Fingerprints and the Phone Dragnet’s Secret “Correlations” Order

Yesterday, I noted that ODNI is withholding a supplemental opinion approved on August 20, 2008 that almost certainly approved the tracking of “correlations” among the phone dragnet (though this surely extends to the Internet dragnet as well).

I pointed out that documents released by Edward Snowden suggest the use of correlations extends well beyond the search for “burner” phones.

At almost precisely the same time, Snowden was testifying to the EU. The first question he answered served to clarify what “fingerprints” are and how XKeyscore uses them to track a range of innocent activities. (This starts after 11:16, transcription mine.)

It has been reported that the NSA’s XKeyscore for interacting with the raw signals intercepted by mass surveillance programs allow for the creation of something that is called “fingerprints.”

I’d like to explain what that really means. The answer will be somewhat technical for a parliamentary setting, but these fingerprints can be used to construct a kind of unique signature for any individual or group’s communications which are often comprised of a collection of “selectors” such as email addresses, phone numbers, or user names.

This allows State Security Bureaus to instantly identify the movements and activities of you, your computers, or other devices, your personal Internet accounts, or even key words or other uncommon strings that indicate an individual or group, out of all the communications they intercept in the world are associated with that particular communication. Much like a fingerprint that you would leave on a handle of your door or your steering wheel for your car and so on.

However, though that has been reported, that is the smallest part of the NSA’s fingerprinting capability. You must first understand that any kind of Internet traffic that passes before these mass surveillance sensors can be analyzed in a protocol agnostic manner — metadata and content, both. And it can be today, right now, searched not only with very little effort, via a complex regular expression, which is a type of shorthand programming. But also via any algorithm an analyst can implement in popular high level programming languages. Now, this is very common for technicians. It not a significant work load, it’s quite easy.

This provides a capability for analysts to do things like associate unique identifiers assigned to untargeted individuals via unencrypted commercial advertising networks through cookies or other trackers — common tracking means used by businesses everyday on the Internet — with personal details, such as individuals’ precise identity, personal identity, their geographic location, their political affiliations, their place of work, their computer operating system and other technical details, their sexual orientation, their personal interests, and so on and so forth. There are very few practical limitations to the kind of analysis that can be technically performed in this manner, short of the actual imagination of the analysts themselves.

And this kind of complex analysis is in fact performed today using these systems. I can say, with authority, that the US government’s claim that “keyword filters,” searches, or “about” analysis, had not been performed by its intelligence agencies are, in fact, false. I know this because I have personally executed such searches with the explicit authorization of US government officials. And I can personally attest that these kind of searches may scrutinize communications of both American and European Union citizens without involvement of any judicial warrants or other prior legal review.

What this means in non-technical terms, more generally, is that I, an analyst working at NSA, or, more concerningly, an analyst working for a more authoritarian government elsewhere, can without the issue of any warrant, create an algorithm that for any given time period, with or without human involvement, sets aside the communications of not only targeted individuals, but even a class of individual, and that just indications of an activity — or even just indications of an activity that I as the analyst don’t approve of — something that I consider to be nefarious, or to indicate nefarious thoughts, or pre-criminal activity, even if there’s no evidence or indication that’s in fact what’s happening. that it’s not innocent behavior. The nature of the mass surveillance — of these mass surveillance technologies — create a de facto policy of assigning guilt by association rather than on the basis of specific investigations based on reasonable suspicion.

Specifically, mass surveillance systems like XKeyscore provide organizations such as the NSA with the technical ability to trivially track entire populations of individuals who share any trait that is discoverable from unencrypted communications. For example, these include religious beliefs, political affiliations, sexual orientations, contact with a disfavored individual or group, history of donating to specific or general causes, interactions of transactions with certain private businesses, or even private gun ownership. It is a trivial task, for example, to generate lists of home addresses for people matching the target criteria. Or to collect their phone numbers, to discover their friends, or even, to analyze the proximity and location of their social connections by automating the detection of factors such as who they share pictures of their children with, which is capable of machine analysis.

I would hope that this goes without saying, but let me be clear that the NSA is not engaged in any sort of nightmare scenarios, such as actively compiling lists of homosexual individuals to round them up and send them into camps, or anything of that sort. However, they still deeply implicate our human rights. We have to recognize that the infrastructure for such activities has been built, and is within reach of not just the United States and its allies, but of any country today. And that includes even private organizations that are not associated with governments.

Accordingly, we have an obligation to develop international standards, to protect against the routine and substantial abuse of this technology, abuses that are ongoing today. I urge the committee in the strongest terms to bear in mind that this is not just a problem for the United States, or the European Union, but that this is in fact a global problem, not an isolated issue of Europe versus the Five Eyes or any other [unclear]. These technical capabilities don’t merely exist, they’re already in place and actively being used without the issue of any judicial warrant. I state that these capabilities are not yet being used to create lists of all the Christians in Egypt, but let’s talk about what they are used for, at least in a general sense, based on actual real world cases that I can assert are in fact true.

Fingerprints — for example, the kind used of XKeyscore — have been used — I have specific knowledge that they have been used — to track and intercept, to track, intercept, and monitor the travels of innocent citizens, who are not suspected of anything worse than booking a flight. This was done, in Europe, against EU citizens but it is of course not limited to that geographic region, nor that population. Fingerprints have also been used to monitor untold masses of people whose communications transit the entire country of Switzerland over specific routes. They’re used to identify people — Fingerprints are used to identify people who have had the bad luck to follow the wrong link on an Internet site, on an Internet forum, or even to download the wrong file. They’ve been used to identify people who simply visit an Internet sex forum. They’ve also been used to monitor French citizens who have never done anything wrong other than logging into a network that’s suspected of activity that’s associated with a behavior that the National Security Agency does not approve of.

This mass surveillance network, constructed by the NSA, which, as I pointed out, is an Agency of the US military Department of Defense, not a civilian agency, and is also enabled by agreements with countries such as the United Kingdom, Australia, and even Germany, is not restricted for being used strictly for national security purposes, for the prevention of terrorism, or even for foreign intelligence more broadly.

XKeyscore is today secretly being used for law enforcement purposes, for the detection of even non-violent offenses, and yet this practice has never been declared to any defendant or to any open court.

We need to be clear with our language. These practices are abusive. This is clearly a disproportionate use of an extraordinarily invasive authority, an extraordinarily invasive means of investigation, taken against entire populations, rather than the traditional investigative standard of using the least intrusive means or investigating specifically named targets, individuals, or groups. The screening of trillions — I  mean that literally, trillions — of private communications for the vaguest indications of associations or some other nebulous pre-criminal activity is a violation of the human right to be free from unwarranted interference, to be secure in our communications and our private affairs, and it must be addressed. These activities — routine, I point out, unexceptional activities that happen every day — are only a tiny portion of what the Five Eyes are secretly doing behind closed doors, without the review, consent, or approval of  any public body. This technology represents the most significant — what I consider the most significant.new threat to civil rights in modern times.

Now, this doesn’t guarantee that the NSA correlates identifiers to dump them into XKeyscore (which is, as far as I know, used only on data collected outside the US; the “about” 702 collection is a more limited version of what is done in the US, with returned data likely dumped into databases used with XKeyscore). But Snowden makes it clear such fingerprints involve precisely the identifiers, including phone numbers, used in the domestic dragnets.

Moreover, we know that data in the corporate store — all those people who are two or three degrees away from someone who has been digitally stop-and-frisked — is subject to all the analytical authorities the NSA uses, which clearly includes fingerprinting and use in XKeyscore.

“Correlations” — as the NSA uses in language with the FISC and Congress — are almost certainly either fingerprints, or subset of the fingerprinting process.

And this is, almost certainly, what the government is hiding in that August 20, 2008 order.

Marcy has been blogging full time since 2007. She’s known for her live-blogging of the Scooter Libby trial, her discovery of the number of times Khalid Sheikh Mohammed was waterboarded, and generally for her weedy analysis of document dumps.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including the Guardian, Salon, and the Progressive, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse and dog in Grand Rapids, MI.

22 replies
  1. P J Evans says:

    Another reason – if not the main one – why the US government wants Snowden silenced.

  2. Jeff A. Taylor says:

    “XKeyscore is today secretly being used for law enforcement purposes, for the detection of even non-violent offenses, and yet this practice has never been declared to any defendant or to any open court.”

    This is all that matters.

    This points to the creation of informants in order to win criminal convictions. There is no other purpose to mass spying.

    The failure of public employees to deliver honest services (convictions won via serial illegal means translated into promotions, bonuses, and other material compensation) is a felony. All that is needed now is one honest US Attorney. Unfortunately, we need one honest US Attorney.

  3. Saul Tannenbaum says:

    What we see in Snowden’s description is the ability to create virtual dossiers on people based not just on who they are (“Get me everything on Joe”) but any class of activity detected by the dragnet (“Get me everything on everybody who called Gerry’s Pizza”). We shouldn’t be surprised. Why else collect this stuff? But next time somebody tries to defend this by saying that it’s not like J Edgar Hoover creating dossiers, the answer is: They don’t need dossiers anymore, they’ve got better technology.

    • emptywheel says:

      Yep. A name is meaningless up until you write the arrest warrant. And most of these people won’t be arrested.

  4. Snoopdido says:

    Though I agree with him, Snowden’s use of the term “fingerprints” is too old school for my liking.
    .
    Instead I would refer to the same creation as “Digital DNA”. This Digital DNA is the unique identification of you. Like physical DNA, it can identify almost all aspects of you and your life. Your past. Your present. And in many ways, it can allow some to attempt to predict your future.
    .
    And it is not just the intelligence agencies of the US government, the Five Eyes, Germany, Russia, China, etc. as Snowden rightly explains. It is all governmental bodies from your local police department all the way up to national government organizations.
    .
    If there is any solace to this collection of our Digital DNA, is something I’d expect someone like author William Gibson to explore. It hasn’t happened yet, or at least has not been publicly reported, but the fact is that Digital DNA can be manufactured.
    .
    Since it is all ones and zeroes, it is possible to artificially create, modify, and manipulate all things digital including Digital DNA.
    .
    Will we someday hear or read about someone assuming another’s Digital DNA identity? I’m sure we will!

  5. orionATL says:

    “We need to be clear with our language…” – edward snowden

    indeed we do.

    communications theft is communications theft, whether performed by some common thief in a coffee shop or by the u.s. government’s national security agency.

    let me ask in this context, “who are the group least clear with their language, most blatantly evasive, deceitful, mendacious?”

    why, the high-level officials and lawyers of the u.s. government’s dept of justice, fbi, national security administration, central intelligence agency, dhs, dea …

    public lying by these american public officials is epidemic these days,

    yet lying all the while, they ply us with pleas to trust them and their “transparency”.

  6. Snoopdido says:

    This is off topic. From Jason Leopold at Al Jazeera America, more leakage of the Torture Report details – Revealed: Senate report contains new details on CIA black sites – http://america.aljazeera.com/articles/2014/4/9/senate-cia-torture.html
    .
    Some lowlights:
    .
    “A Senate Intelligence Committee report provides the first official confirmation that the CIA secretly operated a black site prison out of Guantánamo Bay, two U.S. officials who have read portions of the report have told Al Jazeera.
    .
    The officials — who spoke on condition of anonymity because the 6,600-page report on the CIA’s detention and interrogation program remains classified — said top-secret agency documents reveal that at least 10 high-value targets were secretly held and interrogated at Guantánamo’s Camp Echo at various times from late 2003 to 2004. They were then flown to Rabat, Morocco, before being officially sent to the U.S. military’s detention facility at Guantánamo in September 2006.”
    .
    And:
    .
    “The Senate report, according to Al Jazeera’s sources, says that the CIA detained some high-value suspects on Diego Garcia, an Indian Ocean island controlled by the United Kingdom and leased to the United States. The classified CIA documents say the black site arrangement at Diego Garcia was made with the “full cooperation” of the British government.”
    .
    And more:
    .
    “The report allegedly singles out a top CIA official for botching a handful of renditions and outlines agency efforts to cover up the mistakes.”
    .
    As the saying goes, read it and weep.

    • P J Evans says:

      And in related news
      Lawyers seek details on CIA rendition program (Miami Herald via SFGate)

      Just-released transcripts of a secret session at the Guantanamo war court show defense lawyers want a list of the countries where the CIA secretly jailed the alleged USS Cole bomber, and the names of people who worked at the agency’s “black sites.” But the prosecution won’t provide them.

      The tug-of-war over transparency emerged days after the Senate voted to declassify a portion of an investigation of the so-called CIA Torture Program that could contain some of the answers sought by lawyers for Saudi Abd al Rahim al Nashiri before his death penalty trial.

      Defense lawyers have security clearances that allow them to know certain aspects of the still-secret CIA Rendition, Detention and Interrogation program. But they aren’t entitled to a list of nations and names as they prepare for Nashiri’s Dec. 4 death penalty tribunal, case prosecutor Navy Cmdr Andrea Lockhart said in a transcript of the closed Feb. 22 Guantanamo hearing posted on the Pentagon’s war court website Friday evening.

      Lockhart told the judge, Army Col. James L. Pohl, the defense does not have the right to “double-check the government’s work, and they certainly don’t have the right to do their own independent investigation” of what happened to Nashiri.

      The prosecution is probably afraid of the dots being connected, more than anything else.

    • ess emm says:

      The report allegedly singles out a top CIA official for botching a handful of renditions

      Probably Robert Lady.

  7. lefty665 says:

    “…logging into a network that’s suspected of activity that’s associated with a behavior that the National Security Agency does not approve of.”
    .
    EW, I feel sure that while NSA appreciates you (good analysis is good analysis), it may not approve of all you do (or some of the rest of us for that matter).
    .
    Pleased to be swept up with you. Thanks for the opportunity. Keep up the good work.

  8. ess emm says:

    emptywheel:Now, this doesn’t guarantee that the NSA correlates identifiers to dump them into XKeyscore

    Why do we need a guarantee? It’s the purpose of Xkeyscore. And Snowden’s personally executed the searches with the explicit authorization of USG officials (which sounds like much higher than his immediate supervisor). That should be enough.

  9. Garrett says:

    “Fingerprints” is a bad metaphor, if I understand this right. Hair color is better.

    Fingerprints have also been used to monitor untold masses of people whose communications transit the entire country of Switzerland over specific routes.

    These people don’t match the fingerprint, a unique signature, of someone they are looking for. They match a general haircolor.

  10. bloopie2 says:

    Suggestion for the Senators: Next time you hold a hearing into NSA spying, don’t have Clapper, et al. testify. They only mislead, knowing they won’t get prosecuted. Instead, call some lower-level workers to testify – analysts, managers, etc. – who really do know what exactly they do with all those capabilities, and who will know that their freedom (from jail) is in jeopardy if they don’t tell the truth.

    • P J Evans says:

      If the Senate does call someone like Clapper … make sure they’re sworn before they testify. And charge them when they lie.

  11. orionATL says:

    THIS is why i am so strongly opposed to allowing tbe nsa to continue to operate as it has been operating and to be organized as it has been organized:

    “..Specifically, mass surveillance systems like XKeyscore provide organizations such as the NSA with the technical ability to trivially track entire populations of individuals who share any trait that is discoverable from unencrypted communications. For example, these include religious beliefs, political affiliations, sexual orientations, contact with a disfavored individual or group, history of donating to specific or general causes, interactions of transactions with certain private businesses, or even private gun ownership. It is a trivial task, for example, to generate lists of home addresses for people matching the target criteria. Or to collect their phone numbers, to discover their friends, or even, to analyze the proximity and location of their social connections by automating the detection of factors such as who they share pictures of their children with, which is capable of machine analysis…”

    this social machine can become the cold, hard eyes of totalitarian tyranny.

    once birthed (say, by generals who sincerely feel that we, the usa, are “drifting”), it will extremely difficult to kill.

    • chronicle says:

      quote”this social machine can become the cold, hard eyes of totalitarian tyranny.

      once birthed (say, by generals who sincerely feel that we, the usa, are “drifting”), it will extremely difficult to kill.”unquote

      As opposed to NSA/CIA employees…?

      On a side note, I know this site isn’t usually concerned with States rights/2nd Amendment issues, but there is a current event going viral in regards to a family in Nevada who’s been fighting the Bureau of Land Management for a long time. And now it’s come to a head…so much so that even Kevin Gostola at The Dissenter posted the story today.

      http://dissenter.firedoglake.com/

      And, as usual, the story was first reported by Mike Vanderbough of Fast and Furious fame, on his site…Sipsey Street Irregulars.

      http://sipseystreetirregulars.blogspot.com/2014/04/oath-keepers-to-help-with-bundy-protest.html

      http://sipseystreetirregulars.blogspot.com/2014/04/just-received-this-link-from-nevada.html

      Keep your eye on this. This has all the potential for Waco2. If DHS steps over this line in the sand…there will be bloodshed. Make no mistake. These people will NOT stand down. If anything, this could trigger a war between the Oath Keepers and the Feds. No matter, things are on the verge of going out of control.

      • P J Evans says:

        All because the rancher won’t pay the minimal grazing fees he owes to the country. He’s on the wrong side.

  12. GKJames says:

    Agreed that it’s not guaranteed, but from what we now know, courtesy of Snowden and this site, surely we have enough to go on to form the reasonable conclusion that correlating identifiers to dump them into XKeyscore is precisely what they’re doing. I surmise that they do so because (a) they can; (b) no one’s stopping them; and (c) it’s so easy as to be irresistible.

  13. bevin says:

    Reluctant though I am to sound apolcalyptic notes, can there be any doubt that this architecture of surveillance means that society has changed profoundly and irrevocably? The Panopticon was no more than a Heath Robinson nightmare compared to this.
    Nor does there seem any realistic possibility of winding this new “transparency” back, unless society itself consciously decides to choose individual dignity and privacy over the emerging dystopia.
    To make such a choice there would have to be not merely an entirely new relationship between state and citizen but a dismantling of the state as we know it.
    This is a moment in which the ghost of Rosa Luxemburg looks very much like that of John Taylor, late of Caroline County in Virginia.

  14. john francis lee says:

    What Snowden is describing are the ‘signatures’ for Obama/Brennan ‘signature’ drone strikes.

    Our USA is murdering the world’s poorest people at fantastic cost from a great distance base on some analysts’ intuitions. At random – in other words.

    It’s OK though … Obama has a Nobel Peace Prize – the ultimate license to kill.

    We haven’t stopped the murderous criminals at the very top of our government,

    We’re no different at all from the Germans of the Third Reich.

Comments are closed.