Feeds

Naughty NSA was so drunk on data it forgot collection rules

Declassified court docs show systematic breaches over [REDACTED] years

Security for virtualized datacentres

Declassified documents from America's Foreign Intelligence Surveillance Court (FISC) shows that even the NSA didn't know the limits of what it was supposed to collect, and overstepped its authorisations for years.

The documents were released to the Electronic Privacy Information Centre in response to an FOI request, and record FISC judges' disquiet about the program. Seeking a renewal for the NSA's use of “pen register and trap and trace (PR/TT)” devices in US networks to collect subscriber metadata, the papers note that “the government acknowledges that NSA exceeded the scope of authorised acquisition continuously during the more than [REDACATED] years of acquisition under these orders”.

The court says NSA's overcollection of metadata was “systematic” over a number of years.

Referring to the “serious compliance problems that have characterised the government's implementation of prior FISC orders”, the documents indicate that non-compliance was a frequent problem, with the government notifying the court of NSA breaches both in the over-collection of data and the disclosure of data to other agencies beyond the court's authorisation.

Rather than sift through the entire dataset to work out what was compliant and what was not, the court notes, the NSA at one point decided to flush it all and start again: “NSA had eliminated access to the database that contained the entire set of metadata, and repopulated the databases used by analysts to run queries so that they only contained information [REDACTED] that had not been involved in the unauthorised collection”.

Later still – but still with the dates redacted – the NSA managed a trifecta, with the court noting another round of compliance breaches relating to access to metadata; disclosure of query results; and overcollection (again).

While the details are still sketchy and redacted, it looks to The Register as if someone wrote an over-enthusiastic script: “the NSA had regularly accessed the bulk telephone metadata using a form of automated querying based on telephone numbers that had not been approved under the RAS standard” (RAS means “reasonable articulable suspicion”, that is, only persons suspected of association with international terrorist groups could be swept up in the PR/TT dragnet).

“Those conducting oversight at NSA failed to do so effectively”, the documents state.

Interestingly, the documents also reveal that the FISC court regards the line between “data” and “metadata” as blurry.

Early on, it cites this definition: “metadata is information 'about the communication, not the actual communication itself'”, which includes “numbers dialled, the length of a call, internet protocol addresses, e-mail addresses and similar information concerning the delivery of a communication rather than the message between two parties”.

So where does a URL sit in the FISC's view?

“In the context of Internet communications, a Uniform Resource Locator (URL) – 'an address that can lead you to a file on any computer on the Internet' – constitutes a form of 'addressing information' under the ordinary meaning of that term. Yet, in some circumstances a URL can also include 'contents'”, the papers state. ®

Protecting users from Firesheep and other Sidejacking attacks with SSL

More from The Register

next story
JINGS! Microsoft Bing called Scots indyref RIGHT!
Redmond sporran metrics get one in the ten ring
Phones 4u slips into administration after EE cuts ties with Brit mobe retailer
More than 5,500 jobs could be axed if rescue mission fails
Phones 4u website DIES as wounded mobe retailer struggles to stay above water
Founder blames 'ruthless network partners' for implosion
Found inside ISIS terror chap's laptop: CELINE DION tunes
REPORT: Stash of terrorist material found in Syria Dell box
OECD lashes out at tax avoiding globocorps' location-flipping antics
You hear that, Amazon, Google, Microsoft et al?
Show us your Five-Eyes SECRETS says Privacy International
Refusal to disclose GCHQ canteen menus and prices triggers Euro Human Rights Court action
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Security and trust: The backbone of doing business over the internet
Explores the current state of website security and the contributions Symantec is making to help organizations protect critical data and build trust with customers.