[Photo: National Security Agency, Ft. Meade, MD via Wikimedia]

Surveillance Whack-a-Mole, Section 215 to Section 702 Edition

As it happens, I and others covered the report that NSA purportedly has not restarted its use of the Section 215 CDR program in the wake of finding serious over-collection on the same day that I Con the Record released another Semiannual report on 702, the one completed in October 2018, which covers December 2016 to May 2017.

In my post on the Section 215 CDR claim, I suggested that function probably hasn’t shut down, but likely moved instead to a different authority, probably EO 12333.

The NSA almost never gives up a function they like. Instead, they make sure they don’t have any adverse court rulings telling them they’ve broken the law, and move the function some place else. Given that the government withdrew several applications last year after FISC threatened to appoint an amicus, and given that the government now has broadened 12333 sharing, they may have just moved something legally problematic somewhere else.

In Ellen Nakashima’s report on the 215 CDR shutdown, she suggested that NSA may not longer need the 215 CDR function because “terrorists” (this program was never just about terrorists) increasingly use secure apps which “don’t always create metadata.”

But these days, terrorists generally are not coordinating via phone calls or standard text messages, but communicate by using secure apps that don’t always create metadata trails, analysts said.

That is, the suggestion is that because “terrorists” are using encrypted apps like Signal and WhatsApp rather than AT&T or Verizon’s own SMS apps, getting the latter via the CDR program is not as useful.

But perhaps that explains the over-collection issue behind all this.

From the start of the USA Freedom Act debate, I have noted that the definition used in the law — session identifier — did not match the intent of most members of Congress: that is, to track telephony contacts. Telephony contacts are just an increasingly minimal subset of the session identifiers than any mobile phone user will generate. And in the age of super-cookies, providers increasingly track these other session identifiers. If providers collect it, spooks and law enforcement will try to use it, and the expanded universe of session identifiers is no exception.

One of several likely explanations for the over-collection that led the government to destroy all its records last year is that the FISA Court wrote something that distinguished between the two (basically, establishing a precedent that made fudging the issue legally problematic), leading NSA to “discover” the over-collection and quickly start deleting records before any overseer found the proof that it was no accident.

At least, that same pattern has happened numerous times before.

Anyway, back to surveillance whack-a-mole.

When this has happened in the past, the NSA didn’t actually shut down the function. It instead moved it to another authority, preferably one with less court oversight. Of particular note, when NSA shut down the PRTT dragnet in 2011, it moved some of that function to EO 12333 (NSA had resumed a practice shut down during the Stellar Wind shutdown allowing the agency to chain on Americans) and Section 702.

That’s why I want to point to something in the most recent Section 702 Semiannual Report (which, remember, reflects really dated reviews of Section 702 use. On top of being really dated, the report is, as all of these are, heavily redacted and largely boilerplate. Nevertheless, a close read of it (I do think I’m the only one who actually reads these!) can point to trends that can sometimes help identify problems on the same timeline that NSA’s Inspector General does.

And this most recent Semiannual report, from the period mid-way into implementation of the new USAF CDR function, has this passage (which — I believe — includes a typo).

This passage is not reporting a decrease, as the last clause of the paragraph claims; it is reporting an increase in the number of times Section 702 data appears in serialized (that is, finished) reports. The typo appears to be the result of retaining the claim that this is “the first and only decrease of for these ten reporting periods” from the prior report.

What is likely true of this passage, however, is that it is reporting a new trend: “expanded use of Section 702” for some function.

There are several likely candidates for the time period (early 2017). The increasing use of the 2014 exception, the ongoing shift of the old PRTT function (obtaining email metadata) are two.

But another would be to use 702 — such that it is technically feasible — to obtain what metadata exists for encrypted apps. Notably, during precisely this period, Facebook was moving to more closely integrate WhatsApp with its platform generally. And this would give it access (but not content) of chats. Since then, it has probably become easier for Verizon and AT&T to identify who is using Signal by matching the individual keys generated for each contact (just as an example, you can set Verizon to show this or not, meaning they’ve got visibility onto it one way or another). Using 702 to get encrypted app metadata would only give you one degree of separation from a foreign target. But you’d get it with far less oversight than NSA undergoes with Section 215.

Here’s the dirty secret about FISA. It is far easier for NSA to use Section 702 to get content and metadata than it is for NSA to use Section 215 to get just session identifiers.

Section 702 couldn’t replace all of what Section 215 — if it were collecting on the session identifiers associated with encrypted chat apps — gets. But what it could get might be far more voluminous than the 500 million session identifiers collected in 2017.

Update: Bobby Chesney — who seems to know more than he’s letting on — weighs in on the news here.

10 replies
  1. PR says:

    The NSA or IDA or any of its “companies” will collect whatever they wish to collect; any legal proceedings are for show purposes only. Post 911 we live in a privacy-free, security-diminished era.

    Republicans in Congress are now the BIGGEST threat to national security. McConnell is worse than Flynn or Manafort.

    The American people have been fooled. They engage in self-surveillance by over-documenting and sharing all aspects of geolocation, tastes, trips, thoughts, social networks, leaving nearly nothing to the imagination. Splunk, Palantir et al. aggregate these data points w. financials and POW: you’re naked before the NSA. Surprise the cameras are always on – SmartTVs, phones, PCs, etc.

    If you’re (un)lucky, the NSA will show up in person. Trust me.

    To some degree, I get why they do it (because I’m gifted that way), but it’s so misapplied. Gamification of self-surveillance and of socialization itself is actually a national security risk. We need people who can keep secrets, right? Isn’t that the point?

    Porn? Check. Shopping? Check. Snark? Check. Drama? Check. After awhile, isn’t it all passe? Who cares vis-a-vis national security? It’s a waste of resources. Even if we were to have the world engage in the same culture-based actions, it would leave us and our allies weaker.

    What we need are people w. special abilities who do NOT get hounded, but get respected instead. Maybe then you can truly see what you’re missing.

    Palantir. So cute. Imagine if you actually had special abilities. Those who do, don’t respond to threats.

    • PR says:

      All the posters
      All the fake schools
      All the molestation jokes
      All the druggings
      All the fake schools

      Send your 3rd rate psychologist away
      Those who RAN AWAY are not looking for more abuse

      Time for apologies and compensation.

      -Oxford Comma

  2. bjet says:

    On Junior’s blocked number calls before the “Crown Prosecutor” meeting, Swalwell said it might be too late to get that info from providers by the time HPSCI was up & running.

    Did this NSA data dump prevent presidential record recovery & archiving, or acquisition of records from Kushner & other former & current members of Trump Admin by House oversight committees?

    I’m referring to their rather openly defying PRA requirements in early 2017, or appearing to be; saying that they were communicating by DM on burners -or the equivalent, & ‘joking’ about it.

  3. x174 says:

    i for one greatly appreciate your reading these often heavily redacted documents and sharing some of their seemingly relevant excerpts. when i try to incorporate your investigations and insights into what I’ve been looking at, the emergent trends and technological advances seem potentially informative.

    Deep learning to automatically process facial and auditory information are among the top successful applications of cutting edge computing in the us (see, for example, Oak Ridge National Lab’s 200 petaflop machine Summit, poised to process exabyte level tasks) and the growing ability of social media to link all kinds of session id information with images. what I’m getting at is the idea of constraining the ostensible legal restrictions–thanks btw for the Chelsey link–with on-going needs and capabilities.

    the technical capabilities seem to be beyond the ability of the legal requirements. the telecommunications revolution is exactly that, revolutionary. Section 215 and 702 seem behind the times. furthermore, in the face of a perceived need, the gloves come off, if they weren’t already. take these geneological database analyses combined with DNA samples from possible suspects’ relatives. if they say that they have apprehended a mass murderer or serial rapist, few would argue about the problematic legal aspects. the law is malleable in the face of perceived/actual threats. just look at the patriot and freedom acts.

    confronting statutory law with the facts on the ground–though highly technical and geopolitically and geoeconomically challenging seem to be eminently good ways to constrain what the laws say what can be done with what in fact is done b/c we have the capability or the (perceived/actual) need.

    thanks again for educating and enlightening us about the legal skullduggery of our national security standards/legerdemain.

  4. SICK says:


    I’m on two different ones now, (PIA and ExpressVPN) but both are dropping my connections more and more frequently.

    Maybe I should switch…???

  5. Mark Ospeck says:

    >serious over-collection
    > several likely explanations
    >led the government to destroy all its records last year
    >Telephony contacts are just an increasingly minimal subset of the session identifiers
    >has happened in the past
    >NSA didn’t actually shut down the function
    >moved to another authority with less court oversight

    Standing tough under stars and stripes We can tell This dream’s in sight You’ve got to admit it At this point in time that it’s clear The future looks bright On that train all graphite and glitter Undersea by rail Ninety minutes from New York to Paris Well by seventy-six we’ll be A.O.K. What a beautiful world this will be What a glorious time to be free Get your ticket to that wheel in space While there’s time The fix is in You’ll be a witness To that game of chance in the sky You know we’ve got to win Here at home we’ll play in the city Powered by the sun Perfect weather for a streamlined world There’ll be spandex jackets one for everyone What a beautiful world this will be What a glorious time to be free On that train all graphite and glitter Undersea by rail Ninety minutes from New York to Paris (More leisure time for artists everywhere) A just machine to make big decisions Programmed by fellows with compassion and vision We’ll be clean when their work is done We’ll be eternally free yes and eternally young What a beautiful world this will be What a glorious time to be free

  6. Savage Librarian says:

    Kith and Tell

    On a quiet day, on a quiet post, from a quiet profession, this is a comment about how we might try to connect outside our silos. More specifically, it is a reaction to something Bobby Chesney stated in the article from the link EW provided in the Surveillance Whack-a-Mole post on 3/6/19. The link is in the update at the bottom of the post.

    Mr. Chesney states:
    “…interpretation of 50 U.S.C. §1861—a statute known variously as “Section 215,” the “business records” provision, “FISA BR” or even the “libraries provision” (a rather misleadingly selective moniker but a rhetorically effective one all the same).”

    My comment is to address the reference to libraries. My intent is to show how easily we may misunderstand each other. And we sometimes undervalue and underestimate each other.

    Just as with other words, “library” evokes a stereotype. It has always been this way, but may be even more pronounced today. Yet, in truth, libraries serve society by providing and promoting access to the human record, in all its diverse forms.

    Many library employees and customers think of this institution as representing the cornerstones of democracy. Libraries share many traits with journalism and the transparency community. All of these have interests in constitutional rights and privacy. And all of them have individuals who have gone to extraordinary lengths to protect these concerns.

    It takes a vast amount of work behind the scenes to make libraries effective, especially in a metropolitan setting. And every library represents a microcosm of the community. Diversity is its essence.

    That means there are also innumerable issues to handle. Among these are a vast array of societal concerns (including voting), building problems, data and collection management, customer service requests, criminal behavior, threats to privacy, and the list goes on.

    As most know, libraries provide internet access for customers, as well as telephone and in-person answers to questions, not to mention materials for check out. The “Library Bill of Rights” is a BIG deal in the governance of privacy and access for all customers.

    So, getting back to Section 215, I have to wonder how much Bobby Chesney knows about libraries. I can only hope the comment he made about libraries was not meant to be dismissive.

    I know librarians who have made great sacrifices for the sake of democratic principles. And I hope they continue to do so. For purposes of illustration, here is an article that shows only one such instance of this.

    “Baseless Hysteria”?
    ALA’s opposition to Section 215 of the USA Patriot Act”


Comments are closed.