ODNI Tasks Researchers With Figuring Out How To Store Section 215 Collections Off-Site
from the still-looking-at-the-symptoms,-rather-than-the-sickness,-however dept
One of the few stipulations in Obama's NSA reforms was to transfer the Section 215 collections to a third party and out of the NSA's direct control. The assumption is that these records will be held by those generating them -- the telcos. But the telcos have made it apparent that, while they have no problem asking "how high" whenever the NSA says, "jump," they have no interest in storing the records onsite. The administration didn't specifically order anyone to take control of the records, basically punting the issue to Congress and the DOJ and "allowing" them to sort it out.
For better or worse, the ODNI has already taken action toward fulfilling the president's order.
The Office of the Director of National Intelligence has paid at least five research teams across the country to develop a system for high-volume, encrypted searches of electronic records kept outside the government's possession. The project is among several ideas that could allow the government to store Americans' phone records with phone companies or a third-party organization, but still search them as needed.These researchers' suggestions will be weighed against anything the DOJ or Congress has to offer, albeit with a slight hometeam advantage. There are some protections the ODNI has specified that may make its conclusions preferable to others, in terms of data security at least, and possibly provide more flexibility for shifting records to whatever entity(ies) is left holding the metadata bag.
Under the research, U.S. data mining would be shielded by secret coding that could conceal identifying details from outsiders and even the owners of the targeted databases, according to documents obtained by The Associated Press and interviews with researchers, corporate executives and government officials…This would ease the logistics problem and (theoretically) reduce the possibility of abuse. But it doesn't eliminate every problem, including the "why" of collecting and storing millions of irrelevant phone records. While it will reduce the odds of abuse, it doesn't eliminate that prospect. Another concern is the fact that the use (as opposed to the collection and storage) of the data will still be removed from any meaningful oversight.
An encrypted search system would permit the NSA to shift storage of phone records to either phone providers or a third party, and conduct secure searches remotely through their databases. The coding could shield both the extracted metadata and identities of those conducting the searches, Bellovin said. The government could use encrypted searches to ensure that its analysts were not leaking information or abusing anyone's privacy during their data searches. And the technique could also be used by the NSA to securely search out and retrieve Internet metadata, such as emails and other electronic records.
On a more positive note, the encrypted search requirement would stave off hacking attempts and prevent the phone companies from knowing which records have been searched. Of course, while preventing the phone companies from knowing what's going on with their records does some damage to the recently loosened restrictions on government access reporting, it does at least eliminate one of the telcos' objections to maintaining the collected data onsite. (Although it can be argued that the telcos -- Verizon and AT&T especially -- have been so compliant over the years that storing data onsite won't be remarkably different than storing it at NSA data centers.)
There are some pluses to the ODNI's efforts, but the question of why the collection is needed still hasn't been answered. The administration's cosmetic reforms placed a few restrictions on the Section 215 program but completely avoided addressing the overall uselessness of the Fourth Amendment-skirting program. As the program morphs to meet the few requirements given, the NSA's supporters are likely to greet each change with more proclamations of the damage being done to national security. (Not that they haven't started already…)
Ultimately, the NSA has no need to keep the data onsite, considering it will now have to seek court approval before searching the database. It will still have some leeway to bypass the judicial constraints thanks to National Security Letters, but for the most part, it's a return to its 2009 restraints as ordered by FISC judge Reggie Walton after observing "systemic abuse" of the bulk records collections. With this in place, the agency can't really argue that uninterrupted, direct access is needed as it will be something it no longer has, onsite or not. Placing another small hurdle simply makes it a bit more difficult to abuse the collection and, after having free rein for so many years, a little friction is exactly what the agency needs to experience.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: bulk metadata, james clapper, nsa, odni, patriot act, privacy, section 215, surveillance
Reader Comments
Subscribe: RSS
View by: Time | Thread
Section 215 allows the *FBI* to get *records* that are *relevant* to an actual *investigation*.
PCLOB: NSA program fails on "FBI", "records," "relevant" & "investigation."
When do we all pull out the torches and pitchforks? I for one am ready.
[ link to this | view in thread ]
Easy Solution
[ link to this | view in thread ]
[ link to this | view in thread ]
o rly
That would depend largely on whether (A) the encryption was intentionally crippled with a backdoor, and (B) a new high-value high-volume high-security database was of any interest as a target in a world full of highly-sophisticated hacker collectives.
[ link to this | view in thread ]
Always trust the government to exploit a crisis
[ link to this | view in thread ]
as for the bit about 'anyone outside of the USA being fair game', i reckon the USA needs to watch itself. it may think everyone is fair game but it dont mean the other countries are gonna be compliant to those thoughts, especially after what has been revealed up to now over citizens and heads of EU countries! there could be a bigger heap of shit thrown America's way than it wants. it has struggled so far to retain that shit from really hitting fan, with only the thick fucking UK government under Obama's arse licker, Cameron, not going mad for obvious reasons. with the legal challenges going to be conducted in the not too distant future, the UK needs to watch it's step!!
[ link to this | view in thread ]
The government will, using funds currently dedicated to NSA's PRISM servers.
And guess what will happen once the telcos will have optimized the infrastructure to cut costs?
It is a way to tie the hands of the telcos to cooperate even more, as it sort of guaranties them possibly huge incomes, and even if it is not the case, the mere possibility that it could be used that way is frightening.
If decentralizing the storage sort of mitigates some risks of abuses from the NSA, it also dilutes responsibilities. It is currently hard enough to deal with the "NSA problem"; is it really a good idea to welcome a potential "NSA + every single telco problem"?
[ link to this | view in thread ]
Aren't these statements in direct conflict? Even if someone who is not an "analyst" is technically making the search and reporting the data, how is hiding the identity of the searcher going to prevent leakers and/or abuse? Isn't that just shifting the risk of abuse and leakage to a third party? If the third party providing the search and the details of how the NSA is using the data are kept separate by being separate entities, I could maybe see an argument that leakers are reduced (no one has enough of the puzzle to form a complete picture). This is not the case for people abusing their access to the data, IMO.
[ link to this | view in thread ]
Stop right there: Since when the executive branch creates the laws in this country?
[ link to this | view in thread ]
I hear "Target" is on the short list
[ link to this | view in thread ]
Oh, great!
[ link to this | view in thread ]
Re:
Before this, they were doing it all by their lonesome, behind a curtain so we couldn't see them violating our constitutional rights.
Well, now that they are getting called on this, they have to think of a way to keep doing what they are doing without looking like they are doing it. And they really, REALLY like that curtain, so they are going to drag it along with them, even though it doesn't make sense.
So, the new idea is to get it away from the NSA. And they will contract it. Planning stopped about three milliseconds before the plan reached this stage, so now we have a worse situation than we did before. Now we are having our constitutional rights violated at the same time as we lose more of our privacy, and at roughly the same cost, but with far more data breaches.
Who said you couldn't do more with less?
[ link to this | view in thread ]
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
The solution is obvious, no?
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Actually Totally Plausible
This would, indeed, be a good way to control so called LOVINT and other low level abuses that are in the news now. However, while creepy these abuses aren't the real danger. They merely demonstrate the danger posed by someone with manager level access engaged in something more diabolical than stalking potential or former lovers. While I suspect a knowingly evil/anti-US motive is unlikely it seems totally plausible that a manager could be convinced that some candidate would be a disaster for the US and use their position to spy on the least reputable associates of a political candidate.
However, the system could be designed so that the supervisors have the appropriate cryptographic keys to supervise their underlings.
[ link to this | view in thread ]