SPCMA and ICREACH

Within weeks of Michael Mukasey’s confirmation as Attorney General in November 2007, Assistant Attorney General Ken Wainstein started pitching him to weaken protections then in place for US person metadata collected overseas; Mukasey did so, under an authority that would come to be known as SPCMA, on January 3, 2008.

In 2007, Wainstein explained the need to start including US person data in its metadata analysis, in part, because CIA wanted to get to the data — and had been trying to get to it since 2004.

(3) The Central Intelligence Agency’s (CIA) Interest in Conducting Similar Communications Metadata Analysis. On July 20, 2004 [days after CIA had helped NSA get the PRTT dragnet approved], the General Counsel of CIA wrote to the General Counsel of NSA and to the Counsel for Intelligence Policy asking that CIA receive from NSA United States communications metadata that NSA does not currently provide to CIA. The letter from CIA is attached at Tab C. Although the proposed Supplemental Procedures do not directly address the CIA’s request, they do resolve a significant legal obstacle to the dissemination of this metadata from NSA to CIA. (S//SII/NF)

Wainstein also noted other DOD entities might access the information.

That’s important background to the Intercept’s latest on ICREACH, data sharing middleware that permits other intelligence agencies to access NSA’s metadata directly — and probably goes some way to answer Jennifer Granick’s questions about the story.

As the documents released by the Intercept make clear, ICREACH arose out of an effort to solve a data sharing problem (though I suspect it is partly an effort to return to access available under Bush’s illegal program, in addition to expanding it). A CIA platform, PROTON, had been the common platform for information sharing in the IC. NSA was already providing 30% of the data, but could not provide some of the types of data it had (such as email metadata) and could not adequately protect some of it. Nevertheless, CIA was making repeated requests for more data. So starting in 2005, NSA proposed ICREACH, a middleware platform that would provide access to both other IC agencies and 2nd parties (Five Eyes members). By June 2007, NSA was piloting the program.

Right in that same time period, NSA’s Acting General Counsel Vito Potenza, Acting OLC head Steven Bradbury, and Wainstein started changing the rules on contact chaining including US person metadata. They did so through some word games that gave the data a legal virgin birth as stored data that was therefore exempt from DOD’s existing rules defining the interception or selection of a communication.

For purposes of Procedure 5 of DoD Regulation 5240.1-R and the Classified Annex thereto, contact chaining and other metadata analysis don’t qualify as the “interception” or “selection” of communications, nor do they qualify as “us[ing] a selection term,” including using a selection term “intended to intercept a communication on the basis of … [some] aspect of the content of the communication.”

See this post for more on this amazing legal virgin birth.

Significantly, they would define metadata the same way ICREACH did (page 4), deeming certain login information to be metadata rather than content.

“Metadata” also means (1) information about the Internet-protocol (IP) address of the computer from which an e-mail or other electronic communication was sent and, depending on the circumstances, the IP address of routers and servers on the Internet that have handled the communication during transmission; (2) the exchange of an IP address and e-mail address that occurs when a user logs into a web-based e-mail service; and (3) for certain logins to web-based e-mail accounts, inbox metadata that is transmitted to the user upon accessing the account.

It would take several years to roll out SPCMA (remember, that’s the authority to chain on US person data, as distinct from the sharing platform); a pilot started in NSA’s biggest analytical unit in 2009. When it did, NSA made it clear that personnel could access this data to conduct analysis, but that existing dissemination rules remained the same (which is consistent with the 2006-2008 proposed activity).

Additionally, the analyst must remain cognizant of minimization procedures associated with retention and dissemination of US person information. SPCMA covers analytic procedures and does not affect existing procedures for collection, retention or dissemination of US person information. [emphasis original]

Accessing data in a database to do analysis, NSA appears to have argued, was different than disseminating it (which is a really convenient stance when you’re giving access to other agencies and trying to hide the use of such analysis).

Of course, the pitch to Mukasey only nodded to direct access to this data by CIA (and through them and PROTON, the rest of the IC) and other parts of DOD. In what we’ve seen in yesterday’s documents from the Intercept and earlier documents on SPCMA, NSA wasn’t highlighting that CIA would also get direct access to this data under the new SPCMA authority, and therefore the data would be disseminated via analysis outside the NSA. (Note, I don’t think SPCMA data is the only place NSA uses this gimmick, and as I suggested I think it dates back at least to the illegal dragnet.)

In response to yesterday’s Intercept story, Jennifer Granick suggested that defining this metadata as something other than communication allows the NSA to bypass its minimization procedures.

The same is true of the USSID18 procedures. If the IC excludes unshared stored data and other user information from the definition of communications, no minimization rules at all apply to protect American privacy with regard to metadata NSA collects, either under 12333 or section 702.

[snip]

NSA may nevertheless call this “minimized”, in that the minimization rules, which require nothing to be done, have been applied to the data in question. But the data would not be “minimized” in that it would not be redacted, withheld, or deleted. 

Given what we’ve seen in SPCMA (the authority permitting the analysis of expansively defined metadata to include US person data), she’s partly right, in that the NSA has defined this metadata as something other than communication “selection,” but she’s partly missing one of NSA’s gimmicks: that NSA distinguishes “analysis” from “dissemination.”

And if a bunch of agencies can access this data directly, then it sort of makes the word “dissemination” meaningless. 


June 2004: DCID 8/1 mandates that all IC agencies share data as soon as it might be comprehensible.

July 20, 2004: Scott Muller writes NSA GC (Potenza?) and OIPR Counsel, asking for US person metadata.

March 10, 2005: CIA requests additional data for PROTON

May 26, 2005: NSA/CSS Policy 1-9: Information Sharing implements DCID 8/1

July 6, 2005: Recommendation NSA make PROTON available on GLOBALREACH; this would become ICREACH

September 28, 2006: NSA Acting General Counsel first asks James Baker to permit contact chaining through US person data overseas

FY 2007: Rollout and training of ICREACH

FY 2008: Add second party and PROTON brokers to ICREACH

June 2007: ICREACH pilot begins

~July 2009: SPCMA pilot

January 2011: SPCMA expands across NSA
