Month: June 2015

FBI web page and brochure on elicitation techniques (copied from FBI.gov)

The FBI website has had an informative page on elicitation techniques. In the spirit of LOCKSS, I hereby keep a copy below.

Elicitation Techniques

This brochure is an introduction to elicitation and elicitation techniques. Understanding the techniques and the threat may help you detect and deflect elicitation attempts.

Elicitation is a technique used to discreetly gather information. It is a conversation with a specific purpose: collect information that is not readily available and do so without raising suspicion that specific facts are being sought. It is usually non-threatening, easy to disguise, deniable, and effective. The conversation can be in person, over the phone, or in writing.

Conducted by a skilled collector, elicitation will appear to be normal social or professional conversation. A person may never realize she was the target of elicitation or that she provided meaningful information.

Many competitive business intelligence collectors and foreign intelligence officers are trained in elicitation tactics. Their job is to obtain non-public information. A business competitor may want information in order to out-compete your company, or a foreign intelligence officer may want insider information or details on US defense technologies.

Elicitation Defined

The strategic use of conversation to extract information from people without giving them the feeling they are being interrogated.

Elicitation attempts can be simple, and sometimes are obvious. If they are obvious, it is easier to detect and deflect. On the other hand, elicitation may be imaginative, persistent, involve extensive planning, and may employ a co-conspirator. Elicitors may use a cover story to account for the conversation topic and why they ask certain questions.

Elicitors may collect information about you or your colleagues that could facilitate future targeting attempts.

Elicitation can occur anywhere—at social gatherings, at conferences, over the phone, on the street, on the Internet, or in someone’s home.

Elicitation is Not Rare

It is not uncommon for people to discover information about a person without letting on the purpose. For example, have you ever planned a surprise party for someone and needed to know their schedule, wish list, food likes and dislikes or other information without that person finding out you were collecting the information or for what purpose? The problem comes when a skilled elicitor is able to obtain valuable information from you, which you did not intend to share, because you did not recognize and divert the elicitation.

Why Elicitation Works

A trained elicitor understands certain human or cultural predispositions and uses techniques to exploit those. Natural tendencies an elicitor may try to exploit include:

  • A desire to be polite and helpful, even to strangers or new acquaintances
  • A desire to appear well informed, especially about our profession
  • A desire to feel appreciated and believe we are contributing to something important
  • A tendency to expand on a topic when given praise or encouragement; to show off
  • A tendency to gossip
  • A tendency to correct others
  • A tendency to underestimate the value of the information being sought or given, especially if we are unfamiliar with how else that information could be used
  • A tendency to believe others are honest; a disinclination to be suspicious of others
  • A tendency to answer truthfully when asked an “honest” question
  • A desire to convert someone to our opinion

For example, you meet someone at a public function and the natural getting-to-know-you questions eventually turn to your work. You never mention the name of your organization. The new person asks questions about job satisfaction at your company, perhaps while complaining about his job. You may think, “He has no idea where I work or what I really do. He’s just making idle chat. There’s no harm in answering.” However, he may know exactly what you do but he relies on his anonymity, your desire to be honest and appear knowledgeable, and your disinclination to be suspicious to get the information he wants. He may be hunting for a disgruntled employee who he can entice to give him insider information.

Techniques

There are many elicitation techniques, and multiple techniques may be used in an elicitation attempt. The following are descriptions of some of those techniques.

Assumed Knowledge: Pretend to have knowledge or associations in common with a person. “According to the computer network guys I used to work with…”

Bracketing: Provide a high and low estimate in order to entice a more specific number. “I assume rates will have to go up soon. I’d guess between five and 15 dollars.” Response: “Probably around seven dollars.”

Can you top this? Tell an extreme story in hopes the person will want to top it. “I heard Company M is developing an amazing new product that is capable of …”

Confidential Bait: Pretend to divulge confidential information in hopes of receiving confidential information in return. “Just between you and me…” “Off the record…”

Criticism: Criticize an individual or organization in which the person has an interest in hopes the person will disclose information during a defense. “How did your company get that contract? Everybody knows Company B has better engineers for that type of work.”

Deliberate False Statements / Denial of the Obvious: Say something wrong in the hopes that the person will correct your statement with true information. “Everybody knows that process won’t work—it’s just a DARPA dream project that will never get off the ground.”

Feigned Ignorance: Pretend to be ignorant of a topic in order to exploit the person’s tendency to educate. “I’m new to this field and could use all the help I can get.” “How does this thing work?”

Flattery: Use praise to coax a person into providing information. “I bet you were the key person in designing this new product.”

Good Listener: Exploit the instinct to complain or brag, by listening patiently and validating the person’s feelings (whether positive or negative). If a person feels they have someone to confide in, he/she may share more information.

The Leading Question: Ask a question to which the answer is “yes” or “no,” but which contains at least one presumption. “Did you work with integrated systems testing before you left that company?” (As opposed to: “What were your responsibilities at your prior job?”)

Macro to Micro: Start a conversation on the macro level, and then gradually guide the person toward the topic of actual interest. Start talking about the economy, then government spending, then potential defense budget cuts, then “what will happen to your X program if there are budget cuts?” A good elicitor will then reverse the process taking the conversation back to macro topics.

Mutual Interest: Suggest you are similar to a person based on shared interests, hobbies, or experiences, as a way to obtain information or build a rapport before soliciting information. “Your brother served in the Iraq war? So did mine. Which unit was your brother with?”

Oblique Reference: Discuss one topic that may provide insight into a different topic. A question about the catering of a work party may actually be an attempt to understand the type of access outside vendors have to the facility.

Opposition/Feigned Incredulity: Indicate disbelief or opposition in order to prompt a person to offer information in defense of their position. “There’s no way you could design and produce this that fast!” “That’s good in theory, but…”

Provocative Statement: Entice the person to direct a question toward you, in order to set up the rest of the conversation. “I could kick myself for not taking that job offer.” Response: “Why didn’t you?” Since the other person is asking the question, it makes your part in the subsequent conversation more innocuous.

Questionnaires and Surveys: State a benign purpose for the survey. Surround a few questions you want answered with other logical questions. Or use a survey merely to get people to agree to talk with you.

Quote Reported Facts: Reference real or false information so the person believes that bit of information is in the public domain. “Will you comment on reports that your company is laying off employees?” “Did you read how analysts predict…”

Ruse Interviews: Someone pretending to be a headhunter calls and asks about your experience, qualifications, and recent projects.

Target the Outsider: Ask about an organization that the person does not belong to. Often friends, family, vendors, subsidiaries, or competitors know information but may not be sensitized about what not to share.

Volunteering Information / Quid Pro Quo: Give information in hopes that the person will reciprocate. “Our company’s infrared sensors are only accurate 80% of the time at that distance. Are yours any better?”

Word Repetition: Repeat core words or concepts to encourage a person to expand on what he/she already said. “3,000 meter range, huh? Interesting.”

Deflecting Elicitation Attempts

Know what information should not be shared, and be suspicious of people who seek such information. Do not tell people any information they are not authorized to know, to include personal information about you, your family, or your colleagues.

You can politely discourage conversation topics and deflect possible elicitations by:

  • Referring them to public sources (websites, press releases)
  • Ignoring any question or statement you think is improper and changing the topic
  • Deflecting a question with one of your own
  • Responding with “Why do you ask?”
  • Giving a nondescript answer
  • Stating that you do not know
  • Stating that you would have to clear such discussions with your security office
  • Stating that you cannot discuss the matter

If you believe someone has tried to elicit information from you, especially about your work, report it to your security officer.

EOF

25 recommendations on democratic and effective oversight of national security services, by the CoE Commissioner for Human Rights

The Council of Europe’s Commissioner for Human Rights published an issue paper entitled Democratic and effective oversight of national security services (.pdf, June 2015). The paper was prepared by Aiden Willis, who earlier co-authored a statement (.pdf) given before a hearing on November 7th 2013 at the LIBE Committee Inquiry on Electronic Mass Surveillance of EU Citizens. The issue paper gives a comprehensive overview of best practices and makes recommendations. First take note of these remarks from p.7:

It is emphasised that there is no Council of Europe member state whose system of oversight comports with all of the internationally or regionally recognised principles and good practices discussed in this issue paper and that there is no one best approach to organising a system of security service oversight. Nevertheless, this issue paper seeks to highlight particular approaches or practices that offer significant advantages from the point of view of human rights protection.

The paper includes 25 recommendations, some of which explicitly make references to bulk interception and Computer Network Exploitation (CNE). The remainder of this post consists of a verbatim copy of the commissioner’s recommendations, for quick reference. To fully appreciate the recommendations, read the original report.

Taking into account the findings and conclusions of this issue paper, the Commissioner makes the following recommendations aimed at strengthening oversight of national security services and thereby improving human rights compliance in the work of security services.

In order to ensure that the operations, policies and regulations of security services comply with Convention rights and are subject to effective democratic oversight, the Commissioner calls on the member states of the Council of Europe to:

On general parameters for a system of oversight

  1. Establish or designate one or more bodies that are fully independent from the executive and the security services to oversee all aspects of security service regulations, policies, operations and administration. All references to oversight bodies in these recommendations are to independent oversight bodies as defined in these recommendations.
  2. Ensure that their systems for the oversight of security services comply with the minimum oversight requirements set out in the European Court of Human Rights’ jurisprudence, the UN compilation of good practices on intelligence agencies and their oversight, as well as the recommendations put forward by the [Council of Europe’s] Venice Commission (.pdf).

On the scope of oversight of security services

  1. Ensure that all aspects and phases of the collection (regardless of its method of collection or provenance), processing, storage, sharing, minimisation and deletion of personal data by security services are subject to oversight by at least one institution that is external to the security services and the executive.
  2. Ensure that the oversight of security services focuses not only on the lawfulness of security service activities that restrict the right to privacy and family life but also the rights to freedom of expression, assembly, association and religion, thought and conscience.
  3. Mandate oversight bodies to scrutinise the human rights compliance of security service co-operation with foreign bodies, including co-operation through the exchange of information, joint operations and the provision of equipment and training. External oversight of security service co-operation with foreign bodies should include but not be limited to examining:
    1. ministerial directives and internal regulations relating to international intelligence co-operation;
    2. human rights risk assessment and risk-management processes relating to relationships with specific foreign security services and to specific instances of operational co-operation;
    3. outgoing personal data and any caveats (conditions) attached thereto;
    4. security service requests made to foreign partners: (i) for information on specific persons; and (ii) to place specific persons under surveillance;
    5. intelligence co-operation agreements;
    6. joint surveillance operations and programmes undertaken with foreign partners.
  4. Require that security services obtain authorisation from a body that is independent from the security services and the executive, both in law and in practice, before engaging in any of the following activities either directly or through/in collaboration with private sector entities:
    1. conducting untargeted bulk surveillance measures regardless of the methods or technology used or the type of communications targeted;
    2. using selectors or key words to extract data from information collected through bulk surveillance, particularly when these selectors relate to identifiable persons;
    3. collecting communications/metadata directly or accessing it through requests made to third parties, including private companies;
    4. accessing personal data held by other state bodies;
    5. undertaking computer network exploitation.
  5. Ensure that, where security services engage in computer network exploitation, these activities are subject to the same level of external oversight as is required for surveillance measures that have equivalent human rights implications.
  6. Consider the introduction of security-cleared public interest advocates into surveillance authorisation processes, including both targeted and untargeted surveillance measures, to represent the interests of would-be targets of surveillance.
  7. Consider how surveillance authorisation processes can be kept under ex post facto review by an independent body that is empowered to examine decisions taken by the authorising body.
  8. Create or designate an external oversight body to receive and investigate complaints relating to all aspects of security service activity. Where such bodies are only empowered to issue non-binding recommendations, member states must ensure that complainants also have recourse to another institution that can provide remedies that are effective both in law and in practice.
  9. Give an external oversight body the power to quash surveillance warrants and discontinue surveillance measures undertaken without the need for a warrant when such activities are deemed to have been unlawful, as well as the power to require the deletion of any information obtained from the use of such measures.
  10. Ensure that the procedures of any institution tasked with adjudicating on complaints relating to matters that have been revealed to a complainant or otherwise made public comply with due process standards under European human rights law.

On the independence and democratic legitimacy of oversight bodies

  1. Consider strengthening the link between expert oversight bodies and parliament by taking the following steps:
    1. giving a designated parliamentary committee a role in the appointment of members;
    2. empowering parliament to task expert bodies to investigate particular matters;
    3. requiring that expert oversight bodies report and take part in hearings with a designated parliamentary committee.

On the effectiveness of oversight bodies

  1. Guarantee that all bodies responsible for overseeing security services have access to all information, regardless of its level of classification, which they deem to be relevant to the fulfillment of their mandates. Access to information by oversight bodies should be enshrined in law and supported by recourse to investigative powers and tools which ensure such access. Any attempts to restrict oversight bodies’ access to classified information should be prohibited and subject to sanction where appropriate.
  2. Ensure that security services are placed under a duty to be open and co-operative with their oversight bodies. Equally, oversight bodies have a responsibility to exercise their powers, including seeking and handling classified information, professionally and strictly for the purposes for which they are conferred by law.
  3. Ensure that access to information by oversight bodies is not restricted by or subject to the third party rule or the principle of originator control. This is essential for ensuring that democratic oversight is not subject to an effective veto by foreign bodies that have shared information with security services. Access to information by oversight bodies should extend to all relevant information held by security services including information provided by foreign bodies.
  4. Require security services to proactively disclose to overseers (without being requested) information relating to areas of activity that are deemed to present particular risks to human rights, as well as any information relating to the potential violation of human rights in the work of security services.
  5. Ensure that external oversight bodies – including parliamentary oversight committees and expert oversight bodies – are authorised by law to hire independent specialists whose expertise is deemed to be relevant. In particular, oversight bodies should have recourse to specialists in information and communications technology who can enable overseers to better comprehend and evaluate surveillance systems and thus to better understand the human rights implications of these activities.
  6. Make sure that all institutions responsible for the oversight of security services have the necessary human and financial resources to fulfill their mandates. This should include recourse to technological expertise that can enable overseers to navigate, understand and evaluate systems for the collection, processing and storage of information. The adequacy of such resources should be kept under review and consideration should be given as to whether increases in security service budgets necessitate parallel increases in overseers’ budgets.
  7. Ensure that all oversight bodies with access to classified information and personal data (regardless of whether it is classified) put in place measures to make sure that information is protected from being used or disclosed for any purpose that is outside the mandate of the oversight body.

On transparency and engagement with the public

  1. Require by law that external bodies responsible for scrutinising security services publish public versions of their periodic and investigation reports. Any such requirements should be accompanied by additional resources that enable oversight bodies to produce informative reports without undermining their core oversight functions.
  2. Ensure that security services and their oversight bodies are not exempt from the ambit of freedom of information legislation and instead require that decisions not to provide information are taken on a case-by-case basis, properly justified and subject to the supervision of an independent information/data commissioner.

On reviewing oversight bodies and systems

  1. Evaluate and review periodically the legal and institutional frameworks, procedures and practices for the oversight of security services. Evaluations should include but not be limited to examining:
    1. the legal mandate of oversight bodies;
    2. the effectiveness of oversight bodies in helping to ensure that security service policies, regulations and operations comply with national and international human rights standards;
    3. the efficacy of oversight bodies’ investigative techniques;
    4. the implications of new technologies for oversight;
    5. the protection of information by oversight bodies;
    6. the relations and co-operation between oversight bodies;
    7. reporting and public outreach.
  2. Review the adequacy of arrangements for the oversight of the collection and retention of personal data by private companies, including communications providers, for national security purposes, as well as the co-operation between private companies and security services.
  3. Review the legal framework for the oversight of computer network exploitation by security services and consider whether existing arrangements provide necessary safeguards under national and European human rights law.
 EOF

Resilience of society: overview of capitals and stocks (TNO, 2014)

Useful as a reference: table 4-1 from the TNO report Meetmethoden Weerbaarheid (.pdf), which concerns methods for measuring the resilience of society. That report is the result of research commissioned by the WODC and carried out by TNO on behalf of the NCTV, in the context of the development of a National Resilience Monitor (Nationale Weerbaarheidsmonitor). The researchers divide the characteristics of a resilient society into capitals/stocks, capacities and vital sectors. For an explanation of those concepts I refer to the report itself, which is well worth reading. Table 4-1 gives the overview of capitals, with an indication of the stocks for each capital. To carry out quantitative and/or qualitative analysis, the stocks must first be operationalised into suitable indicators.

[Image: Table 4-1 from the TNO report Meetmethoden Weerbaarheid]

EOF

In 1998, Russia asked UN to devise int’l rules to prohibit Computer Network Attack (CNA)

In 1998, Russia apparently asked the UN to establish international rules to prohibit what has become known, since the US DoD’s Joint Publication (JP) 3-13, Information Operations (.pdf, 1998), as Computer Network Attack (CNA). Russia’s move was deflected by the White House under the Clinton administration. Quoting from this letter (.pdf, Sep 1998) from the Minister for Foreign Affairs of the Russian Federation addressed to the Secretary-General of the UN:

For a number of years, the General Assembly has been considering at its sessions the item entitled “Role of science and technology in the context of international security, disarmament and other related fields”. We believe that this issue is still topical; moreover, it has recently begun to acquire new meaning as a result of the qualitatively new stage of the scientific and technological revolution that is occurring throughout the world: the rapid development and application of new information technologies and means of telecommunication.

The information revolution, which affects virtually all aspects of modern life, is opening up broad prospects for the rapid and harmonious development of world civilization, expanding opportunities for mutually advantageous cooperation among States and is sharply increasing mankind’s creative potential. Today it is possible to talk about the formation of a truly global information area for the international community, in which information is taking on the attributes of the most valuable element of both national and universal property, its strategic resource.

At the same time, it is essential to consider the – perhaps for the time being only potential but nevertheless serious – threat of developments in the information field being used for purposes incompatible with the objectives of maintaining international stability and security, the observance of the principles of non-use of force, non-interference in internal affairs and respect for human rights and freedoms. In our opinion, such a threat requires that preventive measures be taken today. We cannot permit the emergence of a fundamentally new area of international confrontation, which may lead to an escalation of the arms race based on the latest developments of the scientific and technological revolution and, as a result, divert an enormous amount of resources that are so necessary for peaceful creativity and development.

I am referring to the creation of information weapons and the threat of information wars, which we understand as actions taken by one country to damage the information resources and systems of another country while at the same time protecting its own infrastructure.

The unprecedented level of information available to the public and, at the same time, the vulnerability of a society’s information structure has led to the risk of the emergence of such an information weapon, the destructive “effect” of which may be comparable to that of weapons of mass destruction.

In these circumstances, there is a real threat that information resources may be used for terrorist or criminal purposes, the consequences of which may be disastrous.

All these apprehensions lead us to the conclusion that the time has come for the question of international information security to be a topic for substantive and purposeful discussion in the United Nations.

I request that you consider this letter as an explanatory memorandum, in accordance with the rules of procedure of the General Assembly, and circulate it together with the attached draft resolution (see appendix) as a document of the General Assembly under agenda item 63.

EOF