December 10, 2013

The Top 5 Things We’ve Learned About the NSA Thanks to Edward Snowden

The Partnership for Civil Justice Fund has spent years on the front lines of the challenge to government surveillance. The PCJF has exposed domestic spying operations including thousands of pages of documents revealing how the FBI, the Department of Homeland Security and other agencies used their "anti-terrorism" authority and funding to spy on and suppress peaceful protest movements in the United States; uncovered the implementation of a mass surveillance grid; and engaged in other litigation and government transparency work in defense of free speech, civil rights and civil liberties.

The top 5 things we’ve learned about the NSA thanks to Edward Snowden

And the top 5 things that have happened as a result of the whistleblowing.
Ars Technica - Just over four months ago, the Internet at large became significantly more acquainted with the National Security Agency (NSA).

It's all thanks to Edward Snowden, a former NSA contractor (and longtime Ars reader) with access to an unprecedented volume of documents. Snowden's leaks detailed for the first time the vast scale of American international telecommunications surveillance. While many people may have speculated or even "known" about such capabilities, Snowden’s disclosures provided internal proof previously unavailable to the general public.

Ars has done its best to cover the day-by-day updates that have unfolded as a result of Snowden’s actions, both in terms of what we’ve learned of the government’s capabilities and what has changed since then. With most of the Ars staff at our annual two-day conference this week, we’ve decided to take some time to breathe and recap what we’ve learned so far. We've narrowed the revelations down to five, so this list is hardly exhaustive—but feel free to tell us what we’ve missed.

What we’ve learned:
  • American telcos are compelled to routinely hand over metadata to the government
  • Digital surveillance programs capture vast amounts of data: PRISM and XKeyscore
  • US companies have done little to resist government pressure
  • NSA's sister organization, GCHQ, does what the NSA can’t
  • NSA analysts even used capabilities to spy on their exes
What has happened since:
  • As a way to prevent future leaks, the NSA fired nearly all its sysadmins
  • Privacy-minded e-mail providers shut themselves down under pressure
  • The Foreign Intelligence Surveillance Court (FISC) opened up and published docket and opinions
  • Patriot Act author said that NSA’s interpretation is overbroad
  • Congressional reforms introduced, remain slow-moving

Ain’t no party like a third party

The entire saga kicked off on June 5, 2013 when The Guardian first published a secret order issued by the FISC that required Verizon to hand over vast amounts of metadata to the NSA. The order specified that Verizon was required to share the information on an “ongoing, daily basis” and encompassed the phone records pertaining to all of Verizon's American customers, whether the communications were between US-based callers or between a US caller and an international caller.

While the Verizon order was the only one officially published to date, it’s been a working assumption that other American telcos have been served with similar FISC orders. Roughly six weeks after this first disclosure, the FISC renewed that order.

The government relies on a well-established (but increasingly challenged) part of American case law known as the “third-party doctrine.” This notion says that when a person has voluntarily disclosed information to a third party—in this case, the telco—the customer no longer has a reasonable expectation of privacy over the numbers dialed or call duration. Therefore, this doctrine argues, such metadata can be accessed by law enforcement with essentially no problem.

The following day, Glenn Greenwald, The Guardian journalist who first broke the story, revealed another bombshell. On June 6, 2013, he introduced the world to PRISM, a massive NSA spying program that involved data sharing through various household-name tech giants, including Facebook, Google, Microsoft, and others.

In connection to the PRISM news, Facebook published a blog post soon after, writing that it has “been in discussions with US national security authorities urging them to allow more transparency and flexibility around national security-related orders we are required to comply with.”

Facebook continued: “We’re pleased that as a result of our discussions, we can now include in a transparency report all US national security-related requests (including Foreign Intelligence Surveillance Act [FISA] as well as National Security Letters)—which until now no company has been permitted to do.”

Despite the positive tone, Facebook (and other companies) cannot disclose how many of the requests for user data that it received were from federal, state, or local authorities. The companies can't detail whether any federal letters were from the NSA, a FISA court, the FBI, or some other entity. Facebook said that overall, it received between 9,000 and 10,000 requests from authorities in the second half of 2012, pertaining to between 18,000 and 19,000 individual Facebook accounts. (Other companies have subsequently also argued to the government that they should be allowed to break out how many aggregate requests they receive, but many have been rebuffed so far.)

A special relationship

Within two months of the PRISM revelations, Greenwald published another codenamed program: XKeyscore.

This NSA spy program captures vast swaths of unencrypted HTTP traffic at secret sites that span the entire world. However, due to storage limitations, it seems that it can only keep that data for relatively short periods of time. As Ars previously described, it would be nearly impossible for the NSA to store all that data for an extended time. One published slide says that for a single 30-day period in 2012, the data included “at least 41 billion total records.”

By the end of July 2013, we learned directly from a FISC judge that no corporation ever served with a “business record” court order under the Patriot Act has ever challenged one. This is despite the fact that the law provides them a means to do so. In other words, when the government asked Verizon to hand over call records and other metadata to the NSA, the company did so without so much as a peep.

In an 11-page letter from FISC Presiding Judge Reggie B. Walton to Sen. Patrick Leahy (D-VT), the judge wrote, “To date no recipient of a production order has opted to invoke this section of the statute.”

As the summer went on, it appeared that at least some of the Snowden trove was being shared by additional media outlets, including The Washington Post and a few foreign outlets, particularly in Brazil and Germany. Some of those publications soon reported that there was also extensive spying by the NSA’s British sister spy agency, the Government Communications Headquarters (GCHQ).
"It's not just a US problem. The UK has a huge dog in this fight," Snowden told The Guardian. "They [GCHQ] are worse than the US."
The Guardian also reported that Snowden’s documents showed that the NSA paid around $152 million to the GCHQ since 2010. "GCHQ must pull its weight and be seen to pull its weight," a GCHQ strategy briefing reportedly said.

Later, Süddeutsche Zeitung and German public broadcaster NDR published not only the names of the companies but also their GCHQ nicknames: "Verizon ('Dacron'), BT ('Remedy'), Vodafone Cable ('Gerontic'), Global Crossing ('Pinnage'), Level 3 ('Little'), Viatel ('Vitreous'), and Interoute ('Streetcar')."

The German newspaper cited an internal GCHQ presentation slide as its source. It also slammed the GCHQ, saying that the organization had “lost all sense of proportion.”

Under Britain's Regulation of Investigatory Powers Act (RIPA) of 2000, the government does have broad powers to conduct digital surveillance. However, many believe that this wholesale data sharing is outside the scope of targeted warrants as described under RIPA. In July 2013, Privacy International, a London-based advocacy group, sued the British government for alleged abuses under the law.

Even with all those wrinkles, probably the most memorable (and darkly humorous) episode came from the disclosure of LOVEINT.

In August 2013, the Wall Street Journal introduced the world to an internal term that NSA analysts have come up with to describe the act of spying on one’s ex-partner: LOVEINT. The word is reminiscent of existing spycraft parlance, like HUMINT (human intelligence) or SIGINT (signals intelligence). (As you'd expect, LOVEINT spawned endless Twitter jokes.)

Needless to say, many Americans, including Sen. Chuck Grassley (R-IA) were not exactly thrilled with the idea that NSA employees could put America’s vast surveillance capability to use spying on ex-boyfriends and ex-girlfriends. He immediately fired off a letter to the NSA Office of the Inspector General (OIG).
By late September 2013, the OIG’s September 11, 2013 response to Sen. Grassley was published on the senator’s website. Inspector General Dr. George Ellard wrote that the NSA had “two open investigations into alleged misuse of SIGINT and is reviewing one allegation for possible investigation.”

In each of these cases, NSA employees were either docked in pay or punished administratively. Some even left the agency before any further action could be taken. Ultimately, no criminal charges were brought against any of these subjects. Worse still, most of these instances appeared to largely be the result of reactive reporting by the “subject” (the person who conducted the LOVEINT abuse), not the result of proactive internal measures at the NSA.

“A substantial misrepresentation”

One of the most immediate effects of Snowden’s disclosures was the beginning of the NSA looking inward. The head of the NSA, Gen. Keith Alexander, testified before a Congressional hearing that as of June 2013, there were approximately 1,000 NSA system administrators with credentials similar to Edward Snowden's. Alexander revealed new plans that would require two-person authorization for any employee to download the kind of data Snowden did.
“This is a huge problem,” Alexander said. “We’re coming up with a two-person rule to make sure we have a way to block [such wide access].”
By August, the agency also dismissed nearly all of its systems administrators as a way to avoid another such massive leak.
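The “two-person rule” Alexander describes is a dual-control check: a privileged action goes ahead only when two distinct, authorized people, neither of them the requester, have approved it. As an added illustration (not NSA code, and not from the Ars article), the following Python sketch shows the checks such a gate needs to enforce. The role directory, the four-hour approval window, the account names and the audit log are all constructed assumptions for the example.

```python
"""Dual-control (two-person) authorization gate for a bulk data export.

Added example; not NSA or Ars code. Roles, accounts, the approval window
and the audit log below are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

APPROVAL_WINDOW = timedelta(hours=4)  # assumed policy: approvals go stale

# Constructed role directory: only holders of "approver" may sign off.
ROLE_DIRECTORY = {
    "sysadmin_a": {"sysadmin", "approver"},
    "sysadmin_b": {"sysadmin", "approver"},
    "sysadmin_c": {"sysadmin"},            # operator without approval authority
    "analyst_x": {"analyst"},
}

# Fixed reference time so the example is deterministic offline.
T0 = datetime(2013, 8, 1, tzinfo=timezone.utc)


def hours(h):
    """Return T0 plus h hours (helper for sample timestamps)."""
    return T0 + timedelta(hours=h)


class DualControlError(Exception):
    """Raised when an approval can never count toward the two-person rule."""


@dataclass
class Approval:
    approver: str
    issued_at: datetime


@dataclass
class ExportRequest:
    requester: str
    dataset: str
    requested_at: datetime
    approvals: list = field(default_factory=list)


def record_approval(req, approver, now):
    """Attach an approval, rejecting ones that violate the rule outright."""
    if "approver" not in ROLE_DIRECTORY.get(approver, set()):
        raise DualControlError(f"{approver} lacks the approver role")
    if approver == req.requester:
        raise DualControlError("requester may not approve their own export")
    if any(a.approver == approver for a in req.approvals):
        raise DualControlError(f"{approver} already approved this request")
    req.approvals.append(Approval(approver, now))


def approval_rejected(req, approver, now):
    """Boolean wrapper around record_approval for callers that avoid exceptions."""
    try:
        record_approval(req, approver, now)
        return False
    except DualControlError:
        return True


def authorize_export(req, now, audit):
    """Allow the export only with two distinct, still-valid approvals.

    Every decision, allow or deny, is appended to the audit list so that a
    reviewer can later see who authorized which export and when.
    """
    valid = [
        a for a in req.approvals
        if "approver" in ROLE_DIRECTORY.get(a.approver, set())  # role may have been revoked
        and a.approver != req.requester
        and now - a.issued_at <= APPROVAL_WINDOW
    ]
    distinct = {a.approver for a in valid}
    decision = "ALLOW" if len(distinct) >= 2 else "DENY"
    audit.append(
        f"{now.isoformat()} {decision} export of {req.dataset} "
        f"by {req.requester} approvers={sorted(distinct)}"
    )
    return decision == "ALLOW"


if __name__ == "__main__":
    log = []
    req = ExportRequest("sysadmin_c", "call-metadata-2013-07", hours(0))
    record_approval(req, "sysadmin_a", hours(0))
    print(authorize_export(req, hours(0), log))   # one approval: denied
    record_approval(req, "sysadmin_b", hours(1))
    print(authorize_export(req, hours(2), log))   # two approvers: allowed
    print(authorize_export(req, hours(9), log))   # approvals expired: denied
    print("\n".join(log))
```

Two design points matter here: the requester is excluded at both the approval and the authorization step, so a single compromised sysadmin account cannot both ask and approve, and the role check is repeated at authorization time so an approval from an account whose role was revoked in the meantime no longer counts.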

As the NSA story began to unfold, more of us started to take our own operational security more seriously. (Ars even published its first list of staff PGP keys.) Snowden, of course, beat us all to the punch. As a veteran of intelligence agencies, he deeply understood the long arm of the United States. Snowden famously refused to communicate with Greenwald until the American reporter enabled PGP on his own computer.

Snowden’s e-mail provider of choice, the Texas-based Lavabit, came under newfound scrutiny. By the second week of August, Lavabit pulled the plug rather than succumbing to government pressure to hand over access to all of its users’ data, including Snowden’s. Less than a day later, Silent Circle did the same to its Silent Mail product—going so far as to physically destroy company servers.

The biggest bit of self-reflection and action likely came from the FISC, though. Created in 1978 under FISA, the court’s mandate (among other things) is to approve special surveillance warrants (FISA warrants) for American federal agencies to use against suspected foreign agents. One of 11 judges who are tapped from existing federal circuit judge posts nationwide can then grant a warrant’s approval. (The sitting chief justice of the Supreme Court, John Roberts, currently has the sole authority to nominate FISC judges.)

In the court’s history, warrants (and related orders) are approved more than 99 percent of the time.

But post-Snowden, in mid-June 2013, we saw a FISC milestone. Less than two weeks after the first leak, FISC granted its first-ever motion to allow disclosure of an earlier FISC opinion. And this was a doozy: the disclosed opinion declared parts of the NSA’s surveillance under Section 702 of the FISA Amendments Act to be unconstitutional. Today, the court’s publicly accessible docket remains pretty short, and in fact, the website didn't even exist prior to Snowden’s actions. The court’s decisions, orders, and warrants have been kept secret for 30 years.

As a result of a lawsuit brought about by the Electronic Frontier Foundation, the government ordered a declassification review. This later prompted the publication (on Tumblr of all places) of a number of FISC orders and opinions. That lawsuit was filed after Sen. Ron Wyden (D-OR) went public with the knowledge of at least one violation in July 2012.

In late August 2013, the publication of these documents showed that there have been many instances in which FISC judges had substantial questions about the NSA’s spying operations.

The longest item from the initial group was a previously secret October 2011 document from the FISC showing that the NSA "frequently and systematically violated" its own oversight requirements. The agency collected as many as 56,000 e-mails and communications by Americans with no connection to terrorism.

The federal judge authoring the opinion, FISC Judge John Bates, concluded that there is no way to know with certainty how far the government’s intelligence and surveillance capabilities have actually gone. In his 85-page opinion, Bates noted that his court originally approved the NSA's ability to capture a limited and targeted amount of data.
“In conducting its review and granting those approvals, the Court did not take into account NSA’s acquisition of Internet transactions, which now materially and fundamentally alters the statutory and constitutional analysis,” the judge wrote.
In a footnote, he added:
The Court is troubled that the government’s revelations regarding NSA’s acquisition of Internet transactions mark the third instance in less than three years in which the government has disclosed a substantial misrepresentation regarding the scope of a major collection program.
. . .
Contrary to the government’s repeated assurances, NSA had been routinely running queries of the metadata using querying terms that did not meet the required standard for querying. The Court concluded that this requirement had been “so frequently and systematically violated that it can fairly be said that this critical element of the overall… regime has never functioned effectively.”
A September 2013 release and another phone conference with reporters showed that FISC judges again had significant problems with the NSA’s actions. As expected, top intelligence officials downplayed the court's findings, insisting that the court "did not find any intentional effort" to violate the law.
"These are some incredibly complicated systems that NSA was not able to fully and accurately articulate to the court, in large part because no one at NSA had a full understanding of how the program was operating at the time," said Robert Litt, general counsel of the Office of the Director of National Intelligence.

“Simply beyond any reasonable understanding of the word”

Beyond new documents from the FISC, other traditional courts have become possible avenues to halt current mass surveillance programs. Within the first two months of the Snowden leaks, two major groups (the American Civil Liberties Union and the Electronic Frontier Foundation) filed separate but equally significant lawsuits as an attempt to halt the Verizon metadata handover program.

One of the strongest challenges to the metadata handover, at least in the court of public opinion, has come from Rep. James Sensenbrenner (R-WI), the original author of the PATRIOT Act. That post-September 11 piece of legislation (specifically its Section 215) is what the government claims gives it the authority to collect all this data.

As Sensenbrenner wrote in his filing:
The vast majority of the records collected will have no relation to the investigation of terrorism at all. This collection of millions of unrelated records is built in to the mass call collection program. Defendants’ theory of “relevance” is simply beyond any reasonable understanding of the word. And it certainly is not what amicus intended the word to mean.

Defendants do not explain why Congress would have enacted such meaningless provisions. The bulk data collection program is unbounded in its scope. The NSA is gathering on a daily basis the details of every call that every American makes, as well as every call made by foreigners to or from the United States. How can every call that every American makes or receives be relevant to a specific investigation?
Beyond legal cases, there may be some hope of legislative relief to put the brakes on what has clearly become an overzealous data collection and foreign surveillance program.

In late September, Sen. Ron Wyden (D-OR) and three colleagues introduced the Intelligence Oversight and Surveillance Reform Act, which would add unprecedented changes to the intelligence and FISC process.
“[FISC's] rulings and opinions need to be made public in order for public confidence to exist,” Wyden said. “Secret courts were one of the reasons that we rebelled against the English. Star chambers became a symbol of our reason for revolution, and secrecy should be really an anathema to our judicial process.”
Wyden and his colleagues pushed the idea of a “constitutional advocate,” or ombudsman, who would act as the government’s judicial adversary in a FISC hearing. He also addressed a likely rebuttal from the intelligence community: that valuable information may be lost if the judicial process is bogged down by appeals.
“There should be no delay from a constitutional advocate because the review can happen while the warrants are ongoing,” he said. “That appeal can be to SCOTUS or to [other] courts of appeals, to [the FISC of Review]. The appeal right now is nonexistent because only the government is represented. The constitutional advocate would have as its clients the rights of American citizens.”
However, due to the October 2013 United States government shutdown, the immediate prospects for passage of this act seem murky at best. After all, President Barack Obama’s surveillance review panel never convened as a result of the gridlock.

Meanwhile, the NSA’s surveillance programs continue unabated. And just this week, we learned about a new one: an address-book-gathering program.
