NSA Insisted Snowden Didn't Have Access To Actual Surveillance Data: But He Did... And It Shows How Much Non-Terrorist Content NSA Collects
from the lying-liars dept
Just a few days ago, the Privacy and Civil Liberties Oversight Board (PCLOB) more or less gave a pass to the Section 702 surveillance program by the NSA (approved by Section 702 of the FISA Amendments Act). This is the program that combines PRISM (basically court orders to internet companies for content) and Upstream (tapping fiber backbone to sniff basically all traffic) to collect communications (not just metadata) of "targets." For years, we've pointed out that the NSA defines "targets" differently than most everyone else does -- and people in the know, like Senator Ron Wyden, have been trying to warn us that the NSA defines "targets" in a manner that allows the NSA to spy on the communications of a very, very large number of innocent people. The PCLOB more or less admitted that they didn't actually see the details of what the NSA collected, but a newly analyzed trove of documents from Ed Snowden reveals the truth. While the program may actually be useful in discovering terrorist plots, it also appears to collect a ridiculous amount of data on people who clearly are not targets, and the NSA is incredibly lax about purging the database (so-called "minimization") of that unrelated information.This latest report, written by Barton Gellman and Ashkan Soltani at the Washington Post, is important for a number of different reasons. First is that, for quite some time now, NSA insiders have insisted that while Snowden had access to papers and reports about the various surveillance programs, he never actually had access to the actual contents of the surveillance databases. That was clearly a lie. As the article notes:
As recently as May, shortly after he retired as NSA director, Gen. Keith Alexander denied that Snowden could have passed FISA content to journalists.And, of course, Snowden-haters have regularly mocked the claim he made in his very first interview that "I, sitting at my desk, certainly had the authorities to wiretap anyone, from you, or your accountant, to a federal judge, to even the President if I had a personal email." Many had used the fact that no such "FISA data" had been revealed, or even alluded to, as proof that Snowden was talking bigger than his actual position and supposedly, as an "IT guy," he didn't really have access to the same info that analysts could access. It is now clear that those people were lying. Snowden clearly had access to that data, and gave a sample to Gellman.
“He didn’t get this data,” Alexander told a New Yorker reporter. “They didn’t touch —”
“The operational data?” the reporter asked.
“They didn’t touch the FISA data,” Alexander replied. He added, “That database, he didn’t have access to.”
Snowden said he did not need to circumvent those controls, because his final position as a contractor for Booz Allen at the NSA’s Hawaii operations center gave him “unusually broad, unescorted access to raw SIGINT [signals intelligence] under a special ‘Dual Authorities’ role,” a reference to Section 702 for domestic collection and Executive Order 12333 for collection overseas. Those credentials, he said, allowed him to search stored content — and “task” new collection — without prior approval of his search terms.Of course, this makes it all the more concerning that the NSA has admitted it still has no idea what Snowden took. For all the talk of how carefully these programs are audited, can the NSA legitimately expect anyone to believe that others -- perhaps those with more nefarious intent -- haven't made off with the same kinds of content? The NSA (1) has admitted it doesn't know what Snowden took and (2) insisted he didn't have access to this data. Now that it's been proven he did have access to this data and gave it to journalists, it seems pretty damn clear that the NSA has no idea if anyone else took that same data as well -- or if they have been abusing the same access for more nefarious purposes (espionage, blackmail, you name it).
Meanwhile, the very same NSA attackers who insisted that Snowden didn't have access to the surveillance database have immediately ignored their old statements and now re-spun this story into how he was "reckless" in handling such sensitive data, Snowden explains that having a sample of this kind of data is incredibly important in letting the world know just how broad the 702 surveillance is:
In an interview, Snowden said “primary documents” offered the only path to a concrete debate about the costs and benefits of Section 702 surveillance. He did not favor public release of the full archive, he said, but he did not think a reporter could understand the programs “without being able to review some of that surveillance, both the justified and unjustified.”Indeed, even for those of us who have been screaming loudly about how the NSA interpreted "target" differently than most people (including Congress) suspected, since long before Snowden leaked his documents, the detailed revelations here are eye opening about just how much information the NSA actually collects based on "targets."
Nine of 10 account holders... were not the intended surveillance targets but were caught in a net the agency had cast for somebody else.And, frequently, the information that the NSA retained on clearly non-targeted individuals was quite revealing. Remember that this is the actual content of communications, not "just metadata" (that's a different program).
Many of them were Americans. Nearly half of the surveillance files, a strikingly high proportion, contained names, e-mail addresses or other details that the NSA marked as belonging to U.S. citizens or residents. NSA analysts masked, or “minimized,” more than 65,000 such references to protect Americans’ privacy, but The Post found nearly 900 additional e-mail addresses, unmasked in the files, that could be strongly linked to U.S. citizens or U.S.residents.
Many other files, described as useless by the analysts but nonetheless retained, have a startlingly intimate, even voyeuristic quality. They tell stories of love and heartbreak, illicit sexual liaisons, mental-health crises, political and religious conversions, financial anxieties and disappointed hopes. The daily lives of more than 10,000 account holders who were not targeted are catalogued and recorded nevertheless.This sample cache shows pretty clearly that anything even remotely close to a loosely defined "target" (which could be a computer rather than a person) gets collected and stored:
[....]
Scores of pictures show infants and toddlers in bathtubs, on swings, sprawled on their backs and kissed by their mothers. In some photos, men show off their physiques. In others, women model lingerie, leaning suggestively into a webcam or striking risque poses in shorts and bikini tops.
If a target entered an online chat room, the NSA collected the words and identities of every person who posted there, regardless of subject, as well as every person who simply “lurked,” reading passively what other people wrote.You may recall that, all the way back in 2011, we were reporting on Senators Ron Wyden and Mark Udall asking James Clapper how many Americans were being spied upon under Section 702 of the FISA Amendments Act and being told it was impossible to estimate such a number. Here, Gellman and Soltani use what they've found in the cache to give the estimate that the NSA/ODNI would not:
“1 target, 38 others on there,” one analyst wrote. She collected data on them all.
In other cases, the NSA designated as its target the Internet protocol, or IP, address of a computer server used by hundreds of people.
The NSA, backed by Director of National Intelligence James R. Clapper Jr., has asserted that it is unable to make any estimate, even in classified form, of the number of Americans swept in. It is not obvious why the NSA could not offer at least a partial count, given that its analysts routinely pick out “U.S. persons” and mask their identities, in most cases, before distributing intelligence reports.The report also highlights the cavalier attitude by NSA analysts in determining what to keep and what to "minimize." Section 702 certainly gave the NSA a lot more leeway to spy on Americans, and NSA analysts are making quite a lot of use of that leeway.
If Snowden’s sample is representative, the population under scrutiny in the PRISM and Upstream programs is far larger than the government has suggested. In a June 26 “transparency report,” the Office of the Director of National Intelligence disclosed that 89,138 people were targets of last year’s collection under FISA Section 702. At the 9-to-1 ratio of incidental collection in Snowden’s sample, the office’s figure would correspond to nearly 900,000 accounts, targeted or not, under surveillance.
In their classified internal communications, colleagues and supervisors often remind the analysts that PRISM and Upstream collection have a “lower threshold for foreignness ‘standard of proof’ ” than a traditional surveillance warrant from a FISA judge, requiring only a “reasonable belief” and not probable cause.Basically, it appears that if an analyst can come up with any reason they can justify claiming someone is "foreign," they can use it, even if they know the person is actually a US person. And because the NSA knows they have much greater power to spy under Section 702, they often shift investigations over to put them under this authority since they can get away with more:
One analyst rests her claim that a target is foreign on the fact that his e-mails are written in a foreign language, a quality shared by tens of millions of Americans. Others are allowed to presume that anyone on the chat “buddy list” of a known foreign national is also foreign.
In an ordinary FISA surveillance application, the judge grants a warrant and requires a fresh review of probable cause — and the content of collected surveillance — every 90 days. When renewal fails, NSA and allied analysts sometimes switch to the more lenient standards of PRISM and Upstream.The report is quite damning in revealing two things that the NSA has tried to hide: First, Snowden clearly had widespread access to the surveillance database content, despite strong claims that he did not. Second, that the database includes a ton of information on people not "targeted" and that such information outweighs info on targets by a factor of 9 to 1.
“These selectors were previously under FISA warrant but the warrants have expired,” one analyst writes, requesting that surveillance resume under the looser standards of Section 702. The request was granted.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: collections, ed snowden, keith alexander, non-targets, non-us persons, nsa, section 702, surveillance, targets
Reader Comments
Subscribe: RSS
View by: Time | Thread
While they all pretended he crippled them, they said he didn't have the access to those things that don't exist.
Except he did, those records do exist, and all of the people shouted down for wearing tinfoil hats now look like they could see the future.
These programs have no oversight. Those charged with providing oversight have abdicated that role, instead wrapping themselves up in the comforting blanket of they only do it to bad people. Sadly unless you are part of the spying, you are the bad people.
Sadly people will get distracted by what stupid thing some star did over the weekend, rather than forcing white hot rage at the leaders who have sold out the entire foundation the country was founded on. Because they are reading your posts, and misfortune hits those who dare speak out.
[ link to this | view in thread ]
What are we supposed to think? Everything we've been told by US officials has turned out to be nothing but lies. Like saying only metadata is collected. Now we're finding out baby pictures and other types of content are being collected and stored indefinitely. Without a warrant.
Seizing and searching the content of American communications is unconstitutional. These NSA programs are illegal.
[ link to this | view in thread ]
[ link to this | view in thread ]
[ link to this | view in thread ]
It's times like these
[ link to this | view in thread ]
encryption
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Re:
Remind me, what is the duty of the people when a government becomes tyrannical?
[ link to this | view in thread ]
While it may sounds like what I am saying is that the NSA mouths aren't lying to us after all, what I am really saying is that maybe they really will never have any idea what he actually took or had access to indirectly. They may very well have a much larger problem on their hands than they realize at NSA. Snowden could be the tip of the ice-burg.
[ link to this | view in thread ]
Re: encryption
[ link to this | view in thread ]
It gets even better ... NSA did not "lie"
You would think by now NSA would be tired of looking foolish.
[ link to this | view in thread ]
Which database?
So maybe Snowden's revelation is just the tip of the iceberg. (As usual.)
Also, remember the disclosure last week that they were using first order contacts of targets as targets. Therefore, the correct total above (using the 9:1 ratio) is 89000x9x9, or 7.2 million people...and that was just the one request.
[ link to this | view in thread ]
We already know they have. Remember those articles about "LOVEINT"? That's basically stalking in some cases.
The only question is what else they've abused the access for.
[ link to this | view in thread ]
[ link to this | view in thread ]
Re: Re:
Then collect FB likes.
Then the problem is all solved.
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Re: It's times like these
[ link to this | view in thread ]
Re: It gets even better ... NSA did not "lie"
Snowden did not tap the raw traffic. Great. I can actually believe that since routing the Internet through Hawaii would likely have led to noticeable slowdowns.
In order to obviate the need for further requalifications, let me propose a qualification for all of the NSA officials' statements so far that is not likely to require further revisions:
"Bullshit". After some deliberation, I am willing to also profer the option "Hornswoggle".
[ link to this | view in thread ]
Re: Re: It gets even better ... NSA did not "lie"
[ link to this | view in thread ]
Re: Re:
You may be able to reduce the count by setting stricter standards for what is needed to define a foreign suspect, but then "collect it all" is a terrible strategy... It seems to me, that giving people the option of getting a gps-chip implanted in the neck and a camera in the forehead and have them maintained regularly, setting up for DNA, iris scan, facial scan, finger printing and a long interview or having NSA haunt you for life would make people choose something closer to Minority Report than 1984...
[ link to this | view in thread ]
children and dinosaurs
Their employers look like dinosaurs with no clue what is going on.
[ link to this | view in thread ]
Re:
So, yes, information is the target, people are collateral.
[ link to this | view in thread ]
Re: children and dinosaurs
[ link to this | view in thread ]
Re: children and dinosaurs
[ link to this | view in thread ]
Re: children and dinosaurs
Red herring. Heroism is not in the job description for NSA snoopers. Do they even have field agents of their own? Their job is to provide intelligence that will be used for killing people.
That's not heroism. It is the ultimate in institutionalized cowardice.
[ link to this | view in thread ]
When are we going to hear the following?
Because that's what this is actually about.
[ link to this | view in thread ]
quick wording question
Should "attackers" be "defenders" in that sentence? (Or maybe "attack dogs"?)
[ link to this | view in thread ]
Protest
"We know through painful experience that freedom is never voluntarily given by the oppressor; it must be demanded by the oppressed." – Martin Luther King, Jr.
[ link to this | view in thread ]
Re: encryption
1) They would bruteforce your file until it cracks, 2)It´s possible that a backdoor was implemented into your encryption software that allows NSA access
3) If you plan to send the file to someone, then they would most likely hack the receiver of that file, and wait until the file is decrypted and, then either copy the entire clipboard while the receiver reads the file or download the file directly when opened. 4) They proably have software that easily can identify the encryption algoritm used. A walk in the park for these guys :)
[ link to this | view in thread ]
Re: encryption
There are a lot of companies that try to hide their encryption algorithms on the notion that the process won't be discovered. It will. It is. Always.
Better to use an encryption method that is known, in common use and has proven to be expensive to crack.
[ link to this | view in thread ]
Re: It gets even better ... NSA did not "lie"
By NSA agents responding to deposition questions evasively, it presents evidence that they have no intention of giving direct, truthful answers, and that implies that they are operating beyond what would be acceptable parameters for such an agency, were those parameters made public.
We cannot ever trust the NSA again. We may not be able to trust any future NSA-like state entity again.
[ link to this | view in thread ]
Re: Re: encryption
Send a team to install a snooper on the computer, hack the computer or install an ex situ device to monitor the computer or several of the above to have some redundance. Preferably it is done with a warrent, but the point is that if the computer is turned on, it is possible to monitor the activity on it, whether it is online or not. Encryption may help with the online surveillance programs, but the computer will always be possible to gain access to through FBI/CIA if they really want to spend the money on it...
[ link to this | view in thread ]
Re: Re: Re:
[ link to this | view in thread ]
Re: Re: Re: encryption
It's why we need false-bottom encryption devices as well as ones that can break themselves with a burn password.
[ link to this | view in thread ]
Re: Re: Re:
[ link to this | view in thread ]
Re: Re: Re: Re:
[ link to this | view in thread ]
Re: Which database?
As usual the comments from NSA are not well-formulated and the problematic part is mainly that they seem to err on the side of security through obscurity and try to hide even completely unproblematic details in much broader terms to make people think they do more and better work than is really happening. It is basic hoodwinking, but these kinds of misleading lobbyist answers are apparently not illegal since clarification can make them into non-lies...
[ link to this | view in thread ]
Re: Re: It's times like these
Well there's your problem.
[ link to this | view in thread ]
Re: Re:
[ link to this | view in thread ]
Re: Re: Re:
[ link to this | view in thread ]
Re: When are we going to hear the following?
[ link to this | view in thread ]
Re:
https://www.schneier.com/blog/archives/2014/07/nsa_targets_pri.html
[ link to this | view in thread ]