Did the Leaker Exaggerate the NSA Internet Spying Program?


Josh Constine at TechCrunch says that the Guardian, or their source, Edward Snowden, is exaggerating the access that the NSA has to the systems of Microsoft, Yahoo, Google, Skype and other internet companies. Constine says that there is a separate, segregated system and requests still have to be made one by one.

The NSA may have wanted full firehoses of data from Google, Facebook and other tech giants, but the companies attempted to protect innocent users from monitoring via compliance systems that created segregated data before securely handing it over as required by law, according to individuals familiar with the systems used by the tech companies targeted by PRISM.

The widely criticized corroboration with the NSA therefore may have benefited citizens rather than being to their detriment.

My sources confirm that the NSA did not have direct access or any special instant access to data or servers at the PRISM targets, but instead had to send requests to the companies for the data. These requests must be complied with by law, but only if the government narrowly defines what it’s looking for. The government may have initially requested a firehose of data, and was happy to take this full data dump from the tech companies and sort it itself. Had the tech giants simply accepted these requests at the minimum level required by law, many innocent citizens’ data could have been monitored.

By working to create “a locked mailbox and give the government the key” which the New York Times reported, rather than allowing widespread monitoring, the firehose is restricted to a trickle of specific requests. When the NSA has specific people they want to data about, they make a specific, legal request for that data that the tech companies are required to comply with. Google or Facebook then puts the specific requested data into the locked mailbox where the government can access it. This keeps requested data about suspected terrorists or other people who are threats to national security segregated from that of innocent users.

By cooperating, companies can better ensure that each request is valid, and narrow enough in its scope. If the request is too broad, the tech companies can send it back and ask for a narrower pull. The method also ensure the data is securely transferred from the companies to the government, opposed to being more forcibly pulled by the NSA in ways that could have left it open for exploit by third-parties.

If this is true, that make it considerably more palatable — but it’s hardly a panacea. Bear in mind that the government can use National Security Letters without a warrant to request such information. also bear in mind that we know that NSLs have been used more often for non-terrorism investigations than for terrorism ones. The same is true of “sneak and peek” warrants. So I’d still like to know a lot more about the criteria used by both the government and the companies and the safeguards in place. Are warrants required? If not, the 4th Amendment is violated.

So if this is true, it reduces the danger posed by the NSA program but doesn’t eliminate it. And it does nothing about the privacy concerns for the Verizon metadata program (also followed by AT&T and Sprint).

Comments

  1. jamessweet says

    This was the impression I was already starting to get about PRISM, is that it was somewhat less than it was initially made out to be.

    Nevertheless! It’s the whole “If this is true” part that you repeated at the beginning of each paragraph. Who freakin’ knows? The lack of transparency makes it impossible to police.

  2. eric says

    He’s glossing over the constitutional issue, which is this (bold part added by me):

    When the NSA has specific people they want to data about, they make a specific, legal request for that data without first getting a warrant that the tech companies are required to comply with.

  3. timberwoof says

    “The widely criticized corroboration with the NSA therefore may have benefited citizens rather than being to their detriment.”

    In other words, if the big corporations made the government trade in their automatic assault rifles for sniper rifles when they want to go citizen-hunting, that would benefit the citizens, who should feel grateful that an executive order would only target one or two of them instead of random crowds.

    “When the NSA has specific people they want to data about, they make a specific, legal request for that data that the tech companies are required to comply with.”

    This is almost just exactly like the Freedom of Information Act. When citizens have specific unclassified government activities they want to have data about, they can make a legal FOIA request for that data that the government can stonewall, redact, or conveniently lose.

  4. embraceyourinnercrone says

    Yeah, gotta love this little phrase in that TechCrunch article

    “This keeps requested data about suspected terrorists or other people who are threats to national security segregated from that of innocent users.”

    Of course you can probably be a considered a “suspected terrorist” for being part of Occupy Wall Street, the anti-war movement, GreenPeace, or other environmental group or donating to same.

    Personally if I never have to hear the ” terra, terra, terra!” refrain again it will be too soon. And yet with all this information did it allow them to stop what happened in Boston. Nope. Does it stop any yahoo with the money from buying almost anything at a gun show? Nope.

    Yes terrorism is terrible. I don’t live very far from Manhattan. The first few days after 9/11 were pretty scary. People I went to school with, worked and died in one of the towers, clients we talked to every day worked blocks away and we didn’t know at first if they were OK , it was frightening, but the absolute idiocy that has happened since is far scarier. In actuality the people who dropped the towers and hit the Pentagon achieved what they wanted.

    They got us to turn ourselves into fear obsessed fools, willing to give up our rights and privacy for an illusion of safety.

    And apropos of nothing, can I just say that the term “Department of Homeland Security” bugs me no end. I won’t Godwin the comments but you can guess what it brings to mind

  5. trucreep says

    Also remember that the term “direct access” has a very different meaning in the tech world than it does for most other people; it’s considered having a person physically at the actual server. I don’t think that’s what most of us think of when we hear “direct access.”

    I also assumed that these assurances of oversight and checks and balances were long ago dismissed by most for the obvious bullshit that it is….

    Seriously, the damage control mode that the government is in would almost be funny if it wasn’t so serious.

  6. baal says

    Pardon my tinfoil…It’s hardly surprising that a ‘big scoop” gets played up. It’s similarly unsurprising that the government and folks with contacts to the gov are doing a full court press damage control right now. So this story and the flood of others like it cannot be seen as fully honest reporting.

    That said, given what I know about data bases and the government and the various dissemblings, it’s likely that the gov is hovering all info every where (Total Information Awareness’s larger progeny). This DB (these data sets) are then housed somewhere. The FEDGOV then goes and gets rubber stamps from FISA or equivalent to create specific uses of the database or to allow for specific farming sprees based on investigation x or y. See that way you get to have your cake and eat it too (all data full tracking of us citizens all the time & some fiction of process).

    The leaker, with trivial tech-dev knowledge level, can probably code queries or kick off back room query tools to independently rifle through the db. Stopping that or keeping a close watch with the scope of employee numbers would be nearly impossible.

    I don’t think I feel any better under my model than I do under a RT persistent sniffer model.

  7. baal says

    Hrm, I need an edit button. I wasn’t dinging Ed’s honesty, rather that comment is to imply Constine should be taken with a grain of salt.

  8. Michael Heath says

    embraceyourinnercrone writes:

    Of course you can probably be a considered a “suspected terrorist” for being part of Occupy Wall Street, the anti-war movement, GreenPeace, or other environmental group or donating to same.

    “Of course”? Really? Than you should easily be able to provide a cite validating that.

    embraceyourinnercrone writes:

    They got us to turn ourselves into fear obsessed fools, willing to give up our rights and privacy for an illusion of safety.

    Perhaps the fear still exists and is now directed elsewhere. And I’m not sure why you think our security is an illusion. The facts seem to argue it’s very robust, to the point I’d happily ask that we risk a supposed reduction in security in order to better secure all people’s protections of our 4th, 5th, and 8th Amendment rights.

    “Supposed” given that I don’t think we have to sacrifice our rights to better secure our safety, there are better ways to protect our security than contain the blowback from the west’s policies that create a demand for terrorism.

  9. slc1 says

    Couple of items from the latest news.

    1. The NSA director claims in congressional testimony that the surveillance activities prevented dozen’s of terrorist attacks.

    http://www.nydailynews.com/news/politics/nsa-director-surveillance-helped-stop-dozens-attacks-article-1.1370764

    2. Representative Peter King, one of Brayton’s favorite congresscritters, has called for the arrest and prosecution of Glenn Greenwald. Since Greenwald currently resides in Brazil, which I seem to recall has no extradition treaty with the US, this doesn’t look like something that is going to happen.

  10. says

    You know, Heath, while I appreciate the importance of citations as a skeptic and a writer of many a paper, when someone uses the qualifier of “probably” that tends to imply speculation, in this case most likely based on familiarity with verified abuse of semantics by law enforcement personnel. Regardless, asking for a citation for what amounts to a guess is a bit facetious. As an aside, I’m pretty sure the “illusion of security” to which embraceyourinnercrone referred is more specifically the “illusion of security that is garnered specifically from these measures.” My impression is that you both agree on this issue, so I’m not sure why you feel the need to argue about it.

  11. embraceyourinnercrone says

    http://news.firedoglake.com/2013/06/11/aclu-files-lawsuit-against-nsa-phone-spying-program/

    Apparenty the ACLU has filed a lawsuit today because it is a customer of Verizon Business Network Services which last week was ordered to turn over on an ongoing basis details such as who the ACLU calls,who calls them and when the calls are made. To me it sounds like a fishing expedition.

    I will try to find the other info I would like to cite when I am can post from something other than my phone. Sorry for the lack of citation in the original comment

  12. eoleen says

    Of course the leaker exaggerated. Besides, the NSA does not need to go to Google, etc. to gain traffic information: they already have their hooks into the Web, and have had since the beginning, when it was known as ARPANET.

    The information they are getting from the phone company is simply the billing records, which, BY LAW, the phone companies are required to keep for 600 days. The reason is that, in the past, there were some egregious “billing errors” made by the phone companies which went uncorrected “because we don’t have the data any more” or “because we lost the data by accident”. Thus the requirement that the data be kept – in three copies, no less.

    As a practical matter, the tapes, once written on, are never recycled: the data sits in save storage (in three places…) for forever and a day, or until we run out of storage space some time around the year 3000. Phone companies by tape, in one form or another, by the semi load.

    THe data is kept “online” for some 60 to 90 days, so that a customer who wants to dispute a bill won’t cost the phone company an arm and a let trying to restore the data so that it is available “on line”: by having it on disk a service person can (attempt to) resolve the issue when the customer calls with his/her/their complaint. After that they have to dig out the data from tape: a forth set of data is kept in the data center for that purpose. After a year it is shuffled off to some off-site location for storage.

    What NSA is doing is simply getting a copy of the data the phone company already has and is RE

  13. says

    Sigh. Comment in moderation because I included too many links.

    Short form: those of you who think the whistle-blowers are exaggerating need to do more research. The desirable capabilities of the system simply aren’t there if you’re not able to do fishing expeditions, and the whistleblowers like Klein describe systems that match systems known to exist. :/

  14. eric says

    Michael Heath,
    Just to add a bit to what @11 said, a citation isn’t really necessary in this case because of the larger point: since warrants are not required, the NSA gets to decide who counts as a ‘suspected terrorist.’

    Personally, whether they are currently collecting information on people in (just an example) Greenpeace is nowhere near as important to me as whether they can without a warrant. The argument that “they aren’t doing that” basically amounts to a good behavior defense. That’s not good enough for me, because they could. I want to know that they can’t legally do it without the approval of the courts.

  15. says

    @eoleen
    ” they already have their hooks into the Web, and have had since the beginning, when it was known as ARPANET.”

    Um, I doubt that’s going to workout. The vast majority of the internet backbone is privately operated. Just because you have a “hook” into the internet, doesn’t mean that packets are traversing their legs. And since we are are talking about routed networks (layer 3+), only packets directed to their legs would go there.

    Not that I care myself anyway. I never considered my internet communications to be private to begin with (advertisers and all that jazz, not to mention facebook and twitter are pretty damn public as it is. Email’s a little different, though)

Leave a Reply