NSA Only Finds 59% of Its Targeting of US Persons

/4 Comments/in /by

This will be a minor point, but one that should be made.

The Privacies and Civil Liberties Oversight Board report on Section 702 included this little detail:

In 2013, the DOJ undertook a review designed to assess how often the foreignness determinations that the NSA made under the targeting procedures as described above turned out to be wrong — i.e., how often the NSA tasked a selector and subsequently realized after receiving collection from the provider that a user of the tasked selector was either a U.S. person or was located in the United States. The DOJ reviewed one year of data and determined that 0.4% of NSA’s targeting decisions resulted in the tasking of a selector that, as of the date of tasking, had a user in the United States or who was a U.S. person. As is discussed in further detail below, data from such taskings in most instances must be purged. The purpose of the review was to identify how often the NSA’s foreignness determinations proved to be incorrect. Therefore, the DOJ’s percentage does not include instances where the NSA correctly determined that a target was located outside the United States, but post-tasking, the target subsequently traveled to the United States.

0.4% of NSA’s targeting decisions falsely determine someone is a foreigner who is in fact a US person.

That’s a pretty low amount. Though based on ODNI’s number — showing 89,138 people were targeted in 2013 — that means 356 US persons get wrongly targeted each year. Again, still not a huge number, but it compares rather interestingly with the 1,144 people targeted under FISA each year. Those wrongly targeted under Section 702 actually make up 24% of those targeted in a year.

Just as interesting is comparing the NSA’s internal audit (see page 6)  with DOJ’s results. For a period presumably covering some of the same time period, NSA discovered 20 US persons tasked (for some reason there was a big increase in this number for the last quarter of the report) and 191 incidences of “other inadvertent” tasking violations, which are described as, “situations where targets were believed to be foreign but who later turn out to be U.S. persons and other incidents that do not fit into the previously identified categories” (my emphasis). Not all of those 191 incidents should be counted as wrongly targeted US persons — the description includes other inadvertent targeting. But even counting them all as such, that means NSA only found 211 of the potential wrongly targeted US persons in a year, while DOJ found 356.

Again, in a country of 310 million people, these numbers are small, particularly as compared to the collection of US person communications under upstream collection, which is thousands of times higher.

But it does say that NSA’s internal reviews don’t find all the Americans who get wrongly targeted.

Correction: I originally mistranscribed DOJ’s number as .o4%–though I had calculated using .4%.

Share this entry

Anonymous Pushback Emphasizes that Surveillance Leads to Informants

/9 Comments/in , /by

I’ve already suggested I suspect the government falsely claimed it didn’t have a a FISA warrant on CAIR’s Executive Director Nihad Awad in an attempt to gain an advantage in EFF’s suit challenging the phone dragnet.

The conflicting denials anonymous officials gave to ABC about the story — with one senior official implying the people the Intercept profiled actually were profiled, but other current and former officials claiming the Intercept may have misunderstood what they were looking at — don’t change that suspicion in the least.

A senior government official said without knowing the underlying probable cause presented to a federal judge from the FISA court in each case, Greenwald and The Intercept cannot know why the e-mails of the purported targets were collected.

As a result, the official said, Greenwald and Snowden cannot know whether the surveillance revealed evidence or intelligence in each case that was incriminating or exculpatory — or whether some targets later cooperated with the FBI. Several officials said it was “irresponsible” to name individuals as surveillance targets when no public court record exists. The identified targets could be guilty or innocent or even cooperating with the government, the officials said.

You don’t know if somebody was later approached to become an informant,” the senior official said. “To the extent any of these people were targets, [The Intercept report] is a serious compromise. And if they weren’t targets, they shouldn’t be named.”

The Intercept said many of the emails on the spreadsheet titled “FISA Recap,” which they said Snowden provided, “appear to belong to foreigners whom the government believes are linked to al Qaeda, Hamas and Hezbollah.” But the report says their three-month investigation showed that “in practice, the system for authorizing NSA surveillance affords the government wide latitude in spying on U.S. citizens.”

However, current and former U.S. officials told ABC News that Snowden or Greenwald may have misunderstood some of the NSA documents, which they reported are spreadsheets with 7,485 email addresses, including many among multiple accounts by individuals.

“You should not assume all of the names Glenn Greenwald has were targets of surveillance,” a senior official familiar with Snowden’s pilfered cache told ABC News last week.

A former senior official once closely involved in the FISA warrant process told ABC News that The Intercept’s reporters were repeatedly warned by him that they “were getting it wrong” in how they interpreted what the NSA spreadsheets from Snowden signified. The documents also were curiously absent of the markings secret files typically carry which denote its specific level of classification and distribution limitations.

“The documents indicated to me that they were not targets,” the former official said. [brackets original, emphasis mine]

Surely DOJ will point to any doubts about the document in an effort to prevent it from being used to obtain standing to sue.

I’m just as interested in the logic the anonymous senior official used to say these names shouldn’t be released: that the person might have been approached to be an informant!

Sure, I get why the FBI probably wouldn’t want its informants exposed (though more and more GWOT era informants have exposed themselves without being harmed).

But I’m particularly interested in how quickly this official talked about informants. As Ted Olson did, more obliquely, back in 2002.

NSA has offered hint after hint that its surveillance does serve to identify people to coerce into informing. I find it odd that this official, hiding behind the veil of anonymity, introduces it with such little self-awareness.

Share this entry

All These Muslim Organizations Have Probably Been Associationally Mapped

/11 Comments/in /by

The Intercept has published their long-awaited story profiling a number of Muslim-American leaders who have been targeted by the FBI and NSA. It shows that:

  • American Muslim Council consultant Faisal Gill was surveilled from April 17, 2006 to February 8, 2008
  • al-Haramain lawyer Asim Ghafoor was surveilled under FISA (after having been surveilled illegally) starting March 9, 2005; that surveillance was sustained past March 27, 2008
  • American Muslim Alliance founder Agha Saeed was surveilled starting June 27, 2007; that surveillance was sustained past May 23, 2008
  • CAIR founder Nihad Awad was surveilled from July 17, 2006 to February 1, 2008
  • American Iranian Council founder Hooshang Amirahmadi was surveilled from August 17, 2006 to May 16, 2008

In other words, the leaders of a number of different Muslim civil society organizations were wiretapped for years under a program that should require a judge agreeing they represent agents of a foreign power.

But they probably weren’t just wiretapped. They probably were also used as seeds for the phone and Internet dragnets, resulting in the associational mapping of their organizations’ entire structure.

On August 18, 2006, the phone dragnet primary order added language deeming “telephone numbers that are currently the subject of FISA authorized electronic surveillance … approved for meta data querying without approval of an NSA official due to the FISA authorization.”

Given the way the phone and Internet dragnet programs parallel each other (and indeed, intersect in federated queries starting at least by 2008), a similar authorization was almost certainly included in the Internet dragnet at least by 2006.

That means as soon as these men were approved for surveillance by FISA, the NSA also had the authority to run 3-degree contact chaining on their email and phone numbers. All their contacts, all their contacts’ contacts, and all their contacts’ contacts’ contacts would have been collected and dumped into the corporate store for further NSA analysis.

Not only that, but all these men were surveilled during the period (which continued until 2009) when the NSA was running automated queries on people and their contacts, to track day-to-day communications of RAS-approved identifiers.

So it is probably reasonable to assume that, at least for the period during which these men were under FISA-authorized surveillance, the NSA has an associational map of their organizations and their affiliates.

Which is why I find it interesting that DOJ refused to comment on this story, but told other reporters that FBI had never had a FISA warrant for CAIR founder Nihad Awad specifically.

The Justice Department did not respond to repeated requests for comment on this story, or for clarification about why the five men’s email addresses appear on the list. But in the weeks before the story was published, The Intercept learned that officials from the department were reaching out to Muslim-American leaders across the country to warn them that the piece would contain errors and misrepresentations, even though it had not yet been written.

Prior to publication, current and former government officials who knew about the story in advance also told another news outlet that no FISA warrant had been obtained against Awad during the period cited. When The Intercept delayed publication to investigate further, the NSA and the Office of the Director of National Intelligence refused to confirm or deny the claim, or to address why any of the men’s names appear on the FISA spreadsheet.

Awad’s organization, CAIR, is a named plaintiff in the EFF’s suit challenging the phone dragnet. They are suing about the constitutionality of a program that — the EFF suit also happens to allege — illegally mapped out associational relations that should be protected by the Constitution.

CAIR now has very good reason to believe their allegations in the suit — that all their relationships have been mapped — are absolutely correct.

Update: EFF released this statement on the Intercept story, reading, in part,

Surveillance based on First Amendment-protected activity was a stain on our nation then and continues to be today. These disclosures yet again demonstrate the need for ongoing public attention to the government’s activities to ensure that its surveillance stays within the bounds of law and the Constitution. And they once again demonstrate the need for immediate and comprehensive surveillance law reform.

We look forward to continuing to represent CAIR in fighting for its rights, as well as the rights of all citizens, to be free from unconstitutional government surveillance.

EFF represents CAIR Foundation and two of its regional affiliates, CAIR-California and CAIR-Ohio, in a case challenging the NSA’s mass collection of Americans’ call records. More information about that case is available at: First Unitarian Church of Los Angeles v. NSA.

Share this entry

WaPo and PCLOB Agree: NSA Does Not Comply with Its Minimization Procedures

/1 Comment/in /by

There are a number of issues with Marc Ambinder’s interpretation of the WaPo’s analysis of the content of NSA’s 702 collections as a “bust.” Ambinder:

  • Overstates the specificity of the certifications, particularly in light of the general “foreign government” one recently revealed by WaPo
  • Makes the same email rather than overwhelmingly IM mistake Stewart Baker made
  • Doesn’t deal with the fact that the bulk of US identifiers that got minimized — the largest category, constituting over 57,000 instances — is IP address, which presents different privacy concerns than what he addresses
  • Suggests this collection includes traditional FISA warrants; WaPo suggests it is all 702 collection, which ought to mean it includes less US person content (but apparently doesn’t)
  • Ignores how readily the NSA provides unaudited access to raw data for tech personnel and SIGDEV, and therefore how (in)secure we should expect this data to be in practice

But the most troublesome problem with it is Ambinder’s treatment of the NSA’s minimization obligations and practices. Here are some statements Ambinder makes about NSA’s minimization requirements.

Ok, so: having run the data through an automatic minimization system of some sort, the NSA analysts are required to minimize every U.S.-person communication that they see. Minimize does not “to get rid of.” It means to anonymize the U.S.-based non-target source.

[snip]

Maybe I could be a customer service representative from the pizza place that got his order wrong, and I’m e-mailing him to apologize for it. The NSA and the FBI are required by statute to minimize the communication if they determine it has no intelligence value. (And why would the NSA waste time reading a conversation about pizza anyway?)

[snip]

The analyst’s judgment can be subjective. On the first instance, the analyst has to figure out whether the communication is relevant to a foreign intelligence purpose.

First he states that minimization does not mean “get rid of,” then states NSA is required by statute to get rid of communications that have no intelligence value, then notes an analyst has to determine whether a communication has foreign intelligence value. Overall, though, Ambinder suggests that NSA does get rid of communications involving US persons without foreign intelligence value.

Ambinder is absolutely right the law requires the government to get rid of US person data that has no foreign intelligence value.

Here’s what one version of the minimization requirements say:

(1) specific procedures, which shall be adopted by the Attorney General, that are reasonably designed in light of the purpose and technique of the particular surveillance, to minimize the acquisition and retention, and prohibit the dissemination, of nonpublicly available information concerning unconsenting United States persons consistent with the need of the United States to obtain, produce, and disseminate foreign intelligence information;

(2) procedures that require that nonpublicly available information, which is not foreign intelligence information, as defined in subsection (e)(1) of this section, shall not be disseminated in a manner that identifies any United States person, without such person’s consent, unless such person’s identity is necessary to understand foreign intelligence information or assess its importance;

(3) notwithstanding paragraphs (1) and (2), procedures that allow for the retention and dissemination of information that is evidence of a crime which has been, is being, or is about to be committed and that is to be retained or disseminated for law enforcement purposes; and

(4) notwithstanding paragraphs (1), (2), and (3), with respect to any electronic surveillance approved pursuant to section 1802 (a) of this title, procedures that require that no contents of any communication to which a United States person is a party shall be disclosed, disseminated, or used for any purpose or retained for longer than 72 hours unless a court order under section 1805 of this title is obtained or unless the Attorney General determines that the information indicates a threat of death or serious bodily harm to any person.

And here’s how that translates into the minimization procedures approved in 2011.

Personnel will exercise reasonable judgment in determining whether information acquired must be minimized and will destroy inadvertently acquired communications of or concerning a United States person at the earliest practicable point in the processing cycle at which such communication can be identified either: as clearly not relevant to the authorized purpose of the acquisition (e.g., the communication does not contain foreign intelligence information); or, as not containing evidence of a crime which may be disseminated under these procedures. Except as provided for in subsection 3(c)(2) below, such inadvertently acquired communications of or concerning a United States person may be retained no longer than five years from the expiration date of the certification authorizing the collection in any event.

Both the law and the minimization procedures approved by the FISC require NSA to get rid of US person communications that have no foreign intelligence purpose.

But here’s what the WaPo reveals about what NSA analysts do when they determine collection has no foreign intelligence value (note, however, these passages do not specify how many of these conversations include US person communications, though almost half of these communications involve US person identifiers).

Many other files, described as useless by the analysts but nonetheless retained, have a startlingly intimate, even voyeuristic quality. They tell stories of love and heartbreak, illicit sexual liaisons, mental-health crises, political and religious conversions, financial anxieties and disappointed hopes. The daily lives of more than 10,000 account holders who were not targeted are catalogued and recorded nevertheless.

[snip]

“None of the hits that were received were relevant,” two Navy cryptologic technicians write in one of many summaries of nonproductive surveillance. “No additional information,” writes a civilian analyst. [my emphasis]

While these passages are not quantifiable — both because WaPo didn’t say how many files NSA had determined to be “useless” and because WaPo didn’t identify how many of those include US persons — they do suggest that NSA is not complying with the legal requirement that they destroy communications involving US persons that don’t have foreign intelligence value. Not even for communications they describe as “useless” or “not relevant.”

That’s not surprising. As I noted the other day, PCLOB found that NSA “rarely” complies with this requirement and CIA and FBI never do.

[A]lthough a communication must be “destroyed upon recognition” when an NSA analyst recognizes that it involves a U.S. person and determines that it clearly is not relevant to foreign intelligence or evidence of a crime,531 in reality this rarely happens. Nor does such purging occur at the FBI or CIA: although their minimization procedures contain age-off requirements, those procedures do not require the purging of communications upon recognition that they involve U.S. persons but contain no foreign intelligence information.

Ambinder is absolutely right that WaPo’s sample shows that NSA is pretty good, but not perfect, at masking US person identities in their data.

But both WaPo’s detailed analysis and PCLOB’s general review show that NSA does not comply with another key part of its legally required minimization obligations, to destroy communications involving US persons that have no foreign intelligence value. US person identifiers may be masked, but many of them shouldn’t be in the NSA’s databases at all. That needs to be acknowledged in any discussion of the NSA’s minimization procedures. The law requires them to get rid of US person communications with no intelligence value. But they don’t.

That’s why the sheer volume of very personal information in this sample is of concern (aside from the concern we should have for foreigners’ privacy; though again, WaPo doesn’t say how much of the US person data includes that personal information). Because the NSA and FBI and CIA can access this data without needing any suspicion of wrongdoing.

Share this entry

Keith Alexander Has Finance Worried about Being Zeroed Out, Just Like President’s Review Group

/5 Comments/in , /by

Keith Alexander’s clients in the finance industry are proposing what he proposed to them: a government-finance industry council to protect against cyberthreats.

Alexander had been pitching Sifma and other bank trade associations to purchase his services through his new consulting firm, IronNet Cybersecurity Inc., for as much as $1 million per month, according to two people briefed on the talks.

He has made much the same argument to Sifma as the association is now making to the government about the emergence of new kinds of software assaults.

How tidy.

I’ll have more to say about their plot in a follow-up. But for the moment, look at what the consider one of the threats to the industry.

The next wave of attacks “in the near-medium term” is likely to be more destructive and could result in “account balances and books and records being converted to zeros,” while recovering the lost information “would be difficult and slow,” according to the Sifma document.

“We are concerned that the industry may not have the capabilities that we would like to effectively defend against this newer form of potential attack, the capability that we would like to stop such an attack once commenced from spreading to other financial institutions, or the capability we would like of effectively recovering if an initial attack is followed by waves of follow-on attacks,” the document says.

This seems like tacit admission that the finance industry doesn’t create enough backups, but instead of doing that, they apparently prefer setting up this government-finance council.

It’s great to see Keith Alexander creating such a profitable panic among the richest industry.

But I can’t help but note that this fear mimics one the President’s Review Group raised in an oblique recommendation.

(2) Governments should not use their offensive cyber capabilities to change the amounts held in financial accounts or otherwise  manipulate the financial systems;

Second, governments should abstain from penetrating the systems of financial institutions and changing the amounts held in accounts there. The policy of avoiding tampering with account balances in financial institutions is part of a broader US policy of abstaining from manipulation of the financial system. These policies support economic growth by allowing all actors to rely on the accuracy of financial statements without the need for costly re-verification of account balances. This sort of attack could cause damaging uncertainty in financial markets, as well as create a risk of escalating counter-attacks against a nation that began such an effort. The US Government should affirm this policy as an international norm, and incorporate the policy into free trade or other international agreements.

So are these seeming parallel worries based on classified information? If so, has Keith Alexander already started leaking classified information, as Alan Grayson raised concerns about?

Share this entry

Stewart Baker’s IM-y Numbers

/6 Comments/in /by

Screen shot 2014-07-08 at 9.11.30 AMStewart Baker accuses Bart Gellman and colleagues of inventing a phony statistic when they note that 89% of the communications collected under Section 702 were non-targets. He does some math to prove why they’re wrong in their interpretation of the scope of this.

The story is built around the implied claim that 90% of NSA intercept data is about innocent people.  I think the statistic is a phony.  Especially in an article that later holds up US law enforcement practice as a superior model.

What’s wrong with the statistic?  Well, let’s take an example from law enforcement.  Suppose I become the target of a government investigation.  The government gets a warrant and seizes a year’s worth of my email.  Looking at my email patterns, that’s about 35,000 messages.  About twenty percent – say 7500 –are one-off messages that I can handle with a short reply (or by ignoring the message).  Either way, I’ll never hear from that person again.  And maybe a quarter are from about 500 people I hear from at least once a week.  The remainder are a mix — people I trade emails with for a while and then stop, or infrequent correspondents that can show up any time.  Conservatively, let’s say that about 25 people are responsible for the portion of my annual correspondence that falls into that category.  In sum, the total number of correspondents in my stored email is 7500+500+25 = 8000 or so.  So the criminal investigators who seized and stored my messages from me, their investigative target, and over 8000 people who aren’t targets.

Or, as the Washington Post might put it “7999 out of 8000 account holders found in a large cache of communications seized by law enforcement were not the intended surveillance target but were caught in a net the investigators had cast for somebody else.”

I agree that the numbers would be impressive — if they actually were what Baker claims they are.

But they aren’t.

First, remember that these are minimized communications. And while the NSA is keeping data that has no foreign intelligence value, it is almost certainly not keeping spam (we know this because other NSA documents talk about defeating spam). So eliminate that 20% — or likely higher — or so right off.

Furthermore, the 9/10 ratio does not reflect all the communications WaPo examined. It doesn’t include the minimized US person ones. Almost half of the communications NSA identified as US person communications — that’s somewhat clear from the graphics, but Gellman stated that on Twitter.

So the actual number is closer to 95% of communications not being targets, not 89%.

But Baker also doesn’t consider what he’s dealing with. For the most part it’s not email, it’s IMs.

Screen shot 2014-07-08 at 9.18.42 AM

 

76% of this sample is IMs. Just 14% are emails.

So while Baker’s email example is nifty, it’s largely off point. Because he’d need to look at his IM patterns (or those of a 25 year old, who is more likely to resemble a target), not his email patterns.

It would still be a low number, if you’re considering pre-processed communications. It makes more sense when you realize that’s not what you’re considering.

Share this entry

NYT Mischaracterizes PCLOB Report While Transcribing NSA Pushback to WaPo

/2 Comments/in /by

The NYT has a story transcribing Administration efforts to “play down new disclosures” from the WaPo showing that the bulk of people whose communications were collected in a sample provided by Edward Snowden were not targets. The key claim NYT transcribes is that NSA “filters out” US person communications.

Administration officials said the agency routinely filters out the communications of Americans and information that is clearly of no intelligence value.

In addition, the NYT claims that PCLOB had no problems with the way the government minimized all this data.

Just days before the Post article, an independent federal privacy board had largely endorsed the N.S.A.’s execution of the program. The Privacy and Civil Liberties Oversight Board concluded last week that the “minimizing” of that data was largely successful, at least under the current law, which Congress passed six years ago.

Um, no.

I hope to explain this at more length, but the WaPo suggests that the government did not comply with targeting and minimization requirements in two ways: first, because the standards for foreignness were not as stringent as witnesses have claimed for a year (something which NYT’s sources apparently don’t even try to rebut). But also, WaPo showed the NSA was not destroying communications that — at least from their own and even some of the analysts’ own descriptions of it — had no foreign intelligence value. Here are some analysts judging the data collected irrelevant.

“None of the hits that were received were relevant,” two Navy cryptologic technicians write in one of many summaries of nonproductive surveillance. “No additional information,” writes a civilian analyst.

It’s this second detail NYT’s sources attempt to rebut.

But NYT’s claim that PCLOB concluded minimization “was largely successful” ignores a number of concerns they raised about it, a number of which pertain to back door searches and upstream collection.

In addition to those concerns (which about four of PCLOB’s recommendations address), PCLOB raised this issue:

Therefore, although a communication must be “destroyed upon recognition” when an NSA analyst recognizes that it involves a U.S. person and determines that it clearly is not relevant to foreign intelligence or evidence of a crime,531 in reality this rarely happens. Nor does such purging occur at the FBI or CIA: although their minimization procedures contain age-off requirements, those procedures do not require the purging of communications upon recognition that they involve U.S. persons but contain no foreign intelligence information.

A communication must be destroyed upon recognition if it’s a US person communication with no intelligence value — PCLOB restates the standard that NYT’s sources claim is actually used. But after laying out that standard, PCLOB immediately says meeting that requirement “rarely happens.”

NYT’s sources say it routinely happens. PCLOB says it rarely happens at NSA, and not at all at CIA and FBI.

PCLOB, incidentally, recommends addressing this issue by having FISC review what tasking standards are actually used and then reviewing a subset of the data returned — precisely what the WaPo just did, though we have no way of knowing if WaPo had a representative sample.

But the story here should have been, “Administration’s rebuttal has already been refuted by PCLOB’s independent review.”

PCLOB and WaPo disagree about the tasking — PCLOB sides with past Administration witnesses on the assiduousness of NSA’s targeting.

But PCLOB entirely backs WaPo on how many worthless communications NSA is keeping and documenting.

Share this entry

The Unaudited Tech Analyst Access to US Person Data

/16 Comments/in /by

In addition to its exposure of the sheer senselessness of much of the spying NSA engages in, yesterday’s WaPo story also shows that the government’s assurances that Edward Snowden could not access raw data have been misplaced.

For close to a year, NSA and other government officials have appeared to deny, in congressional testimony and public statements, that Snowden had any access to the material.

As recently as May, shortly after he retired as NSA director, Gen. Keith Alexander denied that Snowden could have passed FISA content to journalists.

“He didn’t get this data,” Alexander told a New Yorker reporter. “They didn’t touch —”

“The operational data?” the reporter asked.

“They didn’t touch the FISA data,” Alexander replied. He added, “That database, he didn’t have access to.”

Robert S. Litt, the general counsel for the Office of the Director of National Intelligence, said in a prepared statement that Alexander and other officials were speaking only about “raw” intelligence, the term for intercepted content that has not yet been evaluated, stamped with classification markings or minimized to mask U.S. identities.

“We have talked about the very strict controls on raw traffic, the training that people have to have, the technological lockdowns on access,” Litt said. “Nothing that you have given us indicates that Snowden was able to circumvent that in any way.”

In the interview, Snowden said he did not need to circumvent those controls, because his final position as a contractor for Booz Allen at the NSA’s Hawaii operations center gave him “unusually broad, unescorted access to raw SIGINT [signals intelligence] under a special ‘Dual Authorities’ role,” a reference to Section 702 for domestic collection and Executive Order 12333 for collection overseas. Those credentials, he said, allowed him to search stored content — and “task” new collection — without prior approval of his search terms.

No one should ever have believed those assurances.

That’s because the documentation on the Section 215 program makes it clear how little oversight there is over tech people just like Snowden. The current phone dragnet order, for example, makes it clear that:

  • Tech personnel may access the phone dragnet data to tweak it in preparation for contact-chaining
  • Unlike intelligence analysts, tech personnel may query the phone dragnet data with selectors that have not been RAS-approved
  • Tech personnel may also conduct regular queries using RAS-approved selectors
  • Tech personnel may access the dragnet data to search for high volume numbers — this may require access to raw data
  • Some of the tech personnel (those in charge of infrastructure and receiving data from the telecoms) are exempt from special training on the phone dragnet data

The audit language in the dragnet order applies only to “foreign intelligence analysis purposes or using foreign intelligence analysis tools,” suggesting the tech analysis role access to the dragnet data is not audited.

Language in the order defining “NSA” suggests contractors may access the data (though it’s unclear whether they do so in a technical or intelligence analysis function); something made explicit in Dianne Feinstein’s bill.

That is, it is at least possible that Booz analysts are currently conducting audit-free tech massaging of the raw phone dragnet data.

And NSA knew this access was a vulnerability. As recently as 2012, tech analysts were found to have 3,000 files worth of phone dragnet data (it’s unclear how much data each file included) on an improper server past its required destruction date. NSA destroyed that data before definitively researching what it was doing there.

Thus, the risk of tech analyst breach is very real, and no one — not NSA, and not Congress, which has only codified this arrangement — seems to be addressing it.

Indeed, it is likely that some kind of Booz-type contractors will continue to have direct access to this data after it gets outsourced to the telecoms, otherwise USA Freedumber would not extend immunity to such second-level contractors.

For months, intelligence officials claimed not only that Snowden had not accessed raw data, but could not. That was always a dubious claim; even if Snowden couldn’t have accessed that data, other contractors just like him could and still can, with less oversight than NSA’s intelligence analysts get.

But it turns out Snowden could and did. And thanks to that, we now know many of the other claims made by government witnesses are also false.

Share this entry

NSA’s Spying: Medical Records, Resumés … and [about] Obama

/7 Comments/in /by

The WaPo has been working for months to understand a chunk of incidentally collected data Edward Snowden took from the NSA. They discovered the bulk of people being spied on — who were for the most part incidentally collected — were innocent people living their everyday lives.

No government oversight body, including the Justice Department, the Foreign Intelligence Surveillance Court, intelligence committees in Congress or the president’s Privacy and Civil Liberties Oversight Board, has delved into a comparably large sample of what the NSA actually collects — not only from its targets but from people who may cross a target’s path.

Among the latter are medical records sent from one family member to another, résumés from job hunters and academic transcripts of schoolchildren. In one photo, a young girl in religious dress beams at a camera outside a mosque.

Scores of pictures show infants and toddlers in bathtubs, on swings, sprawled on their backs and kissed by their mothers. In some photos, men show off their physiques. In others, women model lingerie, leaning suggestively into a webcam or striking risque poses in shorts and bikini tops.

Most alarming (but something they bury in the story) is that President Obama was spied on both before and after he was inaugurated. [Correction: That’s not right. What they spied on were conversations about Obama, and they kept them but masked them in foolish fashion.]

Some of them border on the absurd, using titles that could apply to only one man. A “minimized U.S. president-elect” begins to appear in the files in early 2009, and references to the current “minimized U.S. president” appear 1,227 times in the following four years.

WaPo then tries to apply the ratio of target to incidental they discovered to the number of targets to which the government admitted.

 In a June 26 “transparency report,” the Office of the Director of National Intelligence disclosed that 89,138 people were targets of last year’s collection under FISA Section 702. At the 9-to-1 ratio of incidental collection in Snowden’s sample, the office’s figure would correspond to nearly 900,000 accounts, targeted or not, under surveillance.

And all of this is available for back door search, for both “intelligence” and criminal purposes.

Share this entry

What Happened to Obama’s Ordered Restrictions on Back Door Searches?

/3 Comments/in /by

In the wake of yesterday’s PCLOB Report, Presidential Review Board Member Geoffrey Stone reminded that Obama’s hand-picked group recommended requiring warrants before accessing US person data collected via Section 702.

In effect, the Review Group recommended that backdoor searches for communications involving American citizens should be prohibited unless the government has probable cause and a warrant. This is essentially what the recently enacted House amendment endorsed.

The Review Group concluded that the situation under section 702 is distinguishable from the situation when the government lawfully intercepts a communication when it has probable cause and a warrant. This is so because, in the section 702 situation, the government is not required to have either probable cause or a warrant to intercept the communication. Because section 702 was not intended to enable the government to intercept the communications of American citizens, because our recommended reform would leave the government free to use section 702 to obtain the types of information it was designed and intended to acquire—the communications of non-U.S. citizens, and because the recommended reform would substantially reduce the temptation the government might otherwise have to use section 702 impermissibly in an effort intentionally to intercept the communications of American citizens, we concluded that this reform was both wise and essential.

But there’s a forgotten detail from ancient history of greater interest. Even the President ordered up changes for back door searches in criminal contexts.

Specifically, I am asking the Attorney General and DNI to institute reforms that place additional restrictions on government’s ability to retain, search, and use in criminal cases, communications between Americans and foreign citizens incidentally collected under Section 702.

Yet in spite of the fact the President asked the Attorney General and DNI to place additional restrictions on the government’s ability to keep, search, and use Section 702 collected information in criminal cases, here’s what we learned yesterday.

[A]lthough a communication must be “destroyed upon recognition” when an NSA analyst recognizes that it involves a U.S. person and determines that it clearly is not relevant to foreign intelligence or evidence of a crime,531 in reality this rarely happens. Nor does such purging occur at the FBI or CIA: although their minimization procedures contain age-off requirements, those procedures do not require the purging of communications upon recognition that they involve U.S. persons but contain no foreign intelligence information.

[snip]

FBI requires that metadata queries, like content queries, be reasonably designed to return foreign intelligence or evidence of a crime. As noted above, however, the FBI does not separately track which of its queries involve U.S. person identifiers, and so the number of such metadata queries is not known.

As illustrated above, rules and oversight mechanisms are in place to prevent U.S. person queries from being abused for reasons other than searching for foreign intelligence or, in the FBI’s case, for evidence of a crime. In pursuit of the agencies’ legitimate missions, however, government analysts may use queries to digitally compile the entire body of communications that have been incidentally collected under Section 702 that involve a particular U.S. person’s email address, telephone number, or other identifier, with the exception that Internet communications acquired through upstream collection may not be queried using U.S. person identifiers.540 In addition, the manner in which the FBI is employing U.S. person queries, while subject to genuine efforts at executive branch oversight, is difficult to evaluate, as is the CIA’s use of metadata queries.

And the best estimate we’ve been given for how many of these FBI queries take places is a “substantial” amount.

It has been 6 months since the President ordered changes. And the FBI still can’t even count its US person queries, much less quantify them. PCLOB calls it “difficult to evaluate.”

Um, did James Clapper and Eric Holder just blow off the President’s order in January? Because it sure looks like FBI’s back door searches remain a relatively unregulated mess.

Share this entry