Shaping Traffic and Spying on Americans

Screen Shot 2016-06-29 at 8.07.56 AMAt the Intercept earlier this week, Peter Maass described an interview he had with a former NSA hacker he calls Lamb of God — this is the guy who did the presentation boasting “I hunt SysAdmins.” On the interview, I agree with Bruce Schneier that it would have been nice to hear more from Lamb of God’s side of things.

But the Intercept posted a number of documents that should have been posted long, long ago, covering how the NSA “shapes” Internet traffic and how it identifies those using Tor and other anonymizers.

I’m particularly interested in the presentations on shaping traffic — which is summarized in the hand-written document to the right and laid out in more detail in this presentation.

Both describe how the NSA will force Internet traffic to cross switches where it has collection capabilities. We’ve known they do this. Beyond just the logic of it, some descriptions of NSA’s hacking include descriptions of tracking traffic to places where a particular account can be hacked.

But the acknowledgement that they do this and discussions of how they do so is worth closer attention.

That’s true, first of all, because of wider discussions of cable maps. In discussing the various ways to make Internet traffic cross switches to which the NSA has access, Lamb of God facetiously (as is his style) suggests you could bomb or cut all the cable lines that feed links to which the NSA doesn’t have access.

Screen Shot 2016-07-01 at 9.13.22 AM

Lamb of God dismisses this possibility as “fun to think about, but not very reasonable.”

But we know that cable lines do get cut. Back in 2008, for example, there were a slew of cables coming into the Middle East that got cut at one time (though that may have been designed to cut Internet communication more generally). Then there’s the time in 2012 when NSA tried to insert an exploit into a Syrian route, only to knock out almost all of the country’s Internet traffic.

One day an intelligence officer told him that TAO—a division of NSA hackers—had attempted in 2012 to remotely install an exploit in one of the core routers at a major Internet service provider in Syria, which was in the midst of a prolonged civil war. This would have given the NSA access to email and other Internet traffic from much of the country. But something went wrong, and the router was bricked instead—rendered totally inoperable. The failure of this router caused Syria to suddenly lose all connection to the Internet—although the public didn’t know that the US government was responsible. (This is the first time the claim has been revealed.)

Inside the TAO operations center, the panicked government hackers had what Snowden calls an “oh shit” moment. They raced to remotely repair the router, desperate to cover their tracks and prevent the Syrians from discovering the sophisticated infiltration software used to access the network. But because the router was bricked, they were powerless to fix the problem.

Fortunately for the NSA, the Syrians were apparently more focused on restoring the nation’s Internet than on tracking down the cause of the outage. Back at TAO’s operations center, the tension was broken with a joke that contained more than a little truth: “If we get caught, we can always point the finger at Israel.”

Again, we’ve known this happened, which is why it would have been nice to have this presentation three years ago, if only to explain the concept to those who don’t factor it into considerations of how the NSA works.

The other reason this is important is because of the possibility the NSA could deliberately shape traffic to take it out of FISA-controlled domestic space and into EO 12333-governed international space, a possibility envisioned in a 2015 paper. The slides from the paper present the same techniques laid out in the NSA presentation as hypothetical. And, as their more accessible write up explains, the NSA’s denials about this practice don’t actually address their underlying argument, which is that 1) the technology would make this easy, 2) the legal regime is outdated and thereby tolerates such loopholes, and 3) the parts of declassified versions of USSID-18 that might address it are all redacted.

In the paper, we reveal known and new legal and technical loopholes that enable internet traffic shaping by intelligence authorities to circumvent constitutional safeguards for Americans. The paper is in some ways a classic exercise in threat modeling, but what’s rather new is our combination of descriptive legal analysis with methods from computer science. Thus, we’re able to identify interdependent legal and technical loopholes, mostly in internet routing. We’ll definitely be pursuing similar projects in the future and hope we get other folks to adopt such multidisciplinary methods too.

As to the media coverage, the CBS News piece contains some outstanding reporting and an official NSA statement that seeks – but fails – to debunk our analysis:

However, an NSA spokesperson denied that either EO 12333 or USSID 18 “authorizes targeting of U.S. persons for electronic surveillance by routing their communications outside of the U.S.,” in an emailed statement to CBS News.

“Absent limited exception (for example, in an emergency), the Foreign Intelligence Surveillance Act requires that we get a court order to target any U.S. person anywhere in the world for electronic surveillance. In order to get such an order, we have to establish, to the satisfaction of a federal judge, probable cause to believe that the U.S. person is an agent of a foreign power,” the spokesperson said.

The NSA statement sidetracks our analysis by re-framing the issue to construct a legal situation that conveniently evades the main argument of our paper. Notice how the NSA concentrates on the legality of targeting U.S. persons, while we argue that these loopholes exist when i) surveillance is conducted abroad and ii) when the authorities do not “intentionally target a U.S. person.” The NSA statement, however, only talks about situations in which U.S. persons are “targeted” in the legal sense.

As we describe at length in our paper, there are several situations in which authorities don’t intentionally target a U.S. person according to the legal definition, but the internet traffic of many Americans can in fact be affected.

Once you’re collecting in bulk overseas, you have access to US person communications with a far lower bar than you do under the FISA regime (which is what John Napier Tye strongly suggested he had seen).

This is one of the reasons I think the NSA’s decision not to answer obvious questions about where FISA ends and EO 12333 begins, in the context of concerns Snowden raised at precisely the time he was learning about this traffic shaping, to be very newsworthy. Using traffic shaping to access US person content even if it’s only in bulk (in the same way that hacking Google cables overseas) clearly bypasses the FISA regime. We don’t know that they do this intentionally for US traffic. But we do know it would be technically trivial for the NSA to pull off, and we do know that multiple NSA documents make it clear they were playing in that gray area at least until 2013 (and probably 2014, when Tye came forward).

The traffic shaping paper ultimately tries to point out how our legal regime fails to account for obvious technical possibilities, technical possibilities we know NSA exploits, at least overseas. Particularly as ODNI threatens to permit the sharing EO 12333 data more broadly — along with access to back door searches — this possibility needs to be more broadly discussed.

Important: Changes to Section 215 Dragnet Will Not Change Treatment of EO 12333 Metadata

In their Angry Birds stories, both the Guardian and NYT make what I believe is a significant error. They suggest changes in the handling of the Section 215-collected phone metadata will change the way NSA handles EO 12333-collected phone metadata.


Data collected from smartphone apps is subject to the same laws and minimisation procedures as all other NSA activity – procedures which US president Barack Obama suggested may be subject to reform in a speech 10 days ago. But the president focused largely on the NSA’s collection of the metadata from US phone calls and made no mention in his address of the large amounts of data the agency collects from smartphone apps.


President Obama announced new restrictions this month to better protect the privacy of ordinary Americans and foreigners from government surveillance, including limits on how the N.S.A. can view “metadata” of Americans’ phone calls — the routing information, time stamps and other data associated with calls. But he did not address the avalanche of information that the intelligence agencies get from leaky apps and other smartphone functions.

Here’s what the President actually said, in part, about phone metadata:

I am therefore ordering a transition that will end the Section 215 bulk metadata program as it currently exists, and establish a mechanism that preserves the capabilities we need without the government holding this bulk meta-data.

That is, Obama was speaking only about NSA’s treatment of Section 215 metadata, not the data — which includes a great amount of US person data — collected under Executive Order 12333.

To be clear, both Guardian and NYT were distinguishing Obama’s promises from the treatment extended to the leaky mobile data app. But they incorrectly suggested that all phone metadata, regardless of how it was collected, receives the same protections.

Section 215 metadata has different and significantly higher protections than EO 12333 phone metadata because of specific minimization procedures imposed by the FISC (arguably, the program doesn’t even meet the minimization procedure requirements mandated by the law). We’ve seen the implications of that, for example, when the NSA responded to being caught watch-listing 3,000 US persons without extending First Amendment protection not by stopping that tracking, but simply cutting off the watch-list’s ability to draw on Section 215 data.

Basically, the way NSA treats data collected under FISC-overseen programs (including both Section 215 and FISA Amendments Act) is to throw the data in with data collected under EO 12333, but add query screens tied to the more strict FISC-regulations governing production under it. This post on federated queries explains how it works in practice. As recently as 2012 at least one analyst improperly searched on US person FAA-collected content because she didn’t hit the right filter on her query screen.

[T]he NSA analyst conducted a federated query using a known United States person identifier, but forgot to filter out Section 702-acquired data while conducting the federated query.

That’s it. If the data is accessed via one of the FISC-overseen programs, US persons benefit from the additional subject matter, dissemination, and First Amendment protections of those laws or FISC’s implementation of them (and would benefit from the minor changes Obama has promised to both Section 215 and FAA).

But if NSA collected the data via one of its EO 12333 programs, it does not get get those protections. To be clear, it does get some dissemination protection and can only be accessed with a foreign intelligence purpose, but that is much less than what the FISC programs get. Which leaves the NSA a fair amount of leeway to spy on US persons, so long as it hasn’t collected the data to do so under the programs overseen by FISC. And when it collects data under EO 12333, it is a lot easier for the NSA to spy on Americans.

The metadata from leaky mobile apps almost certainly comes from EO 12333 collection, not least given the role of GCHQ and CSEC (Canada’s Five Eyes’ partner) to the collection. The Facebook and YouTube data GCHQ collects (just reported by Glenn Greenwald working with NBC) surely counts as EO 12333 collection.

NSA’s spokeswoman will say over and over that “everyday” or “ordinary” Americans don’t have to worry about their favorite software being sucked up by NSA. But to the extent that collection happens under EO 12333, they have relatively little protection.

The Impasse on Executive Spying

In an important post the other day, Steve Vladeck described what he believed to be the most important lesson Edward Snowden has taught us.

They miss the single most important lesson we’ve learned — or should have learned — from Snowden, i.e., that the grand bargain has broken down. Intelligence oversight just ain’t what it used to be, and the FISA Court, as an institution, seemed to have been far better suited to handle individualized warrant applications under the pre-2001 FISA regime than it has been to reviewing mass and programmatic surveillance under section 215 of the USA PATRIOT Act and section 702, as added by the FISA Amendments Act of 2008.

Thus, even if one can point to specific individual programs the disclosure of which probably has not advanced the ongoing public policy conversation, all of the disclosures therefore illuminate a more fundamental issue of public concern — and one that should be (and, arguably, has been) driving the reform agenda: Whatever surveillance authorities the government is going to have going forward, we need to rethink the structure of oversight, both internally within the Executive Branch, and externally via Congress and the courts. That’s not because the existing oversight and accountability mechanisms have been unlawful; it’s because so many of these disclosures have revealed them to be inadequate and/or ineffective. And inasmuch as such reforms may strengthen not just mechanisms of democratic accountability for our intelligence community, but also their own confidence in the propriety and forward-looking validity of their authorities, they will make all of us — including the NSA — stronger in the long term.

While I agree with Vladeck that’s an important lesson from Snowden, I don’t think it has been admitted by those who most need the lesson: most members of Congress (most of all, the Intelligence Committees) and the FISA Court, as well as the other Article III judges who are quickly becoming dragnet experts.

But I’m hopeful PCLOB — which is already under attack even from Susan Collins for having the audacity to conduct independent oversight — will press the issue.

As I have noted in the past, PCLOB has a better understanding of how the Executive uses EO 12333 than any other entity I’ve seen (I think the Review Group may have a similar understanding, but they won’t verbalize it).

That’s why I find their treatment of FISA as a compromise to put questions about separation of powers on hold so interesting.

In essence, FISA represented an agreement between the executive and legislative branches to leave that debate aside 600 and establish a special court to oversee foreign intelligence collection . While the statute has required periodic updates, national security officials have agreed that it created an appropriate balance among the interests at stake, and that judicial review provides an important mechanism regulating the use of very powerful and effective techniques vital to the protection of the country. 601

600 “[T]he bill does not recognize, ratify, or deny the existence of any Presidential power to authorize warrantless surveillance in the United States n the absence of the legislation. It would, rather, moot the debate over the existence or non – existence of this power[.]” HPSCI Report at 24. This agreement between Congress and the executive branch to involve the judiciary in the regulation of intelligence collection activities did not and could not resolve constitutional questions regarding the relationship between legislative and presidential powers in the area of national security . See In re: Sealed Case , 310 F.3d 717, 742 (FISA Ct. Rev. 2002) (“We take for granted that the President does have that authority [inherent authority to conduct warrantless searches to obtain foreign intelligence information] and, assuming that is so, FISA could not encroach on the President ’ s constitutional power.”).

When NSA chose to avoid First Amendment review on the 3,000 US persons it had been watch-listing by simply moving them onto a new list, when it refused to tell John Bates how much US person content it collects domestically off telecom switches, when it had GCHQ break into Google’s cables to get content it ought to be able to obtain through FISA 702, when it rolled out an Internet dragnet contact-chaining program overseas in part because it gave access to US person data it couldn’t legally have here, NSA made it clear it will only fulfill its side of the compromise so long as no one dares to limit what it can do.

That is, Snowden has made it clear that the “compromise” never was one. It was just a facade to make Congress and the Courts believe they had salvaged some scrap of separation of powers.

NSA has made it clear it doesn’t much care what its overseers in Congress or the Court think. It’ll do what it wants, whether it’s in the FISC  or at a telecom switch just off the US shore. And thus far, Obama seems to agree with them.

Which means we’re going to have to start talking about whether this country believes the Executive Branch should have relatively unfettered ability to spy on Americans. We’re going to have to take a step back and talk about separation of powers again.

Project Minaret 2.0: Now, with 58% More Illegal Targeting!

Screen shot 2014-01-06 at 1.03.11 PM

For weeks, I have been trying to figure out why the NSA, in a training program it created in August 2009, likened one of its “present abuses” to Project Minaret. What “unauthorized targeting of suspected terrorists in the US” had they been doing, I wondered, that was like “watch-listing U.S. people for evidence of foreign influence.”

Until, in a fit of only marginally related geekdom, I re-read the following passage in Keith Alexander’s declaration accompanying the End-to-End review submitted to the FISA Court on August 19, 2009 (that is, around the same time as the training program).

Between 24 May 2006 and 2 February 2009, NSA Homeland Mission Coordinators (HMCs) or their predecessors concluded that approximately 3,000 domestic telephone identifiers reported to Intelligence Community agencies satisfied the RAS standard and could be used as seed identifiers. However, at the time these domestic telephone identifiers were designated as RAS-approved, NSA’s OGC had not reviewed and approved their use as “seeds” as required by the Court’s Orders. NSA remedied this compliance incident by re-designating all such telephone identifiers as non RAS-approved for use as seed identifiers in early February 2009. NSA verified that although some of the 3,000 domestic identifiers generated alerts as a result of the Telephony Activity Detection Process discussed above, none of those alerts resulted in reports to Intelligence Community agencies. 7

7 The alerts generated by the Telephony Activity Detection Process did not then and does not now, feed the NSA counterterrorism target knowledge database described in Part I.A.3 below. [my emphasis]

As I’ll explain below, this passage means 3,000 US persons were watch-listed without the NSA confirming that they hadn’t been watch-listed because of their speech, religion, or political activity.

Here’s the explanation.

Read more

The Section 215 Phone Dragnet Is Just a Fraction of the Dragnet

I’ve been harping on the Review Group (and Leahy-Sensenbrenner’s) recommendation to end bulk collection with National Security Letters. I’ve also noted the Review Group’s nod to EO 12333 in its use of the phrase “or under any other authority” when recommending limits to Section 702.

So I wanted to draw attention to this language from Tuesday’s Senate Judiciary Committee hearing with the Review Group, in which Chris Coons asks Richard Clarke what other authorities the Review Group had considered. Clarke notes that the phone dragnet provides a small fraction of the data collected.

COONS: The review, if I might, Mr. Clarke, my last question, it looks at two authorities, Section 702 and Section 215. And these are both sections about which there’s been a lot of public debate and discussion.

But the review group also recommends greater government disclosure about these and other surveillance authorities it possesses. But the report, appropriately and understandably, does not itself disclose any additional programs.

What review, if any, did the group make of undisclosed programs or could you at least comment about whether lessons learned from such review is, in fact, reflected in the report?

CLARKE: Well, there was a great deal of metadata collected by the national security letter program. And we do speak to that in the recommendations.

There was also a great deal of communications-related information collected under the executive order 12333.

Public attention is focused on 215, but 215 produces a small percentage of the overall data that’s collected.

That’s consistent with what this post shows — that the US based metadata collection is just a small fraction of a large collection of metadata, and the 12333 collected data is at least partly duplicative of (but not subject to the same protections as) the Section 215 dragnet (and NSLs are subject to even less protection).

But I’m glad to see someone like Clarke echoing the warnings I’ve been giving.

Is PCLOB Holding Out for EO 12,333 Information?

As you know, I’ve been tracking the way President Obama seems to want to game the various legislative and review group recommendations with his own.

Which is why I’m interested in this anonymous complaint, from someone in the White House, that PCLOB has not yet released its report.

Before making his final decisions, the president was supposed to receive a separate report from a semi-independent commission known as the Privacy and Civil Liberties Oversight Board, which was created by Congress. However, that panel’s report has been delayed without explanation until at least late January, meaning it won’t reach the president until after he makes his decisions public.

Members of that oversight board met with the president on Wednesday and have briefed other administration officials on some of their preliminary findings. In a statement, the five-member panel said its meeting with the Mr. Obama focused on the NSA phone collection program and the Foreign Intelligence Surveillance Court, which oversees the data sweeps.

It’s unclear why the president will announce his recommendations before receiving the report from the privacy and civil liberties board. One official familiar with the review process said some White House officials were puzzled by the board’s delay. The report would still be available to Congress, where legislators are grappling with several bills aimed at dismantling or preserving the NSA’s authority. [my emphasis]

The complaint is interesting not just because it betrays some consternation that the White House won’t be able to control the timing on all of this.

Last we heard from PCLOB on November 4, they said publicly that that report would focus on just Section 215 and 702 programs, the two programs the Administration has been trying to provide a limited hangout on since June (though in their Semi-Annual Report from November 3, they also said they were focusing on 12333 guidelines).

But different board members were also focusing on EO 12333 activities. PCLOB Chair David Medine asked about the theft of Google and Yahoo data off their fiber in Europe; Patricia Wald asked whether EO 12333 guidelines legally governed the dissemination of Section 215 data even if the FISC imposed more stringent guidelines; Medine asked whether searches of the corporate store (phone dragnet query results) are governed by EO 12333; and James Dempsey asked what governs the back door searches of data collected under EO 12333.

PCLOB board members clearly get that they can’t understand the NSA’s activities without understanding what goes on under EO 12333. Yet on one occasion (in response to the Google and Yahoo question), NSA’s General Counsel Raj De tried to defer any answer because it was not a Section 215 or 702 question.

MR. DE: Even by the terms of the article itself there is no connection to the 702 or 215 programs that we are here to discuss. I would suggest though that any implication which seemed to be made in some of the press coverage of this issue that NSA uses Executive Order 12333 to undermine, or circumvent or get around the Foreign Intelligence Surveillance Act is simply inaccurate.

Later, Dempsey asked ODNI’s General Counsel Robert Litt when PCLOB was going to get the guidelines NSA used for “other types of collection,” meaning that collected under EO 12333.

MR. DEMPSEY: We have asked about, in fact months ago, several months ago we asked about guidelines for other types of collection, and where do we stand on getting feedback on that? Because you said 18, for example, is the minimization provisions for collection outside the United States, and that’s pretty old. Where do we stand on looking at how that data is treated?

MR. LITT: I think we’re setting up a briefing for you on that. I believe we’re setting up a briefing for you on that. We did lose a few weeks.

MR. DEMPSEY: No, I understand. I was wondering if you could go beyond saying we’re setting up a briefing.

MR. LITT: Well, I mean we’re in the process of reviewing and updating guidelines for all agencies under 12333. It’s an arduous process. You know, it’s something that we’ve been working on for some time and we’re continuing to work on it.

They’re referring to a letter PCLOB sent back in August about outdated guidelines limiting the dissemination of US person data, a James Clapper response a month later promising and a follow-up 10 days later, on October 3,  reminding PCLOB had asked for a briefing and updates on agencies’ EO 12333 procedures.

And a month later, PCLOB still had not gotten either the briefing or the written description of where agencies were.

During that entire time, it was becoming more and more clear that the NSA might be moving programs overseas (and therefore under EO 12333) that had been governed by FISA. If that is happening, it’s a matter of significant concern.

Reports on Obama’s review say he wants to roll out reforms that might cover any disclosures to come.

Obama is expected to deliver a national address announcing a set of intelligence-gathering changes. His aim is to set in place guidelines that will convince critics he is serious about reform and that will withstand future disclosures.


“The bulk of the work on this is the policy review, not reacting to what the next story is,” said another senior administration official, who requested anonymity to discuss the internal deliberations. “We don’t know what the next thing will be, and we do have to deal with what comes next. But getting the policy right is what’s important so that as new things come, we’ve addressed the core of it.

I’m of the opinion that the disclosures to come will continue to focus attention on what the NSA does under EO 12333.

So is that what’s holding up PCLOB?

Obama: My Overseas Spying Not Constrained by the Law I Passed as Senator

In a democracy in which separation of powers still functioned as intended, this would be a deliberate provocation (my transcription):

The Snowden disclosures have identified areas of legitimate concern. Some of it has also been highly sensationalized and has been painted in a way that’s not accurate. I’ve said before and I will say again: the NSA actually does a very good job about not engaging in domestic surveillance. Not reading people’s emails, not listening to the content of their phone calls. Outside of our borders, the NSA is more aggressive. It’s not constrained by laws. And part of what we’re trying to do over the next month or so is having done an independent review — brought a bunch of folks, civil libertarians, lawyers, and others, to examine what’s being done — I’ll be proposing some self-restraint on the NSA and to initiate some reforms that can give people some more confidence.

Where to start?

First, it is false to say NSA does a very good job of not engaging in domestic surveillance. They’ve been caught doing so, on a programmatic scale, under Obama’s Administration, twice. At least one of those programs simply moved overseas after being caught. The President basically said that being caught twice illegally wiretapping thousands (under the upstream collection) and millions (under the Internet dragnet) of Americans domestically is a good job!

Add in the fact that NSA can read the content of collected US person communications with no Reasonable Articulable Suspicion, with no reporting requirements. That certainly amounts to the authority to conduct fairly unlimited amounts of domestic surveillance via the back door loophole.

And to suggest NSA is “not constrained by laws” overseas is equally false.

First, there’s the Constitution. Under that, even EO 12333 activity should come at the direction of the President. In this passage, the President says Snowden’s disclosures have raised legitimate concerns. I know ODNI and NSA will point to the National Intelligence Priorities Framework as their authorization on these activities the President now finds problematic. But if they’re doing things overseas that raise concerns, then it is an admission from the White House it has inadequate control of the NSA.

More importantly, it is false to say even that NSA is not constrained by mere laws overseas. Section 703 of the FISA Amendments Act — a law which Obama played a crucially important role in passing as a Senator — says NSA can’t wiretap Americans overseas without specific authority from FISC. Section 704 limits physical searches, which NSA uses to authorize collection from servers. As far as I know, no one has considered whether the deliberate collection of US person content overseas — albeit in bulk — complies with Section 703 and 704. But it at least lays out some limits on NSA’s overseas spying.

To all this, Obama’s solution is to propose self-restraint on the NSA.

Again, it is the role of the President — and the White House more generally — to oversee activities conducted under Article II authority. The language Obama uses here suggests an NSA unbound by his control, one he “proposes” to rein in rather than “orders” to do so.

That equates to NSA operating beyond the law, both here and abroad.

Federated Queries and EO 12333 FISC Workaround

Particularly given the evidence NSA started expanding its dragnet collection overseas as soon as the FISA Court discovered it had been breaking the law for years, I’ve been focusing closely on the relationship between the FISA Court-authorized dragnets (which NSA calls BR FISA — Business Records FISA — and PR/TT — Pen Register/Trap and Trace — after the authorities used to collect the data) and those authorized under Executive Order 12333.

This document — Module 4 of a training program storyboard that dates to late 2011 — provides some insight of how NSA trained its analysts to use international collections to be able to share data otherwise restricted by FISC.

The module lays out who has access to what data, then describes how analysts look up both the Reasonable Articulable Suspicion (RAS) determinations of identifiers they want to query on, as well as the BR and PR/TT credentials of those they might share query results with. It also describes how “EAR” prevents an analyst from querying BR or PR/TT data with any non-RAS approved identifier. So a chunk of the module shows how software checks should help to ensure the US-collected data is treated according to the controls imposed by FISC.

But the module also describes how a software interface (almost certainly MARINA, the metadata database) manages all the metadata collected from all over the world.

All of it, in one database.

So if you do what’s called a “federated” query with full BR and/or PR/TT credentials — meaning it searches on all collections the analyst has credentials for, with BR and PR/TT being the most restrictive — you may pull metadata collected via a range of different programs. Alternately, you can choose just to search some of the collections.

When launching analysts with [redacted] the appropriate BR or PR/TT credentials have the option to check a box if they wish to include BR or PR/TT metadata in their queries. If an analyst checks the “FISABR Mode” or “PENREGISTRY Mode” box when logging into [redacted] will perform a federated query. This means that in addition to either BR or PR/TT metadata, [redacted] will also query data collected under additional collection authorities, depending on the analyst’s credentials. Therefore, when performing a query of the BR or PR/TT metadata, analysts will potentially receive results from all of the above collection sources. Users of more recent versions of [redacted] do have the option, however, to “unfederate” the query, and pick and choose amongst the collection sources that they would like to query (10)

Back in 2009, when NSA was still working through disclosures of dragnet problems to FISC, analysts apparently had to guess where the data they were querying came from (which of course is an implicit admission that BR data had been improperly treated with weaker EO 12333 protections for years). But by 2011 they had worked it out so queries showed both what SIGAD (collection point) the metadata came from, as well as (using a classification mark) its highest classification.

It is possible to determine the collection source or sources of each result within the chain by examining the Producer Designator Digraph (PDDG)/SIGINT Activity Designator (SIGAD) and collection source(s) at the end of the line.

If at least one source of a result is BR or PR/TT metadata, the classification at the beginning of the line will contain the phrases FISABR or PR/TT, respectively. In addition, in the source information at the end of the line, the SIGAD [redacted] BR data can be recognized by SIGADs beginning with [redacted] For PR/TT, data collected after October 2010 is found [redacted] For a comprehensive listing of all the BR and PR/TT SIGADs as well as information on PR/TT data collected prior to November of 2009, contact your organization’s management or subject matter expert.

Since it is possible that one communication event will be collected under multiple collection authorities (and multiple collection sources), not all of the results will be unique to one collection authority (or collection source). Keep in mind that the classification at the beginning of each result only indicates the highest level classification of that result, and does not necessarily reflect whether a result was unique to one collection authority (or collection source). If a result was obtained under multiple authorities (or sources), you will see more [redacted] (15-16)

In other words, analysts will be able to see from their results where the results come from. If a query result includes data only from BR or PR/TT sources, then the analyst can’t share the result with anyone not cleared into those programs without jumping some hoops. But if a query result showed other means to come up with the same results from a BR or PR/TT search (that is, if EO 12333 data would return the same result), then the result would not be considered a BR- or PR/TT-unique result, meaning the result could be shared far more widely. (Note, this passage also provides more details about the timing of the Internet metadata shutdown, suggesting it may have lasted from November 2009 to October 2010.)

Sharing restrictions in the FISC Orders only apply to unique BR or PR/TT query results. If query results are derived from multiple sources and are not unique to BR and PR/TT alone, the rules governing the other collection authority would apply. (17)

After noting this, the training storyboard spends 5 pages describing the restrictions on dissemination or further data analysis of BR and PR/TT results, even summaries of those results.

Then it returns to the point that such restrictions only hold for BR- or PR/TT-unique results and encourages analysts to run queries under EO 12333 so as to be able to get a result that can be shared and further exploited.

 However, as we’ve discussed, not all BR or PR/TT results are unique. If a query result indicates it was derived from another collection source in addition to BR or PR/TT, the rules governing the other collection authority would apply to the handling an d sharing of that query result. For example, this result came from both BR and E.O. 12333 collection; therefore, because it is not unique to BR information, it would be ok to inform non- BR cleared individuals of the fact of this communication, as well as task, query, and report this information according to standard E.O. 12333 guidelines.

In summary, if a query result has multiple collection authorities, analysts should source and/or report the non-BR or PR/TT version of that query result according to the rules governing the other authority. But if it is unique to either the BR or PR/TT authority then it is a unique query result with all of the applicable BR and PR/TT restrictions placed on it. In both cases, however, analysts should not share the actual chain containing BR or PR/TT results with analysts who do not have the credentials to receive or view BR or PR/TT information. In such an instance, if it is necessary to share the chain, analysts should re-run the query in the non-BR or non-PR/TT areas of [redacted] and share that .cml. (22)

Let me be clear: none of this appears to be illegal (except insofar as it involves a recognition it is collecting US person data overseas, which may raise issues under a number of statutes). It’s just a kluge designed to use the US-based dragnet programs to pinpoint results, then use EO 12333 results to disseminate widely.

It does, obviously, raise big questions about whether the numbers reported to Congress on dragnet searches reflect the real number of searches and/or results, which will get more pressing if new information sharing laws get passed.

Mostly, though, it shows how NSA uses overseas collection to collect the same data on Americans without the restrictions on sharing it.

There are a lot of likely reasons to explain why the NSA stopped collecting Internet metadata in the US in 2011 (seemingly weeks after this version of the storyboard, though they would still be able to access the PR/TT metadata for 5 years Update 11/20/14: they destroyed the PRTT data in December 2011). But it is clear the overseas collection serves, in part, to get around FISC restrictions on dissemination and further analysis.

Updated: Added explanation for BR FISA and PR/TT abbreviations.

The Leahy-Sensenbrenner Language on Back Door Searches Improves But Doesn’t Eliminate the Back Door

As the top Intelligence Community lawyers have made clear, the IC maintains it can search US person data incidentally collected under Section 702 without any suspicion, as well as for the purposes of making algorithms, cracking encryption, and to protect property.

The Leahy-Sensenbrenner bill tries to rein in this problem. And its fix is far better than what we’ve got now. But it almost certainly won’t fix the underlying problem.

Here’s what the law would do to the “Limitations” section of Section 702. The underlined language is new.

(b) Limitations

(1) IN GENERAL.—An acquisition

(A) may not intentionally target any person known at the time of acquisition to be located in the United States;

(B) may not intentionally target a person reasonably believed to be located outside the United States if a significant purpose of such acquisition is to target a particular, known person reasonably believed to be in the United States;

(C) may not intentionally target a United States person reasonably believed to be located outside the United States;

(D) may not intentionally acquire any communication as to which the sender and all intended recipients are known at the time of the acquisition to be located in the United States; and

(E) shall be conducted in a manner consistent with the fourth amendment to the Constitution of the United States.


(A) IN GENERAL.—Except as provided in subparagraph (B), no officer or employee of the United States may conduct a search of a collection of communications acquired under this section in an effort to find communications of a particular United States person (other than a corporation).

Read more

The Intelligence Community’s Wide Open, Unprotected Back Door to All Your Content

PCLOB has posted the transcript from the first part of its hearing on Monday. So I want to return to the issue I raised here: both Director of National Intelligence General Counsel Robert Litt and NSA General Counsel Raj De admit that there are almost no limits on Intelligence Community searches of incidentally collection US person data (we know that FBI, NSA, and CIA have this authority, and I suspect National Counterterrorism Center does as well).

This discussion starts when PCLOB Chair David Medine asks whether the IC would consider getting a warrant before searching on incidentally collected data.

MR. MEDINE: And so turning to the protections for U.S. persons, as I understand it under the 702 program when you may target a non-U.S. person overseas you may capture communications where a U.S. person in the United States is on the other end of the communication. Would you be open to a warrant requirement for searching that data when your focus is on the U.S. person on the theory that they would be entitled to Fourth Amendment rights for the search of information about that U.S. person?

MR. DE: Do you want me to take this?

MR. LITT: Thanks, Raj. Raj is always easy, he raises his hands for all the easy ones.

MR. DE: I can speak for NSA but this obviously has implications beyond just NSA as well.

MR. LITT: I think that’s really an unusual and extraordinary step to take with respect to information that has been lawfully required.

I mean I started out as a prosecutor. There were all sorts of circumstances in which information is lawfully acquired that relates to persons who are not the subject of investigations. You can be overheard on a Title III wiretap, you can overheard on a Title I FISA wiretap. Somebody’s computer can be seized and there may be information about you on it.

The general rule and premise has been that information that’s lawfully acquired can be used by the government in the proper exercise of authorities.

Now we do have rules that limit our ability to collect, retain and disseminate information about U.S. persons. Those rules, as know, are fairly detailed. But generally speaking, we can’t do that except for foreign intelligence purposes, or when there’s evidence of a crime, or so on and so forth. But what we can’t do under Section 702 is go out and affirmatively use the collection authority for the purpose of getting information about U.S. persons. Once we have that information I don’t think it makes sense to say, you know, a year later if something comes up we need to go back and get a warrant to search that information. [my emphasis]

Litt compares finding incidental information on a laptop, presumably seized using a warrant, with searching for incidental information on a digital collection that includes very few limits on specificity. Remember, NSA can and has claimed a targeted “facility” may mean all the Internet traffic from a particular country or at least a region of a country. This is petabytes of data obtained with a directive, not gigabytes obtained with a specific warrant.

Read more