Levitation: Inspire-Ing Work from CSE

Screen shot 2015-01-29 at 11.33.43 AMThe Intercept and CBC have a joint story on a Canadian Security Establishment project called Levitation that seems to confirm suspicions I’ve had since before the Snowden leaks. It targets people based on their web behavior (the story focuses on downloads from free file upload sites, but one page of the PPT makes it clear they’re also tracking web search terms and other behaviors), and once it finds behavior of suspicion (such as accessing bomb-making instructions; it calls these “events”) it uses SIGINT tools, including NSA’s MARINA, to work backwards off those accessing those materials to get IPs, cookies, facebook IDs, and the like to identify a suspect.

The PPT is the most detailed explanation that I’ve seen of how the SIGINT agencies do “correlations” — a function about which I believe ODNI continues to hide an August 20, 2008 FISC opinion. It appears to do so in two ways: first, by tracking known correlations. But also, by analyzing similar activities from around the same time from the same IP, then coming up with other identifiers that, with varying degrees of probability, are probably the same user. This serves, in part, to come up with new identifiers to track.

I’ve argued the NSA does similar analysis using known codes tied to Inspire (not the URL, necessarily, but possibly the encryption code included in each Inspire edition) on upstream collection, which would basically identify the people within the US who had downloaded AQAP’s propaganda magazine. One reason I’m so confident NSA does this is because of the high number of FBI sting operations that seem to arise from some 20-year old downloading Inspire, which them appears to get sent out to a local FBI office for further research into online activities and ultimately approaches by a paid informant or undercover officer.

Screen shot 2015-01-29 at 11.46.15 AMIn other words, this kind of analysis seems to lie at the heart of a lot of the stings FBI initiates.

But as the “Scoreboard” slide in this presentation makes clear, what this process gives you is not validated IDs, but rather probabilistic matches (which FISC appears to deal with using minimization procedures, suggesting they let NSA collect on these probabilistic matches with the understanding they have to treat the data in some certain way if it ends up being a false positive).

That’s important not just for the young men whom FBI decides might make worthwhile targets (even if they’re being targeted, largely, on their First Amendment activities).

It’s important, too, for the false negatives, by far the most important of which I believe to be the Tsarnaev brothers, both of whom reportedly had downloaded multiple episodes of Inspire, as well as other similar jihadist material, and on whom NSA had collected data it never accessed until after the attack, but neither of whom got targeted off this correlation process before they attacked the Boston Marathon.

That is, this really important possible false negative, just as much as the dubious positives that end up getting unbalanced young men targeted by the FBI, may say as much about the reliability of this process as anything else.

This CSE PPT is not yet proof that my suspicions are entirely accurate (though my claims here about correlations are based on officially released documents). But they strongly suggest my suspicions have been correct.

And — particularly given ODNI’s refusal to release what appears to be a key opinion describing the terms on which FISC permits the use of these correlations — this ought to elicit far more conversations about how NSA and its Five Eye partners “correlate” identities and how those correlations get used.

The 5-Eyes Tippecanoe — Er, Tipping & Cueing

Screen shot 2014-01-31 at 9.05.56 AMCBC has a scathing report about a pilot project their SIGINT agency, CSEC, did in 2012, tracking the free WiFi in Canadian airports. The article — with lots of quotes from furious people describing how illegal this is under Canadian law — is here, and the backup document is here.

The PowerPoint is just as interesting for the methodological details as it is for the fact that CSEC is collecting off of airport (and hotel and other public) WiFi sites and doing so to hunt imagined kidnappers, not to find terrorists.

It shows how a joint 5-Eyes “Tipping and Cueing Task Force” is working on ways to track IP-based identities across many sites. (As a reminder, “5-Eyes” refers to the UK, US, Canadian, Australian, New Zealand intelligence partnership.)

Tipping and Cueing Task Force (TCTF)

  • a 5-Eyes effort to enable the SIGINT system to provide real-time alerts of events of interest
  • alert to: target country location changes, webmail logins with time-limited cookies etc.

I’m particularly interested in the name: “Tipping and Cueing.”

I’m interested in it for one more reason. We’ve heard the term “tipper” before — it’s what NSA calls query results that get sent to FBI from the phone dragnet. The term implies that data analysis shows something new, which then gets shared with other intelligence agencies and law enforcement.

But this presentation makes it clear that, unsurprisingly, it’s a two way street. This dragnet process serves not only to identify new leads, but also as a panopticon tracking identified “targets.”

I raise this for one more reason. At least as early as February 25, 2010, the language used to describe the information shared with FBI from the dragnet changed.

Previously, it had used the term “tipped” (and when this whole Snowden process started, that’s what NSA defenders used to describe the information — tippers).

Screen shot 2014-01-31 at 9.18.25 AM

The dragnet orders started referring to the information shared more generically: “any information the FBI receives as a result of this Order.”

Screen shot 2014-01-31 at 9.12.46 AM

Again, none of this is surprising. The existence of the “alert” list that caused all the troubles in 2009 made it clear this functions as part of a panopticon as much as it does a lead generation tool.

But it’s worth noting that the 5-Eyes are actually fighting a losing battle against “the Natives”* that is far more intrusive than all that.

Update: I noted above CSEC ran this test on an imagined kidnapper, not a terrorist. The Globe and Mail reports that the number of Mounty requests for help from CSEC is going up, and it may be a way to bypass warrant requirements.

* [Update] This was meant to be a joke that both the Battle of Tippecanoe and the 5-Eyes’ Tipping and Cueing target “natives” by deeming us foreign to our own land. Given joanneleon’s comment I realize I was being too subtle.