Category Archives: NSA

Fisa court: no telecoms company has ever challenged phone records orders

The Guardian reports: No telecommunications company has ever challenged the secretive Foreign Intelligence Surveillance court’s orders for bulk phone records under the Patriot Act, the court revealed on Tuesday.

The secretive Fisa court’s disclosure came inside a declassification of its legal reasoning justifying the National Security Agency’s ongoing bulk collection of Americans’ phone records.

Citing the “unprecedented disclosures” and the “ongoing public interest in this program”, Judge Claire V Eagan on 29 August not only approved the Obama administration’s request for the bulk collection of data from an unidentified telecommunications firm, but ordered it declassified. Eagan wrote that despite the “lower threshold” for government bulk surveillance under Section 215 of the Patriot Act compared to other laws, the telephone companies who have received Fisa court orders for mass customer data have not challenged the law.

“To date, no holder of records who has received an Order to produce bulk telephony metadata has challenged the legality of such an Order,” Eagan wrote. “Indeed, no recipient of any Section 215 Order has challenged the legality of such an order, despite the mechanism for doing so.”

That complicity has not been total. Before the Bush administration moved the bulk phone records collection under the authority of the Fisa court, around 2006, Qwest Communications refused to participate in the effort. [Continue reading…]

‘Follow the Money’: NSA spies on international payments

Der Spiegel reports: The United States’ NSA intelligence agency is interested in international payments processed by companies including Visa, SPIEGEL has learned. It has even set up its own financial database to track money flows through a “tailored access operations” division.

The National Security Agency (NSA) widely monitors international payments, banking and credit card transactions, according to documents seen by SPIEGEL.

The information from the American foreign intelligence agency, acquired by former NSA contractor and whistleblower Edward Snowden, shows that the spying is conducted by a branch called “Follow the Money” (FTM). The collected information then flows into the NSA’s own financial databank, called “Tracfin,” which in 2011 contained 180 million records. Some 84 percent of the data is from credit card transactions.

Further NSA documents from 2010 show that the NSA also targets the transactions of customers of large credit card companies like VISA for surveillance. NSA analysts at an internal conference that year described in detail how they had apparently successfully searched through the US company’s complex transaction network for tapping possibilities.

Their aim was to gain access to transactions by VISA customers in Europe, the Middle East and Africa, according to one presentation. The goal was to “collect, parse and ingest transactional data for priority credit card associations, focusing on priority geographic regions.” In response to a SPIEGEL inquiry, however, a VISA spokeswoman ruled out the possibility that data could be taken from company-run networks.

The NSA’s Tracfin data bank also contained data from the Brussels-based Society for Worldwide Interbank Financial Telecommunication (SWIFT), a network used by thousands of banks to send transaction information securely. SWIFT was named as a “target,” according to the documents, which also show that the NSA spied on the organization on several levels, involving, among others, the agency’s “tailored access operations” division. One of the ways the agency accessed the data included reading “SWIFT printer traffic from numerous banks,” the documents show. [Continue reading…]

Time to tame the NSA behemoth trampling our rights

Yochai Benkler writes: The spate of new NSA disclosures substantially raises the stakes of this debate. We now know that the intelligence establishment systematically undermines oversight by lying to both Congress and the courts. We know that the NSA infiltrates internet standard-setting processes to security protocols that make surveillance harder. We know that the NSA uses persuasion, subterfuge, and legal coercion to distort software and hardware product design by commercial companies.

We have learned that in pursuit of its bureaucratic mission to obtain signals intelligence in a pervasively networked world, the NSA has mounted a systematic campaign against the foundations of American power: constitutional checks and balances, technological leadership, and market entrepreneurship. The NSA scandal is no longer about privacy, or a particular violation of constitutional or legislative obligations. The American body politic is suffering a severe case of auto-immune disease: our defense system is attacking other critical systems of our body.

First, the lying. The National Intelligence University, based in Washington, DC, offers a certificate program called the denial and deception advanced studies program. That’s not a farcical sci-fi dystopia; it’s a real program about countering denial and deception by other countries. The repeated misrepresentations suggest that the intelligence establishment has come to see its civilian bosses as adversaries to be managed through denial and deception. [Continue reading…]

Snowden unlikely to have passed documents to Russians or Chinese

TechDirt: Wednesday’s Fresh Air on NPR was devoted entirely to a wonderful interview with Barton Gellman, one of the three reporters (along with Laura Poitras and Glenn Greenwald) who Edward Snowden initially gave his complete set of documents to. The whole interview is interesting, though if you’ve been following this story for the last few months, you’ll have heard much of it before. Perhaps the two most interesting sections, however, are his discussions on Edward Snowden’s intentions with all of this. Many have ascribed comically nefarious intent. Gellman has a fairly compelling explanation for why that’s unlikely. First, he explains that Snowden could have easily just dumped all of these documents somewhere public:

“[Snowden] gave these documents, ultimately, to only three journalists. What he said he wanted was for us to use our own judgment and to make sure that his bias was kept out of it so that we could make our own judgment about what was newsworthy and important for the public to know. And he said we should also consider how to avoid harm.

“Now, in case anyone doubts his intentions, let’s consider what he could’ve done. If Chelsea [aka Bradley] Manning was able to exfiltrate and send to WikiLeaks and publish in whole half a million U.S. government documents, Edward Snowden — who is far, far more capable [and] had far greater access, certainly knows how to transmit documents — he could’ve sent them to WikiLeaks. He could’ve set up and mirrored around the Internet in a way that could not have been taken down. All of the documents could be public right now and they’re not. … He told us not to do it.”

Elsewhere in the discussion, he goes further:

Writing an editorial about the risk that Snowden… or that implies that Snowden is about to or may already have handed over all of his information to Wikileaks or to the Russians is entirely without evidence. It is pure speculation. There is strong evidence, now three months after his first disclosures, and more than three months after he started giving information to journalists, that he does not intend to make the whole pile public. He could have done it on the first day. He could have done it months before I ever heard of him.

He then goes on to explain why it’s incredibly unlikely that Snowden gave the documents to the Russians or the Chinese, despite many assuming that to be the case. [Continue reading…]

Fisa judge: Snowden’s NSA disclosures triggered important spying debate

The Guardian reports: The court that oversees US surveillance has ordered the government to review for declassification a set of secret rulings about the National Security Agency’s bulk trawls of Americans’ phone records, acknowledging that disclosures by the whistleblower Edward Snowden had triggered an important public debate.

The Fisa court ordered the Justice Department to identify the court’s own rulings after May 2011 that concern a section of the Patriot Act used by the NSA to justify its mass database of American phone data. The ruling was a significant step towards their publication.

It is the second time in a week that a US court has ordered the disclosure of secret intelligence rulings. On Tuesday, a federal court in New York compelled the government to declassify numerous documents that revealed substantial tension between federal authorities and the surveillance court over the years.

On Thursday, James Clapper, the director of national intelligence, conceded that the NSA is likely to lose at least some of its broad powers to collect data on Americans.

He acknowledged that Snowden’s disclosures had prompted a necessary debate: “As loath as I am to give any credit to what’s happened here, I think it’s clear that some of the conversations this has generated, some of the debate, actually needed to happen.

“If there’s a good side to this, maybe that’s it.” [Continue reading…]

Ex-MI6 deputy chief plays down damage caused by Snowden leaks

The Guardian reports: A former senior British secret intelligence officer on Thursday played down any potential damage done by the leaks to the Guardian of the spying activities of GCHQ and America’s National Security Agency, apparently contradicting claims made by UK security chiefs.

The leaks, by former NSA contractor Edward Snowden, were “very embarrassing, uncomfortable, and unfortunate”, Nigel Inkster, former deputy chief of MI6, said.

While Inkster said it was too early to draw any definite conclusions about the impact of the leaks, he added:

“I sense that those most interested in the activities of the NSA and GCHQ have not been told very much they didn’t know already or could have inferred.”

Al-Qaida leaders in the tribal areas of Pakistan had been “in the dark” for some time – in the sense that they had not used any form of electronic media that would “illuminate” their whereabouts, Inkster said. He was referring to counter measures they had taken to avoid detection by western intelligence agencies.

Other “serious actors” were equally aware of the risks to their own security from NSA and GCHQ eavesdroppers, he said. [Continue reading…]

If you argue that the NSA data has not been misused, you must know something the NSA doesn’t

Zeynep Tufekci writes: In light of the revelations of a massive data collection and snooping effort by the NSA, one response has been to suggest that privacy advocates are overreacting, and that, as a friend put it, “the scale of abuses reported is minimal/nonexistent” so this is not that big of a deal.

That the abuses of this massive data trove that we know of are very few is true — but that should not be a comfort as this hides a huge, uncomfortable problem. We don’t know what we don’t know, and not just in some abstract, philosophical sense that there will always be “unknown unknowns,” but very specifically in that what we know of the NSA’s data management practices strongly suggests that the NSA itself doesn’t really know how the data it is collecting is being used.

In a nutshell, here’s what we’ve learned, or has been highlighted, as a result of Edward Snowden’s leaks: Almost all major software companies as well as telecommunications giants have created mechanisms by which the NSA has access to traffic and user information that goes through that company. We have also learned that NSA has been deliberately weakening internet security so that it can eavesdrop easier on it all. We learned that NSA also taps into internet’s physical backbone and listens in to the traffic directly.

In short, the NSA is collecting a massive amount of data from multiple, varied sources. Each of these data surveillance methods produces massive amounts of complex, incongruous data in nonstop fashion. Just managing data storage at this scale is a humongous challenge, let alone categorizing and sorting it all, and then retrieving it on demand.

To manage this data beast, the NSA seems to have relied on highly-competent “sysadmins”—in effect super users. The powerful wizards. What is increasingly clear that it did not do, however, is find a way to provide an effective oversight of these sysadmins, the custodians of it all. [Continue reading…]

The NSA’s next move: silencing university professors?

Jay Rosen writes: This actually happened yesterday:

A professor in the computer science department at Johns Hopkins, a leading American university, had written a post on his blog, hosted on the university’s servers, focused on his area of expertise, which is cryptography. The post was highly critical of the government, specifically the National Security Agency, whose reckless behavior in attacking online security astonished him.

Professor Matthew Green wrote on 5 September:

I was totally unprepared for today’s bombshell revelations describing the NSA’s efforts to defeat encryption. Not only does the worst possible hypothetical I discussed appear to be true, but it’s true on a scale I couldn’t even imagine.

The post was widely circulated online because it is about the sense of betrayal within a community of technical people who had often collaborated with the government. (I linked to it myself.)

On Monday, he gets a note from the acting dean of the engineering school asking him to take the post down and stop using the NSA logo as clip art in his posts. The email also informs him that if he resists he will need a lawyer. The professor runs two versions of the same site: one hosted on the university’s servers, one on Google’s blogger.com service. He tells the dean that he will take down the site mirrored on the university’s system but not the one on blogger.com. He also removes the NSA logo from the post. Then, he takes to Twitter. [Continue reading…]

NSA mimics Google to monitor ‘target’ web users

Mother Jones reports: Buried in a Brazilian television report on Sunday was the disclosure that the NSA has impersonated Google and possibly other major internet sites in order to intercept, store, and read supposedly secure online communications. The spy agency accomplishes this using what’s known as a “man-in-the-middle (MITM) attack,” a fairly well-known exploit used by elite hackers. This revelation adds to the growing list of ways that the NSA is believed to snoop on ostensibly private online conversations.

In what appears to be a slide taken from an NSA presentation that also contains some GCHQ slides, the agency describes “how the attack was done” on “target” Google users. According to the document, NSA employees log into an internet router — most likely one used by an internet service provider or a backbone network. (It’s not clear whether this was done with the permission or knowledge of the router’s owner.) Once logged in, the NSA redirects the “target traffic” to an “MITM,” a site that acts as a stealthy intermediary, harvesting communications before forwarding them to their intended destination.

The brilliance of an MITM attack is that it defeats encryption without actually needing to crack any code. If you visit an impostor version of your bank’s website, for example, the NSA could harvest your login and password, use that information to establish a secure connection with your real bank, and feed you the resulting account information — all without you knowing. [Continue reading…]

Obama’s NSA surveillance review panel did not discuss changes, attendees say

The Guardian reports: A review panel created by President Obama to guide reforms to US government surveillance did not discuss any changes to the National Security Agency’s controversial activities at its first meeting, according to two participants.

The panel, which met for the first time this week in the Truman Room of the White House conference center, was touted by Obama in August as a way for the government to consider readjusting its surveillance practices after hearing outsiders’ concerns.

But two attendees of the Monday meeting said the discussion was dominated by the interests of major technology firms, and the session did not address making any substantive changes to the controversial mass collection of Americans’ phone data and foreigners’ internet communications, which can include conversations with Americans.

Robert Atkinson, the president of the Information Technology and Innovation Foundation and an attendee, told the Guardian that he “did not hear much discussion” of changes to the bulk surveillance activities.

“My fear is it’s a simulacrum of meaningful reform,” said Sascha Meinrath, a vice president of the New America Foundation, an influential Washington think tank, and the director of the Open Technology Institute, who also attended. “Its function is to bleed off pressure, without getting to the meaningful reform.” [Continue reading…]

NSA shares raw intelligence including Americans’ data with Israel

The Guardian reports: The National Security Agency routinely shares raw intelligence data with Israel without first sifting it to remove information about US citizens, a top-secret document provided to the Guardian by whistleblower Edward Snowden reveals.

Details of the intelligence-sharing agreement are laid out in a memorandum of understanding between the NSA and its Israeli counterpart that shows the US government handed over intercepted communications likely to contain phone calls and emails of American citizens. The agreement places no legally binding limits on the use of the data by the Israelis.

The disclosure that the NSA agreed to provide raw intelligence data to a foreign country contrasts with assurances from the Obama administration that there are rigorous safeguards to protect the privacy of US citizens caught in the dragnet. The intelligence community calls this process “minimization”, but the memorandum makes clear that the information shared with the Israelis would be in its pre-minimized state.

The deal was reached in principle in March 2009, according to the undated memorandum, which lays out the ground rules for the intelligence sharing.

The five-page memorandum, termed an agreement between the US and Israeli intelligence agencies “pertaining to the protection of US persons”, repeatedly stresses the constitutional rights of Americans to privacy and the need for Israeli intelligence staff to respect these rights.

But this is undermined by the disclosure that Israel is allowed to receive “raw Sigint” – signal intelligence. The memorandum says: “Raw Sigint includes, but is not limited to, unevaluated and unminimized transcripts, gists, facsimiles, telex, voice and Digital Network Intelligence metadata and content.”

According to the agreement, the intelligence being shared would not be filtered in advance by NSA analysts to remove US communications. “NSA routinely sends ISNU [the Israeli Sigint National Unit] minimized and unminimized raw collection”, it says.

Although the memorandum is explicit in saying the material had to be handled in accordance with US law, and that the Israelis agreed not to deliberately target Americans identified in the data, these rules are not backed up by legal obligations. [Continue reading…]

NSA illegally gorged on U.S. phone records for three years

Wired reports: What happens when a secret U.S. court allows the National Security Agency access to a massive pipeline of U.S. phone call metadata, along with strict rules on how the spy agency can use the information?

The NSA promptly violated those rules — “since the earliest days” of the program’s 2006 inception — carrying out thousands of inquiries on phone numbers without any of the court-ordered screening designed to protect Americans from illegal government surveillance.

The violations continued for three years, until they were uncovered by an internal review, and the NSA found itself fighting to keep the spy program alive.

That’s the lesson from hundreds of pages of formerly top secret documents from the Foreign Intelligence Surveillance Court, released today by the Obama administration in response to a successful Freedom of Information Act lawsuit brought by the Electronic Frontier Foundation.

“Incredibly, intelligence officials said today that no one at the NSA fully understood how its own surveillance system worked at the time so they could not adequately explain it to the court,” says EFF activist Trevor Timm. “This is a breathtaking admission — the NSA’s surveillance apparatus, for years, was so complex and compartmentalized that no single person could comprehend it.”

Intelligence Director James Clapper, in a blog post today, blamed the unlawful spying in part on “the complexity of the technology employed in connection with the bulk telephony metadata collection program,” and said it was not done deliberately.

But the secret surveillance court, set up in 1978 to oversee intelligence-gathering activities, didn’t see it that way. In 2009, in response to the government telling the court that it was searching call records without “reasonable articulable suspicion” or RAS, the court said the government’s explanation “strains credulity.” [Continue reading…]

Gen. Keith Alexander’s barely-legal drive to expand the power of the NSA

Shane Harris writes: On Aug. 1, 2005, Lt. Gen. Keith Alexander reported for duty as the 16th director of the National Security Agency, the United States’ largest intelligence organization. He seemed perfect for the job. Alexander was a decorated Army intelligence officer and a West Point graduate with master’s degrees in systems technology and physics. He had run intelligence operations in combat and had held successive senior-level positions, most recently as the director of an Army intelligence organization and then as the service’s overall chief of intelligence. He was both a soldier and a spy, and he had the heart of a tech geek. Many of his peers thought Alexander would make a perfect NSA director. But one prominent person thought otherwise: the prior occupant of that office.

Air Force Gen. Michael Hayden had been running the NSA since 1999, through the 9/11 terrorist attacks and into a new era that found the global eavesdropping agency increasingly focused on Americans’ communications inside the United States. At times, Hayden had found himself swimming in the murkiest depths of the law, overseeing programs that other senior officials in government thought violated the Constitution. Now Hayden of all people was worried that Alexander didn’t understand the legal sensitivities of that new mission.

“Alexander tended to be a bit of a cowboy: ‘Let’s not worry about the law. Let’s just figure out how to get the job done,’” says a former intelligence official who has worked with both men. “That caused General Hayden some heartburn.”

The heartburn first flared up not long after the 2001 terrorist attacks. Alexander was the general in charge of the Army’s Intelligence and Security Command (INSCOM) at Fort Belvoir, Virginia. He began insisting that the NSA give him raw, unanalyzed data about suspected terrorists from the agency’s massive digital cache, according to three former intelligence officials. Alexander had been building advanced data-mining software and analytic tools, and now he wanted to run them against the NSA’s intelligence caches to try to find terrorists who were in the United States or planning attacks on the homeland.

By law, the NSA had to scrub intercepted communications of most references to U.S. citizens before those communications can be shared with other agencies. But Alexander wanted the NSA “to bend the pipe towards him,” says one of the former officials, so that he could siphon off metadata, the digital records of phone calls and email traffic that can be used to map out a terrorist organization based on its members’ communications patterns.

“Keith wanted his hands on the raw data. And he bridled at the fact that NSA didn’t want to release the information until it was properly reviewed and in a report,” says a former national security official. “He felt that from a tactical point of view, that was often too late to be useful.”

Hayden thought Alexander was out of bounds. INSCOM was supposed to provide battlefield intelligence for troops and special operations forces overseas, not use raw intelligence to find terrorists within U.S. borders. But Alexander had a more expansive view of what military intelligence agencies could do under the law.

“He said at one point that a lot of things aren’t clearly legal, but that doesn’t make them illegal,” says a former military intelligence officer who served under Alexander at INSCOM. [Continue reading…]

Obama administration had restrictions on NSA reversed in 2011

The Washington Post reports: The Obama administration secretly won permission from a surveillance court in 2011 to reverse restrictions on the National Security Agency’s use of intercepted phone calls and e-mails, permitting the agency to search deliberately for Americans’ communications in its massive databases, according to interviews with government officials and recently declassified material.

In addition, the court extended the length of time that the NSA is allowed to retain intercepted U.S. communications from five years to six years — and more under special circumstances, according to the documents, which include a recently released 2011 opinion by U.S. District Judge John D. Bates, then chief judge of the Foreign Intelligence Surveillance Court.

What had not been previously acknowledged is that the court in 2008 imposed an explicit ban — at the government’s request — on those kinds of searches, that officials in 2011 got the court to lift the bar and that the search authority has been used.

Together the permission to search and to keep data longer expanded the NSA’s authority in significant ways without public debate or any specific authority from Congress. The administration’s assurances rely on legalistic definitions of the term “target” that can be at odds with ordinary English usage. The enlarged authority is part of a fundamental shift in the government’s approach to surveillance: collecting first, and protecting Americans’ privacy later. [Continue reading…]

Doubts raised about independence of White House panel on NSA privacy

McClatchy reports: President Barack Obama has announced the names of the five members of a task force to examine the National Security Agency’s controversial collection of Internet and cell phone records, but privacy and open government advocates say they don’t believe the panel is likely to be very critical of the NSA program.

At the time Obama announced the panel’s creation Aug. 9, anger at the extent of the NSA collection efforts was at its height, and the president’s move was intended to calm growing congressional calls for curbs on the program. Obama said the panel would be made up of outside experts and would review the government’s use of its intelligence-gathering capabilities and whether it adhered to constitutional standards.

“The review group will assess whether, in light of advancements in communications technologies, the United States employs its technical collection capabilities in a manner that optimally protects our national security and advances our foreign policy while appropriately accounting for other policy considerations, such as the risk of unauthorized disclosure and our need to maintain the public trust,” a White House memorandum on the panel said.

But advocates note that four of the five people named to the panel last week have long histories in government or in the intelligence community, and they said that made it unlikely the panel would be critical of the government’s practices when it completes its required final report, which is due on Dec. 15.

Steven Aftergood, director of the Federation of American Scientists’ project on Government Secrecy, said even the panel’s assignment misses the major concerns that have been expressed about the NSA programs, which had been kept largely secret from the public until their extent was leaked in June by fugitive former NSA contractor Edward Snowden.

“Basically, they’re saying, ‘Well how can we optimize surveillance while taking privacy into account?’” Aftergood said. But what people really want to know is whether the NSA violates the law and the Constitution, he added. “I’m not sure that that sense of urgency has been adequately communicated to the review board.” [Continue reading…]

Legislation seeks to bar NSA tactic in encryption

The New York Times reports: After disclosures about the National Security Agency’s stealth campaign to counter Internet privacy protections, a congressman has proposed legislation that would prohibit the agency from installing “back doors” into encryption, the electronic scrambling that protects e-mail, online transactions and other communications.

Representative Rush D. Holt, a New Jersey Democrat who is also a physicist, said Friday that he believed the N.S.A. was overreaching and could hurt American interests, including the reputations of American companies whose products the agency may have altered or influenced.

“We pay them to spy,” Mr. Holt said. “But if in the process they degrade the security of the encryption we all use, it’s a net national disservice.”

Mr. Holt, whose Surveillance State Repeal Act would eliminate much of the escalation in the government’s spying powers undertaken after the 2001 terrorist attacks, was responding to news reports about N.S.A. documents showing that the agency has spent billions of dollars over the last decade in an effort to defeat or bypass encryption. The reports, by The New York Times, ProPublica and The Guardian, were posted online on Thursday.

The agency has encouraged or coerced companies to install back doors in encryption software and hardware, worked to weaken international standards for encryption and employed custom-built supercomputers to break codes or find mathematical vulnerabilities to exploit, according to the documents, disclosed by Edward J. Snowden, the former N.S.A. contractor. [Continue reading…]

Google encrypts data amid backlash against NSA spying

The Washington Post reports: Google is racing to encrypt the torrents of information that flow among its data centers around the world in a bid to thwart snooping by the NSA and the intelligence agencies of foreign governments, company officials said Friday.

The move by Google is among the most concrete signs yet that recent revelations about the National Security Agency’s sweeping surveillance efforts have provoked significant backlash within an American technology industry that U.S. government officials long courted as a potential partner in spying programs.

Google’s encryption initiative, initially approved last year, was accelerated in June as the tech giant struggled to guard its reputation as a reliable steward of user information amid controversy about the NSA’s PRISM program, first reported in The Washington Post and the Guardian that month. PRISM obtains data from American technology companies, including Google, under various legal authorities.

Encrypting information flowing among data centers will not make it impossible for intelligence agencies to snoop on individual users of Google services, nor will it have any effect on legal requirements that the company comply with court orders or valid national security requests for data. But company officials and independent security experts said that increasingly widespread use of encryption technology makes mass surveillance more difficult — whether conducted by governments or other sophisticated hackers. [Continue reading…]

How the NSA and GCHQ have destroyed privacy and security on the internet

The Guardian reports: US and British intelligence agencies have successfully cracked much of the online encryption relied upon by hundreds of millions of people to protect the privacy of their personal data, online transactions and emails, according to top-secret documents revealed by former contractor Edward Snowden.

The files show that the National Security Agency and its UK counterpart GCHQ have broadly compromised the guarantees that internet companies have given consumers to reassure them that their communications, online banking and medical records would be indecipherable to criminals or governments.

The agencies, the documents reveal, have adopted a battery of methods in their systematic and ongoing assault on what they see as one of the biggest threats to their ability to access huge swathes of internet traffic – “the use of ubiquitous encryption across the internet”.

Those methods include covert measures to ensure NSA control over setting of international encryption standards, the use of supercomputers to break encryption with “brute force”, and – the most closely guarded secret of all – collaboration with technology companies and internet service providers themselves.

Through these covert partnerships, the agencies have inserted secret vulnerabilities – known as backdoors or trapdoors – into commercial encryption software.

The files, from both the NSA and GCHQ, were obtained by the Guardian, and the details are being published today in partnership with the New York Times and ProPublica. They reveal:

• A 10-year NSA program against encryption technologies made a breakthrough in 2010 which made “vast amounts” of data collected through internet cable taps newly “exploitable”.

• The NSA spends $250m a year on a program which, among other goals, works with technology companies to “covertly influence” their product designs.

• The secrecy of their capabilities against encryption is closely guarded, with analysts warned: “Do not ask about or speculate on sources or methods.”

• The NSA describes strong decryption programs as the “price of admission for the US to maintain unrestricted access to and use of cyberspace”.

• A GCHQ team has been working to develop ways into encrypted traffic on the “big four” service providers, named as Hotmail, Google, Yahoo and Facebook. [Continue reading…]
