SPCMA and ICREACH

Within weeks of Michael Mukasey’s confirmation as Attorney General in November 2007, Assistant Attorney General Ken Wainstein started pitching him to weaken protections then in place for US person metadata collected overseas; Mukasey did so, under an authority that would come to be known as SPCMA, on January 3, 2008.

In 2007, Wainstein explained the need to start including US person data in NSA’s metadata analysis, in part, because CIA wanted to get to the data — and had been trying to get to it since 2004.

(3) The Central Intelligence Agency’s (CIA) Interest in Conducting Similar Communications Metadata Analysis. On July 20, 2004 [days after CIA had helped NSA get the PRTT dragnet approved], the General Counsel of CIA wrote to the General Counsel of NSA and to the Counsel for Intelligence Policy asking that CIA receive from NSA United States communications metadata that NSA does not currently provide to CIA. The letter from CIA is attached at Tab C. Although the proposed Supplemental Procedures do not directly address the CIA’s request, they do resolve a significant legal obstacle to the dissemination of this metadata from NSA to CIA. (S//SII/NF)

Wainstein also noted other DOD entities might access the information.

That’s important background to the Intercept’s latest on ICREACH, data sharing middleware that permits other intelligence agencies to access NSA’s metadata directly — and probably goes some way to answer Jennifer Granick’s questions about the story.

As the documents released by the Intercept make clear, ICREACH arose out of an effort to solve a data sharing problem (though I suspect it is partly an effort to return to access available under Bush’s illegal program, in addition to expanding it). A CIA platform, PROTON, had been the common platform for information sharing in the IC. NSA was already providing 30% of the data, but could not provide some of the types of data it had (such as email metadata) and could not adequately protect some of it. Nevertheless, CIA was making repeated requests for more data. So starting in 2005, NSA proposed ICREACH, a middleware platform that would provide access both to other IC agencies and to 2nd parties (Five Eyes members). By June 2007, NSA was piloting the program.

Right in that same time period, NSA’s Acting General Counsel Vito Potenza, Acting OLC head Steven Bradbury, and Wainstein started changing the rules on contact chaining including US person metadata. They did so through some word games that gave the data a legal virgin birth as stored data that was therefore exempt from DOD’s existing rules defining the interception or selection of a communication.

For purposes of Procedure 5 of DoD Regulation 5240.1-R and the Classified Annex thereto, contact chaining and other metadata analysis don’t qualify as the “interception” or “selection” of communications, nor do they qualify as “us[ing] a selection term,” including using a selection term “intended to intercept a communication on the basis of … [some] aspect of the content of the communication.”

See this post for more on this amazing legal virgin birth.

Significantly, they would define metadata the same way ICREACH did (page 4), deeming certain login information to be metadata rather than content.

“Metadata” also means (1) information about the Internet-protocol (IP) address of the computer from which an e-mail or other electronic communication was sent and, depending on the circumstances, the IP address of routers and servers on the Internet that have handled the communication during transmission; (2) the exchange of an IP address and e-mail address that occurs when a user logs into a web-based e-mail service; and (3) for certain logins to web-based e-mail accounts, inbox metadata that is transmitted to the user upon accessing the account.

It would take several years to roll out SPCMA (remember, that’s the authority to chain on US person data, as distinct from the sharing platform); a pilot started in NSA’s biggest analytical unit in 2009. When it did, NSA made it clear that personnel could access this data to conduct analysis, but that existing dissemination rules remained the same (which is consistent with the 2006-2008 proposed activity).

Additionally, the analyst must remain cognizant of minimization procedures associated with retention and dissemination of US person information. SPCMA covers analytic procedures and does not affect existing procedures for collection, retention or dissemination of US person information. [emphasis original]

Accessing data in a database to do analysis, NSA appears to have argued, was different than disseminating it (which is a really convenient stance when you’re giving access to other agencies and trying to hide the use of such analysis).

Of course, the pitch to Mukasey only nodded to direct access to this data by CIA (and through them and PROTON, the rest of the IC) and other parts of DOD. In what we’ve seen in yesterday’s documents from the Intercept and earlier documents on SPCMA, NSA wasn’t highlighting that CIA would also get direct access to this data under the new SPCMA authority, and therefore the data would be disseminated via analysis outside the NSA. (Note, I don’t think SPCMA data is the only place NSA uses this gimmick, and as I suggested I think it dates back at least to the illegal dragnet.)

In response to yesterday’s Intercept story, Jennifer Granick suggested that by defining this metadata as something other than communication, it allows the NSA to bypass its minimization procedures.

The same is true of the USSID18 procedures. If the IC excludes unshared stored data and other user information from the definition of communications, no minimization rules at all apply to protect American privacy with regard to metadata NSA collects, either under 12333 or section 702.

[snip]

NSA may nevertheless call this “minimized”, in that the minimization rules, which require nothing to be done, have been applied to the data in question. But the data would not be “minimized” in that it would not be redacted, withheld, or deleted. 

Given what we’ve seen in SPCMA (the authority permitting the analysis of expansively defined metadata to include US person data), she’s partly right, in that the NSA has defined this metadata as something other than communication “selection,” but she’s partly missing one of NSA’s gimmicks: that NSA distinguishes “analysis” from “dissemination.”

And if a bunch of agencies can access this data directly, then it sort of makes the word “dissemination” meaningless. 


June 2004: DCID 8/1 mandates that all IC agencies share data as soon as it might be comprehensible.

July 20, 2004: Scott Muller writes NSA GC (Potenza?) and OIPR Counsel, asking for US person metadata.

March 10, 2005: CIA requests additional data for PROTON

May 26, 2005: NSA/CSS Policy 1-9: Information Sharing implements DCID 8/1

July 6, 2005: Recommendation NSA make PROTON available on GLOBALREACH; this would become ICREACH

September 28, 2006: NSA Acting General Counsel first asks James Baker to permit contact chaining through US person data overseas

FY 2007: Rollout and training of ICREACH

FY 2008: Add second party and PROTON brokers to ICREACH

June 2007: ICREACH pilot begins

~July 2009: SPCMA pilot

January 2011: SPCMA expands across NSA

Marcy has been blogging full time since 2007. She’s known for her live-blogging of the Scooter Libby trial, her discovery of the number of times Khalid Sheikh Mohammed was waterboarded, and generally for her weedy analysis of document dumps.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including the Guardian, Salon, and the Progressive, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse and dog in Grand Rapids, MI.

9 replies
  1. bloopie2 says:

    I’m sensing that we will eventually have in hand the documents needed to show that Everything that is collected (our term, not theirs) is freely shared with Anyone who wants to see it. Fuck. Are the courts the only possible limiting factor here?

      • wallace says:

        quote”Some fiction is better than others, when it comes to keeping your disbelief suspended.”unquote

        Engraved on PJ Evans tombstone. Meanwhile, 140 years later, his grandchildren’s grandchildren are debating whether or not to spit on it in recognition he did nothing but suspend his decision to pick up a weapon and change their future or pursue his own belief that someone else will.

        • orionATL says:

          wallace,

          you are a very tiresome blowhard whose comments clog up this website with inane, unintelligible commentary.

          you bombard readers with comment after comment after comment that merely quotes the work of others and then repetitively claims the government is “coming to get us”.

          your writing is just trash; your “thinking” consists of one paranoid theme repeated over and over

          there is no more worthless, boring commenter on this weblog than you.

          get lost, dumbass.

  2. wallace says:

    quote”Right in that same time period, NSA’s Acting General Counsel Vito Potenza, Acting OLC head Steven Bradbury, and Wainstein started changing the rules on contact chaining including US person metadata. They did so through some word games that gave the data a legal virgin birth as stored data that was therefore exempt from DOD’s existing rules defining the interception or selection of a communication.”unquote

    Word games. right. I told you OOD had a crossword expert working for them.

    quote”Accessing data in a database to do analysis, NSA appears to have argued, was different than disseminating it (which is a really convenient stance when you’re giving access to other agencies and trying to hide the use of such analysis).”unquote

    “Different”= OOD gimmick for Disseminating.

    Wait!! OMG…. I see OOD has added another letter to their acronym! They’re now OODG.. Office of Obfuscation, Doublespeak and Gimmicks!

    Before you know it the OODG will be hiring ventriloquists too.

    sheeezushcrist. These bastards never cease redefining the boundaries of obfuscation.

  3. wallace says:

    quote”See this post for more on this amazing legal virgin birth.”quote
    Legal virgin birth. right. We’re not talking God here. In this case, your words suggest a goddamned Rosemary’s baby with Acting General Counsel Vito Potenza, Acting OLC head Steven Bradbury, and Wainstein as fucking midwives.

    quote”In response to yesterday’s Intercept story, Jennifer Granick suggested that by defining this metadata as something other than communication, it allows the NSA to bypass its minimization procedures.”unquote

    Well, I think you mean this passage?

    quote”Given the confusing ways NSA uses language, to put it nicely, I wouldn’t put it past the agency to have misled the PCLOB.”unquote

    I just wish all the people analyzing these scumbags, would quit using niceties..like..”misled”, and start calling it what it fucking is. LIES. Goddamned, unequivocal LIES. I mean, I’ve had it with this “least un-truthful” bullshit.

    Look, we’re talking about the scum of the USG trying to usurp the Constitution while building exactly what Senator Church warned us about. As far as I’m concerned, these bastards don’t deserve one iota of respect, notwithstanding facing prosecution for TREASON. They don’t give a flying fuck about the Constitution, civil rights, your privacy, or lying to a judge. Like Bill Binney says…in reality, these authoritarian tyrants only care about one thing. TOTAL POPULATION CONTROL. PERIOD. So WHY do you spare them with “civility”. In reality, the only thing they deserve is total verbal beheading.

  4. What Constitution? says:

    Witness the virtually complete success of the “baffle them with complexity” strategy. Put another way, if one presumes that EW has laid this out as plainly and efficiently as she usually does, just how is somebody like DiFi supposed to understand — let alone “oversee” — this kind of maze of disingenuous and malevolent obfuscation? I can see her now:

  5. Dream On Mother Mary and Daughter Son says:

    “God said,” as some scoffed, “All things are naked and open in the eyes of Him with whom we have to do.”

    Did anyone think there would not be such a way?

    How electronic communication merely the beginning?

    Well, accountability becomes real in a widespread way and then what?

    Anyway …
