Google’s Payoff from DOD: 20 Cheap Fuel Flights to Tortola

Given that I’m very interested in the carrots and sticks the government uses to get tech companies to help spy on us, I find it rather interesting that from 2007 until August 31, DOD was allowing Google to pay for jet fuel at Moffett Field near Google’s HQ in Mountain View at DOD’s substantially discounted rate.

Granted, this arose because Google provided a light airplane to perform scientific flights for Ames Research Center.

NASA officials have pointed to a related agreement by the Google executives to perform scientific flights and other NASA-related transport. That mostly has involved flights by an Alpha jet, a small trainer bought by the Google executives and used by NASA to measure atmospheric greenhouse gases and ozone.

[snip]

[T]he contract between H211 and the Pentagon stated that the fuel was supposed to be used only “for performance of a U.S. government contract, charter or other approved use,” and said violations could trigger civil or criminal penalties. There is no indication of any such investigation.

Flight records from the Federal Aviation Administration suggest that the vast bulk of the flights by the Google executives’ fleet have been for non-NASA purposes.

The main jets in the fleet—a Boeing 767, Boeing 757 and four Gulfstream V’s—have departed from Moffett a total of 710 times since 2007, FAA records show. The most frequent destinations were Los Angeles and New York, but the planes also flew 20 times to the Caribbean island of Tortola; 17 to Hawaii; 16 to Nantucket, Mass.; and 15 to Tahiti.

This agreement went into place before Google joined PRISM, for example (though I’m sure Google was already helping NSA on its storage challenges before that). Though I really look forward to Google defending these fuel purchases because so much of what they do is “for performance of a U.S. government contract.”

This is peanuts to a company as rich as Google; access to the airport is probably worth more to Google execs than the cheap gas.

Still, it’s a perk. The kind of perk that might explain why Eric Schmidt believes all this spying is just the nature of society. (h/t Kevin Gosztola)

There’s been spying for years, there’s been surveillance for years, and so forth, I’m not going to pass judgment on that, it’s the nature of our society.

Spying is the nature of society in the same way as special perks for those who help in it, after all.

ACLU [and congress] Has Standing to Know What It Is Debating


In superb news, the FISA Court has agreed to release to ACLU whatever Section 215 opinions are not already covered by a 2011 FOIA suit ACLU filed in Southern District of New York.

 In an important decision, the Foreign Intelligence Surveillance Court ordered the government to review for release the court’s opinions on the meaning, scope, and constitutionality of Section 215 of the Patriot Act. The ruling is on a motion filed by the American Civil Liberties Union, the ACLU of the Nation’s Capital, and Yale Law School’s Media Freedom and Access Information Clinic. Section 215, which authorizes the government to obtain “any tangible things” relevant to foreign-intelligence or terrorism investigations, is the claimed legal basis for the NSA’s mass phone records collection program.

“We are pleased that the surveillance court has recognized the importance of transparency to the ongoing public debate about the NSA’s spying,” said Alex Abdo, staff attorney with the ACLU National Security Project. “For too long, the NSA’s sweeping surveillance of Americans has been shrouded in unjustified secrecy. Today’s ruling is an overdue rebuke of that practice. Secret law has no place in our democracy.”

The decision was based on a determination that, since ACLU is so central in these debates, it has standing to make such a request.

The Court ordinarily would not look beyond information presented by the parties to find that a claimant has Article III standing. In this case, however, the ACLU’s active participation in the legislative and public debates about the proper scope of Section 215 and the advisability of amending that provision is obvious from the public record and not reasonably in dispute. 11 Nor is it disputed that access to the Section 215 Opinions would assist the ACLU in that debate. The Court therefore concludes that the ACLU has satisfied that requirement. See, Ohio Citizen Action v. City of Englewood, 671 F.3d 564, 579 (6th Cir. 2012). Accordingly, the Court finds that the withholding from the ACLU of the Section 215 Opinions constitutes a concrete and particularized injury in fact to the ACLU for purposes of Article III standing.

11 See e.g., Michelle Richardson, Legislative Counsel, ACLU Washington Legislative Office, Misdirection: The House Intelligence Committee’s Misleading Patriot Act Talking Points (June 20, 2013) (https://www.aclu.org/blog/national-security/misdirection-house-intelligencecommittees-misleading-patriot-act-talking); Testimony of Jameel Jaffer, Deputy Legal Director of the ACLU Foundation, and Laura W. Murphy, Director, Washington Legislative Office, ACLU, before the Senate Judiciary Committee Hearing on Strengthening Privacy Rights and National Security:

In truth, after Monday’s document dump, this decision may be more about precedent than expanded releases. Because it is limited to substantive decisions on Section 215 — and wouldn’t include every time a judge pulls more hair out upon being informed of yet another “violation” — there may not be many more decisions to release (unless, as I have wondered, there have been significant violations since 2009).

But there is another part of this decision that may be even more important, from the standpoint of precedent. It gives this brief nod to the amici, calling out the Members of Congress specifically (the other amici were journalism organizations, which, like the third party with ACLU, Media Freedom and Information Access Clinic, might have been denied standing), for its claim to standing.

Assuming that there are such Section 215 Opinions that are not at issue in the FOIA litigation, movants and amici have presented several substantial reasons why the public interest might be served by their publication.

[snip]

Congressional amici emphasize the value of public information and debate in representing their constituents and discharging their legislative responsibilities.

Remember, the Congressional amici argued they can’t do their job without being able to discuss public FISC opinions.

Notwithstanding the compelling public interest in an open debate about the scope and propriety of government surveillance programs authorized under FISA, even the amici — Members of the U.S. Congress — cannot meaningfully participate in that public debate so long as this Court’s relevant decisions and interpretations of law remain secret.

Imagine the Administration Lying to Congress about the Dragnet


In a piece bemoaning the possibility that the dragnet programs created in secret might be scaled back now that citizens know what they entail, Ben Wittes lets his imagination run wild.

Imagine you were a high-level decision-maker in a clandestine intelligence agency. Imagine that you had played by the rules Congress had laid out for you, worked with oversight mechanisms to fix errors when they happened, and erected strict compliance regimes to minimize mistakes in a mind-bogglingly complex system of signals intelligence collection. Imagine further that when the programs became public, there was a firestorm anyway. Imagine that nearly half of the House of Representatives, pretending it had no idea what you had been doing, voted to end key collection activity. Imagine that in response to the firestorm, the President of the United States—after initially defending the intelligence community—said that what was really needed was more transparency and described the debate as healthy. Imagine that journalists construed every fact they learned in light of the need to keep feeding at the trough of a source who had stolen a huge volume of highly classified materials and taken it to China and Russia. [my emphasis]

Now, Ben sets up a few straw men here: journalists may have gotten some details wrong, but they’re probably doing better on accuracy than the Agencies that have all the information at hand, which continue to tell easily demonstrable lies. He suggests Obama is interested in debate, despite abundant evidence to the contrary. He excuses the NSA’s compliance problems because of complexity, when they introduced that complexity to make programs do what they legally weren’t supposed to (for example, allowing illegal access via 3 other systems and by 3 other agencies and inventing a pre-archive archive to skirt the rules in the case of the phone dragnet program). He suggests the NSA played by Congress’ rules, when in fact the FISC sets rules, and it says the government has repeatedly violated those rules and “misrepresented” claims about doing so.

But those straw men are nothing compared to the claim that those in the House who voted to defund the phone dragnet were “pretending it had no idea what you had been doing.”

The record shows that the 2011 PATRIOT Act extension was passed with the support of 65 people — enough to make the difference in the vote — who had had no opportunity to learn about the Section 215 dragnet except at hearings that didn’t provide notice of what they would present. Moreover, the record shows that when someone at one of (the only one of?) those hearings asked a question specifically designed to learn about problems with the dragnet, here’s what happened.

Comment — Russ Feingold said that Section 215 authorities have been abused. How does the FBI respond to that accusation?

A — To the FBI’s knowledge, those authorities have not been abused.

Then FBI Director Robert Mueller and then-General Counsel Valerie Caproni (the Administration waited to release the dragnet materials Monday almost until the second Caproni got confirmed to lifetime tenure as a judge) gave that answer in spite of the fact that Mueller had to submit a declaration to Judge Reggie Walton to explain why the program was important enough to keep in spite of the many abuses. Walton ordered that declaration, in part, because the government’s explanations about their gross violations “strain[] credulity,” according to Walton. And one of the abuses involved FBI getting access to this data directly.

But FBI knows nothing, Colonel Klink.

And even in what notice the government made somewhat available to Congress (but which Mike Rogers did not pass on), it provided just a one paragraph description of the abuses that would take a page to lay out in skeleton bullet form.

In other words, the record shows that many of those who voted against the dragnet in fact had no idea what the government had been doing, both about the dragnet itself, and about the abuses of the dragnet program.

And note, when almost half the House voted to defund the dragnet, they still hadn’t been informed of the full extent of these abuses (because the Administration was withholding the relevant opinions).

Congress is moving to rein in a program that the Executive Branch operated illegally for 5 years, then operated with FISC sanction for 7 years while abusing the terms of that sanction for at least 3 years. In Wittes’ imagination, that’s a bad thing.

Update: Also note Valerie Caproni got briefed on these abuses January 23, 2009.

Obama’s James Clapper’s Committee To Make You Love the Dragnet Has a Kiddie Table

Spencer Ackerman has a review of how the first two meetings of Obama’s Non-Tech Tech Review panel have gone. And while they went about as horribly as I suspected — certainly there was no talk of actually fixing obvious problems with the dragnet — there are a few details that show how “most exceptional” this effort is.

The White House, having taken pains to pretend James Clapper is not in charge of the Director of National Intelligence Review Group on Intelligence and Communications Technologies, referred comment to James Clapper.

The White House deferred comment to the Office of the Director of National Intelligence, which did not respond.

The Non-Tech Tech Review Panel comes with a kiddie table — or rather, a conference room almost two miles away from the White House, where the tech giants got to eat.

During its first round of meetings, the panel, known as the Review Group on Intelligence and Communications Technology, separated two groups of outside advisers. One group included civil libertarian organizations such as the ACLU and the Electronic Privacy Information Center. It met in a conference room on K and 20th Streets. Morell and Clarke did not attend.

The other, which met in the White House Conference Center, included technology companies that have participated – sometimes uneasily and at court behest – in NSA surveillance. All five panel members participated.

I’m not surprised the CIA’s representative on the Committee to Make You Love the Dragnet refused to be seen at the kiddie table with civil libertarians. But Richard Clarke?

Finally, the tech companies appear not to have sent tech experts.

The meeting itself struck [New America Foundation VP Sascha] Meinrath as bizarre. Representatives from the technology firms were identified around the table not by their names, but by placards listing their employers. There was minimal technical discussion of surveillance mechanisms despite the presence of technology companies; Meinrath took the representatives to be lawyers, not technologists.

When it appeared like the meeting would discuss a surveillance issue in a sophisticated way, participants and commissioners suggested it be done in a classified meeting.

Apparently, Cass Sunstein didn’t even have to get caught proposing weird conspiracy theories to make this thing a laughingstock.

NSA’s Corruption of Cryptography and Its Methods of Coercion


I want to return to last week’s Edward Snowden related scoop (Guardian, ProPublica/NYT) that the NSA has corrupted cryptography. Remember, there are several reasons the story was important:

  • NSA lost the battle for the Clipper Chip and turned instead to achieve the same goals via means with less legal sanction
  • NSA broke some companies’ encryption by “surreptitiously stealing their encryption keys or altering their software or hardware”
  • NSA also worked to “deliberately weaken[] the international encryption standards adopted by developers”

One key result of this — as Rayne and Julian Sanchez have emphasized — is to make everyone more exposed to hackers.

This is a bit like publishing faulty medical research just to prevent a particular foreign dictator from being cured. It makes everyone on the Internet more vulnerable, increasing the chances that dissidents will be uncovered by despotic regimes and that corporations will fall victim to cybercriminals.

[snip]

Bear this in mind the next time you see people on Capitol Hill wringing their hands about the threat of a possible “Digital Pearl Harbor”—especially if they think the solution is to give more data and authority to the NSA. Because the agency is apparently perfectly happy to hand weapons to criminals and hostile governments, as long as it gets to keep spying too.

And since then, the NSA has responded to rampant cyberattacks and threats of them against targets it cares about by demanding yet more access to those targets’ data, as explained by Shane Harris in a Keith Alexander profile.

Under the Defense Industrial Base initiative, also known as the DIB, the NSA provides the companies with intelligence about the cyberthreats it’s tracking. In return, the companies report back about what they see on their networks and share intelligence with each other.

Pentagon officials say the program has helped stop some cyber-espionage. But many corporate participants say Alexander’s primary motive has not been to share what the NSA knows about hackers. It’s to get intelligence from the companies — to make them the NSA’s digital scouts. What is billed as an information-sharing arrangement has sometimes seemed more like a one-way street, leading straight to the NSA’s headquarters at Fort Meade.

“We wanted companies to be able to share information with each other,” says the former administration official, “to create a picture about the threats against them. The NSA wanted the picture.”

After the DIB was up and running, Alexander proposed going further. “He wanted to create a wall around other sensitive institutions in America, to include financial institutions, and to install equipment to monitor their networks,” says the former administration official. “He wanted this to be running in every Wall Street bank.”

That aspect of the plan has never been fully implemented, largely due to legal concerns. If a company allowed the government to install monitoring equipment on its systems, a court could decide that the company was acting as an agent of the government. And if surveillance were conducted without a warrant or legitimate connection to an investigation, the company could be accused of violating the Fourth Amendment. Warrantless surveillance can be unconstitutional regardless of whether the NSA or Google or Goldman Sachs is doing it.

“That’s a subtle point, and that subtlety was often lost on NSA,” says the former administration official. “Alexander has ignored that Fourth Amendment concern.”

With all that as background, I want to return to a post I did months ago, laying out the methods the Presidential Policy Directive on Cyberwar envisioned for getting cooperation from private companies. It defines four kinds of access to private computer networks:

  • Network defense, which is what network owners do or USG (or contractors) do at their behest to protect key networks. I assume this is like anti-virus software on steroids.
  • Cyber collection that, regardless of where it occurs, is done in secret. This is basically intelligence gathering about networks.
  • Nonintrusive Defensive Countermeasures, which are more active defensive attacks, but ones that can be or are done with the permission of the network owners. This appears to be the subset of Defensive Cybereffects Operations that, because they don’t require non-consensual network access, present fewer concerns about blowback and legality.
  • Defensive Cybereffects Operations, which are the entire category of more active defensive attacks, though the use of the acronym DCEO appears to be limited to those defensive attacks that require non-consensual access to networks and therefore might cause problems. The implication is they’re generally targeted outside of the US, but if there is an imminent threat (that phrase again!) they can be targeted in the US.

In the area of cyberdefense or offense (remember, this is an overlapping part of NSA’s mission with cryptography) the government envisions collecting information (because cryptography overlaps with this mission, this might be included in that secret data collection) without a network owner’s consent, conducting defensive measures with a network owner’s consent, or conducting defensive measures without a network owner’s consent (the latter is only supposed to happen in the US with the President’s authorization).


Information Sharing with Israel Raises Questions about Efficacy of NSA’s Minimization Procedures


The Guardian’s latest Edward Snowden story yesterday reported that an information sharing Memorandum of Understanding written sometime after March 2009 laid out the sharing of unminimized US collections with Israel. The agreement appears to newly share such unminimized content based on unenforceable assurances from Israel that it will minimize US person data and destroy any communication involving a US government official.

Whatever else this story may do, it casts serious questions on the efficacy of the minimization procedures that lie at the core of FISA Court oversight over the government’s spying program.

NSA’s minimization procedures in place (per a date stamp) on July 29, 2009 only allow the government to distribute unminimized data to foreign governments for cryptanalysis or translation. And they require the foreign government to return the data once it has provided assistance.

Dissemination to foreign governments will be solely for translation or analysis of such information or communications, and assisting foreign governments will make no use of any information or communication of or concerning any person except to provide technical and linguistic assistance to NSA.

[snip]

Upon the conclusion of such technical or linguistic assistance to NSA, computer disks, tape recordings, transcripts, or other items or information disseminated to foreign governments will either be returned to NSA or be destroyed with an accounting of such destruction made to NSA.

But the information sharing agreement with Israel not only envisions it keeping this data (with the requirement that it “strictly limit access … to properly cleared ISNU personnel and properly cleared members of Israeli intelligence services”) but also circulating it, so long as it complies with an unenforceable promise to minimize US person data.

Disseminate foreign intelligence information concerning U.S. persons derived from raw SIGINT provided by NSA — to include any release outside ISNU in the form of reports, transcripts, gists, memoranda, or any other form of written oral document or transmission — only in a manner that does not identify the U.S. person.

The only data that the US requires Israel destroy is that involving US government personnel.

Destroy upon recognition any communication contained in raw SIGINT provided by NSA that is either to or from an official of the U.S. Government. “U.S. Government officials” include officials of the Executive Branch (including the White House, Cabinet Departments, and independent agencies); the U.S. House of Representatives and Senate (members and staff); and the U.S. Federal Court system (including, but not limited to the Supreme Court).

So unless the government canceled this agreement just 4 months after it reached it, it means the NSA misrepresented to the FISA Court the legal and privacy implications of the collection the court approved based on those minimization procedures. The court approved broad collections based on the understanding minimization would be strictly enforced, but here we learn it has been outsourced to a foreign government in terms that don’t seem to abide by the minimization procedures themselves.


Working Thread: Section 215 Dragnet Document Dump, Part II


This is part of a working thread on yesterday’s Section 215 dragnet. Part I is here. The documents are here.


IG Report

(i) Note that the cover letter was signed by the Acting IG, Brian McAndrew, but the report itself was signed by Joel Brenner.

(3) The IG Report uses a lot of passive voice where it should assign some responsibility for implementing controls.

(4) Note this recommendation is redacted but almost certainly is S 215 or S 332, based on the distribution list.

(4) Note the definition of processing.

(8) Note the finding that the info assurance was adequate turned out to be wrong, as people were just wandering into this database.

(9) The audits OIG was supposed to conduct didn’t happen, per the description on page 31 of the Alexander declaration. This is sort of a big deal. Was OIG excluded (as they had been under the illegal program)? Or did they just not do their job?

(13) Note the review started immediately after the program started and by its own admission “did not conduct a full range of compliance and/or substantive testing.”

(18) Curious whether NSA introduced the word “archive” in the table.

(19) The language on metadata retention is another tell: they describe not “keeping” the data but “keeping it online” while avoiding mention of archive.


Compliance Incidents, Feb 26, 2009 & Supplemental Alexander

(4) Three different analysts querying databases. Again the timing on this is interesting, from day after election to day after transferring power. Note there’s still no discussion of where all those other identifiers went.

(SAlexander 2) Note the reference to telecoms remains unredacted.


Keith Alexander’s Ignorance By Design


One of the most publicized lines from yesterday’s FOIA disclosures comes from Keith Alexander’s declaration to Reggie Walton on how the Section 215 dragnet went so horribly awry. He claims — without explaining the basis for his knowledge — that no one knew how all this worked.

Furthermore, from a technical standpoint, there was no single person who had a complete technical understanding of the BR FISA system architecture. (Alexander 19)

The comment comes amidst a section that discusses not system architecture, but simple legal compliance, in which Alexander describes how,

  • NSA’s lawyers consistently gave incorrect data to FISC over 3 years’ time
  • NSA’s lawyers exempted a whole class of data — that not yet “archived” — from the plain meaning of the law

At the beginning of this particular section, he says his knowledge comes from,

Reviews of NSA records and discussions with relevant NSA personnel (Alexander 16)

But at the beginning of Alexander’s declaration, he states his statements,

are based on my personal knowledge, information provided to me by my subordinates in the course of my official duties, advice of counsel, and conclusions reached in accordance therewith. (Alexander 2)

That is, for the declaration overall, Alexander says he only spoke to “counsel” and other NSA people in “the course of [his] official duties,” and there only with subordinates. Admittedly, all NSA personnel should be his subordinates, but it is curious he doesn’t describe the NSA personnel he spoke with as such.

That’s important, because throughout this section, Alexander’s statements are caveated with “it appears” introductions.

… the inaccurate description of the BR FISA alert list initially appears to have occurred to a mistaken belief …(Alexander 17)

… Therefore, it appears there was never a complete understanding among the key personnel who reviewed the report … (Alexander 18)

… Nevertheless, it appears clear in hindsight from discussions with the relevant personnel as well as reviews of NSA’s internal records that the focus was almost always on whether analysts were contact chaining the Agency’s repository of BR FISA data in compliance … (Alexander 18)

Now perhaps Alexander spoke to the people who actually knew what went on. It turns out they would, in significant part, be lawyers. Counsel.

Though that’s rarely reflected in his descriptions. In perhaps just one sentence, he makes an assertion about what the SIGINT Directorate and the OGC [counsel] “realized,” though note he doesn’t specify a single human subject for that realization.

Or perhaps he spoke only to “relevant personnel” who provided him information in the course of his normal duties.

But one thing is clear: either he doesn’t claim actual knowledge, beyond what actually got documented, about the subject he is addressing (the most important topic in his declaration), or he does, but for some reason he was, in this matter alone, uncomfortable asserting that as a clear fact.

Yet, having spoken to remarkably few people, he somehow feels confident claiming no one knew about the entire architecture (an irrelevant issue to the legal and management problem at hand)?

I would suggest Alexander’s lawyers [counsel!] — the very people who provided false information to the court and false advice to NSA personnel — might have a good deal more certainty about what happened than Alexander. But somehow they managed to avoid making sworn declarations to the court about those subjects.

Update: The list of people who knew about this stuff on Alexander 25-26 is of particular interest. Two OGC lawyers and 3 program managers had access to both what was allowed to analysts and what was reported to the court (though Alexander helpfully notes, “[t]his does not mean that an individual who was on distribution for the reports was actually familiar with the contents of the reports.”)

Alexander also says he had conversations with the people on distribution of the original email drafting language for the court.

Alexander goes on to note there were a lot of people that knew of how the alerts worked but, “[b]ased on information available to me, I conclude it is unlikely that this category of personnel knew how the Agency had described the alert process to the Court.”

 

Imagine the Informants You Can Coerce When You Can Spy on Every Single American


Two years ago, I noted a chilling exchange from a 2002 FISA suit argued by Ted Olson. Laurence Silberman was trying to come up with a scenario in which some criminal information might not have any relevance to terrorism. When he suggested rape, Olson suggested we might use evidence of a rape to get someone to inform for us.

JUDGE SILBERMAN: Try rape. That’s unlikely to have a foreign intelligence component.

SOLICITOR GENERAL OLSON: It’s unlikely, but you could go to that individual and say we’ve got this information and we’re prosecuting and you might be able to help us.

It’s chilling not just because it suggests rapists have gone free in exchange for trumping up terrorist cases for the government, but because it makes clear the kinds of dirt the government sought using — in this case — traditional FISA wiretaps.

Now consider this passage from the government’s 2009 case that it should be able to sustain the Section 215 dragnet.

Specifically, using contact chaining [redacted] NSA may be able to discover previously unknown terrorist operatives, to identify hubs or common contacts between targets of interest who were previously thought to be unconnected, and potentially to discover individuals willing to become U.S. Government assets.

Remember, while the government downplayed this fact, until Barack Obama won the 2008 election, the government permitted analysts to contact chain off of 27,090 identifiers, going deeper than 3 hops in. That very easily encompasses every single American.

The ability to track the relationships of every single American, and they were using it to find informants.

In the 7 years since this program (now allegedly scaled back significantly, but still very very broad) has existed, the dragnet has only helped, however indirectly, to capture 12 terrorists in the US (and by terrorist, they also include people sending money to protect their country against US-backed invasion).

Which means the real utility of this program has been about something else.

The ability to track the relationships of every single American. And they were using it to find informants.

Even while the number of terrorists this program discovered has been minimal, the number of FBI informants has ballooned, to 15,000. And those informants are trumping up increasingly ridiculous plots in the name of fighting terrorism.

The ability to track the relationships of every single American (or now, a huge subset of Americans, focusing largely on Muslims and those with international ties). And they were (and presumably still are) using it to find informants.

Update: Note how in Keith Alexander’s description of the alert list, the standard to be on it is “the identifier is likely to produce information of foreign intelligence value” that are “associated with” one of the BR targets (Alexander 33). This is very similar to the language Olson used to justify getting data that didn’t directly relate to terrorism.

Also note this language (Alexander 34):

In particular, Section 1.7(c) of Executive Order 12333 specifically authorizes NSA to “Collect (including through clandestine means), process, analyze, produce, and disseminate signals intelligence information for foreign intelligence and counterintelligence purposes to support national and departmental missions.” However, when executing its SIGINT mission, NSA is only authorized to collect, retain or disseminate information concerning United States persons in accordance with procedures approved by the Attorney General.

Again, this emphasizes a foreign intelligence and CI purpose for collection that by law is limited to terrorism. Which could mean they think they can collect info to coerce people to turn informant.

The AG guidelines on informants are, not surprisingly, redacted.

How Many People Are Included in Contact Chaining with 27,090 Numbers?

One of the most stunning revelations from ODNI’s conference call with Officials Who Can’t Be Quoted Because They Might Be Lying is that only 11% of the numbers the NSA was comparing daily business record collections against should have been included.

Those numbers are presented in the government’s first response to Reggie Walton’s order for more information.

In short, the system was designed to compare both SIGINT and BR metadata against the identifiers on the alert list but only to permit alerts generated from RAS-approved identifiers to be used to conduct contact chaining [redacted] of the BR metadata. As a result, the majority of telephone identifiers compared against the incoming BR metadata in the rebuilt alert list were not RAS-approved. See id. at 4, 7-8. For example, as of January 15, 2009, the date of NSD’s first notice to the Court regarding this issue, only 1,935 of the 17,835 identifiers on the alert list were RAS-approved. (10-11)

This means that every day, the NSA was comparing names they thought maybe might could be terrorist numbers, as well as numbers they actually had reason to believe actually were, with all the phone records in the US to see if Americans were talking to these people. [Update: And to clarify, the 89% on the list who were “compared” to the daily business record take weren’t contact chained — NSA just checked to see if they should look further.]

As I said, per the Officials Who Can’t Be Quoted Because They Might Be Lying who gave today’s conference call, that’s as bad as it gets.

But it appears to get worse.

You see, as NSA was confessing all this to DOJ’s National Security Division, they were also cleaning up their lists (the January 15 numbers come from a week after NSD first got involved). And it appears that before they started their confessional process (in the days before Obama took over from George Bush), they had far more people on their list. And they were contact-chaining those numbers.

At the meeting on January 9, 2009, NSA and NSA also identified that the reports filed with the Court have incorrectly stated the number of identifiers on the alert list. Each report included the number of telephone identifiers purported on the alert list. See, e.g., NSA 120-Day Report to the FISC (Dec. 11, 2008), docket number BR 08-08 (Ex. B to the Government’s application in docket number BR 08-13), at 11 (“As of November 2, 2008, the last day of the reporting period herein, NSA had included a total of 27,090 telephone identifiers on the alert list . . . .”). In fact, NSA reports that these numbers did not reflect the total number of identifiers on the alert list; they actually represented the total number of identifiers included on the “station table” (NSA’s historical record of RAS determinations) as currently RAS-approved) (i.e., approved for contact chaining [redacted]

This appears to mean the NSA could (they don’t say whether they did) conduct chaining two or three degrees deep on all these potential maybe might could be terrorists.

If those 27,090 talked to 10 people in the US, and those 270,090 people in the US regularly talked to 40 people in the US, and those people talked to 40, then it would potentially incorporate 433 millio–oh wait! That’s more people than live in the US!

That is, there’s a potential that, by contact chaining that many people, this actually represented a comprehensive dragnet of all the networked relationships in the US until the days before Obama became President.

And they lied to Reggie Walton about it as they got their first real legal review of the program.

But honest, all this was really just unintentional.

Update: Later in the filing, the government admits they were doing more than 3 hops until early 2009.

Second, NSA is implementing software changes to its system that will limit to three the number of “hops” permitted from a RAS-approved seed identifier.

This means those 27,090 identifiers that were in use on November 1, 2008 (at which point it became clear Obama would win the election) could have been contact chained far deeper into American contacts. This makes it very likely that the “contact chaining” actually did include everyone in the US.