Posts

Verizon VP: Company-Based Transparency Reports Don’t Help Consumers

/in /by

There was a fascinating panel of Telecom execs and bloggers discussing human rights at RightsCon yesterday. Among others, Verizon Executive Vice President and General Counsel Randal Milch spoke.

As I noted in passing, Verizon published an update to their Transparency Report the other day. Particularly as compared to AT&T’s bogus report, the Verizon report was laudable for its explanation of what it couldn’t show, such as when it acknowledged that its report did not include the hundreds of millions of customers whose records got turned over under Section 215.

We note that while we now are able to provide more information about national security orders that directly relate to our customers, reporting on other matters, such as any orders we may have received related to the bulk collection of non-content information, remains prohibited.

It also acknowledged something obvious but that which should be explicit: when the government obtains content from Verizon, it sometimes gets metadata as well.

Some FISA orders that seek content also seek non-content; we counted those as FISA orders for content and to avoid double counting have not also counted them as FISA orders for non-content.

All this is useful information that lends the report itself credibility.

So when I first approached Milch, I thanked him for the quality of his report.

Which is why I was so surprised when he said the government should be in the business of transparency reports, not the providers. I challenged that, noting that an easy comparison of AT&T and Verizon’s reports strongly suggests that Verizon demands more legal process for requests than AT&T. He dismissed that, suggesting any differences arise from the different kind of client base the providers have.

Granted, Milch was talking about your average consumer, not … me.

But it seemed bizarre. Or perhaps it was a testament that Milch and Verizon generally don’t want to have to compete in this front.

Milch answered one other question of mine: I asked whether the Verizon/Vodaphone split affected Verizon’s obligations to the UK (that is, to GCHQ). He claims it didn’t affect it at all, that it was more an investment stake and that none of Verizon’s cell call records were in the UK. (No, I didn’t point out that the records are right where GCHQ wants them, in places accessible under Tempora).

So at least according to Milch’s claims, my theory laid out here is wrong.

Did GCHQ and NSA Lose an Eye Today?

/in /by

As the business press is crowing, Vodaphone and Verizon are officially divorced.

After pulling off the $130 billion sale, Vodafone will drop from the world’s second-biggest phone company to the fourth, measured by market value, behind China Mobile Ltd., AT&T Inc. and Verizon Communications Inc. (VZ), data compiled by Bloomberg showed. Vodafone’s weighting in share indexes such as the FTSE 100 in London will be cut approximately in half.

Shareholders will get a return of about 102 pence ($1.70) per share. That’s about $23.9 billion in cash and about $58.6 billion in Verizon Communications shares.

Vodafone’s shares rose 2.8 percent to 236.10 pence at 2:45 p.m. in London. Verizon slipped 0.3 percent to $47.97 in New York.

“This is a great day for Verizon,” Verizon CEO Lowell McAdam said in a statement. “The new Verizon now has full ownership of the U.S. wireless industry leader in network performance, profitability and cash flow.”

The deal will help Vodafone pay off debt and help fund 7 billion pounds of additional network investments by March 2016, adding high-speed broadband and wireless coverage across its largest markets.

And rejoicing was heard on both sides of the Atlantic!

Curiously, though, I seem to be the only one asking what seems to be an obvious question: how will this high level British-US breakup affect the Five Eyes dragnet?

Particularly given reports that Verizon is (was?) one of 7 Tempora providers, I wonder whether splitting with Vodaphone has permitted Verizon to withdraw from compliance with GCHQ data requests.

Back in 2006, USA Today’s report that the NSA had a database of all of AT&T, Verizon, and BellSouth’s phone records caused one of the telecoms to refuse to turn over data without being legally obligated (and for a number of reasons, it is unlikely AT&T was the provider that demanded an order).

The publication of the Verizon Secondary Order on June 5, 2013 exposed Verizon far more than that 2006 story. And it exposed Verizon uniquely, in a way AT&T and Sprint hadn’t been exposed. ODNI exacerbated that exposure further when it released another document with Verizon’s name unredacted.

If I were Verizon, I would be doing nothing more than the government(s) legally requred me to do. And as of today, Verizon may have one less government with the ability to make such requirements.

Update: On March 4, Verizon’s General Counsel said the Vodaphone/Verizon split will have no effect on Verizon’s obligations to the US.

AT&T’s “Transparency” Report: Polite Requests Versus Demands

/5 Comments/in /by

Screen Shot 2014-02-18 at 1.40.24 PMI want to make two more points about AT&T’s “Transparency” Report which, as I mentioned earlier, shows how deceitful “transparency” reports can be.

First, compare the number of subpoenas AT&T shows, total, compared to the rough numbers provided for requests to AT&T under Hemisphere for the prior year.

In 2012, 3 cities — Atlanta, Houston, and  Los Angeles — submitted a total of 2,770 requests to Hemisphere. In 2012 to 2013 (see the following slide), 7 HIDTAs plus two parts of the Southwest Border HIDTA submitted 838 requests to Hemisphere. While I suspect other HIDTAs also have access to Hemisphere, those numbers are still just a tiny fraction of the total subpoenas AT&T got the following year — using the larger number, just slightly more than 1% of the 223,659 criminal subpoenas AT&T received in 2013.

Even assuming the number is 3 times that across all DEA requests, that seems like a miniscule number, probably even a miniscule number of the requests submitted in drug investigations.

We are to believe, then, that AT&T keeps up this database just to feed as what might be less than 4% of its total requests?

Which is one reason I suspect Hemisphere is also serving other purposes.

And that, of course actually assumes (I’m in a generous mood) that AT&T receives a subpoena for all its Hemisphere requests, in spite of references in the Hemisphere presentation to emails and despite the past history of AT&T (or another telecom) providing phone records in response to requests on Post-It notes.

Which makes me really wonder, given another little detail in AT&T’s “Transparency” Report, whether AT&T responds to as data requests, rather than formal demands.

Here are the categories for the data requests it gets:

  • National Security Demands
  • Total U.S. Criminal & Civil Litigation Demands
  • Location Demands
  • Emergency Requests
  • International Demands [my emphasis]

Remarkably, AT&T has just 22 International Demands, counting both law enforcement and URL blocking. Verizon, by contrast, got 2,396 law enforcement demands and 1,663 block requests, though some of that may reflect Vodapone exposure and it also implies there were other requests that it funneled through MLAT processing.

I raise this because, in his paper on the dragnet, David Kris repeatedly suggested the NSA gets some bulk metadata via voluntary production of foreign data.

Alternative methods of collection would include non-bulk FISA orders, or what prior NSA Directors in the past have referred to as “vacuum cleaner” surveillance outside the ambit of FISA, under Executive Order 12333 and its subordinate procedures, such as DOD 5240-1.R, and perhaps voluntary production if not otherwise prohibited by law. See NSA End-to-End Review at 15; August 2013 FISC Order at 10 n.10 (“The Court understands that NSA receives certain call detail records pursuant to other authority, in addition to the call detail records produced in response to this Court’s Orders.”); cf. 18 U.S.C. § 2511(2)(f) otherwise applicable Federal law involving a foreign electronic communications system, utilizing a means other than electronic surveillance as defined in section 101 of the Foreign Intelligence Surveillance Act of 1978”).(“Nothing contained in this chapter or chapter 121 or 206 of this title, or section 705 of the Communications Act of 1934, shall be deemed to affect the acquisition by the United States Government of foreign intelligence information from international or foreign communications, or foreign intelligence activities conducted in accordance with otherwise applicable Federal law involving a foreign electronic communications system, utilizing a means other than electronic surveillance as defined in section 101 of the Foreign Intelligence Surveillance Act of 1978”).

If AT&T is voluntarily providing data in response to requests, without insisting on getting a demand, it might explain some of the numbers (not to mention its far greater skew towards subpoenas rather than warrants, as compared to Verizon — though this “demand” “request” language necessarily appears at Verizon, too).

Don’t get me wrong: if AT&T wants to just give out customer information in response to data requests without asking for a demand, I’ll just assume it’s being polite to those in authority. But if it is, those requests should be in its transparency report too.

AT&T: Anti-Transparency and Trickery

/4 Comments/in /by

I noted last month that Verizon released its transparency report before the Tech Company transparency deal, which gave it a way to avoid revealing this embarrassing detail:

Had Verizon released a transparency report yesterday, it would have added at least the following two details:

Non-Content FISA orders:

4 orders affecting 107,700,000 customers

Content FISA orders:

? orders affecting ? selectors (probably measuring the number of search terms — maybe something like “250″ — Verizon searches for off its upstream collection affecting millions of people)

It would have painted a very different picture.

AT&T wasn’t as smart as Verizon, only now releasing its so-called transparency report. (h/t Kash Hill)

Here’s how it communicated to its customers that it provides all their call records and sucks up Internet data off its switches using search terms.

Screen shot 2014-02-18 at 9.26.06 AM

 

You see, it’s supposed to reveal all of its FISA Court orders, not just the orders it gets under the Foreign Intelligence Surveillance Act, which is a different thing. While the number of non-content orders might still be quite small: just 4 orders, presumably, plus some exotic ones thrown in. The number of customer accounts affected would be “all.”

Moreover, in the content section, AT&T is supposed to describe “customer selectors.” This is different than accounts, because, in AT&T’s case, it also includes the number of search terms is sucks right off the circuits (which affects millions of accounts).

Congratulations, AT&T, you have demonstrated definitively these transparency guidelines are not about transparency at all.

Keith Alexander Refutes Claims NSA Doesn’t Get Cell Data

/1 Comment/in , , /by

Eight days ago, the country’s four major newspapers reported a claim that the NSA collected 33% or less of US phone records (under the Section 215 program, they should have specified, but did not) because it couldn’t collect most cell phone metadata:

  • “[I]t doesn’t cover records for most cellphones,” (WSJ)
  • “[T]he agency has struggled to prepare its database to handle vast amounts of cellphone data,” (WaPo)
  • “[I]t has struggled to take in cellphone data,” (NYT)
  • “[T]he NSA is gathering toll records from most domestic land line calls, but is incapable of collecting those from most cellphone or Internet calls.” (LAT)

Since that time, I have pointed to a number of pieces of evidence that suggest these claims are only narrowly true:

  • A WSJ article from June made it clear the cell gap, such as it existed, existed primarily for Verizon and T-Mobile, but their calls were collected via other means (the WaPo and NYT both noted this in their stories without considering how WSJ’s earlier claim it was still near-comprehensive contradicted the 33% claim)
  • The NSA’s claimed Section 215 dragnet successes — Basaaly Moalin, Najibullah Zazi, Tsarnaev brothers — all involved cell users
  • Identifying Moalin via the dragnet likely would have been impossible if NSA didn’t have access to T-Mobile cell data
  • The phone dragnet orders specifically included cell phone identifiers starting in 2008
  • Also since 2008, phone dragnet orders seem to explicitly allow contact-chaining on cell identifiers, and several of the tools they use with phone dragnet data specifically pertain to cell phones

Now you don’t have to take my word for it. Here’s what Keith Alexander had to say about the claim Friday:

Responding to a question about recent reports that the NSA collects data on only 20% to 30% of calls involving U.S. numbers, Alexander acknowledged that the agency doesn’t have full coverage of those calls. He wouldn’t say what fraction of the calls NSA gets information on, but specifically denied that the agency is completely missing data on calls made with cell phones.

“That part is not true,” he said. “We don’t get it all. We don’t get 100% of the data. It’s not where we want it to be, but it has been sufficient to go after the key targets that we’re going after.” [my emphasis]

Admittedly, Alexander is not always entirely honest, so it’s possible he’s just trying to dissuade terrorists from using cellphones while the NSA isn’t tracking them. But he points to the same evidence I did — that NSA has gotten key targets who use cell phones.

There’s something else Alexander said that might better explain the slew of claims that it can’t collect cell phone data.

The NSA director, who is expected to retire within weeks, indicated that some of the gaps in coverage are due to the fact that the NSA “paused any changes to the program” during the recent controversy and discussions about restructuring the effort.

The NSA has paused changes to the program.

This echoes WaPo and WSJ reports that crises (they cited both the 2009 and current crisis) delayed some work on integrating cell data, but suggests that NSA was already making changes when the Snowden leaks started.

There is evidence the pause — or at least part of it — extends back to before the Snowden leak. As I reported last week, even though the NSA has had authority to conduct a new auto-alert on the phone dragnet since November 2012, they’ve never been able to use it because of technical reasons.

The Court understands that to date NSA has not implemented, and for the duration of this authorization will not as a technical matter be in a position to implement, the automated query process authorized by prior orders of this Court for analytical purposes.

This description actually came from DOJ, not the FISC, and I suspect the issue is rather that NSA has not solved some technical issues that would allow it to perform the auto-alert within the legal limits laid out by the FISC (we don’t know what those limits are because the Administration is withholding the Primary Order Supplement that would describe it, and redacting the description of the search itself in all subsequent orders).

That said, there are plenty of reasons to believe there are new reasons why NSA is having problems collecting cell phone data because it includes cell location, which is far different than claiming (abundant evidence to the contrary) they haven’t been collecting cell data all this time. In addition to whatever reason NSA decided to stop its cell location pilot in 2011 and the evolving understanding of how the US v. Jones decision might affect NSA’s phone dragnet program, 3 more things have happened since the beginning of the Snowden leaks:

  • On July 19, Claire Eagan specifically excluded the collection of cell site location information under the Section 215 authority
  • On September 1, NYT exposed AT&T’s Hemisphere program; not only might this give AT&T reason to stop collating such data, but if Hemisphere is the underlying source for AT&T’s Section 215 response, then it includes cell location data that is now prohibited
  • On September 2, Verizon announced plans to split from Vodaphone, which might affect how much of its data, including phone metadata, is available to NSA via GCHQ under the Tempora program; that change legally takes effect February 21

Remember, too, there’s a February 2013 FISC Section 215 opinion the Administration is also still withholding, which also might explain some of the “technical-meaning-legal” problems they’re having.

Underlying this all (and assuredly underlying the problems with collecting VOIP calls, which are far easier to understand and has been mentioned in some of this reporting, including the LAT story) is a restriction arising from using an ill-suited law like Section 215 to collect a phone dragnet: telecoms can only be obligated to turn over records they actually “already generate,” as described by NSA’s SID Director Theresa Shea.

[P]ursuant to the FISC’s orders, telecommunications service providers turn over to the NSA business records that the companies already generate and maintain for their own pre-existing business purposes (such as billing and fraud prevention).

To the extent telecoms use SS7 data, which includes cell location, to fulfill their Section 215 obligation (after all, what telecoms need billing records on a daily basis?), it probably does introduce problems.

Which, I suspect, will mean that Alexander and the rest of the dragnet defenders will recommend that a third party collate and store all this data, the worst of all solutions. They need to have a comprehensive source (like Hemisphere apparently plays for the DEA), one that will shield the government from necessarily having collected cell location data that is increasingly legally suspect to obtain. And they’ll celebrate it as a great sop to the civil libertarians, too, when in fact, they’ve probably reached the point where it is clear Section 215 can’t legally authorize what it is they want it to do.

The issue, more and more evidence suggests, is that they can’t collect the dragnet data without a law designed to construct the dragnet. Which is another way of saying the dragnet, as intended to function, is illegal.

On the Definition of Dragnet “Identifier”

/in /by

Last month, I noted that ODNI failed to redact a reference to Verizon in one of the phone dragnet primary orders, which helped to confirm that Verizon was the provider ordered to provide only its domestic or one-end domestic call records to NSA under this order.

I’d like to look at another redaction fail (also, IIRC, pointed out to me Michael) from that document dump.

In the February 25, 2010 order, part of the footnote describing what identifiers NSA can use to contact chain was left unredacted.

Screen Shot 2014-02-15 at 12.42.04 PM

The footnote starts on the previous page; this is the end of the description (the big redaction below it modifies one of the terms in the list of terror groups associations).

Given all the discussion about whether NSA does or does not collect cell phone data, I think it of particular interest that IMSI and IMEI — two ways to identify cell phone users — appear in this footnote. It’s actually not clear whether their inclusions mean they can or cannot be used as identifiers.

But there’s reason to believe the footnote says they can be used as identifiers.

The footnote first appeared in the March 5, 2009 order — the first written after Judge Reggie Walton started trying to clean up the dragnet mess. Screen Shot 2014-02-15 at 1.01.28 PM

By that point, NSA had informed Walton that an additional querying tool had regularly accessed the 215 dragnet to perform analysis of certain identifiers.

If an analyst conducted research supported by [redacted] the analyst would receive a generic notification that NSA’s signals intelligence (“SIGINT”) databases contained one or more references to the telephone identifier in which the analyst was interested; a count of how many times the identifier was present in SIGINT databases; the dates of the first and last call events associated with the identifier; a count of how many other unique telephone identifiers had direct contact with the identifier that was the subject of the analyst’s research; the total number of calls made to or from the telephone identifier that was the subject of the analyst’s research; the ratio of the count of total calls to the count of unique contacts; and the amount of time it took to process the analyst’s query.

But this was before NSA explained it treated all correlated identifiers for a particular RAS-approved person as RAS-approved,

The end-to-end review revealed the fact that NSA’s practice of using correlated selectors to query the BR FISA metadata had not been fully described to the Court. A communications address or selector, is considered correlated with other communications addresses when each additional address is shown to identify the same communicant(s) as the original address.

Though it had provided some kind of description of this practice in an August 18, 2008 filing that almost certainly served as back-up for the August 19, 2008 order that first started specifically ordering IMSI and IMEI data.

A description of how [redacted] is used to correlate [redacted] was included in the government’s 18 August 2008 filing to the FISA Court, While NSA previously described to the FISC the ractice of using correlated selectors as seeds, the FISC never addressed whether [redacted] correlated selectors met the RAS standard when any one of the correlated selectors met the RAS standard. A notice was filed with the FISC can this issue on 15 June 2009.

 

All of which is to say that several of the items discussed during the 2009 review pertained to how NSA tracked identities over time, particularly phone-based identities that spanned multiple cell phones.

Which would explain why it would want to track both phone numbers themselves, but especially the handset and SIM identifiers (though in the case of burner phone “correlation,” those details wouldn’t help to make a match).

None of this should be surprising. As I said, it would be shocking if the nation’s counterterrorism professionals accepted a dragnet with less functionality than the one available to DEA under AT&T’s Hemisphere program, and a key part of that program involves matching cell phone identities (though remember, Hemisphere at least used to permit tracking of geolocation, too).

But assuming that footnote defining “identifier” affirmatively includes IMSI and IMEI as potential identifiers, which would seem logical, it’s yet one more data point showing how central the use of cell phones is to the dragnet.

That still doesn’t mean the NSA collected cell phone data, or collected it from providers besides AT&T and Sprint. But it sure seems to indicate an priority on such data.

Is Hemisphere Creating Problems for the Phone Dragnet?

/2 Comments/in , /by

Screen Shot 2014-02-12 at 4.39.40 PMYou are all probably bored with my repeated posts about why the claim that NSA only collects 30% of US data is probably only narrowly true.

So I won’t discuss how absurd it would be to argue that the terrorist dragnet drawing on the records of at least 3 phone companies was less comprehensive than Hemisphere, the similar AT&T-specific database it makes available to hunt drug crime.

I just want to raise a methodological issue.

In her declaration submitted in support of the suits challenging the Section 215 dragnet, Theresa Shea emphasized something implicit in the Business Records order: the telecoms are only turning over records they already have.

[P]ursuant to the FISC’s orders, telecommunications service providers turn over to the NSA business records that the companies already generate and maintain for their own pre-existing business purposes (such as billing and fraud prevention).

Presumably, AT&T provides precisely this same data to the NSA for its master phone dragnet. That is, to the extent that AT&T compiles this data in particular form, that may well be the form it hands onto NSA.

And that’s interesting for several reasons.

Hemisphere includes not just AT&T call records. It includes records from “CDRs for any telephone carrier that uses an AT&T switch to process a telephone call.” It gets 4 billion call records a day, including international ones and cell ones. As Scott Shane explained,

AT&T operates what are called switches, through which telephone calls travel all around the country. And what AT&T does in this program is it collects all the—what are called the CDRs, the call data records, the so-called metadata from the calls that we’ve heard about in the NSA context. This is the phone number—phone numbers involved in a call, its time, its duration, and in this case it’s also the location. Some are cellphone calls; some are land line calls. Anything that travels through an AT&T switch, even if it’s not made by an AT&T customer—for example, if you’re using your T-Mobile cellphone but your call travels through an AT&T switch somewhere in the country, it will be picked up by this project and dumped into this database.

Which supports the report from last summer that the government can get T-Mobile calls off AT&T’s records. These are the pre-existing records that NSA can come get and they include T-Mobile calls.

There’s another interesting part of that. As I noted the first two phone dragnet orders provided for compensation to the providers, even though the statute doesn’t envision that. That would bring you to November 2006; Hemisphere started in 2007, with funding from ONCDP, the White House Drug Czar. Remember, too, that FBI had the equivalent of Hemisphere onsite until late 2007-2008. That is, one thing Hemisphere does is pay for one provider to store what serves as a good baseline dragnet that can then be handed over to the NSA. That’s significant especially given Geoffrey Stone’s claims that the dragnet is not comprehensive because the cost involved: there should be no cost, but somehow it’s driving decisions.

In any case, as luck would have it, Hemisphere got exposed at the same time as the dragnet.

Hemisphere operates with different legal problems than the NSA phone dragnet. At least with the phone dragnet, after all, AT&T has been compelled to turn over records; with Hemisphere they’re effectively retaining them voluntarily to turn surveillance into a profit center (though they do get compelled on an order-by-order basis). Moreover, AT&T’s far more exposed by the publication on Hemisphere than it is on the NSA dragnet (or perhaps, than even Verizon is under the phone dragnet). The exposure of Hemisphere might make AT&T more hesitant to “voluntarily” retain this data.

Finally, there’as the amicus challenge EFF and ACLU submitted in a criminal case in Northern California notes, Hemisphere includes precisely the data the NSA is struggling with: cell location data.

Hemisphere goes even further than the NSA’s mass call-tracking program, as the CDRs stored in the Hemisphere database contain location information about callers (see Hemisphere Slide Deck at 3, 13), thus implicating the specific concerns raised by five Justices in Jones. See 132 S. Ct. at 955 (Sotomayor, J., concurring) (“wealth of detail about [a person’s] familial, political, professional, religious, and sexual associations” revealed through “trips to the psychiatrist, the plastic surgeon, the abortion clinic,” etc.) (internal quotation marks, citation omitted); id. at 964 (Alito, J., concurring).

The FISC has created all sorts of problems for NSA to store cell location data, most explicitly with Claire Eagan’s order in July specifically prohibiting it.

But here AT&T is, creating the opportunity for the perfect challenge to use Jones to challenge location in a dragnet specifically.

Which is all a way of saying that the tensions with the phone dragnet may not be entirely unrelated from the fact that Hemisphere also got challenged.

Section 215 FISC Orders Specifically Included Mobile Phone IDs Starting in 2008

/2 Comments/in , /by

I’ve been obsessing on when and whether telecoms turn over cell phone data under Section 215 and EO 12333 for the last several days. So I want to point out a change in the FISC orders for the Section 215 phone dragnet starting in 2008.

Here’s how the April 3, 2008 Section 215 FISC order describes the metadata to be turned over to NSA:

Telephony meta data includes comprehensive communications routing information, including but not limited to session identifying information (e.g., originating and terminating telephone number, communications device identifier, etc.), trunk identifier, telephone calling card numbers, and time and duration of call. Telephony meta data does not include the substantive content of any communication, as defined by 18 U.S.C. § 2510(8), or the name, address, or financial information of a subscriber or customer. [my emphasis]

Here’s how the August 19, 2008 order and (I believe) all subsequent orders describe the metadata to be turned over to the NSA.

Telephony meta data includes comprehensive communications routing information, including but not limited to session identifying information (e.g., originating and terminating telephone number, International Mobile Subscriber Identity (IMSI) numbers, International Mobile Station Equipment Identity (IMEI) etc.), trunk identifier, telephone calling card numbers, and time and duration of call. Telephony meta data does not include the substantive content of any communication, as defined by 18 U.S.C. § 2510(8), or the name, address, or financial information of a subscriber or customer. [my emphasis]

In both cases, these paragraphs end with a footnote that starts, “The Court understands that the,” followed by redacted language that would probably be very instructive in explaining where and how the telecoms got their data.

The IMSI is a subscriber’s account number — basically the number tied to the SIM card. The IMEI is a phone handset’s ID number. Drone targeting may track both numbers.

Amid claims the NSA doesn’t collect cell phone data, I find it notable that NSA started asking for cell phone identifiers back in 2008. (I find it equally notable that they started asking for IMSI and IMEI on the second docket after NSA put a copy of  the Section 215 data onto the same server as the EO 12333 data). That was also the year that Tempora — under which GCHQ   accessed huge amounts of Internet and phone data off Transatlantic cables, including from Verizon — was first piloted.

I don’t think that proves definitively that NSA was collecting cell phone data (though the WSJ reported last June that it was collecting cell data directly from AT&T and Sprint, with T-Mobile and Verizon data coming from another source). Depending on where providers got the data (on a daily basis, remember) to provide to NSA, they would have the IMSI and IMEI data on phones in contact with their land lines.

But the NSA has been collecting data about cell phones at least since 2008.

Which raises real questions about claims they don’t know how to integrate cell phone data into their database.

Update: To answer Dr. Pitchfork’s question, 4 national journalists reported on Friday that the NSA only “gets” 20 to 30% of US phone data because they don’t get cell data. Even ignoring details like the explicit mention of cell data in the 215 orders, their story doesn’t make any sense. I think the real problem may arise from a recent FISC order and Verizon’s split from Vodaphone.

James Clapper Claims Publicly Acknowledged Details Are State Secrets While Boasting of Transparency

/14 Comments/in , , /by

Between documents leaked by Edward Snowden, official court submissions, and official public statements, we know at least the following about the surveillance system set up after 9/11 and maintained virtually intact to this day:

  • Around of 8-14% of the content collected under Bush’s illegal program was domestic content (page 15 of the NSA IG Report says this constituted 8% of all the illegal wiretap targets but the percentage works out to be higher)
  • Some of the content collected via ongoing upstream collection currently includes intentionally-collected domestic content (NSA refuses to count this, even for the FISA Court)
  • Bush’s illegal wiretap program targeted Iraqi Intelligence Service targets, as well as targets affiliated with al Qaeda and its associates (see page 8)
  • NSA uses the phone metadata program with Iranian targets, as well as targets affiliated with al Qaeda and its associates
  • Both the illegal wiretap program and the Internet dragnet authorized under Pen Register/Trap and Trace in 2004 collected information that (because of the way TCP/IP works) would be legally content if treated as electronic surveillance
  • The NSA still conducts an Internet dragnet via collection overseas, which not only would permit the metadata-as-content collection, but would permit far more collection on US persons; that collection is seamlessly linked to the domestic dragnet collection
  • NSA uses the dragnets to decide which of content the telecoms have briefly indiscriminately collected to read

That is, the surveillance system is not so much discrete metadata programs and content programs directed overseas, directed exclusively against al Qaeda or even terrorists. Rather, it is a system in which network analysis plays a central role in selecting which collected content to read. That content includes entirely domestic communication. And targets of the system have not always been — and were not as recently as June — limited to terrorists.

These details of the surveillance system — along with the fact that AT&T and Verizon played the crucial role of collecting content and “metadata” off domestic switches — are among the details James “Least Untruthful” Clapper, with backup from acting Deputy Director of NSA Frances Fleisch, declared to still be state secrets on Friday, in spite of their public (and in many cases, official) acknowledgement.

In doing so, they are attempting to end the last remaining lawsuits for illegal wiretapping dating to 2006 by prohibiting discussion of the central issue at hand: the government has repeatedly and fairly consistently collected the content of US persons from within the US, at times without even the justification of terrorism. (For more background on Jewel v. AT&T, see here.)

Here’s how Clapper, with a nod to Fleisch, lays out the rebuttal of the Jewel plaintiffs.

the NSA’s collection of the content of communications under the TSP was directed at international communications in which a participant was reasonably believed to be associated with al-Qa’ida or an affiliated organization. Thus, as the U.S. Government has previously stated, plaintiff’s allegation that the NSA has indiscriminately collected the content of millions of communications sent or received by people inside the United States after September 11, 2001, under the TSP is false.

There are several weasel parts of this claim.

The “Terrorist Surveillance Program” and the “Other Target Surveillance Program”

First, to make this claim, Clapper (and Fleisch) revert to use of “Terrorist Surveillance Program,” a term invented to segment off the part of the larger illegal wiretap program that George Bush was willing to confess to in December 2005, that involving international communications with a suspected al Qaeda figure. But as Fleisch admits — but doesn’t explain — at ¶20, the TSP is just a subset of the larger Presidential Surveillance Program.  Read more

Will Obama Attempt to Co-Opt the Internet Companies?

/17 Comments/in /by

Of late, Keith Alexander has added a new thing to his public schtick: inviting tech companies to come up with a way to dragnet more effectively. In the middle of discussions of why NSA must retain the phone dragnet, he’ll stop, and say, if the tech companies can come up with a way to do it better (not just to do the same thing as effectively, mind you, but better), he wants to hear it.

At a minimum, that new schtick should alert you that in 2011 when they “ended” the Internet dragnet, they didn’t end it, they just found a way to do it better, because that’s how Alexander speaks of that decision in this context.

But you might also keep this shift in Alexander’s schtick in mind as you read Matthew Aid’s story about how the President whitewash became a graywash.

At the same time, the agency’s once harmonious relationship with this country’s largest high-tech companies, such as Microsoft, Google and Yahoo, is now a shattered smoking ruin, NSA officials fret. Only the “big three” American telecommunications companies—AT&T, Verizon and Sprint—appear to remain firmly supportive, and even they are beginning to put some distance between themselves and the NSA as shareholders ask pointed questions about their clandestine relationship with the agency.

In this political climate, it was perhaps inevitable that the Review Group would recommend making substantive changes in the way the NSA operates. “We had to go this route,” a Review Group staffer told me in an interview. “If we did not recommend placing some additional controls and checks and balances on the NSA’s operations, the high-tech companies were going to kill us and Congress was going to burn the house down. Besides, our report is non-binding, so who knows what the White House is going to accept and what they are going to toss out.”

Frankly, I think the relationship with some tech companies (Microsoft) has been more harmonious than with others (Yahoo and to some extent Google). And it was never the same as the telecoms enjoy, not least because the telecoms have been stealing the tech companies’ data on and off at the government’s behest for a decade now.

But I’m not at all surprised that citizen outrage had no effect on the Review Group and Administration, but Internet company outrage did.

Fast forward to today, where Obama’s got a meeting with a curious group of CEOs.

  • Tim Cook, CEO, Apple
  • Dick Costolo, CEO, Twitter
  • Chad Dickerson, CEO, Etsy
  • Reed Hastings, co-founder and CEO, Netflix
  • Drew Houston, founder and CEO, Dropbox
  • Marissa Mayer, president and CEO, Yahoo!
  • Burke Norton, chief legal officer, Salesforce
  • Mark Pincus, founder, chief product officer and chairman, Zynga
  • Shervin Pishevar, co-founder and co-CEO, Sherpa Global
  • Brian Roberts, chairman and CEO, Comcast
  • Erika Rottenberg, vice president, general counsel and secretary, LinkedIn
  • Sheryl Sandberg, COO, Facebook
  • Eric Schmidt, executive chairman, Google
  • Brad Smith, executive vice president and general counsel, Microsoft
  • Randall Stephenson, chairman and CEO, AT&T

As WaPo’s piece on this points out, the meeting mixes the leaders of the Internet companies calling for more transparency — Yahoo, Google, and Microsoft, to a lesser extent Apple, LinkedIn, and Facebook, as well as Dropbox — and AT&T, the company that has been stealing from the critics. In addition, Comcast, which almost certainly has joined AT&T in that more harmonious role, will attend.

The initial reports on the meeting dubbed it an effort for the President to discuss — and try to fix — Federal IT contracting in the wake of the ObamaCare website.

But the critics have issued a statement making it clear they intend to talk about surveillance.

So let’s consider the dynamic to expect at this meeting. You’ve got a lot of Internet bigwigs, two Toobz bigwigs, and some smaller CEOs. That dynamic, right away, should prevent a truly candid conversation (because of the differing interests of all the parties).

And against that dynamic, the President will be discussing how to make it easier to contract with real software companies, rather than bloated federal software contractors.

There will be the stilted conversation about NSA (and AT&T) stealing from Internet companies. And a far less stilted conversation about the federal government expanding its contracting with private sector Internet companies.

They’ll have a stilted conversation about reining in government, and a less stilted conversation about putting more government dollars in Internet company pockets.

Update: Changed title to reflect these are Internet companies, not software, and fixed some syntax.

Update: Meanwhile, Obama has named a Microsoft Exec to be his new ObamaCare fixer, which should make it easier to send more business Microsoft’s way.