
Would NSA’s New Big Social Media Data Approach Have Noticed the Arab Spring?

Sometime in 2011, I was on a panel with Democracy Now’s Sharif Kouddous — whose tweeting from Tahrir Square played an important role in keeping the world informed after Hosni Mubarak shut down the Internet. I mentioned that DiFi had been bitching for months because the CIA and other intelligence agencies had missed the Arab Spring.

Who had followed Sharif on Twitter, I asked? (Probably half the rather large room raised their hands.) Because if you had, you knew more about the Arab Spring than the CIA did.

Which is the underlying context to the NBC/Greenwald report that GCHQ collects data from Facebook and YouTube to try to monitor the mood of the world.

The demonstration showed that by using tools including a version of commercially available analytic software called Splunk, GCHQ could extract information from the torrent of electronic data that moves across fiber optic cable and display it graphically on a computer dashboard. The presentation showed that analysts could determine which videos were popular among residents of specific cities, but did not provide information on individual social media users.

The presenters gave an example of their real-time monitoring capability, showing the Americans how they pulled trend information from YouTube, Facebook and blog posts on Feb. 13, 2012, in advance of an anti-government protest in Bahrain the following day.

More than a year prior to the demonstration, in a 2012 annual report, members of Parliament had complained that the U.K.’s intelligence agencies had missed the warning signs of the uprisings that became the Arab Spring of 2011, and had expressed the wish to improve “global” intelligence collection.

During the presentation, according to a note on the documents, the presenters noted for their audience that “Squeaky Dolphin” was not intended for spying on specific people and their internet behavior. The note reads, “Not interested in individuals just broad trends!”

What we’re seeing is how NSA would go about amassing public data to try to learn what the rest of us can read by following Twitter attentively. [see update]

I won’t comment much on the technical ability here (which involves contractors to collect the data), and I’ll only applaud that Facebook has finally been exposed as the perfect surveillance app it is.

But there seem to be several problems with the analysis they’re doing (though MSNBC did not include the script for its PowerPoint). Aside from what seems to be an Orientalism built into the analysis…

[Screenshot]

And some half-assed PsychoLOLogy…

[Screenshot]

Nowhere does this presentation distinguish between the propaganda social media accounts and the legitimate ones — a known problem of social media analysis going back years (which has, because of all the competing parties involved, been particularly acute in Syria). Perhaps they deal with this, but this analysis seems ripe for spamming by propaganda, particularly if it came from frenemies who know GCHQ and NSA use such analysis.

Now, presumably someone somewhere else in the combined Intelligence Communities of the US and UK would actually sit down and read the social media of a potential hotspot, which is the way a bunch of Tweeps in their pajamas can get a sense of what’s going on without collecting all the social media data for an entire country first. Such an approach uses the hive mind you acquire on social media, with the built-in assurances from trusted interlocutors.

After the Arab Spring, the Intelligence Communities of a number of nations got their asses kicked because none of them are well suited to figure out what non-elites are doing. But from the looks of things, they just hired some contractors with bad attitudes to have something to offer up, no matter how dubiously effective.

Update: My statement was inaccurate. They got this data by tapping the cables.

Important: Changes to Section 215 Dragnet Will Not Change Treatment of EO 12333 Metadata

In their Angry Birds stories, both the Guardian and NYT make what I believe is a significant error. They suggest changes in the handling of the Section 215-collected phone metadata will change the way NSA handles EO 12333-collected phone metadata.

Guardian:

Data collected from smartphone apps is subject to the same laws and minimisation procedures as all other NSA activity – procedures which US president Barack Obama suggested may be subject to reform in a speech 10 days ago. But the president focused largely on the NSA’s collection of the metadata from US phone calls and made no mention in his address of the large amounts of data the agency collects from smartphone apps.

NYT:

President Obama announced new restrictions this month to better protect the privacy of ordinary Americans and foreigners from government surveillance, including limits on how the N.S.A. can view “metadata” of Americans’ phone calls — the routing information, time stamps and other data associated with calls. But he did not address the avalanche of information that the intelligence agencies get from leaky apps and other smartphone functions.

Here’s what the President actually said, in part, about phone metadata:

I am therefore ordering a transition that will end the Section 215 bulk metadata program as it currently exists, and establish a mechanism that preserves the capabilities we need without the government holding this bulk meta-data.

That is, Obama was speaking only about NSA’s treatment of Section 215 metadata, not the data — which includes a great amount of US person data — collected under Executive Order 12333.

To be clear, both Guardian and NYT were distinguishing Obama’s promises from the treatment extended to the leaky mobile data app. But they incorrectly suggested that all phone metadata, regardless of how it was collected, receives the same protections.

Section 215 metadata has different and significantly higher protections than EO 12333 phone metadata because of specific minimization procedures imposed by the FISC (arguably, the program doesn’t even meet the minimization procedure requirements mandated by the law). We’ve seen the implications of that, for example, when the NSA responded to being caught watch-listing 3,000 US persons without extending First Amendment protection not by stopping that tracking, but simply cutting off the watch-list’s ability to draw on Section 215 data.

Basically, the way NSA treats data collected under FISC-overseen programs (including both Section 215 and FISA Amendments Act) is to throw the data in with data collected under EO 12333, but add query screens tied to the more strict FISC-regulations governing production under it. This post on federated queries explains how it works in practice. As recently as 2012 at least one analyst improperly searched on US person FAA-collected content because she didn’t hit the right filter on her query screen.

[T]he NSA analyst conducted a federated query using a known United States person identifier, but forgot to filter out Section 702-acquired data while conducting the federated query.

That’s it. If the data is accessed via one of the FISC-overseen programs, US persons benefit from the additional subject matter, dissemination, and First Amendment protections of those laws or FISC’s implementation of them (and would benefit from the minor changes Obama has promised to both Section 215 and FAA).

But if NSA collected the data via one of its EO 12333 programs, it does not get those protections. To be clear, it does get some dissemination protection and can only be accessed with a foreign intelligence purpose, but that is much less than what the FISC programs get. Which leaves the NSA a fair amount of leeway to spy on US persons, so long as it hasn’t collected the data to do so under the programs overseen by FISC. And when it collects data under EO 12333, it is a lot easier for the NSA to spy on Americans.

The metadata from leaky mobile apps almost certainly comes from EO 12333 collection, not least given the role of GCHQ and CSEC (Canada’s Five Eyes’ partner) in the collection. The Facebook and YouTube data GCHQ collects (just reported by Glenn Greenwald working with NBC) surely counts as EO 12333 collection.

NSA’s spokeswoman will say over and over that “everyday” or “ordinary” Americans don’t have to worry about their favorite software being sucked up by NSA. But to the extent that collection happens under EO 12333, they have relatively little protection.

Side by Side: Timeline of NSA’s Communications Collection and Cyber Attacks

In all the reporting and subsequent hubbub about the National Security Administration’s ongoing collection of communications, two things stood out as worthy of additional attention:

— Collection may have been focused on corporate metadata;

— Timing of NSA’s access to communications/software/social media firms occurred alongside major cyber assault events, particularly the release of Stuxnet, Flame, and Duqu.

Let’s compare timelines; keep in mind these are not complete.

| Date | NSA/Business | Cyber Attacks |
|---|---|---|
| 11-SEP-2007 | Access to MSFT servers acquired | |
| 15-NOV-2007 | | Stuxnet 0.5 discovered in wild |
| XX-DEC-2007 | | File name of Flame’s main component observed |
| 12-MAR-2008 | Access to Yahoo servers acquired | |
| All 2008 (into 2009) | | Adobe applications suffer from 6+ challenges throughout the year, including attacks on Tibetan Government in Exile via Adobe products. |
| 11-JAN-2009 | | Stuxnet 0.5 “ends” calls home |
| 14-JAN-2009 | Access to Google servers acquired | |
| Mid-2009 | | Operation Aurora attacks begin; dozens of large corporations confirming they were targets. |
| 03-JUN-2009 | Access to Facebook servers acquired | |
| 22-JUN-2009 | | Date Stuxnet version 1.001 compiled |
| 04-JUL-2009 | | Stuxnet 0.5 terminates infection process |
| 07-DEC-2009 | Access to PalTalk servers acquired | |
| XX-DEC-2009 | | Operation Aurora attacks continue through Dec 2009 |
| 12-JAN-2010 | | Google discloses existence of Operation Aurora, said attacks began in mid-December 2009 |
| 13-JAN-2010 | | Iranian physicist killed by motorcycle bomb |
| XX-FEB-2010 | | Flame operating in wild |
| 10-MAR-2010 | | Date Stuxnet version 1.100 compiled |
| 14-APR-2010 | | Date Stuxnet version 1.101 compiled |
| 15-JUL-2010 | | Langner first heard about Stuxnet |
| 19-SEP-2010 | | DHS, INL, US congressperson informed about threat posed by “Stuxnet-inspired malware” |
| 24-SEP-2010 | Access to YouTube servers acquired | |
| 29-NOV-2010 | | Iranian scientist killed by car bomb |
| 06-FEB-2011 | Access to Skype servers acquired | |
| 07-FEB-2011 | AOL announces agreement to buy HuffingtonPost | |
| 31-MAR-2011 | Access to AOL servers acquired | |
| 01-SEP-2011 | | Duqu worm discovered |
| XX-MAY-2012 | | Flame identified |
| 08-JUN-2012 | | Date on/about “suicide” command issued to Flame-infected machines |
| 24-JUN-2012 | | Stuxnet versions 1.X terminate infection processes |
| XX-OCT-2012 | Access to Apple servers acquired (date NA) | |

Again, this is not everything that could be added about Stuxnet, Flame, and Duqu, nor is it everything related to the NSA’s communications collection processes. Feel free to share in comments any observations or additional data points that might be of interest.

Please also note the two deaths in 2010; Stuxnet and its sibling applications were not the only efforts made to halt nuclear proliferation in Iran. These two events cast a different light on the surrounding cyber attacks.

Lastly, file this under “dog not barking”:

Why aren’t any large corporations making a substantive case to their customers that they are offended by the NSA’s breach of their private communications through their communications providers?

Political Giving and Willingness to Cave to Law Enforcement

When Jason Leopold linked to a WSJ report titled, “Obama breaks bread with Silicon Valley execs,” I quipped, “otherwise known as, Obama breaks bread w/our partners in domestic surveillance.” After all, some of the companies represented–Google, Facebook, Yahoo–are among those that have been willingly sharing customer data with federal law enforcement officials.

Which is why I found this Sunlight report listing lobbying and political donations of the companies so interesting.

| Organization | Lobbying (2010) | Contributions to Obama (2008) |
|---|---|---|
| Apple | $1,610,000.00 | $92,141.00 |
| Google | $5,160,000.00 | $803,436.00 |
| Facebook | $351,390.00 | $34,850.00 |
| Yahoo | $2,230,000.00 | $164,051.00 |
| Cisco Systems | $2,010,000.00 | $187,472.00 |
| Twitter | $0.00 | $750.00 |
| Oracle | $4,850,000.00 | $243,194.00 |
| NetFlix | $130,000.00 | $19,485.00 |
| Stanford University | $370,000.00 | $448,720.00 |
| Genentech | $4,922,368.00 | $97,761.00 |
| Westly Group | $0.00 | $0.00 |

Just one of the companies represented at the meeting, after all, has recently challenged the government’s order in its pursuit of WikiLeaks to turn over years of data on its users: Twitter. And the difference between Twitter’s giving and the others’ is stark.

Does Twitter have the independence to challenge the government WikiLeaks order because it hasn’t asked or owed anyone anything, politically?

Mind you, there’s probably an interim relationship in play here, as well. Those companies that invest a lot in politics also have issues–often regulatory, but sometimes even their own legal exposure–that they believe warrant big political investments. Which in turn gives the government some issue with which to bargain.

Maybe this is all a coinkydink. And maybe having broken bread with Obama, Twitter will cave on further government orders.

But I do wonder whether there’s a correlation between those telecommunication companies that try to buy political favors and those that offer federal law enforcement favors in return.

Our Diplomats Need to Spend More Time Surfing the Toobz!

As I noted in my last post, DiFi is accusing the intelligence community of having missed the potential volatility of Middle Eastern unrest because they’ve been paying too little attention to social media.

So I decided to check the WikiLeaks State cables to see whether DiFi’s complaint bears out.

Obviously, this is a totally insufficient test. Not only is State not the primary member of the intelligence community that should be tracking these things, we have no idea how representative the cables are of all State communication. (Though there are obviously intelligence community members working under official cover at the Embassy, and one would hope a good deal of our specialists on any particular country’s dialects are stationed in that country.) Nevertheless, it gives an idea of how attentively our Embassies track opposition viewpoints expressed in social media, and how they view social media as a source of information.

And DiFi may well be right.

There are just 14 WikiLeaks cables in this database mentioning both Egypt and bloggers (out of 325 that mention Egypt) but just one–dated March 30, 2009–that talks in detail about the actual content of blogs rather than Mubarak’s persecution of them as a human rights issue. (This cable notes that bloggers and other journalists cover torture complaints and a few others refer to specific types of bloggers being persecuted.) The March 30 cable assesses,

KEY POINTS

— (C) Egypt’s bloggers are playing an increasingly important role in broadening the scope of acceptable political and social discourse, and self-expression.

— (C) Bloggers’ discussions of sensitive issues, such as sexual harassment, sectarian tension and the military, represent a significant change from five years ago, and have influenced society and the media.

— (C) The role of bloggers as a cohesive activist movement has largely disappeared, due to a more restrictive political climate, GOE counter-measures, and tensions among bloggers.

— (C) However, individual bloggers have continued to work to expose problems such as police brutality and corporate malfeasance.

[snip]

(C) Egypt has an estimated 160,000 bloggers who write in Arabic, and sometimes in English, about a wide variety of topics, from social life to politics to literature. One can view posts ranging from videos of alleged police brutality (ref B), to comments about the GOE’s foreign policy, to complaints about separate lines for men and women in government offices distributing drivers’ licenses. One NGO contact estimated for us that a solid majority of bloggers are between 20 and 35 years old, and that about 30 percent of blogs focus on politics. Blogs have spread throughout the population to become vehicles for a wide range of activists, students, journalists and ordinary citizens to express their views on almost any issue they choose. As such, the blogs have significantly broadened the range of topics that Egyptians are able to discuss publicly.

It’s not clear whether anyone at the Embassy made an independent assessment of the blogs themselves; the cable is heavily reliant on the viewpoints of at least three different sources, as well as the comments of “two young upper middle-class bloggers” and one female political blogger not identified demographically.

Meanwhile, just 5 cables mention both Facebook and Egypt (two cables appear in both searches). Two of these cables simply count the growing number of Mohamed el Baradei Facebook fans. One of them–an April 16, 2008 cable titled, “Mahalla Riots: Isolated Incident or Tip of an Iceberg?” and reviewing the April 6, 2008 events–probably should have alerted US authorities to track Facebook more closely.

(C) April 6 brought together disparate opposition forces together with numerous non-activist Egyptians, with the Facebook calls for a strike attracting 70,000 people on-line, and garnering widespread national attention. The nexus of the upper and middle-class Facebook users, and their poorer counterparts in the factories of Mahalla, created a new dynamic. One senior insider mused, “Who could have imagined that a few kids on the internet could foment a buzz that the entire country noticed? I wish we could do that in the National Democratic Party.”

Though the reference to the “senior insider” complaining that Egypt’s NDP couldn’t foment as much buzz as “a few kids on the internet” suggests the assessment of the importance of Facebook to the movement may have come from Egyptians, not from any analysis conducted in the Embassy itself.

Just as tellingly, most of the 7 cables on Egypt and April 6 are among those that discuss social media (that is, State knew or should have known that social media was an important tool for the April 6 movement).

Meanwhile, it’s even worse for Tunisia. Just one cable (out of 81) mentions Tunisia and either blogger or Facebook–and that’s a report on the Embassy’s own use of Facebook!

At least in the case of Egypt, the Embassy had both warning that Mubarak’s government considers bloggers enough of a threat to persecute, as well as some sense that social media has served an organizing function.

Yet even with that warning, Embassy staffers don’t appear to have spent much time learning from social media.

Letter from Nigeria Goldman

FROM: Mr. Lloyd Blankfein

200 West Street

New York, New York

202-555-MOTU

TO: CEO

Chump City, ForeignLand

Dear Sir:

I have been requested by the Facebook Company to contact you for assistance in resolving a matter. The Facebook Company has recently concluded new agreements to share its users’ identities. The contracts have immediately produced moneys equaling US$50,000,000,000. The Facebook Company is desirous of harvesting user identities in other parts of the world, however, because of certain regulations of the Securities and Exchange Commission, it is unable to move these funds to another region.

You assistance is requested as a non-American citizen to assist the Facebook Company, and also the Goldman Sachs, in moving these funds out of America. If the funds can be transferred to your name, in your non-United States account, then you can forward the funds as directed by the Facebook Company. In exchange for your accommodating services, the Facebook Company would agree to allow you to retain 10%, or US$5 billion of this amount.

However, to be a legitimate transferee of these moneys according to American law, you must presently be a depositor of at least US$1,000,000 in a Special Purpose Vehicle which is regulated by the Goldman Sachs.

If it will be possible for you to assist us, we would be most grateful. We suggest that you meet with us in person in Chump City, and that during your visit I introduce you to the representatives of the Facebook Company, as well as with certain officials of the Goldman Sachs.

Please call me at your earliest convenience at 202-555-MOTU. Time is of the essence in this matter; very quickly the Securities and Exchange Commission will realize that the Goldman Sachs is maintaining this amount on deposit, and attempt to levy certain depository taxes on it.

Yours truly,

Lloyd Blankfein