Decoding America's spies: What does the NSA's cryptic memo really mean? Citizens illegally spied on again

Too much data slurped in October, months after snoops vowed not to do that

Analysis The NSA illegally gathered a trove of American citizens' phone and text message records just four months after it promised it had taken steps to literally not do that again.

That's the upshot of a document [PDF] provided to the American Civil Liberties Union (ACLU) and made public this week. The dossier was supplied by the NSA in response to a long-running legal challenge brought by the civil-rights warriors, who ultimately want Section 215 of the USA Patriot Act, which grants spying powers to Uncle Sam's snoops via secret courts, ruled as unconstitutional.

There are very few details given about the illegal data harvesting, and the vast majority of the document supplied to the ACLU following a Freedom of Information Act (FOIA) request is redacted. The file is one of a series of quarterly reports produced by the surveillance super-agency for an intelligence oversight board in the United States.

What we do know is that the data slurp happened back in October 2018, that it was the 24th issue of 2018 on which a report was written, and that the NSA didn't inform the Department of Defense's senior intelligence oversight official about it until February 1, 2019. This week is the first time anyone outside the intelligence community, and whichever company wrongly sent people's personal information to Uncle Sam's snoops, became aware of the issue.

The limited language available, couched in lingo, strongly suggests that the data that was wrongly gathered had resulted from, or led to, targeted surveillance of a specific individual. "Pursuant to UFA [USA Freedom Act], the FISC [Foreign Intelligence Surveillance Court] has authorized the targeted production to NSA of CDRs [call data records] pertaining to certain specific selection terms, and issued secondary orders to certain providers to compel the production of those CDRs," the document notes.

It goes on: "On or about October 12, 2018, NSA technical analysts examining the targeted production of CDRs observed an anomaly. Specifically, these analysts identified a larger than expected number of [LONG REDACTION]. Further investigation determined that these records were produced by [REDACTED]. On October 12, 2018, NSA requested the provider investigate the anomaly. The provider later confirmed that [REDACTED] has resulted in the creation of CDRs [LONG REDACTION]."

In plain language that means the system the NSA uses to request and gather people's information from companies like your cellular network provider went wrong and, as a result, the snoops were handed records on US citizens the spies were not supposed to receive.

Time to kill it off?

The fact that this went unreported, and happened just months after the same cock-up led to millions of records being wrongly gathered by the NSA, has led to renewed calls for the spying program to be shut down.

In a letter [PDF] the ACLU has sent to the heads of the House Committee on the Judiciary, the union argues the documents "provide further evidence that the NSA has consistently been unable to operate the call detail record program within the bounds of the law," and urges them to "end the flawed Section 215 call detail record authority once and for all."

Although the NSA's report says the impact of the data gathering was "limited given the quick identification, purge processes and lack of reporting," ACLU staff attorney Patrick Toomey argued the program is "too sweeping, the compliance problems too many, and the evidence of the program's value all but nonexistence." There is, he says, "no justification for leaving this surveillance power in the NSA's hands."

group of people in suits look at laptop screens

NSA: That ginormous effort to slurp up Americans' phone records that Snowden exposed? Ehhh, we don't need that no more

READ MORE

Just last month, lawmakers in both halves of Congress and in both parties introduced a bill that would end the surveillance program built around Section 215 as well as prevent the NSA from restarting it.

It is worth noting that the current, malfunctioning, system was introduced after a previous NSA data-mining operation was ruled unconstitutional. And that decision only happened after world-plus-dog were made aware of the system thanks to top-secret documents leaked by Edward Snowden.

The old spying system – where the NSA simply vacuumed up all the logs of Americans' phone calls and text messages – was replaced with one where the NSA has to request information from providers using specific search terms.

But with the program needing to be reauthorized by Congress by the end of the year, with some senators publicly stating their opposition to it, and with the ACLU fighting in the courts to have it struck down, Section 215 has become subject to significant scrutiny. In as far as that it possible.

Earlier this year, in a podcast, a key congressional staffer suggested that the NSA had decided it didn't want or need the Section 215-based program anymore. A month later, anonymous intelligence officials appeared to confirm the same thing to the Wall Street Journal.

Never what it seems

But as any journo who has attempted to cover the NSA's spying programs can attest, literally nothing that is said can be taken at face value. Even common words like "inaccurate" are frequently bent to their breaking point in documentation in order to conceal and obfuscate surveillance programs' inner workings.

While Section 215 has become synonymous in the public's mind with the mass gathering of innocent people's phone call logs by the US government, in the Land of the Free no less, in truth those logs now account for just three per cent of the information gathered under that particular program.

It is thought that the remaining 97 percent of information covers things like emails, instant messages, search engine searches, video uploads, and so on. That is possible thanks to the extraordinarily broad wording of the law that allows the NSA to collect "tangible things."

So while some may feel that a week-long over-supply of call logs from, say, Verizon is not that big a deal, in the grand scheme of things, people are likely to view it differently if it turns out that the provider was Google and the company had supplied every search result from anyone named Jones between October 3 and 12. Under the current system, both are perfectly possible and would be treated the same – with absolute secrecy.

(And don't imagine just because the NSA used the acronym CDRs, standing for call data records, that they were actually records of call data. The agency has a tendency to reinvent the meanings of words, even when they appear crystal clear.)

It is very possible that the NSA is flagging its willingness to drop the phone call metadata part of Section 215 because, after Snowden made it plain what the US government has access to, anyone of potential interest started using encrypted apps.

The value of phone call metadata has massively dropped but by saying it will stop gathering it, the NSA can be seen to be listening to privacy concerns. And then it will continue to gather all the information it wants under some other kind of legal formulation.

This week, the NSA unhappily revealed that its systems repeatedly fail, and seemingly always in the direction of over-supply of information. And it only revealed that much because of an ACLU legal battle that is laser-focused on one specific program. ®

Sponsored: Balancing consumerization and corporate control




Biting the hand that feeds IT © 1998–2019