NSA Tried to Roll Out Its Automated Query Program Between Debates about Killing It

As I noted earlier, after reporting in November that there was a debate in 2009 about ending the phone dragnet…

To address their concerns, the former senior official and other NSA dissenters in 2009 came up with a plan that tracks closely with the Obama proposal that the Senate failed to pass on Tuesday. The officials wanted the NSA to stop collecting the records, and instead fashion a system for the agency to quickly send queries to the telephone companies as needed, letting the companies store the records as they are required to do under telecommunications rules.

In a departure from the bill that failed Tuesday, however, they wanted to require the companies to provide the metadata in a standardized manner, to allow speedy processing and analysis in cases of an imminent terror plot. The lack of such a provision was among the reasons many Republicans and former intelligence officials said they opposed the 2014 legislation.

By the end of 2009, Justice Department lawyers had concluded there was no way short of a change in law to make the program work while keeping the records in the hands of the companies, the former officials said.

The AP reported today that there was also a debate about ending the dragnet in 2013 (and if I’m not mistaken, the story has been updated to note that these were two separate debates)….

The proposal to halt phone records collection that was circulating in 2013 was separate from a 2009 examination of the program by NSA, sparked by objections from a senior NSA official, reported in November by The Associated Press. In that case, a senior NSA code breaker learned about the program and concluded it was wrong for the agency to collect and store American records. The NSA enlisted the Justice Department in an examination of whether the search function could be preserved with the records stored by the phone companies.

That would not work without a change in the law, the review concluded. Alexander, who retired in March 2014, opted to continue the program as is.

But the internal debate continued, current and former officials say, and critics within the NSA pressed their case against the program. To them, the program had become an expensive insurance policy with an increasing number of loopholes, given the lack of mobile data. They also knew it would be deeply controversial if made public.

By 2013, some NSA officials were ready to stop the bulk collection even though they knew they would lose the ability to search a database of U.S. calling records. As always, the FBI still would be able to obtain the phone records of suspects through a court order.

Between these two debates (indeed, between the time the NSA shut down the PATRIOT-authorized Internet dragnet and the second debate), on November 8, 2012, the NSA got FISC to approve an automated query.

In 2012, the FISA court approved a new and automated method of performing queries, one that is associated with a new infrastructure implemented by the NSA to process its calling records. The essence of this new process is that, instead of waiting for individual analysts to perform manual queries of particular selection terms that have been RAS approved, the NSA’s database periodically performs queries on all RAS-approved seed terms, up to three hops away from the approved seeds. The database places the results of these queries together in a repository called the “corporate store.”

The ultimate result of the automated query process is a repository, the corporate store, containing the records of all telephone calls that are within three “hops” of every currently approved selection term. Authorized analysts looking to conduct intelligence analysis may then use the records in the corporate store, instead of searching the full repository of records.
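To make the process the report describes concrete, here is an added toy model (not code from the PCLOB report, the NSA, or this post): a constructed set of call-detail records, a constructed stand-in for the RAS-approved seed list, and a breadth-first expansion that pools everything within three hops into a "corporate store". It also tallies the store's size at each hop limit, which shows how far the pool reaches beyond the seeds themselves.

```python
import math
from collections import deque

# Constructed sample call-detail records (caller, callee); the numbers
# are made up for this illustration and the graph is tiny on purpose.
CALL_RECORDS = [
    ("555-0100", "555-0101"),
    ("555-0101", "555-0102"),
    ("555-0102", "555-0103"),
    ("555-0103", "555-0104"),  # 555-0104 is a 4th hop from the seed below
    ("555-0200", "555-0201"),
    ("555-0201", "555-0100"),
    ("555-0300", "555-0301"),  # no path to any seed
]

# Constructed stand-in for the RAS-approved seed list.
RAS_APPROVED_SEEDS = ["555-0100"]


def build_contact_graph(records):
    """Undirected contact graph: a call links both parties whichever side dialled."""
    graph = {}
    for a, b in records:
        graph.setdefault(a, set()).add(b)
        graph.setdefault(b, set()).add(a)
    return graph


def chain_from_seed(graph, seed, max_hops):
    """Breadth-first contact chaining from one seed.

    Returns {identifier: hop distance} for every identifier within max_hops.
    Hop 1 is anyone in direct contact with the seed, hop 2 anyone in
    contact with a hop-1 identifier, and so on.
    """
    distance = {seed: 0}
    queue = deque([seed])
    while queue:
        node = queue.popleft()
        if distance[node] == max_hops:
            continue  # identifiers at the hop limit are recorded but not expanded
        for neighbour in graph.get(node, ()):
            if neighbour not in distance:
                distance[neighbour] = distance[node] + 1
                queue.append(neighbour)
    return distance


def build_corporate_store(records, approved_seeds, max_hops=3):
    """Pool the chaining results for every approved seed.

    A record is kept when one of its parties sits fewer than max_hops
    hops from some seed: that record is what reveals the next-hop
    identifier, so the records of hop-3 identifiers themselves (which
    would expose a 4th hop) stay out. Returns (store_records, reached).
    """
    graph = build_contact_graph(records)
    reached = {}
    for seed in approved_seeds:
        for ident, hops in chain_from_seed(graph, seed, max_hops).items():
            reached[ident] = min(hops, reached.get(ident, math.inf))
    store = [
        (a, b) for a, b in records
        if min(reached.get(a, math.inf), reached.get(b, math.inf)) < max_hops
    ]
    return store, reached


def store_sizes_by_hop(records, approved_seeds, up_to=3):
    """Number of records in the store at each hop limit from 1 to up_to."""
    return {h: len(build_corporate_store(records, approved_seeds, h)[0])
            for h in range(1, up_to + 1)}


if __name__ == "__main__":
    store, reached = build_corporate_store(CALL_RECORDS, RAS_APPROVED_SEEDS)
    for ident, hops in sorted(reached.items(), key=lambda kv: kv[1]):
        print(f"hop {hops}: {ident}")
    print(f"{len(store)} of {len(CALL_RECORDS)} records land in the corporate store")
    print("store size by hop limit:", store_sizes_by_hop(CALL_RECORDS, RAS_APPROVED_SEEDS))
```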

The January 3, 2014 dragnet order revealed that over the year-plus since FISC authorized this automated query, NSA still had not gotten it working.

The Court understands that to date NSA has not implemented, and for the duration of this authorization will not as a technical matter be in a position to implement, the automated query process authorized by prior orders of this Court for analytical purposes. Accordingly, this amendment to the Primary Order authorizes the use of this automated query process for development and testing purposes only. No query results from such testing shall be made available for analytic purposes. Use of this automated query process for analytical purposes requires further order of this Court.

On March 27, 2014, Obama said he would move the dragnet to the telecoms.

The reauthorization signed the following day — dated March 28, 2014 — eliminated all approval for automated queries.

I suggested then — and given these stories, suspect may have been correct — that Obama agreed to move the dragnet to the telecoms because NSA never managed to do what they wanted to do (and probably, had done until 2009), automated queries, but they could achieve the same desired result by moving production to the telecoms.

All proposed plans to move production to the telecoms shared several features, including the compelled assistance of the telecoms (like Section 702, in some ways), production of records in the form the government wanted, expansive immunity, and compensation. All also used “connection chaining” that didn’t explicitly describe what made a (non-call or text) connection or how the telecom would establish such connections. I speculated last year that may have permitted the government to make use of the telecoms’ access to geolocation in a way they couldn’t do at NSA. I increasingly believe they also want telecoms to match all chaining through smart phones in what they’ve adopted as “connection chaining;” automated correlations, specifically, is something the government shut down in 2009 but which would be very productive if it could draw on everything the telecoms have.

None of that explains why the NSA wasn’t able to ingest some cell phone production. But it may explain why NSA accepts moving the phone dragnet to the telecoms.

The AP’s Recycled “We Don’t Need a Phone Dragnet” Story Lays the Groundwork for Swapping Section 215 for CISA

The AP has a story that it calls an “Exclusive” and says “has not been reported before” reporting that the NSA considered killing the phone dragnet back before Edward Snowden disclosed it.

The National Security Agency considered abandoning its secret program to collect and store American calling records in the months before leaker Edward Snowden revealed the practice, current and former intelligence officials say, because some officials believed the costs outweighed the meager counterterrorism benefits.

After the leak and the collective surprise around the world, NSA leaders strongly defended the phone records program to Congress and the public, but without disclosing the internal debate.

The proposal to kill the program was circulating among top managers but had not yet reached the desk of Gen. Keith Alexander, then the NSA director, according to current and former intelligence officials who would not be quoted because the details are sensitive. Two former senior NSA officials say they doubt Alexander would have approved it.

Still, the behind-the-scenes NSA concerns, which have not been reported previously, could be relevant as Congress decides whether to renew or modify the phone records collection when the law authorizing it expires in June.

The story looks a lot like (though has mostly different dates) this AP story, published just after USA Freedom Act failed in the Senate in November.

Years before Edward Snowden sparked a public outcry with the disclosure that the National Security Agency had been secretly collecting American telephone records, some NSA executives voiced strong objections to the program, current and former intelligence officials say. The program exceeded the agency’s mandate to focus on foreign spying and would do little to stop terror plots, the executives argued.

The 2009 dissent, led by a senior NSA official and embraced by others at the agency, prompted the Obama administration to consider, but ultimately abandon, a plan to stop gathering the records.

The secret internal debate has not been previously reported. The Senate on Tuesday rejected an administration proposal that would have curbed the program and left the records in the hands of telephone companies rather than the government. That would be an arrangement similar to the one the administration quietly rejected in 2009.

The unquestioned claim that the program doesn’t get cell data — presented even as the Dzhokhar Tsarnaev case makes clear it does* — appears in both (indeed, this most recent version inaccurately references T-Mobile cell phone user Basaaly Moalin’s case — getting the monetary amounts wrong — without realizing that that case, too, disproves the cell claim).

Most importantly, however, both stories report these previous questions about the efficacy of the phone dragnet in the context of questions about whether the program will be reauthorized after June.

Perhaps the most telling detail, however, is that this new story inaccurately describes what happened to the Internet dragnet in 2011.

There was a precedent for ending collection cold turkey. Two years earlier, the NSA cited similar cost-benefit calculations when it stopped another secret program under which it was collecting Americans’ email metadata — information showing who was communicating with whom, but not the content of the messages. That decision was made public via the Snowden leaks.

The NSA in no way went “cold turkey” in 2011. Starting in 2009, just before it finally confessed to DOJ it had been violating collection rules for the life of the program, it rolled out the SPCMA program that allowed the government to do precisely the same thing, from precisely the same user interface, with any Internet data accessible through EO 12333. SPCMA was made available to all units within NSA in early 2011, well before NSA “went cold turkey.” And, at the same time, NSA moved some of its Internet dragnet to PRISM production, with the added benefit that it had few of the data sharing limits that the PRTT dragnet did.

That is, rather than going “cold turkey” the NSA moved the production under different authorities, which came with the added benefits of weaker FISC oversight, application for uses beyond counterterrorism, and far, far more permissive dissemination rules.

That AP’s sources claimed — and AP credulously reported — that this is about “cold turkey” is a pretty glaring hint that the NSA and FBI are preparing to do something very similar with the phone dragnet. As with the Internet dragnet, SPCMA permits phone chaining for any EO 12333 phone collection, under far looser rules. And under CISA, anyone who “voluntarily” wants to share this data (which always includes AT&T and likely includes other backbone providers) can share promiscuously and with greater secrecy (because it is protected by both Trade Secret and FOIA exemption). Some of this production, done under PRISM, would permit the government to get “connection” chaining information more easily than under a phone dragnet. And as with the Internet dragnet, any move of Section 215 production to CISA production evades existing FISC oversight.

A year ago, Keith Alexander testified that if they just had a classified data sharing program — like CISA — they could live without the dragnet. A year ago, basically, Alexander said he’d be willing to swap CISA for the phone dragnet.

Remarkably, these inaccurate AP stories always seem to serve that story, all while fostering a laughable myth that “ending the phone dragnet” would in any way end the practice of a phone dragnet.

*Update 3/30: My claim that the Marathon case proves they got cell call data relies only on FBI claims they were able to use the dragnet to good effect. I actually think that FBI used an AT&T specific dragnet — not the complete phone dragnet — to identify the brothers’ phones (while the government has offered conflicting testimony on this account, I’m fairly certain all of Dzhokhar’s phones and Tamerlan’s pre-paid phone discussed at Dzhokhar’s trial were T-Mobile phones). But if that’s the case, then FBI lied outright when making those earlier claims. I’m perfectly willing to believe that, but if that’s the now-operative story I’d love for someone to confirm it.

The NSL to 215 Collection: Data Flows AND URLs

Since last summer, I have been noting that the majority of Section 215 production now consists of Internet data the government used to collect using National Security Letters but — after the Internet companies successfully refused to comply with NSLs any longer, in light of an Office of Legal Counsel ruling limiting what could be obtained under NSLs — the government started using Section 215 to obtain.

We know most Section 215 orders are for Internet records because someone reliable — DOJ’s Inspector General in last year’s report on National Security Letters — told us that a collection of Internet companies successfully challenged FBI’s use of NSLs to collect this stuff after DOJ published an opinion on ECPA in 2008.

The decision of these [redacted] Internet companies to discontinue producing electronic communication transactional records in response to NSLs followed public release of a legal opinion issued by the Department’s Office of Legal Counsel (OLC) regarding the application of ECPA Section 2709 to various types of information. The FBI General Counsel sought guidance from the OLC on, among other things, whether the four types of information listed in subsection (b) of Section 2709 — the subscriber’s name, address, length of service, and local and long distance toll billing records — are exhaustive or merely illustrative of the information that the FBI may request in an NSL. In a November 2008 opinion, the OLC concluded that the records identified in Section 2709(b) constitute the exclusive list of records that may be obtained through an ECPA NSL.

Although the OLC opinion did not focus on electronic communication transaction records specifically, according to the FBI, [redacted] took a legal position based on the opinion that if the records identified in Section 2709(b) constitute the exclusive list of records that may be obtained through an ECPA NSL, then the FBI does not have the authority to compel the production of electronic communication transactional records because that term does not appear in subsection (b).

That report went on to explain that FBI considered fixing this problem by amending the definition for toll records in Section 2709, but then bagged that plan and just moved all this collection to Section 215, which takes longer.

In the absence of a legislative amendment to Section 2709, [2.5 lines redacted]. [Deputy General Counsel of FBI’s National Security Law Branch] Siegel told us that the process of generating and approving a Section 215 application is similar to the NSL process for the agents and supervisors in the field, but then the applications undergo a review process in NSLB and the Department’s National Security Division, which submits the application to the Foreign Intelligence Surveillance Court (FISA Court). According to Siegel, a request that at one time could be accomplished with an NSL in a matter of hours if necessary, now takes about 30-40 days to accomplish with a standard Section 215 application.

In addition to increasing the time it takes to obtain transactional records, Section 215 requests, unlike NSL requests, require the involvement of FBI Headquarters, NSD, and the FISA Court. Supervisors in the Operations Section of NSD, which submits Section 215 applications to the FISA Court, told us that the majority of Section 215 applications submitted to the FISA Court [redacted] in 2010 and [redacted] in 2011 — concerned requests for electronic communication transaction records.

The NSD supervisors told us that at first they intended the [3.5 lines redacted] They told us that when a legislative change no longer appeared imminent and [3 lines redacted] and by taking steps to better streamline the application process.

The government is, according to the report, going through all sorts of hoop-jumping on these records rather than working with Congress to pass ECPA reform.

Why?

The FISA Court imposed minimization procedures on this production, meaning it was fairly bulky. That led me to speculate — particularly given Claire McCaskill’s questions confirming Section 215 might be used for the purpose — that the collection obtained URL search information. More recently, particularly when the FBI claimed (which, sadly, coming from the FBI can never be assumed to be true) it used Section 215 for cyber investigations, I became convinced it involved data flow records.

Meanwhile, in January 2014, Nicholas Merrill, the first person to fight an NSL order when he received one in 2004, started fighting to overturn the gag order that had been imposed on him a decade earlier (this came at the same time as President Obama claimed he would move FBI to end its forever gags on NSLs). And while the FBI agreed to let Merrill tell the target of the NSL about it, it ordered him to keep most of what he had been ordered to turn over secret. He is currently permitted to reveal the following:

[Screenshot: the portion of Merrill’s NSL attachment he is currently permitted to reveal]

In other words, while FBI is okay with Merrill telling the target of a decade-old investigation he or she was targeted, he can’t tell us what — as far back as 2004 — FBI claimed was included under ECPA’s definition of electronic communication transactional records.

In December, Merrill sued to be able to tell us that. And on March 20, a redacted version of his declaration in that suit was released. While the government redacted what they had asked of him (and bizarrely, redacted language in his lawyer’s declaration that appeared unredacted in documents they included as exhibits; see this Cryptome document for the full packet), Merrill provided a pretty good sense of what might have been included in those 15 (of 16!) redacted or partly redacted orders from a decade ago. First, he described all the records he had:

Calyx Internet Access, like most ISPs, collected a wide array of information about its clients. For a given client, we may have collected their [1] name, [2] address and [3] telephone number; [4] other addresses associated with the account; [5] email addresses associated with the account; [6] IP addresses associated with the account; [7] Uniform Resource Locator (URL) addresses assigned to the account; [8] activity logs for the account; [9] logs tracking visitors to the client’s website; [10] the content of a client’s electronic communications; [11] data files residing on Calyx’s server; [12] the client’s customer list; [13] the client’s bank account and [14] credit card numbers; [15] records relating to merchandise bought and sold; and the [16] date the account was opened or closed. [numbers 1 through 16 added]

Of all those 16 things, the only one that should have been impossible to include among the 16 requests the FBI made in its NSL demand on Merrill 11 years ago is the actual content of the client’s communications, item 10 (though see my caveat below, explaining that they may well have demanded that too).

In addition to describing the kinds of things he had — which therefore might be among the 16 things FBI demanded of him — Merrill described the kinds of things ISPs might have that the FBI might want. He includes URL searches and IP-based identifiers.

Electronic communication service providers can maintain records of the IP addresses assigned to particular individuals and of the electronic communications involving that IP address. These records can identify, among other things, the identity of an otherwise anonymous individual communicating on the Internet, the identities of individuals in communication with one another, and the web sites (or other Internet content) that an individual has accessed.

Electronic communication service providers can also monitor and store information regarding web transactions by their users. These transaction logs can be very detailed, including the name of every web page accessed, information about the page’s content, the names of accounts accessed, and sometimes username and password combinations. This monitoring can occur by routing all of a user’s traffic through a proxy server or by using a network monitoring system.

[snip]

Web servers also often maintain logs of every request that they receive and every web page that is served. This could include a complete list of all web pages seen by an individual, all search terms, names of email accounts, passwords, purchases made, names of other individuals with whom the user has communicated, and so on.

And he described flow data — the kinds of things FBI might use in a hacking investigation.

Electronic communication service providers can also record internet “NetFlow” data. This data consists of a set of packets that travel between two points. Routers can be set to automatically record a list of all the NetFlows that they see, or all the NetFlows to or from a specific IP address. This NetFlow data can essentially provide a complete history of each electronic communications service used by a particular Internet user.

In short, Merrill is strongly hinting that he was asked for both URL information and NetFlow information. Merrill is hinting that the FBI was using NSLs to obtain detailed descriptions of all of the Internet activities for targets of NSLs.

Merrill also suggests that email subject lines — now considered content — might be demanded. That’s interesting because he got served his NSL before the hospital confrontation in 2004, and the government (specifically Michael Hayden) has claimed that subject lines were metadata, not content. So he may be indicating that back in 2004, the FBI was treating subject lines as an electronic communication transactional record (and given that FBI did not withdraw the substance of his NSL until 2006, perhaps continued to do so).

So back in 2004, at least, the FBI was making vast demands for records of all of a target’s Internet activity.

There’s good reason to believe that this is precisely the kind of production (at least some) Internet companies successfully moved to Section 215 orders in 2009. That’s true, in part, because in the NSL IG Report describing all the crazy requests FBI had been making under ECPA, the most substantive ongoing crazy requests appeared to be connected to AT&T production. Seven types of records from a provider that is almost certainly AT&T were redacted in that IG Report. So while it’s likely the FISC now reviews and minimizes that same kind of requests to ISPs as part of Section 215 orders, it probably doesn’t from telecoms.

That said, all that might change if the Cybersecurity Information Sharing Act passes. That bill would pre-empt existing laws, including ECPA, for sharing of cybersecurity, leak, or IP theft investigations (and can be used to investigate a broad array of serious crimes). So CISA would provide the legal cover for ISPs to share such information, at least for any ISPs who would “voluntarily” share such data. For that reason, we should look much more closely at the terms of that “voluntary” production.

That’s the subject of another post, however.

For now, take Merrill’s declaration as pretty strong confirmation that the FBI at least was obtaining both URL search information and data flow information using nothing more than an NSL. Its desire to get such expansive data again is likely at least as pressing an issue behind current surveillance legislation debates as its desire to continue a dragnet of all our phone records.


Tamerlan’s Search on Remote Control Car Info

I want to do a quick post about details defense attorney Timothy Watkins snuck into today’s testimony at the Dzhokhar Tsarnaev trial. FBI Supervisory Special Agent Edward Knapp testified at length about how he investigated the bombs used in the attacks. At the end of direct, the government had him show how closely the bombs — both the elbow pipe bombs used at Watertown and the pressure cooker bombs — resembled bomb instructions included in Inspire Magazine.

The effort was, as so much of this trial has been, a carefully scripted effort to tell a narrative that probably doesn’t reflect the full truth of how the brothers obtained or made the bombs, or which propaganda they relied on. Judge George O’Toole had, earlier in the trial, prevented the defense from entering evidence about the Russian bomb making materials on Tamerlan’s hard drive. Knapp focused on the bombs that most closely resembled Inspire bombs (focusing on the elbow pipe bomb, for example, and not the straight one also used in Watertown). He didn’t go into much detail about the trigger used for the bombs used at the race. Knapp even focused on a green Christmas light in one of the bombs to show it was just like the green Christmas light in the Inspire recipe.

Ultimately, it was about how the bombs could have been made from the recipes in Inspire magazine.

In addition to trying, unsuccessfully, to get Knapp to reveal what fingerprint evidence had shown about the bomb materials (they almost certainly show that Tamerlan handled the bombs, not Dzhokhar), Watkins asked,

Watkins: Inspire Magazine doesn’t mention RC cars as a bomb component, does it? Knapp: I don’t think so.

In the midst of an objection, Watkins sneaks in a question… did you know Tamerlan searched the internet for RC car info? Objection, sustained.

The question, if permitted as evidence, would have shown several things: that Tamerlan didn’t follow Inspire exactly for the bombs used at the race, that Tamerlan was the one putting them together, and — possibly — that Tamerlan was at least partly using a Russian model for the bomb, not Inspire’s model. (One detail the defense revealed yesterday is that there was nitroglycerine at the Cambridge apartment, which was stronger than the firecrackers used in the pressure cookers.)

That, by itself, is notable: once again, the government’s pat narrative is almost certainly not a description of what actually happened.

But the detail also raised questions about why Tamerlan’s searches for what ultimately were bomb parts were not found by the FBI or NSA.

There are several answers.

1) These were searches for toy parts, not bomb parts. While FBI might now trigger on remote controllers, they probably didn’t then, even if they had a dragnet. FBI appears to keep expanding its dragnets as terrorists use certain tools.

2) While FBI should have done a back door search on Tamerlan when they did the assessment of him in 2011, nothing we know of would have triggered a new assessment in the interim, even if they did dragnet on remote controllers, which I doubt.

3) I do strongly suspect that NSA had picked up the brothers’ downloads of Inspire, which I suspect is triggered by the encryption codes included in the magazine and not by any keyword content of the magazines or even the URL. If I’m right (and that’s just a guess), then the NSA would have had data on the brothers. In fact, we know the NSA did have data on one or both of the brothers that didn’t get read until after the attack. If it was Inspire, I think they probably didn’t attract attention because they weren’t 2 degrees from someone interesting or hadn’t been found in one of the more targeted chat rooms. It would also mean that FBI didn’t then share the identifiers for Tamerlan they identified during their 2011 assessment of him with NSA for future mapping (I don’t necessarily think they should, but if they had, then NSA might have paid more attention to whatever data they did have on the brothers, potentially eliciting a second look once they collected it). Also remember, the brothers may not even have been downloading Inspire until after the FBI stopped investigating Tamerlan.

4) While XKeyscore certainly has the ability to do searches on “remote car controllers” it’s not clear that would pull off content collected in the US, so it would only show up if the server Tamerlan went to was overseas; they were probably local and Amazon. Who knows? Maybe now FBI has also started an Amazon dragnet on remote controllers. But again, you’d need something else to trigger interest in Tamerlan’s identifier doing the search.

5) I suspect that what Watkins was referring to came from a subpoena to Tamerlan’s ISP for all his web searches. So the fact that they had the searches is itself unsurprising.

Update: Here’s the shipping bill for some of the remote control supplies he bought, from a site called NitroRCX which appears to be in the metro Los Angeles area. I believe the other one was from Amazon.

Details on the Pressure Cooker Dragnet

[Screenshot: Tamerlan walking out of Target after having purchased the backpacks used in the attack.]

In this morning’s Tsarnaev trial testimony, FBI’s Christian Fierabend testified to the evidence about purchases leading up to the attack (h/t to CBS’s Jim Armstrong among others for the live-tweeting). As much as possible, he tried to show both GPS coordinates from one of the Tsarnaevs’ cars and some kind of purchase record for the attack equipment (things like BBs, backpacks, and the remote car detonator).

Some of this was easy because a number of the receipts (such as for the backpacks used to carry the bombs) were sitting in Tamerlan’s wallet, which the government retrieved from Dzhokhar’s Civic at the Watertown scene. Some, such as remote controlled cars, were online purchases involving credit cards.

But in spite of the fact that Tamerlan Tsarnaev purchased some of his supplies using a credit card, according to Fierabend, the pressure cookers, Fagor Elites sold exclusively at Macys, which currently sell for $50 to $60 apiece, were purchased with cash. According to Fierabend, the government obtained records of all the Fagor Elites purchased in the US between August 2012 and April 2013. Of the 74 pressure cookers sold in the Northwest in that period, just 5 pressure cookers were purchased in cash, just 3 in MA.

According to rather remarkable testimony, Macys has no surveillance video of those purchases.

The government did, however, cross-reference the purchases to the Tsarnaevs through use of a portable GPS that was ultimately apparently retrieved from the Mercedes the brothers hijacked.

In other words, the implication is that one of the Tsarnaevs or someone else used cash to purchase pressure cookers, which you would think was an attempt to hide the identity of the purchaser, yet did so while running a portable GPS that tracked back to their Cambridge home, and then brought that portable GPS into the getaway car they hijacked.

That’s all the more crazy given that the last pressure cooker wasn’t purchased until March, and Tamerlan appeared to be prepping to die, given that he sent his mother $900 the day before the attack (unless she had funded the attack specifically). If you’re going to ID yourself with a GPS, then pay with a credit card and get it for free.

All that said, I’m cognizant Tamerlan left his wallet, with receipts, in the Civic, along with some other identifying documents, and also by carrying that GPS at least made himself appear to be the purchaser of the pressure cooker, whether or not he was. Tamerlan wasn’t hiding his identity.

And yet someone paid cash for the pressure cookers.

The one other nifty detail in all this is that if you also bought a Fagor Elite pressure cooker in this period, you’re likely to be in an FBI database until 2043.

Update: One more thing about the pressure cookers. There was part of a lid and a gasket from a pressure cooker at the apartment, which means there must be one more pressure cooker. That one, then, might be unaccounted for in the purchase records evidence.

Update: Here are the exhibits from today’s testimony. Unless I’m mistaken, the government only entered purchase records from one of the pressure cooker purchases, the purchase of two from the Boston store on January 31, 2013 (this is the one they tied to the portable GPS device). So there should be two more pressure cookers — the second 6 quart one used in the race attack, and the one from which the lid and the gasket were taken in the Cambridge apartment.

Devin Nunes Thinks Congress Needs More Classified Briefings to Understand Phone Dragnet

In an article describing the current state of play on the Section 215 sunset, WaPo quotes Devin Nunes claiming that the poor maligned phone dragnet is just misunderstood. So he plans on having more briefings (curiously, just for the Republican caucus).

“NSA programs, including the bulk telephone metadata program, are crucial anti-terror and foreign intelligence tools that should be reauthorized,” said Rep. Devin Nunes (R-Calif.), chairman of the House Intelligence Committee.

He told reporters on Tuesday that he felt the program has been misunderstood and that he would hold classified briefings for the GOP caucus.

I don’t mean to mock Nunes. After all, I’ve been saying for well over a year that the public assessments of the phone dragnet don’t actually measure how the government really uses it (below the rule I’ve copied the part of this post that describes other ways we know they use it). And that was before the phone dragnet orders replaced “contact chaining” with “connection chaining” over a year ago, which presumably adds a correlating function to the mix (that is, the government also uses the phone dragnet to identify a person’s multiple phone-based identities, potentially including smart phone identities).

But I do think it worth noting two things.

First, Nunes’ decision to tell Republicans more, coming relatively soon after he took over the House Intelligence Chair from Mike Rogers, suggests that Mike Rogers was never fully forthcoming — not even in the secret briefings he gave in lieu of passing on Executive Branch explanations of the phone dragnet — about what it did.

Nunes’ response is not to require the government to explain publicly what it is really doing with the phone dragnet, but instead to hold classified briefings, which often serve as a means to buy silence from those who attend.

In any case, that story you’ve been told for almost two years about how the phone dragnet identifies who is two degrees away from Osama bin Laden? Unsurprisingly, it’s nowhere near the full story.


[A]ssessments of the phone dragnet […] don’t even take the IC at its word in its other, quieter admissions of how it uses the dragnet (notably, in none of Stone’s five posts on the dragnet does he mention any of these — one, two, three, four, five — raising questions whether he ever learned or considered them). These uses include:

  • Corporate store
  • “Data integrity” analysis
  • Informants
  • Index

Corporate store: As the minimization procedures and a few FISC documents make clear, once the NSA has run a query, the results of that query are placed in a “corporate store,” a database of all previous query results.

ACLU’s Patrick Toomey has described this in depth, but the key takeaways are once data gets into the corporate store, NSA can use “the full range of SIGINT analytic tradecraft” on it, and none of that activity is audited.

NSA would have you believe very few Americans’ data gets into that corporate store, but even if the NSA treats queries as it says it does, it could well be in the millions. Worse, if NSA doesn’t do what they say they do in removing high volume numbers like telemarketers, pizza joints, and cell voice mail numbers, literally everyone could be in the corporate store. As far as I’ve seen, the metrics measuring the phone dragnet only involve tips going out to FBI and not the gross number of Americans’ data going into the corporate store and therefore subject to “the full range of analytic tradecraft,” so we (and probably even the FISC) don’t know how many Americans get sucked into it. Worse, we don’t know what’s included in “the full range of SIGINT analytic tradecraft” (see this post for some of what they do with Internet metadata), but we should assume it includes the data mining the government says it’s not doing on the database itself.

The government doesn’t datamine phone records in the main dragnet database, but they’re legally permitted to datamine anyone’s phone records who has come within 3 degrees of separation from someone suspected of having ties to terrorism.

“Data integrity” analysis: As noted, the NSA claims that before analysts start doing more formal queries of the phone dragnet data, “data integrity” analysts standardize it and do something with (it’s unclear whether they delete or just suppress) “high volume numbers.” They also — and the details on this are even sketchier — use this live data to develop algorithms. This has the possibility of significantly changing the dragnet and what it does; at the very least, it risks eliminating precisely the numbers that might be most valuable (as in the Boston Marathon case, where a pizza joint plays a central role in the Tsarnaev brothers’ activities). The auditing on this activity has varied over time, but Dianne Feinstein’s bill would eliminate it by statute. Without such oversight, data integrity analysts have in the past moved chunks of data, disaggregated them from any identifying (collection date and source) information, and done … we don’t know what with it. So one question about the data integrity analyst position is how narrowly scoped the high volume numbers are (if it’s not narrow, then everyone’s in the corporate store); an even bigger one is what they do with the data in often unaudited behavior before it’s placed into the main database.
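The arithmetic behind the corporate store and high volume number points above can be made concrete with a small contact chaining run. The following is an added example, not NSA code and not the FISC-approved procedure: the call records are constructed, the numbers are made up, and the threshold that makes a number “high volume,” along with the choice to suppress such a number (record it but not chain through it) rather than delete it, are assumptions chosen to illustrate the post’s point. It chains out to a hop limit from a seed identifier and shows how a single high volume number (a constructed “pizza joint”) pulls unrelated subscribers into the query results.

```python
"""Contact chaining over constructed call metadata (added example).

Everything here is constructed: the call-detail records, the numbers and
the high-volume threshold are made up for illustration. Nothing in this
block is NSA code or the FISC-approved procedure; it only shows how hop
limits and "high volume numbers" drive the size of a query result, and
therefore of anything like a corporate store built from such results.
"""
from collections import defaultdict, deque

# Constructed call-detail records as (caller, callee) pairs.
# 555-9999 is a made-up "pizza joint" that several unrelated numbers call.
CDRS = [
    ("555-0001", "555-0002"),  # seed talks to 0002
    ("555-0002", "555-0003"),
    ("555-0003", "555-0004"),
    ("555-0004", "555-0005"),  # 0005 is four hops out from the seed
    ("555-0001", "555-9999"),  # seed orders pizza
    ("555-0100", "555-9999"),  # unrelated customers of the pizza joint
    ("555-0101", "555-9999"),
    ("555-0102", "555-9999"),
    ("555-0102", "555-0200"),  # a customer's own contact
]

# Assumption for illustration: a number with at least this many distinct
# contacts is treated as "high volume". The real criteria are not public.
HIGH_VOLUME_THRESHOLD = 3


def build_graph(cdrs):
    """Undirected contact graph: number -> set of numbers it exchanged calls with."""
    graph = defaultdict(set)
    for caller, callee in cdrs:
        graph[caller].add(callee)
        graph[callee].add(caller)
    return graph


def high_volume_numbers(graph, threshold=HIGH_VOLUME_THRESHOLD):
    """Numbers whose distinct-contact count meets the (assumed) threshold."""
    return {n for n, peers in graph.items() if len(peers) >= threshold}


def contact_chain(graph, seed, hops, suppress=frozenset()):
    """Breadth-first chain from `seed` out to `hops` hops.

    Returns {number: hop_distance}. Numbers in `suppress` are still recorded
    at the hop where they are reached but are not expanded further, which
    models "suppress" rather than "delete" for high volume numbers.
    """
    distance = {seed: 0}
    queue = deque([seed])
    while queue:
        current = queue.popleft()
        d = distance[current]
        if d == hops or current in suppress:
            continue
        for nxt in graph[current]:
            if nxt not in distance:
                distance[nxt] = d + 1
                queue.append(nxt)
    return distance


def corporate_store(graph, seeds, hops, suppress=frozenset()):
    """Union of every chain result: the set a store of past query results grows to."""
    store = set()
    for seed in seeds:
        store |= set(contact_chain(graph, seed, hops, suppress))
    return store


def compare_reach(cdrs, seed, hops):
    """Chain with and without high-volume suppression; return both result sizes."""
    graph = build_graph(cdrs)
    hv = high_volume_numbers(graph)
    raw = contact_chain(graph, seed, hops)
    filtered = contact_chain(graph, seed, hops, suppress=hv)
    return {"high_volume": hv, "raw": len(raw), "suppressed": len(filtered)}


if __name__ == "__main__":
    for hops in (2, 3):
        print(hops, "hops:", compare_reach(CDRS, "555-0001", hops))
```

With the constructed records, a three-hop chain from the seed reaches nine numbers; suppressing the one high volume number cuts that to five, and every one of the four dropped numbers is a pizza customer with no other link to the seed. Whether the real analysts delete, suppress, or leave such numbers in place is exactly what the post says is unknown, and the difference is the difference between a narrow result and one that sweeps in everyone who ever called the same busy number.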

Informants: Then there’s the very specific, admitted use of the dragnet that no one besides me (as far as I know) has spoken about: to find potential informants. From the very start of the FISC-approved program, the government maintained the dragnet “may help to discover individuals willing to become FBI assets,” and given that the government repeated that claim 3 years later, it does seem to have been used to find informants.

This is an example of a use that would support “connecting the dots” (as the program’s defenders all claim it does) but that could ruin the lives of people who have no tie to actual terrorists (aside from speaking on the phone to someone one or two degrees away from a suspected terror affiliate). The government has in the past told FISCR it might use FISA data to find evidence of other crimes — even rape — to coerce people to become informants, and in some cases, metadata (especially that in the corporate store, enhanced by “the full range of analytic tradecraft”) could pinpoint not just potential criminals, but people whose visa violations and extramarital affairs might make them amenable to narcing on the people in their mosque (with the additional side effect of building distrust within a worship community). There’s not all that much oversight over FBI’s use of informants in any case (aside from permitting us to learn that they’re letting their informants commit more and more crimes), so it’s pretty safe to assume no one is tracking the efficacy of the informants recruited using the powerful tools of the phone dragnet.

Index: Finally, there’s the NSA’s use of this metadata as a Dewey Decimal System (to use James Clapper’s description) to pull already-collected content off the shelf to listen to — a use even alluded to in the NSA’s declarations in suits trying to shut down the dragnet.

Section 215 bulk telephony metadata complements other counterterrorist-related collection sources by serving as a significant enabler for NSA intelligence analysis. It assists the NSA in applying limited linguistic resources available to the counterterrorism mission against links that have the highest probability of connection to terrorist targets. Put another way, while Section 215 does not contain content, analysis of the Section 215 metadata can help the NSA prioritize for content analysis communications of non-U.S. persons which it acquires under other authorities. Such persons are of heightened interest if they are in a communication network with persons located in the U.S. Thus, Section 215 metadata can provide the means for steering and applying content analysis so that the U.S. Government gains the best possible understanding of terrorist target actions and intentions. [my emphasis]

Don’t get me wrong. Given how poorly the NSA has addressed its longterm failure to hire enough translators in target languages, I can understand how much easier it must be to pick what to read based on metadata analysis (though see my concerns, above, about whether the NSA’s assessment techniques are valid). But when the NSA says, “non-US persons” here, what they mean is “content collected by targeting non-US persons,” which includes a great deal of content of US persons.

Which is another way of saying the dragnet serves as an excuse to read US person content.

On CISA the Surveillance Bill

After the Senate Intelligence Committee passed CISA, its sole opponent, Ron Wyden, said, “If information-sharing legislation does not include adequate privacy protections then that’s not a cybersecurity bill – it’s a surveillance bill by another name.” Robert Graham, an expert on intrusion-prevention, argues, “This is a bad police-state thing. It will do little to prevent attacks, but do a lot to increase mass surveillance.”

Clearly, some people who have reason to know think this bill doesn’t do what it says, but instead does a lot of what it isn’t admitting.

I want to look at several aspects of the bill from that perspective (this post primarily deals with the SSCI version but the HPSCI version is very similar).

Can our ISPs take countermeasures against us?

First, whom it affects. Ron Wyden has been warning about the common commercial service OLC memo and its impact on the cybersecurity debate for years, suggesting that the still-secret memo conflicts with the public’s understanding of “the law” (though he doesn’t say what law that is). While it’s unclear what that OLC memo says, Wyden seems to suggest that Americans have been subject to cybersecurity surveillance that they didn’t know about (perhaps because OLC had interpreted consent where it didn’t exist).

So I think it’s important that at the center of a series of definitions of “entities” in CISA is a definition that would include us, as private entities.

IN GENERAL.—Except as otherwise provided in this paragraph, the term ‘‘private entity’’ means any person or private group, organization, proprietorship, partnership, trust, cooperative, corporation, or other commercial or nonprofit entity, including an officer, employee, or agent thereof.

That’s important because the law permits both monitoring…

(1) IN GENERAL.—Notwithstanding any other provision of law, a private entity may, for cybersecurity purposes, monitor—

(A) an information system of such private entity;

(B) an information system of another entity, upon the authorization and written consent of such other entity;

And defensive measures (the bill’s new name for what it previously called “countermeasures,” from which they are otherwise largely indistinguishable) against a private entity that has provided consent to another private entity.

(B) EXCLUSION.—The term ‘‘defensive measure’’ does not include a measure that destroys, renders unusable, or substantially harms an information system or data on an information system not belonging to—

(i) the private entity operating the measure; or

(ii) another entity or Federal entity that is authorized to provide consent and has provided consent to that private entity for operation of such measure.

At a minimum, I think this should raise questions about whether Terms of Service of cable companies and Internet Service Providers and banks and telecoms amount to consent for this kind of monitoring and — in the name of cybersecurity — countermeasures.

Researching more crimes in name of cybersecurity than in name of terror

This is important, because CISA actually permits the use of information collected in the name of “cybersecurity” to be used for more uses than the NSA is permitted to refer it under foreign intelligence collection (though once FBI is permitted to back door search everything, that distinction admittedly disappears). In addition to its use for cybersecurity — which is itself defined broadly enough to mean, in addition, leak and Intellectual Property policing — this “cybersecurity” information can be used for a variety of other crimes.

(iv) the purpose of responding to, or otherwise preventing or mitigating, an imminent threat of death, serious bodily harm, or serious economic harm, including a terrorist act or a use of a weapon of mass destruction;

(v) the purpose of responding to, or otherwise preventing or mitigating, a serious threat to a minor, including sexual exploitation and threats to physical safety; or

(vi) the purpose of preventing, investigating, disrupting, or prosecuting an offense arising out of a threat described in clause (iv) or any of the offenses listed in— (I) section 3559(c)(2)(F) of title 18, United States Code (relating to serious violent felonies); (II) sections 1028 through 1030 of such title (relating to fraud and identity theft); (III) chapter 37 of such title (relating to espionage and censorship); and (IV) chapter 90 of such title (relating to protection of trade secrets).

As a number of people have noted, for CISA data to be usable for the purposes listed, both private entities (upon sharing) and the government (on intake) will actually have to leave a fair amount of personal data in place.

Why does domestic spying have less stringent minimization than foreign spying?

Which brings me to the purported “privacy and civil liberties guidelines” the bill has. The bill mandates that the Attorney General come up with guidelines to protect privacy that will,

(A) limit the impact on privacy and civil liberties of activities by the Federal Government under this Act;

(B) limit the receipt, retention, use, and dissemination of cyber threat indicators containing personal information of or identifying specific persons, including by establishing—

(i) a process for the timely destruction of such information that is known not to be directly related to uses authorized under this Act; and

(ii) specific limitations on the length of any period in which a cyber threat indicator may be retained;

(C) include requirements to safeguard cyber threat indicators containing personal information of or identifying specific persons from unauthorized access or acquisition, including appropriate sanctions for activities by officers, employees, or agents of the Federal Government in contravention of such guidelines;

(D) include procedures for notifying entities and Federal entities if information received pursuant to this section is known or determined by a Federal entity receiving such information not to constitute a cyber threat indicator;

(E) protect the confidentiality of cyberthreat indicators containing personal information of or identifying specific persons to the greatest extent practicable and require recipients to be informed that such indicators may only be used for purposes authorized under this Act; and

(F) include steps that may be needed so that dissemination of cyber threat indicators is consistent with the protection of classified and other sensitive national security information.

It’s worth comparing what would happen here to what happens under both Section 215 (which FBI claims to use for cybersecurity) and FAA (which ODNI has admitted to using for cybersecurity — and indeed, which uses upstream searches to find the very same kind of signatures).

With the former, the FISC had imposed minimization procedures and required the government to report on compliance with them. The FISC, not the AG, has set retention periods. And at least for the NSA’s use of Section 215 (which should be the comparison here, since NSA will be one of the agencies getting the data), data must be presumptively minimized. Also, unlike the phone dragnet data, at least, where data must be certified according to a counterterrorism use, here data is shared across multiple agencies in real time.

FAA’s minimization procedures also get reviewed by the FISC (the reporting back is probably not as stringent, though it is checked yearly). And there’s a whole slew of reporting.

While there is some reporting here, it is bifurcated so that PCLOB, which has no subpoena power, does the actual privacy assessment, whereas the Inspectors General, which are assured they can get information they need (even if DOJ’s Inspector General keeps getting denied data they should get), report solely on numbers and types of usage, without a privacy or even compliance assessment.

One of my favorite parts of CISA (this is true of both bills) is that while the bills mandate an auditing ability, they don’t actually mandate audits (the word appears exactly once in both bills).

In other words, Congress is about to adopt a more permissive collection of data for domestic spying than it does for foreign spying. Or, in the context of Section 215, it may be adopting more permissive treatment of data voluntarily turned over to the government than that data turned over in response to an order.

And all that’s before you consider data flowing in the reverse direction. While the bills do require penalties if a government employee or agent (which hopefully includes the contractors this bill will spawn) abuses this data sharing, they impose none on private entities. (The House version also has a 2 year statute of limitations for this provision, which all but guarantees it will never be used, given that abuse would never be discovered in that period, particularly given the way FOIA and Trade Secret exemptions make this data sharing less accessible even than spying data.)

Perhaps my very favorite part of this bill appears only in the House version (which of course came after the Senate version elicited pretty universal complaints that it was a surveillance bill from civil libertarians). It has several versions of this clause.

(a) PROHIBITION OF SURVEILLANCE.—Nothing in this Act or the amendments made by this Act shall be construed to authorize the Department of Defense or the National Security Agency or any other element of the intelligence community to target a person for surveillance.

The word “surveillance,” divorced from the modifier “electronic” is pretty meaningless in this context. And it’s not defined here.

So basically HPSCI, having seen how many people correctly ID this as a surveillance bill, has just taken a completely undefined term, “surveillance,” and prohibited that under this bill. So you can collect all the content you want under this bill with no warrant, and you can supersede ECPA all you want too, but just don’t call it surveillance.

In Which the National Security Council Discovers the Grand Jury Subpoena

Back when Jim Comey ate 20 journalists for lunch, he said that if Congress imposed more controls on National Security Letters, FBI would just get more grand jury subpoenas, which require fewer approvals than NSLs anyway.

Which is one reason I find National Security Council spokesperson Ned Price’s promise that if Section 215 lapses, “a critical national security tool” used in other contexts would be lost to be so interesting.

NSC spokesman Ned Price told Reuters the administration had decided to stop bulk collection of domestic call metadata unless Congress re-authorizes it.

Some legal experts have suggested that even if Congress does not extend the law the administration might be able to convince the Foreign Intelligence Surveillance Court to authorize collection under other authorities.

Price made clear the administration does not intend to do so. The administration is encouraging Congress to enact legislation in the coming weeks that would allow collection to continue.

“If Section 215 (of the law which covers the collection) sunsets, we will not continue the bulk telephony metadata program,” he said.

“Allowing Section 215 to sunset would result in the loss, going forward, of a critical national security tool that is used in a variety of additional contexts that do not involve the collection of bulk data.”

This reaffirms what Bob Litt said last month at Brookings, that the government claims it won’t continue the phone dragnet under Section 215 under a grandfather approach. But it also emphasizes the stuff journalists often ignore or don’t understand: that most Section 215 orders are for other things, and the government may or may not find those sufficiently important to panic over.

Still, at least some of what the government is doing with those other Section 215 orders could be done with grand jury subpoenas.

Or maybe it couldn’t. Maybe they’re collecting this stuff without the underlying predicate for an investigation, and therefore need to do it via Section 215?? Maybe the collection is so Constitutionally problematic that data collected using a subpoena — with the greater chance it would be reviewed by a judge in an adversarial proceeding — would get thrown out?

But if so, perhaps we should revisit the collection?

Or, just as provocatively, if this other collection is so important and cannot be done with a grand jury subpoena, then maybe the government should ditch the phone dragnet — it could do it instead in limited form with NSLs — so it can save the other programs it doesn’t want to talk about?

Would the government be willing to trade the phone dragnet — which has never IDed any plot — for the other programs Section 215 supports?

Correlations and FBI Claims in the Marathon Trial

Kevin Swindon, the FBI Supervisory Special Agent in charge of computer forensics for the Boston Marathon attack, just finished testimony. His testimony raised more questions than it answered. That’s true, in part, because the government had him testify rather than some of the Agents who report to him who did the actual analysis on the many devices related to the investigation. So for key questions, he had to answer that he didn’t know. He also dodged explaining who cherry picked the files to present to the jury that made Dzhokhar Tsarnaev look singularly focused on jihad when his computer showed he was more interested in pop music and something else — probably sexual? — that young men are often interested in.

On cross, Dzhokhar’s attorney William Fick tried to direct Swindon to describe more about a laptop found at Watertown that apparently belonged to Tamerlan. Swindon admitted the laptop — unlike all the computers Dzhokhar used — used strong encryption and also had a goodly number of Russian language documents on explosives. But over and over Swindon claimed he had only taken a “cursory” look at that computer.

I’m betting the person who did the more than cursory analysis of it would be a far more interesting witness and that’s why we didn’t hear from him or her. Not only will we not get to hear from that witness, apparently, but Judge George O’Toole upheld a prosecution objection to ask further questions about it.

Before that, prosecutor Aloke Chakravarty led Swindon through a very bizarre exercise. He had Swindon show how the same songs that were on one of Dzhokhar’s devices showed up on another. He showed continuity between an iPod, a Samsung phone, and the Sony found in his dorm room. In other words, the government used common songs as a means to correlate these computers, rather than actual forensic evidence that Swindon surely could have presented. I find that really problematic. Sure, the government probably wants to pretend it doesn’t do such correlations forensically, but to suggest that someone’s musical downloads show common ownership seems really problematic.

All the more so given that for another of the computers (I’m not sure if this is Dzhokhar’s college computer or the HP at the Tsarnaev house in Cambridge, but it may not matter, as Dzhokhar’s computer dated to when he still lived at home) there was evidence of multiple Skype users, though Swindon claimed to be unaware of that fact. We know the government correlates using such things, and the fact that evidence of other users was deliberately not presented (probably through choice of witness more than through deceit) is really problematic.

The defense also showed that the thumb drive found in the computer that Dzhokhar’s buddies had thrown out had a rental application from his sister-in-law, showing that whether or not he used these devices in common, plenty of other people were using them as well.

In short, the government wanted to use really problematic correlation mapping to prove that Dzhokhar was accessing jihadist material (even though a question about whether one of the computers had ever searched on the term was not permitted), but they can’t even prove who was using any of the computers when, and pointedly avoided using real forensic means to do so.

If FISC Consults Technical Experts and Nobody Sees It, Does It Really Happen?

Back in January, PCLOB released a progress report on the reports it released, describing whether the government has taken up its recommendations. There’s a detail in it I’ve been meaning to call attention to:

Recommendation 5: Take Full Advantage of Existing Opportunities for Outside Legal and Technical Input in FISC Matters

[snip]

The FISC should take full advantage of existing authorities to obtain technical assistance and expand opportunities for legal input from outside parties.

[snip]

Discussion of Status: As noted in the Board’s report, prior to the issuance of the Board’s recommendation the FISC had on one occasion accepted an amicus brief from an outside party (relating to the legality of a publicly known FISA surveillance program), and the PCLOB is aware of specific instances in classified matters in which the FISC has since taken action consistent with this recommendation.

It was always clear (as the amicus permitted under In re Sealed Case showed) that FISC could ask for help. Apparently, having been called out for never seeking out opinions outside of the government (which repeatedly got caught being less than forthcoming), FISC has now sought help.

It might be additional legal views. It might be technical help. Who knows?

If I had to wildarseguess, I’d imagine FISC has considered what to do about location tracking programs in light of various circuit decisions over the last year. If that’s right (and it’s just a wildarseguess), it might be technical assistance.

But given the kind of people — like Michael Hayden — pitched as technical experts in DC, what good does that do? Unless the community can vet the technical expertise the FISC calls on for help, it doesn’t add to the Court’s legitimacy. Nor does it help FISC ensure it’s really getting what it needs when it seeks outside advice.