Metadata Oversight: “A Banner”!!!!!

The Guardian has their next big NSA scoop, and it is meatier than the earlier ones. The headline is that President Obama continued a 2-degrees of separation analysis of Internet metadata under Section 702 for two years after he came into office. The practice morphed into something else in 2011, making it highly likely the October 3, 2011 FISC opinion finding FAA 702 activities violated the Fourth Amendment pertained to this practice.

Along with their story, the released two documents, one of which has two appendices. Altogether they’ve released:

I’ll have far, far more to say going forward.

But I wanted to point to language that reinforces my fears about how they’re controlling the still extant database of US person telephone metadata.

The documents describe the great oversight of the Internet metadata twice. First in the November 20, 2007 letter itself:

When logging into the electronic data system users will view a banner that re-emphasizes key points regarding use of the data, chaining tools, and proper dissemination of results. NSA will also create an audit trail of every query made in each database containing U.S. communications metadata, and a network of auditors will spot-check activities in the database to ensure compliance with all procedures. In addition, the NSA Oversight and Compliance Office will conduct periodic super audits to verify that activities remain properly controlled. Finally, NSA will report any misuse of the information to the NSA’s Inspector General and Office of GEneral Counsel for inclusion in existing or future reporting mechanisms related to NSA’s signals intelligence activities.

And in the September 28, 2006 Amendment:

5. Before accessing the data, users will view a banner, displayed upon login and positively acknowledged by the user, that re-emphasizes the key points regarding use of the data and chaining tools, and proper dissemination of any results obtained.

6. NSA creates audit trails of every query made in each database containing U.S. communications metadata, and has a network of auditors who will be responsible for spot-checking activities in the database to ensure that activities remain compliant with the procedures described for the data’s use. The Oversight and Compliance Office conducts periodic super audits to verify that activities remain properly controlled.

7. NSA will report any misuse of the information to NSA’s Inspector General and Office of General Counsel for inclusion in existing or future reporting mechanisms relating to NSA’s signals intelligence activities.

These descriptions are consistent with what we’ve been told still exists with the telephone metadata, so it is likely (though not certain) the process remains the same.

There are two big problems, as I see it. First, note that the Oversight and Compliance Office appears to be within NSA’s operational division, not part of the Inspector General’s Office. This means it reports up through the normal chain of command. And, presumably, its actions are not required to be shared with Congress. The IG, by contrast, has some statutory independence. And its activities get briefed to Congress.

In other words, this initial check on the metadata usage appears to be subject to managerial control.

But my other worry is even bigger. See where the descriptions talk about the fancy banner? The description says nothing about how that log-in process relates to the audit trail created for these searches. Indeed, in both of these documents, “the NSA” “creates” the audit trails. They don’t appear to be generated automatically, as they easily could be and should be.

That is, it appears (and this is something that has always been left vague in these descriptions) that these are manual audit trails, not automatic ones. (Though I hope they go back and compare them with keystrokes.)

When FBI had this kind of access to similar data, they simply didn’t record a lot of what they were doing, which means we have almost no way of knowing whether there’s improper usage.

This may have changed. These “audit trails” may have been automatically generated at this time (though that’s not what the process describes). Though the NSA IG’s inability to come up with a number of how many US person records are access suggests there’s nothing automated about it.

And if that’s true, still true, then the telephone metadata still in place is an invitation for abuse.

Marcy has been blogging full time since 2007. She’s known for her live-blogging of the Scooter Libby trial, her discovery of the number of times Khalid Sheikh Mohammed was waterboarded, and generally for her weedy analysis of document dumps.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including the Guardian, Salon, and the Progressive, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse and dog in Grand Rapids, MI.

20 replies
  1. eh says:

    5. Before accessing the data, users will view a banner, displayed upon login and positively acknowledged by the user, that re-emphasizes the key points regarding use of the data and chaining tools, and proper dissemination of any results obtained.

    Hey, it worked for Microsoft Word, why not for surveillance data?!

    As for auditing, the ability for close auditing is an absolute requirement for operating systems to even be considered for this kind of work. This is covered in what’s called “The Common Criteria” (formerly Orange Book):

    Various refs that describe these features, though also imply that the criteria do not necessarily mandate file-level auditability. NSA, etc. “policy” likely rears its head here:
    https://ssl.apple.com/support/security/commoncriteria/
    http://technet.microsoft.com/library/dd277459.aspx
    http://answers.yahoo.com/question/index?qid=20080809195645AA5klcY
    http://investors.redhat.com/releasedetail.cfm?ReleaseID=716807

  2. Hmmm says:

    Yup. And even if these standard tools were to fully implement automated safeguards, separate sysadmin or database admin tools might circumvent them.

    Like the 70-something former Stasi manager said in today’s McClatchy article, the only way to guarantee government won’t abuse records of citizens’ communications is not to collect the data in the first place. Tossing the raw goods into some sort of deep-freeze may at first seem to create a Schrodinger’s-Cat scenario where it’s not ‘collected’ until actually retrieved from the deep-freeze and looked at by authorized personnel with legal authority… but in the long run the idea fails. Because of the impossibility of guaranteeing that nobody will sneak an illegal peek, it’s just word games around the legally defined term ‘collection’ vs. the common meaning.

  3. Garrett says:

    If the NSA really cooks up “creates” an audit trail, that’s amazing.

    But “create an audit trail” is pretty standard tech language for a real one.

    The “create” usage might derive from the SQL used to create an automatic audit trail.

    Since there are a lot of suggestions that they don’t have them, though, I don’t know what to think.

  4. kgb999 says:

    I think we’ve got to bear in mind one very important thing. This discussion is important – but I think it’s important for the exact reason highlighted here. To show that there has been absolutely no need for a FISA-monitored authority to run as many targeted queries as an agent wants. There’s no oversight of the sort the administration narrative is trying to imply.

    It really feels like this leak appears to be from the administration itself to serve the sole purpose of planting one idea:

    [“The program was discontinued by the executive branch as the result of an interagency review,” Turner continued. He would not elaborate further]

    This is to allow all the supporters to re-establish the meme that Obama has ended the nasty Bush programs … what did you expect him to fix everything IMMEDIATELY? While we all navel-gaze at the meta-question if the most illegal mass-collection of American records in history are audited in “manual” or “automatic” fashion. As if that matters. What is going on would still be unacceptable with auditing in full-auto high grain detail … why go down that road?

    They really are still doing this – it’s probably simply gotten worse now. To a large extent, they’re probably just copying it in from the GCHQ … what with the 850,000 NSA analysts who now browse those databases. Oooops, did your traffic just magically take hop to UK en route to final destination? Congratulations, according the the UK, your records are guaranteed to be “foreign” … and the NSA didn’t even collect them.

    IMO, it’s pretty dangerous to play the “ZOMG he did it for TWO YEARS AFTER BUSH?!?!???” game at all if we really want accountability.

  5. P J Evans says:

    Banners are so useful for tracking people and what they access…not.
    The audit trail should start automagically at login, and continue until logout.

  6. mzchief says:

    WWBBD (What Would Bill Black Do?) Offhand I see a magic blackbox which outputs politically purposed, made-up stuff (“fixing facts to the policy”). The more obvious version of that called the #TXLege was just on display in Austin re SB5.

  7. C says:

    6. NSA creates audit trails of every query made in each database containing U.S. communications metadata, and has a network of auditors who will be responsible for spot-checking activities in the database to ensure that activities remain compliant with the procedures described for the data’s use. The Oversight and Compliance Office conducts periodic super audits to verify that activities remain properly controlled.

    So two things clearly fall out of that:
    If counting the number of American communications tapped counts as violating privacy then they have a whole department devoted to doing that.
    And either:
    they have the numbers on use and refuse to share them with Congress and are lying when they say they don’t have it;
    OR their auditing system is crap.

    Counting the number of American communications tapped counts as violating privacy and their auditing department violates American privacy every day but lies to Congress about it.

  8. eh says:

    @C: Not only that, but it doesn’t speak to access to the *results* of those queries. I’m not familiar with the details of the process, but what comes to mind is that the results of authorized queries could be shared with people without privileges to perform those queries themselves.

  9. jerryy says:

    @P J Evans: ehh.

    Audit trails are useful for showing your boss that you have been busy doing something. “Look I really was there like you asked me to.”

    But as a security tool for stopping bad things from happening… not so much.

    Whomever controls the logging can control the system, even if it is triple encrypted and you have to say ‘Mother May I Please’ just to be in the room where the keyboard is. Whomever can run a duplicate admin tool can control the system… whomever can, etc. etc.

    This sounds more like they are trying to say ‘Now that you know we are doing this, well that makes it okay. Get ready for more’.

  10. P J Evans says:

    @jerryy:
    A really thorough one would track everything you did. (I suspect that companies don’t tell employees about that level of tracking.)

  11. jerryy says:

    @P J Evans: Keystroke loggers, et al send their data somewhere.

    The gatekeeper directing traffic in the lobby may not know all of the security measures, but the person supervising the janitorial staff knows quite a bit more. (This is not to suggest some movie plot, but to illustrate a point)

    Even hardened systems fall prey to outside crackers and penetrators — and some only leave traces by bragging about it. A hacker on the inside can cut through the logs if they need to. Root is called superuser for a reason. Not to mention that software never stops at version 1.0, the vendors are always putting out bug-fixes and patches.

    Here is a bit of irony for you:

    http://www.nsa.gov/ia/mitigation_guidance/security_configuration_guides/operating_systems.shtml

  12. orionATL says:

    @jerryy:

    down at the bottom:

    “defending our nation, securing our future”

    does nsa view “the future” as if it were a military beachhead?

    this is “sucker-born-every-miinute” p.r.

  13. c says:

    @eh: True that is a whole other can of worms that is open for debate. I would suspect, given what we’ve seen thus far, that the level of control on those results is somewehere around zip.

  14. jerryy says:

    @orionATL: There are some big bucks at stake, they cannot afford to let the other agencies get those congressional grant dollars. :^)

    A very short while back I mentioned to Marcy that it is not necesary to have nicely formattted email messages in front of you when you can do deep packet inspections while you are sitting on the internet gateways. Here is a timely article showing an example:

    http://www.pcworld.com/article/2043095/heres-what-an-eavesdropper-sees-when-you-use-an-unsecured-wi-fi-hotspot.html

  15. orionATL says:

    @jerryy:

    thanks.

    i wonder if people who travel extensively with government or corporate phones and laptops can have their devices secured even if the site, e.g., hotel “business lounge”, is not?

Comments are closed.