The New Transparency Guidelines

DOJ and the tech companies just came to a deal on new transparency reporting. (h/t Mike Scarcella) It is a big improvement over what the government offered last year which was:

Option One: Provide total number of requests (criminal NSL, FISA) and total number of accounts targeted, broken out by 1000s

Option Two: Provide exact number of criminal requests and accounts affected, and number of NSLs received and accounts affected, broken out by 1000s, without providing any numbers on FISC service

This approach basically permitted the government to hide the FISC surveillance, by ensuring it only ever appeared lumped into the larger universe of criminal requests, along with other bulk requests. In addition, it didn’t let providers say whether they were mostly handing over metadata (NSLs would be limited to metadata, though FISC requests might include both metadata and content) or content in a national security context.

The new solution is:

Option One: Biannual production, with a 6-month delay on FISC reporting

  1. Criminal process, subject to no restrictions
  2. NSLs and the number of customer accounts affected by NSLs, reported in bands of 1000, starting at 0-999
  3. FISA orders for content and the number of customer selectors targeted, both reported in bands of 1000, starting at 0-999
  4. FISA orders for non-content and the number of customer selectors targeted, both reported in bands of 1000, starting at 0-999*

This option subjects a two-year delay on new (internally developed or purchased) platforms, products, or services. So for example, if Google started to get Nest orders today, Google couldn’t include it in their reporting until 2 years from now.

Option Two:

  1. Criminal process, subject to no restrictions
  2. Total national security process, including NSLs and FISA lumped together, reported in bands of 250, starting at 0-250
  3. Total customer selectors targeted under all national security requests, reported in bands of 250, starting at 0-250

* The order has a footnote basically saying the government hasn’t ceded the issue of reporting on the phone dragnet yet (though only tech companies were parties to this, and their only telecom production would be VOIP).

So my thoughts:

First, you can sort of see what the government really wants to hide with these schemes. They don’t want you to know if they submit a single NSL or 215 order affecting 1000 customers, which it’s possible might appear without the bands.They don’t want you to see if there’s a provider getting almost no requests (which would be hidden by the initial bands).

And obviously, they don’t want you to know when they bring new capabilities online, in the way they didn’t want users to know they had broken Skype. Though at this point, what kind of half-assed terrorist wouldn’t just assume the NSA has everything?

I think the biggest shell game might arise from the distinction between account (say, my entire Google identity) and selector (my various GMail email addresses, Blogger ID, etc). By permitting reporting on selectors, not users, this could obscure whether a report affects 30 identities of one customer or the accounts of 30 customers. Further, there’s a lot we still don’t know about what FISC might consider a selector (they have, in the past, considered entire telecom switches to be).

But it will begin to give us an outline of how often they’re using NatSec process as opposed to criminal process, which providers are getting primarily NSL orders and which are getting potentially more exotic FISC orders. Further, it will tell us more about what the government gets through the PRISM program, particularly with regard to metadata versus content.

Update: Apple’s right out of the gate with their report of fewer than 250 orders affecting fewer than 250 “accounts,” which doesn’t seem how they’re supposed to report using that option.

Update: Remember, Verizon issued a transparency report itself, just 5 days ago. Reporting under these new guidelines wouldn’t help them much as the government has bracketed whether it could release phone dragnet information. Moreover, Verizon is almost certainly one of the telecoms that provide upstream content; that would likely show up as just one selector, but it’s not clear how it gets reported.

6 Years Later, Are the Internet Companies Trying to Expose Telecoms Stealing Their Data, Again?

Update: And now this, too, has been halted because of the shutdown (h/t Mike Scarcella). This motion suggests the government asked the Internet companies for a stay on Friday. This one suggests the Internet companies asked the government for access to the classified information in the government filing, but the government told them they can’t consider that during the shut-down. 

As Time lays out, unlike several of the other NSA-related transparency lawsuits, the fight between the government and some Internet companies (Google, Yahoo, Facebook, Microsoft, and LinkedIn, with Dropbox as amicus) continues even under government shut-down. The government’s brief and declaration opposing the Internet bid for more transparency is now available on the FISA Court docket.

Those documents — along with an evolving understanding of how EO 12333 collection works with FISA collection — raise new questions about the reasons behind the government’s opposition.

When the Internet companies originally demanded the government permit them to provide somewhat detailed numbers on how much information they provide the government, I thought some companies — Google and Yahoo, I imagined — aimed to show they were much less helpful to the government than others, like Microsoft. But, Microsoft joined in, and it has become instead a showdown with Internet companies together challenging the government.

Meanwhile, the phone companies are asking for no such transparency, though one Verizon Exec explicitly accused the Internet companies of grandstanding.

In a media briefing in Tokyo, Stratton, the former chief operating officer of Verizon Wireless, said the company is “compelled” to abide by the law in each country that it operates in, and accused companies such as Microsoft, Google, and Yahoo of playing up to their customers’ indignation at the information contained in the continuing Snowden leak saga.

Stratton said that he appreciated that “consumer-centric IT firms” such as Yahoo, Google, Microsoft needed to “grandstand a bit, and wave their arms and protest loudly so as not to offend the sensibility of their customers.”

“This is a more important issue than that which is generated in a press release. This is a matter of national security.”

Stratton said the larger issue that failed to be addressed in the actions of the companies is of keeping security and liberty in balance.

“There is another question that needs to be kept in the balance, which is a question of civil liberty and the rights of the individual citizen in the context of that broader set of protections that the government seeks to create in its society.”

With that in mind, consider these fascinating details from the government filings.

  • The FBI — not the NSA — is named as the classification authority and submits the declaration (from Acting Executive Assistant Director Andrew McCabe) defending the government’s secrecy claims
  • The government seems concerned about breaking out metadata numbers from content (or non-content from non-content and content, as Microsoft describes it), even while suggesting this is about providing our “adversaries” hints about how to avoid surveillance
  • The government suggests some of what the Internet companies might disclose doesn’t fall under FISC’s jurisdiction

All of these details lead me to suspect (and this is a wildarsed guess) that what the government is really trying to hide here is how they use upstream metadata collection under 12333 to develop relatively pinpointed requests for content from Internet companies. If the Internet companies disclosed that, it would not only make their response seem much more circumscribed than what we’ve learned about PRISM, but more importantly, it would reveal how the upstream, unsupervised collection of metadata off telecom switches serves to target this collection.

The FBI as declarant

Begin with the fact that the FBI — and not NSA or ODNI — is the declarant here. I can think of two possible reasons for this.

One, that much of the collection from Internet companies is done via NSL or another statute for which the FBI, not the NSA, would submit the request. There are a number of references to NSLs in the filings that might support this reading. [Correction: FBI is not required to submit NSLs in all cases, but they are in 18 USC 2709, which applies here.]

It’s also possible, though, that the Internet companies only turn over information if it involves US persons, and that the government gets all other content under EO 12333. As with NSLs, the FBI submits applications specifically for US person data, not the NSA. But if that’s the case, then this might point to massive parallel construction, hiding that much of the US person data they collect comes without FISC supervision.

And remember — the FBI seems to have had the authority to search incidentally collected (presumably, via whatever means) US person data before the NSA asked for such authority in 2011.

There may be other possibilities, but whatever it is, it seems that the FBI would only be the classification authority appropriate to respond here if they are the primary interlocutor with the Internet companies — at least within the context of collection achieved under the FISA Court’s authority.

Breaking out metadata from content numbers and revealing “timing”

While the government makes an argument that revealing provider specific information would help “adversaries” to avoid surveillance, two other issues seem to be of more acute concern.

First, it suggests Google and Microsoft’s request to break out requests by FISA provision — and especially Microsoft’s request to “disclose separate categories for ‘non-content’ requests and ‘content and non-content requests” — brought negotiations to a head (see 2-3). This suggests we would see a pretty surprising imbalance there — perhaps (if my theory that the FBI goes to Internet companies only for US person data is correct) primarily specific orders (though that would seem to contradict the PRISM slide that suggested it operated under Section 702). It also suggests that the Internet companies may be providing either primarily content or primarily metadata, not both (as we might expect under PRISM).

The government is also concerned about revealing “the timing of when the Government acquires certain surveillance capabilities.” (see brief 19; the brief references McCabe’s discussion of timing, but the discussion is entirely redacted). That’s interesting because these are to a large extent (though not exclusively) storage companies. It may suggest the government is only asking for data stored in the Internet companies’ servers, not data that is in transit.

The FISC may not have jurisdiction over all this

Then there are hints that the FISC may not have jurisdiction over all the collection involving the Internet companies. That shows up in several ways.

First, in one spot (page 17) the government refers to the subject of its brief as “FISA proceedings and foreign intelligence collection.” In other documents, we’ve seen the government distinguish FISC-governed collection from collection conducted under other authorities — at least EO 12333. Naming both may suggest that part of the jurisdictional issue is that the collection takes place under EO 12333.

There’s another interesting reference to the FISC’s jurisdiction, where the government says it wants to reveal information on the programs “overseen by this Court.”

Although the Government has attempted to release as much information as possible about the intelligence collection activities overseen by this Court, the public debate about surveillance does not give the companies the First Amendment right to disclose information that the Government has determined must remain classified.

I’m increasingly convinced that the government is trying to do a limited hangout with the Edward Snowden leaks, revealing only the stuff authorized by FISC, while refusing to talk about the collection authorized under other statutes (this likely also serves to hide the role of GCHQ). If this passage suggests — as I think it might — that the Government is only attempting to release that information overseen by the FISC, then it suggests that part of what the Internet companies would reveal does not fall under FISC.

Then there are the two additional threats the government uses — in addition to gags tied to FISA orders — to ensure the Internet personnel not reveal this information: nondisclosure agreements and the Espionage Act.

I’m not certain whether the government is arguing whether these two issues — even if formulated in conjunction with FISA Orders — are simply outside the mandate of the FISC, or if it is saying that it uses these threats to gag people engaged in intelligence collection not covered by FISA order gags.

The review and construction of nondisclosure agreements and other prohibitions on disclosure unrelated to FISA or the Courts rules and orders fall far outside the powers that “necessarily result to [this Court] from the nature of [the] institution,” and therefore fall outside the Court’s inherent jurisdiction.

Whichever it is (it could be both), the government seems intent on staving off FISC-mandated transparency by insisting that such transparency on these issues is outside the jurisdiction of the Court.

There there’s this odd detail. Note that McCabe’s declaration is not sworn under oath, but is sworn under penalty of perjury under 18 USC 1746 (see the redaction at the very beginning of the declaration) . Is that another way of saying the FISA Court doesn’t have jurisdiction over this matter? [Update: One possibility is that this is shut-down related–that DOJ’s notaries who validate sworn documents aren’t considered essential.]

The PRISM companies and the poisoned upstream fruit

One more thing to remember. Though we don’t know why, the government had to pay the PRISM companies — that is, the same ones suing for more transparency — lots of money to comply with a series of new orders after John Bates imposed new restrictions on the use of upstream data. I’ve suggested that might be because existing orders were based on poisoned fruit, the illegally collected US person data collected at telecom switches.

That, too, may explain why PRISM company disclosure of the orders they receive would reveal unwanted details about the methods the government uses: there seems to be some relation between this upstream collection and the requests the Internet companies that is particularly sensitive.

As I have repeatedly recalled, back in 2007, these very same Internet companies tried to prevent the telecoms from getting retroactive immunity for their actions under Bush’s illegal wiretap program. That may have been because the telecoms were turning over the Internet companies’ data to the government.

They appear to be doing so again. And this push for transparency seems to be an effort to expose that fact.

Update: Microsoft’s Amended Motion — the one asking to break out orders by statute — raises the initial reports on PRISM, reports on XKeyscore, and on the aftermath of the 2011 upstream problems (which I noted above). It doesn’t talk about any story specifically tying Microsoft to Section 215. However, it lists these statutes among those it’d like to break out.

1These authorities could include electronic surveillance orders, see 50 U.S.C. §§ 1801-1812; phyasical search orders, see 50 U.S.C. §§ 1821-1829; pen register and trap and trace orders, see 50 U.S.C. §§ 1841-1846; business records orders, see 50 U.S.C. §§ 1861-1862; and orders and directives targeting certain persons outside the United States, see 50 U.S.C. §§ 1881-1881g. [my emphasis]

If I’m not mistaken, the motion doesn’t reference this article, which described how the government accessed Skype and Outlook, which you’d think would be one of the ones MSFT would most want to refute, if it could. But I’ve also been insisting that they must get Skype info for the phone dragnet, otherwise they couldn’t very well claim to have the whole “phone” haystack.

But the mention of Section 215 suggests they may be included in that order.

Also, we keep seeing physical search orders included in a communication arena. I wonder if that’s a storage issue.

Update: One more note about the MSFT Amended Motion. It lists where the people involved got their TS security clearances. MSFT’s General Counsels is tied to DOD; the lawyers on the brief all are tied to FBI.

One final detail on MSFT. Though the government brief doesn’t say this, MSFT is also looking to release the number of accounts affected by various orders, not just the number of targets (which is what the government wants to release). That’s a huge difference.

Also, the Nail Polish Remover Lobby Didn’t Challenge Section 215 Orders

The takeaway from the FISC opinion released today from about 6 outlets seems to be that no telecom has ever challenged a Section 215 order.

But the opinion actually says more than that. It says,

To date, no holder of records who has received an Order to produce bulk telephony has challenged the legality of such an Order. Indeed, no recipient of any Section 215 Order has challenged the legality of such an Order, despite the explicit statutory mechanism for doing so.

Now, if your bullshit antennae aren’t buzzing when you read that formulation, “no holder of records,” then you need to have them checked. Because it sure seems to allow for the possibility that someone whose customers had their records seized via someone deemed the actual holder of them objected. That entity, after all, wouldn’t be a Section 215 Order recipient, and therefore would have no standing to object, regardless of the statutory mechanism for doing so. (Plus, both EPIC and ACLU have — and had, by the time this order was written — objected. But they don’t count because they’re the actual customers.)

But remember, as far as we know, Section 215 has not been used for Internet metadata (except for subscriber information for the first 2 years of the program; see Verizon’s CEO bitching about the email companies his company stole data from for years complaining publicly about the dragnet). The one other big “customer base” we know has been targeted by bulk-ish orders are hydrogen peroxide and nail polish remover (acetone) purchasers.

However, there, too, like Internet providers whose data gets sucked up at a telecom provider’s switch, the actual beauty supply companies are unlikely to be the “holder of records.” The beauty of the Third Party doctrine, for the government, is it can always look elsewhere for people who have “records” that betray customers’ interests.

If only we had a powerful nail polish remover lobby we might be able to combat the dragnet.

Microsoft, Google, as Unimpressed as I Am with I Con’s New Data Release Promise

I showed earlier that the Director of National Intelligence’s promise to release certain information — much of which they’re already obligated to release — wasn’t all that impressive. As part of that, I noted that the DNI wasn’t providing data specific to each provider.

Moreover, the government doesn’t, apparently plan to release the number Google and Yahoo would like it to release, numbers which likely show how much more enthusiastic the well-lubricated telecoms are about providing this material than the less-well lubricated Internet providers. That is, the government isn’t going to (or hasn’t yet agreed to) provide numbers that show corporations have some leeway on how much of our data they turn over to the government.

It turns out, Microsoft and Google agree with me that the promised new release is none too impressive.

More importantly, they view it as a refusal — after serial delays from the government — to release that provider specific and content type specific information they want to release.

Yesterday, the Government announced that it would begin publishing the total number of national security requests for customer data for the past 12 months and do so going forward once a year.  The Government’s decision represents a good start.  But the public deserves and the Constitution guarantees more than this first step.  Read more

Not-So-Trusted Computing: German Government Worried About Windows 8 Risks

Microsoft’s “trusted computing platform.”

Microsoft’s “secure boot” technology.

The doublespeak almost writes itself these days. Whose “trusted computing”? Whose “platform”? And whose “secure boot”?

At least one government has expressed concerns in internal documents, buttressed by an unusual public statement in response to reports about the leaked documents.

According to German news outlet Die Zeit, internal documents from the Bundesamt fur Sicherheit in der Informationstechnik (Germany’s Federal Office for information Security – BSI) warn that Microsoft Windows 8’s Trusted Computing Platform poses a security risk.

The BSI issued a response, the first paragraph of which acknowledges the news reports; it also refers to an internal paper by the Bundeswirtschaftsministeriums (Germany’s Federal Ministry of Economics and Technology – BMWi) advising caution in using the Trusted Computing Platform. This may not be the first cautionary communication by the BMWi as it is not clear whether the paper referenced by the BSI today is the same internal paper issued on the subject in early 2012.

In the second paragraph, BSI denies it has issued any warning to private or public sector users, though this announcement doesn’t deny a warning might be warranted since government agencies are warning each other internally.

The third paragraph says that the Win 8 TCP (using Trusted Platform Module TPM 2.0) might offer improved security for some groups, though transparency should be offered by the manufacturer.

But the kicker is the fourth paragraph:

“From the BSI’s perspective, the use of Windows 8 combined with TPM 2.0 is accompanied by a loss of control over the operating system and the hardware used. As a result, new risks arise for the user, especially for the federal government and for those providing critical infrastructure. In particular, on hardware running Windows 8 that employs TPM 2.0, unintentional errors of hardware or the operating system, but also errors made by the owner of the IT system, could create conditions that prevent further operation of the system. This can even lead to both the operating system and the hardware employed becoming permanently unusable. Such a situation would not be acceptable for either the federal authorities or for other users. In addition, the newly-established mechanisms can also be used for sabotage by third parties. These risks must to be addressed.”[1]

“Loss of control over the operating system” isn’t a minor trifle. This suggests that any and all computers with this “feature” could go rogue and operate in contravention to the owners’ instructions, at the direction of some unseen entity on a network or by injection of an application through thumb drive, disk drive, CD, etc.

This also suggests that a Win 8 system using TPM 2.0 might well reject any attempts to use an alternative operating system — a so-called “secure boot” might cut off any application other than Win 8. For all intents and purposes, a machine with Win 8 and TPM 2.0 will operate to Microsoft’s orders and to the orders of whomever is ordering Microsoft these days. It’s not out of the question that Win 8 systems lacking valid TPM 2.0 might be prevented from accessing the internet or any other network.

Which begs the question: if Windows 8 and TPM 2.0 are installed, whose computer is it? Read more

The Shell Game: What is Microsoft Doing?

[graphic: Google Finance]

[graphic: Google Finance]

What is this so-called tech company doing?

Microsoft sees itself as going head-to-head with Apple and Google. The 10-year chart above comparing Microsoft, Apple, and Google stock tells us this has been a delusional perception.

It also sees itself in competition with IBM. Yet IBM surpassed it in market value two years ago, even after nearly a decade of ubiquity across personal computers in the U.S. and in much of the world. (IBM is included in that chart above, too.)

One might expect a sea change to improve performance, but is the shell game shuffling of Microsoft executives really designed to deliver results to the bottom line?

Tech and business sector folks are asking as well what is going on in Redmond; even the executive assignments seemed off-kilter. One keen analysis by former Microsoft employee Ben Thompson picked apart the company’s reorganization announcement last Thursday — coincidentally the same day the Guardian published a report that Microsoft had “collaborated closely” with the National Security Agency — noting that the restructuring doesn’t make sense.

The new organization pulls everything related to Windows 8 under a single leader, from desktop to mobile devices using the same operating system, migrating to a functional structure from a divisional structure. There are several flaws in this strategy Thompson notes, but a key problem is accountability.

To tech industry analysts, the new functional structure makes it difficult to follow a trail of failure in design and implementation for any single product under this functional umbrella.

To business analysts, the lack of accountability means outcomes of successful products hide failed products under the functional umbrella, diluting overall traceability of financial performance.

But something altogether different might be happening beneath the umbrella of Windows 8.

There’s only one product now, regardless of device — one ring to rule them all. It’s reasonable to expect that every single desktop, netbook, tablet, cellphone running on Windows 8 will now substantially be the same software.

Which means going forward there’s only one application they need to allow the NSA to access for a multitude of devices.

We’ve already learned from a Microsoft spokesman that the company informs the NSA about bugs or holes in its applications BEFORE it notifies the public.

It’s been reported for years about numerous backdoors and holes built intentionally and unintentionally into Microsoft’s operating systems, from Windows 98 forward, used by the NSA and other law enforcement entities.

Now Skype has likewise been compromised after Microsoft’s acquisition of the communications application and infrastructure for the purposes of gathering content and eavesdropping by the NSA, included in the PRISM program.

Given these backdoors, holes, and bugs, Microsoft’s Patch Tuesday — in addition to its product registration methodology requiring online validation of equipment — certainly look very different when one considers each opportunity Microsoft uses to reach out and touch business and private computers for security enhancements and product key validations.

Why shouldn’t anyone believe that the true purpose of Microsoft’s reorganization is to serve the NSA’s needs?

Tech magazine The Verge noted with the promotion of Terry Myerson to lead Windows — it’s said Myerson “crumples under the spotlight and is ungenerous with the press” — Microsoft doesn’t appear eager to answer questions about Windows.

As ComputerworldUK’s Glyn Moody asked with regard to collaboration with the NSA, “How can any company ever trust Microsoft again?”

If a company can’t trust them, why should the public?

The capper, existing outside Microsoft’s Windows 8 product: Xbox One’s Kinect feature is always on, in order to sense possible commands in the area where Kinect is installed.

ACLU’s senior policy analyst Chris Sogohian tweeted last Thursday, “… who in their right mind would trust an always-on Microsoft-controlled Xbox camera in their living room?”

One might wonder how often the question of trust will be raised before serious change is made with regard to Microsoft’s relationship with the NSA. With political strategist Mark Penn handling marketing for the corporation and Steve Ballmer still at the helm as CEO, don’t hold your breath.

Spying on Americans: A “Team Sport” Since 2004

Screen shot 2013-07-11 at 6.25.06 PMOne of the more colorful revelations in today’s Guardian scoop is the newsletter piece that describes increased sharing of PRISM (Section 702) data with FBI and CIA.

The information the NSA collects from Prism is routinely shared with both the FBI and CIA. A 3 August 2012 newsletter describes how the NSA has recently expanded sharing with the other two agencies.

The NSA, the entry reveals, has even automated the sharing of aspects of Prism, using software that “enables our partners to see which selectors [search terms] the National Security Agency has tasked to Prism”.

The document continues: “The FBI and CIA then can request a copy ofPrism collection of any selector…” As a result, the author notes: “these two activities underscore the point that Prism is a team sport!”

But that’s something that has actually been built into the program for years. While the Joint IG Report on the illegal wiretap program claimed,

NSA also was responsible for conducting the actual collection of information under the PSP and disseminating intelligence reports to other agencies such as the Federal Bureau of Investigation (FBI), the Central Intelligence Agency (CIA), and the Office of the Director of National Intelligence (ODNI) National Counterterrorism Center (NCTC) for analysis and possible investigation.

The Draft NSA IG Report explained,

Coordination with FBI and CIA. By 2004, four FBI integrees and two CIA integrees, operating under SIGINT authorities in accordance with written agreements, were co-located with NSA PSP-cleared analysts. The purpose of co-locating these individuals was to improve collaborative analytic efforts.

And the minimization procedures released by the Guardian (which date to 2009), make it clear NSA can provided unminimized content to CIA and FBI on whatever selectors they request.


(1) NSA may provide to the Central Intelligence Agency (CIA) unminimized communications acquired pursuant to section 702 of the Act. CIA will identify to NSA targets for which NSA may provide unminimized communications to CIA. CIA will process any such unminimized communications received from NSA in accordance with CIA minimization procedures adopted by the Attorney General, in consultation with the Director of National Intelligence, pursuant to subsection 702(e) of the Act.

(2) NSA may provide to the FBI unminimized communications acquired pursuant to section 702 of the Act. FBI will identify to NSA targets for which NSA may provide unminimized communications to the FBI. FBI will process any such unminimized communications received from NSA in accordance with FBI minimization procedures  adopted by the Attorney General, in consultation with the Director of National Intelligence, pursuant to subsection 702(e) of the Act.

And none of that should be surprising, given the tasking slide — above — that was first published by the WaPo. FBI, at least, is solidly in the midst of this collection, for a program deemed to be foreign intelligence collection.

There have been a variety of claims about all this team sport participation. But I’m not convinced any of them explain how all this works.

And in perhaps related news, the Fifth Circuit today said that Nidal Hasan could not have access to the FISA material on him, in spite of the fact that William Webster published a 150 page report on it last year. Legally, that material should be utterly distinct from PRISM, since a wiretap on Anwar al-Awlaki would require a specific FISA warrant (and the latest Guardian scoop refers to expanded cooperation since 2012). But I suspect the reason Hasan, the FISA evidence against whom has already been extensively discussed, can’t see it is because we would see what this actually looks like from the FBI side.

DOJ has to protect its team, you know.

The Evil Empire

Screen shot 2013-07-11 at 2.39.09 PM
The Guardian has its latest scoop on NSA spying, describing the extent to which Microsoft helps the government spy on its customers. This bullet list is just some of what the article reveals.

  • Microsoft helped the NSA to circumvent its encryption to address concerns that the agency would be unable to intercept web chats on the new portal;
  • The agency already had pre-encryption stage access to email on, including Hotmail;
  • The company worked with the FBI this year to allow the NSA easier access via Prism to its cloud storage service SkyDrive, which now has more than 250 million users worldwide;
  • Microsoft also worked with the FBI’s Data Intercept Unit to “understand” potential issues with a feature in that allows users to create email aliases;
  • Skype, which was bought by Microsoft in October 2011, worked with intelligence agencies last year to allow Prism to collect video of conversations as well as audio;
  • Material collected through Prism is routinely shared with the FBI and CIA, with one NSA document describing the program as a “team sport”.

But I’m as interested in some of the details about the cooperation as the impact of that cooperation.

For example, the story describes that this cooperation takes place through the Special Source Operations unit.

The latest documents come from the NSA’s Special Source Operations (SSO) division, described by Snowden as the “crown jewel” of the agency. It is responsible for all programs aimed at US communications systems through corporate partnerships such as Prism.

But we saw that when NSA approached (presumably) Microsoft in 2002, it did not approach via SSO; it used a more formal approach through counsel.

In addition, note how Skype increased cooperation in the months before Microsoft purchased it for what was then considered a hugely inflated price, and what is now being called (in other legal jurisdictions) so dominant that it doesn’t have to cooperate with others.

One document boasts that Prism monitoring of Skype video production has roughly tripled since a new capability was added on 14 July 2012. “The audio portions of these sessions have been processed correctly all along, but without the accompanying video. Now, analysts will have the complete ‘picture’,” it says.

Eight months before being bought by Microsoft, Skype joined the Prism program in February 2011.

According to the NSA documents, work had begun on smoothly integrating Skype into Prism in November 2010, but it was not until 4 February 2011 that the company was served with a directive to comply signed by the attorney general.

The NSA was able to start tasking Skype communications the following day, and collection began on 6 February. “Feedback indicated that a collected Skype call was very clear and the metadata looked complete,” the document stated, praising the co-operation between NSA teams and the FBI. “Collaborative teamwork was the key to the successful addition of another provider to the Prism system.”

While this isn’t as obvious as Verizon’s MCI purchase — which for the first time led that carrier to hand over Internet data — it does seem that those companies that cooperate with the NSA end up taking over their rivals.


Remember, the Department of Commerce plays some kind of role in ensuring that companies cooperate in protecting our critical infrastructure.

As of 2:30, Microsoft stock is at a high on the day.

Yahoo, the Law-Abiding Free Email Provider

[NSA presentation, PRISM collection dates, via Washington Post]The FISA Court has officially agreed to declassify that Yahoo was the company that challenged a Protect Amendment Act order in 2007.

Once this PRISM slide was published, it was always pretty likely that Yahoo — or maybe Google — was the company in question. Yahoo started complying around the time the FISC decision was reached; Google joined in after the FISCR decision was unsealed.

Which leaves … Microsoft, which started cooperating before the law and then the FISA Court forced it to (though collection may not have begun until after PAA passed and, as Rayne has pointed out, Microsoft’s code was being exploited by the government for entirely different purposes in precisely that timeframe).

Now might be a good time to review what happened with the 7 companies the government asked to participate in an illegal wiretap program based solely on the President’s say-so. Per the 2009 NSA Draft IG Report, the companies are:

  • Telecoms A, B, and C (probably AT&T, Verizon, and — definitely– MCI, respectively, since they were the 3 telecoms working onsite at FBI’s direct access office under another program). These companies were approached by people from NSA’s Special Source Operations unit as soon as the program was approved, and they agreed to participate “voluntarily.” In 2003, MCI got cold feet and demanded a letter from John Ashcroft stating that the request was lawful, in which he “directed” them to comply with NSA’s requests.
  • Telecom E (Qwest). It was approached by SSO personnel in 2002, purportedly for collections related to the Olympics. After some discussion, Qwest’s General Counsel decided to not support the operation.
  • Internet Provider D (probably Microsoft). This company was approached by “NSA legal and operational personnel” (not SSO) in September 2002. In response, this company provided “minimal” support, spanning roughly from October 9, 2002 through just after September 11, 2003. No person at this company was ever cleared to store letters from the NSA.
  • Internet Provider F (probably Yahoo). This company was approached in October 2002 by NSA legal and operational personnel. In response to NSA’s request, Internet Provider F asked for a letter from Attorney General Ashcroft certifying the legality of the program. While in December 2002, NSA’s Commercial Technologies Group through Internet Provider F was participating, NSA’s GC says they did not because of corporate liability concerns.
  • Private Sector Company G. This company was approached in April 2003 by NSA legal and operational personnel. This company’s GC said he or she wanted to consult outside counsel. NSA chose to drop the request. I have no idea what company this would be (CISCO?); any thoughts?

Here’s what these companies provided:

Screen shot 2013-06-29 at 3.33.46 PM

This table tells us a great deal about the program–and also the legal problems behind it.

Internet provider D — the one of two that cooperated — only did so for 7 months in 2003, and only provided Internet content (probably primarily Hotmail emails), not metadata.

Which left the government to get the other Internet data off of AT&T and Verizon’s switches (we know C is MCI because February 2005 is when Verizon bought it, which explains why it started handing over Internet content and metadata then). As the IG Report explains,

A, B, and C provided access to the content of Al Qaeda and Al Qaeda-affiliate email from communication links they owned and operated.


The last category of private sector assistance was access to Internet Protocol (IP) metadata associated with communications of al Qaeda (and affiliates) from data links owned or operated by COMPANIES A, B, and C.

In other words, Microsoft and Yahoo, the biggest free email providers, were not crazy about providing content (though one, probably Microsoft, did for a period). And they were completely unwilling to provide IP metadata.

So the government just went to AT&T and Verizon’s switches and took it there.

Read more

Why Would You Segregate the FISA Orders, But Not the Directives?

The FBI, according to Eli Lake, thinks someone besides Edward Snowden may be responsible for leaking the Section 215 order to Verizon ordering them to turn over the metadata on all their American customers’ calls. They claim to think so because digital copies of such orders exist in only two places: computers at the FISA Court and FBI’s National Security Division that are segregated from the Internet. (Note: where Lake says “warrant” in this passage, he means “order.”)

Those who receive the warrant—the first of its kind to be publicly disclosed—are not allowed “to disclose to any other person” except to carry out its terms or receive legal advice about it, and any person seeing it for those reasons is also legally bound not to disclose the order. The officials say phone companies like Verizon are not allowed to store a digital copy of the warrant, and that the documents are not accessible on most NSA internal classified computer networks or on the Joint Worldwide Intelligence Communications System, the top-secret internet used by the U.S. intelligence community.

The warrants reside on two computer systems affiliated with the Foreign Intelligence Surveillance Court and the National Security Division of the Department of Justice. Both systems are physically separated from other government-wide computer networks and employ sophisticated encryption technology, the officials said. Even lawmakers and staff lawyers on the House and Senate intelligence committees can only view the warrants in the presence of Justice Department attorneys, and are prohibited from taking notes on the documents.

Now, when the order first leaked, I actually suspected the leaker might be in this general vicinity. If that’s right, then I also suspect the FBI is interested in finding this person because he or she would be reacting to the FBI’s own wrong-doing on another matter. Heck, the FBI could conduct a manhunt in this general vicinity just for fun to make sure their own wrong-doing doesn’t get exposed.

Such is the beauty of secret counterintelligence investigations.

That said, Lake’s reporting is an example of something I suggested in the first day of this leak: we’re going to learn more about how the NSA works from leaks about the investigation of it than from the leaks themselves.

And this story provides a lot of evidence that the government guards its generalized surveillance plans more jealously than it guards it particularized surveillance targets. (See this post for a description of the difference between orders and directives specifying targets.)

Consider what kinds of documents the FISA Court produces:

  • Standing Section 215 orders such as the Verizon one in question
  • Particularized Section 215 orders; an example might be an order for credit card companies and Big Box stores to turn over details on all purchases of pressure cookers in the country
  • FISA Amendments Act orders generally mapping out the FAA collection (we don’t know how detailed they are; they might describe collection programs at the “al Qaeda” and “Chinese hacker” level, or might be slightly more specific, but are necessarily pretty general)
  • Particularized FISA warrants, targeted at individual US persons (though most of this spying, Marc Ambinder and others have claimed, is conducted by the FBI under Title III)

Aside from those particularized warrants naming US persons, FISA Court doesn’t, however, produce (or even oversee) lists of the great bulk of people who are being spied on. Those are the directives NSA analysts draw up on their own, without court supervision. Those directives presumably have to be shared with the service providers in some form, though all the reporting on it suggests they don’t see much of it. But, Lake’s remainder that Google’s list of surveillance targets had been hacked by China to identify which of its agents in the US we had identified and were surveilling makes it clear they do get the list in some form.

In April, quoted Microsoft’s Dave Aucsmith, the senior director of the company’s Institute for Advanced Technology in Governments, saying a 2009 hack of major U.S. Internet companies was a Chinese plot to learn the targets of email and electronic surveillance by the U.S. government. In May, the Washington Post reported Chinese hackers had accessed a Google database that gave it access to years’ worth of federal U.S. surveillance records of counter-intelligence targets.

But the prior hack makes obvious something that has been apparent since the Verizon order leaked: China doesn’t have much use for information that shows NSA is compiling a database of all calls made in the US. It does, however, have a great use for the list of its spies we’ve identified.

What this report seems to suggest, among other things (including that the Congressional committees don’t have enough scrutiny over these orders because they’re not allowed to keep their own copy of them), is that details on the particularized spying is more widely dispersed, in part because it has to be. Someone’s got to implement that particularized spying, after all, and that requires communication that traverses multiple servers.

But the generalized stuff — the stuff the FISA Court actually oversees — is locked up in a vault like the family jewels.

You might ask yourself why the government would go to greater lengths to lock up the generalized stuff — the stuff that makes it clear the government is spying on Americans — and not the particularized stuff that has far more value for our adversaries.

Update: After the hearing today, Keith Alexander said Snowden is the source of the order, and he got it during training at Fort Meade.

Alexander told reporters after a House Intelligence Committee hearing that the man who’s acknowledged being the source of the recent leaks, Booz Allen Hamilton information technology specialist Edward Snowden, had access to the Foreign Intelligence Surveillance Court order and related materials during an orientation at NSA.

“The FISA warrant was on a web server that he had access to as an analyst coming into the Threat Operations Center,” Alexander said. “It was in a special classified section that as he was getting his training he went to.”

Which suggests the leaking about someone in the FISA Court may, as I thought, be an effort to impugn people in the vicinity of the court the FBI would like to shut up.