As one could have predicted, news is slowly emerging that the sweeping statements provided by the government about the limits of the information it was collecting are turning out to be false. They said that they only collect metadata and not the contents of the messages themselves. But a new report says that they do search through the data looking for certain keywords and if those are found, those emails are saved for later close analysis by humans.
To conduct the surveillance, the N.S.A. is temporarily copying and then sifting through the contents of what is apparently most e-mails and other text-based communications that cross the border. The senior intelligence official, who, like other former and current government officials, spoke on condition of anonymity because of the sensitivity of the topic, said the N.S.A. makes a “clone of selected communication links” to gather the communications, but declined to specify details, like the volume of the data that passes through them.
…
The official said that a computer searches the data for the identifying keywords or other “selectors” and stores those that match so that human analysts could later examine them. The remaining communications, the official said, are deleted; the entire process takes “a small number of seconds,” and the system has no ability to perform “retrospective searching.”
As usual, the government uses words deceptively so that assertions they make are not as categorical as they seem. The article says that in this case, they deliberately use the word ‘target’ ambiguously.
I suspect that even these supposed limitations are being circumvented.
It really does surprise me that anyone is surprised by these “revelations”. I was at school when I first heard about ECHELON, so that’s more than 20 years ago.
I used to work for a firm that referenced the same European Parliament report mentioned in that quote in sales materials and then point to our products using 256 bit encryption. Every single time I saw a sales rep bring it up it was news to the customer that their communications were probably being monitored. I don’t know how likely it was that any particular company we dealt with might have lost info that way, but I know it got us some sales. Not that they couldn’t get the same security elsewhere (and many probably already had it), just that we put it out there and referenced the EP report to scare them.
Which is exactly why exporting software products containing 128-bit or 256-bit encryption mechanisms from the US was/is illegal. It wasn’t because some enemy government would be using Internet Exploder to send encrypted messages to their operatives elsewhere.
Banning export of strong crypto SW was based on the assumption that nobody outside the US could write it. The SW houses in the rest of the world were happy to see no US competitors in the market. The ban was lifted.
The separation of “metadata” from “user data” is obsolete.
In the days of telephony (SS7, “circuit switched” communicaation) the signals to set up and tear down a call were clearly separate from speech. They were called control plane and data plane. All phone companies saved control plane data for a few months for billing purposes. If the police wanted it, they could as for it after the fact. Not so with data plane. Its collection had to be prearranged, and somebody had to pay for the extra equipment. Therefore intercepting control and data planes were two separate activities.
In the Internet (IP, “packet switched” communication) this is not true. Both signalling and user data flow in the same packet stream. If you can snoop into it, you can get both data without any prearrangements. The separation to “metadata” and “user data” is technically meaningless. The only difference is that the spooks promise not to look between the fingers at user data.
The German government during the Brown Era probably assumed that nobody outside their sphere of control could exploit atomic fission. Different scale, but same kind of bad thinking, whose potential consequences avoided them. Same kind of bad thinking here; wish it would stay small-scale.
Lassi,
That depends on the protocol being employed, and in a few different ways.
There are protocols where the application layer data is encrypted from end to end, and so while someone would have access to the TCP headers (metadata) and the body of the message, the body they would have would be useless* ciphertext.
There are also pieces of analysis hardware in common use (such as some firewalls) which in hardware only look at packet headers and thus are incapable of being programmed to analyze or record the payload data.
So, packet switching (or more precisely, in-band control signaling) certainly does make it easier to snoop. For exactly the same reason that it makes pretty much everything else easier: there aren’t nearly as many wires. But there is a spectrum of approaches not really a binary distinction.
It becomes even murkier when you look at the fact that the circuit-switched PSTN has long employed various time-division and frequency-division multiplexing schemes that have put many logically distinct “circuits” on the same wire/fiber even before the widespread deployment of packet switched technologies.
At any rate, under either technology, there exist technical means of limiting the access you give someone to the control signals only. And under either technology there’s no way for anyone without access to the snooping hardware to verify whether such means are being employed. And under either technology end users who exchange keys out of band can ensure that their non-control-signal information is not snoopable in any meaningful* way. So there really isn’t a significant difference.
*Thought to be useless if the publicly published crypto work is in fact the state of the art, if P is a proper subset of NP, and if quantum computers of significant size are still a dream, and all those caveats.
using Internet Exploder to send encrypted messages to their operatives elsewhere.
One of the misfeatures of the public key infrastructure is that if you have the certficate you can silently read everything. If you think that was an accident, I have a bridge to Mars I’d like you to consider investing in. NSA rolled over pretty quickly regarding SSL and most of us assumed it was that they rolled over so they could muffle their giggles in the pillow.
I couldn’t compress a review of communication technology development in last 50 years in a few lines, so I omitted it and only mentioned the ends. My point is that terminology that was developed in the age of Steam System Seven is being used as if it were still relevant. Nothing new there -- Obfuscating Discussion with Misleading Terminology is not a crime.
There’s no rational excuse for surprise when the collected works of James Bamford are available (perhaps at your local library). His reports may be stone-age to experts in communications security, but a sharp stone tool does more for you than just any old rock would.
http://en.wikipedia.org/wiki/James_Bamford