Tech Fixes to Illegal Spying
NSA spying whistleblower Edward Snowden says that NSA agents as well as private contractors who work for the American security services can decide on their own to access any American’s digital communications. Snowden said in a video interview that he could from Hawaii “wiretap anyone from you or your accountant to a federal judge to even the president.”
In a question and answer session today through the Guardian newspaper, Snowden said:
1) More detail on how direct NSA’s accesses are is coming, but in general, the reality is this: if an NSA, FBI, CIA, DIA, etc analyst has access to query raw SIGINT databases, they can enter and get results for anything they want. Phone number, email, user id, cell phone handset id (IMEI), and so on – it’s all the same. The restrictions against this are policy based, not technically based, and can change at any time. Additionally, audits are cursory, incomplete, and easily fooled by fake justifications. For at least GCHQ [the British equivalent of the NSA], the number of audited queries is only 5% of those performed.
2) NSA likes to use “domestic” as a weasel word here for a number of reasons. The reality is that due to the FISA Amendments Act and its section 702 authorities, Americans’ communications are collected and viewed on a daily basis on the certification of an analyst rather than a warrant. They excuse this as “incidental” collection, but at the end of the day, someone at NSA still has the content of your communications. Even in the event of “warranted” intercept, it’s important to understand the intelligence community doesn’t always deal with what you would consider a “real” warrant like a Police department would have to, the “warrant” is more of a templated form they fill out and send to a reliable judge with a rubber stamp.
Glenn Greenwald follow up: When you say “someone at NSA still has the content of your communications” – what do you mean? Do you mean they have a record of it, or the actual content?
Both. If I target for example an email address, for example under FAA 702, and that email address sent something to you, Joe America, the analyst gets it. All of it. IPs, raw data, content, headers, attachments, everything. And it gets saved for a very long time – and can be extended further with waivers rather than warrants.
The National Security Agency has acknowledged in a new classified briefing that it does not need court authorization to listen to domestic phone calls.
Rep. Jerrold Nadler, a New York Democrat, disclosed this week that during a secret briefing to members of Congress, he was told that the contents of a phone call could be accessed “simply based on an analyst deciding that.”
If the NSA wants “to listen to the phone,” an analyst’s decision is sufficient, without any other legal authorization required, Nadler said he learned. “I was rather startled,” said Nadler, an attorney and congressman who serves on the House Judiciary committee.
Not only does this disclosure shed more light on how the NSA’s formidable eavesdropping apparatus works domestically, it also suggests the Justice Department has secretly interpreted federal surveillance law to permit thousands of low-ranking analysts to eavesdrop on phone calls.
Because the same legal standards that apply to phone calls also apply to e-mail messages, text messages, and instant messages, Nadler’s disclosure indicates the NSA analysts could also access the contents of Internet communications without going before a court and seeking approval.
The disclosure appears to confirm some of the allegations made by Edward Snowden ….
Earlier reports have indicated that the NSA has the ability to record nearly all domestic and international phone calls — in case an analyst needed to access the recordings in the future. A Wired magazine article last year disclosed that the NSA has established “listening posts” that allow the agency to collect and sift through billions of phone calls through a massive new data center in Utah, “whether they originate within the country or overseas.” That includes not just metadata, but also the contents of the communications.
Sen. Dianne Feinstein (D-Calif.), the head of the Senate Intelligence committee, separately acknowledged this week that the agency’s analysts have the ability to access the “content of a call.”
Yesterday, top NSA whistleblowers confirmed Snowden’s claims:
[USA Today]: Thomas Drake, you worked as a contractor for the NSA for about a decade before you went on staff there. Were you surprised that a 29-year-old contractor based in Hawaii was able to get access to the sort of information that he released?
Drake: It has nothing to do with being 29. It’s just that we are in the Internet age and this is the digital age. So, so much of what we do both in private and in public goes across the Internet. Whether it’s the public Internet or whether it’s the dark side of the Internet today, it’s all affected the same in terms of technology. …
One of the critical roles in the systems is the system administrator. Someone has to maintain it. Someone has to keep it running. Someone has to maintain the contracts.
Binney: Part of his job as the system administrator, he was to maintain the system. Keep the databases running. Keep the communications working. Keep the programs that were interrogating them operating. So that meant he was like a super-user. He could go on the network or go into any file or any system and change it or add to it or whatever, just to make sure — because he would be responsible to get it back up and running if, in fact, it failed.
So that meant he had access to go in and put anything. That’s why he said, I think, “I can even target the president or a judge.” If he knew their phone numbers or attributes, he could insert them into the target list which would be distributed worldwide. And then it would be collected, yeah, that’s right. As a super-user, he could do that.
[USA Today]: As he said, he could tap the president’s phone?
Binney: As a super-user and manager of data in the data system, yes, they could go in and change anything.
And the analysts’ decision to tap your communications can go backwards … a long way. For example, NBC News reports:
NBC News has learned that under the post-9/11 Patriot Act, the government has been collecting records on every phone call made in the U.S.
Former FBI counter-terrorism agent Tim Clemente told CNN:
There’s a way to look at digital communications in the past.
In other words, if an analyst wants to spy on you, he can pull up your communications since 9/11. (Remember, the private Internet Archive has been archiving web pages since the 1990s. So the NSA has undoubtedly been doing the same thing with digital communications).
The high-level NSA executive who largely created the NSA’s electronic data-gathering system – William Binney, a 32-year NSA veteran with the title of senior technical director, who headed the agency’s global digital data gathering program (featured in a New York Times documentary, and the source for much of what we know about NSA spying) – says that information gained through spying will be used to frame Americans that the government – or presumably anyone with the information – takes a dislike to:
Even if you’re not doing anything wrong you’re being watched and recorded. And the storage capability of these systems increases every year consistently by orders of magnitude … to where it’s getting to the point where you don’t have to have done anything wrong. You simply have to eventually fall under suspicion from somebody – even by a wrong call. And then they can use this system to go back in time and scrutinize every decision you’ve ever made, every friend you’ve ever discussed something with. And attack you on that basis to sort to derive suspicion from an innocent life and paint anyone in the context of a wrongdoer.
Binney also says that there is a cheap and easy technological fix for the government’s massive illegal spying program. Specifically, Binney says that he set up the NSA’s system so that all of the information would automatically be encrypted, so that the government had to obtain a search warrant based upon probably cause before a particular suspect’s communications could be decrypted.
But the NSA now collects all data in an unencrypted form, so that no probable cause is needed to view any citizen’s information. He says that it is actually cheaper and easier to store the data in an encrypted format: so the government’s current system is being done for political – not practical – purposes.
Binney’s statements have been confirmed by other top NSA whistleblowers.
Yesterday, these top NSA whistleblowers again explained that it is technically simple to keep America safe … while protecting our Constitutional rights:
[USA Today]: Is there a way to collect this data that is consistent with the Fourth Amendment, the constitutional protection against unreasonable search and seizure?
Binney: Two basic principles you have to use. … One is what I call the two-degree principle. If you have a terrorist talking to somebody in the United States — that’s the first degree away from the terrorist. And that could apply to any country in the world. And then the second degree would be who that person in the United States talked to. So that becomes your zone of suspicion.
And the other one (principle) is you watch all the jihadi sites on the Web and who’s visiting those jihadi sites, who has an interest in the philosophy being expressed there. And then you add those to your zone of suspicion.
Everybody else is innocent — I mean, you know, of terrorism, anyway.
Wiebe: Until they’re somehow connected to this activity.
Binney: You pull in all the contents involving (that) zone of suspicion and you throw all the rest of it away. You can keep the attributes of all the communicants in the other parts of the world, the rest of the 7 billion people, right? And you can then encrypt it so that nobody can interrogate that base randomly.
That’s the way of preventing this kind of random access by a contractor or by the FBI or any other DHS (Department of Homeland Security) or any other department of government. They couldn’t go in and find anybody. You couldn’t target your next-door neighbor. If you went in with his attributes, they’re encrypted. … So unless they are in the zone of suspicion, you won’t see any content on anybody and you won’t see any attributes in the clear. …
It’s all within our capabilities.
Drake: It’s been within our capabilities for well over 12 years.
Wiebe: Bill and I worked on a government contract for a contractor not too far from here. And when we showed him the concept of how this privacy mechanism that Bill just described to you — the two degrees, the encryption and hiding of identities of innocent people — he said, “Nobody cares about that.” I said, “What do you mean?”
This man was in a position to know a lot of government people in the contracting and buying of capabilities. He said. “Nobody cares about that.”
Drake: This (kind of surveillance) is all unnecessary. It is important to note that the very best of American ingenuity and inventiveness, creativity, had solved the major challenge problem the NSA faced: How do you make sense of vast amounts of data, provide the information you need to protect the nation, while also protecting the fundamental rights that are enshrined in the Constitution?
The government in secret decided — willfully and deliberately — that that was no longer necessary after 9/11. So they said, you know what, hey, for the sake of security we are going to draw that line way, way over. And if it means eroding the liberties and freedoms of Americans and others, hey, so be it because that’s what’s most important. But this was done without the knowledge of the American people.
And yesterday, these top NSA whistleblowers explained to USA Today that an easy technical fix could also keep contractors away from Americans’ confidential information that they’re not entitled to view:
[USA Today]: Would it make a difference if contractors weren’t used?
Wiebe: I don’t think so. They are human beings. You know, look at what’s going on with the IRS and the Tea Party. You know, there (are) human beings involved. We are all human beings — contractors, NSA government employees. We are all human beings. We undergo clearance checks, background investigations that are extensive and we are all colors, ages and religions. I mean this is part of the American fabric.
Binney: But when it comes to these data, the massive data information collecting on U.S. citizens and everything in the world they can, I guess the real problem comes with trust. That’s really the issue. The government is asking for us to trust them.
It’s not just the trust that you have to have in the government. It’s the trust you have to have in the government employees, (that) they won’t go in the database — they can see if their wife is cheating with the neighbor or something like that. You have to have all the trust of all the contractors who are parts of a contracting company who are looking at maybe other competitive bids or other competitors outside their — in their same area of business. And they might want to use that data for industrial intelligence gathering and use that against other companies in other countries even. So they can even go into a base and do some industrial espionage. So there is a lot of trust all around and the government, most importantly, the government has no way to check anything that those people are doing.
[USA Today]: So Snowden’s ability to access information wasn’t an exception?
Binney: And they didn’t know he was doing (it). … That’s the point, right? …They should be doing that automatically with code, so the instant when anyone goes into that base with a query that they are not supposed to be doing, they should be flagged immediately and denied access. And that could be done with code.
But the government is not doing that. So that’s the greatest threat in this whole affair.