The Unaudited Tech Analyst Access to US Person Data
In addition to its exposure of the sheer senselessness of much of the spying NSA engages in, yesterday’s WaPo story also shows that the government’s assurances that Edward Snowden could not access raw data have been misplaced.
For close to a year, NSA and other government officials have appeared to deny, in congressional testimony and public statements, that Snowden had any access to the material.
As recently as May, shortly after he retired as NSA director, Gen. Keith Alexander denied that Snowden could have passed FISA content to journalists.
“He didn’t get this data,” Alexander told a New Yorker reporter. “They didn’t touch —”
“The operational data?” the reporter asked.
“They didn’t touch the FISA data,” Alexander replied. He added, “That database, he didn’t have access to.”
Robert S. Litt, the general counsel for the Office of the Director of National Intelligence, said in a prepared statement that Alexander and other officials were speaking only about “raw” intelligence, the term for intercepted content that has not yet been evaluated, stamped with classification markings or minimized to mask U.S. identities.
“We have talked about the very strict controls on raw traffic, the training that people have to have, the technological lockdowns on access,” Litt said. “Nothing that you have given us indicates that Snowden was able to circumvent that in any way.”
In the interview, Snowden said he did not need to circumvent those controls, because his final position as a contractor for Booz Allen at the NSA’s Hawaii operations center gave him “unusually broad, unescorted access to raw SIGINT [signals intelligence] under a special ‘Dual Authorities’ role,” a reference to Section 702 for domestic collection and Executive Order 12333 for collection overseas. Those credentials, he said, allowed him to search stored content — and “task” new collection — without prior approval of his search terms.
No one should ever have believed those assurances.
That’s because the documentation on the Section 215 program makes it clear how little oversight there is over tech people just like Snowden. The current phone dragnet order, for example, makes it clear that:
- Tech personnel may access the phone dragnet data to tweak it in preparation for contact-chaining
- Unlike intelligence analysts, tech personnel may query the phone dragnet data with selectors that have not been RAS-approved
- Tech personnel may also conduct regular queries using RAS-approved selectors
- Tech personnel may access the dragnet data to search for high volume numbers — this may require access to raw data
- Some of the tech personnel (those in charge of infrastructure and receiving data from the telecoms) are exempt from special training on the phone dragnet data
The audit language in the dragnet order applies only to “foreign intelligence analysis purposes or using foreign intelligence analysis tools,” suggesting the tech analysis role access to the dragnet data is not audited.
Language in the order defining “NSA” suggests contractors may access the data (though it’s unclear whether they do so in a technical or intelligence analysis function); something made explicit in Dianne Feinstein’s bill.
That is, it is at least possible that Booz analysts are currently conducting audit-free tech massaging of the raw phone dragnet data.
And NSA knew this access was a vulnerability. As recently as 2012, tech analysts were found to have 3,000 files worth of phone dragnet data (it’s unclear how much data each file included) on an improper server past its required destruction date. NSA destroyed that data before definitively researching what it was doing there.
Thus, the risk of tech analyst breach is very real, and no one — not NSA, and not Congress, which has only codified this arrangement — seems to be addressing it.
Indeed, it is likely that some kind of Booz-type contractors will continue to have direct access to this data after it gets outsourced to the telecoms, otherwise USA Freedumber would not extend immunity to such second-level contractors.
For months, intelligence officials claimed not only that Snowden had not accessed raw data, but could not. That was always a dubious claim; even if Snowden couldn’t have accessed that data, other contractors just like him could and still can, with less oversight than NSA’s intelligence analysts get.
But it turns out Snowden could and did. And thanks to that, we now know many of the other claims made by government witnesses are also false.
So by my count, the past few days we’ve had three major revelations regarding the contents of Snowdens archive — all closely held secrets until now.
1. Unfettered access to FISC materials.
2. A copy of the XKEYSCORE selector database.
3. Access to actual traffic intercepts.
Someone must be shittin’ in their boots…
hey, america you can relie on us.
we are in the know – ALWAYS **
we are in control – ALWAYS **
**well, mostly.
“..And thanks to that, we now know many of the other claims made by government witnesses are also false…”
question for moral philosophers:
if a government witness lies during a government hearing on national security matter, is that really a lie?
question for legal philosophers:
if a government witness lies during a government hearing on national security matter, does that lie merit legal action?
The reason that nobody is acknowledging this is simple. The only way to eliminate the risk is to not collect the data.
Ingesting data into big-data databases remains an unsolved problem. Nobody’s figured out how to automate the data clean up at scale, so it always requires human intervention.
And it’s a deep problem. You can only assess the cleanliness of data in the context of how you wish to analyze it. A new analytic framework will expose issues that you haven’t considered and you’ll have to go clean stuff up again.
As a technical matter, you have to trust somebody, or not collect the data in the first place.
Yep. I’m somewhat aware of that. And it’s gonna still have to happen at the telecoms. Which is worse, bc then it’ll be a Booz contractor doing it at the telecoms.
Hopefully there is at least one Hollywood producer reading this blog. The potential for movie plots in this ongoing soap opera is enormous. One possible title for a movie: The Pink Panther and the Selfie Generation. In this upcoming addition to the Pink Panther series, Inspector Clouseau is getting ready to retire and is training a young Edward Snowden on the finer points of signal intelligence.
The Snowden revelations are slowly unmasking the absurd, but deadly serious, nature of the security apparatus developed by the NSA over recent years. What started out as a serious attempt to track and monitor actual or potential terrorists has become a farcical bureaucratic monster bogged down in monitoring the selfies or sextings of ordinary people. Even worse for the NSA, there are tech-savvy people all over the planet who are taking steps to neutralize the systems they have developed.
I don’t know if I should be alarmed or reassured by what is going on. I keep reminding myself that the government didn’t stop people from consuming alcohol during prohibition, and it hasn’t stopped people from consuming illicit drugs since the advent of the war on drugs in the Nixon Administration. So I try (at times unsuccessfully) not to become too alarmed when I read the postings on this and similar sites. Humans are ingenious, and they will figure out ways to defeat the pervasive surveillance system the government has created. I’m just hoping the countermeasures come before too much damage has been done to our constitution and bill of rights.
“Nobody is reading your email!”
–
(And by Nobody I mean any unaudited Tech Analyst.)
Ben Wittes says
There you have it. NSA defender Wittes is throwing the 4th amendment under the bus because it will have operational consequences.
–
More Wittes:
Sure, Ben. Blame Snowden for why these innocuous files were still in the USG databases.
i keep wondering if ben wittes is this stupid or whether “1984” was era and society where he comfortably lives in his imagination:
“..Snowden did not keep personal identifying details from the Post. He basically outed thousands of people—innocent and not—and left them to the tender mercies of journalists. This is itself a huge civil liberties violation…”
– a wittless syllogism:
government collects personal data on individuals it has no right to collect that data on.
nsa super-analyst snowden copies this data from nsa files as unimpeachable evidence of government intrusion and misconduct. snowden then provides it to newspapers.
therefore,
snowden committed a huge civil liberties violation.
Yeah, contemplated making fun of this.
People who are perfectly fine w/minimization are now squawking at journalists minimizing data in one discrete episode and to make generalizations rather than detailed reports and rather than over time.
Interesting. Sort of a ‘fruit of the poisonous tree’ conundrum, isn’t it?
I find this a wonderful govt. service in the fact if my email gets lost in the tubes I can ask nsa for a copy. Then again I won’t need to pay my Doc. office for my health care records because I can ask nsa for free copies because they are a so-called govt. service owned by the people of Amerika right?
WOW I’m so happy this happening in Amerika a full service govt.
Money for war nothing for Main Street, my only hope as the empire fails does it take everyone down with it? Yep that’s how are mean the .01% are. Sad
Thanks EW for the news and truth
I sat in a doctor’s waiting room a week ago, forced to watch FOX News during which their talking heads whined and puled at length about the scandal of the missing emails at IRS.
Um, hello? Maybe FOX’s NSA fan club could ask the NSA to recover the emails?
And while we’re at it, maybe some unaudited likely-subcontractor analysts could tell us what they did with that so-much-smaller scandal, the missing Bush/Cheney White House emails?
Crazy balancing act Wittes et al are doing, trying not to be pro-Obama but pro-NSA at the same time, while avoiding any technical questions about preserving the 4th Amendment.
.
Just to refresh your memory,
.
http://www.cnn.com/2008/US/10/09/spying.on.americans/index.html
.
What was not released is any transcripts of the ‘salacious’ calls. Whilest the news in the link I put up there a few lines earlier caused the apologists to come out of the bushes to spew out lyrical distortions of ‘ahah and ahem’, the fallout was mostly brushed aside with a few worried grimaces.
.
Same thing still going on. Only it is inside the US, and it is aimed at US-not-even-remotely-terrorist folks. I wonder when some transcript of folks chatting will make it onto the front pages… there is a lot more than metadata being captured, stored and analyzed. Reading someone’s private chat is way different than reading they were monitored.
.
Somebody in the tech area always has access to the raw data. I’ve been saying this all along. In fact, I’ve been saying it for decades as I watched companies stupidly outsource their IT functions. The kind of access I’ve had to data bases over the years… when I was in charge of various systems. Somebody has to have access to the production data bases because if something goes wrong, somebody has to fix it and if the data gets botched, sometimes someone has to go in and, using admin tools, fix it, or write programs or scripts to fix it, or the world stops going round, so to speak. In most situations, the whole tech team won’t have access to the production data bases. That kind of security will be reserved for high level tech. But somebody always has it. I’m sure the govt/intel is no different. They are still computer systems. Not magic.
As Marcy or somebody mentioned, people who work on the feeds from telecoms and big tech companies no doubt have access to that raw data too. Whenever you interface with other companies and organizations, things go wrong with data feeds, or when changes to systems are made, things get out of synch or there are issues with the handshake or the understanding of what each side will do. It’s the sausage making in the tech world. From the outside it looks like things just hum along. But it’s not magic. Shit happens, especially in a fast moving world of a gazillion details and as much as everyone tries to anticipate and code for exceptions, shit happens.
In a prior life, one system I wrote was for data scrubbers in the Wall St world. We took in the data feeds because we sold stock broker terminals w/ data, news headlines, research, etc. For all the big firms. There was a room full of people who watched those feeds and fixed problematic data and sent it along on its way, or removed it from the feed if it was garbage. Because it happens. I wrote a little data monitoring and massaging app for the person who was in charge of some new international data feeds and research we were ingesting and then providing as a new service on our broker terminals.