Democratic Leadership Says NSA Data Collection Is Fine Because You 'May Be In Communication With Terrorists'

from the seriously? dept

One of the things that became quite clear with yesterday's vote by the House to keep the NSA collecting records on every single one of your phone calls was the strange bedfellows that came together over this issue. Fighting against the surveillance were conservatives who were skeptical about government power along with liberals who were skeptical of government overreach into private lives. On the flip side, you had the White House and the leadership of both parties -- who tend to lean more towards supporting excessive power in the executive branch (perhaps because of their own dreams of being able to control that power). It's not often you see Michele Bachmann and Nancy Pelosi agreeing on very much.

Over at the Huffington Post, there's a good article about these odd pairings, noting the oddity of Bachmann endorsing the "identical" position as the Obama administration. But the really stunning point is at the end of the article, where it mentions that Steny Hoyer, the Democratic whip, who's in charge of gathering up the votes on the Democratic side, and who apparently was working overtime to convince Democrats to vote in favor of ignoring the 4th Amendment, sent the most bizarre "description" of the amendment. While that only has a clip, a friend sent over the full "description" sent by Steny Hoyer to all of the Democrats in the House:

Amash/Conyers/Mulvaney/Polis/Massie Amendment – Bars the NSA and other agencies from using Section 215 of the Patriot Act (as codified by Section 501 of FISA) to collect records, including telephone call records, that pertain to persons who may be in communication with terrorist groups but are not already subject to an investigation under Section 215

Talk about misleading. The program pertains to everyone. At this point, it's no secret that the records collected under this authority include a record of every single phone call. This is not about collecting records of people talking to terrorists. It's about collecting records on everyone. So, the only rational deciphering of Hoyer's email is that he believes that every American "may be in communication with terrorist groups" and therefore it's okay to spy on them.

How do these people get elected?

Filed Under: business records, collection, democrats, metadata, nsa, nsa surveillance, section 215, steny hoyer, terrorists

Court Gives Chevron Access To Nine Years Of Americans' Email Metadata

from the seems-a-bit-extreme dept

For a few years now, we've been following a rather troubling legal fight between people in Ecuador and Chevron -- the oil giant that has been in a long-term legal battle with people in Ecuador over some of its actions in that country. A few years ago, we wrote about how Chevron was ordering a documentary filmmaker to turn over cut footage, claiming that it might exonerate the company (the filmmaker tried to hold it back, claiming it was protected under journalist shield rules). However, last fall, we noted something perhaps even more troubling. Chevron had issued subpoenas seeking various email info from Google, Yahoo and Microsoft going back years. As we noted at the time, they weren't seeking the content of the email, but the were seeking what many more people are now familiar with as "metadata." But, metadata can be quite revealing.

When we wrote about this case a year ago, it was under the context of one person, Kevin Heller, whose data was sought, and him successfully fighting back (with some help from the ACLU) getting Chevron to drop the request for his info. But, as for everyone else's info? Mother Jones alerts us to the news that a judge in NY recently said it was okay for Chevron to get all that metadata, in some cases going back nine years.

...a federal court granted Chevron access to nine years of email metadata—which includes names, time stamps, and detailed location data and login info, but not content—belonging to activists, lawyers, and journalists who criticized the company for drilling in Ecuador and leaving behind a trail of toxic sludge and leaky pipelines. Since 1993, when the litigation began, Chevron has lost multiple appeals and has been ordered to pay plaintiffs from native communities about $19 billion to cover the cost of environmental damage. Chevron alleges that it is the victim of a mass extortion conspiracy, which is why the company is asking Google, Yahoo, and Microsoft, which owns Hotmail, to cough up the email data. When Lewis Kaplan, a federal judge in New York, granted the Microsoft subpoena last month, he ruled it didn't violate the First Amendment because Americans weren't among the people targeted.

Leaving aside the fact that the court thinks it's okay to do this even if it's just "non-Americans" who have their privacy violated here, Mother Jones points out that this claim that it only targeted non-Americans isn't, in fact, true. Pesky details.

Now Mother Jones has learned that the targeted accounts do include Americans—a revelation that calls the validity of the subpoena into question. The First Amendment protects the right to speak anonymously, and in cases involving Americans, courts have often quashed subpoenas seeking to discover the identities and locations of anonymous internet users. Earlier this year, a different federal judge quashed Chevron's attempts to seize documents from Amazon Watch, one of the company's most vocal critics. That judge said the subpoena was a violation of the group's First Amendment rights. In this case, though, that same protection has not been extended to activists, journalists, and lawyers' email metadata.

The Electronic Frontier Foundation (EFF) represents 40 of the targeted users—some of whom are members of the legal teams who represented the plaintiffs—and Nate Cardozo, an attorney for EFF, says that of the three targeted Hotmail users, at least one is American. Cardozo says that of the Yahoo and Gmail users, "many" are American.

This seems like a pretty big problem, given the rationale of the judge initially. Beyond that, just the basic chilling effects from finding out that a giant company could get access like this to so much metadata on a large list of its critics is fairly incredible. As the article notes, while subpoenas on people who aren't actually parties to a lawsuit are "routine," they're not supposed to be mass fishing expeditions, which they appear to be in this case.

And, of course, even the whole "well they're not Americans so the First Amendment doesn't apply" thing is highly questionable -- since many of the accounts are anonymous internet users, and the First Amendment does protect online anonymity and there's no way for Chevron or the judge to know if the anonymous users are Americans or not.

Filed Under: ecuador, email, first amendment, metadata, privacy
Companies: chevron, google, microsoft, yahoo

FISA Order To Verizon Expires Today, No One Wants To Say If It's Being Renewed

from the because-it-is dept

The very first of the Ed Snowden leaks was a FISA court order to Verizon, ordering it to hand over information on every single phone call, on an "ongoing, daily basis." That order expired on July 19, 2013. Today. It quickly came out that the FISA court has been approving nearly identical orders every 90 days for about seven years, though the defenders of the program like to use that "it's only for 90 days" excuse to suggest there's "oversight." Still, given that the existence of this effort is now actually public, plenty of people are wondering whether or not the FISA court issued the expected followup. Of course, no one who knows wants to say anything.

The Obama administration is refusing to say whether it will seek to renew a court order that permits the National Security Agency's bulk collection of phone records on millions of Verizon customers when it expires at the end of this week.

Officials declined to discuss what action they intend to take about the order at the center of the current surveillance scandal, which formally expires at 5pm Friday.

That's because it's almost certain that it's already been renewed and rubber stamped by the FISA court. The White House told Guardian reporters to ask the Justice Department. Guess where that went:

The White House referred queries to the Justice Department. "We have no announcement at this time," said Justice Department spokesman Brian Fallon. The NSA and office of the Director of National Intelligence did not respond to questions.

A spokesman for the Fisa court, Sheldon Snook, said the court "respectfully declines to comment".

In other words: please, please, go away and can we hope this story dies down by the time the next 90-day window rolls around?

Thankfully, some members of Congress have told the White House not to seek a renewal, but it seems unlikely that the White House will do anything, other than keep on sucking up all that data.

Filed Under: business records, fisa court, fisc, metadata, section 215, telcos
Companies: at&t, sprint, verizon

If 'Just Metadata' Isn't An Issue, Why Can't Tech Companies Reveal 'Just Metadata' About NSA Surveillance?

from the simple-questions dept

You may have heard the news today that a bunch of big tech companies -- including Google, Facebook, Microsoft, Apple, Twitter, Mozilla, Reddit, Tumblr and others -- have sent a strong letter to a variety of government officials, both in the administration and Congress, demanding greater transparency, and the ability to reveal more information about the government's various surveillance programs that compel the tech companies to participate:

We the undersigned are writing to urge greater transparency around national security-related requests by the US government to Internet, telephone, and web-based service providers for information about their users and subscribers.

First, the US government should ensure that those companies who are entrusted with the privacy and security of their users’ data are allowed to regularly report statistics reflecting:

• The number of government requests for information about their users made under specific legal authorities such as Section 215 of the USA PATRIOT Act, Section 702 of the FISA Amendments Act, the various National Security Letter (NSL) statutes, and others;
• The number of individuals, accounts, or devices for which information was requested under each authority; and
• The number of requests under each authority that sought communications content, basic subscriber information, and/or other information.

Second, the government should also augment the annual reporting that is already required by statute by issuing its own regular “transparency report” providing the same information: the total number of requests under specific authorities for specific types of data, and the number of individuals affected by each.

As an initial step, we request that the Department of Justice, on behalf of the relevant executive branch agencies, agree that Internet, telephone, and web-based service providers may publish specific numbers regarding government requests authorized under specific national security authorities, including the Foreign Intelligence Surveillance Act (FISA) and the NSL statutes. We further urge Congress to pass legislation requiring comprehensive transparency reporting by the federal government and clearly allowing for transparency reporting by companies without requiring companies to first seek permission from the government or the FISA Court.

This follows on a somewhat somewhat similar letter from Reps. Jim Sensenbrenner and Zoe Lofgren to Attorney General Holder and Director of National Intelligence Clapper, urging them "to authorize U.S. companies to release information regarding national security requests for user data."

Both letters point out that they're just looking for the ability to reveal specific numbers about orders received and user accounts impacted, but obviously not further information that might reveal the details of any investigations. Basically, they're asking for "just the metadata."

You may have spotted the irony, pointed out by Ashkan Soltani: Defenders of many of the government's surveillance programs have repeatedly trotted out the "just metadata" argument for why all of this surveillance is no problem, claiming that mere metadata doesn't reveal anything important. Yet, when it comes to their own metadata about their own surveillance programs, suddenly it will reveal all their secrets? (And I won't even get into the fact that only some of the surveillance programs are "just metadata").

So, which is it, feds? Is "just metadata" nothing too important, or does it reveal everything?

Filed Under: jim sensenbrenner, metadata, national security letters, nsa surveillance, surveillance, tech companies, zoe lofgren
Companies: apple, facebook, google, microsoft, mozilla, reddit, tumblr, twitter, yahoo

7 Months Of Warrantless 'Just Metadata' Paints A Clear Picture Of Your Personal Life

from the anyone-still-believe-this-info-shouldn't-be-protected? dept

The ACLU (along with the EFF and many others) has filed an amicus brief in a case of warrantless cell location tracking currently being considered by the Fourth Circuit Court of Appeals. It cites the obvious similarity between this and the U.S. vs. Jones decision, in which the justices concluded that a person's privacy is violated by long-term tracking of their movements.

In that case, a GPS device was attached to a vehicle. In this one, the privacy implications run much deeper.

People carry their cell phones with them all the time. Each time a cell phone makes or receives a call or text message, the wireless provider logs the cell towers the phone connected to during that communication. Cell phone tracking therefore allows the government to reach back into the past and pull up a record of where we have been on any given day.

Lest we forget, this is the same sort of supposedly harmless, non-identifying "metadata" the NSA and FBI are collecting on millions of cell phone users every day, thanks to a very obliging FISA court. In the Jones case, the justices concurring opinion agreed with the appeals court in finding that the long-term tracking (in this case, 28 days) violated the Fourth Amendment. One wonders what this court will make of this warrantless tracking, which ran for nearly ten times as long.

In the case, United States v. Graham, the government obtained a staggering 221 days of historical cell site location information for two suspects. For one suspect, Aaron Graham, this timespan allowed the government to sweep up his location at 29,659 specific points.

The amount of information that can be culled from these data points easily exceeds anything law enforcement should reasonably expect to obtain without a warrant. Aaron Graham worked with his provider and the ACLU in order to provide it with the same tracking information law enforcement had acquired. Here's what the ACLU found.

Mr. Graham's wife was pregnant during the records period. 29 calls during business hours began or ended in the sector where Mr. Graham's wife's OB/GYN's office is located, allowing the inference that they were at the doctor's office at these times.

The most frequently occurring cell site and sector in Mr. Graham's records is the closest sector and tower to his home – nearly a third of all of his calls were placed or received in this sector. Of those 4,917 calls, 77 started in his home sector and ended elsewhere and 226 started elsewhere and ended when he was at home, providing information about his patterns of movements to and from home.

From July 10 to July 15, 2010, Mr. Graham's last call of the night and first call of the morning were either or both placed from his home sector, allowing the inference that he slept at home those evenings. However, on July 9, Mr. Graham's last call of the night and first call of the next morning were placed from a cell sector 30 minutes from his house. Although we have no reason to believe it to be the case here, this information could reveal private information about the status of a person's relationships and any infidelities.

The ACLU points out that technological advancements have made it easier for law enforcement and others to easily collect large amounts of data on any person, making the protections of the Fourth Amendment more important than ever. Just because millions voluntarily use products and services utilizing invasive technology doesn't mean they're implicitly waiving their right to privacy. Nor should it be assumed the use of a cell phone means the "expectation of privacy" is no longer valid.

Once again, it appears law enforcement's m.o. is "do it until someone makes you stop." One wonders what sort of information can be both so vital as to be obtained without the hassle of a warrant, yet still so elusive it could only be ascertained by gathering two-thirds of year's worth of location info. Hopefully, the court will find along the lines of the Jones decision, and continue rebuilding the protections the Fourth Amendment was written to provide.

Filed Under: gps, metadata, tracking, warrantless data

Anyone Brushing Off NSA Surveillance Because It's 'Just Metadata' Doesn't Know What Metadata Is

from the your-metadata-reveals-quite-a-bit dept

One of the key themes that has come out from the revelations concerning NSA surveillance is a bunch of defenders of the program claiming "it's just metadata." This is wrong on multiple levels. First of all, only some of the revealed programs involve "just metadata." The so-called "business records" data is metadata, but other programs, such as PRISM, can also include actual content. But, even if we were just talking about "just metadata," the idea that it somehow is no big deal, and people have nothing to worry about when it comes to metadata is ridiculous to anyone who knows even the slightest thing about metadata. In fact, anyone who claims that "it's just metadata" in an attempt to minimize what's happening is basically revealing that they haven't the slightest clue about what metadata is. Here are a few examples of why.

Just a few months ago, Nature published a study all about how much a little metadata can reveal, entitled Unique in the Crowd: The privacy bounds of human mobility by Yves-Alexandre de Montjoye, Cesar A. Hidalgo, Michel Verleysen, and Vincent D. Blondel. The basic conclusion: metadata reveals a ton, and even "coarse datasets" provide almost no anonymity:

A simply anonymized dataset does not contain name, home address, phone number or other obvious identifier. Yet, if individual's patterns are unique enough, outside information can be used to link the data back to an individual. For instance, in one study, a medical database was successfully combined with a voters list to extract the health record of the governor of Massachusetts27. In another, mobile phone data have been re-identified using users' top locations28. Finally, part of the Netflix challenge dataset was re-identified using outside information from The Internet Movie Database29.

All together, the ubiquity of mobility datasets, the uniqueness of human traces, and the information that can be inferred from them highlight the importance of understanding the privacy bounds of human mobility. We show that the uniqueness of human mobility traces is high and that mobility datasets are likely to be re-identifiable using information only on a few outside locations. Finally, we show that one formula determines the uniqueness of mobility traces providing mathematical bounds to the privacy of mobility data. The uniqueness of traces is found to decrease according to a power function with an exponent that scales linearly with the number of known spatio-temporal points. This implies that even coarse datasets provide little anonymity.

Some of the figures they presented show how easy it is to track individuals and their locations, which can paint a pretty significant and revealing portrait of who they are and what they've done. In an interview, one of the authors of the paper basically said that your metadata effectively creates a "fingerprint" that is unique to you and easy to match to your identity:

"We use the analogy of the fingerprint," said de Montjoye in a phone interview today. "In the 1930s, Edmond Locard, one of the first forensic science pioneers, showed that each fingerprint is unique, and you need 12 points to identify it. So here what we did is we took a large-scale database of mobility traces and basically computed the number of points so that 95 percent of people would be unique in the dataset."

Others are discovering the same thing. Ethan Zuckerman, who recently co-taught a class with one of the authors of the paper above, Cesar Hidalgo, wrote about how two students in the class created a project called Immersion, with Hidalgo, which takes your Gmail metadata ("just metadata") and maps out your social network. As Zuckerman notes, his own use of Immersion reveals some things that could be questionable or dangerous. He discusses some bits of metadata that are "obvious," which would make him easily identifiable, but which probably aren't that "questionable." However, he also notes some potentially problematic things as well:

Anyone who knows me reasonably well could have guessed at the existence of these ties. But there’s other information in the graph that’s more complicated and potentially more sensitive. My primary Media Lab collaborators are my students and staff – Cesar is the only Media Lab node who’s not affiliated with Civic who shows up on my network, which suggests that I’m collaborating less with my Media Lab colleagues than I might hope to be. One might read into my relationships with the students I advise based on the email volume I exchange with them – I’d suggest that the patterns have something to do with our preferred channels of communication, but it certainly shows who’s demanding and receiving attention via email. In other words, absence from a social network map is at least as revealing as presence on it.

Separately, more than two years ago, we wrote about how a German politician named Malte Spitz got access to all of the metadata that Deutsche Telekom had on him over a period of six months, and then worked with the German newspaper Die Zeit to put together an amazing visualization that lets you track six months of his life entirely via his metadata, combined with public information, such as his Twitter feed. While this all came out over two years ago, just recently, Spitz wrote a NYT op-ed piece about how this "just metadata" situation means that it's tough to trust the US government.

In Germany, whenever the government begins to infringe on individual freedom, society stands up. Given our history, we Germans are not willing to trade in our liberty for potentially better security. Germans have experienced firsthand what happens when the government knows too much about someone. In the past 80 years, Germans have felt the betrayal of neighbors who informed for the Gestapo and the fear that best friends might be potential informants for the Stasi. Homes were tapped. Millions were monitored.

Although these two dictatorships, Nazi and Communist, are gone and we now live in a unified and stable democracy, we have not forgotten what happens when secret police or intelligence agencies disregard privacy. It is an integral part of our history and gives young and old alike a critical perspective on state surveillance systems.

"Just metadata" isn't "just" anything, other than a massive violation of basic privacy rights.

Filed Under: cesar hidalgo, ethan zuckerman, fingerprints, immersion, malte spitz, metadata, nsa surveillance, prism, privacy, surveillance

Old School Snail Mail 'Metadata' Still Being Harvested By The USPS And Turned Over To Law Enforcement/Security Agencies By Request

from the get-it-all,-just-in-case dept

We live in a wondrous age of technological advancement, where almost any form of communication can be instantly captured by interceding security agencies and stored safely away somewhere in Utah where it can be "questioned" at the agencies' convenience.

But the old school ways still have their charm. Various entities have intercepted snail mail since the days when it was just referred to as "mail." Not so much interception goes on now, partly because there's much less to intercept, but law enforcement agencies are still able to access scans of the envelopes of every piece of mail sent or received in the US, all without a warrant. Not unexpectedly, this "enhancement" to the "mail covers" program emerged post-9/11.

The NY Times has a good piece on the Mail Isolation Control and Tracking program, which was put into place following the post-9/11 anthrax mailings. It quite literally scans every envelope, post card, and piece of junk mail — some 160 billion pieces of mail a year. These scanners probably know more about the mail you receive than you do.

The Mail Isolation program is really just a super-beefed-up version of the USPS "mail covers" program that has been around for about a century, explains the Times. Mail covers are warrantless requests for photos of the outside of specific recipients’ mail.

Basically, a law enforcement agency fills out the request, and for 30 days (extendable to 120 days), it receives scans of all mail related to the subject of the request. Only the outside of the mail is provided, as opening mail would require a warrant. Authorities maintain that no warrant is needed for information on the outside of a piece of mail, as there can be no reasonable expectation of privacy. The USPS can deny a mail covers request, but rarely does.

The old "mail covers" program was targeted. The new, post-9/11 version isn't. Everything is photographed and anything can be requested by simply filling out a form. The argument is that there's no expectation of privacy seeing as any number of people will be able to view what's written on the outside of the envelope as it's in transit. Of course, people might feel their privacy is being violated if they observed someone going through a stack of their mail and taking photos of every envelope, but that's where the courts stand on this issue currently.

Unlike other invasive programs officials have defended by claiming they have prevented [insert number here] terrorist attacks, the Mail Isolation Control and Tracking program has at least been instrumental in taking down a purveyor of terrorist-like activity.

In a criminal complaint filed June 7 in Federal District Court in Eastern Texas, the F.B.I. said a postal investigator tracing the ricin letters was able to narrow the search to Shannon Guess Richardson, an actress in New Boston, Tex., by examining information from the front and back images of 60 pieces of mail scanned immediately before and after the tainted letters sent to Mr. Obama and Mr. Bloomberg showing return addresses near her home. Ms. Richardson had originally accused her husband of mailing the letters, but investigators determined that he was at work during the time they were mailed.

While that's comforting, the downside is that this system, like any other mass data collection, is prone to abuse. And what's considered not "private enough" to require a warrant can still tell the requesting party quite a bit about you.

"It's a treasure trove of information," said James J. Wedick, a former F.B.I. agent who spent 34 years at the agency and who said he used mail covers in a number of investigations, including one that led to the prosecution of several elected officials in California on corruption charges. "Looking at just the outside of letters and other mail, I can see who you bank with, who you communicate with — all kinds of useful information that gives investigators leads that they can then follow up on with a subpoena."

But, he said: "It can be easily abused because it's so easy to use and you don't have to go through a judge to get the information. You just fill out a form."

The postal service holds the power to approve or deny these requests, without any outside review, which means every request will sail right through. 15-20,000 requests come through each year related to criminal activity. The number of requests made for national security reasons hasn't been revealed.

In the post-9/11 security/law enforcement climate, it seems it's better to have everything and not need it than want something and not have it. This is all above-board and perfectly constitutional according to the courts, so if any of these entities want to dig through your mail for any reason, (perhaps as a form of political harassment) all they have to do is fill out the right paperwork.

Filed Under: doj, mail, metadata, nsa, scans, surveillance, us postal service, warrants

FCC: Telcos Must Protect The Privacy Of Mobile Metadata That The NSA Insists Isn't Private

from the left-hand?-speak-to-the-right-hand dept

So the FCC has announced new rules saying that mobile operators must protect the privacy of their users, including around various metadata:

"When mobile carriers use their control of customers' devices to collect information about customers' use of the network, including using preinstalled apps ... carriers are required to protect that information," the FCC said in a statement today. "This sensitive information can include phone numbers that a customer has called and received calls from, the durations of calls, and the phone's location at the beginning and end of each call."

This came out, ostensibly, in response to an investigation by the FCC into the use of services like Carrier IQ by various mobile carriers, whereby they were collecting a ton of data about how everyone used their phones.

However, when put into the context of the news of the month: the federal government's dragnet surveillance efforts, which involves hoovering up all metadata on every single phone call made... it suddenly becomes somewhat interesting. On the one hand, you have the administration and its defenders claiming that there's no expectation of privacy in "metadata" like phone numbers, duration of calls and the phone's location. And yet, now you have the FCC, also a part of the same administration, flat out telling the world (and the telcos) that there's clearly an expectation of privacy in exactly the same information. And, of course, once you have that expectation of privacy, the 4th Amendment applies, no matter how many times the NSA says otherwise...

Filed Under: 4th amendment, expectation of privacy, fcc, metadata, mobile operators, nsa, nsa surveillance, privacy
Companies: carrier iq

Latest Leak: NSA Collects Bulk Email Metadata On Americans

from the so-there's-that... dept

The NSA leaks just keep on coming, and the latest one is a big one. It's concerning the NSA is about the Stellar Wind program -- which had been revealed before, and which former NSA whistleblower Bill Binney has discussed in the past -- but Binney left the NSA in 2001. The latest document is a report from the Inspector General that confirms some of the claims Binney has made in the past, showing that the NSA collected "bulk metadata" on emails of US persons. The program started as only being about non-US persons, but was later expanded by the DOJ in 2007 to cover US persons as well.

According to a top-secret draft report by the NSA's inspector general – published for the first time today by the Guardian – the agency began "collection of bulk internet metadata" involving "communications with at least one communicant outside the United States or for which no communicant was known to be a citizen of the United States".

Eventually, the NSA gained authority to "analyze communications metadata associated with United States persons and persons believed to be in the United States", according to a 2007 Justice Department memo, which is marked secret.

So, remember all that stuff the NSA and the President and various elected officials were saying about how they're not collecting internet data on Americans? And how they have minimization procedures and all of that? Yeah. So, that was -- yet again -- less than 100% accurate. Or, as Director of National Intelligence James Clapper likes to say, it was, perhaps, the "least untruthful" version of the events, meaning that it wasn't truthful.

Of course, the defenders of the program will say that this is okay because it was "just metadata," rather than the contents of email, but that's a huge cop out, since metadata can tell you an awful lot:

The internet metadata of the sort NSA collected for at least a decade details the accounts to which Americans sent emails and from which they received emails. It also details the internet protocol addresses (IP) used by people inside the United States when sending emails – information which can reflect their physical location. It did not include the content of emails.

On top of that, defenders of the metadata collection of phone records claimed that there was no privacy in the phone numbers you called and the duration of calls, because that information was clearly on your phone bill that the company sent to you each month. But that's not the case with email metadata.

For what it's worth, the administration shutdown this particular program in 2011, but that was after it had gone on for 10 years, with the last four involving collecting bulk metadata on Americans.

"The internet metadata collection program authorized by the Fisa court was discontinued in 2011 for operational and resource reasons and has not been restarted," Shawn Turner, the Obama administration's director of communications for National Intelligence, said in a statement to the Guardian.

"The program was discontinued by the executive branch as the result of an interagency review," Turner continued. He would not elaborate further.

However, as Glenn Greenwald and Spencer Ackerman at the Guardian (who broke this story as well) have noted, they have evidence that at least a similar program continues today:

In December 2012, for example, the NSA launched one new program allowing it to analyze communications with one end inside the US, leading to a doubling of the amount of data passing through its filters.

Some of the report actually helps to confirm a Washington Post story from last week about how this bulk metadata collection was initially done under no authority, but when various DOJ officials threatened to resign, they quickly got the FISA court to pull out its trusty giant rubber stamp to allow bulk data collection on emails.

The expansion of metadata collection and analysis to cover Americans came about as the NSA insisted this would help them better find foreign threats:

Wainstein told Mukasey that giving NSA broader leeway to study Americans' online habits would give the surveillance agency, ironically, greater visibility into the online habits of foreigners – NSA's original mandate.

"NSA believes that it is over-identifying numbers and addresses that belong to United States persons and that modifying its practice to chain through all telephone numbers and addresses, including those reasonably believed to be used by a United States person," Wainstein wrote, "will yield valuable foreign intelligence information primarily concerning non-United States persons outside the United States."

Basically this pretty much confirms my earlier post about how the NSA (and the DOJ) are carefully defining "target" in their mandate. Most people believe that since the NSA can only target persons outside the US that they cannot collect data on US persons. However, if (as may be the case) they claim that the overall investigation is "targeting" non-US persons, it appears they believe they can collect and analyze data on US persons, meaning that they've effectively justified bulk spying on Americans if it might possibly bring to light a foreign threat.

One thing that is not clearly described is exactly how the NSA is getting access to this data, but from previous leaks, it appears that the data almost certainly comes from working with telcos to install systems that scoop up all data going through major ISPs/backbones. Either way, it seems abundantly clear, yet again, that the NSA surveillance, contrary to statements from the NSA and its defenders, included a ton of information on Americans.

Filed Under: doj, email, metadata, nsa, nsa surveillance, stellar wind

Is The Bigger Concern NSA Getting Phone Records, PRISM Or Just Everything?

from the phone-record-meta-data-is-a-bit-much dept

Former Deputy Assistant Secretary for Policy at Homeland Security, Paul Rosenzweig, who we've already quoted as pointing out that the NSA surveillance was larger than what he thought the government was doing, makes a good point: with the speed of leak upon leak, over the last few days, it seems that people are now more focused on PRISM than the government getting metadata on every phone call, when the metadata story is the much bigger one. As the details have come out about PRISM, there's really nothing that surprising. It's exactly what was allowed under the FISA Amendments Act (and why many were so vehement about speaking out on why it shouldn't have been re-approved recently). But the sucking up of so much metadata on all phone calls goes way beyond what most people thought the law allowed.

As Jane Mayer at the New Yorker recently explained, the metadata issue is the one we should be most frightened about:

“The public doesn’t understand,” [mathematician and former Sun Microsystems engineer Susan Landau] told me, speaking about so-called metadata. “It’s much more intrusive than content.” She explained that the government can learn immense amounts of proprietary information by studying “who you call, and who they call. If you can track that, you know exactly what is happening—you don’t need the content.”

For example, she said, in the world of business, a pattern of phone calls from key executives can reveal impending corporate takeovers. Personal phone calls can also reveal sensitive medical information: “You can see a call to a gynecologist, and then a call to an oncologist, and then a call to close family members.” And information from cell-phone towers can reveal the caller’s location. Metadata, she pointed out, can be so revelatory about whom reporters talk to in order to get sensitive stories that it can make more traditional tools in leak investigations, like search warrants and subpoenas, look quaint. “You can see the sources,” she said. When the F.B.I. obtains such records from news agencies, the Attorney General is required to sign off on each invasion of privacy. When the N.S.A. sweeps up millions of records a minute, it’s unclear if any such brakes are applied.

Metadata, Landau noted, can also reveal sensitive political information, showing, for instance, if opposition leaders are meeting, who is involved, where they gather, and for how long. Such data can reveal, too, who is romantically involved with whom, by tracking the locations of cell phones at night.

The PRISM program is interesting and worrisome, but as the details suggest, it's not as scary as was originally reported. There are still lots of problems with the way the government goes about getting information from all these tech companies, but at least it appears that it's not full access. The same is not true when it comes to the telcos and their handing over all those records. Furthermore, it's worth noting that while all of the internet companies came out and explained that they push back against overly broad government requests, none of the telcos appear to have done the same.

Filed Under: 4th amendment, metadata, nsa, nsa surveillance, pivacy, prism