Yes, Verizon, We Can Hear You Now

Apparently, James Clapper does not believe the information in the screenshot to the right to be classified. The name, Verizon, was left unredacted in one of the Primary Orders released last Friday (the one dated January 20, 2011). (h/t Michael)

The paragraph is boilerplate that appears, in some form, in all the Primary Orders for the phone dragnet. I had always thought the word behind the redaction was something like “the telecoms.”

It wasn’t. It appears that this Primary Order, which applies to all providers for the dragnet, applies only to Verizon.

That appears to suggest that, at least in January 2011, Verizon was the only dragnet provider.

(See below for an updated explanation: they just broke out Verizon into its own paragraph to limit any collection from their foreign metadata. I assume the earlier paragraph applies to the other providers.)

Now, I’m not sure what this means (I’ve got some theories, but I’m still mulling them), but it may explain why NSA Review Group member Geoffrey Stone has claimed the government gets substantially less than 75% of all US traffic, but DOJ keeps telling courts that they get the whole haystack of phone records in the US. Verizon’s traffic, by itself, doesn’t constitute 75% of US traffic. But its circuits would have access to far more than just Verizon traffic. (A whistleblower has described a wide-open Verizon circuit at Quantico.)

Remember, contrary to the “Business Records” moniker, the records the NSA collects are not real billing records for much of the telecom traffic; no one has to bill for local calls for land lines, after all. So at least some of what the government obtains must be created for it. But it’s possible that Verizon strips some portion of the nation’s call metadata as it traverses its backbones.

Furthermore, if Verizon provides all this data, it explains why the providers are balking at retaining the dragnet data themselves. Not only would Verizon have to store far more than they currently do (they don’t store as much as AT&T), but it would have to fiddle with the dragnet data of other carriers, including performing the data integrity role that gives direct access to raw data.

In any case, if Verizon is still the sole provider of this dragnet data, it means it may be easier to force the end of its collection.

Update: Okay, I think I have an explanation for this now.

Up until at least March 5, 2009, all the telecoms were addressed in one paragraph starting, “the Custodian of Records.” Starting on May 29, 2009, that’s split out into two paragraphs, with the original Custodian of Records paragraph and the one we know to be specific to Verizon. We don’t have the following order, dated July 8, 2009, but we know that order shut down production from one provider because it was also producing foreign-to-foreign data; that production was restarted on September 3, 2009.

So what appears to have happened is in the End to End review, they realized that Verizon was also turning over foreign data (perhaps from Vodafone?); this apparently was a big problem, but I’m not sure why. So they appear to have recognized they had to specify that they didn’t want (I’m guessing) Verizon’s foreign call data, at least not this way.

I assume the other paragraph names AT&T and T-Mobile or something like that after all.


The Tech Back Door in Obama’s New Spying Policy

I haven’t had time to do a full post on the Presidential Policy Directive Obama rolled out with his speech the other day (besides pointing out how Obama sets it up to be disappeared when inconvenient). But Bart Gellman noted something I had also noticed (in addition to noting that Obama embraced Big Data in his speech — his whole story is worth reading).

In another significant footnote, Obama said the limits he ordered “shall not apply to signals intelligence activities undertaken to test or develop signals intelligence capabilities.” Signals intelligence development, or “sigdev” in NSA parlance, is the discovery of untapped communication flows and the invention of new surveillance methods to exploit them.

For example, NSA Director Keith Alexander revealed last summer that his agency had collected location data from mobile phones in the United States.

Here’s the language in question.

Consistent with this historical practice, this directive articulates principles to guide why, whether, when, and how the United States conducts signals intelligence activities for authorized foreign intelligence and counterintelligence purposes. 3
3 Unless otherwise specified, this directive shall apply to signals intelligence activities conducted in order to collect communications or information about communications, except that it shall not apply to signals intelligence activities undertaken to test or develop signals intelligence capabilities.

This is something we’re seeing throughout the NSA programs (and we’re not seeing any real auditing or checks on this activity) as I have been noting with respect to the data integrity analysts who have access to the phone dragnet. The NSA uses real data to develop its new toys. And while there are some limits on the finished intelligence products that can be produced from such development, there doesn’t seem to be any protection for the data that gets used.

You’d think, in the wake of a rather powerful demonstration of the power of techs, there’d be some awareness of how dangerous creating such exceptions for the techs is. But you’d be wrong.

One more note: Obama explicitly imposes these limits only on communications data, not on things like bank data or pressure cooker purchase data. A reporter actually asked the White House, rather persistently, about all this Section 215 (or NSL) collection, and they basically admitted they’re not going to provide the same protections (judicial review of queries) because no one is talking about it.

Which tells you what they’re really concerned about.


The Phone Metadata Program Metadata

ODNI released a bunch of the remaining phone dragnet primary orders (and amendments) here. I will have more to say about this later. Of particular note, though, they seem to be withholding the BR 09-15 primary order, which was right in the middle of PATRIOT reauthorization, when NSA kept disseminating results in violation of Reggie Walton’s orders.

  1. Howard, Malcolm, BR 06-05 (5/24/06)
  2. Howard, Malcolm, BR 06-08 (8/18/06)
  3. Scullin, Frederick, BR 06-12 (11/15/06)
  4. Broomfield, Robert, BR 07-04 (2/02/07)
  5. Gorton, Nathaniel, BR 07-10 (5/03/07)
  6. Gorton, Nathaniel, BR 07-14 (7/23/07)
  7. Vinson, Roger, BR 07-16 (10/18/07)
  8. Howard, Malcolm, BR 08-01 (1/?/08)
  9. Kollar-Kotelly, Colleen, BR 08-04 (4/3/08)
  10. Zagel, James, BR 08-07 (6/26/08)
  11. Zagel, James, BR 08-08 (8/19/08) [or 9/19/08]
  12. Walton, Reggie, BR 08-13 (12/12/08)
  13. Walton, Reggie, BR 09-01 (3/5/09)
  14. Walton, Reggie, BR 09-06 (5/29/09)
  15. Walton, Reggie (?) BR 09-09 (7/8/09) [see also]
  16. Walton, Reggie, BR 09-13 (9/3/09)
  17. Walton, Reggie (?) BR 09-15 (10/30/09) [See also]
  18. Walton, Reggie (?) BR 09-19 [see also]
  19. Walton, Reggie, BR 10-10 (2/26/10)
  20. Walton, Reggie, BR 10-17 (5/14/10)
  21. Walton, Reggie, BR 10-49 (8/04/10)
  22. Walton, Reggie, BR 10-70 (10/29/10)
  23. Bates, John, BR 11-07 (1/20/11)
  24. Feldman, Martin, BR 11-57 (4/13/11)
  25. Bates, John, BR 11-107 (6/22/11)
  26. ~9/20/11?
  27. BR-11-191 [see also]
  28. ~1/29/12?
  29. ~4/29/12?
  30. ~7/28/12?
  31. ~10/26/12?
  32. ~1/25/13?
  33. Vinson, Roger, BR 13-80 (4/25/13)
  34. Eagan, Claire, BR 13-109 (7/18/13)
  35. McLaughlin, Mary, BR 13-158 (10/11/13)
  36. 1/3/14

1/19: Updated to add the 7/9/09 order and BR 09-19.

1/20: There is one more missing primary order. In an NSA declaration dated November 12, SID Director Theresa Shea said there had been 34 approvals. As shown above, the McLaughlin order is the 33rd of identified orders.

1/26: I think I’ve corrected all the date errors I originally had (the date stamp is not all that accurate). For the 2011-2013 dates, I’ve worked backwards from the 4/25/13 order.


The Misplaced Enthusiasm for Obama’s 2-Hop “Change”

I’m seeing a lot of enthusiasm about President Obama’s promise to limit the NSA to 2 hops on its phone dragnet.

Effective immediately, we will only pursue phone calls that are two steps removed from a number associated with a terrorist organization instead of three.

But it’s not that big of a limit.

As far back as 2011, the NSA had standardized on 2-hops, only permitting a 3rd with special approval. (See page 13.)

While the BR Order permits contact chaining for up to three hops, NSA has decided to limit contact chaining to only two hops away from the RAS-approved identifier without prior approval from your Division management to chain the third hop.

So in effect, Obama has replaced the NSA’s internal directive limiting the hops to 2 with his own directive (which can be pixie dusted with no notice) limiting the hops to 2.

Also, can anyone explain what the word “pursue” means in Obama’s promise?

The concerns about the dragnet arise, in large part, from other things: the audit-free access of the data integrity analysts, the opacity of whether they do what they claim they do (which has as much impact on the extent of the spying as the number of hops), and what they do with it afterwards. Not to mention the sheer hubris of even creating that database of every American’s phone-based relationships.

Don’t get me wrong: given a choice, I’d take 2-hops over 3 (or 4, as could be kluged until 2009).

But it is largely a continuation of the dragnet in its current form, not any end to the dragnet itself.


Obama’s Presidential Policy Directive: Pixie Dust 2.0

Back when John Yoo was finding ways to authorize President Bush’s illegal wiretap program — especially spying on Americans who were not agents of a foreign power — he changed the meaning of certain limits in EO 12333 without rewriting EO 12333. The President didn’t have to change EO 12333 to reflect actual practice, Yoo determined (relying on an Iran-Contra precedent), because ignoring EO 12333 amounted to modifying it.

An executive order cannot limit a President. There is no constitutional requirement for a President to issue a new executive order whenever he wishes to depart from the terms of a previous executive order. Rather than violate an executive order, the President has instead modified or waived it.

I call this pixie-dusting, where the Executive makes his own orders and directives disappear in secret.

Poof!

The use of pixie-dust — so recently used to justify spying on people while pretending not to spy on them — ought to give you pause when you read this passage from President Obama’s Presidential Policy Directive limiting US spying overseas (or, frankly, everything he said today, which all consists of the Executive exercising its prerogative to change and oversee Executive actions, but in no way includes any teeth to sustain such changes).

Nothing in this directive shall be construed to prevent me from exercising my constitutional authority, including as Commander in Chief, Chief Executive, and in the conduct of foreign affairs, as well as my statutory authority. Consistent with this principle, a recipient of this directive may at any time recommend to me, through the APNSA, a change to the policies and procedures contained in this directive.

Effectively Obama is laying out his prerogative to pixie dust this PPD.

And while the President admittedly would always have such prerogative, he didn’t include such a paragraph in his cyberwar PPD (which, of course, wasn’t meant to be public).

This PPD was designed to be ignored.

And I suspect our friends and adversaries know that.


Obama’s Speech, Annotated Version

Obama’s speech as written is below, with my comments (no indent) included.

At the dawn of our Republic, a small, secret surveillance committee borne out of the “The Sons of Liberty” was established in Boston. The group’s members included Paul Revere, and at night they would patrol the streets, reporting back any signs that the British were preparing raids against America’s early Patriots.

As I noted, raising Paul Revere is a really problematic analogy, because had the Brits done metadata analysis on Revere the way the government does on people who might also be called dissidents, we would still be eating kidney pie and hailing Queen Elizabeth.

Throughout American history, intelligence has helped secure our country and our freedoms. In the Civil War, Union balloon reconnaissance tracked the size of Confederate armies by counting the number of camp fires. In World War II, code-breaking gave us insight into Japanese war plans, and when Patton marched across Europe, intercepted communications helped save the lives of his troops. After the war, the rise of the Iron Curtain and nuclear weapons only increased the need for sustained intelligence-gathering. And so, in the early days of the Cold War, President Truman created the National Security Agency to give us insight into the Soviet bloc, and provide our leaders with information they needed to confront aggression and avert catastrophe.

Note that Obama presumes a war footing, even while 2 of the 3 primary foreign intelligence objectives he discussed (and others, as I’ll note) have nothing to do with war.

Note that this history lesson does not explain what higher purpose the wars — and therefore the intelligence — served. That’s important, because at the end of his speech he says it served to defend the Constitution, when in fact it was defending what we now call “the Homeland.”

Throughout this evolution, we benefited from both our Constitution and traditions of limited government. U.S. intelligence agencies were anchored in our system of checks and balances – with oversight from elected leaders, and protections for ordinary citizens.

So here the Constitution becomes not what we defend, but a limit we use when fighting wars.

Meanwhile, totalitarian states like East Germany offered a cautionary tale of what could happen when vast, unchecked surveillance turned citizens into informers, and persecuted people for what they said in the privacy of their own homes.

A nod to Angela Merkel. Also, I’d be curious how many Muslims the Obama Administration has not just persecuted, but prosecuted, for what they said in the privacy of their own homes?

In fact even the United States proved not to be immune to the abuse of surveillance. In the 1960s, government spied on civil rights leaders and critics of the Vietnam War. Partly in response to these revelations, additional laws were established in the 1970s to ensure that our intelligence capabilities could not be misused against our citizens. In the long, twilight struggle against Communism, we had been reminded that the very liberties that we sought to preserve could not be sacrificed at the altar of national security.

As I note relentlessly, according to the NSA itself, it had 3 different “present examples” of such abuses in 2009. This is not the distant past. It’s just the as-yet undisclosed immediate past.

If the fall of the Soviet Union left America without a competing superpower, emerging threats from terrorist groups, and the proliferation of weapons of mass destruction placed new – and, in some ways more complicated – demands on our intelligence agencies.

Note that throughout this passage, Obama only mentions 2 of the 3 main targets we use Section 702 for: terrorism and counterproliferation, making no mention of cybersecurity. That allows him to rationalize what he gets very close to admitting is domestic spying using the prior example of terrorism, even while cybersecurity was already an issue in 2011.

Globalization and the Internet made these threats more acute, as technology erased borders and empowered individuals to project great violence, as well as great good. Moreover, these new threats raised new legal and policy questions. For while few doubted the legitimacy of spying on hostile states, our framework of laws was not fully adapted to prevent terrorist attacks by individuals acting on their own, or acting in small, ideologically driven groups rather than on behalf of a foreign power.
The horror of September 11th brought these issues to the fore. Across the political spectrum, Americans recognized that we had to adapt to a world in which a bomb could be built in a basement, and our electric grid could be shut down by operators an ocean away.

See how quickly he inserts cybersecurity into the terrorism framework?

We were shaken by the signs we had missed leading up to the attacks – how the hijackers had made phone calls to known extremists, and travelled to suspicious places.

No mention of the information sharing of data collected that didn’t occur.

So we demanded that our intelligence community improve its capabilities, and that law enforcement change practices to focus more on preventing attacks before they happen than prosecuting terrorists after an attack.

It is hard to overstate the transformation America’s intelligence community had to go through after 9/11. Our agencies suddenly needed to do far more than the traditional mission of monitoring hostile powers and gathering information for policymakers – instead, they were asked to identify and target plotters in some of the most remote parts of the world, and to anticipate the actions of networks that, by their very nature, cannot be easily penetrated with spies or informants.

And it is a testimony to the hard work and dedication of the men and women in our intelligence community that over the past decade, we made enormous strides in fulfilling this mission. Today, new capabilities allow intelligence agencies to track who a terrorist is in contact with, and follow the trail of his travel or funding.

And again, Obama focuses on terrorism, when precisely the same tactics (and then some) are used against cybertargets.

New laws allow information to be collected and shared more quickly between federal agencies, and state and local law enforcement.

Does Obama’s mention of “state and local law enforcement agencies” in conjunction with nods to the PATRIOT Act make you more comfortable about all this data sharing of bulk data?


First Impressions, Obama’s Speech

I will write far more on the President’s speech and new Directive. But here are some early thoughts.

Obama used the example of Paul Revere as an example of the importance of intelligence over the life of “our country.” Of course, Paul Revere is actually a better example that, if the Brits had done metadata analysis akin to what he preserved today, we would still be eating Kidney pies under British rule.

Obama made no mention, at all, of NSA’s weakening encryption and hoarding zero days. None.

With the sole exception of consulting with Congress on how to resolve the Section 215 dragnet (something that will happen during next year’s PATRIOT Act Reauthorization if not before) these changes are all Executive Branch self-limitations. Even the role of a FISC advocate fell by the wayside. In other words, while Obama did call for some useful changes (limiting the gag order on NSLs, adding limits on the way back door searches can be used for criminal investigations), they’re all self-limitations that can’t be enforced or overseen.

At one point, Obama justified our dragnet by saying we have special responsibilities as the only Superpower. Now, China is getting big enough they might object to that whole claim. More importantly, it demonstrates the degree to which a presumption of exceptionalism underlies our entire approach to spying.

See below for speech as written.


Things Barack Obama Doesn’t Consider “Abuse”

President Obama will shortly give a speech in which he’ll make cosmetic changes to the NSA dragnet, but will continue, in many ways, the accessing of personal data from Americans with no probable cause.

As part of his cosmetic effort, he will also say there has been no evidence of abuse in these programs. That means he does not consider any of the following abuse:

  • The NSA spied on the porn and phone sex habits of ideological opponents, including those with no significant ties to extremists, and including a US person.
  • According to the NSA in 2009, it had a program similar to Project Minaret — the tracking of anti-war opponents in the 1970s — in which it spied on people in the US in the guise of counterterrorism without approval. We still don’t have details of this abuse.
  • When the NSA got FISC approval for the Internet (2004) and phone (2006) dragnets, NSA did not turn off features of Bush’s illegal program that did not comply with the FISC authorization. These abuses continued until 2009 (one of them, the collection of Internet metadata that qualified as content, continued even after 2004 identification of those abuses).
  • Even after the FISC spent 9 months reining in some of this abuse, the NSA continued to ignore limits on disseminating US person data. Similarly, the NSA and FBI never complied with PATRIOT Act requirements to develop minimization procedures for the Section 215 program (in part, probably, because NSA’s role in the phone dragnet would violate any compliant minimization procedures).
  • The NSA has twice — in 2009 and 2011 — admitted to collecting US person content in the United States in bulk after having done so for years. It tried to claim (and still claims publicly in spite of legal rulings to the contrary) this US person content did not count as intentionally-collected US person content (FISC disagreed both times), and has succeeded in continuing some of it by refusing to count it, so it can claim it doesn’t know it is happening.
  • As recently as spring 2012, 9% of the NSA’s violations involved analysts breaking standard operating procedures they know. NSA doesn’t report these as willful violations, however, because they’ve deemed any rule-breaking in pursuit of “the mission” not to be willful violations.
  • In 2008, Congress passed a law allowing bulk collection of foreign-targeted content in the US, Section 702, to end the NSA’s practice of stealing Internet company data from telecom cables. Yet in spite of having a legal way to acquire such data, the NSA (through GCHQ) continues to steal data from some of the same companies, this time overseas, from their own cables. Arguably this is a violation of Section 702 of FISA.
  • NSA may intentionally collect US person content (including Internet metadata that legally qualifies as content) overseas (it won’t count this data, so we don’t know how systematic it is). If it does, it may be a violation of Section 703 of FISA.

Rather than discussing any of these violations, the NSA has waved around a few cases of LOVEINT (most, if not all, of which have not been prosecuted) as part of a successful ploy to distract from much more systemic abuses of its authority, affecting far more Americans.

But there has been abuse, even beyond practices (like back door searches) that gut the Fourth Amendment or (like NSA’s approach to encryption) that hurt Americans’ security.

President Obama will spend a lot of time saying there have been no abuses. He’s wrong.


Big Text Message

The Guardian today reported a story that presents a bigger issue for Brits than Americans: the NSA is capturing 200 million text messages a day and then mining their content for metadata. While the Guardian states that documents say American text messages are minimized, GCHQ does search on this information without a warrant.

The documents also reveal the UK spy agency GCHQ has made use of the NSA database to search the metadata of “untargeted and unwarranted” communications belonging to people in the UK.

[snip]

Communications from US phone numbers, the documents suggest, were removed (or “minimized”) from the database – but those of other countries, including the UK, were retained.

But I think the story and accompanying document is most telling for the kinds of information they’re mining in a program called PREFER. By mining the content of SMS text messages, NSA is getting information:

  • Tying Emails and phone numbers together
  • Tying handsets together (reflecting a SIM card being moved)
  • Showing a range of location and travel information, including itineraries
  • Providing limited password information
  • Tracking smaller, text-based financial transactions

And all of this is tied to someone’s phone-based ID.

I’m not surprised they’re doing it. What they’re calling “Metacontent” (a lot of it involved XML tagging) is, like Metadata, more valuable than actual content (and much less of it needs to be translated).

But it provides the beginning of an explanation of how NSA is building dossiers on people around this world; it turns out their text messages may serve as one piece of glue to bring it all together.

One more point: I noticed in last year’s 702 compliance report that the number of phone targets under 702 has been going up since 2012 after having declined between 2009 and 2012 (see page 16). I’ve been wondering why that was. The rapid reliance on text messaging and the NSA’s ability to mine it more thoroughly may provide one possible explanation (though there are others).


The Section 215 Phone Dragnet Is Just a Fraction of the Dragnet

I’ve been harping on the Review Group (and Leahy-Sensenbrenner’s) recommendation to end bulk collection with National Security Letters. I’ve also noted the Review Group’s nod to EO 12333 in its use of the phrase “or under any other authority” when recommending limits to Section 702.

So I wanted to draw attention to this language from Tuesday’s Senate Judiciary Committee hearing with the Review Group, in which Chris Coons asks Richard Clarke what other authorities the Review Group had considered. Clarke notes that the phone dragnet provides a small fraction of the data collected.

COONS: The review, if I might, Mr. Clarke, my last question, it looks at two authorities, Section 702 and Section 215. And these are both sections about which there’s been a lot of public debate and discussion.

But the review group also recommends greater government disclosure about these and other surveillance authorities it possesses. But the report, appropriately and understandably, does not itself disclose any additional programs.

What review, if any, did the group make of undisclosed programs or could you at least comment about whether lessons learned from such review is, in fact, reflected in the report?

CLARKE: Well, there was a great deal of metadata collected by the national security letter program. And we do speak to that in the recommendations.

There was also a great deal of communications-related information collected under the executive order 12333.

Public attention is focused on 215, but 215 produces a small percentage of the overall data that’s collected.

That’s consistent with what this post shows — that the US based metadata collection is just a small fraction of a large collection of metadata, and the 12333 collected data is at least partly duplicative of (but not subject to the same protections as) the Section 215 dragnet (and NSLs are subject to even less protection).

But I’m glad to see someone like Clarke echoing the warnings I’ve been giving.
