NSA Was Concerned About Power Of Windows Exploit Long Before It Was Leaked

from the and-still-nothing-until-the-last-minute dept

The NSA's exploit toolkit has been weaponized to target critical systems all over the world. So much for the debate over the theoretical downside of undisclosed vulnerabilities. (It also inadvertently provided the perfect argument against encryption backdoors.) The real world has provided all the case study that's needed.

It appears the NSA finally engaged in the Vulnerabilities Equity Process -- not when it discovered the vulnerability, but rather when it became apparent the agency wouldn't be able to prevent it from being released to the public. What's happened recently has been devastating and Microsoft -- whose software was targeted -- has expressed its displeasure at the agency's inaction.

Maybe the agency will be a bit more forthcoming in the future. Ellen Nakashima and Craig Timberg of the Washington Post report former NSA employees and officials had concerns about the undisclosed exploit long before the Shadow Brokers gave it to the world.

When the National Security Agency began using a new hacking tool called EternalBlue, those entrusted with deploying it marveled at both its uncommon power and the widespread havoc it could wreak if it ever got loose.

Some officials even discussed whether the flaw was so dangerous they should reveal it to Microsoft, the company whose software the government was exploiting, according to former NSA employees who spoke on the condition of anonymity given the sensitivity of the issue.

Officials called it "fishing with dynamite." The exploit gave the NSA access to so much on compromised computers, the agency obviously couldn't bear the thought of voluntarily giving up such a useful hacking tool. But when it was first deployed, some inside the agency felt the vulnerability might be too powerful to be left undisclosed.

But there were plenty of others who viewed disclosure as "disarmament." Somehow, despite three straight years of leaked documents, the NSA still felt it had everything under control. The Shadow Brokers NSA exploit auction made it clear the NSA was no better at securing its software stash than it was at keeping thousands of internal documents from wandering out the door.

The only upshot is the NSA has now witnessed what kind of damage its exploits can do in the wrong hands. Since the agency cannot possibly ensure this sort of thing won't happen again, the question now is how much of other people's security is the agency willing to sacrifice in the name of national security?

The NSA appears to believe it handled this as well as it could given the circumstances, but the outcome could have so much worse. The chain of events leading to the NSA's eventual disclosure helped minimize the collateral damage. It has very little to do with the steps the NSA took (or, more accurately, didn't take).

What if the Shadow Brokers had dumped the exploits in 2014, before the [US] government had begun to upgrade software on its computers? What if they had released them and Microsoft had no ready patch?

There's your intelligence community nightmare fuel. Had the vulnerability managed to take down US government hardware and software, the NSA would be facing even more criticism and scrutiny that it already is.

The NSA appears to only disclose vulnerabilities when forced to. It may possibly hand over those it finds to be of limited use. Former NSA head Keith Alexander says the agency turns over "90%" of the vulnerabilities it discovers, but that percentage seems inflated. The NSA spent years as "No Such Agency." It's only been the last four years that it's been forced to engage in more transparency and accountability, so it's tough to believe it's spent years proactively informing affected companies about the flaws in their products.

In any event, the NSA's second-guesswork will have do for now. Some legislators are hoping to shore up the vulnerabilities reporting process, but it's likely by the time it heads for the Oval Office desk, it will be riddled with with enough national security exceptions to make it useless. With the Shadow Brokers hinting they still have more dangerous exploits to release (including one affecting Windows 10), the decision to disclose these vulnerabilities will once again be informed by the NSA's inability to keep its hacking tools secure, rather than any internal examination of its hoarder mentality.

Filed Under: exploits, leaks, nsa, vep, vulnerabilities, vulnerabilities equities program, wannacry

Inspector General's Report Shows Section 702 Isn't The Only Thing Being Abused By The NSA

from the does-the-NSA-even-understand-the-concept-of-'internal-controls?' dept

There's more than Section 702 up for renewal at the end of this year. Most of the attention has been focused on Section 702 because it's used most frequently for internet communications and data collections. Not only does the NSA make use of this collection, but other agencies (FBI, CIA) are allowed unminimized access to NSA 702 data stores. With this many agencies reliant on NSA communications interception, the sales pitches have been focusing on this particular authority.

But there are other surveillance authorities under Title VII: Sections 704 and 705, which allow the NSA to target US persons located outside of the country. The numbers put up by these sections aren't as impressive as Section 702's (~3,000 selectors for 151 million records), but 704/705 isn't supposed to result in incidental collection. It's a US spy agency actively spying on US citizens.

According to Marcy Wheeler, these collections only target about 80 people. But protections for US citizens aren't supposed to evaporate just because they've travelled out of the country. Agencies seeking to use these authorities must obtain a FISA court order to collect communications and data. Section 704 covers new requests for collections and Section 705 allows for "streamlined" requests/renewals for orders covering US persons already targeted by the agency.

The NSA may be compliant in terms of obtaining court orders, but the 2016 Inspector General's report [PDF] released last week shows the agency has done almost nothing to prevent abuse of its collections.

At the time of our review, the Agency could not reliably identify queries performed using selectors associated with FAA 704 and 705(b) targets because the SIGINT databases did not uniformly send records in the correct format to [REDACTED] (NSA's SIGINT auditing and logging system).

[...]

We identified [REDACTED] queries that were not compliant with the FAA 704 and 705(b) targeting and minimization procedures. [LONG REDACTION] We identified another [REDACTED] queries that were performed outside the targeting authorization periods in E.O. 12333 data, which is prohibited by the E.O. 12333 minimization procedures. We also identified [REDACTED] queries performed using USP slectors in FAA 702 upstream data, which is prohibited by the FAA 702 minimization procedures.

According to the NSA, the problem is its own software. These collections are obtained beforehand. The FISA orders only limit what analysts can search for in the collected data. Everything apparently funnels into one big pile, and it's up to analysts to search according to the controlling statute (702, 704, 705, or Executive Order 12333). The problem is the NSA's system immediately gives access to "all authorities to which analysts are entitled access." Someone who's supposed to be performing a more limited search under 704 may not take steps to remove 702 collections from the queried data or add the limiters needed to ensure proper minimization of US persons' communications.

That's already a terrible way to handle the querying of NSA collections. The default is everything, and affirmative, unprompted steps must be taken by analysts to ensure their queries are lawful. Making it worse is the issue the IG first mentioned: the NSA has no system for tracking possibly-prohibited searches.

Then there's this wrinkle in the statutory authorities the NSA seems unable to comply with: the NSA cannot engage in domestic surveillance so its targeting of US persons overseas must end when the US person arrives back on US soil. Possible violations of this nature were, again, not being tracked by the NSA.

FAA 704 and 705(b) targeting and minimization procedures prohibit targeting USPs while they are in the United States. Although the Agency is not required to document [REDACTED], maintaining these records is important for securing compliance with the targeting and minimization procedures.

The upshot of this report is that the NSA has probably engaged in wholly domestic surveillance thanks to lax recordkeeping and its all-access internet communications haystack. Having to get permission from the FISA court to search collected records is an important step, but it's completely meaningless when analysts are given full access to data stores under multiple authorities and expected to "opt out" of potentially unlawful searches.

As Marcy Wheeler points out in her post about 704/705 violations, the NSA is a "dumpster fire of noncompliance." She points to a just-released opinion by FISC judge Rosemary Collyer, in which the judge notes the NSA's new 704/705 search tool (put in place in 2012) resulted in far more violations than approved searches.

NSA examined all queries using identifiers for “U.S. persons targeted pursuant to Sections 704 and 705(b) of FISA using the tool [redacted] in [redacted] . . . from November 1, 2015 to May 1, 2016.” Id. at 2-3 (footnote omitted). Based on that examination, “NSA estimates that approximately eighty-five percent of those queries, representing [redacted] queries conducted by approximately [redacted] targeted offices, were not compliant with the applicable minimization procedures.” Id. at 3. Many of these non-compliant queries involved use of the same identifiers over different date ranges. Id. Even so, a non-compliance rate of 85% raises substantial questions about the propriety of using of [redacted] to query FISA data. While the government reports that it is unable to provide a reliable estimate of the number of non-compliant queries since 2012, id., there is no apparent reason to believe the November 2015-April 2016 period coincided with an unusually high error rate.

In other words, the tool was broken from the moment it was introduced and very likely resulted in four out of every five searches being noncompliant over that four-year period. This is the sort of thing that will be glossed over during the run up to renewal, with the NSA touting its multiple layers of oversight and rigorous self-reporting as reasons it should be given extended permission to engage in future noncompliance.

Filed Under: inspector general, nsa, section 702, surveillance

Latest FISA Court Order Details Why NSA Didn't Get Any 702 Requests Approved Last Year

from the hint:-a-datacenter's-worth-of-noncompliance dept

The latest document dump by the Office of the Director of National Intelligence (ODNI) -- which contains several documents pried loose by an ACLU FOIA lawsuit -- explains why the NSA ran through the entirety of 2016 without an approved Section 702 request from the FISA court. The short answer is a whole lot of noncompliance. So's the long answer:

After submitting its 2016 Certifications in September 2016, the Department of Justice and ODNI learned, in October 2016, about additional information related to previously reported compliance incidents and reported that additional information to the FISC. The NSA also self-reported the information to oversight bodies, as required by law. These compliance incidents related to the NSA’s inadvertent use of U.S. person identifiers to query NSA’s “upstream” Internet collection acquired pursuant to Section 702.

Pursuant to statutory requirements, the FISC was required to complete its review of the 2016 Certifications within 30 days of submission. See 50 U.S.C. § 1881a(i)(1)(B). Thus, the FISC had until October 26, 2016, to issue an order concerning the 2016 Certifications. However, after the October 2016 report to the FISC regarding improper queries, the FISC twice extended its time to consider the 2016 Certifications – first until January 31, 2017, and then until April 28, 2017 – in order to receive additional information about the compliance incidents and the Government’s plan to address them. See April 2017 Opinion at 3-4. The previous year’s certifications remained in effect during these extension periods.

Of note here is the fact that the court allowed 2015's certifications to remain in place despite even more reports of noncompliance by the NSA. Section 702 has been steadily abused, inadvertently or deliberately, since its inception in 2008 as part of the FISA Amendments Act.

Because the court was extremely hesitant to approve new searches under this authority, the agency apparently undertook a comprehensive overhaul of the program. The end result was the shutdown of the "about" collection -- an upstream dragnet for email communications that tended to grab a bunch of US persons' communications -- ones the NSA supposedly couldn't figure out how to separate from its non-domestic data.

The latest FISC opinion [PDF] -- roughly a month old at this point -- finally gives the NSA a 702 court order it can include in its next transparency report. The opinion doesn't spend much time chastising the agency for its long-running compliance issues but at least provides more examples of how little the NSA has done to prevent internal abuse of its collections. This abuse also includes the FBI, which has access to the NSA's raw, unminimized 702 data.

Since 2011, minimization procedures have prohibited use of U.S.-person identifiers to query the results of upstream Internet collection under Section 702. The October 26, 2016 Notice informed the Court that NSA had been conducting such queries in violation of that prohibition, with much greater frequency than had previously been disclosed to the Court… The government reported that the NSA IG and OCO were conducting other reviews covering different time periods, with preliminary results suggesting that the problem was widespread during all periods under review.

At the October 26, 2016 hearing, the Court ascribed the government's failure to disclose those IG and COO reviews at the October 4, 2016 hearing to an institutional "lack of candor" on part and emphasized that "this is a very serious Fourth Amendment issue."

Some of the compliance issues could be traced back to the NSA's querying system, which seemed built to ensure as many compliance issues as possible.

The January 3, 2017 Notice stated that "human error was the primary factor" in these incidents, but also suggested that system design issues contributed. For example, some systems that are used to query multiple datasets simultaneously required to "opt-out" of querying Section 702 upstream Internet data rather than requiring an affirmative "opt-in," which, in the Court's view, would have been more conducive to compliance.

The report also details further issues with the NSA and its data-sharing, including a heavily-redacted retelling of compliance issues at the FBI concerning dissemination of unminimized US persons' info (including to government contractors). While steps have now been put in place to prevent a recurrence, the court notes the government has routinely dragged its feet providing notice of misuse of surveillance databases.

Too often, however, the government fails to meet its obligation to provide prompt notification to the FISC when non-compliance is discovered. For example, it is unpersuasive to attribute -- even "in part" -- an eleven-month delay in submitting a preliminary notice to efforts to develop remedial steps… when the purpose of a preliminary notice is to advise the Court while investigation or remediation is still ongoing… The Court intends to monitor closely the timeliness of the government's reporting of non-compliance regarding Section 702 implementation.

And so it goes for 99 pages. Multiple compliance violations, multiple promises to do better next time by the government, and a handful of mild admonitions by the FISA judge. The most useful thing to come of this is the voluntary step the NSA took to end its "about" collection program, thus narrowing the number of incidentally-collected US persons' communications. While the court approves of this move, its approval means very little should the NSA decide to revive the program. Considering its lengthy run of compliance issues, it seems unlikely the agency will be in any hurry to defend a rollback of its rollback in a court that's heard about nothing but misuse and abuse of domestic communications for most of the last decade.

Filed Under: abuse, fisa court, fisc, nsa, section 702, surveillance

Microsoft Is PISSED OFF At The NSA Over WannaCry Attack

from the as-it-should-be dept

So, for about a day, Microsoft followed the usual course of action concerning the WannaCry malware that made the rounds last week. As we noted, this ransomware/attackware was built off some leaked NSA exploit code utilizing a vulnerability in Microsoft Windows... that the NSA failed to tell Microsoft about. Microsoft had actually patched it a few weeks prior to the code leaking online via Shadow Brokers, but, still... the NSA is supposed to disclose most of these vulnerabilities, rather than hold them for offensive use (that's the theory, at least).

Microsoft did its standard "no comment" bit for a day or so, but then on Sunday, its President and Chief Legal Officer let loose on the NSA for its failures that resulted in all of this happening. First, it officially confirmed what people were saying about the code being built off of leaked NSA code:

The WannaCrypt exploits used in the attack were drawn from the exploits stolen from the National Security Agency, or NSA, in the United States.

The post does a good job discussing what Microsoft is doing about this and what it means, but then has this:

Finally, this attack provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem. This is an emerging pattern in 2017. We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world. Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage. An equivalent scenario with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen. And this most recent attack represents a completely unintended but disconcerting link between the two most serious forms of cybersecurity threats in the world today – nation-state action and organized criminal action.

The governments of the world should treat this attack as a wake-up call. They need to take a different approach and adhere in cyberspace to the same rules applied to weapons in the physical world. We need governments to consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits. This is one reason we called in February for a new “Digital Geneva Convention” to govern these issues, including a new requirement for governments to report vulnerabilities to vendors, rather than stockpile, sell, or exploit them. And it’s why we’ve pledged our support for defending every customer everywhere in the face of cyberattacks, regardless of their nationality. This weekend, whether it’s in London, New York, Moscow, Delhi, Sao Paulo, or Beijing, we’re putting this principle into action and working with customers around the world.

Whatever you might think of Microsoft and privacy and such, in the last few years (in part thanks to Smith's focus on this), it has been really good about pushing back on government surveillance and interference. This blog post seems to be the next step in that effort. I'm sure that plenty of readers here have a reflexive dislike of Microsoft (no need to express it in the comments, we know already), but the company has been taking a strong stand against excessive surveillance and other efforts to weaken the public's security. Calling out the failures of the intelligence community in not disclosing these kinds of vulnerabilities is another good step, and it's good to see Microsoft make such a clear statement on it.

Filed Under: exploits, nsa, ransomware, vep, vulnerabilities equities program, wannacry
Companies: microsoft

NSA Boss: Section 702 Should Be Renewed Because It Helped Prove Russia Hacked Election

from the pay-no-attention-to-the-abuses-and-violations dept

The push for a smooth Section 702 renewal continues. The never-not-abused surveillance program has received some vocal support in recent weeks. Former FBI Director James Comey's Senate testimony began with his praise for Section 702, despite there being about a million investigation-related questions Senators were dying to hear answers to.

Any opening will do for promoting the NSA's internet-based collections, even with the agency voluntarily shutting down its upstream email collection because it just couldn't stop sweeping up (and searching) domestic communications. Such is the case here, with NSA boss Admiral Mike Rogers aiming to remain the commander of oceans of internet data/communications (some of it gathered under actual oceans!) for the foreseeable future. The selling point here is the popular Jeopardy category CURRENT EVENTS.

"I would highlight much, not all, much of what was in the intelligence community's assessment, for example, on the Russian efforts against the U.S. election process in 2016, was informed by knowledge we gained through (Section) 702 authority," Rogers said.

Rogers said allowing the statute to expire on Dec. 31, unless Congress votes to reauthorize it, would degrade U.S. intelligence agencies' ability to provide "timely warning and insight" on a variety of criminal and national security threats.

There is little doubt the 702 program provides all the things Rogers says it does. How could it not? The program pulls millions of communications directly from internet backbones, in addition to what it gathers with the help of service providers. It also gathers plenty of US persons' communications, the recent culling of the "about" collection notwithstanding. And it gathers tons of useless communications because that's just how the collection works: the collection continues regardless. FISA court orders just narrow the searches analysts can perform.

Even with a pro-surveillance president and a controlling party that's shown little interest in pushing back against the administration, the Section 702 renewal process isn't going to go as smoothly as the NSA (and FBI) would hope. Too many documents have been leaked and the NSA has been caught abusing the program far too often. Sure, it's great the program helped track down evidence of politically-motivated hacking, but no one has ever argued the program is useless. They've argued it violates privacy and civil liberties in bulk and no amount of "usefulness" changes that fact.

Filed Under: admiral mike rogers, nsa, renewal, russia, section 702

Leaked NSA Hacking Tool On Global Ransomware Rampage

from the who-trusts-the-nsa? dept

Welp. What was that we were saying about the problems of the NSA creating hacking tools that leak, rather than helping patch security flaws? Oh, right. That it would make everyone less safe.

And here we are. With a global ransomware rampage, referred to as "WannaCry" putting tons of people at risk, thanks to leaked NSA malware:

Leaked alleged NSA hacking tools appear to be behind a massive cyberattack disrupting hospitals and companies across Europe, Asia and the U.S., with Russia among the hardest-hit countries.

The unique malware causing the attacks — which been spotted in tens of thousands of incidents in 99 countries, according to the cyber firm Avast — have forced some hospitals to stop admitting new patients with serious medical conditions and driven other companies to shut down their networks, leaving valuable files unavailable.

Specifically, it appears that the ransomware is using an NSA tool called ETERNALBLUE, which was leaked in April by Shadow Brokers. This was among those that were quietly patched by Microsoft back in March, but not everyone installs security patches in a timely manner. Indeed, as some are reporting, some of the victims -- including the National Health Service Hospitals in the UK -- are running ancient Windows XP, an operating system that is not even remotely secure, and is no longer supported.

Thus, there's some debate online about whether the "problem" here is organizations who don't upgrade/patch or the NSA. Of course, these things are not mutually exclusive: you can reasonably blame both. Failing to update and patch your computers is a bad idea these days -- especially for large organizations with IT staff who should know better.

At the same time, the fact that this hack is built off of a leaked NSA hacking tool highlights a couple of key points:

1. The NSA's dual-hatted offensive & defensive structure is damaging: The NSA plays both offense and defense on computer security. That is, it is supposed to hack into other systems, but also help protect our systems. But it's quite clear that the offensive capabilities are valued much more than the defensive ones -- and that's a problem. Once again, it appears that people in the intelligence community are not doing a clear cost-benefit analysis of the tools that they use. They like their toys, but they rarely seem to take into consideration what happens should those toys get out.
2. Once again, this reinforces why we should not allow backdoors to encryption or any other such vulnerability. Over and over again, the proponents of backdooring encryption have insisted that it can be built in a "safe" way, where only government will get the backdoor access to encryption. The fact that some of the NSA's most powerful hacking tools have not only been leaked but are now wreaking havoc around the world, should put a complete end to the "going dark" debate. But it won't. It's not safe, but many in the law enforcement community, in particular, are in denial about this.

These problems are not new. Hell, we've been talking about both of them for the better part of a decade already. But this rapid spread of WannaCry is putting an exclamation point on those arguments. Unfortunately, the cynical side of my brain says this warning will still be ignored.

Filed Under: hacking tools, malware, nhs, nsa, ransomware, shadow brokers, wannacry

NSA's New Transparency Report Contains Just Enough Info To Be Dangerous, Not Nearly Enough To Be Truly Transparent

from the because-'Slightly-Less-Opacity-Report'-doesn't-have-the-same-ring dept

Before we dive into the latest IC transparency report [PDF] from the Office of the Director of National Intelligence, let's take a moment to recognize the small miracle that it even exists. If NSA contractor Ed Snowden hadn't decided to color outside the official whistleblowing lines, we'd still be expected to put our complete trust in the government with zero evidentiary support.

That being said, the transparency report is still several steps removed from actual transparency, but it will have to do for now. What can we learn from it, even with many of the numbers being seemingly meaningless thanks to purposefully-missing context? Several things, actually. Marcy Wheeler has torn apart the report across four posts, each dealing with the report's fuzzy numbers (or, in the case of the CIA's contribution, a lack thereof).

One of the first misleading numbers in the report is the supposed single search of the NSA's 702 collections by the FBI for non-terrorism-related purposes. According to the report, this happened exactly once. But that's actually not true. The FBI makes far more frequent use of NSA data for non-terrorism investigations. It just does it in a way that won't show up in the IC's transparency report. Parallel construction is the FBI's friend.

FBI’s querying system can be set such that, even if someone has access to 702 data, they can run a query that will flag a hit in 702 data but won’t actually show the data underlying that positive return. This provides one way for 702-cleared people to learn that such information is in such a collection and — if they want the data without having to report it — may be able to obtain it another way. It is distinctly possible that once NSA shares EO 12333 data directly with FBI, for example, the same data will be redundantly available from that in such a way that would not need to be reported to FISC.

So, there's that bit of obfuscation right off the top. And the FBI isn't the only agency using an ostensibly foreign-facing collection to obtain information about US persons. The CIA -- an ostensibly foreign-facing agency -- does this as well. The FBI doesn't count its dips into the NSA haystacks. Neither does the CIA. The report shows 30,000 searches of unminimized US persons' data occurred last year. That number doesn't include the FBI's searches (because the FBI doesn't report its searches) and is quite possibly much, much higher than what's reported. This is only a good faith estimate by the IC, using software, rather than any form of reporting from the CIA.

NSA will rely on an algorithm and/or a business rule to identify queries of communications metadata derived from the FAA 702 [redacted] and telephony collection that start with a United States person identifier. Neither method will identify those queries that start with a United States person identifier with 100 percent accuracy.

As Wheeler points out, it could be 30,000… or 3 million… or 3 billion searches. No one knows. By the time the CIA's required to count its US persons searches, it will likely perform most of its searches under Executive Order 12333 authorities, rather than the more closely-watched Section 702.

Finally, there's a really big number contained in the report. It looks amazingly high, but might be indicative of not much surveillance activity at all, at least not in the entire scheme of things. According to the report, the NSA was able to scoop up 151 million "call detail records (CDRs)" using only 42 selectors.

Read in the (lack of) context in the report, this would look like pure bullshit. There's no way 42 terrorism suspects (and their 3,150 one-hop "friends") are making 130 calls a day. (Or, if they're only talking to each other, 65 calls a day.)

As Wheeler points out, call records are not just records about phone calls. They also pick up records on text messages.

If these were phone calls between just two people, then if our terrorist buddies only spoke to each other, each would be responsible for 24,000 calls a year, or 65 a day, which is certainly doable, but would mean our terrorist suspects and their friends all spent a lot of time calling each other.

The number becomes less surprising when you remember that even with traditional telephony call records can capture calls and texts. All of a sudden 65 becomes a lot more doable, and a lot more likely to have lots of perfectly duplicative records as terrorists and their buddies spend afternoons texting back and forth with each other.

With this, 151 million records looks less like full-blown exploitation of this surveillance authority and something possibly more targeted than the NSA's used to. Then again, it could mean the NSA is sweeping up 65 innocent Americans every day of the year with its CDR demands. There's simply no way to tell.

But CDRs include all "call events," which include a whole lot of related metadata having nothing to do with voice calls.

A CDR is defined as session identifying information (including an originating or terminating telephone number, an International Mobile Subscriber Identity (IMSI) number, or an International Mobile Station Equipment Identity (IMEI) number), a telephone calling card number, or the time or duration of a call.

Further trimming down this seemingly large number are two other aspects of the collection. Records obtained previously by the agency are included in this count, as well as junk metadata related to past selectors that may not be returning any current records.

That means our 3,192 targets and friends might only have had 48 calls or texts a day, without any duplication.

Which is a completely believable number of calls and texts between surveillance targets. The breathtaking 151 million records is suddenly a more manageable number that actually *gasp* looks as though the NSA is engaging in truly targeted collection.

But before we get carried away with the NSA's new "maybe collect a little less than it all" approach to surveillance, we need to remember this only covers a very small part of the NSA's collection activities.

[W]e need to understand the 65 additional texts — or anything else available only in the US from a large number of electronic communications service providers that might be deemed a session identifier — a day from 42 terrorists and their 3150 buddies [is] on top of the vast store of EO 12333 records that form the primary basis here.

Because (particularly as the rest of the report shows continually expanding metadata analysis and collection) this is literally just the tip of an enormous iceberg, 151 million edge cases to a vast sea of data.

That's what we're really dealing with here, unprecedented transparency or no: there is a vast surveillance apparatus operating in near-complete darkness, authorized by a presidential executive order and subject to almost zero oversight. Whatever concessions the NSA makes in relation to Section 702 in the upcoming months, its biggest collections will remain untouched. Unless something changes dramatically, the potential for constitutional violations and agency abuse remains unchanged. And, unless something changes dramatically, it will remain unseen.

Filed Under: nsa, odni, surveillance, transparency

NSA Statements On 'About' Collection Shutdown Contradict PCLOB's Findings

from the nothing-is-real-and-nothing-to-get-hung-about dept

The impact the dropping of the "about" collection will have on the NSA's upstream harvesting will either be massive or minimal, depending on who you ask.

The Privacy and Civil Liberties Oversight Board's report on the "about" collection noted a few things, one of them being the supposed impossibility of preventing inadvertent collection.

All of these types of “about” communications can provide intelligence value, helping the government learn more about terrorist networks and their plans or obtain other foreign intelligence. While “about” collection is valued by the government for its unique intelligence benefits, it is, to a large degree, an inevitable byproduct of the way the NSA conducts much of its upstream collection. As discussed earlier in this Report, because of the technical manner in which this collection is performed, the NSA cannot entirely stop acquiring “about” communications without also missing a significant portion of “to/from” communications. Nor does the agency have the capability to selectively acquire certain types of “about” communications but not others.

At least some forms of “about” collection present novel and difficult issues regarding the balance between privacy and national security. But current technological limits make any debate about the proper balance somewhat academic, because it is largely unfeasible to limit “about” collection without also eliminating a substantial portion of upstream’s “to/from” collection, which would more drastically hinder the government’s counterterrorism efforts.

According to the PCLOB's interpretation, the "about" collection -- despite its many civil liberties issues -- could not be dropped without causing a significant loss of intel. In fact, the report goes so far as to claim the "about" collection itself is an "inevitable byproduct" of upstream surveillance -- rather than the way it actually appears to be: the inadvertent collection of US persons' communications is an inevitable byproduct of the "about" collection.

The NSA's statements on the ending of this program don't seem to cohere with the PCLOB's assertions, something pointed out by Jake Laperruque on Twitter.

Two statements were released by the NSA. The first seems more aligned with the PCLOB report's assertions about tech impossibilities and intel loss.

Even though NSA does not have the ability at this time to stop collecting "about" information without losing some other important data, the Agency will stop the practice to reduce the chance that it would acquire communications of U.S. persons or others who are not in direct contact with a foreign intelligence target.

The second statement, however, hints that the intel loss will not be nearly as significant as it's being portrayed... and that the "about" part was never a necessary part of intercepting "to/from" communications.

After considerable evaluation of the program and available technology, NSA has decided that its Section 702 foreign intelligence surveillance activities will no longer include any upstream internet communications that are solely "about" a foreign intelligence target. Instead, this surveillance will now be limited to only those communications that are directly "to" or "from" a foreign intelligence target. These changes are designed to retain the upstream collection that provides the greatest value to national security while reducing the likelihood that NSA will acquire communications of U.S. persons or others who are not in direct contact with one of the Agency's foreign intelligence targets.

The PCLOB's assertion that the "about" collection was an "inevitable byproduct" of upstream surveillance is nowhere to be found. The NSA itself states it can still perform upstream interception without nearly as much inadvertent collection simply by eliminating the "about" variable. If this is true, the NSA always had the capability to reduce the amount of inadvertently-collected communications. It just chose not to.

In any event, the upstream collection lives on, albeit in a slightly more constitutional form. The technical problem the NSA claimed prevented it from inadvertently collecting US persons' communications turns out to be something else: a minimal-impact search variable the agency could have eliminated years ago, bringing back some semblance of targeting to its surveillance work.

Filed Under: 702, about, about searches, mass surveillance, nsa, pclob, section 702, surveillance

The NSA's 702 Shutdown Is Good News, But There Are A Whole Lot Of Caveats

from the ALL-THE-ASTERISKS dept

The surprising shutdown of the NSA's email harvesting program -- one that operated "upstream" and grabbed not just communications to and from surveillance targets, but also those "about" surveillance targets -- is good news. Considering the NSA had done nothing but abuse this specific privilege, the shutdown is a welcome surprise. But it's not great news, for a variety of reasons.

First, the shutdown arrives on the heels of a yearlong denial of surveillance requests by the FISA court. This indicates the NSA was either still abusing its collection or the court no longer felt the program was constitutional, at least not the way the NSA was running it. The shutdown seems to reflect the NSA's inability or unwillingness to shift towards more targeted surveillance methods -- ones that won't sweep up lots of US persons' communications inadvertently.

It also suggests the program -- at least the upstream part of it -- is no longer as useful as it used to be. The rise in default encryption by email providers may be preventing the NSA from gathering as much info as it used to, as Julian Sanchez explains at Just Security.

[I]t is entirely possible that the change is driven in significant part by the broader post-Snowden adoption of STARTTLS encryption of communications between e-mail servers. That is, it is quite plausible that a large and growing percentage of transiting e-mail traffic is simply no longer visible to NSA, and must be accessed “downstream” at the e-mail server itself, rendering this form of collection less worth picking fights with the FISC over.

The NSA's statements about the shutdown mention that it will still be performing upstream collections but removing the "about" search variable. The agency notes this will decrease the amount of captured communications. But it's quite possible it was seeing fewer and fewer communications before it made this decision. The NSA shouldn't be too concerned about this loss (and it likely isn't), considering it has other options it can use to capture the communications it says it won't be capturing anymore.

[T]o the extent the traffic remains visible to NSA, they may simply have decided that it is easier to do the same “about” scans outside the borders of the United States, beyond the purview of either FISA or the FISC.

This is an option the NSA has deployed before. In 2011, the NSA killed off its bulk domestic collection of US persons' email metadata. Or so it said. In reality, it simply stopped gathering this data from domestic providers.

The [Inspector General's] report explained that there were two other legal ways to get such data. One was the collection of bulk data that had been gathered in other countries, where the N.S.A.’s activities are largely not subject to regulation by the Foreign Intelligence Surveillance Act and oversight by the intelligence court. Because of the way the Internet operates, domestic data is often found on fiber optic cables abroad.

This option is still viable and possibly of much more use to the NSA. If so, the NSA may be giving up part of its upstream collection in hopes of preventing its offshore and downstream collections from being scrutinized as thoroughly in the runup to the renewal of the FISA Amendments Act.

This is just what isn't being done upstream or under Section 702. The NSA still can gather plenty of US persons' communications -- incidentally or not -- under Executive Order 12333.

[T]he NSA’s authorities under executive order 12333 are vast, undisclosed and unconstrained by any need to explain its collections to the Fisa court. A former state department official who has warned Congress about 12333, John Napier Tye, has alleged that the NSA uses 12333 as a backup plan to route around legal restrictions on US surveillance.

“To the extent US person information is either stored outside the United States, routed outside the United States, in transit outside the United States, it’s possible for it to be incidentally collected under 12333,” Tye told the Guardian in 2014.

Whatever the NSA might be losing, it can only be a small percentage of its total take. It also has the option of asking friendly foreign intelligence agencies to perform these searches for it -- again without having to notify the FISA court.

The final problem with the NSA's announcement is it's unmoored from legislation. Unlike the drastic modification of the Section 215 metadata program -- which was tied to statutory requirements laid down by the USA Freedom Act -- the voluntary shutdown of the "about" collection doesn't contain anything legally-binding. As the ACLU points out, without codification the NSA could start its collection up again without notice, provided it has found a way to comply with the FISA court's demands… or found a better way to look like it's in compliance.

Filed Under: 702, about collections, mass surveillance, nsa, surveillance