NSA Insisted Snowden Didn't Have Access To Actual Surveillance Data: But He Did... And It Shows How Much Non-Terrorist Content NSA Collects

from the lying-liars dept

Just a few days ago, the Privacy and Civil Liberties Oversight Board (PCLOB) more or less gave a pass to the Section 702 surveillance program by the NSA (approved by Section 702 of the FISA Amendments Act). This is the program that combines PRISM (basically court orders to internet companies for content) and Upstream (tapping fiber backbone to sniff basically all traffic) to collect communications (not just metadata) of "targets." For years, we've pointed out that the NSA defines "targets" differently than most everyone else does -- and people in the know, like Senator Ron Wyden, have been trying to warn us that the NSA defines "targets" in a manner that allows the NSA to spy on the communications of a very, very large number of innocent people. The PCLOB more or less admitted that they didn't actually see the details of what the NSA collected, but a newly analyzed trove of documents from Ed Snowden reveals the truth. While the program may actually be useful in discovering terrorist plots, it also appears to collect a ridiculous amount of data on people who clearly are not targets, and the NSA is incredibly lax about purging the database (so-called "minimization") of that unrelated information.

This latest report, written by Barton Gellman and Ashkan Soltani at the Washington Post, is important for a number of different reasons. First is that, for quite some time now, NSA insiders have insisted that while Snowden had access to papers and reports about the various surveillance programs, he never actually had access to the actual contents of the surveillance databases. That was clearly a lie. As the article notes:
As recently as May, shortly after he retired as NSA director, Gen. Keith Alexander denied that Snowden could have passed FISA content to journalists.

“He didn’t get this data,” Alexander told a New Yorker reporter. “They didn’t touch —”

“The operational data?” the reporter asked.

“They didn’t touch the FISA data,” Alexander replied. He added, “That database, he didn’t have access to.”
And, of course, Snowden-haters have regularly mocked the claim he made in his very first interview that "I, sitting at my desk, certainly had the authorities to wiretap anyone, from you, or your accountant, to a federal judge, to even the President if I had a personal email." Many had used the fact that no such "FISA data" had been revealed, or even alluded to, as proof that Snowden was talking bigger than his actual position and supposedly, as an "IT guy," he didn't really have access to the same info that analysts could access. It is now clear that those people were lying. Snowden clearly had access to that data, and gave a sample to Gellman.
Snowden said he did not need to circumvent those controls, because his final position as a contractor for Booz Allen at the NSA’s Hawaii operations center gave him “unusually broad, unescorted access to raw SIGINT [signals intelligence] under a special ‘Dual Authorities’ role,” a reference to Section 702 for domestic collection and Executive Order 12333 for collection overseas. Those credentials, he said, allowed him to search stored content — and “task” new collection — without prior approval of his search terms.
Of course, this makes it all the more concerning that the NSA has admitted it still has no idea what Snowden took. For all the talk of how carefully these programs are audited, can the NSA legitimately expect anyone to believe that others -- perhaps those with more nefarious intent -- haven't made off with the same kinds of content? The NSA (1) has admitted it doesn't know what Snowden took and (2) insisted he didn't have access to this data. Now that it's been proven he did have access to this data and gave it to journalists, it seems pretty damn clear that the NSA has no idea if anyone else took that same data as well -- or if they have been abusing the same access for more nefarious purposes (espionage, blackmail, you name it).

Meanwhile, the very same NSA attackers who insisted that Snowden didn't have access to the surveillance database have immediately ignored their old statements and now re-spun this story into how he was "reckless" in handling such sensitive data, Snowden explains that having a sample of this kind of data is incredibly important in letting the world know just how broad the 702 surveillance is:
In an interview, Snowden said “primary documents” offered the only path to a concrete debate about the costs and benefits of Section 702 surveillance. He did not favor public release of the full archive, he said, but he did not think a reporter could understand the programs “without being able to review some of that surveillance, both the justified and unjustified.”
Indeed, even for those of us who have been screaming loudly about how the NSA interpreted "target" differently than most people (including Congress) suspected, since long before Snowden leaked his documents, the detailed revelations here are eye opening about just how much information the NSA actually collects based on "targets."
Nine of 10 account holders... were not the intended surveillance targets but were caught in a net the agency had cast for somebody else.

Many of them were Americans. Nearly half of the surveillance files, a strikingly high proportion, contained names, e-mail addresses or other details that the NSA marked as belonging to U.S. citizens or residents. NSA analysts masked, or “minimized,” more than 65,000 such references to protect Americans’ privacy, but The Post found nearly 900 additional e-mail addresses, unmasked in the files, that could be strongly linked to U.S. citizens or U.S.residents.
And, frequently, the information that the NSA retained on clearly non-targeted individuals was quite revealing. Remember that this is the actual content of communications, not "just metadata" (that's a different program).
Many other files, described as useless by the analysts but nonetheless retained, have a startlingly intimate, even voyeuristic quality. They tell stories of love and heartbreak, illicit sexual liaisons, mental-health crises, political and religious conversions, financial anxieties and disappointed hopes. The daily lives of more than 10,000 account holders who were not targeted are catalogued and recorded nevertheless.

[....]

Scores of pictures show infants and toddlers in bathtubs, on swings, sprawled on their backs and kissed by their mothers. In some photos, men show off their physiques. In others, women model lingerie, leaning suggestively into a webcam or striking risque poses in shorts and bikini tops.
This sample cache shows pretty clearly that anything even remotely close to a loosely defined "target" (which could be a computer rather than a person) gets collected and stored:
If a target entered an online chat room, the NSA collected the words and identities of every person who posted there, regardless of subject, as well as every person who simply “lurked,” reading passively what other people wrote.

“1 target, 38 others on there,” one analyst wrote. She collected data on them all.

In other cases, the NSA designated as its target the Internet protocol, or IP, address of a computer server used by hundreds of people.
You may recall that, all the way back in 2011, we were reporting on Senators Ron Wyden and Mark Udall asking James Clapper how many Americans were being spied upon under Section 702 of the FISA Amendments Act and being told it was impossible to estimate such a number. Here, Gellman and Soltani use what they've found in the cache to give the estimate that the NSA/ODNI would not:
The NSA, backed by Director of National Intelligence James R. Clapper Jr., has asserted that it is unable to make any estimate, even in classified form, of the number of Americans swept in. It is not obvious why the NSA could not offer at least a partial count, given that its analysts routinely pick out “U.S. persons” and mask their identities, in most cases, before distributing intelligence reports.

If Snowden’s sample is representative, the population under scrutiny in the PRISM and Upstream programs is far larger than the government has suggested. In a June 26 “transparency report,” the Office of the Director of National Intelligence disclosed that 89,138 people were targets of last year’s collection under FISA Section 702. At the 9-to-1 ratio of incidental collection in Snowden’s sample, the office’s figure would correspond to nearly 900,000 accounts, targeted or not, under surveillance.
The report also highlights the cavalier attitude by NSA analysts in determining what to keep and what to "minimize." Section 702 certainly gave the NSA a lot more leeway to spy on Americans, and NSA analysts are making quite a lot of use of that leeway.
In their classified internal communications, colleagues and supervisors often remind the analysts that PRISM and Upstream collection have a “lower threshold for foreignness ‘standard of proof’ ” than a traditional surveillance warrant from a FISA judge, requiring only a “reasonable belief” and not probable cause.

One analyst rests her claim that a target is foreign on the fact that his e-mails are written in a foreign language, a quality shared by tens of millions of Americans. Others are allowed to presume that anyone on the chat “buddy list” of a known foreign national is also foreign.
Basically, it appears that if an analyst can come up with any reason they can justify claiming someone is "foreign," they can use it, even if they know the person is actually a US person. And because the NSA knows they have much greater power to spy under Section 702, they often shift investigations over to put them under this authority since they can get away with more:
In an ordinary FISA surveillance application, the judge grants a warrant and requires a fresh review of probable cause — and the content of collected surveillance — every 90 days. When renewal fails, NSA and allied analysts sometimes switch to the more lenient standards of PRISM and Upstream.

“These selectors were previously under FISA warrant but the warrants have expired,” one analyst writes, requesting that surveillance resume under the looser standards of Section 702. The request was granted.
The report is quite damning in revealing two things that the NSA has tried to hide: First, Snowden clearly had widespread access to the surveillance database content, despite strong claims that he did not. Second, that the database includes a ton of information on people not "targeted" and that such information outweighs info on targets by a factor of 9 to 1.
Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: collections, ed snowden, keith alexander, non-targets, non-us persons, nsa, section 702, surveillance, targets


Reader Comments

Subscribe: RSS

View by: Time | Thread


  • icon
    That Anonymous Coward (profile), 7 Jul 2014 @ 5:51am

    And this is the problem with believing your own lies.

    While they all pretended he crippled them, they said he didn't have the access to those things that don't exist.
    Except he did, those records do exist, and all of the people shouted down for wearing tinfoil hats now look like they could see the future.

    These programs have no oversight. Those charged with providing oversight have abdicated that role, instead wrapping themselves up in the comforting blanket of they only do it to bad people. Sadly unless you are part of the spying, you are the bad people.

    Sadly people will get distracted by what stupid thing some star did over the weekend, rather than forcing white hot rage at the leaders who have sold out the entire foundation the country was founded on. Because they are reading your posts, and misfortune hits those who dare speak out.

    link to this | view in chronology ]

    • icon
      Greevar (profile), 7 Jul 2014 @ 6:53am

      Re:

      Any government that keeps secrets from the citizens it is charged to serve is a tyranny. So by that reasoning, though it isn't the only reason, I say our government has become tyrannical.

      Remind me, what is the duty of the people when a government becomes tyrannical?

      link to this | view in chronology ]

  • identicon
    Anonymous Coward, 7 Jul 2014 @ 6:07am

    I wonder if fiber-optic taps on internet backbones are considered "targets". That's a surefire way to maximize the amount of "incidentally" collected data. If I was trying to collect it all, that's what I'd do.

    What are we supposed to think? Everything we've been told by US officials has turned out to be nothing but lies. Like saying only metadata is collected. Now we're finding out baby pictures and other types of content are being collected and stored indefinitely. Without a warrant.

    Seizing and searching the content of American communications is unconstitutional. These NSA programs are illegal.

    link to this | view in chronology ]

    • identicon
      Anonymous Coward, 7 Jul 2014 @ 7:42am

      Re:

      More like, corporations are now people and since people can be targets, target the corporation that has a foreign employees that they can claim aren't extended 4th amendment protections instead of the individuals and any employees that are US citizens are incidental accidents that are "unwittingly" swept up in the collection. Also use the number of hops excuse to justify this collection as well.

      link to this | view in chronology ]

      • identicon
        Anonymous Coward, 7 Jul 2014 @ 8:02am

        Re: Re:

        That would be a terrifying prospect: Any company making deals abroad is of interest because of their foreign contacts. Make that universal to cover single persons and you have plenty justification for collecting data on yourself for posting on this forum. It doesn't take much to get into a situation where every person in the world has a suspect-dossier in NSAs archives if that is the case.

        You may be able to reduce the count by setting stricter standards for what is needed to define a foreign suspect, but then "collect it all" is a terrible strategy... It seems to me, that giving people the option of getting a gps-chip implanted in the neck and a camera in the forehead and have them maintained regularly, setting up for DNA, iris scan, facial scan, finger printing and a long interview or having NSA haunt you for life would make people choose something closer to Minority Report than 1984...

        link to this | view in chronology ]

        • identicon
          Anonymous Coward, 7 Jul 2014 @ 11:46am

          Re: Re: Re:

          Now that I think about it, maybe it can be flipped around. Since corporations are now people, US corporations could be considered US persons. And US persons have a 4th amendment right against unreasonable search and seizure without a warrant issued describing the items and places to be searched based on probable cause presented under oath. That would mean that a simple subpoena or NSL is not enough to compel compliance with the request for information in possession of the company. The company can simply tell them that they need to come back with a warrant.

          link to this | view in chronology ]

  • identicon
    Anonymous Coward, 7 Jul 2014 @ 6:16am

    All of our Computers including Smartphones are made in China I wonder if they are considered Targets and we are all just considered collateral damage.

    link to this | view in chronology ]

    • identicon
      Anonymous Coward, 7 Jul 2014 @ 8:16am

      Re:

      Airport security in USA has been strenghtened to: Computers and Smartphones has to be able to be turned on in the airport for you to get on a plane... It looks more like a counter-Miranda action than a counter to "invisible bombs".

      So, yes, information is the target, people are collateral.

      link to this | view in chronology ]

      • identicon
        Jake, 8 Jul 2014 @ 12:57am

        Re: Re:

        That policy's been around for decades, and it's not got much to do with surveillance. Strip out all the interior workings of a laptop and you could stuff it full of enough Semtex to make one hell of a mess of an airliner, or a few grand's worth of cocaine.

        link to this | view in chronology ]

  • identicon
    Anonymous Coward, 7 Jul 2014 @ 6:36am

    I think we need a lies to truths pie chart.

    link to this | view in chronology ]

  • identicon
    eroticreader, 7 Jul 2014 @ 6:40am

    It's times like these

    When I wish I could walk over to the NSA's various Bases and bitch-slap the heck out of the higher-ups (among other things). They are a disgrace to our country's Founders and our country as a whole.

    link to this | view in chronology ]

    • identicon
      Anonymous Coward, 7 Jul 2014 @ 7:45am

      Re: It's times like these

      Bitch-slapping isn't enough. We need codified accountability thru criminal statutes that have significant penalties for civil rights violations of this nature and then they need to be prosecuted under such statutes.

      link to this | view in chronology ]

      • identicon
        Anonymous Coward, 7 Jul 2014 @ 6:50pm

        Re: Re: It's times like these

        they need to be prosecuted under such statutes.

        Well there's your problem.

        link to this | view in chronology ]

  • identicon
    Duane, 7 Jul 2014 @ 6:47am

    encryption

    If I have several different encryption programs, and I encrypt my document in method A, then take the results of that and encrypt with method B and then take those results and encrypt in method C, I doubt anyone could decrypt the results, unless they had a hint of the programs used and the sequence they were used. Is there a flaw in this idea?

    link to this | view in chronology ]

    • icon
      ThatFatMan (profile), 7 Jul 2014 @ 6:59am

      Re: encryption

      It's not a new idea

      link to this | view in chronology ]

    • identicon
      Cowardsanonymous, 7 Jul 2014 @ 10:28am

      Re: encryption

      Here's what the NSA would probably do..

      1) They would bruteforce your file until it cracks, 2)It´s possible that a backdoor was implemented into your encryption software that allows NSA access
      3) If you plan to send the file to someone, then they would most likely hack the receiver of that file, and wait until the file is decrypted and, then either copy the entire clipboard while the receiver reads the file or download the file directly when opened. 4) They proably have software that easily can identify the encryption algoritm used. A walk in the park for these guys :)

      link to this | view in chronology ]

      • identicon
        Anonymous Coward, 7 Jul 2014 @ 11:32am

        Re: Re: encryption

        My bet would be a modified version of 3):
        Send a team to install a snooper on the computer, hack the computer or install an ex situ device to monitor the computer or several of the above to have some redundance. Preferably it is done with a warrent, but the point is that if the computer is turned on, it is possible to monitor the activity on it, whether it is online or not. Encryption may help with the online surveillance programs, but the computer will always be possible to gain access to through FBI/CIA if they really want to spend the money on it...

        link to this | view in chronology ]

        • icon
          Uriel-238 (profile), 7 Jul 2014 @ 11:59am

          Re: Re: Re: encryption

          This.

          It's why we need false-bottom encryption devices as well as ones that can break themselves with a burn password.

          link to this | view in chronology ]

    • icon
      Uriel-238 (profile), 7 Jul 2014 @ 11:21am

      Re: encryption

      A general notion with encryption is that the enemy is going to figure out the method. The keys have to be secure, even if the method is compromised.

      There are a lot of companies that try to hide their encryption algorithms on the notion that the process won't be discovered. It will. It is. Always.

      Better to use an encryption method that is known, in common use and has proven to be expensive to crack.

      link to this | view in chronology ]

  • icon
    ThatFatMan (profile), 7 Jul 2014 @ 6:55am

    Maybe he didn't have access to that data. Lets not forget that he talked to people about how the public would feel to learn about these programs, etc. Maybe he had help and he is trying to protect those persons that helped him.

    While it may sounds like what I am saying is that the NSA mouths aren't lying to us after all, what I am really saying is that maybe they really will never have any idea what he actually took or had access to indirectly. They may very well have a much larger problem on their hands than they realize at NSA. Snowden could be the tip of the ice-burg.

    link to this | view in chronology ]

  • icon
    xz11111000000 (profile), 7 Jul 2014 @ 7:06am

    It gets even better ... NSA did not "lie"

    Via Kevin Drum at Mother Jones:

    Naturally the NSA has an explanation:
    Robert S. Litt, the general counsel for the Office of the Director of National Intelligence, said in a prepared statement that Alexander and other officials were speaking only about "raw" intelligence, the term for intercepted content that has not yet been evaluated, stamped with classification markings or minimized to mask U.S. identities.
    “We have talked about the very strict controls on raw traffic..." Litt said. “Nothing that you have given us indicates that Snowden was able to circumvent that in any way.”

    Silly intelligence committee members. They should have specifically asked about access to processed content.


    You would think by now NSA would be tired of looking foolish.

    link to this | view in chronology ]

    • identicon
      David, 7 Jul 2014 @ 7:50am

      Re: It gets even better ... NSA did not "lie"

      Yeah, so the NSA just needed to "qualify" their previous statements.

      Snowden did not tap the raw traffic. Great. I can actually believe that since routing the Internet through Hawaii would likely have led to noticeable slowdowns.

      In order to obviate the need for further requalifications, let me propose a qualification for all of the NSA officials' statements so far that is not likely to require further revisions:

      "Bullshit". After some deliberation, I am willing to also profer the option "Hornswoggle".

      link to this | view in chronology ]

      • identicon
        Anonymous Coward, 7 Jul 2014 @ 7:59am

        Re: Re: It gets even better ... NSA did not "lie"

        Also, realize that the ODNI also redefined the word "lie" to not include the "least untruthful answers" to direct questions from members of Congress.

        link to this | view in chronology ]

    • icon
      Uriel-238 (profile), 7 Jul 2014 @ 11:27am

      Re: It gets even better ... NSA did not "lie"

      The problem with an agency not being direct and open is that it kills any trust that was previously had in that agency.

      By NSA agents responding to deposition questions evasively, it presents evidence that they have no intention of giving direct, truthful answers, and that implies that they are operating beyond what would be acceptable parameters for such an agency, were those parameters made public.

      We cannot ever trust the NSA again. We may not be able to trust any future NSA-like state entity again.

      link to this | view in chronology ]

  • icon
    Coyne Tibbets (profile), 7 Jul 2014 @ 7:08am

    Which database?

    Alexander insists that Snowden didn't have access to the database. Maybe he was right: Maybe Snowden had access to A database, but not THE database Alexander was thinking of.

    So maybe Snowden's revelation is just the tip of the iceberg. (As usual.)

    Also, remember the disclosure last week that they were using first order contacts of targets as targets. Therefore, the correct total above (using the 9:1 ratio) is 89000x9x9, or 7.2 million people...and that was just the one request.

    link to this | view in chronology ]

    • identicon
      Anonymous Coward, 7 Jul 2014 @ 2:35pm

      Re: Which database?

      His words are likely meant to represent a lobbyists work to signal that NSA can handle their stuff, keep stopping legislation to improve oversight!

      As usual the comments from NSA are not well-formulated and the problematic part is mainly that they seem to err on the side of security through obscurity and try to hide even completely unproblematic details in much broader terms to make people think they do more and better work than is really happening. It is basic hoodwinking, but these kinds of misleading lobbyist answers are apparently not illegal since clarification can make them into non-lies...

      link to this | view in chronology ]

  • identicon
    Anonymous Coward, 7 Jul 2014 @ 7:15am

    it seems pretty damn clear that the NSA has no idea if anyone else took that same data as well -- or if they have been abusing the same access for more nefarious purposes (espionage, blackmail, you name it)


    We already know they have. Remember those articles about "LOVEINT"? That's basically stalking in some cases.

    The only question is what else they've abused the access for.

    link to this | view in chronology ]

  • icon
    Padpaw (profile), 7 Jul 2014 @ 7:17am

    Dissent is terrorism in the new Amerika. You need to be blindly loyal to the regime otherwise your labeled a possible threat to them for having the audacity to think for yourself.

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 7 Jul 2014 @ 8:09am

    children and dinosaurs

    The techs working for the NSA look more and more like little children with a toy rather that an actual hero for protecting us from evil.

    Their employers look like dinosaurs with no clue what is going on.

    link to this | view in chronology ]

    • icon
      John Fenderson (profile), 7 Jul 2014 @ 8:28am

      Re: children and dinosaurs

      This. Issues around domestic spying aside, I am utterly amazed at the lack of professionalism that the leaked documents have revealed. It looks for all the world like the NSA just went out and hired a bunch of script kiddies. Even if there were no constitutional issues with the programs, this would be enough of a reason to scream for reform.

      link to this | view in chronology ]

    • identicon
      Mr. Oizo, 7 Jul 2014 @ 8:38am

      Re: children and dinosaurs

      yeah, they sound like Google engineers who actually don't know they are creating shit for the NSA.

      link to this | view in chronology ]

    • identicon
      David, 7 Jul 2014 @ 9:07am

      Re: children and dinosaurs

      more like little children with a toy rather that an actual hero

      Red herring. Heroism is not in the job description for NSA snoopers. Do they even have field agents of their own? Their job is to provide intelligence that will be used for killing people.

      That's not heroism. It is the ultimate in institutionalized cowardice.

      link to this | view in chronology ]

  • identicon
    David, 7 Jul 2014 @ 9:17am

    When are we going to hear the following?

    "While the U.S. constitution and human rights are not explicitly targeted for elimination, they are not merely within two hops of terrorists but are indeed actively aiding and abetting enemies of the United States. Consequently we are not willing to take any measures preventing those traitors from becoming collateral damage in targeted operations."

    Because that's what this is actually about.

    link to this | view in chronology ]

    • icon
      Jack Of Shadows (profile), 8 Jul 2014 @ 7:25pm

      Re: When are we going to hear the following?

      Sadly, when this happens the terrorists have won. That was their goal from the outset, to so change our society we are more than willing to finish the destruction ourselves.

      link to this | view in chronology ]

  • icon
    sorrykb (profile), 7 Jul 2014 @ 9:17am

    quick wording question

    Meanwhile, the very same NSA attackers who insisted that Snowden didn't have access

    Should "attackers" be "defenders" in that sentence? (Or maybe "attack dogs"?)

    link to this | view in chronology ]

  • icon
    MarcAnthony (profile), 7 Jul 2014 @ 10:12am

    Protest

    US citizens have no representation in this matter, because it's unlikely your congressperson is privy to the details of the affairs of the NSA or the secret court that enables it. Remember what the founders did when they felt they lacked representation? Rightly, US citizens—and everyone else caught up in this illegal dragnet surveillance—should be dumping something in a harbor. This upcoming September 11th would be a great day to protest with a march on your respective capitals. Without displays of unrest, we're just going to continue to see our rights erode.

    "We know through painful experience that freedom is never voluntarily given by the oppressor; it must be demanded by the oppressed." – Martin Luther King, Jr.

    link to this | view in chronology ]


Follow Techdirt
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Discord

The latest chatter on the Techdirt Insider Discord channel...

Loading...
Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.