<div dir="ltr"><div class="gmail_extra"><div class="gmail_quote">On Tue, Mar 15, 2016 at 7:20 PM, Bill Frantz <span dir="ltr"><<a href="mailto:frantz@pwpconsult.com" target="_blank">frantz@pwpconsult.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex"><span class="">On 3/15/16 at 5:56 PM, <a href="mailto:leichter@lrw.com" target="_blank">leichter@lrw.com</a> (Jerry Leichter) wrote:<br>
<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex">
Of course, this is only relevant when the US (or, for that matter, the Germans) go through standard legal channels. The spies get their access behind the scenes, and when operating outside of their own borders (let's close our eyes to the stuff within their own borders, shall we?) can do pretty much whatever they can get away with - which is pretty much anything.<br>
</blockquote>
<br></span>
The traditional way of handling these situations is to ask some foreign agency to the collect the data, so it is operating outside its own borders. The word on the street is that GCHQ and NSA are good buddies with these arrangements. Of course, proof that it happens is much harder to get.<br>
<div class=""><div class="h5"></div></div></blockquote><div><br></div><div>Inserting the NSA a federal agency into this is interesting.<br>As a federal agency it has responsibilities to gather and to protect (both).<br></div><div>I believe any local, state and federal agency has a reporting obligation.<br><br></div><div>Never say anything has a clear reporting obligation. <br></div><div> <a href="https://w2.eff.org/Privacy/Key_escrow/Clipper/nsa.charter">https://w2.eff.org/Privacy/Key_escrow/Clipper/nsa.charter</a><br> See 1d. </div><div> "It shall be the duty of the Board to advise and make<br> recommendations to the Secretary of Defense, in accordance<br> with the following procedure, with respect to any matter<br> relating to communications intelligence which falls within<br> the jurisdiction of the Director of the NSA."</div><div>Defense -- there is DOD and DHS today.</div><div><br></div><div>Access via human intel. or human engineering is going to happen and the NSA and CIA </div><div>rightly so seem to qualify such as a useful universal bug. In the context of protecting the homeland (DHS) traffic </div><div>analysis that demonstrates transfers of corporate secrets and attacks of infrastructure </div><div>should trigger action.<br> <br>To me there seems to be a universal legal requirement to report and act on theft. </div><div>Data is little different than currency, gold, silver, oil, pharmaceuticals. When goods are stolen </div><div>the law has mandated action to report and stop the problem. If the theft is via a known flaw in </div><div>a locking device there is a social mandate to notify the lock manufacturer and the manufacturer </div><div>is expected to improve the product to address the theft. Vaults and safes went through iteration</div><div>after iteration to defend against fire, physical breach and even social breach (time locks). <br><br>I think I am observing an imbalance of attention on possession of contraband in contrast</div><div>to outright theft of data. Or creation of contraband... Sure a collection of images can </div><div>be sold a thousand times and 100-800 arrests made but without attention to the source</div><div>it is metric friendly to focus on the 100-800 and not on the single bad actor.<br><br>This imbalance of metrics needs attention.<br>The law enforcement is clearly focused on and has a mind set for hunting the 100-800 not </div><div>the 2-3 sources. The numbers and expansion of the distribution network are off by orders </div><div>of magnitude but the hundred arrests of corner drug dealers is vastly easier than the source. </div><div>Often "dealers" are cut deals by prosecutors for giving up underlings and get a </div><div>"get out of jail free card" for the easy conviction, often ignoring false arrest and </div><div>conviction of innocents.</div><div><br></div></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature"><div dir="ltr"> T o m M i t c h e l l</div></div>
</div></div>