Follow-up: A Security Question


Yesterday I discussed the retro-scope of information-gathering[1] and I probably should have mentioned that President Obama – along with commuting Chelsea Manning’s sentence – handed the citizens of the US a great big “F.U.”  Just before leaving office he quietly changed how the NSA is allowed to share information, considerably expanding the power of the intelligence apparatus.

The original charter of the NSA was to collect foreign communications. Following the iron law of bureaucracy[2], the NSA’s charter has always been subject to “mission creep.” First, there was the rather obvious question of what to do with foreign communications where one end of the communication was in the US: collect it. Then, there was the fig-leaf that the attempt was made to filter out US-to-US communications abroad, or to only “look” at the foreign side. As I’ve mentioned elsewhere[3] the NSA slices language extremely fine when they talk about looking at data. When it became clear that the NSA had been unconstitutionally collecting bulk communications [timeline of NSA domestic spying] within the US as well as outside, the Bush administration a) retroactively forgave them  b) expanded their powers. That catches us up to the present.

MINE ALL MIIIIIINEEEEEE (source: weta)

MINE ALL MIIIIIINEEEEEE (source: weta)

As of a couple weeks ago, the NSA was still doing a fan-dance that the FBI or DEA or any other federal agency that wanted to query their data-pile had to something something mumble FISA court something classified mumble before they could get access. That’s in spite of mounting evidence that one of the “stove pipes” the Obama Administration aggressively broke down was the separation of data between CIA, NSA, and FBI. The NSA’s data-pile was the “crown jewels” of the intelligence community and they sat atop it like Smaug the Dragon, “mine, all mine!”

That was two weeks ago. On his way out the door, Obama broke down the last stovepipe: [New York Times]

WASHINGTON — In its final days, the Obama administration has expanded the power of the National Security Agency to share globally intercepted personal communications with the government’s 16 other intelligence agencies before applying privacy protections.

The New York Times’ reporting on security is consistently from the perspective of a lackey to power: they minimize and downplay the significance of things that are not in the service of the establishment. Notice in the sentence above, “before applying privacy protections”? That’s orwellian double-speak for: “throwing privacy protections out” – what the Obama Administration did was make NSA data available for query by other federal agencies without requiring them to even go through the effort to rubber-stamp things through the FISA court (which has never refused to issue a warrant, when requested).

The new rules significantly relax longstanding limits on what the N.S.A. may do with the information gathered by its most powerful surveillance operations, which are largely unregulated by American wiretapping laws. These include collecting satellite transmissions, phone calls and emails that cross network switches abroad, and messages between people abroad that cross domestic network switches.

The change means that far more officials will be searching through raw data. Essentially, the government is reducing the risk that the N.S.A. will fail to recognize that a piece of information would be valuable to another agency, but increasing the risk that officials will see private information about innocent people.

NSA Data Warehouse in Utah: Yottabytes of storage [source]

NSA Data Warehouse in Utah: Yottabytes of storage [source]

Remember when NSA was still doing the “it’s just metadata” dance? This confirms my earlier point that: if it was just metadata, nobody’d want it. It’s all the messages they have been collecting for years. So now if the DEA wants to see all of your SMS texts going back to when you started SMS’ing? They can just get them from NSA. It’s the best internet-based messaging backup system you can fit in a gigantic data warehouse.

The New York Times omits to mention, or are perhaps unaware, that the NSA’s data pile is not just a view of the present, it’s a time-scope into the unknown past. They’ve become good lapdogs and apologists for authoritarianism but won’t they be surprised if they discover themselves being investigated for years-old errors of judgement? And, by the way, the NSA’s data pile may also reveal a lot about journalists’ sources, retroactively. I’m deeply disappointed that the New York Times has nothing courageous to say about this, but I suppose I should have expected it.

The new regulations for sharing NSA’s data are significantly more relaxed [pdf] – basically it says that the NSA may do a bulk search for an agency and dump them the whole output, “Here, have fun. Our hands are clean.”

secret

As long as the endpoint agency can protect the data adequately, that is. Which is funny, because NSA’s history of securing their own data is pretty embarrassing.[4]

It’s dangerous to make predictions about this stuff, but as an information security practitioner, one thing I forsee is: more leaks. The cat will be out of the bag about what NSA collects, since there will now be 19 federal agencies digging through it, and the fig-leaves are going to fall pretty fast. It’s possible that from a technical standpoint, they already fell years ago (which is what I suspect) but the Obama Administration looked at the Snowden disclosures and decided, “whatever.” Now that a fraction of the truth is out there, the rest is inevitably going to be inferred. We may see an acceleration of political rubbish-rummaging, because now more politicians’ communications will be accessible by more agencies. Imagine what happens if someone in Air Force intelligence discovers that someone who was thinking of challenging the F-35 program budget had a past fondness for buying drugs on the dark web? Let a thousand fishing expeditions begin!

I heard the most horrible comment about this, ever, the other day: “Well, what Obama did was probably not as bad as what Trump would have done, so I guess it’s OK.”  Talk about excusing Obama’s shredding the 4th amendment in the name of lesser evilism! I don’t care which political party whatever totalitarian claims to  work for, they’re still totalitarians. They are still increasing the power of the police state. They are still increasing the likelihood that the US will turn into a data-driven dictatorship.

Comments

  1. sonofrojblake says

    I find this tradition of presidents sneaking out Columbo-style “one last thing” changes to the law very telling, especially that this one of Obama’s is so… evil.

    Prior to this, the one I was most familiar with was Bill Clinton’s decision to switch off selective availability, effectively making the GPS system usable for civilians everywhere and creating a whole bunch of industries and applications worldwide at a stroke. Pretty much the opposite of evil. The contrast is striking.

  2. says

    multitool@#2:
    I’m sorry I didn’t reply in the other thread, I got overloaded and it slipped my mind.

    have you looked at the giant mesh network Guifi net?

    That’s very cool stuff!!!! I’m guessing that would be nearly impossible to shut down or tap. You know, like how packet-switched networks are supposed to be. (Though usually internal controls make them easy to sinkhole or intercept)

    Xfiniti is sort of doing a similar thing here in the US: every home broadband router is also a public access point, and the home user gets a discount (and aren’t charged for the bandwith) if people use their access point. The intent is to create a massive cloud of access points.

    To make something that was safe from government surveillance it would need a broadcast messaging system with junk generators and flood-fill message delivery.

  3. says

    sonofrojblake@#1:
    I find this tradition of presidents sneaking out Columbo-style “one last thing” changes to the law very telling, especially that this one of Obama’s is so… evil.

    It’s a clear sign that “democracy” is not what’s going on here, when parliamentary tricks are used to avoid legislative review by representatives. The president has too much power. Of course the “lesser evilism” that is going on means that half the people will sit by and think “that’s so wrong, but he’s our guy” and the other half will think “that’s so wrong, but our guy did the same kind of thing in the previous administration so we can’t complain.”

  4. Pierce R. Butler says

    … excusing Obama’s shredding the 4th amendment in the name of lesser evilism!

    Trump(‘s handlers) would certainly have done this anyway – which doesn’t excuse Obama’s action, but leaves open the question of why.

    My first guess – they’ve been doing this informally all along, and have now made it a non-story when that comes out.

  5. says

    Pierce R. Butler@#5:
    My first guess – they’ve been doing this informally all along, and have now made it a non-story when that comes out.

    Agreed. That’s the only conclusion that makes sense.

  6. Pierce R. Butler says

    Marcus Ranum @ # 6 – C’mon, this is 2017!

    What does “making sense” have to do with anything now?

  7. multitool says

    Xfiniti is sort of doing a similar thing here in the US: every home broadband router is also a public access point…

    Would this mesh be NSA-compromised by the fact that Xfiniti owns it?

  8. lorn says

    I suspect that what a lot of what this sort of thing is, depicting Obama as allowing the intelligence community more leeway, is simply actually a left-handed attempt to make public what has been going on for 40 years now.

    Does anyone remember John Poindexter and Total Information Awareness? Yes, I know, the congress shut the program down and defunded it in a very public demonstration of outrage and shock. For those not familiar with the concept the outline was that we, the US through the intelligence community would capture all the information it could and it would make it available on a need to know basis to other agencies.

    The depictions I read about were about e-mails and telephone calls but a few insiders took the mandate to mean all electronic communications. Including voice, bank accounts, postal code information of who sends letters to whom (this is commonly done with mail to prisoners in jail), radio chatter, billing information for utilities, and credit card information. Essentially every form of information that is transmitted or recorded electronically.

    I automatically assume this program was simply renamed and inserted into the dark budget. I mean, such a program is so compelling that it simply cannot be not undertaken, if for no other reason than to see how far it can go, and, of course, because if ‘we’ don’t do it early someone else is going to get ahead of us on the curve. This is one of those swords that simply cannot not be forged, and once made cannot not be used.

    This is not limited to governments. A more limited application of the trend is that large corporations routinely set up alerts for social media postings by employees. In some ways corporations, evermore heartless than government, scare me more than any federal agency. Some corporations have their own armies and air forces. Does anyone think they don’t have their own intelligence agencies?

    Anyway, back on point. There has long been whispers about widespread electronic monitoring. I think it can be assumed it is all monitored. Of course most of it is recorded but not analyzed because the real trick is in the analysis, making sense of and organizing it all.

    I really think that the NSA, and all the other agencies have been sharing information. Some of this is likely the electronic version of leaving a file on the desk and walking out. Nobody has to know, or admit to, the transfer. The down side is two edged. It is inefficient and vital information that might best get transmitted gets delayed, and, because officially the transmission didn’t take place, there are no limits, regulations, or controls. You can’t regulate what you don’t admit is going on.

    Obama has simply put the practice on the official map where people can openly talk about it. He has dragged it into the sunlight. Of course, no good deed goes unpunished. The critics of surveillance will claim Obama started the practice, I assure you he didn’t, and the people inside the programs will condemn him for revealing their existence even as it has to be admitted that the outlines of the programs have been known and assumed to be in place for decades, albeit in primitive but rapidly evolving and evermore powerful form over the years.

Leave a Reply