March 16, 2017 / by emptywheel


Dianne Feinstein Discovers Its Not “Just” Metadata

Over the course of years of defending the NSA’s bulk metadata programs, Dianne Feinstein made a series of statements to suggest that massive collection of metadata — including aspiring to collect the phone records of every American — was no big deal because it didn’t include content.

June 6, 2013:

[T]his is just metadata. There is no content involved.

October 20, 2013:

The call-records program is not surveillance. It does not collect the content of any communication,

May 18, 2014:

It’s not a surveillance program, it’s a data-collection program.

But it appears Senator Feinstein no longer believes that the bulk collection of metadata is a minor issue. In response to yesterday’s unsealing of the indictment against 4 Russian hackers for targeting Yahoo, Feinstein had this to say:

Today’s charges against hackers and Russian spies for the theft of more than 500 million Yahoo user accounts is the latest evidence of a troubling trend: Russia’s sustained use of cyber warfare for both intelligence gathering and financial crimes. The indictment shows that Russia used these cyberattacks to target U.S. and Russian government officials, Russian journalists and employees of cybersecurity, financial services and commercial entities.

500 million user accounts didn’t get hacked. Upwards of 6,500 accounts got hacked for content, and the contacts of another 30 million were harvested for spam marketing. The 500 million number refers to the theft of a database of metadata. The indictment made clear that this was non-content data:

21. Beginning no later than 2014, the conspirators stole non-content information regarding more than 500 million Yahoo user accounts as a result of their malicious intrusion. The theft of user data was part of a larger intrusion into Yahoo’s computer network, which continued to and including at least September 2016. As part of this intrusion, malicious files and software tools were downloaded onto Yahoo’s computer network, and used to gain and maintain further unauthorized access to Yahoo’s network and to conceal the extent of such access.

22. The user data referenced in the preceding paragraph was held in Yahoo’s User Database (“UDB”). The UDB was, and contained, proprietary and confidential Yahoo technology and information, including, among other data, subscriber information, such as: account users’ names; recovery email accounts and phone numbers, which users provide to webmail providers, such as Yahoo, as alternative means of communication with the provider; password challenge questions and answers; and certain cryptographic security information associated with the account, i.e. the account’s “nonce”, further described below. Some of the information in the UDB was stored in an encrypted form.

Feinstein has long insisted that so long as content is not collected, it doesn’t amount to surveillance.

Now, I’ll grant you: the Yahoo database included far richer metadata than NSA got under the bulk phone and Internet metadata programs that Feinstein long championed. It includes names, alternate contacts, password hints, and that nonce (which is what the Russians used to break into email accounts themselves).

But we know that NSA’s phone and Internet dragnet programs correlated collected metadata with other information it had to develop this kind of profile of targeted users. We know it has the ability (and so therefore, presumably does) collect such data — as metadata — overseas. The definition of EO 12333 collected metadata that can be shared freely between intelligence agencies remains silent on whether it includes things like names. And even the modified phone dragnet program rolled out under USA Freedom Act correlates data — meaning it will pull from all known instances of the identifier — even before requesting data from providers.

So NSA is still collecting metadata — in quantities greater than what Russia stole from Yahoo — including metadata on US persons.

Perhaps given Feinstein’s newfound discovery of how compromising such information can be, she’ll be a little more attentive to NSA and FBI’s own use of bulk metadata?

Copyright © 2018 emptywheel. All rights reserved.
Originally Posted @