Data and Goliath

by Bruce Schneier


  Much of the NSA’s money for its modern surveillance infrastructure came from the post-9/11 war efforts in Afghanistan and Iraq: the offensive effort to identify and locate enemy targets, and the defensive effort to identify and neutralize improvised explosive devices. That is, the capabilities were developed against networks in those countries, and because everyone else in the world uses the same equipment, they could be more cheaply deployed against systems elsewhere.

  One obvious question arises: is this legal? The real answer is that we don’t know. The current authority for NSA surveillance comes from three places:

  • Executive Order 12333, signed by President Reagan in 1981, permits the NSA to conduct extensive surveillance abroad. It contains some protection for US citizens only, but allows for extensive collection, analysis, and retention of Americans’ data.

  • Section 215 of the USA PATRIOT Act, enacted in 2001, allows the NSA to collect “any tangible things (including books, records, papers, documents, and other items)”—about anyone, not just foreigners—“for an investigation to protect against international terrorism or clandestine intelligence activities.” That last bit might sound like a limitation, but a secret court interpreted this to include the continuing collection of telephone metadata for every American.

  • Section 702 of the FISA (Foreign Intelligence Surveillance Act) Amendments Act of 2008 retroactively authorized NSA collection activities that were conducted illegally after 9/11. It expanded the NSA’s remit to gather data on foreigners, with minimal protections for US citizens. The NSA used this authority to monitor Internet backbone connections entering the country, harvesting data on both foreigners and Americans.

  The reason the discussion doesn’t end there is twofold. One, many of the surveillance provisions of those laws are almost certainly unconstitutional, either as illegal searches or illegal seizures. And two, some of the NSA’s interpretations of those laws are almost certainly illegal. Challenges along both of those fronts are being debated in the courts right now. I believe that eventually much of what the NSA is currently doing will be stopped by the courts, and more of what the NSA is currently doing will be stopped by new legislation. Of course, by then Americans will have been subject to decades of extensive surveillance already, which might well have been the agency’s strategy all along. I’ll talk considerably more about this in Chapter 13.

  The NSA collects a lot of data about Americans. Some of it is “incidental.” That is, if the NSA monitors a telephone network in France, it will collect data on calls between France and the US. If it monitors an Internet cable under the Atlantic, it will sweep up data on Americans whose traffic happens to get routed through that cable. The NSA has minimization rules designed to limit the amount of data on Americans it collects, analyzes, and retains, although much of what we have learned about them indicates that they don’t work very well. The rules are different for communications content and metadata, and the rules are different depending on the legal authority the NSA is using to justify the collection. And minimized doesn’t mean that Americans’ data is deleted; it just means that it’s anonymized unless someone actually wants to see it. The NSA does a lot of playing around with the rules here, and even those trying to oversee the NSA’s activity admit that they can’t figure out what it’s really doing.

  A 2014 analysis of some of the actual intercepted traffic provided by Snowden found that data about innocent people, both Americans and non-Americans, far exceeded the data about authorized intelligence targets. Some of this reflects the nature of intelligence; even minimized information about someone will contain all sorts of communications with innocents, because literally every communication with a target that provides any interesting information whatsoever will be retained.

  The NSA might get the headlines, but the US intelligence community is actually composed of 17 different agencies. There’s the CIA, of course. You might have heard of the NRO—the National Reconnaissance Office—it’s in charge of the country’s spy satellites. Then there are the intelligence agencies associated with all four branches of the military. The Departments of Justice (both FBI and DEA), State, Energy, the Treasury, and Homeland Security all conduct surveillance, as do a few other agencies. And there may be a still-secret 18th agency. (It’s unlikely, but possible. The details of the NSA’s mission remained largely secret until the 1970s, over 20 years after its formation.)

  After the NSA, the FBI appears to be the most prolific government surveillance agency. It is tightly connected with the NSA, and the two share data, technologies, and legislative authorities. It’s easy to forget that the first Snowden document published by the Guardian—the order requiring Verizon to turn over the calling metadata for all of its customers—was an order by the FBI to turn the data over to the NSA. We know there is considerable sharing amongst the NSA, CIA, DEA, DIA, and DHS. An NSA program code-named ICREACH provides surveillance information to over 23 government agencies, including information about Americans.

  That said, unlike NSA surveillance, FBI surveillance is traditionally conducted with judicial oversight, through the warrant process. Under the Fourth Amendment to the US Constitution, the government must demonstrate to a judge that a search might reasonably reveal evidence of a crime. However, the FBI has the authority to collect, without a warrant, all sorts of personal information, either targeted or in bulk through the use of National Security Letters (NSLs). These are basically administrative subpoenas, issued by the FBI with no judicial oversight. They were greatly expanded in scope in 2001 under the USA PATRIOT Act (Section 505), although the initial legal basis for these letters originated in 1978. Today, NSLs are generally used to obtain data from third parties: e-mail from Google, banking records from financial institutions, files from Dropbox.

  In the US, we have reduced privacy rights over all that data because of what’s called the third-party doctrine. Back in 1976, Michael Lee Smith robbed a woman in Baltimore, and then repeatedly harassed her on the phone. After the police identified someone matching Smith’s description, they had the phone company place a “pen register” on Smith’s phone line to create a record of all the phone numbers Smith dialed. After verifying that Smith called the woman, they got a search warrant for his home and arrested him for the robbery. Smith tried to get the pen register evidence thrown out, because the police hadn’t obtained a warrant. In a 1979 decision, the Supreme Court ruled that a warrant was not necessary: “This Court consistently has held that a person has no legitimate expectation of privacy in information he voluntarily turns over to third parties.” Basically, because Smith shared those phone numbers with his phone company, he lost any expectation of privacy with respect to that information. That might have made sense in 1979, when almost all of our data was held by us and close to us. But today, all of our data is in the cloud somewhere, held by third parties of undetermined trust.

  Technology has greatly enhanced the FBI’s ability to conduct surveillance without a warrant. For example, the FBI (and also local police) uses a tool called an IMSI-catcher, which is basically a fake cell phone tower. If you’ve heard about it, you’ve heard the code name StingRay, which is actually a particular type of IMSI-catcher sold by Harris Corporation. By putting up the tower, it tricks nearby cell phones into connecting to it. Once that happens, IMSI-catchers can collect identification and location information of the phones and, in some cases, eavesdrop on phone conversations, text messages, and web browsing. The FBI is so scared of explaining this capability in public that the agency makes local police sign nondisclosure agreements before using the technique, and instructs them to lie about their use of it in court. When it seemed possible that local police in Sarasota, Florida, might release documents about StingRay cell phone interception equipment to plaintiffs in civil rights litigation against them, federal marshals seized the documents.

  It’s hard to keep track of all the US government organizations involved with surveillance. The National Counterterrorism Center keeps track of the Terrorism Identities Datamart Environment, the US government’s central repository of international terrorist suspects. The institution maintains a huge database of US citizens, keeping tabs on 700,000 identifiers (sort of like people, but not really) in 2007, and is where the various watch lists come from. The procedures for getting on these lists seem very arbitrary, and of course there’s no recourse once someone gets on one. Boston Marathon bomber Tamerlan Tsarnaev was on this list.

  There are also Organized Crime Drug Enforcement Task Forces for drug-related investigations, and a Comprehensive National Cybersecurity Initiative for computer threats. The Bureau of Alcohol, Tobacco, and Firearms is building a massive database to track people and their friends. Even the Pentagon has spied on Americans, through a little-known agency called the Counterintelligence Field Activity, closed in 2008. In 2010, the Naval Criminal Investigative Service monitored every computer in the state of Washington running a particular file-sharing program, whether associated with the military or not—a clear violation of the law.

  Outside of the federal government, a lot more surveillance and analysis of surveillance data is going on. Since 9/11, the US has set up “fusion centers” around the country. These institutions are generally run by state and local law enforcement, and are meant to serve as an information bridge between those groups and national agencies like the FBI and DHS. They give local police access to previously unavailable surveillance capabilities and data. They were initially supposed to focus on terrorism, but increasingly they’re used in broader law enforcement. And because they’re run locally, different fusion centers have different rules—and different levels of adherence to those rules. There’s minimal oversight, probably illegal military involvement, and excessive secrecy. For example, fusion centers are known to have spied on political protesters.

  Joint Terrorism Task Forces are also locally run, nebulously defined, and shrouded in extreme secrecy. They’ve been caught investigating political activists, spreading anti-Islamic propaganda, and harassing innocent civilians.

  Taken as a whole, there’s a great deal of overenthusiastic, ideologically driven surveillance going on in the US.

  Across the Atlantic, the NSA’s UK equivalent is GCHQ. It conducts extensive spying on its own citizens and worldwide, both from its own country and from remote listening posts in Oman, Cyprus, and elsewhere. It has a very close partnership with the NSA, and is increasingly conducting mass surveillance inside its own borders. Other countries listening in on their own citizens and the citizens of other countries include Germany, France, Denmark, Australia, New Zealand, Israel, Canada . . . and probably every other country with enough money to have an intelligence budget. The government of Australia has claimed that its surveillance of Indonesia helped thwart several terrorist threats in that country.

  We know much less about government surveillance in other countries; but don’t assume that they aren’t doing these same things just because whistleblowers there haven’t brought those stories to light. Other governments are doing much the same thing to as much of the Internet as they can get their hands on, often with fewer legal restrictions on their activities.

  Russia collects, stores, and analyzes data from phone calls, e-mail, Internet use, social networking, credit card transactions, and more. Russia’s System for Operative Investigative Measures, or SORM, is built right into its Internet. We saw a glimpse of how extensive this system is during the 2014 Sochi Olympics, where the Russian authorities monitored pretty much everything that happened online. Crime and terrorism provide justifications for surveillance, but this data is also used against Russian journalists, human rights activists, and political opponents.

  China, too, attempts to monitor everything its citizens do on—and, increasingly, off—the Internet. China also uses location information from mobile phones to track people en masse. It turns mobile phones on remotely to eavesdrop on people, and it monitors physical spaces with its 20 to 30 million surveillance cameras. As in Russia, crime is the ostensible excuse for all this snooping, but dissent is a major reason as well. TOM-Skype is a Chinese video and texting service, a joint venture between Microsoft and the Chinese company TOM Online. Messages containing words like “Tiananmen,” “Amnesty International,” and “Human Rights Watch,” as well as references to drugs and pornography, are copied and saved. More than 30,000 Internet police conduct the monitoring.

  We got additional glimpses of global Internet monitoring a few years ago, when India, Russia, Saudi Arabia, the UAE, and Indonesia all threatened to ban BlackBerry if the company didn’t allow them access to user communications. BlackBerry data is generally encrypted, which prevents eavesdropping. BlackBerry cut a deal with India whereby corporate users were allowed to keep their data secure, but the government would be able to track individual users’ e-mails, chats, and website visits. We don’t know about the deals it may have struck with the other countries, but we can assume that they’re similar.

  Smaller countries often turn to larger ones to help them with their surveillance infrastructure. China helped Iran build surveillance into its own Internet infrastructure. I’ll say more in Chapter 6 about Western companies helping repressive governments build surveillance systems.

  The actions of these and other countries—I could fill a whole book with examples—are often far more oppressive and totalitarian than anything the US or any of its allies do. And the US has far more legal controls and restrictions on government collection than any other country on the planet, including European countries. In countries like Thailand, India, and Malaysia, arresting people on the basis of their Internet conversations and activities is the norm. I’ll talk about risks and harms in Chapter 7; right now, I want to stick to capabilities.

  GOVERNMENT HACKS

  Electronic espionage is different today from what it was in the pre-Internet days of the Cold War. Before the Internet, when surveillance consisted largely of government-on-government espionage, agencies like the NSA would target specific communications circuits: that Soviet undersea cable between Petropavlovsk and Vladivostok, a military communications satellite, a microwave network. This was for the most part passive, requiring large antenna farms in nearby countries.

  Modern targeted surveillance is likely to involve actively breaking into an adversary’s computer network and installing malicious software designed to take over that network and “exfiltrate” data—that’s NSA talk for stealing it. To put it more plainly, the easiest way for someone to eavesdrop on your communications isn’t to intercept them in transit anymore; it’s to hack your computer.

  And there’s a lot of government hacking going on.

  In 2011, an Iranian hacker broke into the Dutch certificate authority DigiNotar. This enabled him to impersonate organizations like Google, CIA, MI6, Mossad, Microsoft, Yahoo, Skype, Facebook, Twitter, and Microsoft’s Windows Update service. That, in turn, allowed him to spy on users of these services. He passed this ability on to others—almost certainly in the Iranian government—who in turn used it for mass surveillance on Iranians and probably foreigners as well. Fox-IT estimated that 300,000 Iranian Gmail accounts were accessed.

  In 2009, Canadian security researchers discovered a piece of malware called GhostNet on the Dalai Lama’s computers. It was a sophisticated surveillance network, controlled by a computer in China. Further research found it installed on computers of political, economic, and media organizations in 103 countries: basically a Who’s Who of Chinese espionage targets. Flame is a surveillance tool that researchers detected on Iranian networks in 2012; we believe the US and Israel put it there and elsewhere. Red October, which hacked and spied on computers worldwide for five years before it was discovered in 2013, is believed to be a Russian surveillance system. So is Turla, which targeted Western government computers and was ferreted out in 2014. The Mask, also discovered in 2014, is believed to be Spanish. Iranian hackers have specifically targeted US officials. There are many more known surveillance tools like these, and presumably others still undiscovered.

  To be fair, we don’t have proof that these countries were behind these surveillance networks, nor that they were government sponsored. Governments almost never admit to hacking each other’s computers. Researchers generally infer the country of origin from the target list. For example, The Mask target list included almost all the Spanish-speaking countries, and a bunch of computers in Morocco and Gibraltar. That sounds like Spain.

  In the US, the group charged with hacking computers is the Tailored Access Operations group (TAO) inside the NSA. We know that TAO infiltrates computers remotely, using programs with cool code names like QUANTUMINSERT and FOXACID. We know that TAO has developed specialized software to hack into everything from computers to routers to smartphones, and that its staff installs hardware “implants” into computer and networking equipment by intercepting and infecting it in transit. One estimate is that the group has successfully hacked into, and is exfiltrating information from, 80,000 computers worldwide.

  Of course, most of what we know about TAO and the US’s hacking efforts comes from top-secret NSA documents provided by Snowden. There haven’t been similar leaks from other countries, so we know much less about their capabilities.

  We do know a lot about China. China has been reliably identified as the origin of many high-profile attacks: against Google, against the Canadian government, against the New York Times, against the security company RSA and other US corporations, and against the US military and its contractors. In 2013, researchers found presumed–Chinese government malware targeting Tibetan activists’ Android phones. In 2014, Chinese hackers breached a database of the US Office of Personnel Management that stored detailed data on up to 5 million US government employees and contractors with security clearances.
