us persons – Techdirt (original) (raw)

Latest ODNI Transparency Report Shows Steep Spike In Unmasking Requests For US Person Caught In NSA Collections

from the some-bad-news,-worse-news,-and-indecipherable-news dept

The Office of the Director of National Intelligence (ODNI) has released the 2018 Transparency Report [PDF]. In it, the ODNI covers the government’s multiple surveillance programs, detailing (but with a minimum of detail) how much intelligence we’re collecting under which authorities.

It’s far from perfect but it’s also far more than we had prior to the Snowden leaks. Transparency was forced on the Intelligence Community following Snowden’s whistleblowing. It’s still an uncomfortable fit for No Such Agency and the agencies benefiting from its data and communication collections.

Even though the NSA’s Section 215 program appears to be on the ropes, plenty of other info, data, and communications were gathered under other authorities. Some of the data provided in the report suggests intelligence collection efforts are becoming more efficient.

National Security Letters (NSLs), the self-issued demands for info favored by the FBI, are experiencing a downturn in use. Some of this may be due to the government now having to justify the indefinite gag orders attached to every NSL. It’s definitely made it a lot less fun to use, seeing as most major tech companies are routinely challenging the secrecy demands attached to this paperwork.

But, while NSL use may be declining, the amount of information collected remains about the same.

Nearly 20,000 NSLs were issued in 2013 with 38,832 ROIs (requests for information) attached. In 2018, only 10,235 NSLs were needed to obtain nearly the same ROI total (38,872).

As was mentioned above, Section 215 — modified by the USA Freedom Act — has all but been abandoned by the NSA. Technical difficulties already present in the program were made worse when the storage of data reverted back to the telcos the NSA approached. According to a national security advisor, this program wasn’t used at all this year, and there’s reason to believe it wasn’t the NSA’s focus last year. Despite that, the NSA still managed to obtain 434 million phone records via Section 215 in 2018.

That number raises questions, some of them voiced by Senator Ron Wyden. The number of records obtained isn’t even the complete total, according to his statement, and it shows the NSA is still not being honest about a collection program it now says it doesn’t think is worth continuing.

The annual ODNI transparency report, while welcome, nonetheless provides a valuable window into how much the American public still doesn’t know about how sprawling surveillance authorities are being used by the federal government.

To start, this report is silent on the status of the National Security Agency’s phone records surveillance program under Section 215. It is critical that the American people know the status of the program, especially given the upcoming congressional debate over reauthorizing it.

Furthermore, the report provides an incomplete count of Section 215 collection because the Intelligence Community claims it cannot count anything it receives in hard copy of portable media. That is unacceptable. And even the incomplete count shows Section 215 collection more than doubled, which requires an explanation. Finally, there needs to be a better public description of what kinds of records are being collected. What kinds of ‘papers, documents and other items’? How does the Intelligence Community define ‘electronic communications transactions records’?

Also of concern is how often requests are being made to unmask the identities of US persons caught up in supposedly foreign-facing surveillance. Minimization processes are supposed to protect US citizens inadvertently collected by the NSA, but this can be undone if a US agency shows a “need” to know the identity of the person whose records have been collected.

Despite all the noise this administration made about alleged improper targeting of Trump’s transition team via unmasking requests, these requests have increased under Trump.

In 2018, the NSA, which conducts legally authorized surveillance of communications overseas, unmasked the identities of 16,721 “U.S. persons,” a term that can include corporations, in response to a request from another government agency, according to the report from the Office of the Director of National Intelligence. That was a more than 7,000-person increase from 2017.

Here are the numbers:

The NSA is doing its part by masking US persons caught in its collections, but it’s being undone by other agencies. The ODNI’s… um… civil liberties officer says the spike may be due to increased monitoring of foreign attacks on US companies. It’s likely we’ll never know what’s behind this unmasking spike (barring another Snowden), but it is something to remain concerned about, no matter who’s running the country.

Filed Under: mass surveillance, nsa, odni, surveillance, unmasking, us persons

Documents Obtained By The ACLU Show NSA's Inability To Prevent Collection Of US Persons' Data And Communications

from the sued-into-translucence dept

The ACLU has freed up more NSA documents — again as the result of a FOIA lawsuit. Some of what’s been obtained provides a few more details on the NSA’s reliance on Executive Order 12333 to perform its data and communications harvesting. This Executive Order is, and always has been, the go-to authority for the NSA. This allows it to bypass nearly every form of oversight. There’s no FISA court involvement or input from Congressional oversight committees. The NSA relies almost exclusively on the good graces of the Executive Branch — something that has worked out in its favor for the past two presidencies.

The NSA’s Office of General Counsel issued a memo discussing the agency’s SIGINT (signals intelligence) work in 2007 as a response to questions from the executive branch. As is par for the course, the memo expresses its concerns for the rights of “US persons,” as well as the agency’s strict compliance with the Fourth Amendment. All well and good as far as that goes, which isn’t very far.

[W]e conclude that compliance with NSA’s Attorney General-approved minimization procedures, which are required by Executive Order 12333 and are rooted in Fourth Amendment privacy protections, constrains NSA from granting to employees of other intelligence agencies widespread access to NSA content databases.

Which is true, more or less. Agencies like the UK’s GCHQ are given broad access to raw, unminimized data and communications collected by the NSA, all without a warrant. The built-in argument is that the NSA doesn’t release unminimized US person data or communications to its Five Eyes partners. But this distinction makes very little difference in practice.

As a practical matter, metadata from electronic communications such as email cannot be similarly shared at the moment under the same theory, because it is not possible to determine what communications are to or from U.S, persons nearly as readily as is the case with telephony, and often is not possible at all.

As a “practical matter,” nearly nothing the NSA collects should be shared, considering the untargeted manner in which it’s collected. The NSA can’t guarantee anything about the composition of its bulk collections, but that doesn’t stop it from disseminating unminimized data/communications to its foreign “customers.” In fact, the document clearly states that the agency feels there are zero protections inherent in “meta data,” which means the sharing of identifying information (like phone numbers) with foreign intelligence agencies is perfecty acceptable.

A more recent memo — issued in 2013 — notes the further expansion of its powers under EO 12333. The document describes the 2008’s modification of the 1981 Order, which consolidated signals intelligence programs under the Director of the National Security Agency. This also brought the Director of the CIA onboard as the head of Human Intelligence. The FBI was also brought in under the expansion of this directive, which added a new layer of middle management — “functional managers” — to the mix. These positions are in place to “weigh” the effectiveness of the interconnected agencies’ programs against the “National Intelligence Priorities Framework,” something that has rarely worked out in favor of privacy or civil liberties.

Filed Under: 4th amendment, eo 12333, executive order 12333, foia, nsa, privacy, surveillance, us persons
Companies: aclu

Obama: Checks & Balances Work Great To Prevent Abuse By NSA… But, Perhaps We Could Fix Things

from the say-what-now dept

It appears that, for the first time, President Obama has, ever so slightly, conceded that perhaps laws need to be tightened up to prevent abuses by the NSA. Of course, that came immediately after he insisted (falsely) that the current checks and balances were working and that the NSA isn’t spying on Americans. This is a flat out lie from the President, and people should call him on it. He’s lying.

“What I can say with confidence is that when it comes to our domestic operation, the concerns that people have back home in the United States of America, that we do not surveil the American people or persons within the United States, that there are a lot of checks and balances in place designed to avoid a surveillance state,” Obama said. “There have been times where the procedures, because these are human endeavors, have not worked the way they should and we had to tighten them up. And I think there are legitimate questions that have been raised about the fact that as technology advances and capabilities grow, it may be that the laws that are currently in place are not sufficient to guard against the dangers of us being able to track so much.”

Once again, that first part — the part he says “with confidence” — is a lie. We’ve already seen plenty of evidence that while the NSA insists that it doesn’t surveil people within the US, it appears to do so regularly. Of course, since it classifies these as “incidental,” it doesn’t think they count, but they do. No, it may not be watching every single thing that US citizens do, but US citizens’ data are clearly captured and analyzed quite frequently.

That said, the second part of that statement is actually a tiny step forward, in that it’s President Obama actually signalling — for the first time — that the program has been abused and that new rules are possible. Many people will complain that it’s such a minor statement (and coming right after a flat out lie, not particularly trustworthy), but it is more or less a signal that the President is likely resolved to agree to changes in how the NSA operates. Now the fight will be over what kinds of changes. The administration will seek to minimize those changes, but just the admission that changes need to happen is at least a baby step in the right direction.

Filed Under: barack obama, checks and balances, lies, nsa, nsa surveillance, oversight, us persons

Oh, And Let's Not Forget That The NSA Tried To 'Intercept' A Ton Of Phone Calls From Egypt

from the not-just-about-us-persons dept

I know that one thing I’ve heard from a bunch of foreigners during the past few months concerning the debates over the NSA’s surveillance programs is that they don’t understand why everyone’s so focused on the issue of “US persons,” since that implies we really don’t care at all about the fact that the NSA has no restrictions at all on spying on every communication from everyone else in the world. And, that’s a valid point. Of course, if we’re focusing on just the pure flat out law-breaking by the NSA, the US persons issue is important, because they’re not allowed to do that. But, it shouldn’t minimize the fact that if you’re not a “US person” under the NSA’s definition, you’re totally fair game. And while we’ve already mentioned the whole “accidental” collection of a bunch of phone call metadata from Washington DC by the NSA, it’s worth revisiting it as well in this context. Most of the coverage has just focused on the fact that the NSA collected so much data on calls coming out of DC:

In one instance, the NSA decided that it need not report the unintended surveillance of Americans. A notable example in 2008 was the interception of a “large number” of calls placed from Washington when a programming error confused the U.S. area code 202 for 20, the international dialing code for Egypt, according to a “quality assurance” review that was not distributed to the NSA’s oversight staff.

Right, but if they did that “correctly” it would have meant info on a “large number” of calls from Egypt all would have been collected. And, given this information, it seems quite likely that once the “programming error” was “corrected” those Egyptian call info did start getting sucked up into the machine. Now, some in the US might not mind that, but I’d imagine that people in Egypt and around the globe outside of the US are probably looking at that and are not at all happy about it. The fact that an analyst can just plug in their entire country code and “intercept” calls without (it appears) any oversight (which, of course, would have caught the 202/20 error) seems ripe for massive abuse, which is unlikely to get recorded in any report.

Filed Under: egypt, intercepts, nsa surveillance, phone calls, surveillance, us persons

Wacky NSA Slide Tells Agents Not To Worry About 'Incidental' Collection Of Info On Americans

from the keep-on-searching... dept

There are so many incredible bits and pieces in Barton Gellman’s Washington Post expose on NSA abuse, that we’ve got a bunch of posts today digging deeper into various parts. For example, Gellman reveals a somewhat wacky presentation slide, complete with a palm tree graphic and with the somewhat folksy title:

Lesson 4: So you got a U.S. Person Information?

And then explains what to do about it. They’re pretty clear that if you’re directly targeting a US person, that’s a problem (and it is, because that’s illegal). If it’s considered “inadvertent,” then you also have to stop, write up an incident report and notify people. That sounds reasonable. But… then there’s the “incidental” section. Here, incidental is described as:

You targeted a legitimate foreign entity and acquired information/communications to/from/about a U.S. Person in your results.

That doesn’t seem particularly “incidental” to me. But, here’s the kicker. While with all the other forms of collection the NSA is told to stop, when it’s “incidental” they’re told:

This does not constitute a USSID SP008 violation, so it does not have to be reported in the IG quarterly.

Note that the IG report is the one that was revealed, listing all of the abuses. Yet, here they seem to be indicating that these “incidental” collections of information (and note that it’s not just “metadata” here, but full “communications” as well) aren’t a real problem. They’re told to “apply… minimization procedures” to limit the info on US persons, but we’ve already seen what a joke those minimization procedures can be.

As Gellman also notes in his report, it appears that the info collected “incidentally” here gets added to NSA databases and can be searched freely:

The NSA uses the term “incidental” when it sweeps up the records of an American while targeting a foreigner or a U.S. person who is believed to be involved in terrorism. Official guidelines for NSA personnel say that kind of incident, pervasive under current practices, “does not constitute a . . . violation” and “does not have to be reported” to the NSA inspector general for inclusion in quarterly reports to Congress. Once added to its databases, absent other restrictions, the communications of Americans may be searched freely.

Just last week, it was discussed that there’s a “loophole” that, according to Senator Wyden, allows for “warrantless searches for the phone calls or emails of law-abiding Americans.” Who knows if this is that particular loophole, but it does seem like a fairly large loop. Just say it’s “incidental” and boom, search away.

Remember, the IG report also reveals that a “programming error” meant that a ton of phone calls placed from Washington DC were “intercepted” by the NSA (because someone typed in 202, DC’s area code, instead of 20, Egypt’s country code) — and that mistake wasn’t reported. That doesn’t seem “incidental” to me.

Another example:

In dozens of cases, NSA personnel made careless use of the agency’s extraordinary powers, according to individual auditing reports. One team of analysts in Hawaii, for example, asked a system called DISHFIRE to find any communications that mentioned both the Swedish manufacturer Ericsson and “radio” or “radar” — a query that could just as easily have collected on people in the United States as on their Pakistani military target.

Think about that for a second. Any communication that mentions both Ericsson and “radio” or “radar.” Just for the hell of it, I just did a search on my own email account for the terms “Ericsson” and “radio” and it came back with a ton of results, including 47 from just 2013. In just my mailbox. Many of those are from various wireless news letters or PR announcements, but still…

Filed Under: americans, incidental, loophole, nsa, nsa surveillance, us persons

Loophole Shows That, Yes, NSA Has 'Authority' To Spy On Americans — Directly In Contrast With Public Statements

from the and,-another-one dept

Right, so remember that claim yesterday from Barack Obama about how there is no domestic surveillance program? And remember in our post we noted that such a statement might come back to bite him, seeing that Snowden had leaked somewhere between 15,000 to 20,000 more documents to Glenn Greenwald and somewhere in there, it seemed like there was a decent chance there was evidence that Obama was lying? Right, so, funny story… this morning, James Ball and Spencer Ackerman over at the Guardian have published the details of a neat little loophole that does, in fact, give the NSA “authority” to run searches on Americans without any kind of warrant. This is due to a “rule change” in 2011.

The focus here is on Section 702 under the FISA Amendments Act, which is the authority that the PRISM program is under. Ever since the initial leaks, the defenders of the NSA have repeatedly stated that 702 only applies to non-US citizens who are outside the US. But as the “update” above notes, there was a change to the rules in late 2011 which allows for queries on US persons. As Senator Wyden told the Guardian, this “loophole” now directly allows “warrantless searches for the phone calls or emails of law-abiding Americans.”

This also seems reminiscent of our point on Wednesday, in which we noted that every time the NSA is asked about its ability to spy on everyone, it answers about its authority. And, here’s evidence that it has clearly been given the “authority” to spy on Americans, contrary to the very clear language of the law.

Also, the timing of this seems interesting. Earlier, we’d noted that the NSA’s massive data collection program, Stellar Wind, had been shut down in 2011. And… right about that time suddenly a new law is put in place allowing 702 searches to happen on US persons? I’m sure that’s just a complete coincidence…

Filed Under: 702, backdoor searches, domestic surveillance, faa, fisa amendments act, loophole, nsa, nsa surveillance, ron wyden, surveillance, us persons

Latest NSA Leak: Rules On How They Use Data Without A Warrant

from the wow dept

Glenn Greenwald had promised that there were more incredible leaks concerning the NSA to come, and here’s the first big one. Greenwald has revealed the NSA’s rules that show the procedures for targeting non-US persons, and also how they “minimize” data collected on US persons when dealing with the “bulk” data records collection they do, such as with all of the data around every phone call made. These are two key parts to the NSA’s insistence that they’re staying within the law and not spying on people in the US. The details here, however, suggest a very different story. The FISA court has signed off on these rules that appear to grant incredibly wide latitude for the NSA to make use of data, rather than really “minimize” its usage. While President Obama and others have insisted that the rules make sure that the NSA really isn’t collecting data on Americans, the reality shows that FISC approved rules let the NSA:

* Keep data that could potentially contain details of US persons for up to five years; * Retain and make use of “inadvertently acquired” domestic communications if they contain usable intelligence, information on criminal activity, threat of harm to people or property, are encrypted, or are believed to contain any information relevant to cybersecurity; * Preserve “foreign intelligence information” contained within attorney-client communications; * Access the content of communications gathered from “U.S. based machine[s]” or phone numbers in order to establish if targets are located in the US, for the purposes of ceasing further surveillance.

The report from Greenwald also reveals that orders he has seen from the FISA court concerning broad data collection do not appear to include details or explanations, other than your basic rubber stamp that FISC says it’s okay.

One such warrant seen by the Guardian shows that they do not contain detailed legal rulings or explanation. Instead, the one-paragraph order, signed by a Fisa court judge in 2010, declares that the procedures submitted by the attorney general on behalf of the NSA are consistent with US law and the fourth amendment.

But since those procedures have now been leaked, we can see that they’re not very carefully targeted at all. If the NSA doesn’t know where someone is located, it can assume the person is foreign:

In the absence of specific information regarding whether a target is a United States person, a person reasonably believed to be located outside the United States or whose location is not known will be presumed to be a non-United States person unless such person can be positively identified as a United States person.

That part about how the NSA can still keep data on US persons if they believe the data contains “evidence of a crime,” “technical data base information” or “information pertaining to a threat of serious harm to life or property” obviously give the NSA incredible powers to — contrary to what they’ve stated publicly — retain all sorts of info on Americans.

Once we and others have had a chance to dig deeper through these, I’m sure we’ll have more to say, but for now, it appears that, once again, the NSA and its defenders were less than fully forthcoming about how the NSA uses the data it collects and how it makes sure that Americans aren’t targeted.

Filed Under: fisa, fisa court, fisc, foreign persons, minimization, nsa, nsa surveillance, oversight, targeting, us persons, warrants