Spy vs. Spy, Theresa Shea vs. Theresa Shea

/6 Comments/in , /by

The government has submitted its response to ACLU’s appeal of its lawsuit challenging the Section 215 dragnet.

This passage, which reminded me of the old Mad Magazine Spy vs. Spy comic, made me pee my pants in laughter.

Various details of the program remain classified, precluding further explanation here of its scope, but the absence of those details cannot justify unsupported assumptions. For example, the record does not support the conclusion that the program collects “virtually all telephony metadata” about telephone calls made or received in the United States. SPA 32, quoted in Pl. Br. 12; see also, e.g., Pl. Br. 1-2, 23, 24, 25, 48, 58. Nor is that conclusion correct. See Supp. Decl. of Teresa H. Shea ¶ 7, First Unitarian Church of Los Angeles v. NSA, No. 4:13cv3287 (filed Feb. 21, 2014).3

3 The precise scope of the program is immaterial, however, because, as we explain, the government should prevail as a matter of law even if the scope of the program were as plaintiffs describe. [my emphasis]

Note that they’re citing a declaration from SIGINT Director Theresa Shea submitted in another case, the EFF challenge to the phone dragnet? They’re citing that Shea declaration rather than the one Shea submitted in this very case.

In her declaration submitted in this case in October, Shea said NSA collected all the call records from the providers subject to Section 215.

Pursuant to Section 215, the FBI obtains from the FISC directing certain telecommunications service providers to produce all business records created by them (known as call detail records) that contain information about communications between telephone numbers, generally relating to telephone calls made between the U.S. and a foreign country and calls made entirely within the U.S. (¶14) [my emphasis]

Not all providers. But for the providers in question, “all business records.”

Remember, ACLU is suing on their own behalf, and they are Verizon customers. We know Verizon is one of the providers in question, and Shea has told us that providers in question, of which Verizon is one, provide “all business records.”

Theresa Shea, in a declaration submitted in the suit in question: “All.”

Rather than citing the declaration submitted in this suit, the government instead cites a declaration Shea submitted all the way across the country in the EFF suit, one she submitted four months later, after both the ACLU and Judicial Watch suits had been decided at the District level.

Ostensibly written to describe the changes in scope the President rolled out in January, Shea submitted a new claim about the scope of the program in which she insisted that the program (ignoring, of course, that Section 215 is just a small part of the larger dragnet) does not collect “all.”

Although there has been speculation that the NSA, under this program, acquires metadata relating to all telephone calls to, from, or within the United States, that is not the case. The Government has acknowledged that the program is broad in scope and involves the collection and aggregation of a large volume of data from multiple telecommunications service providers, but as the FISC observed in a decision last year, it has never captured information on all (or virtually all) calls made and/or received in the U.S. See In re Application of the FBI for an Order Requiring the Production of Tangible Things from [Redacted], Dkt. No. BR13-109 Amended Mem. Op. at 4 n.5 (F.I.S.C. Aug. 29, 2013) (publicly released, unclassified version) (“The production of all call detail records of all persons in the States has never occurred under under this program.“) And while the Government has also acknowledged that one provider was the recipient of a now-expired April 23, 2013, Secondary Order from the FISC (Exhibit B to my earlier declaration), the identities of the carriers participating in the program(either now, or at any time in the past) otherwise remain classified. [my emphasis]

I explained in detail how dishonest a citation Theresa Shea’s newfound embrace of “not-all” is.

Here, she’s selectively citing the declassified August 29, 2013 version of Claire Eagan’s July 19, 2013 opinion. The latter date is significant, given that the day the government submitted the application tied to that order, NSA General Counsel Raj De made it clearthere were 3 providers in the program (see after 18:00 in the third video). These are understood to be AT&T, Sprint, and Verizon.

Shea selectively focuses on language that describes some limits on the dragnet. She could also note that Eagan’s opinion quoted language suggesting the dragnet (at least in 2011) collected “substantially all” of the phone records from the providers in question, but she doesn’t, perhaps because it would present problems for her “virtually all” claim.

Moreover, Shea’s reference to “production of all call detail records” appears to have a different meaning than she suggests it has when read in context. Here’s what the actual language of the opinion says.

Specifically, the government requested Orders from this Court to obtain certain business records of specified telephone service providers. Those telephone company business records consist of a very large volume of each company’s call detail records or telephony metadata, but expressly exclude the contents of any communication; the name, address, or financial information of any subscriber or customer; or any cell site location information (CSLI). Primary Ord. at 3 n.l.5

5 In the event that the government seeks the production of CSLI as part of the bulk production of call detail records in the future, the government would be required to provide notice and briefing to this Court pursuant to FISC Rule 11. The production of all call detail records of all persons in the United States has never occurred under this program. For example, the government [redacted][my emphasis]

In context, the reference discusses not just whether the records of all the calls from all US telecom providers (AT&T, Sprint, and Verizon, which participated in this program on the date Eagan wrote the opinion, but also T-Mobile and Cricket, plus VOIP providers like Microsoft, owner of Skype, which did not) are turned over, but also whether each provider that does participate (AT&T, Sprint, and Verizon) turns over all the records on each call. The passage makes clear they don’t do the latter; AT&T, Sprint, and Verizon don’t turn over financial data, name, or cell location, for example! And since we know that at the time Eagan wrote this opinion, there were just those 3 providers participating, clearly the records of providers that didn’t use the backbone of those 3 providers or, in the case of Skype, would be inaccessible, would be missed. So not all call detail records from the providers that do provide records, nor records covering all the people in the US. But still a “very large volume” from AT&T, Sprint, and Verizon, the providers that happen to be covered by the suit.

That is, in context, the “all call detail records of all persons in the United States has never occurred” claim meant that even for the providers obligated under the order in question — AT&T, Sprint, and Verizon — there were parts of the call records (like the financial information) they didn’t turn over, though they turned over records for all calls. That’s consistent with Eagan’s quotation of the “virtually all” records with respect to the providers in question.

But by citing it disingenuously, Shea utterly changes the meaning Eagan accorded it.

Theresa Shea, disingenuously citing a declaration submitted in another suit: “Not all.”

It’s like the hilarity of Mad Magazine’s old Spy vs. Spy comics. Only in this case, it pits top spy Theresa Shea against top spy Theresa Shea.

Share this entry

The Day After Government Catalogs Data NSA Collected on Tsarnaevs, DOJ Refuses to Give Dzhokhar Notice

/10 Comments/in , , /by

On Thursday, the Inspectors General of the Intelligence Community, DOJ, CIA, and DHS (but not NSA) released their report on the Marathon Bombing. While the public release was just a very condensed summary, included the redaction of both classified and “sensitive” information, and made no attempt to reconstruct data government agencies had or could have had on Dzhokhar Tsarnaev, the report did show that the NSA had data on Tamerlan Tsarnaev and that the FBI found information on his computers that NSA might have gotten via other means.

On Friday, prosecutors in the case against Dzhokhar refused to tell him what they collected under FISA.

Before I get into the government’s refusal on FISA notice — some of which has repercussions for other cases — let’s go over what electronic communications the government did have or could have had.

First, the IG Report (which did not specifically involve NSA’s IG and did not include Dzhokhar in its scope) nevertheless points to information NSA collected in 2012 that was not turned over to FBI until after the attack.

Screen Shot 2014-04-12 at 12.37.13 PM

The report also points to communications dating to January 2011, which is entirely redacted. This probably refers to communications the Russians intercepted, not the NSA (indeed, the report discusses NSA data, above, later in the same section, which indicates the earlier redaction doesn’t pertain to NSA). Though there’s no indication whether the NSA received notice of these communications, including the non-US person interlocutor located overseas involved in them, who would have been a legal NSA target.

Read more

Share this entry

Working Thread on the Combined Marathon IG Report

/7 Comments/in , /by

I started reading the Combined IG Report on the Marathon attack (including the DOJ, CIA, DHS, and Intelligence Community IGs, but not NSA). And the whole thing looked so bogus from the start, I figured a working thread was in order.

One thing to remember here: we’ve only got a 32-page summary that includes 5 pages of agency (but not CIA) response and a title page. We’re getting a mere fraction of the 168-page report.

To make things worse, some things are redacted that aren’t even classified, they’re just sensitive.

Redactions in this document are the result of classification and sensitivity designations we received from agencies and departments that provided information to the OIGs for this review. As to several of these classification and sensitivity designations, the OIGs disagreed with the bases asserted. We are requesting that the relevant entities reconsider those designations so that we can unredact those portions and make this information available to the public.

(PDF 2) Several things in this passage:

Law enforcement officials identified brothers Tamerlan and Dzhokhar Tsarnaev as primary suspects in the bombings. After an extensive search for the then unidentified suspects, law enforcement officials encountered Tamerlan and Dzhokhar Tsarnaev in Watertown, Massachusetts. Tamerlan Tsarnaev was shot during the encounter and was pronounced dead shortly thereafter.

First, they don’t say what law enforcement officials IDed the brothers. That sentence precedes one which claims there were “unidentified suspects,” which suggests they had suspicions before they were “IDed.” The word “encountered” is awfully suspicious, given that explanations of how the shootout in Watertown happened have been contradictory. And note they don’t say whether Tamerlan died immediately or not–again, an issue about which there’s some contention.

(PDF 2) Note they tell us Anzor’s ethnicity, but not his wife’s (who is more central to this narrative)?

(PDF 2) The report dodges legitimate questions about why the family got refugee status by referring only to “an immigration benefit.” Given reports the uncle had ties to the CIA, that benefit may be more than a simple asylum request.

(PDF 3) Note that, after having previously said the brothers were ID’ed by LE, they now specify FBI [Actually, I think that’s wrong: this is still ambiguous about who IDed them]. But the timing is crazy: it says FBI reviewed its records by April 19, but never says when they were IDed, and doesn’t say whether they were reviewed during a period of suspicion.

By April 19, 2013, after the Tsarnaev brothers were identified as suspects in the bombings, the FBI reviewed its records and determined that in early 2011 it had received lead information from the FSB about Tamerlan Tsarnaev, had conducted an assessment of him, and had closed the assessment after finding no link or “nexus” to terrorism.

(PDF 4) This seems very broad. I wonder what they’re including? Online communications?

As a result, the scope of this review included not only information that was in the possession of the U.S. government prior to the bombings, but also information that existed during that time and that the federal government reasonably could have been expected to have known before the bombings.

(PDF 4) This passage and footnote are huge dodges, making the entire report meaningless.

We carefully tailored our requests for information and interviews to focus on information available before the bombings and, where appropriate, coordinated with the U.S. Attorney’s Office conducting the prosecution of alleged bomber Dzhokhar Tsarnaev.1

1 The initial lead information from the FSB in March 2011 focused on Tamerlan Tsarnaev, and to a lesser extent his mother Zubeidat Tsarnaeva. Accordingly, the FBI and other agencies did not investigate Dzhokhar Tsarnaev’s possible nexus to terrorism before the bombings, and the OIGs did not review what if any investigative steps could have been taken with respect to Dzhokhar Tsarnaev.

I’ll come back to this. But the indictment lists a number of things that the FBI, in their stings, have found and used to identify easy marks. They did not do so here, with Dzhokhar. Which raises real questions about why they chose not to pursue him when they’ve pursued so many other young men like Dzhokhar?

(PDF 4) Here’s who was included in this review:

We also requested other federal agencies to identify relevant information they may have had prior to the bombings. These agencies included the Department of Defense (including the National Security Agency (NSA)), Department of State, Department of the Treasury, Department of Energy, and the Drug Enforcement Administration.

There has been little discussion of DEA’s likely awareness of the brothers, but it is likely, given that they were dealing drugs with potential ties to organized crime. And NSA, but I harp on that too much. I’m curious what role DOE might have.

(PDF 4) Again, they specify they’re only looking at pre-attack data. Which dodges what they could have collected but didn’t.

Additionally, each OIG conducted or directed its component agencies to conduct database searches to identify relevant pre-bombing information.

(PDF 4-5) As with HHSC’s report, the FBI stalled here.

As described in more detail in the classified report, the DOJ OIG’s access to certain information was significantly delayed at the outset of the review by disagreements with FBI officials over whether certain requests fell outside the scope of the review or could cause harm to the criminal investigation. Only after many months of discussions were these issues resolved, and time that otherwise could have been devoted to completing this review was instead spent on resolving these matters.

(PDF 5) The 12333 passage makes it clear NSA had a big role here. But, again, its IG did not conduct an investigation.

(PDF 6-7) The CIA section is very thin. I assume some stuff is missing.

(PDF 8) Note the importance of NSA’s sharing with FBI here?

Of particular relevance to this review are the relationships between the FBI, CIA, and DHS, as well as the relationship between the FBI and the NSA, and the NCTC’s relationships throughout the Intelligence Community.

(PDF 8) This makes clear that the transcription and birthdate errors were in both FSB warnings; it’s just that CIA didn’t fix the second one.

Importantly, the memorandum included two incorrect dates of birth (October 21, 1987 or 1988) for Tamerlan Tsarnaev, and the English translation used by the FBI transliterated their last names as Tsarnayev and Tsarnayeva, respectively.

(PDF 10) This passage seems to admit that FBI could have, but did not, search FISA related databases. It also suggests there was a “certain telephone database,” which might include the Hemisphere database, which performs the same function as the NSA claims (falsely) the phone dragnet does. Note, too, that they’ve only checked for the Tsarnaevs in FBI databases. I’ll come back to these databases in a later post.

Additionally, the DOJ OIG determined that the CT Agent did not use every relevant search term known or available at the time to query the FBI systems, including certain telephone databases and databases that include information collected under authority of the Foreign Intelligence Surveillance Act (FISA). However, searches of FBI databases conducted at the direction of the DOJ OIG during this review produced little information beyond that identified by the CT Agent during the assessment, with the exception of additional travel-related data for Zubeidat Tsarnaeva.

(PDF 11) Note that the second FBI letter to FSB, dated October 7, 2011, postdated the FSB notice to CIA. But it also comes at a time when Boston area law enforcement were conducting an investigation into the murder of Tamerlan’s best friend. The Waltham murders are not mentioned at all in the unclassified report.

(PDF 12) The IG Report does not tell us the date in September when FSB provided notice to CIA. Given that Tamerlan may have just been or was about to be involved in a grisly murder, I find that omission very notable.

(PDF 12) Note you can be watchlisted without derogatory information. This seems to be because of the exception mentioned in FN 10. But fat lot of good it did in this case. Per the footnote, that exception subsequently got disqualified, though I bet it has been qualified again.

(PDF 12) The IG Report doesn’t even acknowledge there was some other kind of difference between the first and the later watchlist entries as indicated on pp 33-4 of the HHSAC Committee report, which suggests that discussion may be redacted entirely.

(PDF 16) Note that, as happens with all Legal Permanent Residents, Tamerlan was photographed (and fingerprinted) during immigration. I’m surprised there isn’t more discussion of this (though it may be classified). But one big point of this relatively new border protocol is to have recent pictures on hand in case, say, you need to do facial recognition on pictures from a terrorist attack. Were they used?

(PDF 19) Note the big redaction describing intercepted communications. This may simply describe what the Russians had collected, which led to their tip. But I do wonder whether NSA collected its own version, not least because details of the Russian intercept has been widely reported.

(PDF 20) Note that the discussion of Tamerlan’s (remember, Dzhokhar is not included here) computer materials is described solely in terms of what FBI could do. That’s different from what both DHS does (they track public online speech) and NSA. It’s unclear whether they could have found some of this using methods available to them, but the report’s silence on that point is notable.

The FBI’s analysis was based in part on other government agency information showing that Tsarnaev created a YouTube account on August 17, 2012, and began posting the first of several jihadi-themed videos in approximately October 2012. The FBI’s analysis was based in part on open source research and analysis conducted by other U.S. government agencies shortly after the bombings showing that Tsarnaev’s YouTube account was created with the profile name “Tamerlan Tsarnaev.”

[snip]

The DOJ OIG concluded that because another government agency was able to locate Tsarnaev’s YouTube account through open source research shortly after the bombings, the FBI likely would have been able to locate this information through open source research between February 12 and April 15, 2013. The DOJ OIG could not determine whether open source queries prior to that date would have revealed Tsarnaev to be the individual who posted this material.

The passage goes on to report the 7 copies of Inspire on one of the computers used by Tamerlan (again, there’s no mention of Dzhokhar here).

Something they’re not saying, but we know to be true.  Had they picked up Inspire either through a 702 upstream search or XKeyscore, they would have had identifiers that could have pegged Tsarnaev’s identity and tied it to all his other identities, regardless of the fact Tamerlan used an alias until February 2013.

And note the big redaction: NSA had information that dated to 2012, which may well have been the intercepts with Plotnikov.

Finally, note that FBI never turned over most of the information about Tamerlan’s Google accounts. The excuse (as noted above) was the ongoing investigation. But I wonder whether that’s ongoing investigation into the Waltham murder or the Marathon attack.

(PDF 25) Note the discussion of enhancement in the 2nd-to-last bullet. I believe this suggests that transliteration questions are only addressed with this enhancement.

(PDF 25) Note that they at least used to delete US person travel info after 6 months unless it represents terrorism information. This would arise from NCTC’s minimization procedures.

(PDF 32) As noted above, we don’t get John Brennan’s response to this, though he presumably sent one. I suspect that means there are classified recommendations for the Agency and that his response reflects that. While it’s not clear what the foreign target would be in this context (perhaps an investigation of the person to whom Zubeidat was speaking about Tamerlan wanting to join jihad?) but there seems to have been some.

Share this entry

Fingerprints and the Phone Dragnet’s Secret “Correlations” Order

/22 Comments/in , , /by

Yesterday, I noted that ODNI is withholding a supplemental opinion approved on August 20, 2008 that almost certainly approved the tracking of “correlations” among the phone dragnet (though this surely extends to the Internet dragnet as well).

I pointed out that documents released by Edward Snowden suggest the use of correlations extends well beyond the search for “burner” phones.

At almost precisely the same time, Snowden was testifying to the EU. The first question he answered served to clarify what “fingerprints” are and how XKeyscore uses them to track a range of innocent activities. (This starts after 11:16, transcription mine.)

It has been reported that the NSA’s XKeyscore for interacting with the raw signals intercepted by mass surveillance programs allow for the creation of something that is called “fingerprints.”

I’d like to explain what that really means. The answer will be somewhat technical for a parliamentary setting, but these fingerprints can be used to construct a kind of unique signature for any individual or group’s communications which are often comprised of a collection of “selectors” such as email addresses, phone numbers, or user names.

This allows State Security Bureaus to instantly identify the movements and activities of you, your computers, or other devices, your personal Internet accounts, or even key words or other uncommon strings that indicate an individual or group, out of all the communications they intercept in the world are associated with that particular communication. Much like a fingerprint that you would leave on a handle of your door or your steering wheel for your car and so on.

However, though that has been reported, that is the smallest part of the NSA’s fingerprinting capability. You must first understand that any kind of Internet traffic that passes before these mass surveillance sensors can be analyzed in a protocol agnostic manner — metadata and content, both. And it can be today, right now, searched not only with very little effort, via a complex regular expression, which is a type of shorthand programming. But also via any algorithm an analyst can implement in popular high level programming languages. Now, this is very common for technicians. It not a significant work load, it’s quite easy.

This provides a capability for analysts to do things like associate unique identifiers assigned to untargeted individuals via unencrypted commercial advertising networks through cookies or other trackers — common tracking means used by businesses everyday on the Internet — with personal details, such as individuals’ precise identity, personal identity, their geographic location, their political affiliations, their place of work, their computer operating system and other technical details, their sexual orientation, their personal interests, and so on and so forth. There are very few practical limitations to the kind of analysis that can be technically performed in this manner, short of the actual imagination of the analysts themselves.

And this kind of complex analysis is in fact performed today using these systems. I can say, with authority, that the US government’s claim that “keyword filters,” searches, or “about” analysis, had not been performed by its intelligence agencies are, in fact, false. I know this because I have personally executed such searches with the explicit authorization of US government officials. And I can personally attest that these kind of searches may scrutinize communications of both American and European Union citizens without involvement of any judicial warrants or other prior legal review.

What this means in non-technical terms, more generally, is that I, an analyst working at NSA, or, more concerningly, an analyst working for a more authoritarian government elsewhere, can without the issue of any warrant, create an algorithm that for any given time period, with or without human involvement, sets aside the communications of not only targeted individuals, but even a class of individual, and that just indications of an activity — or even just indications of an activity that I as the analyst don’t approve of — something that I consider to be nefarious, or to indicate nefarious thoughts, or pre-criminal activity, even if there’s no evidence or indication that’s in fact what’s happening. that it’s not innocent behavior. Read more

Share this entry

James Clapper Doesn’t Want You To Know about Verizon’s Foreign Metadata Problem He Already Told You About

/3 Comments/in , /by

Screen shot 2014-01-20 at 3.20.11 AM

Back in September, I noted that the September 3, 2009 phone dragnet Order turned production from a particular telecom back on; it had been turned off in the July 8, 2009 Primary Order.

In addition, the Custodian of Records of [redacted] shall produce to NSA upon service of the appropriate Secondary Order an electronic copy of the same tangible things created by [redacted] for the period from 5:11 p.m. on July 9, 2009 to the date of this Order, to the extent those records still exist.

In January, after ODNI exposed Verizon’s name as the provider directed in all Primary Orders since May 2009 to provide only its non-foreign call records, I laid out when and how the problem of one provider’s foreign data records appears in FISA dragnet orders.

Up until at least March 5, 2009, all the telecoms were addressed in one paragraph starting, “the Custodian of Records.” Starting on May 29, 2009, that’s split out into two paragraphs, with the original Custodian of Records paragraph and the one we know to be specific to Verizon. We don’t have the following order, dated July 8, 2009, but we know that order shut down production from one provider because it was also producing foreign-to-foreign data; that production was restarted on September 3, 2009.

EFF apparently asked ODNI to formally declassify the parts of that September 3 order, and ODNI unsurprisingly objects.

Though, if it were not already clear this is Verizon we’re talking about, a footnote explains,

All Secondary Orders have been withheld in their entirety as any attempt to redact the identity of the service providers in these Secondary Orders, in compilation with other documents that have been declassified, i.e., the BR 13-80 Primary Order and Verizon Secondary Order, would allow a reader to ascertain the identity of the provider simply by looking at the size of the redacted/blocked material, or comparing any redacted Secondary Order with other classified documents.

The only Secondary Order we have is for Verizon. And as a fairly accomplished redaction comparer, I can confirm that comparing redactions and text blocks only works for the same text. So this footnote only makes sense if the provider in question is Verizon.

In spite of the fact that ODNI already (briefly) released Verizon’s name as the provider in question and exacerbated it with this footnote I’m not surprised they’re trying to deny this request.

I am, however, intrigued by the language they use to fight the request, given that we’re talking about whether Verizon provides foreign call records under a domestic program.

The identity of any company ordered to provide call detail records to the NSA clearly relates to “any function of the National Security Agency,” 50 U.S.C. §3605. Indeed, it relates to relates to one of the NSA’s primary functions, its SIGINT mission. NSA’s SIGINT responsibilities include establishing and operating an effective unified organization to conduct SIGINT activities as set forth in E.O. 12333, section 1.7(c), as amended. In performing its SIGINT mission, NSA exploits foreign electromagnetic signals to obtain intelligence information necessary to the national defense, national security, and the conduct of foreign affairs. NSA has developed a sophisticated worldwide SIGINT collection network that acquires, among other things, foreign and international electronic communications. The technological infrastructure that supports NSA’s foreign intelligence information collection network has taken years to develop at a cost of billions of dollars and untold human effort. It relies on sophisticated collection and processing technology.

Pursuant to its SIGINT mission, and as authorized by the FISC, NSA quickly analyzes past connections and chains communications through telephony metadata collected pursuant to Section 215. Unless the data is aggregated, it may not be feasible to detect chains of communications that cross communication networks. The ability to query accumulated telephony metadata significantly increases the NSA’s ability to rapidly detect persons affiliated with the identified foreign terrorist organizations who might otherwise go undetected.

From there, ODNI’s declaration goes on to claim that if Verizon’s name were made public, the bad guys would know to avoid Verizon. Which is sort of nonsense, given the reports that Verizon provides not just their own customers’ records, but also those that transit their backbone.

But I do find it interesting that, in a discussion about hiding the name of a telecom that was accidentally turning over some significant amount of entirely foreign call records under a program that — because it was targeted at domestic users — subjected those records to greater oversight than the foreign records turned over under EO 12333, ODNI started with a discussion of its EO 12333 authorized overseas collection. Particularly given that we know Verizon provides an enormous amount of that overseas collection.

That is, ODNI says that they can’t reveal Verizon was the provider that accidentally provided foreign call records under a domestic order — in spite of the fact that they already did — because if they do it will endanger its overseas collection.

Share this entry

The August 20, 2008 Correlations Opinion

/8 Comments/in , /by

Screen Shot 2014-04-08 at 10.18.39 AMOn August 18, 2008, the government described to the FISA Court how it used a particular tool to establish correlations between identifiers. (see page 12)

A description of how [name of correlations tool] is used to correlate [description of scope of metadata included] was included in the government’s 18 August 2008 filing to the FISA Court,

 

On August 20, 2008, the FISC issued a supplemental opinion approving the use of “a specific intelligence method in the conduct of queries (term “searches”) of telephony metadata or call detail records obtained pursuant to the FISC’s orders under the BR FISA program.” The government claims that it cannot release any part of that August 20, 2008 opinion, which given the timing (which closely tracks with the timing of other submissions and approvals before the FISC) and the reference to both telephony metadata and call detail records almost certainly approves the use of the dragnet — and probably not just the phone dragnet — to establish correlations between a target’s multiple communications identifiers.

As ODNI’s Jennifer Hudson described in a declaration in the EFF suit, the government maintains that it cannot release this opinion, in spite of (or likely because of) ample description of the correlations function elsewhere in declassified documents.

The opinion is only six pages in length and the specific intelligence method is discussed at great length in every paragraph of this opinion, including the title. Upon review of this opinion, I have determined that there is no meaningful, segregable, non-exempt information that can be released to the plaintiff as the entire opinion focuses on this intelligence method. Even if the name of the intelligence method was redacted, the method itself could be deduced, given other information that the DNI has declassified pursuant to the President’s transparency initiative and the sophistication of our Nation’s adversaries [Ed: did she just call me an “adversary”?!?] and foreign intelligence services.

[snip]

The intelligence method is used to conduct queries of the bulk metadata, and if NSA were no longer able to use this method because it had been compromised, NSA’s ability to analyze bulk metadata would itself be compromised. A lost or reduced ability to detect communications chains that link to identifiers associated with known and suspected terrorist operatives, which can lead to the identification of previously unknown persons of interest in support of anti-terrorism efforts both within the United States and abroad, would greatly impact the effectiveness of this program as there is no way to know in advance which numbers will be responsive to the authorized queries.

ACLU’s snazzy new searchable database shows that this correlations function was discussed in at least three of the officially released documents thus far: in the June 25, 2009 End-to-End Review, in a June 29, 2009 Notice to the House Intelligence Committee, and in the August 19, 2009 filing submitting the End-to-End Review to the FISC.

In addition to making it clear this practice was explained to the FISC just before the Supplemental Opinion in question, these documents also describe a bit about the practice.

They define what a correlated address is (and note, this passage, as well as other passages, do not limit correlations to telephone metadata — indeed, the use of “address” suggests correlations include Internet identifiers).

The analysis of SIGINT relies on many techniques to more fully understand the data. One technique commonly used is correlated selectors. A communications address, or selector, is considered correlated with other communications addresses when each additional address is shown to identify the same communicant as the original address.

They describe how the NSA establishes correlations via many means, but primarily through one particular database.

NSA obtained [redacted] correlations from a variety of sources to include Intelligence Community reporting, but the tool that the analysts authorized to query the BR FISA metadata primarily used to make correlations is called [redacted].

[redacted] — a database that holds correlations [redacted] between identifiers of interest, to include results from [redacted] was the primary means by which [redacted] correlated identifiers were used to query the BR FISA metadata.

They make clear that NSA treated all correlated identifiers as RAS approved so long as one identifier from that user was RAS approved.

In other words, if there: was a successful RAS determination made on any one of the selectors in the correlation, all were considered .AS-a. ,)roved for purposes of the query because they were all associated with the same [redacted] account

And they reveal that until February 6, 2009, this tool provided “automated correlation results to BR FISA-authorized analysts.” While the practice was shut down in February 2009, the filings make clear NSA intended to get the automated correlation functions working again, and Hudson’s declaration protecting an ongoing intelligence method (assuming the August 20, 2008 opinion does treat correlations) suggests they have subsequently done so.

When this language about correlations first got released, it seemed it extended only so far as the practice  — also used in AT&T’s Hemisphere program — of  matching call circles and patterns across phones to identify new “burner” phones adopted by the same user. That is, it seemed to be limited to a known law enforcement approach to deal with the ability to switch phones quickly.

But both discussions of the things included among dragnet identifiers — including calling card numbers, handset and SIM card IDs — as well as slides released in stories on NSA and GCHQ’s hacking operations (see above) make it clear NSA maps correlations very broadly, including multiple online platforms and cookies. Remember, too, that NSA analysts access contact chaining for both phone and Internet metadata from the same interface, suggesting they may be able to contact chain across content type. Indeed, NSA presentations describe how the advent of smart phones completely breaks down the distinction between phone and Internet metadata.

In addition to mapping contact chains and identifying traffic patterns NSA can hack, this correlations process almost certainly serves as the glue in the dossiers of people NSA creates of individual targets (this likely only happens via contact-chaining after query records are dumped into the corporate store).

Now it’s unclear how much of this Internet correlation the phone dragnet immediately taps into. And my assertion that the August 20, 2008 opinion approved the use of correlations is based solely on … temporal correlation. Yet it seems that ODNI’s unwillingness to release this opinion serves to hide a scope not revealed in the discussions of correlations already released.

Which is sort or ridiculous, because far more detail on correlations have been released elsewhere.

Share this entry

The Torture Apologists Raise Brennan’s Torture-Derived Scary Memos

/4 Comments/in , /by

Some time in mid-2004, 8 high ranking National Security officials gave then presiding FISA Court Judge Colleen Kollar-Kotelly a briefing. Their goal was to convince her the then halted and now-discontinued Internet dragnet program was so important, and the terrorist threat against the US so great, she should write a shoddy legal opinion authorizing NSA to restart the program under the authority of the FISA Pen Register statute.

As part of the briefing, they replicated a process they had used for Bush’s illegal wiretap program: to have CIA’s analytical people write what they called a “scary memo” explaining why al Qaeda was so dangerous we had to continue that dragnet.

After the terrorism analysts completed their portion of the memoranda, the DCI Chief of Staff added a paragraph at the end of the memoranda stating that the individuals and organizations involved in global terrorism (and discussed in the memoranda) possessed the capability and intention to’ undertake further terrorist attacks within the United States. The DCI Chief of Staff recalled that the paragraph was provided to him initially by a senior White House official. The paragraph included the DCI’s recommendation to the President that he authorize the NSA to conduct surveillance activities under the PSP. CIA Office of General Counsel (OGC) attorneys reviewed the draft threat assessment memoranda to determine whether they contained sufficient threat information and a compelling case for reauthorization of the PSP. [my emphasis]

As head of the Terrorist Threat Integration Center (and later as head of the nascent National Counterterrorism Center), John Brennan oversaw that “scary memo.”

Last year, John Brennan admitted that he used information derived from the torture program (he calls it the detention and interrogation  program) for those “scary memos.”

Burr: I’m still not clear on whether you think the information from CIA interrogations saved lives.  Have you ever made a representation to a court, including the FISA court, about the type and importance of information learned from detainees including detainees in the CIA detention and interrogation program?

Brennan: Ahm, first of all, in the first part of your question, as to you’re not sure whether I believe that there has been information … I don’t know myself.

Burr: I said I wasn’t clear whether I understood, whether whether I was clear.

Brennan: And I’m not clear at this time either because I read a report that calls into question a lot of the information that I was provided earlier on, my impressions. Um. There, when I was in the government as the head of the national counterterrorism center I know that I had signed out a number of um affirmations related to the uh continuation of certain programs uh based on the analysis and intelligence that was available to analysts. I don’t know exactly what it was at the time, but we can take a look at that.

Burr: But the committee can assume that you had faith if you made that claim to a court or including the FISA court, you had faith in the documents in the information that was supplied to you to make that declaration.

Brennan: Absolutely. At the time if I had made any such affirmation, i would have had faith that the information I was provided was an accurate representation. [my emphasis]

We can imagine the kind of things Brennan might have used in his “scary memos” and that briefing to Kollar-Kotelly, on which the entire FISC-authorized dragnet .

Hassan Ghul — whom CIA tortured even after he provided critical information about Osama bin Laden’s courier — was already in custody, and given uncertainty about when his torture started, may have provided such information.

Read more

Share this entry

US Trade Rep Complains Other Countries Aren’t Letting NSA Spy

/3 Comments/in , , /by

In the NYT, David Sanger describes US efforts to develop some common understanding over cyberattacks with China by briefing it on what our escalation process would be. Unsurprisingly, China (which hasn’t had a massive data leak as an excuse to admit to information now in the public domain) has no reciprocated.

And while Sanger makes it clear the US is still not admitting to StuxNet, his US sources are coming to understand that the rationalizations we use to excuse our spying aren’t really as meaningful as we like to tell ourselves.

Mr. Obama told the Chinese president that the United States, unlike China, did not use its technological powers to steal corporate data and give it to its own companies; its spying, one of Mr. Obama’s aides later told reporters, is solely for “national security priorities.” But to the Chinese, for whom national and economic security are one, that argument carries little weight.

“We clearly don’t occupy the moral high ground that we once thought we did,” said one senior administration official.

I especially love the spectacle of an SAO coming to grips with this, but doing so anonymously.

Yet this anonymous admission will not stop the US from imposing such double standards. On Friday, the US Trade Representative issued  its yearly report on barriers to trade in telecom and related industries.  (Reuters reported on the report here.) None of these complaints are explicitly about the NSA. And some of USTR’s demands — that Turkey stop shutting down services like Twitter — would make it harder for other countries to spy on their own citizens.

But many of the USTR’s complaints single out measures that are either deliberately meant to undermine NSA’s spying advantages, or would have the effect of doing so. So these complaints also amount to whining that other countries are making NSA’s job harder.

Consider some of the complaints against China, whose top equipment manufacturer Huawei the US has excluded from not only the US, but also Korea and Australia.

It complains about China’s limits on telecom providers — and pretends this is exclusively a trade issue, not a national security issue.

Moreover, the Chinese Government still owns and controls the three major basic telecom operators in the telecommunications industry, and appears to see these entities as important tools in broader industrial policy goals, such as promoting indigenous standards for network equipment.

USTR criticizes China’s categorization of business that can be used for spying — such as cloud computing firms — as a telecoms subject to licensing restrictions.

China’s equity restrictions on foreign participation constitute a major impediment to market access in China. These restrictions are compounded by China’s broad interpretation of services requiring a telecommunications license (and thus subject to equity caps) and narrow interpretation of the specific services foreign firms can offer in these sub-sectors.

[snip]

Several VAS definitions in the draft Catalog also raise trade restriction concerns. First, the draft Catalog created a new category of “Internet Resource Collaboration Services” that appears to covers all aspects of cloud computing. (Cloud computing is a computer service or software delivery model, and should not be misclassified as a telecommunications service.) MIIT approach to cloud computing generally raises a host of broad concerns. Second, the draft Catalog significantly expanded the definition of “Information Services” to include software application stores, software delivery platforms, social networking websites, blogs, podcasts, computer security products, and a number of other Internet and computing services. These services simply use the Internet as a platform for providing business and information to customers, and thus should not be considered as telecommunications services.

USTR complains about Chinese requirements for encryption both for information systems tied to critical infrastructure.

Starting in 2012, both bilaterally and during meetings of the WTO’s Committee on Technical Barriers to Trade, the United States raised its concerns with China about framework regulations for information security in critical infrastructure known as the Multi-Level Protection Scheme (MLPS), first issued in June 2007 by the Ministry of Public Security (MPS) and the Ministry of Industry and Information Technology (MIIT). The MLPS regulations put in place guidelines to categorize information systems according to the extent of damage a breach in the system could pose to social order, public interest, and national security. The MLPS regulations also appear to require buyers to comply with certain information security technical regulations and encryption regulations that are referenced within the MLPS regulations. If China issues implementing rules for the MLPS regulations and applies the rules broadly to commercial sector networks and IT infrastructure, they could adversely affect sales by U.S. information security technology providers in China.

And for providers on its 4G network.

At the end of 2011 and into 2012, China released a Chinese government-developed 4G Long-Term Evolution (LTE) encryption algorithm known as the ZUC standard. The European Telecommunication Standards Institute (ETSI) 3rd Generation Partnership Project (3GPP) had approved ZUC as a voluntary LTE encryption standard in September 2011. According to U.S. industry reports, MIIT, in concert with the State Encryption Management Bureau (SEMB), informally announced in early 2012 that only domestically developed encryption algorithms, such as ZUC, would be allowed for the network equipment and mobile devices comprising 4G TD-LTE networks in China. It also appeared that burdensome and invasive testing procedures threatening companies’ sensitive intellectual property could be required.

In response to U.S. industry concerns, USTR urged China not to mandate any particular encryption standard for 4G LTE telecommunications equipment, in line with its bilateral commitments and the global practice of allowing commercial telecommunications services providers to work with equipment vendors to determine which security standards to incorporate into their networks.

Finally, USTR dubs China’s limits on outsider VOIP services a trade restriction.

Restrictions on VoIP services imposed by certain countries, such as prohibiting VoIP services, requiring a VoIP provider to partner with a domestic supplier, or imposing onerous licensing requirements have the effect of restricting legitimate trade or creating a preference for local suppliers, typically former monopoly suppliers.

All of these complaints, of course, can be viewed narrowly as a trade problem. But the underlying motivation on China’s part is almost certainly about keeping the US out of its telecom networks, both to prevent spying and to sustain speech restraints behind the Great Firewall.

It’s not just China about which USTR complains. It issues similar dual purpose (trade and spying) complaints against India and Colombia, among others.

And of course, it finds European plans to require intra-EU transit limits — a plan done largely to combat US spying — a ‘draconian” trade restriction.

In particular, Deutsche Telekom AG (DTAG), Germany’s biggest phone company, is publicly advocating for EU-wide statutory requirements that electronic transmissions between EU residents stay within the territory of the EU, in the name of stronger privacy protection. Specifically, DTAG has called for statutory requirements that all data generated within the EU not be unnecessarily routed outside of the EU;

[snip]

The United States and the EU share common interests in protecting their citizens’ privacy, but the draconian approach proposed by DTAG and others appears to be a means of providing protectionist advantage to EU-based ICT suppliers.

Meanwhile, even as I was writing this, one of the EU’s top Data Privacy figures, Paul Nemitz, just floated making the reverse accusation against America, that its NSA spying is a trade impediment to European businesses trying to do business in the US.

Fun stuff.

Share this entry

Dragnet FOIA, Hiding the Dragnet Numbers and Providers from Congress

/10 Comments/in /by

Unrelated, but Rosemary Collyer threw out the Awlaki wrongful death suit, meaning the government can kill its own citizens (including the innocent 16-year olds) with no due process with impunity. I’ll write about this ruling later. 

Last Saturday, I did a post on the three releases I Con the Record released as a Friday night document dump. It turns out ODNI also released an unintentionally revealing declaration that helps explain those and a number of other documents.

In this post I’ll provide some general comments about what the declaration says. In a follow-up post, I’ll describe that the declaration suggests about Verizon’s foreign record problems and a correlation function that permits matching burner cells and so much more.

As far as last week’s documents:

  • The single solitary new thing unclassified in the March 2, 2009 order is to disclose the words “those providers” on the first page. DOJ, it seems, believed not only that there were multiple providers was secret, but was ignorant of the many details already declassified that make that clear.
  • The only new things in the June 22, 2009 order — besides combining the Internet and phone version that had been previously released — were the paltry number of reports issued from the Internet dragnet (117) on page 3 and the phrase “high volume” selector which I talk about incessantly. ODNI claims it was an administrative error to release the document in two versions previously; I suspect it was an even bigger screw-up, especially given that DOJ admits it is trying to hide the Internet dragnet dates from us for reasons that don’t stand up to scrutiny.
  • The BR 10-82 financial order that makes up the bulk of the description apparently applied only to an FBI investigation of a specific counterterrorism target which is still on-going. The declaration describes the scope of this being super secret, so even though this is presumably not everyone’s credit card records, it may well be a lot of people’s. And the reason we got it is because the supplemental order was a significant legal interpretation, one they can of course use over and over now. I will return to this one at a future date.

In addition to these details, this document reveals that the government is hiding the dragnet numbers and providers from Congress.

EFF and ACLU FOIAed DOJ, not NSA for these documents. As a result, a lot of the documents in their possession either probably had personal notes (those are reflected in the Vaughn Index, not this declaration) or were the redacted version provided to Congress under FAA. Interestingly, those documents for Congress came pre-redacted (potentially meaning not even the National Security Division technically has the original information). And just two things get redacted: the numbers showing the scale of the dragnet, and the provider names.

Hiding the dragnet numbers from Congress is particularly interesting, because it would explain why some people (like Richard Blumenthal) claim to have just learned the “fact” that NSA only collects about 30% of the call data in the US. But it also means the NSA can hide the true scale of how the dragnet gets apportioned around different authorities.

 

Share this entry

Turns Out the NSA “May” Destroy Evidence of Crimes before 5 Years Elapse

/6 Comments/in /by

The metadata collected under this order may be kept online (that is, accessible for queries by cleared analysts) for five years, at which point it shall be destroyed. — Phone dragnet order, December 12, 2008

The Government “takes its preservation obligations with the utmost seriousness,” said a filing signed by Assistant Attorneys General John Carlin and Stuart Delery submitted Thursday in response to Presiding FISA Court Judge Reggie Walton’s accusation they had made material misstatements to him regarding the question of destroying phone dragnet data.

Recognizing that data collected pursuant to the Section 215 program could be potentially relevant to, and subject to preservation obligations in, a number of cases challenging the legality of the program, including First Unitarian Church of Los Angeles  v. NSA,

… Signals Intelligence Division Director Theresa Shea wrote in her March 17 declaration (starting at page 81) explaining what the government has actually done to protect data under those suits.

At which point Shea proceeded to admit that the government hadn’t been preserving the data they recognized was potentially relevant to the suits at hand.

… since the inception of the FISC-authorized bulk telephony metadata program in 2006, the FISC’s orders authorizing the bulk collection of telephony metadata under FISA Section 501 (known also as the Section 215 program) require that metadata obtained by the NSA under this authority be destroyed no later than five years after their collection. In 2011, the NSA began compliance with this requirement (when the first metadata collected under the FISC authority was ready to be aged off) and continued to comply with it until this Court’s March 10 order and the subsequent March 12, 2014 order of the FISC.

Thursday’s filing added to that clarity, not only saying so in a footnote, but then submitting another filing to make sure the footnote was crystal clear.

Footnote 6 on page 5 was intended to convey that “[c]onsistent with the Government’s understanding of these orders in Jewel and Shubert, prior to the filing of the Government’s Motion for Second Amendment to Primary Order, the Government complied with this Court’s requirements that metadata obtained by the NSA under Section 215 authority be destroyed no later than five years after their collection.”

The significance seems clear. The Government admits it could potentially have a preservation obligation from the filing of the first Section 215 suit, Klayman v. Obama, on June 6, 2013. But nevertheless, it destroyed data for 9 months during which it recognized it could potentially have a preservation obligation.  That means data through at least March 9, 2009 and perhaps as late as September 10, 2009 may already be destroyed, assuming reports of biannual purging is correct. Which would perhaps not coincidentally cover almost all of the phone dragnet violations discovered over the course of 2009. It would also cover all, or almost all, of the period (probably)  NSA did not have adequate means of identifying the source of its data (meaning that Section 215 data may have gotten treated with the lesser protections of EO 12333 data).

And the amount of data may be greater, given that NSA now describes in its 5 year age-off requirement no affirmative  obligation to keep data five years.

This all means the government apparently has already destroyed data that might be implicated in the scenario Judge Jeffrey White (hypothetically) raised in a hearing on March 19, in which he imagined practices of graver Constitutional concern than the program as it currently operates five years ago.

THE COURT: Well, what if the NSA was doing something, say, five years ago that was broader in scope, and more problematical from the constitutional perspective, and those documents are now aged out? And — because now under the FISC or the orders of the FISC Court, the activities of the NSA have — I mean, again, this is all hypothetical — have narrowed. And wouldn’t the Government — wouldn’t the plaintiffs then be deprived of that evidence, if it existed, of a broader, maybe more constitutionally problematic evidence, if you will?

MR. GILLIGAN: There — we submit a twofold answer to that, Your Honor.

We submit that there are documents that — and this goes to Your Honor’s Question 5B, perhaps. There are documents that could shed light on the Plaintiffs’ standing, whether we’ve actually collected information about their communications, even in the absence of those data.

As far as — as Your Honor’s hypothetical goes, it’s a question that I am very hesitant to discuss on the public record; but I can say if this is something that the Court wishes to explore, we could we could make a further classified ex parte submission to Your Honor on that point.

According to the NSA’s own admissions, until just over 5 years ago, the NSA was watchlisting as many as 3,000 Americans without doing the requisite First Amendment review required by law. And that evidence — and potentially the derivative queries that arose from it — is apparently now gone.

Which puts a new spin on the narratives offered in the press about DOJ’s delay in deciding what to do with this evidence. WSJ described the semiannual age-off and suggested the issue with destroying evidence might pertain to standing.

As the NSA program currently works, the database holds about five years of data, according to officials and some declassified court opinions. About twice a year, any call record more than five years old is purged from the system, officials said.

A particular concern, according to one official, is that the older records may give certain parties legal standing to pursue their cases, and that deleting the data could erase evidence that the phone records of those individuals or groups were swept up in the data dragnet.

FP’s sources suggested DOJ was running up against that semiannual deadline.

A U.S. official familiar with the legal process said the question about what to do with the phone records needn’t have been handled at practically the last minute. “The government was coming up on a five-year deadline to delete the data. Lawsuits were pending. The Justice Department could have approached the FISC months ago to resolve this,” the official said, referring to the Foreign Intelligence Surveillance Court.

There should be no February to March deadline. Assuming the semiannual age-off were timed to March 1, there should have already been a September 1 deadline, at which point NSA presumably would have destroyed everything moving forward to March 1, 2009.

Which may mean NSA and DOJ put it off to permit some interim age-off, all the out of control violations from 2009.

We shall see. EFF and DOJ will still litigate this going forward. But as I look more closely at the timing of all this, DOJ’s very belated effort to attempt to preserve data in February seems to have served, instead, to put off dealing with preservation orders until the most potentially damning data got destroyed.

All of this is separate from the dispute over whether DOJ violated the preservation order in Jewel, and that case may be coming up on the 5 year destruction of the last violative Internet metadata, which might be aged off by April 30 (based on the assumption the Internet dragnet got shut down on October 30, 2009).

But even for he more narrow question of the phone dragnet, for which the government admits it may have data retention obligations, the government seems to have already violated those obligations and, in the process, destroyed some of the most damning data about the program. 

Share this entry