DOJ Blurred Lines Between Terrorism & Crime To Expand NSA & FBI Warrantless Wiretapping Of 'Hackers'

from the whatever,-it's-all-the-same dept

Thu, Jun 4th 2015 11:54am — Mike Masnick

This week, of course, the US government passed the USA Freedom Act, a modest step towards reform. As we've noted, it doesn't even touch on two of the more concerning surveillance authorities: Executive Order 12333 and Section 702 of the FISA Amendments Act, which includes the infamous "warrantless wiretapping" programs that allow the NSA to tap "upstream" fiber optic cables from AT&T and others to sniff all data traveling across those cables.

Pro Publica and the NY Times have teamed up to report on how the DOJ expanded the warrantless wiretapping regime to go after hackers. There's a lot to unpack in the story (which is well worth reading), but the short version is that, under pressure from the White House, NSA and others, officials appear to have deliberately blurred the lines between "crime" and "international terrorism" in order to get the DOJ to sign off on secret legal orders allowing the NSA and the FBI to use its "upstream" snooping capabilities to monitor certain "cybersecurity signatures" which include basically anything the feds want, to sniff out a hacker. From the revealed documents (which, yes, come from Ed Snowden's cache):

If you can't see that, the key line is:

The Certification will also for the first time spell out the authorization for targeting cyber signatures such as IP addresses, strings of computer code, and similar non-email or phone number-based selectors.

In short: the government said, "okay, you can now sniff that upstream firehose for hackers based on whatever "code snippets" or "IP addresses" we give you."

Of course, this raises some questions about the split between domestic law enforcement and international anti-terrorism/foreign intelligence work. Remember, the 702 upstream program is pretty specific in that it's only to be used for non-domestic, non-criminal work. But, according to the White House, those distinctions no longer matter:

“Reliance on legal authorities that make theoretical distinctions between armed attacks, terrorism and criminal activity may prove impractical,” the White House National Security Council wrote in a classified annex to a policy report in May 2009, which was included in the NSA’s internal files.

Yes, apparently, it's "impractical" for the surveillance state to actually follow the law.

The documents also reveal that they really wanted access to that sweet, sweet upstream firehose, because much more limited programs like PRISM (which involve court orders to certain internet companies) didn't provide enough coverage:

Then, to take things a step further, the government allowed the FBI direct access to the NSA's upstream collection, even though the FBI doesn't have the same limits against surveillance on Americans that the NSA has. Why? Basically, the argument appears to be "well, the NSA already has that data... so... let's give it to the FBI as well":

The documents do contain and interesting slide presentation about how and when certain capabilities can be used, including a slide dedicated to repeating the 4th Amendment, and another with a note saying that the "worst thing" the NSA can do is to use its signals intelligence capabilities "to collect against a [US Person] hacker" because doing so is "basically doing surveillance for [law enforcement] purpose without a warrant." So, at the very least, they understand the law, but it's not at all clear that they follow it:

And, in fact, later in that same presentation, it notes that the NSA's Threat Operations Center (NTOC) wants more power to target "foreign hackers outside the US" without having to prove as much: "Because attribution is hard, just having to prove foreigness and an FI purpose is especially useful to NTOC."

According to the Pro Publica / NY Times report, the NSA sought more and more permission here, though it's not clear what has actually been granted:

In May and July 2012, according to an internal timeline, the Justice Department granted its secret approval for the searches of cybersignatures and Internet addresses. The Justice Department tied that authority to a pre-existing approval by the secret surveillance court permitting the government to use the program to monitor foreign governments.

That limit meant the NSA had to have some evidence for believing that the hackers were working for a specific foreign power. That rule, the NSA soon complained, left a “huge collection gap against cyberthreats to the nation” because it is often hard to know exactly who is behind an intrusion, according to an agency newsletter. Different computer intruders can use the same piece of malware, take steps to hide their location or pretend to be someone else.

So the NSA, in 2012, began pressing to go back to the surveillance court and seek permission to use the program explicitly for cybersecurity purposes. That way, it could monitor international communications for any “malicious cyberactivity,” even if it did not yet know who was behind the attack.

The newsletter described the further expansion as one of “highest priorities” of the NSA director, Gen. Keith B. Alexander.

Remember all of this when you see the government asking for new "cybersecurity" laws -- which all too frequently are ways of granting the NSA and/or FBI greater powers to do surveillance via these upstream collections. As The Intercept points out, during the big debates on cybersecurity over the last few years, the NSA has insisted that it doesn't have access to this kind of information, and almost every debate on the power of upstream collection by the NSA and others has been based on claims by the intelligence community that they only use unique identifiers like email addresses -- and not very, very broad identifiers like an IP address or "computer code."

There's a lot more in the full article and in the released documents which you can see below.

Cyber Surveillance Documents (PDF)Cyber Surveillance Documents (Text)

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: 702, cybersecurity, fbi, fisa, hacking, nsa, surveillance, upstream, upstream collection, warrantless wiretapping

20 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

Anonymous Anonymous Coward, 4 Jun 2015 @ 12:03pm

Unique Identifiers, IP addresses
Like those who all have the same IP address from the same VPN?

Craigslist won't let me on when I have my VPN turned on, and I have never done anything there except look at ads, so it is my VPN IP address that they look at, and deny me. Therefore, those few times I really want to look at Craigslist ads, I turn my VPN off for a half hour or so.
[ link to this | view in chronology ]
- Anonymous Coward, 4 Jun 2015 @ 2:07pm
  
  Re: Unique Identifiers, IP addresses
  Which means in theory you could get a tracker (f.e. cookie) that identifies you on other sites and that makes the vpn useless because the cookie is linked to your IP and if they read the cookie they read your IP.
  Congrats, you just wasted money on a useless VPN ; )
  [ link to this | view in chronology ]
  - Anonymous Anonymous Coward, 4 Jun 2015 @ 2:25pm
    
    Re: Re: Unique Identifiers, IP addresses
    Maybe, but I don't use it to hide my IP address, that is just another feature of such services, and as I noted, because of other bad actors a failure of such services.
    
    Oh, and cookies, I wipe all of those out with an irregular regularity.
    [ link to this | view in chronology ]
    - Anonymous Coward, 4 Jun 2015 @ 3:21pm
      
      Re: Re: Re: Unique Identifiers, IP addresses
      Are you sure you can erase all cookies? In theory someone could get "in front" of the site and add some stuff via mitm that isn't deleted so easily.
      
      I wouldn't call it failure of such services because the service still works but the site decides to block them. So imho it is a failure of the site. But I guess both points of view have good arguments.
      
      And I guess if you don't use it to mask your IP and only for other stuff like i.e. IP blocks then it's nothing you have to worry about but for people who do it's just a reminder that even a short time of using a real IP can breach security.
      [ link to this | view in chronology ]
      - Anonymous Coward, 5 Jun 2015 @ 3:25am
        
        Re: Re: Re: Re: Unique Identifiers, IP addresses
        Yes you can manually delete all of your cookies in a dozen different ways. but there's just as many ways to manage your cookies (so only the cookies you want are recieved and updated) but most people are ignorant to the methods...
        [ link to this | view in chronology ]
- Anonymous Coward, 4 Jun 2015 @ 4:37pm
  
  Re: Unique Identifiers, IP addresses
  Why not just use TorBrowser for Craigslist? You can keep switching IPs until you get one it doesn't block :)
  [ link to this | view in chronology ]
  - Anonymous Anonymous Coward, 4 Jun 2015 @ 5:23pm
    
    Re: Re: Unique Identifiers, IP addresses
    It is a matter of convenience. Your way, close browser, start the Tor hive thingy, open Torbrowser and when finished shut all those down and open regular browser again.
    
    My way, open router page, click on Tunneling client, click stop, and when finished click start and then click log out of router.
    
    Both methods would require that I log into my PasswordSafe. The fact that my VPN is on the router rather than desktop software helps a lot, including offloading encrypt/decrypt functions to a different cpu.
    [ link to this | view in chronology ]
Anonymous Coward, 4 Jun 2015 @ 12:05pm

"Democratic" governments lately: "It's so impractical to follow the Constitution or the Human Rights Act! It would make our jobs so much easier if we didn't have to follow those..."
[ link to this | view in chronology ]
Jason, 4 Jun 2015 @ 12:16pm

“Reliance on legal authorities that make theoretical distinctions between armed attacks, terrorism and criminal activity may prove impractical,” the White House National Security Council wrote in a classified annex to a policy report in May 2009, which was included in the NSA’s internal files.

Yes, apparently, it's "impractical" for the surveillance state to actually follow the law.
And apparently the difference between an armed attack, terrorism, and criminal activity is only "theoretical".
[ link to this | view in chronology ]
- Anonymous Coward, 4 Jun 2015 @ 2:34pm
  
  Re:
  Stupid consumers thinking they still have rights. How dare they get mad at us for spying on them. Don't they know we could arrest everyone just on the already stored information on them? Next thing you know, they are going to want to actually hold us accountable for what we do with our secret powers.
  [ link to this | view in chronology ]
Anonymous Coward, 4 Jun 2015 @ 12:43pm

So Raise your Hand...
If you didn't see this coming?

I mean the slippery slope folks fell all over themselves screaming about it.
[ link to this | view in chronology ]
- That One Other Not So Random Guy, 4 Jun 2015 @ 2:57pm
  
  Re: So Raise your Hand...
  Yes but they were labeled "Conspiracy Theorists" and no one listened. Looks like we need MORE tinfoil hats not less.
  [ link to this | view in chronology ]
Anonymous Coward, 4 Jun 2015 @ 1:04pm

Hmm, This is definitely a bit troubling. As an IT person, I in fact do have services in the US and also abroad which I use for multiple purposes including Pen testing my own systems. Basically, if I use my TATA communications account in India, my OVH server in France, or perhaps even my AWS account in Ireland to run metasploit, I guess that I'm now an international terrorist. Sadly, perhaps if some of the companies had performed some of these tests, there wouldn't be as many successful hacks that are seen today, or at least could have been minimized through proper IDS detection.
[ link to this | view in chronology ]
Guardian, 4 Jun 2015 @ 1:06pm

fellow humans of earth....
fellow humans of earth

STOP DOING BUSINESS WITH THE UNITED FACIST STATES OF AMERICA AND DO NOT FORGET COPS KILLED 9 BIKERS IN WACO AND ARE COVERING IT UP THAT THE SHOT HUNDREDS OF ROUNDS AT THEM ALL.
[ link to this | view in chronology ]
- Anonymous Coward, 4 Jun 2015 @ 1:32pm
  
  Re: fellow humans of earth....
  Sorry, the propaganda article is the one below this one.
  [ link to this | view in chronology ]
- That One Other Not So Random Guy, 4 Jun 2015 @ 2:53pm
  
  Re: fellow humans of earth....
  Engrish much Comrade?
  [ link to this | view in chronology ]
Anonymous Coward, 4 Jun 2015 @ 1:13pm

It has been pretty clear that the current tyrants behind the last several decades of US government policies consider anyone that is not 100% for whatever choices the government makes is considered a terrorist.

When you consider DHS and the FBI teaching people that the founding fathers were terrorists that should be hated and reviled instead of respected and revered
[ link to this | view in chronology ]
Anonymous Coward, 4 Jun 2015 @ 3:21pm

Computer Code
I've head that terrorists have used Microsoft Windows in the past. So, someone using Windows on the internet could be a terrorist.

Yeah, I see how that works.
[ link to this | view in chronology ]
orbitalinsertion (profile), 5 Jun 2015 @ 12:44am

For some reason, I see all the leaked document snippets as being written in Comic Sans.
[ link to this | view in chronology ]
Anonymous Coward, 5 Jun 2015 @ 4:34am

Unique code and strings?

If obliviously glancing over some lines of code can be used in any judicial or executive process, this could be blatantly misused.
"Your honor he haxxored 'printf('Hello World!');' just like the infamous 4chan the he surely must be, so please find him guilty and his possessions too"

Copy&paste should be suspicous, as you could easily frame other people.
[ link to this | view in chronology ]