NSA Statements On 'About' Collection Shutdown Contradict PCLOB's Findings

from the nothing-is-real-and-nothing-to-get-hung-about dept

The impact the dropping of the "about" collection will have on the NSA's upstream harvesting will either be massive or minimal, depending on who you ask.

The Privacy and Civil Liberties Oversight Board's report on the "about" collection noted a few things, one of them being the supposed impossibility of preventing inadvertent collection.

All of these types of “about” communications can provide intelligence value, helping the government learn more about terrorist networks and their plans or obtain other foreign intelligence. While “about” collection is valued by the government for its unique intelligence benefits, it is, to a large degree, an inevitable byproduct of the way the NSA conducts much of its upstream collection. As discussed earlier in this Report, because of the technical manner in which this collection is performed, the NSA cannot entirely stop acquiring “about” communications without also missing a significant portion of “to/from” communications. Nor does the agency have the capability to selectively acquire certain types of “about” communications but not others.

At least some forms of “about” collection present novel and difficult issues regarding the balance between privacy and national security. But current technological limits make any debate about the proper balance somewhat academic, because it is largely unfeasible to limit “about” collection without also eliminating a substantial portion of upstream’s “to/from” collection, which would more drastically hinder the government’s counterterrorism efforts.

According to the PCLOB's interpretation, the "about" collection -- despite its many civil liberties issues -- could not be dropped without causing a significant loss of intel. In fact, the report goes so far as to claim the "about" collection itself is an "inevitable byproduct" of upstream surveillance -- rather than the way it actually appears to be: the inadvertent collection of US persons' communications is an inevitable byproduct of the "about" collection.

The NSA's statements on the ending of this program don't seem to cohere with the PCLOB's assertions, something pointed out by Jake Laperruque on Twitter.

Two statements were released by the NSA. The first seems more aligned with the PCLOB report's assertions about tech impossibilities and intel loss.

Even though NSA does not have the ability at this time to stop collecting "about" information without losing some other important data, the Agency will stop the practice to reduce the chance that it would acquire communications of U.S. persons or others who are not in direct contact with a foreign intelligence target.

The second statement, however, hints that the intel loss will not be nearly as significant as it's being portrayed... and that the "about" part was never a necessary part of intercepting "to/from" communications.

After considerable evaluation of the program and available technology, NSA has decided that its Section 702 foreign intelligence surveillance activities will no longer include any upstream internet communications that are solely "about" a foreign intelligence target. Instead, this surveillance will now be limited to only those communications that are directly "to" or "from" a foreign intelligence target. These changes are designed to retain the upstream collection that provides the greatest value to national security while reducing the likelihood that NSA will acquire communications of U.S. persons or others who are not in direct contact with one of the Agency's foreign intelligence targets.

The PCLOB's assertion that the "about" collection was an "inevitable byproduct" of upstream surveillance is nowhere to be found. The NSA itself states it can still perform upstream interception without nearly as much inadvertent collection simply by eliminating the "about" variable. If this is true, the NSA always had the capability to reduce the amount of inadvertently-collected communications. It just chose not to.

In any event, the upstream collection lives on, albeit in a slightly more constitutional form. The technical problem the NSA claimed prevented it from inadvertently collecting US persons' communications turns out to be something else: a minimal-impact search variable the agency could have eliminated years ago, bringing back some semblance of targeting to its surveillance work.

Filed Under: 702, about, about searches, mass surveillance, nsa, pclob, section 702, surveillance

Surprise: NSA Stops Collecting Americans' Emails 'About' Foreign Targets

from the this-is-big dept

There aren't many details yet, but Charlie Savage at the NY Times has a major scoop: apparently, the NSA has halted "about" email collections. This is important. As we've discussed in the past, under Section 702 of the FISA Amendments Act, the NSA can collect info on approved "foreign targets." But here's where it got sketchy: they could collect the communications "to" them or "from" them -- which most people would expect -- but also they could collect any communications "about" them. In other words, did you joke about Osama bin Laden in an email? It's possible that under Section 702, the NSA could collect that email without a warrant. That was massively concerning because the "about" emails from Americans could contain lots of other info, and once sucked up into the NSA's system and made available to the FBI for "backdoor" incidental collection searches, could expose people to lots and lots of trouble. There have been pushes over the past few years to limit the collection to no longer include "about" communications, but those had been (as far as we knew!) unsuccessful.

And, for an unclear reason, the NSA has stopped doing that. Trevor Timm speculates that perhaps the FISA court ruled that collection illegal, which is possible (also we just noted that there were no new 702 approvals by the FISA Court last year), so perhaps the FISC is finally taking its job a bit more seriously. We've also pointed out that there have been legal fights over the fact that the DOJ lied to the Supreme Court about the nature of these "about" collections, which may have created more pressure to stop them from happening.

I'm sure that we'll find out more about what happened in the near future, but this will certainly play a large role in the upcoming debate about renewing Section 702.

Filed Under: about searches, backdoor searches, doj, fisa court, fisc, mass surveillance, nsa, section 702, surveillance

Privacy And Civil Liberties Board Mostly Unconcerned About PRISM Or Backbone Tapping By NSA

from the that's-unfortunate dept

As expected, the Privacy and Civil Liberties Oversight Board (PCLOB) has now issued its analysis of the Section 702 surveillance done by the NSA (and, as revealed earlier this week, passed on to the FBI and CIA). You may recall that, back in January, the PCLOB issued a scathing report about the NSA's Section 215 bulk data collection efforts, calling the program both illegal and unconstitutional. In contrast, the report on the 702 program is much more muted -- claiming that the program is constitutional, legal and effective as a counterterrorism tool. Like the previous report, this new one is highly readable -- and I recommend reading it in its entirety. However, the legal analysis is disappointing compared to the earlier report.

The report details how the program works, in a manner that doesn't really reveal too much that's new for folks who have been following all of the details over the past year, but does confirm the basics of how the Section 702 collections work -- something that many, many people seem to be confused about. In short, the Section 702 program is made up of two different collections of information. The first is the infamous PRISM program, which is not as broad as many people have believed in the past. This is when, under FISA Court approval, various internet companies are given certain "selectors" related to non-US persons, and those companies are compelled to hand over the communications to or from that person:

In PRISM collection, the government sends a selector, such as an email address, to a United States-based electronic communications service provider, such as an Internet service provider (“ISP”), and the provider is compelled to give the communications sent to or from that selector to the government. PRISM collection does not include the acquisition of telephone calls. The National Security Agency (“NSA”) receives all data collected through PRISM. In addition, the Central Intelligence Agency (“CIA”) and the Federal Bureau of Investigation (“FBI”) each receive a select portion of PRISM collection.

This is different from the much more troubling "upstream" collection, which comes from directly tapping the internet backbone and basically sifting through everything possible to see if any triggers are hit. This is where the infamous "about" triggers are included. As we've been discussing, the NSA doesn't just collect communications to and from targets, but also "about" them -- and that all happens at the upstream level, rather than PRISM. Upstream is also where the NSA is able to collect audio communications as well.

Upstream collection differs from PRISM collection in several respects. First, the acquisition occurs with the compelled assistance of providers that control the telecommunications “backbone” over which telephone and Internet communications transit, rather than with the compelled assistance of ISPs or similar companies. Upstream collection also includes telephone calls in addition to Internet communications. Data from upstream collection is received only by the NSA: neither the CIA nor the FBI has access to unminimized upstream data. Finally, the upstream collection of Internet communications includes two features that are not present in PRISM collection: the acquisition of so-called “about” communications and the acquisition of so-called “multiple communications transactions” (“MCTs”). An “about” communication is one in which the selector of a targeted person (such as that person’s email address) is contained within the communication but the targeted person is not necessarily a participant in the communication. Rather than being “to” or “from” the selector that has been tasked, the communication may contain the selector in the body of the communication, and thus be “about” the selector. An MCT is an Internet “transaction” that contains more than one discrete communication within it. If one of the communications within an MCT is to, from, or “about” a tasked selector, and if one end of the transaction is foreign, the NSA will acquire the entire MCT through upstream collection, including other discrete communications within the MCT that do not contain the selector.

While PRISM has been the sexy target for complaints due to its name and connection to easy target tech companies, the upstream sifting through the backbone has always been the much more troubling program, and this report confirms that.

Unfortunately, unlike the PCLOB's report on the Section 215 program, here the PCLOB more or less throws up its hands over the possible legal and constitutional issues, insisting that it's probably fine or that violations are "incidental." The EFF has issued a scathing condemnation of the report, noting its most glaring weakness: a failure to recognize that the Constitution requires a warrant to collect any such data in the first place. The PCLOB seems to totally ignore this requirement, as the EFF points out:

The board skips over the essential privacy problem with the 702 “upstream” program: that the government has access to or is acquiring nearly all communications that travel over the Internet. The board focuses only on the government’s methods for searching and filtering out unwanted information. This ignores the fact that the government is collecting and searching through the content of millions of emails, social networking posts, and other Internet communications, steps that occur before the PCLOB analysis starts. This content collection is the centerpiece of EFF’s Jewel v. NSA case, a lawsuit battling government spying filed back in 2008.

The board’s constitutional analysis is also flawed. The Fourth Amendment requires a warrant for searching the content of communication. Under Section 702, the government searches through content without a warrant. Nevertheless, PLCOB’s analysis incorrectly assumes that no warrant is required. The report simply says that it “takes no position” on an exception to the warrant requirement when the government seeks foreign intelligence. The Supreme Court has never found this exception.

PCLOB findings rely heavily on the existence of government procedures. But, as Chief Justice Roberts recently noted: "the Founders did not fight a revolution to gain the right to government agency protocols." Justice Roberts’ thoughts are on point when it comes to NSA spying—mass collection is a general warrant that cannot be cured by government’s procedures.

Frankly, it does seem bizarre that the PCLOB fails to even consider the original collection and whether or not that violates the 4th Amendment. The Constitutional analysis in the report seems to leap over that question almost entirely, focusing just on the question of what the NSA hangs onto later. The brief discussion about the actual collection basically just says "well, this is tricky, because we're not looking at a single instance, but rather an entire program -- some of which may be Constitutional and some of which may be not, so we'll just lump it all together and see if it meets the "reasonable" test." That seems... questionable. If any part of the program is unconstitutional then that's a problem. You don't get to lump it all together and say that, on the whole, it's probably Constitutional because most of the searches and collection would likely be allowed. Even as such, the PCLOB says that the program -- especially the backdoor searches on Americans -- pushes the program "close to the line of constitutional reasonableness" but probably not over it.

These features of the Section 702 program, and their cumulative potential effects on the privacy of U.S. persons, push the entire program close to the line of constitutional reasonableness. At the very least, too much expansion in the collection of U.S. persons’ communications or the uses to which those communications are put may push the program over the line. The response if any feature tips the program over the line is not to discard the entire program; instead, it is to address that specific feature.

And, indeed, nearly all of the "recommendations" are to "address" minor aspects that the PCLOB finds to be potentially troubling, but without making any significant changes to the way either part of the program functions.

For example, concerning those "about" searches, the PCLOB basically says that it would be nice if they were limited, but that the NSA doesn't really have a way to do that, so, oh well, what can you do?

With regard to the NSA’s acquisition of “about” communications, the Board concludes that the practice is largely an inevitable byproduct of the government’s efforts to comprehensively acquire communications that are sent to or from its targets. Because of the manner in which the NSA conducts upstream collection, and the limits of its current technology, the NSA cannot completely eliminate “about” communications from its collection without also eliminating a significant portion of the “to/from” communications that it seeks. The Board includes a recommendation to better assess “about” collection and a recommendation to ensure that upstream collection as a whole does not unnecessarily collect domestic communications.

Similarly, the PCLOB notes that, despite all of the information the intelligence community was willing to share with it, that did not include details of how many US persons were impacted by the program:

The government is presently unable to assess the scope of the incidental collection of U.S. person information under the program. For this reason, the Board recommends several measures that together may provide insight about the extent to which communications involving U.S. persons or people located in the United States are being acquired and utilized.

So, in short, on some of the biggest questions in front of the PCLOB, it basically says "Well, there's not much we can do, but it would sure be nice if we had more info next time." Blech. Shouldn't those be the point at which the PCLOB says "Hey, wait, that's unacceptable and illegal and needs to be fixed!"

While at first, it did seem that the report was ignoring the privacy rights of non-US persons, it does actually include a fairly thorough section on such privacy rights, and how those rights actually do have some built-in protections under the program. While it's a low bar, it's at least moderately reassuring that the program is not, as some assumed, designed to say "non-US persons have no privacy rights whatsoever." The report also notes international law, and President Obama's newly issued rules for protecting the privacy rights of non-US persons, but notes that those rules have not yet been fully implemented and could change the analysis.

In the end, the report does provide some valuable clarifications and explanations of what's going on -- but it's disappointingly weak in the legal and Constitutional analysis. If you're interested in the specific recommendations of the PCLOB, we've included them below, above the embedded report.

Filed Under: 4th amendment, about searches, backdoor searches, cia, fbi, nsa, pclob, prism, section 702, surveillance, upstream collection