President Barack Obama and top intelligence officials have emphasized that surveillance now being referred to as PRISM is done under court oversight.
Just what, exactly, that court oversight has entailed has never been elucidated – not, that is, until Thursday, when The Guardian published top-secret documents submitted to the secret Foreign Intelligence Surveillance (FISA) court.
Those documents show that FISA judges have signed off on “broad orders” that allow the National Security Agency (NSA) to use information collected “inadvertently” from domestic US sources without a warrant, The Guardian reports.
The Guardian published in full these two documents, which describe the procedures used by the NSA to target its surveillance:
- NSA procedures to target non-US persons [PDF]
- NSA procedures to minimise data collected from US persons [PDF]
Both documents were signed by Attorney General Eric Holder and dated 29 July 2009.
In a speech delivered on Wednesday in Germany, President Obama called the surveillance “a circumscribed, narrow system” whose aim is to protect “our people”, all of it being done “under the oversight of the courts.”
In spite of such assurances, it turns out that the FISA courts allow for much broader surveillance and much more leeway for mistakes than the public has known up until now.
The documents detail when data collected on US persons under the foreign intelligence authority has to be destroyed, the procedures analysts must follow to ascertain whether targets are outside the US, and how US call records are used to help remove US citizens and residents from data collection.
From The Guardian, a list of how policies approved by the FISA court allow NSA agents to:
- Keep data that could potentially contain details of US persons for up to five years;
- Retain and make use of “inadvertently acquired” domestic communications if they contain usable intelligence, information on criminal activity, threat of harm to people or property, are encrypted, or are believed to contain any information relevant to cybersecurity;
- Preserve “foreign intelligence information” contained within attorney-client communications;
- Access the content of communications gathered from “U.S. based machine[s]” or phone numbers in order to establish if targets are located in the US, for the purposes of ceasing further surveillance.
One of the most jarring revelations to come out of the documents is that the administration’s assurances of US citizens’ protection from warrantless surveillance seem to have plenty of footnotes and exceptions that haven’t been publicly disclosed until now.
They also reveal that courts don’t always determine who’s targeted for surveillance, because that discretion is exercised by the NSA’s own analysts, with only a percentage of decisions being reviewed by regular internal audits.
To make those decisions, NSA analysts use information including IP addresses, potential targets’ statements, and public information and data collected by other agencies.
In the absence of such information – for example, if a potential target is using online anonymity services such as Tor, or sending encrypted email and instant messages – agents are encouraged to assume that the target is outside the US.
From the documents:
"In the absence of specific information regarding whether a target is a United States person, a person reasonably believed to be located outside the United States or whose location is not known will be presumed to be a non-United States person unless such person can be positively identified as a United States person."
If it turns out that a person of interest is actually in the US, analysts are still permitted to look at the content of his or her messages, or listen to phone calls, to establish whether they are, in fact, in the country.
In 2009, Holder signed off on procedures that instructed communications interception to stop immediately once a target is confirmed to be in the US.
But that excludes large-scale data, from which the NSA claims it can’t filter out US vs. non-US communications.
The NSA is allowed to argue for the retention of entirely domestic communications – i.e., when neither of the parties is overseas – if it finds “significant foreign intelligence information”, “evidence of a crime”, “technical database information” (such as encrypted communications), or “information pertaining to a threat of serious harm to life or property”.
If communication is encrypted – particularly if a US person is using certain types of cryptology or steganography known to have been used by “individuals associated with a foreign power or foreign territory” – the NSA is free to collect it and store it “indefinitely” for future reference and cryptanalysis attempts.
The American Civil Liberties Union (ACLU) put out a statement on Thursday criticizing the government’s warrantless surveillance “of innocent Americans’ international communications.”
Jameel Jaffer, American Civil Liberties Union deputy legal director, said that the latest revelations confirm the fears that first arose when Congress enacted FISA in 2008:
"We worried that the NSA would use the new authority to conduct warrantless surveillance of Americans' telephone calls and emails. These documents confirm many of our worst fears. The 'targeting' procedures indicate that the NSA is engaged in broad surveillance of Americans' international communications.
"The 'minimization' procedures that supposedly protect Americans' constitutional rights turn out to be far weaker than we imagined they could be. For example, the NSA claims the authority to collect and disseminate attorney-client communications - and even, in some circumstances, to turn them over to Justice Department prosecutors. The government also claims the authority to retain Americans' purely domestic communications in certain situations."
ACLU Staff Attorney Alex Abdo said:
"Collectively, these documents show indisputably that the legal framework under which the NSA operates is far too feeble, that existing oversight mechanisms are ineffective, and that the government's surveillance policies now present a serious and ongoing threat to our constitutional rights. The release of these documents will help inform a crucial public debate that should have taken place years ago."
The so-called PRISM surveillance saga, far from slipping from public view, has, in fact, fueled a debate that had already begun to produce fruit, including Texas’ newly enacted law against warrantless surveillance at the state level.
Meanwhile, efforts are already underway in both houses of Congress to revise the woefully antiquated Electronic Communications Privacy Act, which was written in 1986, well before the current realities of cloud storage and other technologies transformed how we use electronic communications.
The debate is, indeed, overdue, and the public deserves to be informed of every aspect possible, short of compromising national security.
Read The Guardian’s reporting on the issue. It’s far more extensive than what I’ve summarized here.
A heartfelt thank you to the news outlet for continuing to follow the story to whatever new revelations it may yet have in store.
Presumably, "encrypted" communications would include any websites visited over HTTPS? Which would suggest that if you take steps to protect yourself from criminals, the NSA will assume you're a criminal.
At this rate, they'll be locking everyone up "just in case".
That is the logical end-point for all politicians that say “all possible steps must be taken to avoid “x”…”, or “I would do anything to prevent “x”…”
We have to accept that whatever ill “x” is, it is not possible to totally avoid it, and therefore a balance has to be struck.
Absolutely. Thank you to The Guardian and to Edward Snowden for allowing the public to have the debate and thus stand up for our rights. That is invaluable.
HTTPS and VPN traffic is "encrypted". Do they keep that forever as well?
So, just because I am not in the USA they think it's right to snoop on me and everyone else similarly not in the US? What about my friend who is a US citizen but temporarily resides in the UK for business reasons so communicates with his employer and family/friends back home – is he considered snoop fodder?
Doesn't seem right to me that anyone outside of the US is possibly being snooped on and probably for no good reason.
Yes, I know there are those out there in the ether who would 'do evil' to those who don't agree with them, but they are a minority surely?
They sure do.
Yup
But then all of us outside the US of A are considered “aliens” and presumably therefore more likely to do evil than those miscreants inside the US.
Didn’t the Afghans disagree with the American govt about the placement of some pipeline (through existing villages) and get told to accept either a carpet of gold or a carpet of bombs? So, disagree with the American govt and you can see how the Americans ‘do evil’.
Several data centers that total a few hundred thousand square meters just for storing data caught inadvertently?
Ha, ha, ha!
db
So the juiciest digital valuables of rich people – who actually bother to encrypt their shit for obvious reasons – will have their shit decrypted at the earliest possible time a vulnerability is discovered in their encryption. And then the digital valuables may become equally as valuable to the person(s) who decrypted it.
I’ve been wondering about the lack of references to SSL as well. Should we assume that SSL traffic is casually and easily decrypted en-route by the NSA?
So, being a non-american who uses u.s. based cloud services and encrypts the files on the cloud (for my privacy and my clients’ protection) I am automatically a spy/terrorist.
As much as it is convenient for me to use these services, I think it’s time to look into non-u.s. based alternatives since all american based companies will be forced to comply with these measures.
Then to look for non-u.s. Operating System, Software, etc.
Lost all faith in any u.s. based technology.
Steer clear of UK services as well – GCHQ are apparently monitoring even more than the NSA. Google "Tempora" if you want to be scared.
Precisely why open source software is the best solution. If you (and everyone else) can vet the source code, you can be sure there are no back doors.
Isn’t this something akin to, “We’re gonna follow that guy because he’s wearing gloves, and gloves hide fingerprints.” Encryption and tunneling techniques are completely legal. It’s not right that we should be targeted for using legal software techniques.
It seems that we all need to use tor and encrypt our communications so as to let the government know that not all who do are criminals. I commonly encrypt my email to others about the development of a plug computer which no one really cares about. I guess I'm going to have to find a tor site to use, if that makes them happy. Just think how much storage they would need if we all did this??? I think we should.
It just might turn out that Edward Snowden may be a hero instead of a criminal. I tried to write my senator about that, specifically. Have not received any response as of yet.
For Mike in the UK, yes you COULD be a criminal, however it seems we are all in this boat and as one of them stated "Don't worry if we have your number, you are being protected and we have very secure areas for this data". Doesn't that just make you feel great!
Jack
I am Spartacus?
So, lemmee see if I've got this straight: The NSA's assumption is that if you're using secure (encrypted) messaging, you must have something illegal to hide, and therefore you must be guilty of some crime? Terrific.
Translation: Taking normal and reasonable steps to ensure the privacy and security of one's personal information and private communications is now considered sufficient grounds for surveillance of suspected illegal activity.
Sheesh…this just gets worse with each new revelation.
The deliberate installation and use of monitoring equipment and software cannot possibly be construed as “inadvertent” in any court of law.
Some people use Tor / VPN / Proxies when watching porn. It would be a time waster for the NSA to go after these people.
Not if they are watching child porn; sadly, sick people like this exist and actually use Tor and similar encryption mechanisms to do their dealings.
The more I read about PRISM the more the concept of big brother is becoming a reality.
This raises an interesting point I noticed. In many movies the bad guys are easily recognizable and therefore easy to despise and fight against. And often have to actually do something despicable for us to recognize them.
But in reality bad guys are often hard to recognize in the first place, justify actions in such a way that you don’t think they are doing evil and carry out their evil deeds without people ever knowing. They are the most dangerous kind.
Please NSA don’t be those bad guys!
If the snoops stop snooping now, terrorist attacks will certainly escalate – thousands of limbs blown apart, airport security worsens to being unbearable, sports and music events become potential death traps. Choosing between these 2 evils, I know which one I'll choose.
They that can give up essential liberty to purchase a little temporary safety, deserve neither liberty nor safety. -Benjamin Franklin
When does it stop? This is a clear example of this tumbling effect going too far. We will all essentially be owned soon enough if this is allowed to continue.