Posts

A Guide to the 5+ Known Intelligence Community Telecommunications Metadata Dragnets

I’ve been laying this explanation out since USA Today provided new details on DEA’s International Dragnet, but it’s clear it needs to be done in more systematic fashion, because really smart people continue to mistakenly treat the Section 215 database as the analogue to the DEA dragnet described by USAT, which it’s not. There are at least five known telecommunications dragnets (some of which appear to integrate other kinds of metadata, especially Internet metadata). Here’s a quick guide to what is known about each (click to enlarge, let me know of corrections/additions, I will do running updates to make this more useful):

150410 Dragnets

NSA, International

When people think about the NSA dragnet they mistakenly think exclusively of Section 215. That is probably the result of a deliberate strategy from the government, but it leads to gross misunderstanding on many levels. As Richard Clarke said in Congressional testimony last year, Section “215 produces a small percentage of the overall data that’s collected.”

Like DEA, NSA has a dragnet of international phone calls, including calls into the United States. This is presumably limited only by technical capability, meaning the only thing excluded from this dragnet are calls NSA either doesn’t want or that it can’t get overseas (and note, some domestic cell phone data may be available offshore because of roaming requirements). David Kris has said that what collection of this comes from domestic providers comes under 18 U.S.C. § 2511(2)(f). And this dragnet is not just calls: it is also a whole slew of Internet data (because of the structure of the Internet, this will include a great deal of US person data). And it surely includes a lot of other data points, almost certainly including location data. Analysts can probably access Five Eyes and other intelligence partner data, though this likely includes additional restrictions.

There are, within this dragnet, two sets of procedures for accessing it. There is straight EO 12333, which appears to defeat US person data (so if you’re contact chaining and a known US person is included in the chain, you won’t see it). This collection requires only a foreign intelligence purpose (which counternarcotics is explicitly included in). Standard NSA minimization procedures apply, which — given that this is not supposed to include US person data — are very permissive.

Starting in 2008 (and probably before 2004, at least as part of Stellar Wind), specially-trained analysts are also permitted to include US persons in the contact chaining they do on EO 12333 data, under an authority call “SPCMA” for “special procedures.” They can’t target Americans, but they can analyze and share US person data (and NSA has coached analysts how to target a foreign entity to get to the underlying US data). This would be treated under NSA’s minimization procedures, meaning US person data may get masked unless there’s a need for it. Very importantly, this chaining is not and never was limited to counterterrorism purposes — it only requires a foreign intelligence purpose. Particularly because so much metadata on Americans is available overseas, this means NSA can do a great deal of analysis on Americans without any suspicion of criminal ties.

Both of these authorities appear to link right into other automatic functions, including things like matching identities (such that it would track “emptywheel” across all the places I use that as my uniquename) and linking directly up to content, if it has been collected.

NSA, Domestic

Screen Shot 2014-02-16 at 10.42.09 PM Then there is the Section 215 dragnet, which prior to 2006 was conducted with telecoms voluntarily producing data but got moved to Section 215 thereafter; there is a still-active Jack Goldsmith OLC opinion that says the government does not need any additional statutory authorization for the dragnet (though telecoms aside from AT&T would likely be reluctant to do so now without liability protection and compensation).

Until 2009, the distinctions between NSA’s EO 12333 data and Section 215 were not maintained. Indeed, in early 2008 “for purposes of analytical efficiency,” the Section 215 data got dumped in with the EO 12333 data and it appears the government didn’t even track data source (which FISC made them start doing by tagging each discrete piece of data in 2009), and so couldn’t apply the Section 215 rules as required.  Thus, until 2009, the Section 215 data was subjected to the automatic analysis the EO 12333 still is. That was shut down in 2009, though the government kept trying to find a way to resume such automatic analysis. It never succeeded and finally gave up last year, literally on the day the Administration announced its decision to move the data to the telecoms.

The Section 215 phone dragnet can only be used for counterterrorism purposes and any data that gets disseminated outside of those cleared for BRFISA (as the authority is called inside NSA) must be certified as to that CT purpose. US person identifiers targeted in the dragnet must first be reviewed to ensure they’re not targeted exclusively for First Amendment reasons. Since last year, FISC has pre-approved all identifiers used for chaining except under emergencies. Though note: Most US persons approved for FISA content warrants are automatically approved for Section 215 chaining (I believe this is done to facilitate the analysis of the content being collected).

Two very important and almost universally overlooked points. First, analysts access (or accessed, at least until 2011) BRFISA data from the very same computer interface as they do EO 12333 data (see above, which would have dated prior to the end of 2011). Before a chaining session, they just enter what data repositories they want access to and are approved for, and their analysis will pull from all those repositories. Chaining off data from more than one repository is called a “federated” query. And the contact chaining they got — at least as recently as 2011, anyway — also included data from both EO 12333 collection and Section 215 collection, both mixed in together. Importantly, data with one-end in foreign will be redundant, collected under both EO 12333 and 215. Indeed, a training program from 2011 trained analysts to re-run BRFISA queries that could be replicated under EO 12333 so they could be shared more permissively. That said, a footnote (see footnote 13) in phone dragnet orders that has mostly remained redacted appears to impose the BRFISA handling rules on any data comingled with it, so this may limit (or have imposed new more recent limits) on contact chaining between authorities.

As I noted, NSA shut down the automatic features on BRFISA data in 2009. But once data comes back in a query, it can be subjected to NSA’s “full range of analytical tradecraft,” as every phone dragnet order explains. Thus, while the majority of Americans who don’t come up in a query don’t get subjected to more intrusive analysis, if you’re 3 hops (now 2) from someone of interest, you can be — everything, indefinitely. I would expect that to include trolling all of NSA’s collected data to see if any of your other identifiable data comes up in interesting ways. That’s a ton of innocent people who get sucked into NSA’s maw and will continue to even after/if the phone dragnet moves to the providers.

DEA, International

As I said, the analogue to the program described by the USA Today, dubbed USTO, is not the Section 215 database, but instead the EO 12333 database (indeed, USAT describes that DEA included entirely foreign metadata in their database as well). The data in this program provided by domestic providers came under 21 USC 876 — basically the drug war equivalent of the Section 215 “tangible things” provision. An DEA declaration in the Shantia Hassanshahi case claims it only provides base metadata, but it doesn’t specify whether that includes or excludes location.  As USAT describes (and would have to be the case for Hassanshahi to be busted for sanctions violations using it, not to mention FBI’s success at stalling of DOJ IG’s investigation into it), this database came to be used for other than counternarcotics purposes (note, this should have implications for EO 12333, which I’ll get back to). And, as USAT also described, like the NSA dragnet, the USTO also linked right into automatic analysis (and, I’m willing to bet good money, tracked multiple types of metadata). As USAT describes, DEA did far more queries of this database than of the Section 215 dragnet, but that’s not analogous; the proper comparison would be with NSA’s 12333 dragnet, and I would bet the numbers are at least comparable (if you can even count these automated chaining processes anymore). DEA says this database got shut down in 2013 and claims the data was purged. DEA also likely would like to sell you the Brooklyn Bridge real cheap.

DEA, Domestic

There’s also a domestic drug-specific dragnet, Hemisphere, that was first exposed by a NYT article. This is not actually a DEA database at all. Rather, it is a program under the drug czar that makes enhanced telecom data available for drug purposes, while the records appear to stay with the telecom.

This seems to have been evolving since 2007 (which may mark when telecoms stopped turning over domestic call records for a range of purposes).  At one point, it pulled off multiple providers’ networks, but more recently it has pulled only off AT&T’s networks (which I suspect is increasingly what has happened with the Section 215 phone dragnet).

But the very important feature of Hemisphere — particularly as compared to its analogue, the Section 215 dragnet — is that the telecoms perform the same kind of analysis they would do for their own purposes. This includes using location data and matching burner phones (though this is surely one of the automated functions included in NSA’s EO 12333 dragnet and DEA’s USTO). Thus, by keeping the data at the telecoms, the government appears to be able to do more sophisticated kinds of analysis on domestic data, even if it does so by accessing fewer records.

That is surely the instructive motivation behind Obama’s decision to “let” NSA move data back to the telecoms. It’d like to achieve what it can under Hemisphere, but with data from all telecom providers rather than just AT&T.

CIA

At least as the NSA documents concerning ICREACH tell it, CIA and DEA jointly developed a sharing platform called PROTON that surely overlaps with USTO in significant ways. But PROTON appeared to reside with CIA (and FBI and NSA were late additions to the PROTON sharing). PROTON included CIA specific metadata (that is, not telecommunications metadata but rather metadata tracking their own HUMINT).  But in 2006 (these things all started to change around that time), NSA made a bid to become the premiere partner here with ICREACH, supporting more types of metadata and sharing it with international partners.

So we don’t know what CIA’s own dragnet looks like, just that it has one, one not bound to just telecommunications.

In addition, CIA has a foreign intelligence equivalent of Hemisphere, where it pays AT&T to “voluntarily” hand over data that is at least one-end foreign (and masks the US side unless the record gets referred to FBI).

Finally, CIA can “upload or transfer some or all” of the metadata that it pulls off of raw PRISM data received under 702 into its other databases. While this has to be targeted off a foreign target, that surely includes a lot of US person data, and metadata including Internet based calls, photos, as well as emails. CIA does a lot of metadata queries for other entities (other IC agencies? foreign partners? who knows!), and they don’t count it, so they are clearly doing a lot of it.

FBI

As far as we know, FBI does not have a true “bulk” dragnet, sucking up all the phone or Internet records for the US or foreign switches. But it surely has fairly massive metadata repositories itself.

Until 2006, it did, however, have something almost identical to what we understand Hemisphere to be, all the major telecoms, sitting onsite, ready to do sophisticated analysis of numbers offered up on a post-it note, with legal process to follow (maybe) if anything nifty got turned over. Under this program, AT&T offered some bells and whistles, included “communities of interest” that included at least one hop. That all started to get moved offsite in 2006, when DOJ’s IG pointed out that it didn’t comply with the law, but all the telecoms originally contracted (AT&T and the companies that now comprise Verizon, at least), remained on contract to provide those services albeit offsite for a few years. In 2009, one of the telecoms (which is likely part or all of Verizon) pulled out, meaning it no longer has a contract to provide records in response to NSLs and other process in the form the FBI pays it to.

FBI also would have a database of the records it has collected using NSLs and subpoenas (I’ll go look up the name shortly), going back decades. Plus, FBI, like CIA, can “upload or transfer some or all” of the metadata that it pulls off of raw PRISM data received under 702. So FBI has its own bulky database, but all of the data in it should have come in in relatively intentional if not targeted fashion. What FBI does have should date back much longer than NSA’s Section 215 database (30 years for national security data) and, under the new Section 309 restrictions on EO 12333 data, even NSA’s larger dragnet. On top of that, AT&T still provides 7 bells and whistles that are secret and that go beyond a plain language definition of what they should turn over in response to an NSL under ECPA (which probably parallel what we see going on in Hemisphere). In its Section 215 report, PCLOB was quite clear that FBI almost always got the information that could have come out of the Section 215 dragnet via NSLs and its other authorities, so it seems to be doing quite well obtaining what it needs without collecting all the data everywhere, though there are abundant reasons to worry that the control functions in FBI’s bulky databases are craptastic compared to what NSA must follow.

“Information Is No Longer Being Collected in Bulk [Pursuant to 21 U.S.C. § 876]”

Given the details in yesterday’s USAT story on DEA’s dragnet, I wanted to re-examine the DEA declaration revealing details of the phone dragnet in the Shantia Hassanshahi case which I wrote about here. As I noted then, there’s a footnote modifying the claim that the database in question “was suspended in September 2013” that is entirely redacted. And the declaration only states that “information is no longer being collected in bulk pursuant to 21 U.S.C. §876,” not that it is no longer being collected.

According to the USAT, DEA moved this collection to more targeted subpoenas that may number in the thousands.

The DEA asked the Justice Department to restart the surveillance program in December 2013. It withdrew that request when agents came up with a new solution. Every day, the agency assembles a list of the telephone numbers its agents suspect may be tied to drug trafficking. Each day, it sends electronic subpoenas — sometimes listing more than a thousand numbers — to telephone companies seeking logs of international telephone calls linked to those numbers, two official familiar with the program said.

The data collection that results is more targeted but slower and more expensive. Agents said it takes a day or more to pull together communication profiles that used to take minutes.

We should expect this move occurred either in the second half of 2013 (after the dragnet first got shut down) or the first half of 2014 (after DEA backed off its request to restart the draget). And we should expect these numbers to show in the telecoms transparency reports.

But they don’t — or don’t appear to.

Both AT&T and Verizon reported their 2013 numbers for the entire year. They both broke out their 2014 numbers semiannually. (Verizon; AT&T 2013AT&T 2014; h/t Matt Cagle, who first got me looking at these numbers)

Here are the numbers for all subpoenas (see correction below):

Screen Shot 2015-04-08 at 1.50.32 PM

Both companies show a decrease in overall criminal subpoenas from 2013 to 2014. And while Verizon shows a continued decline, AT&T’s subpoena numbers went back up in the second half of 2014, but still lower than half of 2013’s numbers.

In any case, both companies report at least 15% fewer subpoenas in 2014, at a time when — according to what USAT got told — they should have been getting thousands of extra subpoenas a day.

It is possible what we’re seeing is just the decreased utility of phone records. As the USAT notes, criminals are increasingly using messaging platforms that use the Internet rather than telecoms.

But it’s possible the DEA’s dragnet went somewhere else entirely.

Though USAT doesn’t mention it (comparing instead with the Section 215 dragnet, which is not a comparable program because it, like Hemisphere as far as we know, focuses solely on domestic records), the NSA has an even bigger phone and Internet dragnet that collects on drug targets. Indeed, President Obama included “transnational criminal threats” among the uses permitted for data collected in bulk under PPD-28, which he issued January 17, 2014. So literally weeks after DEA supposedly moved to subpoena-based collection in December 2013, the President reiterated support for using NSA (or, indeed, any part of the Intelligence Community) bulk collections to pursue transnational crime, of which drug cartels are the most threatening.

There is no technical reason to need to collect this data in the US. Indeed, given the value of location data, the government is better off collecting it overseas to avoid coverage under US v. Jones. Moreover, as absolutely crummy as DOJ is about disclosing these kinds of subpoenas, it has disclosed them, whereas it continues to refuse to disclose any collection under EO 12333.

Perhaps it is the case that DEA really replaced its dragnet with targeted collection. Or perhaps it simply moved it under a new shell, EO 12333 collection, where it will remain better hidden.

Update: I realized I had used criminal subpoenas for AT&T, but not for Verizon (which doesn’t break out criminal and civil). Moreover, it’s not clear whether the telecoms would consider these criminal or civil subpoenas.

I also realized one other possible explanation why these don’t show up in the numbers. USAT reports that DEA uses subpoenas including thousands of numbers, whereas they used to use a subpoena to get all the records. That is, the telecoms may count each of these subpoenas as just one subpoena, regardless of whether it obtains 200 million or 1,000 numbers. Which would have truly horrifying implications for “Transparency.”

Update: There would be limitations to relying on the NSA’s database (though DEA could create its own for countries of particular interest). First, DEA could not search for US person identifiers without Attorney General approval (though under SPMCA, it could conduct chaining it knew to include US persons). Also, as of August 2014, at least, NSA wasn’t sharing raw EO 12333 data with other agencies, per this Charlie Savage story.

The N.S.A. is also permitted to search the 12333 storehouse using keywords likely to bring up Americans’ messages. Such searches must have “foreign intelligence” purposes, so analysts cannot hunt for ordinary criminal activity.

For now, the N.S.A. does not share raw 12333 intercepts with other agencies, like the F.B.I. or the C.I.A., to search for their own purposes. But the administration is drafting new internal guidelines that could permit such sharing, officials said.

That said, it’s clear that NSA shares metadata under ICREACH with other agencies, explicitly including DEA.

ICREACH and EO 12333

Because I need a hobby, I’m knee deep in tracking how EO 12333 got changed in 2008. Part of the impetus came from Congress, some members of which were furious that OLC had given the President authority to pixie dust EO 12333 in secret.

But the bigger impetus came from the Intelligence Community.

That’s why this document — an NSA OGC memo on the sharing of raw SIGINT through database access released as part of ACLU’s FOIA for EO 12333 documents — is so interesting.

It captures a July 12, 2007 discussion about whether or not NSA could share its data with other agencies by making it available in databases.

You have asked us to conduct a legal review in order to set out the limits — and the rationale associated with the limits — on allowing personnel from other agencies access to NSA databases under the existing rules governing such access, and the advisability of changes to the Executive Order that would allow other agencies access to SIGINT databases.

While the memo adopts a cautious approach, recommending “case-by-case” access to SIGINT, it does embrace making SIGINT available by bringing Intelligence Committee partners into the production cycle (CIA and FBI both have people stationed at NSA), and finding ways to expand access to both phone and Internet metadata.

There are substantial and well-grounded legal limits on NSA’s ability to provide its partners and customers with access to raw SIGINT databases, both those that contain content and those that contain only metadata. Within those limits, NSA has lawfully expanded that access in two ways: with respect to content, we have expanded access by bringing IC partners within the SIGINT production chain in carefully defined circumstances. With respect to metadata, we have aggressively pushed telephony metadata to IC partners, and have plans in place to increase dramatically both the types and the completeness of the metadata we share.

Remember the timing of this: Read more

ICREACH and FBI’s PRTT Program

I’ll have a more substantive post about what we learn about NSA’s broader dragnet from the Intercept’s ICREACH story.

But for the moment I want to reiterate a point I made the other day. ICREACH is important not just because it makes NSA data available to CIA and FBI. But also because it makes CIA and FBI data available for the metadata analysis the NSA conducts.

The documents describe that to include things like clandestine intelligence and flight information.

But there’s one other program that ought to be of particular concern with regards to NSA’s programs. As I laid out here, FBI had a Pen Register/Trap and Trace “program” that shared information with the NSA at least until February 2012, several months after NSA had ended its PRTT Internet dragnet program.

The secrecy behind the FBI’s PRTT orders on behalf of NSA

PRTT1

Finally, there’s a series of entries on the classification guide for FISA programs leaked by Edward Snowden.

These entries show that FBI obtained counterterrorism information using PRTTs for NSA — which was considered Secret.

But that the FBI PR/TT program – which seems different than these individual orders — was considered TS/SI/NOFORN.

PRTT2

If you compare these entries with the rest of the classification guide, you see that this information — the fact that NSA gets PRTT information from FBI (in addition to information from Pen Registers, which seems to be treated differently at the Secret level)  – is treated with the same degree of secrecy as the actual targeting information or raw collected data on all other programs.

This is considered one of the most sensitive secrets in the whole FISA package.

PRTT3

Even minimized PRTT data is considered TS/SCI.

PRTT4

Now, it is true that this establishes an exact parallel with the BR FISA program (which the classification guide makes clear NSA obtained directly). So it may be attributable to the fact that the existence of the programs themselves was considered a highly sensitive secret.

So maybe that’s it. Maybe this just reflects paranoia about the way NSA was secretly relying on the PATRIOT Act to conduct massive dragnet programs.

Except there’s the date.

This classification guide was updated on February 7, 2012 — over a month after NSA shut down the PRTT program. Also, over a month after — according to Theresa Shea — the NSA destroyed all the data it had obtained under PRTT. (Note, her language seems to make clear that this was the NSA’s program, not the FBI’s.)

That is, over a month after the NSA ended its PRTT program and destroyed the data from it (at least according to sworn declarations before a court), the NSA’s classification guide referred to an FBI PRTT program that it considered one of its most sensitive secrets. And seemed to consider active.

I have no idea what this program entailed — and no one else has even picked up on this detail. It’s possible NSA’s Internet dragnet just moved under the FBI’s control. It’s possible (this is my current operative wildarseguess) that FBI’s PRTT program collects location data; the Bureau uses PRTT orders to get individualized location data, after all.

Whatever it is, though, the existence of ICREACH would make that data available to NSA in a form it could use to include it in contact chaining of metadata (which may be why it figures so prominently in NSA’s classification guide). And note: FBI’s minimization procedures are far more lenient than NSA’s, so whatever this data is, NSA may be able to do more with it given that FBI collected it.

And as with a number of other things, even the Pat Leahy version of USA Freedom would weaken protections for PRTT data.

SPCMA and ICREACH

Within weeks of Michael Mukasey’s confirmation as Attorney General in November 2007, Assistant Attorney General Ken Wainstein started pitching him to weaken protections then in place for US person metadata collected overseas; Mukasey did so, under an authority that would come to be known as SPCMA, on January 3, 2008.

In 2007, Wainstein explained the need to start including US person data in its metadata analysis, in part, because CIA wanted to get to the data — and had been trying to get to it since 2004.

(3) The Central Intelligence Agency’s (CIA) Interest in Conducting Similar Communications Metadata Analysis. On July 20, 2004 [days after CIA had helped NSA get the PRTT dragnet approved], the General Counsel of CIA wrote to the General Counsel ofNSA and to the Counsel for Intelligence Policy asking that CIA receive from NSA United States communications metadata that NSA does not currently provide to CIA. The letter from CIA is attached at Tab C. Although the proposed Supplemental Procedures do not directly address the CIA’s request, they do resolve a significant legal obstacle to the dissemination of this metadata from NSA to CIA. (S//SII/NF)

Wainstein also noted other DOD entities might access the information.

That’s important background to the Intercept’s latest on ICREACH, data sharing middleware that permits other intelligence agencies to access NSA’s metadata directly — and probably goes some way to answer Jennifer Granick’s questions about the story.

As the documents released by the Intercept make clear, ICREACH arose out of an effort to solve a data sharing effort (though I suspect it is partly an effort to return to access available under Bush’s illegal program, in addition to expanding it). A CIA platform, PROTON, had been the common platform for information sharing in the IC. NSA was already providing 30% of the data, but could not provide some of the types of data it had (such as email metadata) and could not adequately protect some of it. Nevertheless, CIA was making repeated requests for more data. So starting in 2005, NSA  proposed ICREACH, a middleware platform that would provide access to both other IC Agencies as well as 2nd parties (Five Eyes members). By June 2007, NSA was piloting the program.

Right in that same time period, NSA’s Acting General Counsel Vito Potenza, Acting OLC head Steven Bradbury, and Wainstein started changing the rules on contact chaining including US person metadata. They did so through some word games that gave the data a legal virgin birth as stored data that was therefore exempt from DOD’s existing rules defining the interception or selection of a communication.

For purposes of Procedure 5 of DoD Regulation 5240.1-R and the Classified Annex thereto, contact chaining and other metadata analysis don’t qualify as the “interception” or “selection” of communications, nor do they qualify as “us[ing] a selection term,” including using a selection term “intended to intercept a communication on the basis of … [some] aspect of the content of the communication.”

See this post for more on this amazing legal virgin birth.

Significantly, they would define metadata the same way ICREACH did (page 4), deeming certain login information to be metadata rather than content.

“Metadata” also means (1) information about the Internet-protocol (IP) address of the computer from which an e-mail or other electronic communication was sent and, depending on the circumstances, the IP address of routers and servers on the Internet that have handled the communication during transmission; (2) the exchange of an IP address and e-mail address that occurs when a user logs into a web-based e-mail service; and (3) for certain logins to web-based e-mail accounts, inbox metadata that is transmitted to the user upon accessing the account.

It would take several years to roll out SPCMA (remember, that’s the authority to chain on US person data, as distinct from the sharing platform); a pilot started in NSA’s biggest analytical unit in 2009. When it did, NSA made it clear that personnel could access this data to conduct analysis, but that existing dissemination rules remained the same (which is consistent with the 2006-2008 proposed activity).

Additionally, the analyst must remain cognizant of minimization procedures associated with retention and dissemination of US person information. SPCMA covers analytic procedures and does not affect existing procedures for collection, retention or dissemination of US person information. [emphasis original]

Accessing data in a database to do analysis, NSA appears to have argued, was different than disseminating it (which is a really convenient stance when you’re giving access to other agencies and trying to hide the use of such analysis).

Of course, the pitch to Mukasey only nodded to direct access to this data by CIA (and through them and PROTON, the rest of the IC) and other parts of DOD. In what we’ve seen in yesterday’s documents from the Intercept and earlier documents on SPCMA, NSA wasn’t highlighting that CIA would also get direct access to this data under the new SPCMA authority, and therefore the data would be disseminated via analysis outside the NSA. (Note, I don’t think SPCMA data is the only place NSA uses this gimmick, and as I suggested I think it dates back at least to the illegal dragnet.)

In response to yesterday’s Intercept story, Jennifer Granick suggested that by defining this metadata as something other than communication, it allows the NSA to bypass its minimization procedures.

The same is true of the USSID18 procedures. If the IC excludes unshared stored data and other user information from the definition of communications, no minimization rules at all apply to protect American privacy with regard to metadata NSA collects, either under 12333 or section 702.

[snip]

NSA may nevertheless call this “minimized”, in that the minimization rules, which require nothing to be done, have been applied to the data in question. But the data would not be “minimized” in that it would not be redacted, withheld, or deleted. 

Given what we’ve seen in SPCMA — the authority permitting the analysis of expansively defined metadata to include US person data — she’s partly right — that the NSA has defined this metadata as something other than communication “selection” — but partly missing one of NSA’s gimmicks — that NSA distinguishes “analysis” from “dissemination.”

And if a bunch of agencies can access this data directly, then it sort of makes the word “dissemination” meaningless.  Read more

ICREACH and the 2009 Phone Violations

The Intercept has an article on ICREACH, the middleware NSA implemented between 2005 and 2007 to permit greater sharing of metadata with its IC partners. The article makes this claim.

ICREACH does not appear to have a direct relationship to the large NSA database, previously reported by The Guardian, that stores information on millions of ordinary Americans’ phone calls under Section 215 of the Patriot Act. Unlike the 215 database, which is accessible to a small number of NSA employees and can be searched only in terrorism-related investigations, ICREACH grants access to a vast pool of data that can be mined by analysts from across the intelligence community for “foreign intelligence”—a vague term that is far broader than counterterrorism.

I’m fairly certain that is inaccurate.

As I reported on February 6 (at a time when I technically had been hired by the Intercept but not to “report” for them), the circa January 4, 2008 phone dragnet primary order for the first time revealed that the 215 data had been combined with other data “for the purposes of analytical efficiency.”

The Court understands that for the purposes of analytical efficiency a copy of meta data obtained pursuant to the Court’s Orders in this matter will be stored in the same database with data obtained pursuant to other NSA authorities and data provided to NSA from other sources. Access to such records shall be strictly limited in accordance with the procedures set forth in paragraphs A – G.

This happened just after ICREACH got generally rolled out in late 2007.

Given the violations “discovered” in 2009, given that NSA used federated queries with Section 215 and PRTT Internet dragnet data at least as late as 2012, I’m fairly certain that the 215 (and PRTT) repositories were made accessible to a more general interface via ICREACH (which one of the documents describes as middleware) at that point. As I’ve been explaining patiently for over 6 months, the Section 215 phone dragnet we’ve been arguing about is just one small part of the more  general dragnet.

That doesn’t mean FBI and DEA and CIA had access to the raw Section 215 metadata (though it ought to raise questions, especially with regards to the Internet dragnet data, for reasons I’ll return to). As far as we know, those agencies only got direct access to FISC-authorized phone and Internet dragnet query results, not raw data.

The documents released by the Intercept make it clear other Agencies’ analysts would need PKI to log into ICREACH. And that’s how — at least after the 2009 phone violations — NSA restricted phone dragnet access to limited numbers of analysts (even while John Bates made the PRTT Internet dragnet data accessible to just about all NSA analysts in 2010). In other words, what the interface did (again, after the 2009 violations anyway) was to ensure that only those with PKI permitting access to the FISC-authorized data could get in and — this was another addition added in 2009 — could only conduct queries using identifiers approved under the more narrow permissions tied to the FISC data. But those NSA analysts who qualified definitely had access to both FISC-authorized and EO 12333 authorized data from the same one-step shop, and for at least a year the FISC-authorized dragnets got subjected to the automatic processes implemented for EO 12333.  That was the problem (or one major source of the problem): FISC-authorized phone and Internet data was being exposed to the processes permitted with EO 12333 data but not permitted with FISC data.

If I’m correct, the inclusion of FISC-approved data in ICREACH led to (or exacerbated) FISC-approved data being treated as EO 12333 data for at least a year. That is, it led to the violations that included (among other things) 3,000 US persons being watchlisted without First Amendment review.

I will have more about what the Intercept documents show later (as well as some thoughts on what the structure of ICREACH might suggest about the NSA’s technical problems with the phone dragnet). They answer a number of questions about the metadata dragnet I’ve been posing for months.

Update: Adding that the point of this sharing is two-way. Not only does NSA share huge amounts of metadata with FBI and CIA, but NSA can contact chain its own metadata with non-metadata from the other agencies (documents mention things like passenger data and clandestine collection). That is, while I don’t think FBI and CIA had access to raw BR FISA data (at least not after 2009), I do think NSA was chaining on more than BR FISA.