Feeds

Naughty NSA was so drunk on data it forgot collection rules

Declassified court docs show systematic breaches over [REDACTED] years

Top 5 reasons to deploy VMware with Tegile

Declassified documents from America's Foreign Intelligence Surveillance Court (FISC) shows that even the NSA didn't know the limits of what it was supposed to collect, and overstepped its authorisations for years.

The documents were released to the Electronic Privacy Information Centre in response to an FOI request, and record FISC judges' disquiet about the program. Seeking a renewal for the NSA's use of “pen register and trap and trace (PR/TT)” devices in US networks to collect subscriber metadata, the papers note that “the government acknowledges that NSA exceeded the scope of authorised acquisition continuously during the more than [REDACATED] years of acquisition under these orders”.

The court says NSA's overcollection of metadata was “systematic” over a number of years.

Referring to the “serious compliance problems that have characterised the government's implementation of prior FISC orders”, the documents indicate that non-compliance was a frequent problem, with the government notifying the court of NSA breaches both in the over-collection of data and the disclosure of data to other agencies beyond the court's authorisation.

Rather than sift through the entire dataset to work out what was compliant and what was not, the court notes, the NSA at one point decided to flush it all and start again: “NSA had eliminated access to the database that contained the entire set of metadata, and repopulated the databases used by analysts to run queries so that they only contained information [REDACTED] that had not been involved in the unauthorised collection”.

Later still – but still with the dates redacted – the NSA managed a trifecta, with the court noting another round of compliance breaches relating to access to metadata; disclosure of query results; and overcollection (again).

While the details are still sketchy and redacted, it looks to The Register as if someone wrote an over-enthusiastic script: “the NSA had regularly accessed the bulk telephone metadata using a form of automated querying based on telephone numbers that had not been approved under the RAS standard” (RAS means “reasonable articulable suspicion”, that is, only persons suspected of association with international terrorist groups could be swept up in the PR/TT dragnet).

“Those conducting oversight at NSA failed to do so effectively”, the documents state.

Interestingly, the documents also reveal that the FISC court regards the line between “data” and “metadata” as blurry.

Early on, it cites this definition: “metadata is information 'about the communication, not the actual communication itself'”, which includes “numbers dialled, the length of a call, internet protocol addresses, e-mail addresses and similar information concerning the delivery of a communication rather than the message between two parties”.

So where does a URL sit in the FISC's view?

“In the context of Internet communications, a Uniform Resource Locator (URL) – 'an address that can lead you to a file on any computer on the Internet' – constitutes a form of 'addressing information' under the ordinary meaning of that term. Yet, in some circumstances a URL can also include 'contents'”, the papers state. ®

Intelligent flash storage arrays

More from The Register

next story
MI6 oversight report on Lee Rigby murder: US web giants offer 'safe haven for TERRORISM'
PM urged to 'prioritise issue' after Facebook hindsight find
Assange™ slumps back on Ecuador's sofa after detention appeal binned
Swedish court rules there's 'great risk' WikiLeaker will dodge prosecution
NSA mass spying reform KILLED by US Senators
Democrats needed just TWO more votes to keep alive bill reining in some surveillance
'Internet Freedom Panel' to keep web overlord ICANN out of Russian hands – new proposal
Come back with our internet! cries Republican drawing up bill
prev story

Whitepapers

Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
Go beyond APM with real-time IT operations analytics
How IT operations teams can harness the wealth of wire data already flowing through their environment for real-time operational intelligence.
The total economic impact of Druva inSync
Examining the ROI enterprises may realize by implementing inSync, as they look to improve backup and recovery of endpoint data in a cost-effective manner.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.