FISA Archives - Page 79 of 179

The “McCain Committee” Would Be Full of NSA Defenders

February 5, 2014/17 Comments/in Cybersecurity, FISA /by emptywheel

Imagine a McCain Committee as the inheritor of the tradition of Frank Church and Otis Pike.

(Yes, I did that to make bmaz’ head explode.)

That seems to be what John McCain intends with his resolution calling for a Committee to Investigate the Dragnet. (h/t Steven Aftergood)

Only, McCain proposes to investigate not just whether NSA has engaged in things it was not authorized to do. But also to investigate Snowden’s leaks themselves and the potential role of contractors in making leaks more likely.

All that said, I might be excited about McCain’s proposal to review the dragnet, as described:

(3) The nature and scope of National Security Agency intelligence-collection programs, operations, and activities, including intelligence-collection programs affecting Americans, that were the subject matter of the unauthorized disclosure, including–

(A) the extent of domestic surveillance authorized by law;

(B) the legal authority that served as the basis for the National Security Agency intelligence-collection programs, operations, and activities that are the subject matter of those disclosures;

(C) the extent to which such programs, operations, and activities that were the subject matter of such unauthorized disclosures may have gone beyond what was authorized by law or permitted under the Constitution of the United States;

(D) the extent and sufficiency of oversight of such programs, operations, and activities by Congress and the Executive Branch; and

(E) the need for greater transparency and more effective congressional oversight of intelligence community activities.

There’s just one problem with McCain’s proposal.

Here’s the list of the people who would be on the Committee (he provides titles, I’m providing names):

Diane Feinstein
Saxby Chambliss
Carl Levin
Jim Inhofe
Tom Carper
Tom Coburn
Robert Menendez
Bob Corker
Pat Leahy
Chuck Grassley
Jello Jay Rockefeller
John Thune
A Harry Reid pick
A Mitch McConnell pick

There are a number of very big NSA defenders on this list — in addition to DiFi and Saxby, both Jello Jay and Coburn are Intel Committee members who have never questioned the dragnet (indeed, Coburn has called for getting rid of the controls on the phone dragnet!). Chuck Grassley, too, has generally been supportive of the dragnet in SJC hearings on the subject. Most of the rest are simply not the caliber of people who might critically assess the dragnet much less show real interest in Americans’ privacy. Only Carl Levin and Pat Leahy, alone among the 12 named members, have been explicitly skeptical of the dragnet at all.

McCain proposes a Select Committee to investigate the dragnet. And he proposes to fill it with people who are really happy with the dragnet as it currently exists.

Update: Just to give a sense of how terrible this make-up for a Select Committee is, compare it with the bipartisan list of 26 Senators who asked James Clapper for more information on other uses of Section 215 last June. Just one Senator from that list — Pat Leahy — would be on McCain’s committee.

Update: Haha! Via Matt Sledge, DiFi shot McCain’s idea down pretty quickly.

Density within Legal Density

February 5, 2014/1 Comment/in Cybersecurity, FISA /by emptywheel

Ben Wittes has a long post trying to explain the NSA’s job in such a way as to “tell a young student what intelligence collection under the rule of law looks like” without inducing “a sense of betrayal.”

I have no problem with Wittes’ attempt to develop such an explanation, nor any great gripe with his effort. I’m not going to accuse Wittes of being naked this time.

But I want to raise three details that show the problem behind the effort.

First, Wittes’ entire statement reads,

NSA does not, except in emergencies, intentionally target for collection the communications of specific Americans without seeking a court order first, and it does not intentionally target for collection the communications of individuals known to be in the United States. It does, however, routinely acquire and store the communications of US persons and some domestic communications as a necessary incident to its broad collection directed at targets overseas—and it then has rules restricting the retention and use of this material to the extent it does not have foreign intelligence value. What’s more, NSA routinely acquires in bulk the records, but not the contents, of domestic telephone communications, which it uses for narrow counterterrorism purposes.

With the caveat that most people’s definition of “target” is not as specific as NSA’s is, I don’t have a big issue with this statement.

Except that it is false to say the phone dragnet is only used “for narrow counterterrroism purposes.” As Dianne Feinstein stated and Keith Alexander confirmed back in June, the dragnet is used with al Qaeda related groups and with Iran.

It can only look at that data after a showing that there is a reasonable, articulable that a specific individual is involved in terrorism, actually related to al Qaeda or Iran.

Now, perhaps in reality the dragnet is used against Hizballah, which the US, at least, treats as a terrorist organization. But to the extent that the dragnet is used against specific individuals from Iran “involved in terrorism,” then the entire notion of “narrow counterterrorism purposes” goes out the window, because accusing Iran of engaging in terrorism, even in the context of Iraq (where I suspect such usage derives from) is problematic. That’s true not just because Iran has been the target of what might count as terrorist acts, including assassinations of civilians, but also because those whom we’ve listed as terrorists (including members of the Republican Guard and its bank) are engaged in what ought to be considered legitimate defense of a sovereign nation.

So even if you agree with the approach the US has adopted with Iran, including it among the terrorists you can use the phone dragnet against moves beyond “narrow” counterterrorism into counterterrorism as a tactical tool wielded against a state adversary. And that such definitions can happen in secret (Iran’s listings on Treasury’s terrorism list are not secret, but the choice to include it among the two general targets of the dragnet was secret until June) means there’s no reason to trust that the phone dragnet will remain narrowly targeted.

Then there’s the notion our targets are all overseas. They’re not. Hacking targets are in the US, and there’s good reason to believe the upstream collection is used against them (we do know there’s a cybersecurity certification for Section 702). NSA presumably manages to conduct this domestic spying in the guise of foreign intelligence by noting how difficult it is to attribute hacks (that’s also presumably how it justifies holding all encrypted communications indefinitely). In other words, what we’re seeing is a redefinition of “foreign” to incorporate more and more that is domestic, which in part amounts to using intelligence rather than law enforcement tools against criminal activity because some but not all of that criminal activity is propagated by states. (Note, in yesterday’s hearing Peter Swire suggested NSA’s info assurance function is where it serves as a domestic security agency.)

Then there’s this statement from Wittes:

We want a robust foreign intelligence capability. We don’t want our domestic relations between citizens and government conditioned by an intelligence agency—which necessarily uses secrecy, deceit and trade-craft that has no part in domestic governance.

This is why I harp constantly about the use of the dragnet to identify potential informants. Because it is precisely through that application of the dragnet where NSA’s activities lead directly to the the interjection of secrecy, deceit, and trade-craft in domestic governance. Sure, FBI (that hybrid intelligence/law enforcement agency) carries out that secrecy, deceit, and trade-craft, not NSA. But the power of the dragnet makes all that deceit potentially far worse (because it provides a way to exploit the secrets of innocent citizens to coerce them to become informants). That NSA is one step removed from this troubling approach does not mean it is not party to it.

Again, these are details, details which don’t necessarily invalidate Wittes’ larger point, but show that even within the larger framework, NSA has secretly violated those principles Wittes would like to believe.

The State Monopoly on DDoS

February 5, 2014/4 Comments/in FISA, WikiLeaks /by emptywheel

One reason I harped on the way Ken Dilanian referred to the “official position” that hacking other governments was acceptable was because I suspected the government does what NBC just reported they do: engage in hacking against other targets, in this case, hackers like Anonymous.

[A] division of Government Communications Headquarters Communications (GCHQ), the British counterpart of the NSA, shut down communications among Anonymous hacktivists by launching a “denial of service” (DDOS) attack – the same technique hackers use to take down bank, retail and government websites – making the British government the first Western government known to have conducted such an attack.

As I noted on Twitter, the report that GCHQ targeted Anonymous should raise questions (that have already been raised) whether either GCHQ or NSA was behind the DDoS attack on noted publishing site WikiLeaks in 2010.

So the NSA (and GCHQ) believe some hacks are legitimate and some are not. But in addition, both are effectively asserting that the state should have a monopoly on hacking, just as it asserts a monopoly on violence. As some of the people involved have been commenting on Twitter, they got charged for DDoSing, even as the Brits were engaging in precisely the same behavior. Particularly troubling, there’s no indication NSA or GCHQ believe they need warrants to exercise their monopoly on hacks against their own citizens (FBI has in the past gotten a warrant to bring down a botnet, so there is precedent).

Of course, therein lies part of the problem: that intelligence is bleeding into law enforcement, and the tools of inter-state spying are being wielded against criminals (and dissidents).

None of this is surprising. It arises directly out of the way the government has gone after terrorists, and this treatment of an IRC channel is directly parallel to the same kind of guilt by association used against terrorists.

James Clapper Confirms NSA Engages in Domestic Surveillance

February 4, 2014/9 Comments/in FISA /by emptywheel

In today’s threat hearing, Jim Langevin tried to get James Clapperto provider him with talkingp points he could use in radio interviews about the seriousness of the Snowden leaks. (39:15 and following)

One problem with that — as Clapper readily admitted — is that the Intelligence Community doesn’t know what Snowden has (in spite of their repeated leaked claims that he has 1.7 million documents).

Clapper: We don’t really know the full extent or the full impact of these revelations.

Langevin pressed, asking Clapper to quantify in some way what he had briefed the committee that the “vast majority of data that’s been stolen, that we’ve been able to assess to date, has had very little to do with just surveillance.”

Clapper hedged and hedged, until Langevin got him to say that “less than 10% of what Snowden might potentially have taken (but they don’t know one way or another) has to do with domestic surveillance.”

Clapper: That’s also difficult. I can just say that the vast vast majority of what has been potentially compromised — as I indicated in my oral statement — goes way way beyond the revelations about domestic surveillance which I was given to understand that was his primary concern. What he potentially — what he accessed, what he scraped, what he potentially made off with is, uh, transcends that. So it’s quite serious.

Langevin: Can you say–

Clapper: It’s hard pressed to ascribe a number.

Langevin: Can you give a, is it 10% or,

Clapper: I would say that probably less than 10% has to do with domestic surveillance.

Now, there’s a lot that’s telling about this exchange. I have noted months ago that the government would have been better served providing Snowden a way to cooperate with their investigation, as former actual spies would. But they chose to strand him in Russia, leaving them perpetually uncertain about what Snowden has and what the Russians might get, and therefore responding not just to what does get released, but to everything they think he might potentially have taken.

Then there’s Clapper’s suggestion that all Snowden might want to expose only “domestic surveillance.” The notion that US corruption of encryption standards, or US collection of US person data overseas, or Five Eyes creation of the architecture of tyranny (turnkey tyranny and architecture of oppression are terms Snowden has used), is not every bit as important as exposing the dragnet, he misunderstands the power of the dragnets he oversees.

But finally, there’s Clapper’s use of the term “domestic surveillance” (which in his opening statement he called “so-called domestic surveillance”) and his suggestion that less than 10% of Snowden’s leaks address it.

The NSA has been telling us for months and months they don’t engage in domestic surveillance.

James Clapper apparently admits they do.

Contractors Already Have Access to the Phone Dragnet

February 4, 2014/5 Comments/in Contractors, FISA /by emptywheel

In today’s HJC hearing on the NSA, there was extensive discussion about the risks of outsourcing the dragnet to the telecoms or — especially, to a third party holding all the data. It’s a concern I share.

That said, not a single person at the hearing seemed to be aware of this footnote, which has been in the phone dragnet primary orders since at least last April.

5 For purposes of this Order, “National Security Agency” and “NSA personnel” are defined as any employees of the National Security Agency/Central Security Service (“NSA/CSS” or “NSA”) and any other personnel engaged in Signals Intelligence (SIGINT) operations authorized pursuant to FISA if such operations are executed under the direction, authority, or control of the Director, NSA/Chief, CSS (DIRNSA).

If this language left any doubt that it permits contractors to directly query the database of every single phone-based relationship in the US, this language from Dianne Feinstein’s Fake FISA Fix bill report (which aims to codify the status quo) should eliminate them.

The Committee believes that, to the greatest extent practicable, all queries conducted to the authorities established under this section should be performed by Federal employees. Nonetheless, the Committee acknowledges that it may be necessary in some cases to use contractors to perform such queries. By using the term “government personnel” the Committee does not intend to prohibit such contractor use.

Contractors already have access to the dragnet.

If it presents a security threat to have contractors from Booz Allen Hamilton or some other intelligence contractor to have direct access to the dragnet, then we need to shut the dragnet down.

Because they’ve already got it.

Mike Rogers Aims to Criminalize One of the Main Things that Affords Journalists Protections: Getting Paid

February 4, 2014/15 Comments/in FISA, Press and Media /by emptywheel

Remember DOJ’s efforts to placate journalists (rather stunningly, in retrospect, rolled out a month after the first Edward Snowden leaks)?

As I noted at the time, DOJ’s new protections for the press applied not to the act of journalism, but rather to members of the news media. DOJ’s own Domestic Investigations and Operations Guide requires institutional affiliation before they’ll treat someone as a journalist.

“News media” includes persons and organizations that gather, report or publish news, whether through traditional means (e.g., newspapers, radio, magazines, news service) or the on-line or wireless equivalent. A “member of the media” is a person who gathers, reports, or publishes news through the news media.

[snip]

As the term is used in the DIOG, “news media” is not intended to include persons and entities that simply make information available. Instead, it is intended to apply to a person or entity that gathers information of potential interest to a segment of the general public, uses editorial skills to turn raw materials into a distinct work, and distributes that work to an audience, as a journalism professional. [my emphasis]

According to the DOJ, then, you have to get paid (preferably by an institution recognized to be a press) to be afforded heightened First Amendment protection as a journalist.

Except now House Intelligence Chair Mike Rogers wants to criminalize that — one of the main things that warrants you protection by DOJ as a journalist, getting paid — by calling it “fencing stolen material.”

REP. ROGERS: You — there have been discussions about selling of access to this material to both newspaper outlets and other places. Mr. Comey, to the best of your knowledge, is fencing stolen material — is that a crime?

DIRECTOR JAMES COMEY: Yes, it is.

REP. ROGERS: And would be selling the access of classified material that is stolen from the United States government — would that be a crime?

DIR. COMEY: It would be. It’s an issue that can be complicated if it involves a news-gathering and news promulgation function, but in general, fencing or selling stolen property is a crime.

REP. ROGERS: So if I’m a newspaper reporter for — fill in the blank — and I sell stolen material, is that legal because I’m a newspaper reporter?

[snip]

REP. ROGERS: And if I’m hocking stolen classified material that I’m not legally in possession of for personal gain and profit, is that not a crime?

DIR. COMEY: I think that’s a harder question because it involves a news-gathering functions — could have First Amendment implications. It’s something that probably would be better answered by the Department of Justice.

REP. ROGERS: So entering into a commercial enterprise to sell stolen material is acceptable to a legitimate news organization?

DIR. COMEY: I’m not sure I’m able to answer that question in the abstract.

REP. ROGERS: It’s something we ought to think about, is it not?

DIR. COMEY: Certainly.

So you’re not a journalist (and get no protections) if you don’t get paid. But if you do get paid, you’re fencing stolen property.

I do hope the traditional press recognizes the danger in this stance.

The “Foreign Intelligence” Dragnet May Not Be about “Foreign Intelligence”

February 4, 2014/7 Comments/in FISA /by emptywheel

There’s one more totally weedy change in the phone dragnet orders I wanted to point out: the flimsy way the program has, over time, tied into “foreign intelligence.”

To follow along, it’s helpful to use the searchable versions of the phone dragnet orders ACLU has posted.

Start by searching on this order — from December 11, 2008, just before FISC started cleaning up the dragnet problems — for “foreign intelligence” (all the earlier orders are, I believe, identical in this respect). You should find 5 instances: 3 references to the FISC, a reference to the language from the Section 215 statute requiring the tangible things be either for foreign intelligence or to protect against international terrorism (¶1 on page 2), and a discussion tying dissemination of US person data to understanding foreign intelligence (¶(3)D on page 9).

In the last instance, the order introduces foreign intelligence, but then drops it. The very next sentence shifts the measure of whether the US person information can be disseminated from “foreign intelligence” to “counterterrorism” — and counterterrorism here is not explicitly tied to international terrorism, although the statute requires it to be.

Before information identifying a U.S. person may be disseminated outside of NSA, a judgment must be made that the identity of the U.S. person is necessary to understand the foreign intelligence information or to assess its importance. Prior to the dissemination of any U.S. person identifying information, the Chief of Information Sharing Services in the Signals Intelligence Directorate must determine that the information identifying the U.S. person is in fact related to counterterrorism information and that it is necessary to understand the counterterrorism information or assess its importance.

Significantly, ¶(3)C on page 8 — the main paragraph restricting NSA’s access to the dragnet data — says nothing about foreign intelligence.

This language would, I believe, have permitted the government to search on and disseminate US person information for reasons without a foreign nexus (and they played word games with other language in the original orders, notably with the word “archives”).

Now check out the next order, dated March 5, 2009. In this — the first of the primary orders dealing with the dragnet problems — the language potentially tying the FBI investigation to foreign intelligence is eliminated (I talked about that change here).The language on dissemination remains the same — that is, the paragraph does not tie dissemination of US person information to terrorism with an international nexus. But ¶(3)C — the key paragraph regulating access — now specifies that NSA can only “query the BR metadata for purposes of obtaining foreign intelligence.”

In the process of very narrowly limiting what NSA could do with the phone dragnet, Judge Reggie Walton added language limiting queries to foreign intelligence purposes, not just terrorism purposes (though I believe it still could be read as permitting dissemination of information without a foreign nexus).

As a reminder, during the interim period, the government had admitted to tracking 3,000 US persons without submitting them to a First Amendment review.

The orders for the following year changed regularly (and the Administration has withheld what are surely the most interesting orders from that year), but they retained that restriction on queries to foreign intelligence purposes.

But now look what that language in ¶(3)C has since evolved into, starting with the order dated October 29, 2010, though the language below comes from the April 25, 2013 order (the October 29 one has “raw data” hand-written into it, making it clear these requirements, including auditability, only applies to the collection store, not the corporate store).

NSA shall access the BR metadata for purposes of obtaining foreign intelligence information only through contact chaining queries of the BR metadata as described in paragraph 17 of the [redacted] Declaration attached to the application as Exhibit A, using selection terms approved as “seeds” pursuant to the RAS approval process described below.5 NSA shall ensure, through adequate and appropriate technical and management controls, that queries of the BR metadata for intelligence analysis purposes will be initiated using only a selection term that has been RAS-approved. Whenever the BR metadata is accessed for foreign intelligence analysis purposes or using foreign intelligence analysis query tools, an auditable record of the activity shall be generated.

At first glance, this paragraph would seem to add protections that weren’t in the orders previously, ensuring that the phone dragnet only be accessed for foreign, not domestic, intelligence.

But it’s actually only partly a protection.

In fact, the “foreign intelligence” language here serves to distinguish this controlled access from the “data integrity” access (though they no longer call it that), which is described in the previous paragraph.

Appropriately trained and authorized tedmical personnel may access the BR metadata to perform those processes needed to make it usable for intelligence analysis. Technical personnel may query the BR metadata using selection terms4 that have not been RAS-approved (described below) for those purposes described above, and may share the results of those queries with other authorized personnel responsible for these purposes, but the results of any such queries will not be used for intelligence analysis purposes. An authorized technician may access the BR metadata to ascertain those identifiers that may be high volume identifiers. The technician may share the results of any such access, i.e., the identifiers and the fact that they are high volume identifiers, with authorized personnel (including those responsible for the identification and defeat of high volume and other unwanted BR metadata from any 9f NSA’ s various metadata repositories), but may not share any other information from the results of that access for intelligence analysis purposes. In addition, authorized technical personnel may access the BR metadata for purposes of obtaining foreign intelligence information pursuant to the requirements of subparagraph (3)C below.

Footnote 4, discussing “selection terms” is a fairly long, entirely redacted paragraph. And the last sentence, allowing these technical personnel to also conduct foreign intelligence information queries, is fairly recent.

This language would seem to describe the data integrity role more than it had previously been, specifying the search for high volume numbers, plus whatever appears in footnote 4. And it would seem to limit the use of such information, since it doesn’t permit “intelligence analysis” (notwithstanding the fact that figuring out which selectors are high volume is intelligence analysis, to say nothing about the underlying technical decisions that shape automated search functions). But the first use of the dragnet in current descriptions pertains not to contact chaining at all, but as a resource for tech personnel to identify certain characteristics of call patterns using raw data.

Further, these tech personnel now get to double dip: access raw data in intelligible form to get it ready for querying and something else, and access it to conduct queries. That they even have that authority — explicitly — ought to raise alarm bells. Anything data integrity analysts see while doing data integrity, they can run as a query to access in a form that can be disseminated.

Now, perhaps this alarming structural issue is not being abused or exploited. Perhaps it shouldn’t concern us that a dragnet purportedly serving “foreign intelligence” purposes seems to serve, even before that, a different role entirely, not only tied to any foreign purpose.

But we have had assurances over and over in the last 8 months that the NSA can only access this database for certain narrowly defined foreign intelligence purposes. That wasn’t, by letter of the order, at least, true for the first three years. And by the letter of the order, it’s not true now.

Is Google Sharing 9,500 Users’ Data, or 65,000?

February 3, 2014/in FISA /by emptywheel

Google just released its shiny new transparency numbers reflecting DOJ’s new transparency rules.

While they tell us some interesting things, the numbers show how many questions the transparency system raises. I’ve raised the questions below, linked to my discussion by bolded number.

Google is using option 1 (perhaps because they had already reported their NSL numbers), in which they break out NSLs separately from FISA orders, but must report in bands of 1000.

Note that Google starts this timeline in 2009, whereas their criminal process numbers pertaining to user accounts only start in 2011. Either because they had these FISA numbers ready at hand, or because they made the effort to go back and get them (whereas they haven’t done the same for pre-2011 criminal process numbers), they’re giving us more history on their FISA orders than they did on criminal process. They probably did this to show the entire period during which they’ve been involved in PRISM, which started on January 14, 2009.

Google gets relatively few non-content requests, and the number — which could be zero! — has not risen appreciably since they got involved in PRISM.(1) (I suspect we’re going to see fairly high non-content requests from Microsoft, because they pushed to break these two categories out).

US Official Position Says Hacking Is Permissible?

February 3, 2014/1 Comment/in Cybersecurity, FISA /by emptywheel

According to LAT’s Ken Dilanian, it is the “official position” of the US government that some kinds of hacking are “permissible.”

The official U.S. position — that governments hacking governments for military and other official secrets is permissible, but governments hacking businesses for trade secrets is not — is a tougher sell these days.

He makes the claim in an article that originally claimed Edward Snowden’s leaks have set back cybersecurity efforts, but then had to issue a correction acknowledging CISPA probably wasn’t going to happen anyway.

An article in the Feb. 2 Section A on the effects of Edward Snowden’s leaks of National Security Agency secrets said the White House backed the Cyber Intelligence Sharing and Protection Act, a cybersecurity measure. The White House threatened to veto the proposed bill in April. —

I take from this correction that Dilanian was fairly uncritically repeating the claims of NSA boosters — as other reporters have credulously repeated claims about the way Snowden’s leaks will affect cybersecurity initiatives.

Which is why I find his description of this “official position” so interesting.

I’m not aware of the US endorsing any official (public) policy on the kinds of hacks NSA (and CyberCommand) are permitted. Congress has tried to put some limits on it — or at least get briefing on it. And Keith Alexander successfully fought for a lot more autonomy over the hacks he could do.

The Executive does, however, have an official policy on SIGINT: President Obama’s recent Presidential Policy Directive. But a SIGINT official position and a hacking policy are not necessarily the same thing. While hacking is one way we collect SIGINT (though I don’t think NSA has admitted to that), we also conduct hacking for offensive purposes.

Even assuming they were the same thing, Dilanian’s characterization would be a misstatement of the policy in any case.

The actual policy permits the collection of SIGINT for broadly defined foreign intelligence purposes.

Thus, ” foreign intelligence ” means ” information relating to the capabilities, intentions, or activities of foreign governments or elements thereof, foreign organizations, foreign persons, or international terrorists,

Of course, corporations are, under US law, both “organizations” and “persons,” so this definition permits spying on foreign corporations (other intelligence documents lay this out explicitly).

And the PPD does permit the collection of foreign private commercial information to protect US and allies’ national security.

The collection of foreign private commercial information or trade secrets is authorized only to protect the national security of the United States or its partners an d allies. It is not an authorized foreign intelligence or counterintelligence purpose to collect such information to afford a competitive advantage 4 to U.S. companies and U.S. business sectors commercially.

This is, frankly, where our hypocrisy on hacking (and SIGINT) begins to fall apart, given that China would maintain that stealing our military (and energy and tech) secrets are a matter of national security, and the fact that our government maintains more nominal separation from the companies that develop such things than China does should not shield those companies from spying.

And then, finally, the limits on data collection don’t apply when the NSA is working to develop SIGINT capabilities.

it shall not apply to signals intelligence activities undertaken to test or develop signals intelligence capabilities.

Given that some of our alleged hacking seems to support efforts to develop new hacking capabilities, this exception could prove infinitely recursive, especially given the rules on information collection in the name of cyberdefense and attacks. And of course, when we exploited Siemens’ SCADA industrial control systems to attack Iran, we used a corporate competitor’s trade secrets in the name of national security.

That is, even ignoring how America’s self-interested standard simply defines our national security in terms that legitimize our own hacking, when you get into the interaction of our intelligence to hack which serves to collect intelligence, the rules on SIGINT basically fall apart.

But hey. If the US says hacking of official government secrets is “permissible,” then maybe DOJ will withdraw the charges against Edward Snowden?

For the Purposes of Analytical Efficiency, Making Copies of the Dragnet

February 3, 2014/2 Comments/in FISA /by emptywheel

In 2008, NSA started (or started telling the FISA Court) it was copying the dragnet.

Starting with the January docket BR 08-01 (the date is illegible but it should be around January 4, 2008), the orders added a footnote saying,

5 The Court understands that for the purposes of analytical efficiency a copy of meta data obtained pursuant to the Court’s Orders in this matter will be stored in the same database with data obtained pursuant to other NSA authorities and data provided to NSA from other sources. Access to such records shall be strictly limited in accordance with the procedures set forth in paragraphs A – G.

The footnote would appear in four more orders that year: BR 08-04 4/3/08; BR 08-07 6/26/08; BR 08-08 9/19/08?. Then it disappeared in the December 11, 2008 docket, BR 08-13 12/11/08. It did not appear in any other orders, though starting with the October 29, 2010 docket BR 10-70, a different footnote noted that “NSA will maintain the BR metadata in recovery back-up systems.”

The change almost certainly relates to the federated query system, in which all the data from EO 12333 collection (and, given the reference to “data provided to NSA from other sources,” probably GCHQ collection) was and, at least until 2011, remained accessible from one interface.

The footnote almost certainly does reflect a change in the way NSA handled the data (that is, in this case NSA informed FISC in timely fashion), because by April of that year, 31 “newly trained” NSA analysts were caught querying domestic phone data using 2,373 identifiers without knowing they were doing so, which seems to indicate the “newly trained” analysts just kept querying metadata as they would have using EO 12333 collected data. Though NSA didn’t tell FISC about that until 6 months later. In the interim (in August 2008), NSA also told FISC about how it correlated numbers — which we know works across data sources, not exclusively within the domestic data collection.

In other words, NSA was slowly integrating the phone dragnet in with its larger metadata collection, and informing — perhaps even more slowly — FISC what that meant.

In spite of the disappearance of the footnote in the first orders dealing with the dragnet problems in 2009, the NSA did not segregate the data from the federated interface. That’s clear from a memorandum of understanding NSA issued sometime after March 18, 2009 indicating that access to one metadata repository had been shut down, but four were still accessible:

SIGINT dating back to 1998
[redacted — which could be STELLAR WIND data or could be foreign-supplied data]
BRFISA dating back to May 2006
PR/TT dating back to a redacted date that public records show to be July 2004

Given the previous inclusion of 3,000 US persons in with other queries, it’s possible the newly excluded collection consisted of GCHQ collected data that included significant US person data.

I raise all this to point out one of the inherent dangers with the dragnet. A program that was billed as a simple collection designed to serve FBI needs got integrated within 2 years of inception, creating a great deal of problems, without reconsideration of whether the stated purpose of the dragnet still matched what the by-then clearly different intent was. And this from a program that was supposed to be closely minimized.

Oh by the way, NSA told the FISC, we made an extra copy of the database of all phone-based relationships in the United States. Because it’s more efficient to have two databases.