Feeds

Naughty NSA was so drunk on data it forgot collection rules

Declassified court docs show systematic breaches over [REDACTED] years

Beginner's guide to SSL certificates

Declassified documents from America's Foreign Intelligence Surveillance Court (FISC) shows that even the NSA didn't know the limits of what it was supposed to collect, and overstepped its authorisations for years.

The documents were released to the Electronic Privacy Information Centre in response to an FOI request, and record FISC judges' disquiet about the program. Seeking a renewal for the NSA's use of “pen register and trap and trace (PR/TT)” devices in US networks to collect subscriber metadata, the papers note that “the government acknowledges that NSA exceeded the scope of authorised acquisition continuously during the more than [REDACATED] years of acquisition under these orders”.

The court says NSA's overcollection of metadata was “systematic” over a number of years.

Referring to the “serious compliance problems that have characterised the government's implementation of prior FISC orders”, the documents indicate that non-compliance was a frequent problem, with the government notifying the court of NSA breaches both in the over-collection of data and the disclosure of data to other agencies beyond the court's authorisation.

Rather than sift through the entire dataset to work out what was compliant and what was not, the court notes, the NSA at one point decided to flush it all and start again: “NSA had eliminated access to the database that contained the entire set of metadata, and repopulated the databases used by analysts to run queries so that they only contained information [REDACTED] that had not been involved in the unauthorised collection”.

Later still – but still with the dates redacted – the NSA managed a trifecta, with the court noting another round of compliance breaches relating to access to metadata; disclosure of query results; and overcollection (again).

While the details are still sketchy and redacted, it looks to The Register as if someone wrote an over-enthusiastic script: “the NSA had regularly accessed the bulk telephone metadata using a form of automated querying based on telephone numbers that had not been approved under the RAS standard” (RAS means “reasonable articulable suspicion”, that is, only persons suspected of association with international terrorist groups could be swept up in the PR/TT dragnet).

“Those conducting oversight at NSA failed to do so effectively”, the documents state.

Interestingly, the documents also reveal that the FISC court regards the line between “data” and “metadata” as blurry.

Early on, it cites this definition: “metadata is information 'about the communication, not the actual communication itself'”, which includes “numbers dialled, the length of a call, internet protocol addresses, e-mail addresses and similar information concerning the delivery of a communication rather than the message between two parties”.

So where does a URL sit in the FISC's view?

“In the context of Internet communications, a Uniform Resource Locator (URL) – 'an address that can lead you to a file on any computer on the Internet' – constitutes a form of 'addressing information' under the ordinary meaning of that term. Yet, in some circumstances a URL can also include 'contents'”, the papers state. ®

Secure remote control for conventional and virtual desktops

More from The Register

next story
Phones 4u slips into administration after EE cuts ties with Brit mobe retailer
More than 5,500 jobs could be axed if rescue mission fails
JINGS! Microsoft Bing called Scots indyref RIGHT!
Redmond sporran metrics get one in the ten ring
Driving with an Apple Watch could land you with a £100 FINE
Bad news for tech-addicted fanbois behind the wheel
Phones 4u website DIES as wounded mobe retailer struggles to stay above water
Founder blames 'ruthless network partners' for implosion
Sony says year's losses will be FOUR TIMES DEEPER than thought
Losses of more than $2 BILLION loom over troubled Japanese corp
Radio hams can encrypt, in emergencies, says Ofcom
Consultation promises new spectrum and hints at relaxed licence conditions
Why Oracle CEO Larry Ellison had to go ... Except he hasn't
Silicon Valley's veteran seadog in piratical Putin impression
Big Content Australia just blew a big hole in its credibility
AHEDA's research on average content prices did not expose methodology, so appears less than rigourous
prev story

Whitepapers

Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
The next step in data security
With recent increased privacy concerns and computers becoming more powerful, the chance of hackers being able to crack smaller-sized RSA keys increases.