Tag: national security agency

NSA Spying on a Gazillion Americans

Today’s widespread outrage over reports that the National Security Agency is conducting widespread, untargeted, domestic surveillance on millions of Americans reminds me of this post from July 2012, in which Sen. Rand Paul reported on a private briefing he’d received. He couldn’t reveal what he’d learned, but he was able to report that the number of Americans subject to surveillance was closer to “a gazillion” than to zero. Now we have a bit more information. As I wrote then:

Sen. Rand Paul (R-KY) gave a great speech on surveillance last week at FreedomFest. Actually, he gave two good speeches, but the one embedded below is his short 6-minute talk at the Saturday night banquet. He talks about our slide toward state intrusion into our phone calls, our emails, our reading habits and so on. You know how big the surveillance state has gotten? The answer is “a gazillion.” Watch the speech—complete with high-falutin’ references to Fahrenheit 451 and the martyr Hugh Latimer!

Your Congress, Your NSA Spying

The National Security Agency is collecting records of every domestic and cross-border Verizon phone call between now and July 19th. The secret court order requiring Verizon to hand over these records has been leaked to the Guardian.

You may find that outrageous. 1984 has arrived. Big Brother is watching you.

But the author of this story is not George Orwell. It’s Representative Lamar Smith of Texas, Senator Diane Feinstein of California, and you.

Here’s what I mean: In June of last year, Representative Smith (R) introduced H.R. 5949, the FISA Amendments Act Reauthorization Act of 2012. Its purpose was to extend the FISA Amendments Act of 2008 for five years, continuing the government’s authority to collect data like this under secret court orders. The House Judiciary Committee reported the bill to the full House a few days later. The House Intelligence Committee, having joint jurisdiction over the bill, reported it at the beginning of August. And in mid-September, the House passed the bill by a vote of 301 to 118.

Sent to the Senate, the bill languished until very late in the year. But with the government’s secret wiretapping authority set to expire, the Senate took up the bill on December 27th. Whether by plan or coincidence, the Senate debated secret surveillance of Americans’ communications during the lazy, distracted period between Christmas and the new year.

Senator Dianne Feinstein (D) was the bill’s chief defender on the Senate floor. She parried arguments doggedly advanced by Senator Ron Wyden (D-OR) that the surveillance law lacks sufficient oversight. My colleague Julian Sanchez showed ably at the time that modest amendments proposed by Wyden and others would improve oversight and in no way compromise security. But false urgency created by the Senate’s schedule won the day, and on December 28th of last year, the Senate passed the bill, sending it to the president, who signed it on December 30th.

The news that every Verizon call is going to the NSA not only vindicates Senator Wyden’s argument that oversight in this area is lacking. It reveals the upshot of that failed oversight: The secret FISA court has been issuing general warrants for communications surveillance.

That is contrary to the Fourth Amendment to the Constitution, which requires warrants to issue “particularly describing the place to be searched, and the persons or things to be seized.” When a court requires “all call detail records” to be handed over “on an ongoing daily basis,” this is in no sense particular. Data about millions of our phone calls are now housed at the NSA. Data about calls you make and receive today will be housed at the NSA.

The reason given for secret mass surveillance of all our phone calls, according to an unofficial comment from the Obama administration, is that it is a “critical tool” against terrorism. These arguments should be put to public proof. For too long, government officials have waved off the rule of law and privacy using “terrorism” as their shibboleth. This time, show us exactly how gathering data about every domestic call on one of the largest telecommunications networks roots out the tiny number of stray-dog terrorists in the country. If the argument is based on data mining, it has a lot to overcome, including my 2008 paper with IBM data mining expert Jeff Jonas, “Effective Counterterrorism and the Limited Role of Predictive Data Mining.”

The ultimate author of the American surveillance state is you. If you’re like most Americans, you allowed yourself to remain mostly ignorant of the late-December debate over FISA reauthorization. You may not have finished digesting your Christmas ham until May, when it was revealed that IRS agents had targeted groups applying for tax exempt status for closer scrutiny based on their names or political themes.

The veneer of beneficent government is off. The National Security Agency is collecting records of your phone calls. The votes in Congress that allowed this to happen are linked above in this post. What are you going to do about it?

CISPA’s Vast Overreach

Last summer at an AEI-sponsored event on cybersecurity, NSA head General Keith Alexander made the case for information sharing legislation aimed at improving cybersecurity. His response to a question from Ellen Nakashima of the Washington Post (starting at 54:25 in the video at the link) was a pretty good articulation of how malware is identified and blocked using algorithmic signatures. In his longish answer, he made the pitch for access to key malware information for the purpose of producing real-time defenses.

What the antivirus world does is it maps that out and creates what’s called a signature. So let’s call that signature A. …. If signature A were to hit or try to get into the power grid, we need to know that signature A was trying to get into the power grid and came from IP address x, going to IP address y.

We don’t need to know what was in that email. We just need to know that it contained signature A, came from there, went to there, at this time.

[I]f we know it at network speed we can respond to it. And those are the authorities and rules and stuff that we’re working our way through.

[T]hat information sharing portion of the legislation is what the Internet service providers and those companies would be authorized to share back and forth with us at network speed. And it only says: signature A, IP address, IP address. So, that is far different than that email that was on it coming.

Now it’s intersting to note, I think—you know, I’m not a lawyer but you could see this—it’s interesting to note that a bad guy sent that attack in there. Now the issue is what about all the good people that are sending their information in there, are you reading all those. And the answer is we don’t need to see any of those. Only the ones that had the malware on it. Everything else — and only the fact that that malware was there — so you didn’t have to see any of the original emails. And only the ones that had the malware on it did you need to know that something was going on.

It might be interesting to get information about who sent malware, but General Alexander said he wanted to know attack signatures, originating IP address, and destination. That’s it.

Now take a look at what CISPA, the Cybersecurity Information Sharing and Protection Act (H.R. 624), allows companies to share with the government provided they can’t be proven to have acted in bad faith:

information directly pertaining to—

(i) a vulnerability of a system or network of a government or private entity or utility;

(ii) a threat to the integrity, confidentiality, or availability of a system or network of a government or private entity or utility or any information stored on, processed on, or transiting such a system or network;

(iii) efforts to deny access to or degrade, disrupt, or destroy a system or network of a government or private entity or utility; or

(iv) efforts to gain unauthorized access to a system or network of a government or private entity or utility, including to gain such unauthorized access for the purpose of exfiltrating information stored on, processed on, or transiting a system or network of a government or private entity or utility.

That’s an incredible variety of subjects. It can include vast swaths of data about Internet users, their communications, and the files they upload. In no sense is it limited to attack signatures and relevant IP addresses.

What is going on here? Why has General Alexander’s claim to need attack signatures and IP addresses resulted in legislation that authorizes wholesale information sharing and that immunizes companies who violate privacy in the process? One could only speculate. What we know is that CISPA is a vast overreach relative to the problem General Alexander articulated. The House is debating CISPA Wednesday and Thursday this week.

Mass Tragedy Boilerplate and Rebuttal

On the road last week, and allergic to getting too heavily involved in the issue de l’heure, I only today saw Holman Jenkins’ Wall Street Journal commentary: “Can Data Mining Stop the Killing?

After the Aurora theater massacre, it might be fair to ask what kinds of things the NSA has programmed its algorithms to look for. Did it, or could it have, picked up on Mr. Holmes’s activities? And if not, what exactly are we getting for the money we spend on data mining?

Other than to collect it in a great mass along with data about all of us, the NSA could not have “picked up on” Mr. Holmes’s activities. As I wrote earlier this year about data mining’s potential for averting school shootings:

“[D]ata mining doesn’t have the capacity to predict rare events like terrorism or school shootings. The precursors of such events are not consistent the way, say, credit card fraud is. Data mining for campus violence would produce many false leads while missing real events. The costs in dollars and privacy would not be rewarded by gains in security and safety.

Jeff Jonas and I wrote about this in our 2006 Cato Policy Analysis, “Effective Counterterrorism and the Limited Role of Predictive Data Mining.”

If the NSA has data about the pathetic loser, Mr. Holmes, and if it were to let us know about it, all that would do is provide lenses for some pundit’s 20/20 hindsight. Data about past events always points to the future that occurred. But there is not enough commonality among rare and sporadic mass shootings to use their characteristics as predictors of future shootings.

Jenkins doesn’t drive hard toward concluding that data mining would have helped, but his inquiry is mass tragedy boilerplate. It’s been rebutted by me and others many times.

Congress Has No Idea What the NSA Is Doing

Didja think that the legislative branch oversees the executive branch? Think again! Congress has no idea what the National Security Agency (NSA) is doing.

Spencer Ackerman at Wired’s Danger Room blog reports on a letter the inspector general of the intelligence community sent earlier this month to Senators Ron Wyden (D-OR) and Mark Udall (D-CO). They had asked how many people in the United States have had their communications collected or reviewed by the NSA.

The letter repeated the NSA IG’s conclusion that estimating this number was “beyond the capacity of his office and dedicating sufficient additional resources would likely impede the NSA’s mission.” Not only that, figuring out the number of people in the United States that the NSA has snooped on “would itself violate the privacy of U.S. persons.”

A federal agency can write a tart, dry non-response like this because Congress is utterly supine before the security bureaucracy. The tough-talking politicians in both parties have no idea what is happening in the agencies they routinely defend as essential. And Congress still hasn’t approved nominations for the Privacy and Civil Liberties Oversight Board, weak sauce that it is, nearly five years since it was reconstituted with greater independence and subpoena power.

The letter concludes with a hopeful note: “I will continue to work with you and the Committee to identify ways that we can enhance our ability to conduct effective oversight.” That also serves as a confession: We have no idea what the NSA is doing.

The Country’s Biggest Spy Center

Under insufficiently sharp questioning, the head of the National Security Agency, Keith Alexander, has denied the substance of a Wired report on the agency’s massive new computer facility and the capabilities the government has to monitor our communications—even heavily encrypted communications.

If you want a sense of how Congress, still panicked by 9/11, has abdicated its responsibilities and permitted the construction of a “turnkey totalitarian state,” read the whole thing.

Top NSA Mathematician: ‘I should apologize to the American people. It’s violated everyone’s rights.’

If you’re a telecommunications firm that helped the National Security Agency illegally spy on your customers without a court order, Sen. Barack Obama will happily vote for legislation he once promised to filibuster in order to secure retroactive immunity. If you’re implicated in the use of torture as an interrogation tactic, you can breathe easy knowing President Barack Obama thinks it’s in the country’s best interests to “look forward, not back.”  But if you were a government official spurred by conscience to blow the whistle on government malfeasance or ineptitude in the war on terror?  As Jane Mayer details in a must-read New Yorker article, you’d better watch out! This administration is shattering records for highly selective prosecutions under the espionage act—and the primary criteria seems to be, not whether national security was harmed in any discernible way by your disclosures, but by the degree of embarrassment they caused the government.

The whole thing is fascinating, but I’m especially interested in the discussion of how electronic surveillance tools that came with built-in privacy controls were tossed in favor of more indiscriminate programs that, by the way, didn’t work and generated huge cost overruns. The most striking quotations come from disillusioned Republican intelligence officials. Here’s Bill Binney, a top NSA mathematician and analyst, on the uses to which his work was put:

Binney expressed terrible remorse over the way some of his algorithms were used after 9/11. ThinThread, the “little program” that he invented to track enemies outside the U.S., “got twisted,” and was used for both foreign and domestic spying: “I should apologize to the American people. It’s violated everyone’s rights. It can be used to eavesdrop on the whole world.”

One GOP staffer on the House Intelligence Committee recounted an exchange with then-NSA head Michael Hayden:

[Diane] Roark, who had substantial influence over N.S.A. budget appropriations, was an early champion of Binney’s ThinThread project. She was dismayed, she says, to hear that it had evolved into a means of domestic surveillance, and felt personally responsible. Her oversight committee had been created after Watergate specifically to curb such abuses. “It was my duty to oppose it,” she told me. “That is why oversight existed, so that these things didn’t happen again. I’m not an attorney, but I thought that there was no way it was constitutional.” [….] She asked Hayden why the N.S.A. had chosen not to include privacy protections for Americans. She says that he “kept not answering. Finally, he mumbled, and looked down, and said, ‘We didn’t need them. We had the power.’ He didn’t even look me in the eye. I was flabbergasted.”

Remember, these aren’t hippies from The Nation,, or ACLU attorneys, or even (ahem) wild-eyed Cato libertarians. They’re registered Republicans appalled by the corruption of the intelligence mission to which they’d devoted their professional lives.