
Ron Wyden Hints at How the Intelligence Community Hides Its Web Tracking Under Section 215

Ron Wyden had an amendment to Section 215 that would have limited the use of that provision to obtain web traffic information. It fell one vote short in the Senate, partly because Nancy Pelosi whipped Tom Carper against it and partly because two Senators (Bernie Sanders and Patty Murray) didn’t get back for a vote. In an effort to resuscitate the amendment in the House under Zoe Lofgren and Warren Davidson’s leadership (which would surely pass if Section 215 got bounced back to the Senate), Ron Wyden released a letter to Ric Grenell trying to force some transparency about how the IC hides the scope of the use of Section 215 to get web search and Internet traffic information.

The letter asks Grenell to explain how Section 215 orders served on IP addresses, rather than email addresses, might get counted in transparency provisions.

How would the government apply the public reporting requirements for Section 215 to web browsing and internet searches? In this context, would the target or “unique identifier” be an IP address?

If the target or “unique identifier” is an IP address, would the government differentiate among multiple individuals using the same IP address, such as family members and roommates using the same Wi-Fi network, or could numerous users appear as a single target or “unique identifier”?

If the government were to collect web browsing information about everyone who visited a particular website, would those visitors be considered targets or “unique identifiers” for purposes of the public reporting? Would the public reporting data capture every internet user whose access to that website was collected by the government?

If the government were to collect web browsing and internet searches associated with a single user, would the public reporting requirement capture the scope of the collection? In other words, how would the public reporting requirement distinguish between the government collecting information about a single visit to a website or a single search by one person and a month or a year of a person’s internet use?

Wyden here lays out three use cases for how the IC might (one should assume does) use Section 215 to get web traffic.

  • An order in which an IP address used by multiple people is the target
  • An order collecting all the people who visit a particular website
  • An order collecting all the web browsing and internet searches of a single user

The government is required to report:

(5) the total number of orders issued pursuant to applications made under section 1861(b)(2)(B) of this title and a good faith estimate of—

(A) the number of targets of such orders; and

(B) the number of unique identifiers used to communicate information collected pursuant to such orders;

Taking each of his three scenarios, here’s what I believe the government would report.

An order in which an IP address used by multiple people is the target

In the first scenario, the government is trying to obtain everyone who “uses” a particular IP address. The scenario laid out by Wyden is a WiFi router used by family or friends, but both because the House Report prohibited such things in 2015 and because DOJ IG has raised questions about targeting everyone who uses a Friends and Family plan, I doubt that’s what the IC really does.

Rather, I suspect this is about VPNs and other servers that facilitate operational security. The government could hypothetically obtain four orders a year getting “VPNs,” requiring providers of each of the 10 major VPNs in the country to provide the IP addresses of all the incoming traffic, which would show the IP addresses of everyone who was using their location-obscuring traffic.

In such a case, the targeted VPN IP addresses wouldn’t be communicating information at all. The users would get no information back. Therefore, the IC would only report the number of targets of such orders. If the “target” were defined as VPN, the number would be reported as 4 (for each of the 4 orders); if the “target” were defined as the specific VPN providers, the number of targets would be reported as 10.

The IC would entirely hide the number of individual Americans affected.

An order collecting all the people who visit a particular website

This application would seek to learn who visited a particular website. The classic case would be Inspire magazine, the AQAP propaganda. But I could also see how the IC might want to collect people who visit WikiLeaks’ submission page, or any number of sites that would offer information of interest to foreign spies (even DNI’s report on surveillance collection!). In such a use case, the government might ask not for the information provided to the user, but instead the incoming IP addresses of every request to the website. Again, this would not reflect a communication of information (and certainly not to the end user), so would not be reported under 5B.

If the targets were defined as “AQAP propaganda sites,” Inspire and all its affiliates might be reported as just one target (or might even be counted on a more generalized 215 order targeting AQAP or WikiLeaks, and so not as a unique 215 order at all).

The end users here would, again, not be counted if the collection request deliberately asked for something that did not “communicate information,” though I’m not sure precisely what technical language the government would use to accomplish this.

An order collecting all the web browsing and internet searches of a single user

This use case would ask how a 215 order targeting an individualized target (like Carter Page) shows up in transparency reports. If this were an order served on Google targeting a single account identifier for Google (say, Page’s Gmail account), the government might treat that Gmail identifier as the unique identifier, even though the government was getting information on every time this unique identifier obtained information.

Even in the criminal context, prosecutors don’t always target Google histories (for example, they did not with Joshua Schulte, and so got Google searches going back to before he joined the CIA). In the intelligence context, the FBI is given even more leeway to obtain everything, based off the logic that it’s harder to find clandestine activity.

In other words, Wyden has pointed to three use cases, all of which the IC is surely using, and existing transparency reporting requirements would entirely obscure the impact of each of them.

Tuesday Morning: Chasing the Clouds Away

Hope by this afternoon all the major thoroughfares are clear and transportation nearly back to normal along the east coast. You’d think by now we’d have developed and installed self-maintaining highways that melt ice and snow, right?

For now, let’s dig.

A former Goldman Sachs exec parts company with CenturyLink
They called it “creating an environment that was unproductive,” and maybe it was — a diversified telecom organization may not be a great fit for an investment banker, leading to some less-than-productive discussions. But a nearly unanimous vote said Joseph Zimmel, retired GS exec, should not apply for re-election to CenturyLink’s board of directors. Wonder if the rumored-but-not-completed acquisition of Rackspace had anything to do with this rocky situation?

Retail Mixed Bag: Wal-Mart retrenches, Staples rethinks, Shoes.com kicks butt
The Arkansas-based retailer is closing up its 102 Wal-Mart Express stores, as well as a few of its full-sized stores. Were the smaller stores simply too much overhead, or were they cannibalizing sales from larger stores, or did Amazon finally cut into Wal-Mart’s sales enough that Wal-Mart needed to reduce?

Staples, one of the two largest big box office supply retailers, changed up some of its senior management while indicating it may back out of its proposed merger with the other mega office supply retailer, Office Depot. The merger has not received approval yet from the USDOJ. This unresolved deal may be a bigger liability in terms of expense by now, especially when all retail sales have slowed down.

Shoes.com is looking for cash to make some acquisitions. This Canadian online shoe retailer is bucking the retail trend with a strong uptick in sales in spite of stiff competition from Zappos and Amazon.

All three retailers mirror a turn-down in consumption — even Shoes.com. If retail was doing well, there’d be less need to close brick-and-mortar stores or buy up market share.

Six GOP Senators suck up to ISPs while annoying broadband users
Quel surprise: a handful of GOP Senators sent a letter to the FCC saying that standard broadband speeds are arbitrary, and most users don’t need the current baseline speed.

I’d like to know why some tech media won’t name names. Fortunately, The Hill listed the signatories. Senators Roy Blunt (MO), Steve Daines (MT), Deb Fischer (NE), Cory Gardner (CO), Ron Johnson (WI) and Roger Wicker (MS) wrote,

“Looking at the market for broadband applications, we are aware of few applications that require download speeds of 25 Mbps … Netflix, for example, recommends a download speed of 5 Mbps to receive high-definition streaming video, and Amazon recommends a speed of 3.5 Mbps.”

The stupid, it burns almost as much as the visible corporate whoring. Like nobody in their world has multiple users in a household sharing service or online gamers or emerging technology which does need increasingly higher speeds. Hope these folks aren’t on committees for cybersecurity issues — wait, what? Every one of these six dipschitz is on the Senate Commerce Subcommittee on Communications, Technology, Innovation, and the Internet. ~screaming into pillow~

I can’t with this. I must change gears or go insane. Keep the wheels on the road, kids.