How NSA Hunts Metadata “Content” in Search of Your Digital Tracks

Der Spiegel has posted a set of slides associated with their story on how NSA’s TAO hacks targets.

The slides explain how analysts can find identifiers (IPs, email addresses, or cookies) they can most easily use to run a Quantum attack.

Because NSA is most successful hacking Yahoo, Facebook, and static IPs, it walks analysts through how to use Marina (or “QFDs,” which may be Quantum specific databases) to find identifiers for their target on those platforms. If they can’t find one of them, it also notes, analysts can call on GCHQ to hack Gmail. Once they find other identifiers, they can see how often the identifier has been “heard,” and how recently, to assess whether it is a still-valid identifier.

The slides are fascinating for what they say about NSA’s hacking (and GCHQ’s apparent ability to bypass Google’s encryption, perhaps by accessing their own fiber). But they’re equally interesting for what they reveal about how the NSA is using Internet metadata.

The slides direct analysts to enter a known identifier, to find all the other known identifiers for that user, which are:

determined by linking content (logins/email registrations/etc). It is worth verifying that these are indeed selectors associated to your target. [my emphasis]

This confirms something — about Internet metadata, if not yet phone metadata — that has long been hinted. In addition to using metadata to track relationships, they’re also using it to identify multiple identities across programs.

This makes plenty of sense, since terrorists and other targets are known to use multiple accounts to hide their identities. Indeed, doing such matching more robustly is one of the recommendations William Webster made after his investigation of Nidal Hasan’s contacts with Anwar al-Awlaki, in part because Hasan contacted Awlaki via different email addresses.

But it does raise some issues. First, how accurate are such matches? The NSA slides implicitly acknowledge they might not be accurate, but they provide no clues as to how analysts are supposed to “verify[] that these are indeed selectors associated to your target.” In phone metadata documents, there are hints that the FISC imposed additional minimization procedures for matches made with US person identifiers, but it’s not clear what kind of protection that provides.

Also, remember NSA was experiencing increased violation numbers in early 2012 in significant part because of database errors, and Marina errors made up 21% of those. If this matching process is not accurate, that may be one source of error.

Also, note that NSA itself calls this “content,” not metadata. It may be they’ve associated such content via other means, not just metadata collection. But given NSA’s “overcollection” of metadata under the Internet dragnet, which almost certainly involved collecting routing data that count as content, it does reflect the possibility that they themselves admit this goes beyond metadata. Moreover, this raises real challenges to NSA claims that they don’t know the “identity” of the people they track in metadata.

Now, none of this indicates US collection (though it does show that NSA continues to collect truly massive amounts of Internet traffic from some location). But the slide above does show NSA monitoring whether this particular user was “seen” at US-[redacted] in the last 14 days. US-[redacted] is presumably a US-associated SIGAD (collection point). (They’re looking for a SIGAD from which they can successfully launch Quantum attacks, so they’re seeing if their target’s traffic commonly uses that point.) While that SIGAD may be offshore, and therefore outside US legal jurisdiction, it does suggest this monitoring takes place within the American ambit.

At least within the Internet context, Marina functions not just as a collection of known relationships, but also as a collection of known data intercepts, covering at least a subset of traffic. They likely do similar things with international phone dragnet collection and probably the results of US phone dragnet in the “corporate store” (which stores query results).

In other words, this begins to show how much more the NSA is doing with metadata than they let on in their public claims.

Update: 1/1/14, I’m just now watching Jacob Appelbaum’s keynote at CCC in Berlin. He addresses the Marina features at 22:00 and following. He hits on some of the same issues I do here.
