NSA's New Transparency Report Contains Just Enough Info To Be Dangerous, Not Nearly Enough To Be Truly Transparent
from the because-'Slightly-Less-Opacity-Report'-doesn't-have-the-same-ring dept
Before we dive into the latest IC transparency report [PDF] from the Office of the Director of National Intelligence, let's take a moment to recognize the small miracle that it even exists. If NSA contractor Ed Snowden hadn't decided to color outside the official whistleblowing lines, we'd still be expected to put our complete trust in the government with zero evidentiary support.
That being said, the transparency report is still several steps removed from actual transparency, but it will have to do for now. What can we learn from it, even with many of the numbers being seemingly meaningless thanks to purposefully-missing context? Several things, actually. Marcy Wheeler has torn apart the report across four posts, each dealing with the report's fuzzy numbers (or, in the case of the CIA's contribution, a lack thereof).
One of the first misleading numbers in the report is the supposed single search of the NSA's 702 collections by the FBI for non-terrorism-related purposes. According to the report, this happened exactly once. But that's actually not true. The FBI makes far more frequent use of NSA data for non-terrorism investigations. It just does it in a way that won't show up in the IC's transparency report. Parallel construction is the FBI's friend.
FBI’s querying system can be set such that, even if someone has access to 702 data, they can run a query that will flag a hit in 702 data but won’t actually show the data underlying that positive return. This provides one way for 702-cleared people to learn that such information is in such a collection and — if they want the data without having to report it — may be able to obtain it another way. It is distinctly possible that once NSA shares EO 12333 data directly with FBI, for example, the same data will be redundantly available from that in such a way that would not need to be reported to FISC.
So, there's that bit of obfuscation right off the top. And the FBI isn't the only agency using an ostensibly foreign-facing collection to obtain information about US persons. The CIA -- an ostensibly foreign-facing agency -- does this as well. The FBI doesn't count its dips into the NSA haystacks. Neither does the CIA. The report shows 30,000 searches of unminimized US persons' data occurred last year. That number doesn't include the FBI's searches (because the FBI doesn't report its searches) and is quite possibly much, much higher than what's reported. This is only a good faith estimate by the IC, using software, rather than any form of reporting from the CIA.
NSA will rely on an algorithm and/or a business rule to identify queries of communications metadata derived from the FAA 702 [redacted] and telephony collection that start with a United States person identifier. Neither method will identify those queries that start with a United States person identifier with 100 percent accuracy.
As Wheeler points out, it could be 30,000… or 3 million… or 3 billion searches. No one knows. By the time the CIA's required to count its US persons searches, it will likely perform most of its searches under Executive Order 12333 authorities, rather than the more closely-watched Section 702.
Finally, there's a really big number contained in the report. It looks amazingly high, but might be indicative of not much surveillance activity at all, at least not in the entire scheme of things. According to the report, the NSA was able to scoop up 151 million "call detail records (CDRs)" using only 42 selectors.
Read in the (lack of) context in the report, this would look like pure bullshit. There's no way 42 terrorism suspects (and their 3,150 one-hop "friends") are making 130 calls a day. (Or, if they're only talking to each other, 65 calls a day.)
As Wheeler points out, call records are not just records about phone calls. They also pick up records on text messages.
If these were phone calls between just two people, then if our terrorist buddies only spoke to each other, each would be responsible for 24,000 calls a year, or 65 a day, which is certainly doable, but would mean our terrorist suspects and their friends all spent a lot of time calling each other.
The number becomes less surprising when you remember that even with traditional telephony call records can capture calls and texts. All of a sudden 65 becomes a lot more doable, and a lot more likely to have lots of perfectly duplicative records as terrorists and their buddies spend afternoons texting back and forth with each other.
With this, 151 million records looks less like full-blown exploitation of this surveillance authority and something possibly more targeted than the NSA's used to. Then again, it could mean the NSA is sweeping up 65 innocent Americans every day of the year with its CDR demands. There's simply no way to tell.
But CDRs include all "call events," which include a whole lot of related metadata having nothing to do with voice calls.
A CDR is defined as session identifying information (including an originating or terminating telephone number, an International Mobile Subscriber Identity (IMSI) number, or an International Mobile Station Equipment Identity (IMEI) number), a telephone calling card number, or the time or duration of a call.
Further trimming down this seemingly large number are two other aspects of the collection. Records obtained previously by the agency are included in this count, as well as junk metadata related to past selectors that may not be returning any current records.
That means our 3,192 targets and friends might only have had 48 calls or texts a day, without any duplication.
Which is a completely believable number of calls and texts between surveillance targets. The breathtaking 151 million records is suddenly a more manageable number that actually *gasp* looks as though the NSA is engaging in truly targeted collection.
But before we get carried away with the NSA's new "maybe collect a little less than it all" approach to surveillance, we need to remember this only covers a very small part of the NSA's collection activities.
[W]e need to understand the 65 additional texts — or anything else available only in the US from a large number of electronic communications service providers that might be deemed a session identifier — a day from 42 terrorists and their 3150 buddies [is] on top of the vast store of EO 12333 records that form the primary basis here.
Because (particularly as the rest of the report shows continually expanding metadata analysis and collection) this is literally just the tip of an enormous iceberg, 151 million edge cases to a vast sea of data.
That's what we're really dealing with here, unprecedented transparency or no: there is a vast surveillance apparatus operating in near-complete darkness, authorized by a presidential executive order and subject to almost zero oversight. Whatever concessions the NSA makes in relation to Section 702 in the upcoming months, its biggest collections will remain untouched. Unless something changes dramatically, the potential for constitutional violations and agency abuse remains unchanged. And, unless something changes dramatically, it will remain unseen.
Filed Under: nsa, odni, surveillance, transparency