibly talk about investigations. Then, after all the eye rolling was over — because he had plenty to talk about 11 days before the election — that’s generally seen as the motivating factor in our really getting… open hearings, and a look at the relationship between the Trump campaign and the Russians.
Should we expect more? Is there anything to be done to get that stuff declassified?
I have been urging the chairman and the vice chairman regularly to accelerate the pace of this effort. Right now people are getting their information from leaks, they’re getting their information from false tweets from the president, daily news stories, and we need to have more open hearings, we need to do more to get information declassified. We need status reports, in my view, particularly from people like James Comey, because this isn’t a traditional closed-box investigation like Watergate or some of the other intelligence matters, where once in a while something comes out. This is something where every 12 hours there’s a new story. So we need a lot more information made public, to bring the American people into this topic, which they know really goes right to the legitimacy of their government. And this information can be made available without compromising classified information sources and methods.
Would you support declassifying any signals intelligence related to the attribution?
I can’t really get into committee deliberations and things like that.
Speaking more generally do you think signals intelligence could or should ever be properly declassified for the public in extraordinary circumstances?
I think you’d have to take it case by case — yeah. In some circumstances, yes….as a general policy, should there be opportunities to declassify, I can think of some circumstances. I just can’t get into this case.
Multiple members of Congress, a former vice president, and a former Democratic National Committee chair have either raised the question or asserted outright that this Russian hacking should be considered an act of war. Do you think any online attack that doesn’t affect physical infrastructure should be considered an act of war?
Let me characterize it in my way… what was admitted in the fall, where [former Secretary of Homeland Security] Jeh Johnson and [former Director of National Intelligence James] Clapper said that the Russians were interfering with our election, is something so significant, and of such concern to our democratic institution, that we cannot look the other way. It has got to be met with a response. And that’s what the point of this inquiry is all about. Is getting out all of the details and when foreign powers interfere with our institution we don’t sweep it under the rug.
What kind of response would you deem appropriate in this case?
We’re in the middle of an inquiry and you don’t talk about possible responses right now.
Domestic and incidental collection has been a passionate subject for you. Do you have any response to those who are either upset by Susan Rice’s actions, or [by unmasking] in general?
Although the facts are far from clear, the media reports of the last week raise, in my view, very substantial questions about how information is collected on Americans and how it gets distributed and used. I have been trying to reform these practices for about a decade. Hopefully my Republican colleagues are now going to finally take this issue seriously. And there will be bipartisan support for the kinds of reforms that I’m seeking. I think we have to be given an accounting of the number of Americans’ communications collected under section 702 of FISA, the number of warrantless backdoor queries of Americans, how minimization of procedures work —because they are continually cited as why the status quo is good. All of those issues — communications collected under section 702, warrantless backdoor queries of communications, minimum procedures for how this system works — have to be given to the Congress so that Congress can start looking at how to reform surveillance authorities that expire at the end of this year.
How do you balance your desire for these reforms versus the need to get to the bottom of all the alleged Trump/Russia connections? If people close to him were involved and have been under surveillance, revelations of that nature would become public, and some unmasking would have to happen.
I’m going to be asking some more questions about some of these issues. You’ll recall that a few hours after Mr. Nunes began his back and forth with the White House and talking about classified documents, I said it looked like he may have released, wrongfully, classified documents, and that’s now being examined by the House ethics committee. When we make a judgment about a potential issue here, we’ve got a pretty fair track record of laying it out, much as when I warned the country on the floor of the Senate about issues they didn’t know about with respect to the government collecting all these millions of phone records. So there are a lot of issues to dig into here, and there’s no question that the reform cause has certainly generated a lot of awareness as a result of the last couple of weeks. That’s been good for us.
Do you think Republicans are genuinely interested in [FISA] reform, or simply upset because it’s affecting their own people, so to speak?
I won’t speak for all the Republicans, but I’ve talked to a number who have come up and said “I’ve learned more about what you’ve been talking about”
Do you think there’s a better chance than in years past of getting these reforms through?
Yes, I think there is, just on the basis of the additional awareness, people want to examine this as an issue, they start with some political judgment, as if often the case, and I tell them, hey, I took on overreach in the George W Bush administration, I took on overreach in the Barack Obama administration, I’m clearly tackling overreach in the Trump administration, and I think if you put it that way, you have an opportunity now to build a bipartisan coalition for reforms of FISA 702 that you wouldn’t have had six months ago…apparently [Virginia Republican Congressman] Bob Goodlatte and [Michigan Democrat Rep.] John Conyers even [on Friday] asked for the same thing I’ve been trying to get for almost a decade, the number of law abiding Americans who get swept up in searches. So I do think we are making progress.
You have recently been trying to draw attention to our country’s SS7 network vulnerabilities. Other than the press reports you’ve cited, why the urgency now?
I think when you’re talking about these kinds of vulnerabilities and cell phone company roaming agreements that allow all sorts of people to hack our devices, the first thing you think about is foreigners and hostile powers and Russians, and all kinds of other people.
Has there been any development over the past year or so that’s made 2017 the time to be vocal about SS7?
Well, experts have been warning about this vulnerability for over a decade, but I think what’s happened, Congressman [Ted] Lieu and I have pointed out that it seems to be growing, the ability of nation states and hackers to use this gap in the way cell networks are communicating and being used to track and tap and hack phones from miles away. It can’t be fixed quickly by just more software anti-virus, it’s a business and a process problem, and frankly I think in the past there’s been a fair amount of foot dragging at the federal agencies. What we’re trying to do with Homeland Security and the FCC — we’ve written letters and the like, we’ve been trying to get them to up the ante, and they’ve acknowledged that there’s a problem, but most of the carriers are unprepared to confront the threat.
Are you aware of any significant nation-state intrusions via SS7?
No. But what I can tell you is foreign powers are not ignorant of what goes on in these breaking areas, in these cutting-edge technologies and vulnerabilities, and certainly this would be a prime opportunity. The FCC has not been doing a good job of policing this. They’re the ones who are tasked with making sure our phones are secure and they ought to step up to the plate.
The issue also has relevance to encryption. Voice calls get placed over wireless networks, they aren’t secure. And there are a number of ways for foreign governments and hackers to intercept these cell phone calls. You’ve got encryption apps protecting these calls from interception. Given the poor security of U.S. phone networks, encryption apps with no backdoors are now more important than ever, and you have probably seen that there are a lot of powerful people in the Congress running around saying they’re for encryption backdoors…I will filibuster any and all efforts in the Congress, any and all efforts, to pass legislation requiring companies to build backdoors in their products.
Is this SS7 threat purely foreign, or do you have concerns about our own domestic collection via SS7?
It could be anybody.
Look, your readers are going to say, Why hasn’t this thing been fixed? We’ve been told it’s hard. One carrier said they’re handling 40 billion connection requests a day, and the vast majority of them are legit, this is really a business process problem. You’ve got too many carriers with too many agreements and it’s going to take more than a patch or some little group of super smart Silicon Valley programmers.
You’ve also recently expressed concern over so-called netflow data disclosure, especially given what’s happened with the FCC and ISP rules. Does the ISP rule change have implications for what data could be disclosed to the government?
That is basically what we’re asking them—we’re asking the carriers that very question.
Have you received any response yet?
Nope, but we’re going to ride them hard to get one.
Is there a certain kind of disclosure concern that prompted you to write that letter?
The way I’d carry it is it’s the same as a National Security Letter question… Suffice it to say with this new FCC, I’ve got plenty of reasons to be concerned.