As I noted in this post, the government insists that it did not engage in parallel construction in the case of Shantia Hassanshahi, the Iranian-American busted for sanctions violations using evidence derivative of a search of what the government now claims was a DEA dragnet. “While it would not be improper for a law enforcement agency to take steps to protect the confidentiality of a law enforcement sensitive investigative technique, this case raises no such issue.”
The claim is almost certainly bullshit, true in only the narrowest sense.
Indeed, the changing story the government has offered about how they IDed Hassanshahi based off a single call he had with a phone belonging to a person of interest, “Sheikhi,” in Iran, is instructive not just against the background of the slow reveal of multiple dragnets over the same period. But also for the technological capabilities included in those claims. Basically, the government appears to be claiming they got a VOIP call from a telephony database.
As I lay out below, the story told by the government in various affidavits and declarations (curiously, the version of the first one that appears in the docket is not signed) changed in multiple ways. While there were other changes, the changes I’m most interested in pertain to:
As you can see from the excerpts below, Akronowitz at first claimed to have searched “HSI-accessible law enforcement databases,” plural, and suggested he searched them himself. In July 2014, in response to a motion to suppress (and after Edward Snowden had disclosed the NSA’s phone dragnet), Akronowitz changed that story and said he sent a research request to a single database, implying someone else did a search of just one database. Akronowitz told the same story in yet another revised affidavit submitted last October. In the declaration submitted in December but unsealed in January, DEA Assistant Special Agent Robert Patterson stuck with the single database story and used the passive voice to hide who did the database query.
While Akronowitz’ story didn’t change regarding how he discovered that Hassanshahi’s phone was a Google number, it did get more detailed in the July 2014 affidavit, which explained that he had first checked with another VOIP provider before being referred to Google.
Perhaps most interestingly, the government’s story changed regarding how many calls of interest there were, and between what numbers. In January 2013, Akronowitz said “a number of telephone calls between ‘Sheikhi’s’ known business telephone number and telephone number 818-971-9512 had occurred within a relatively narrow time frame” (though he doesn’t tell us what that time frame was). He also says that his Google subpoena showed “numerous calls to the same Iranian-based telephone number during a relatively finite period of time.” He neither explained that this number was not Sheikhi’s number — it was a different Iranian number — nor what he means by “a relatively finite period of time.” His July and October affidavits said his research showed a contact, “on one occasion, that is, on July 4, 2011,” with Sheikhi’s number. The July affidavit maintained the claim that there were multiple calls between Hassanshahi’s number and an Iranian one: “numerous phone calls between Hassanshahi’s ‘818’ number and one Iranian phone number.” But by October, Akronowitz conceded that the Google records showed only “that Hassanshahi’s ‘818’ number made contact with an Iranian phone number (982144406457) only once, on October 5, 2011″ (as well as a “22932293” number that he bizarrely claimed was a call to Iran). Note, Akronowitz’ currently operative story would mean the government never checked whether there were any calls between Hassanshahi and Sheikhi between August 24 and September 6 (or after October 6), which would be rather remarkable. Patterson’s December affidavit provided no details about the date of the single call discovered using what he identified as DEA’s database, but did specify that the call was made by Hassanshahi’s phone, outbound to Iran. (Patterson didn’t address the later Google production, as that was pursuant to a subpoena.)
To sum up, before Edward Snowden’s leaks alerted us to the scope of NSA’s domestic and international dragnet, Akronowitz claimed he personally had searched multiple databases and found evidence of multiple calls between Hassanshahi’s phone number and Sheikhi’s number, as well as (after getting a month of call records from Google) multiple calls to another Iranian number over unspecified periods of time. After Snowden’s leaks alerted us to the dragnet, after Dianne Feinstein made it clear the NSA can search on Iranian targets in the Section 215 database, which somehow counts as a terrorist purpose, and after Eric Holder decided to shut down just the DEA dragnet, Akronowitz changed his story to claim he had found just one call between Hassanshahi and Shiekhi, and — after a few more months — just one call from another Iranian number to Hassanshahi. Then, two months later, the government claimed that the only database that ever got searched was the DEA one (the one that had already been shut down) which — Patterson told us — was based on records obtained from “United States telecommunications service providers” via a subpoena.
Before I go on, consider that the government currently claims it used just a single phone call of interest — and the absence of any additional calls in a later months’s worth of call records collected that fall — to conduct a warrantless search of a laptop in a state (CA) where such searches require warrants, after having previously claimed there was a potentially more interesting set of call records to base that search on.
Aside from the government’s currently operative claim that it would conduct border searches based on the metadata tied to a single phone call, I find all this interesting for two reasons.
First, the government’s story about how many databases got searched and how many calls got found changed in such a way that the only admission of an unconstitutional search to the judge, in December 2014, involved a database that had allegedly been shut down 15 months earlier.
Maybe they’re telling the truth. Or maybe Akronowitz searched or had searched multiple databases — as he first claimed — and found the multiple calls he originally claimed, but then revised his story to match what could have been found in the DEA database. We don’t know, for example, if the DEA database permits “hops,” but he might have found a more interesting call pattern had he been able to examine hops (for example, it might explain his interest in the other phone number in Iran, which otherwise would reflect no more than an immigrant receiving a call from his home country).
All of this is made more interesting because of my second point: the US side of the call in question was an Internet call, a Google call, not a telephony call. Indeed, at least according to Patterson’s declaration (records of this call weren’t turned over in discovery, as far as I can tell), Hassanshahi placed the call, not Sheikhi.
I have no idea how Google calls get routed, but given that Hassanshahi placed the call, there’s a high likelihood that it didn’t cross a telecom provider’s backbone in this country (and god only knows how DEA or NSA would collect Iranian telephony provider records), which is who Patterson suggests the calls came from (though there’s some room for ambiguity in his use of the term “telecommunications service providers”).
USAT’s story on this dragnet suggests the data all comes from telephone companies.
It allowed agents to link the call records its agents gathered domestically with calling data the DEA and intelligence agencies had acquired outside the USA. (In some cases, officials said the DEA paid employees of foreign telecom firms for copies of call logs and subscriber lists.)
Instead of simply asking phone companies for records about calls made by people suspected of drug crimes, the Justice Department began ordering telephone companies to turn over lists of all phone calls from the USA to countries where the government determined drug traffickers operated, current and former officials said.
Former officials said the operation included records from AT&T and other telecom companies.
But if this call really was placed from a Google number, it’s not clear it would come up under such production, even under production of calls that pass through telephone companies’ backbones. That may reflect — if the claims in this case are remotely honest — that the DEA dragnet, at least, gathered call records not just from telecom companies, but also from Internet companies (remember, too, that DOJ’s Inspector General has suggested DEA had or has more than one dragnet, so it may also have been collecting Internet toll records).
And that — coupled with the government’s evolving claims about how many databases got checked and how many calls that research reflected — may suggest something else. Given that the redactions on the providers obliged under the Section 215 phone dragnet orders haven’t changed going back to 2009, when it was fairly clear there were just 3 providers (AT&T, Sprint, and Verizon), it may be safe to assume that’s still all NSA collects from. A never-ending series of leaks have pointed out that the 215 phone dragnet increasingly has gaps in coverage. And this Google call would be precisely the kind of call we would expect it to miss (indeed, that’s consistent with what Verizon Associate General Counsel — and former DOJ National Security Division and FBI Counsel — Michael Woods testified to before the SSCI last year, strongly suggesting the 215 dragnet missed VOIP). So while FISC has approved use of the “terrorist” Section 215 database for the terrorist group, “Iran,” (meaning NSA might actually have been able to query on Sheikhi), we should expect that this call would not be in that database. Mind you, we should also expect NSA’s EO 12333 dragnet — which permits contact chaining on US persons under SPCMA — to include VOIP calls, even with Iran. But depending on what databases someone consulted, we would expect gaps in precisely the places where the government’s story has changed since it decided it had searched only the now-defunct DEA database.
Finally, note that if the government was sufficiently interested in Sheikhi, it could easily have targeted him under PRISM (he did have a GMail account), which would have made any metadata tied to any of his Google identities broadly shareable within the government (though DHS Inspectors would likely have to go through another agency, quite possibly the CIA). PRISM production should return any Internet phone calls (though there’s nothing in the public record to indicate Sheikhi had an Internet phone number). Indeed, the way the NSA’s larger dragnets work, a search on Sheikhi would chain on all his correlated identifiers, including any communications via another number or Internet identifier, and so would chain on whatever collection they had from his GMail address and any other Google services he used (and the USAT described the DEA dragnet as using similarly automated techniques). In other words, when Akronowitz originally said there had been multiple “telephone calls,” he may have instead meant that Sheikhi and Hassanshahi had communicated, via a variety of different identifiers, multiple times as reflected in his search (and given what we know about DEA’s phone dragnet and my suspicion they also had an Internet dragnet, that might have come up just on the DEA dragnets alone).
The point is that each of these dragnets will have slightly different strengths and weaknesses. Given Akronowitz’ original claims, it sounds like he may have consulted dragnets with slightly better coverage than just the DEA phone dragnet — either including a correlated DEA Internet dragnet or a more extensive NSA one — but the government now claims that it only consulted the DEA dragnet and consequently claims it only found one call, a call it should have almost no reason to have an interest in.
Mieke Eoyang, the Director of Third Way’s National Security Program, has what Ben Wittes bills as a “disruptive” idea: to make US law the exclusive means to conduct all surveillance involving US companies.
But reforming these programs doesn’t address another range of problems—those that relate to allegations of overseas collection from US companies without their cooperation.
Beyond 215 and FAA, media reports have suggested that there have been collection programs that occur outside of the companies’ knowledge. American technology companies have been outraged about media stories of US government intrusions onto their networks overseas, and the spoofing of their web pages or products, all unbeknownst to the companies. These stories suggest that the government is creating and sneaking through a back door to take the data. As one tech employee said to me, “the back door makes a mockery of the front door.”
As a result of these allegations, companies are moving to encrypt their data against their own government; they are limiting their cooperation with NSA; and they are pushing for reform. Negative international reactions to media reports of certain kinds of intelligence collection abroad have resulted in a backlash against American technology companies, spurring data localization requirements, rejection or cancellation of American contracts, and raising the specter of major losses in the cloud computing industry. These allegations could dim one of the few bright spots in the American economic recovery: tech.
How about making the FAA the exclusive means for conducting electronic surveillance when the information being collected is in the custody of an American company? This could clarify that the executive branch could not play authority shell-games and claim that Executive Order 12333 allows it to obtain information on overseas non-US person targets that is in the custody of American companies, unbeknownst to those companies.
As a policy matter, it seems to me that if the information to be acquired is in the custody of an American company, the intelligence community should ask for it, rather than take it without asking. American companies should be entitled to a higher degree of forthrightness from their government than foreign companies, even when they are acting overseas.
Now, I have nothing against this proposal. It seems necessary but wholly inadequate to restoring trust between the government and (some) Internet companies. Indeed, it represents what should have been the practice in any case.
Let me first take a detour and mention a few difficulties with this. First, while I suspect this might be workable for content collection, remember that the government was not just collecting content from Google and Yahoo overseas — they were also using their software to hack people. NSA is going to still want the authority to hack people using weaknesses in such software, such as it exists (and other software companies probably still are amenable to sharing those weaknesses). That points to the necessity to start talking about a legal regime for hacking as much as anything else — one that parallels what is going on with the FBI domestically.
Also, this idea would not cover the metadata collection from telecoms which are domestically covered by Section 215, which will surely increasingly involve cloud data that more closely parallels the data provided by FAA providers but that would be treated as EO 12333 overseas (because thus far metadata is still treated under the Third Party doctrine here). This extends to the Google and Yahoo metadata taken off switches overseas. So, such a solution would be either limited or (if and when courts domestically embrace a mosaic theory approach to data, including for national security applications) temporary, because some of the most revealing data is being handed over willingly by telecoms overseas.
Back in 1993, cartoonist Peter Steiner famously captured a largely held belief about the Internet: “On the Internet, no one knows you’re a dog.”
According to a fascinating new study from Pew, that’s no longer true.
Just 24% of adults “agree” (20%) or “strongly agree” (3%) with the statement: “It is easy for me to be anonymous when I am online.” By contrast, 74% “disagree” (52%) or “strongly disagree” (22%) that it is easy for them to be anonymous.
The poll suggests this is partly because of coverage of government spying, and partly because of corporate spying.
I find two other things about this most interesting. First, the demographics on the specific answers are very fascinating. Just as one example, more affluent people are more likely to check how they come up on Internet searches.
Self-searching activity varies greatly across different groups, particularly by age, income, and household education. Adults under the age of 50 are far more likely to be “self-searchers” than those ages 50 and older, and adults with higher levels of household income and education stand out as especially likely to check up on their own digital footprints.
But I can imagine that’s because they live more of their life online (and they’re more apt to use things like Linked In to apply for jobs). There are also demographic differences in what people find sensitive (see differences in sensitivity about email content at 50, for example). Again, that may reflect the degree to which these tools are available, and therefore are likely to include sensitive communications.
The other thing, however, is that people appear far less worried about metadata than they should be. I get why people are almost universally worried about social security privacy — and this likely reflects the fact that the most immediate threat to everyone is identity theft, not government spying or abuse from Google. But in both government and commercial hands, metadata have become more revealing than content. Respondents don’t seem to worry about it though.
At his Brookings event yesterday, Jim Comey claimed that there is a misperception, in the wake of the Snowden releases, about how much data the government obtains.
In the wake of the Snowden disclosures, the prevailing view is that the government is sweeping up all of our communications. That is not true. And unfortunately, the idea that the government has access to all communications at all times has extended—unfairly—to the investigations of law enforcement agencies that obtain individual warrants, approved by judges, to intercept the communications of suspected criminals.
It frustrates me, because I want people to understand that law enforcement needs to be able to access communications and information to bring people to justice. We do so pursuant to the rule of law, with clear guidance and strict oversight.
He goes onto pretend that Apple and Google are default encrypting their phone solely as a marketing gimmick, some arbitrary thing crazy users want.
Both companies are run by good people, responding to what they perceive is a market demand. But the place they are leading us is one we shouldn’t go to without careful thought and debate as a country.
Encryption isn’t just a technical feature; it’s a marketing pitch. But it will have very serious consequences for law enforcement and national security agencies at all levels. Sophisticated criminals will come to count on these means of evading detection. It’s the equivalent of a closet that can’t be opened. A safe that can’t be cracked. And my question is, at what cost?
He ends with a plea that “our private sector partners … consider changing course.”
But we have to find a way to help these companies understand what we need, why we need it, and how they can help, while still protecting privacy rights and providing network security and innovation. We need our private sector partners to take a step back, to pause, and to consider changing course.
There’s something missing from Comey’s tale.
An explanation of why the FBI has not pursued the sophisticated criminals who stole Google’s data overseas.
At a recent event with Ron Wyden, the Senator asked Schmidt to weigh in on the phone encryption “kerfuffle.” And Schmidt was quite clear: the reason Google and Apple are doing this is because the NSA’s partners in the UK stole their data, even while they had access to it via PRISM.
The people who are criticizing this should have expected this. After Google was attacked by the British version of the NSA, we were annoyed and so we put end-to-end encryption at rest, as well as through our systems, making it essentially impossible for interlopers — of any kind — to get that information.
Schmidt describes the default encryption on the iPhone, notes that it has been available for the last 3 years on Android phones, and will soon be standard, just like it is on iPhone.
Law enforcement has many many ways of getting information that they need to provide this without having to do it without court orders and with the possible snooping conversation. The problem when they do it randomly as opposed to through a judicial process is it erodes user trust.
If everything Comey said were true, if this were only about law enforcement getting data with warrants, Apple — and Google especially — might not have offered their customers the privacy they deserved. But it turns out Comey’s fellow intelligence agency decided to just go take what they wanted.
And FBI did nothing to solve that terrific hack and theft of data.
I guess FBI isn’t as interested in rule of law as Comey says.
The tech industry has issued a letter urging the Senate to hurry up and
give them immunity and compensation pass USA Freedom Act.
The letter is actually pretty funny. The letter claims:
The revelations about the U.S. government’s surveillance programs that began in June of 2013 have led to an erosion of public trust in the U.S. government and the U.S. technology sector. In an effort to begin restoring that trust, the USA FREEDOM Act will prevent the bulk collection of Internet metadata, call detail records, and other tangible things in a manner that both enhances privacy and protects national security.
I mean, it’s not funny that the NSA has fucked with the tech companies’ business model. The funny part is the bill doesn’t do what the tech companies say it does!
It only limits the bulk collection of Internet metadata — to the extent it does do that — via the use of Pen Register or Section 215 authorities. It doesn’t do anything about the bulky collection of Internet metadata (and content) through PRISM. And it definitely doesn’t do anything to end the biggest part of bulk Internet metadata collection, which happens overseas. Hell, this doesn’t even give the Internet companies any more assurances they won’t have their data stolen overseas (though some at least are making that more difficult by encrypting their data).
Then the letter makes this claim.
As a result of the surveillance program revelations, U.S. technology companies have experienced negative economic implications in overseas markets. In addition, other countries are considering proposals that would limit data flows between countries, which would have a negative impact on the efficiencies upon which the borderless Internet relies. The transparency measures in the USA FREEDOM Act are designed to alleviate some of the concerns behind such actions by allowing companies to be more transparent about the orders they receive from the government to its surveillance authorities.
Now, it is true that the law tweaks the agreement the government previously made with the Internet companies so they can show more about what they do. That’s a good thing.
But the “transparency” provisions in the bill are actually designed to obscure key details about surveillance. They hide how many Americans will be exposed to most Section 215 orders (though will reveal the total people exposed) because FBI, which will get most of the orders, is exempted from that reporting. They hide the FBI’s use of “back door searches” of Internet metadata collected under PRISM. And it may (though I’m less sure about this) hide requests for PRISM metadata searches executed by the CIA for foreign governments.
All hidden right there in the “transparency” procedures.
Finally, I’m not sure why the tech companies think their foreign customers will be impressed with deceptive “transparency” provisions that leave the bulk (in all senses of the word) of the collection the US is doing against foreigners still hidden.
But hey! I can imagine why the tech companies want their absurdly broad immunity and compensation for spying, which this bill does give them.
Oddly, the letter doesn’t emphasize that part of it.
According to the new DOJ IG report on FBI’s use of NSLs, there are some Internet companies that have been refusing NSLs for some data since 2009 (this discussion appears on pages 71- 73).
The decision of these [redacted] Internet companies to discontinue producing electronic communication transactional records in response to NSLs followed public release of a legal opinion issued by the Department’s Office of Legal Counsel (OLC) regarding the application of ECPA Section 2709 to various types of information. The FBI General Counsel sought guidance from the OLC on, among other things, whether the four types of information listed in subsection (b) of Section 2709 — the subscriber’s name, address, length of service, and local and long distance toll billing records — are exhaustive or merely illustrative of the information that the FBI may request in an NSL. In a November 2008 opinion, the OLC concluded that the records identified in Section 2709(b) constitute the exclusive list of records that may be obtained through an ECPA NSL.
Although the OLC opinion did not focus on electronic communication transaction records specifically, according to the FBI, [redacted] took a legal position based on the opinion that if the records identified in Section 2709(b) constitute the exclusive list of records that may be obtained through an ECPA NSL, then the FBI does not have the authority to compel the production of electronic communication transactional records because that term does not appear in subsection (b).
For a number of reasons I wonder whether this pertains to Internet searches, rather than email communication.
In any case, because the Internet companies have apparently been successful at refusing these NSLs (there’s zero discussion in the unredacted section of court challenges, but they must have happened), FBI has been getting Section 215 orders instead. As a result, the bulk of the Section 215 orders in recent years have been for these kinds of Internet transaction records.
In the absence of a legislative amendment to Section 2709, [2.5 lines redacted]. [Deputy General Counsel of FBI’s National Security Law Branch] Siegel told us that the process of generating and approving a Section 215 application is similar to the NSL process for the agents and supervisors in the field, but then the applications undergo a review process in NSLB and the Department’s National Security Division, which submits the application to the Foreign Intelligence Surveillance Court (FISA Court). According to Siegel, a request that at one time could be accomplished with an NSL in a matter of hours if necessary, now takes about 30-40 days to accomplish with a standard Section 215 application.
In addition to increasing the time it takes to obtain transactional records, Section 215 requests, unlike NSL requests, require the involvement of FBI Headquarters, NSD, and the FISA Court. Supervisors in the Operations Section of NSD, which submits Section 215 applications to the FISA Court, told us that the majority of Section 215 applications submitted to the FISA Court [redacted] in 2010 and [redacted] in 2011 — concerned requests for electronic communication transaction records.
The NSD supervisors told us that at first they intended the [3.5 lines redacted] They told us that when a legislative change no longer appeared imminent and [3 lines redacted] and by taking steps to better streamline the application process.
We asked whether the disagreement and uncertainty over electronic communication transactional records has negatively affected national security investigations. An Assistant General Counsel in NSLB told us that the additional time it takes to obtain transactional records through a Section 215 application slows down national security investigations, all of which he said are time-sensitive. He said that an investigative subject can cease activities or move out of the country within the time-frame now necessary to obtain a FISA order. [my emphasis]
And bizarrely, the IG report doesn’t discuss the pending USA Freedom legislation — not even what appears retrospectively like HPSCI’s effort to turn this kind of production into programmatic orders.
There’s still a lot I don’t get from this discussion. But the explanation that the explosion of 215 orders (remember — with their attached minimization procedures) since 2009 stems from a couple of Internet companies sure is interesting.
Update: Page 124 reveals what the Administration wanted ECPA to include.
The proposed amendment would authorize the FBI to obtain name, address, local and long distance connection records (or sessions times and durations), length and types of service, telephone or instrument number (or other subscriber number or identity, including any temporarily assigned network address), means and source of payment (including credit card or bank account number), and records identifying the origin, routing, or destination of electronic communications.
I was asked to participate in a CATO debate about where we are a year post Snowden. My contribution to that debate — in which I argue any big drama going forward will come from the newly adversarial relationship between Google and the NSA — is here.
As part of that, I argued that the government made a choice after Snowden: to double down on hard power over soft power.
The conflict between Google and its home country embodies another trend that has accelerated since the start of the Snowden leaks. As the President of the Computer & Communications Industry Association, Edward Black, testified before the Senate last year, the disclosure of NSA overreach did not just damage some of America’s most successful companies, it also undermined the key role the Internet plays in America’s soft power projection around the world: as the leader in Internet governance, and as the forum for open speech and exchange once associated so positively with the United States.
The U.S. response to Snowden’s leaks has, to a significant degree, been to double down on hard power, on the imperative to “collect it all” and the insistence that the best cyberdefense is an aggressive cyberoffense. While President Obama paid lip service to stopping short of spying “because we can,” the Executive Branch has refused to do anything – especially legislatively – that would impose real controls on the surveillance system that undergirds raw power.
And that will likely bring additional costs, not just to America’s economic position in the world, but in the need to invest in programs to maintain that raw power advantage. Particularly given the paltry results the NSA has to show for its domestic phone dragnet – the single Somali taxi driver donating to al-Shabaab that Sanchez described. It’s not clear that the additional costs from doubling down on hard power bring the United States any greater security.
Because I was writing this essay, that’s largely where my mind has been as we debate getting re-involved in Iraq.
In the 3 or 4 wars we’ve waged in the Middle East/South Asia since 9/11 (counting Afghanistan, Iraq, Libya, and Syria), we’ve only managed to further destabilize the region. That was largely driven by a belligerence that goes well beyond our imperative to collect it all.
But I do think both the Snowden anniversary and the Iraq clusterfuck should focus far more energy on how we try to serve American interests through persuasion rather than bombs and dragnets.
Josh Gerstein already wrote about some of this Mike Rogers blather. But I wanted to transcribe the whole thing to display how utterly full of shit he is.
At a conference at Georgetown the other day, (see video 3), Rogers laid into the tech companies for opposing USA Freedumber, which he badly misrepresented just before this. The context of European opportunism beings at 1:06, the quote begins after 1:08.
We should be very mad at Google, and Microsoft, and Facebook, because they’re doing a very interesting, and I think, very dangerous thing. They’ve come out and said, “well, we oppose this new FISA bill because it doesn’t go far enough.” When you peel that onion back a little bit, and why are you doing this, this is a good bill, it’s safe, bipartisan, it’s rational, it meets all the requirements for Fourth Amendment protection, privacy protection, and allowing the system to work,
Rogers claims they’re doing so solely because they’re afraid to lose European business. And Rogers — a Republican! — is furious that corporations prioritize their profits (note, Rogers has never complained that some of these same companies use European tax shelters to cheat the tax man).
And they say, “well, we have to do this because we have to make sure we don’t lose our European business.” I don’t know about the rest of you, that offends me from the word, “European business.” Think about what they’re doing. They’re willing, in their minds, to justify the importance of their next quarter’s earnings in Europe, versus the National Security of the United States. Everybody on those boards should be embarrassed, and their CEOs should be embarrassed, and their stockholders should be embarrassed.That one quarter cannot be worth the National Security of the United States for the next 10 generations. And if we don’t get this part turned around very quickly, it will likely get a little ugly, and that emotional piece that we got by is going to be right back in the center of the room to no good advantage to our ability to protect the United States.
Mostly, he seems pissed because he knows the collective weight of the tech companies may give those of us trying to defeat USA Freedumber a fighting chance, which is what Rogers considers an emotional place because Democracy.
But Rogers’ rant gets truly bizarre later in the same video (after 1:23) where he explains what the security interest is:
We have one particular financial institution that clears, somewhere about $7 trillion dollars in global financial transactions every single day. Imagine if tomorrow that place gets in there and through an attack of which we know does exist, the potential does exist where the information is destroyed and manipulated, now you don’t know who owes what money, some of that may have lost transactions completely forever, imagine what that does to the economy, $7 trillion. Gone — right? Gone. It’s that serious.
Mind you, Rogers appears unaware that a banks shuffling of money — while an incredibly ripe target for hackers — does not really contribute to the American economy. This kind of daily volume is churn that only the very very rich benefit from. And one big reason it’s a target is because it is an inherently fragile thing.
To make all this even more hysterical, Rogers talks about risk driving insurance driving proper defensive measures from the target companies … yet he seems not to apply those rules to banks.
Mike Rogers, it seems, would rather kill Google’s business than permit this rickety vitality killing bank to feel the full brunt of the risk of its own business model.
Accompanying a new story on GCHQ/NSA cooperation yesterday, the Intercept released one of the most revealing documents about NSA spying yet. It describes efforts to use Identifier Scoreboard to triage leads such that analysts spend manual time only with the most promising leads. Basically, the NSA aims to use this process to differentiate the 75% of metadata they collect that is interesting but not of high interest into different categories for further analysis.
It does so by checking the leads — which are identifiers like email addresses and phone numbers — against collected data (and this extends beyond just stuff collected on the wires; it includes captured media) to see what kind of contacts with existing targets there have been. Not only does the system pull up what prior contacts of interest exist, but also what time frame those occurred and in what number. From there, the analyst can link directly to either the collected knowledge about a target or the content.
Before I get into the significance, a few details.
First, the system works with both phone and Internet metadata. That’s not surprising, and it does not yet prove they’re chaining across platforms. But it is another piece of evidence supporting that conclusion.
More importantly, look at the authorities in question:
First, FAA. The CP and CT are almost certainly certificates, the authority to collect on counterproliferation and counterterrorism targets. But note what’s not there? Cybersecurity, the third known certificate (there was a third certificate reapproved in 2011, so it was active at this time). Which says they may be using that certificate differently (which might make sense, given that you’d be more interested in forensic flows, but this triage system is used with things like TAO which presumably include cyber targets).
There is, however, a second kind of FAA, “FG.” That may be upstream or it may be something else (FG could certainly stand for “Foreign Government, which would be consistent with a great deal of other data). If it’s something else, it supports the notion that there’s some quirk to how the government is using FAA that differs from what they’ve told PCLOB and the Presidential Review Group, which have both said there are just those 3 certificates.
Then there’s FAA 704/705B. This is collection on US person overseas. Note that FAA 703 (collection on US person who is located overseas but the collection on whom is in the US) is not included. Again, this shows something about how they use these authorities.
Finally, there are two EO12333s. In other slides, we’ve seen an EO12333 and an EO123333 SPCMA (which means you can collect and chain through Americans), and that may be what this is. Update: One other possibility is that this distinguishes between EO12333 data collected by the US and by second parties (the Five Eyes).
Now go to what happens when an identifier has had contact with a target — and remember, these identifiers are just random IDs at this point.
The triage program automatically pulls up prior contacts with targets. Realize what this is? It’s a backdoor search, conducted off an identifier about which the NSA has little knowledge.
And the triage provides a link directly from that the metadata describing when the contact occurred and who initiated it to the content.
When James Clapper and Theresa Shea describe the metadata serving as a kind of index that helps prioritize what content they read, this is part of what they’re referring to. That — for communications involving people who have already been targeted under whatever legal regime — the metadata leads directly to the content. (Note, this triage does not apparently include BR FISA or PRTT data — that is, metadata collected in the US — which says there are interim steps before such data will lead directly to content, though if that data can be replicated under EO 12333, as analysts are trained to do, it could more directly lead to this content.)
So they find the identifiers, search on prior contact with targets, then pull up that data, at least in the case of EO12333 data. (Another caution, these screens date from a period when NSA was just rolling out its back door search authorities for US persons, and there’s nothing here that indicates these were US persons, though it does make clear why — as last year’s audit shows — NSA has had numerous instances where they’ve done back door searches on US person identifiers they didn’t know were US person identifiers.)
Finally, look at the sources. The communications identified here all came off EO12333 communications (interestingly, this screen doesn’t ID whether we’re looking at EO12333_X or _S data). As was noted to me this morning, the SIGADS that are known here are offshore. But significantly, they include MUSCULAR, where NSA steals from Google overseas.
That is, this screen shows NSA matching metadata with metadata and content that they otherwise might get under FAA, legally, within the US. They’re identifying that as EO12333 data. EO12333 data, of course, gets little of the oversight that FAA does.
At the very least, this shows the NSA engaging in such tracking, including back door searches, off a bunch of US providers, yet identifying it as EO12333 collection.
Update: Two more things on this. Remember NSA has been trying, unsuccessfully, to replace its phone dragnet “alert” function since 2009 when the function was a big part of its violations (a process got approved in 2012, but the NSA has not been able to meet the terms of it technically, as of the last 215 order). This triage process is similar — a process to use with fairly nondescript identifiers to determine whether they’re worth more analysis. So we should assume that, while BR FISA (US collected phone dragnet) information is not yet involved in this, the NSA aspires to do so. There are a number of reasons to believe that moving to having the providers do the initial sort (as both the RuppRoge plan offered by the House Intelligence Committee and Obama’s plan do) would bring us closer to that point.
Finally, consider what this says about probable cause (especially if I’m correct that EO12333_S is the SPMCA that includes US persons). Underlying all this triage is a theory of what constitutes risk. It measures risk in terms of conversations –how often, how long, how many times — with “dangerous” people. While that may well be a fair measure in some cases, it may not be (I’ve suggested, for example, that people who don’t know they may be at risk are more likely to speak openly and at length, and those conversations then serve as a kind of camouflage for the truly interesting, rare by operational security conversations). But this theory (though not this particular tool) likely lies behind a lot of the young men who’ve been targeted by FBI.
I said the other day, most of NSA’s Civil Liberties and Privacy Office comment to the Privacy and Civil Liberties Oversight Board on Section 702 was disappointing boilerplate, less descriptive than numerous other statements already in the public record.
In the passage on back door searches I looked at, however, there was one new detail that is very suggestive. It said NSA does more back door searches on metadata than on content under Section 702.
NSA distinguishes between queries of communications content and communications metadata. NSA analysts must provide justification and receive additional approval before a content query using a U.S. person identifier can occur. To date, NSA analysts have queried Section 702 content with U.S. person identifiers less frequently than Section 702 metadata.
Consider what this means. NSA collects content from a selector — say, all the Hotmail communications of ScaryAQAPTerrorist. That content of course includes metadata (setting aside the question of whether this is legally metadata or content for the moment): the emails and IPs of people who were in communication with that scary terrorist.
The NSA is saying that the greater part of their back door searches on US person identifiers — say, searching on the email, “[email protected]” — is just for metadata.
Given the timing, it seems that they’re using back door searches as one of two known replacements for the PRTT Internet dragnet shut down around October 30, 2009, turned on again between July and October 2010, then shut down for good in 2011 (the other being the SPCMA contact chaining of EO 12333 collected data through US person identifiers).
Recall that NSA and CIA first asked for these back door searches in April 2011. That was somewhere between 6 to 9 months after John Bates had permitted NSA to turn the Internet dragnet back on in 2010 under sharply restricted terms. NSA was still implementing their rules for using back door searches in early 2012, just months after NSA had shut down the (domestic) Internet dragnet once and for all.
And then NSA started using 702 collection for a very similar function: to identify whether suspicious identifiers were in contact with known suspicious people.
There are many parts of this practice that are far preferable to the old Internet dragnet.
For starters, it has the benefit of being legal, which the Internet dragnet never was!
Congress and the FISC have authorized NSA to collect this data from the actual service providers targeting on overseas targets. Rather than collecting content-as-metadata from the telecoms — which no matter how hard they tried, NSA couldn’t make both legal and effective — NSA collected the data from Yahoo and Microsoft and Google. Since the data was collected as content, it solves the content-as-metadata problem.
And this approach should limit the number of innocent Americans whose records are implicated. While everyone in contact with ScaryAQAPTerrorist will potentially be identified via a backdoor search, that’s still less intrusive than having every Americans’ contacts collected (though if we can believe the NSA’s public statements, the Internet dragnet always collected on fewer people than the phone dragnet).
That said, the fact that the NSA is presumably using this as a replacement may lead it to task on much broader selectors than they otherwise might have: all of Yemen, perhaps, rather than just certain provinces, which would have largely the same effect as the old Internet dragnet did.
In addition, this seems to reverse the structure of the old dragnet (or rather, replicate some of the problems of the alert system that set off the phone dragnet problems in 2009). It seems an analyst might test a US person identifier — remember, the analyst doesn’t even need reasonable articulable suspicion to do a back door search — against the collected metadata of scary terrorist types, to see if the US person is a baddie. And I bet you a quarter this is automated, so that identifiers that come up in, say, a phone dragnet search are then run against all the baddies to see if they also email at the press of a button. And at that point, you’re just one more internal approval step away from getting the US person content.
In short, this would seem to encourage a kind of wild goose chase, to use Internet metadata of overseas contact to judge whether a particular American is suspicious. These searches have a far lower standard than the phone and Internet dragnets did (as far as we know, neither the original collection nor the back door search ever require an assertion of RAS). And the FISC is far less involved; John Bates has admitted he doesn’t know how or how often NSA is using this.
But it is, as far as we know, legal.