James Clapper's Latest Section 215 Doc Release Shows NSA Behavior, Redaction Skills Both Questionable

from the unofficial-doc-releases-still-preferable,-easier-to-read dept

The ODNI released another batch of Section 215 court orders on Friday, and as usual, it was prefaced with the same statement by James Clapper that obfuscates the fact that these document releases were compelled by an EFF lawsuit.

These releases reflect the Executive Branch’s continuing commitment to make information about the implementation of Sections 501 and 702 publicly available when appropriate, while ensuring the protection of the national security of the United States.
I'm not entirely sure the Executive Branch's "commitment" is any less compelled than the ODNI's document releases. Obama has said he "welcomes the debate" on national security, but it's a bit like "welcoming" someone who has kicked in your door and made himself comfortable on your couch. It's more "confrontation" than "conversation."

Either way, there's not a ton of surprising stuff in these documents, thanks to the release of an unredacted court order by The Guardian back in June of last year. The verbiage has morphed over the last several years (the docs released date back to 2006 -- the point at which the collection was "authorized") with the greatest changes occurring after Judge Walton nearly shut the program down (for "systemic abuse" of the collection since its inception three years earlier) in March of 2009.

Here's what's worth noting from the latest ODNI document dump.

A footnote that appears in many of the orders gives us some idea how many numbers have made their way back to the FBI since the program's inception. The earliest order released (dated 8-18-06) states this:
The Court understands that NSA expects that it will continue to provide on average approximately two telephone numbers per day to the FBI.
Three months later (11-13-06), the number of "tips" increases:
The Court understands that NSA expects that it will continue to provide on average approximately three telephone numbers per day to the FBI.
There may be several redundancies in the NSA's tipped numbers (presumably the NSA doesn't concern itself with ensuring it hasn't tipped a number before) but the raw numbers indicate the FBI is receiving 1,095 tips per year, per telco. It's by no means a massive number compared to the entire collection, but it's still a lot of numbers for the nation's second largest national security agency to investigate.

The next point of interest appears in an amendment to a 2007 order, this one signed by Judge Kollar-Kotelly. Whatever the NSA was searching its collection for apparently didn't fall within the normal "counterterrorism" confines. The text is very heavily redacted, but the words remaining around the edges suggest a non-national security target.
3. The results of each such query shall be segregated to the extent feasible until BR 07-10 expires or [xxxxxxxxxx] whichever comes first.

4. Upon the conclusion of [xxxxxxxxx] or at the time of the renewal application, whichever comes first, NSA shall submit a written report to the Court stating why the results of any query conducted pursuant to this Motion should not be destroyed.

5. This amendment is strictly limited to allowing queries of the metadata [xxxxxxxxx] and does not apply to queries for the purpose of [xxxxxxxxx].
[The text doesn't show the lengths of the redacted areas, so this screencap might be a little more relevant.]


As of January 2008, querying the metadata database was restricted to approval by "one of eight people." But by the following order (04-03-08), this number had mysteriously swelled to twenty-three. There's no documentation or explanation given for the expanded roster of query-approval personnel on what is basically the renewal of the previous court order. (This one is signed by a different judge, however.) This may be just be one example of the "systemic abuse" called out by Judge Walton in his near-dismantling of the program -- a tripling of query approvers for a database whose access was supposed to be very strictly controlled.

What is likely Judge Walton's first court order since his February 2008 order temporarily halting the NSA's bulk records collection notes that approvals to search the database will only be approved on a case-by-case basis until further notice. Unfortunately, this order also gives the agency a convenient way to avoid having to seek the court's prior approval.
[I]f the government determines that immediate querying of the BR metadata through contact chaining [xxxxxxxxxxxxxxx] is necessary to protect against an imminent threat to human life, the government may query the BR metadata for such purpose. In each such. case falling under this latter category, the government shall notify the Court of the access, in writing, no later than 5:00 Eastern Time on the next business day after such access.
Walton's court order dated Feb. 26, 2010 contains a number of new additions not seen in previous orders. Most notably, it details the NSA's (compelled) decision to fix its software to limit the number of "hops" an analyst could take during contact chaining.
In addition, the Court understands from the Declaration of Lieutenant General Keith B. Alexander, Director of NSA (Ex. A to the Report of the United States filed in docket number BR on August 17,2009) that NSA has made a number of technical modifications that will prohibit a) from inadvertently accessing the BR metadata in [xxxxxxx]; b) from querying the BR metadata in [xxxxxxx] with non-RAS-approved identifiers; and c) from going beyond three "hops" from an identifier used to query the BR metadata in [xxxxxxx].
How many "hops" did NSA analysts (this same order notes there are 125 analysts* approved to search the BR database) take before this implementation? Three years down the road from the program's beginning, the NSA is finally forced to admit it has a problem (well, several actually) and implemented the sort of software-based restrictions it should have had in place in 2006.

* This number seems to have been redacted needlessly in the renewal of the February court order.


It also notes the administration will be given access to BR data in order to "determine whether the information contains exculpatory or impeachment information or is otherwise discoverable in legal proceedings." The follow-up question (which still has no real answer) is what does the Executive Branch do with this info? Does it get buried? Is it barred from being admitted as evidence because it would "damage national security," even though it could spring an innocent person? From what we've seen in previous cases, it appears as though the government is more willing to imprison someone than allow surveillance data to be admitted as evidence.

Also of note is this particular redaction, the length of which indicates this order is aimed at AT&T. (Gotta love monospaced fonts.)


This isn't the only document in which the NSA exposes something inadvertently. A January 2011 court order duly redacts anything worth noting, including the recipient of the order, right up until page 4, where this slips through.


Finally, two supplemental orders from 2011 indicate the NSA was also gathering credit card information along with the rest of the metadata, possibly inadvertently. Both contain the following paragraph.
It is hereby ORDERED that such reports, in addition to the elements described in Paragraph shall include a discussion of NSA's consideration and, to the extent feasible, implementation of methods of purging the credit card information produced by [xxxxxxx] and described in letters submitted by the government on March 1, 2011, and April 13, 2011, in Docket Nos. BR 10-49 and BR 10-70.
Note the time difference between the letters from the government and the orders to which they refer. Both BR collections were authorized by court orders in 2010 (10-49 was signed 08-04-10 and 10-70 on 10-29-10). At the very least, the NSA was sweeping up credit card info for nearly six months before it was pointed out.

What these documents show is that the NSA does have several layers of accountability and oversight, much of which has been in place since the inception of the Section 215 program. Unfortunately, most of these controls are internal, making the word "oversight" rather meaningless. As Walton discovered before issuing his order halting the program, any oversight outside of the agency had to rely on the NSA's portrayal of its activities, something that was rarely accurate.

And there's reason to believe that much of what was implemented as a result of Walton's court order has been less than rigorously enforced over the last few years. The orders following this pivotal point ran 10-13 pages and were loaded with restrictions and reporting requirements. The order leaked by Snowden from April 2013 runs only 4 pages and limits disclosure of the data, but very little else. The extensive reporting requirements implemented in 2009, as well as the stipulations restricting the number of people authorized to give query approval, are no longer present. Given what happened during the first three years of the program, this lack of mandated controls doesn't exactly inspire confidence that abuses aren't ongoing.

Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: bulk collection, fisc, james clapper, metadata, odni, section 215


Reader Comments

Subscribe: RSS

View by: Time | Thread


  • icon
    Ninja (profile), 21 Jan 2014 @ 3:54am

    Unfortunately, most of these controls are internal

    To make matters worse the external oversight that could be applied (by the Congress mainly) is simply ignored by those who can do it or it's in the hands of morons that think everything is fine if u leave things to the NSA collective.

    link to this | view in chronology ]

  • identicon
    arcan, 21 Jan 2014 @ 5:52am

    why do we need 2 national security organizations?

    link to this | view in chronology ]

    • identicon
      Anonymous Coward, 21 Jan 2014 @ 6:05am

      Re:

      You need two to increase the employment opportunities for bureaucrats and provide sinecures for generals.

      link to this | view in chronology ]

    • identicon
      Anonymous Coward, 21 Jan 2014 @ 11:40am

      Re:

      One to keep us secure from the other....

      link to this | view in chronology ]

  • This comment has been flagged by the community. Click here to show it
    identicon
    out_of_the_blue, 21 Jan 2014 @ 6:02am

    Too Detailed Yet Too Vague; Didn't Read

    TDYTV;DR

    Without futher comment, here's a more interesting piece:

    Beyond the NSA: What About Big Data Abuse by Corporations, Politicians?

    http://rinf.com/alt-news/latest-news/beyond-nsa-big-data-abuse-corporations-politicians/

    Google's tailoring to YOU can selectively substitute, omit, and lie. You can't trust anything on the net, neither what you see nor what you don't see!

    02:02:14[c-5-5]

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 21 Jan 2014 @ 6:38am

    If you consider a telco to be a single entity and the number of hops that are being polled is two and a user contacting any number belonging to said entity as a single hop and any other user contacting same said entity as the second hop then in short order you have every single user of the phone system.

    link to this | view in chronology ]

  • identicon
    Beech, 21 Jan 2014 @ 6:52am

    irony

    It's hard not to note the specific irony of an agency so obsessed with obtaining every possible shred of data, yet being so completely and unnecessarily about it. "We need to know everything to stop terrorists. You can't know anything to stop terrorists."

    The key word for the NSA is "needless." They needlessly gather way more data than they could ever hope to analyze, then needlessly keep secrets that don't really need to be kept. And if those secrets weren't needless they wouldn't redacted them in one place and leave them uncensored elsewhere.

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 21 Jan 2014 @ 7:17am

    "Also of note is this particular redaction, the length of which indicates this order is aimed at AT&T. (Gotta love monospaced fonts.)"

    And they say metadata doesn't tell you much.

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 21 Jan 2014 @ 7:36am

    Conversation vs confrontration

    It's a bit like "welcoming" someone who has kicked in your door and made himself comfortable on your couch. It's more "confrontation" than "conversation."
    At least this conversation hasn't involved killing anyone's dogs yet.

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 21 Jan 2014 @ 8:32am

    USA Update

    I'm in the USA, it's 2020 and I thought I'd post the update here on the current elections to try to restore democracy to this once free country.

    I hope you don't mind me posting comments here Mike, but in my own country of USA, I may be shot for daring to speak.

    Democracy is hard here in the US. The military industrial complex seized power in 2014, stuffed the Senate with its own people, ejected the elected leader from the country and created a fake 'Electoral Commission' and 'Constitutional Court' to ensure it keeps power.

    The media is owned by associates of the military machine. They pretend to be independent, but only the occasional critical remark is permitted, to give the fake gloss of balance.

    The elected leader was demonized, they refer to him as the 'fugitive in dubai' and astroturf and propaganda screens blurt out messages of hate for 'dubai fugitives latest crimes'. No proof of these crimes ever comes forward, but they served their soundbite purpose.

    Fake elections and counter protests have followed over the years, usually resulting in a giant massacre of democracy protestors. They blame these on the 'dubai fugitive', they claim he sent black-uniformed-terrorists to our country to kill us to make the military government look bad. But we know it was the military government itself. They don their black uniforms, kill us, then pretend its someone else.

    Like a plot from a cheap novella, they will catch these black shirts burning down a village, but the village is a few straw huts in a field that nobody has ever stepped in. They are lazy, they think we are stupid.

    The military wants to hold power, but the people rebel, so the military keeps power by controlling the agencies of state instead. When an elected leader gets out of hand, the military controlled 'National Anti Corruption Council' finds them guilty of 'failing to stop corruption' and bars them from power, banning their party.

    They reform, under a new name with new people and we vote for them. Using colors to keep track as they change their names and faces, 'red-pants' as we call them for their distinctive red colored pants. Vote 'red-pants'!

    The latest red-pants elected government was evicted when a corrupt military front man from the South of the country crawled his way up with a rent-a-mob and demanded our Prime Minister resign and alluded to all sorts of special authority. Authority normally attributed to the dark power of the military machine.

    How do we know he has that authority? Because the military didn't shoot him. Surely someone claiming to speak for them would quickly be shot.

    And when he demanded she step down or be kidnapped, surely she would step down, afraid of the military. And when his doctor friend says he will surgically operate on her genitals, surely that dehumanizing sexual threat will make her resign.

    He made the demand, but there was something different this time. Our leader, she said no, she called elections but she did not resign and did not hand him power. No means no.

    The military propaganda machine is in full swing. "She is corrupt" they say, but they are corrupt. "We are the people" they say, but they are the military. "She is anti-democratic", but they are the dictators.

    This man wants to install 400 of his military cronies into power, but the people dare to ask him 'who'. And he can't name them. Then he says he will 'reform the corrupt government', and the people ask 'how', and he doesn't know how. It's as if he just expected to be handed power and didn't think the next step. How dare we ask him questions!

    So then the people ask 'why' and it's clear the army is afraid. How can they shoot people just for asking why power should be handed to this idiot?

    The military needs us, we feed them, we cloth them, their people are us! So without us, there is no them! They can't just take power, because we'll stop working.

    Instead they fake disasters so they can be a savior. They create imaginary bad guys so they can battle them.

    Bombs have started going off. The military protestors are the target, yet their leader is not afraid, he is defiant! He will stand against these Dubai black uniformed terrorists trying to kill his people.

    And those people show each other videos, and pictures, the bombers are soldiers, military men, the very guards of the leader they follow! They are being killed so the propaganda machine can paint him as savior!

    The Electoral Commission has secretly already agreed it will cancel elections if there is too much democracy in the result. None of us know whether we'll be shot tomorrow for daring to think for a second that we can vote.

    I hope your country Mike, doesn't become like our country. It's very important to keep the bodies of government within the control of the democracy. If you let a feudal power take control of those bodies, then with it you lose the democracy itself.

    link to this | view in chronology ]

  • icon
    ahow628 (profile), 21 Jan 2014 @ 8:49am

    Wait...

    So they added technical enhancements to the software to prevent abuse but their search function can't find all occurrences of "Verizon"? Hmm, seems fishy.

    link to this | view in chronology ]

  • icon
    krolork (profile), 21 Jan 2014 @ 10:26am

    We need a revolution.

    link to this | view in chronology ]

  • icon
    krolork (profile), 21 Jan 2014 @ 10:27am

    We need a revolution.

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 22 Jan 2014 @ 9:16am

    Why is this guy not in jail yet?

    link to this | view in chronology ]


Follow Techdirt
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Discord

The latest chatter on the Techdirt Insider Discord channel...

Loading...
Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.