[BITList] PRISM

FS franka at iinet.net.au
Mon Jun 24 15:36:43 BST 2013 

  Colin


  Using Tor and other means to hide your location piques NSA's interest
  in you

by Lisa Vaas <http://nakedsecurity.sophos.com/author/nslisavaas/> on 
June 24, 2013 | 
<http://nakedsecurity.sophos.com/2013/06/24/using-tor-and-other-means-to-hide-your-location-piques-nsas-interest-in-you/#comments> 


Filed Under: Featured 
<http://nakedsecurity.sophos.com/category/featured/>, Law & order 
<http://nakedsecurity.sophos.com/category/law-order/>, Privacy 
<http://nakedsecurity.sophos.com/category/privacy/>


President Barack Obama and top intelligence officials have emphasized 
that surveillance now being referred to as PRISM 
<http://nakedsecurity.sophos.com/2013/06/08/us-uses-nsa-fbi-prism-program-to-snoop-on-everything-and-everybody/> 
is done under court oversight.

Just what, exactly, that court oversight has entailed has never been 
elucidated - not, that is, until Thursday, when The Guardian 
<http://www.guardian.co.uk/world/2013/jun/20/fisa-court-nsa-without-warrant> 
published top-secret documents submitted to the secret Foreign 
Intelligence Surveillance (FISA) court.

Those documents show that FISA judges have signed off on "broad orders" 
that allow the National Security Agency (NSA) to use information 
collected "inadvertently" from domestic US sources without a warrant, 
The Guardian reports.

The Guardian published in full these two documents, which describe the 
procedures used by the NSA to target its surveillance:

  * NSA procedures to target non-US persons [PDF]
    <http://www.guardian.co.uk/world/interactive/2013/jun/20/exhibit-a-procedures-nsa-document>
  * NSA procedures to minimise data collected from US persons [PDF]
    <http://www.guardian.co.uk/world/interactive/2013/jun/20/exhibit-b-nsa-procedures-document>

Both documents were signed by Attorney General Eric Holder and dated 29 
July 2009.

In a speech 
<http://www.huffingtonpost.co.uk/2013/06/19/prism-obama-germany-merkel_n_3464613.html> 
delivered on Wednesday in Germany, President Obama called the 
surveillance "a circumscribed, narrow system" whose aim is to protect 
"our people", all of it being done "under the oversight of the courts."

In spite of such assurances, it turns out that the FISA courts allow for 
much broader surveillance and much more leeway for mistakes than the 
public has known up until now.

The documents detail when data collected on US persons under the foreign 
intelligence authority has to be destroyed, the procedures analysts must 
follow to ascertain whether targets are outside the US, and how US call 
records are used to help remove US citizens and residents from data 
collection.

 From The Guardian, a list of how policies approved by the FISA court 
allow NSA agents to:

  * Keep data that could potentially contain details of US persons for
    up to five years;
  * Retain and make use of "inadvertently acquired" domestic
    communications if they contain usable intelligence, information on
    criminal activity, threat of harm to people or property, are
    encrypted, or are believed to contain any information relevant to
    cybersecurity;
  * Preserve "foreign intelligence information" contained within
    attorney-client communications;
  * Access the content of communications gathered from "U.S. based
    machine[s]" or phone numbers in order to establish if targets are
    located in the US, for the purposes of ceasing further surveillance.

One of the most jarring revelations to come out of the documents is that 
the administration's assurances of US citizens' protection from 
warrantless surveillance seems to have plenty of footnotes and 
exceptions that haven't been publicly disclosed until now.

They also reveal that courts don't always determine who's targeted for 
surveillance because that discretion is practiced by the NSA's own 
analysts, with only a percentage of decisions being reviewed by regular 
internal audits.

To make those decisions, NSA analysts use information including IP 
addresses, potential targets' statements, and public information and 
data collected by other agencies.

Tor logo

In the absence of such information - for example, if a potential target 
is using online anonymity services such as Tor, or sending encrypted 
email and instant messages - agents are encouraged to assume that the 
target is outside the US.

 From the documents:

    "In the absence of specific information regarding whether a target
    is a United States person, a person reasonably believed to be
    located outside the United States or whose location is not known
    will be presumed to be a non-United States person unless such person
    can be positively identified as a United States person."

If it turns out that a person of interest is actually in the US, 
analysts are still permitted to look at the content of his or her 
messages, or listen to phone calls, to establish whether they are, in 
fact, in the country.

In 2009, Holder signed off on procedures that instructed communications 
interception to stop immediately once a target is confirmed to be in the 
US.

But that excludes large-scale data, from which the NSA claims it can't 
filter out US vs. non-US communications.

The NSA is allowed to argue for the retention of entirely domestic 
communications - i.e., when neither of the parties is overseas - if it 
finds "significant foreign intelligence information", "evidence of a 
crime", "technical database information" (such as encrypted 
communications), or "information pertaining to a threat of serious harm 
to life or property".

If communication is encrypted - particularly if a US person is using 
certain types of cryptology or steganography known to have been used by 
"individuals associated with a foreign power or foreign territory" - the 
NSA is free to collect it and store it "indefinitely" for future 
reference and cryptanalysis attempts.

The American Civil Liberties Union (ACLU) put out a statement 
<http://www.aclu.org/national-security/nsa-claims-broad-authority-monitor-americans-international-calls-and-emails> 
on Thursday criticizing the government's warrantless surveillance "of 
innocent Americans' international communications."

Jameel Jaffer, American Civil Liberties Union deputy legal director, 
said that the latest revelations confirm the fears that first arose when 
Congress enacted FISA in 2008:

    "We worried that the NSA would use the new authority to conduct
    warrantless surveillance of Americans' telephone calls and emails.
    These documents confirm many of our worst fears. The 'targeting'
    procedures indicate that the NSA is engaged in broad surveillance of
    Americans' international communications.

    "The 'minimization' procedures that supposedly protect Americans'
    constitutional rights turn out to be far weaker than we imagined
    they could be. For example, the NSA claims the authority to collect
    and disseminate attorney-client communications - and even, in some
    circumstances, to turn them over to Justice Department prosecutors.
    The government also claims the authority to retain Americans' purely
    domestic communications in certain situations."

ACLU Staff Attorney Alex Abdo said:

    "Collectively, these documents show indisputably that the legal
    framework under which the NSA operates is far too feeble, that
    existing oversight mechanisms are ineffective, and that the
    government's surveillance policies now present a serious and ongoing
    threat to our constitutional rights. The release of these documents
    will help inform a crucial public debate that should have taken
    place years ago."

Keyhole. Image courtesy of Shutterstock

The so-called PRISM surveillance saga, far from slipping from public 
view, has, in fact, fueled a debate that had already begun to produce 
fruit, including Texas' newly enacted law against warrantless 
surveillance 
<http://nakedsecurity.sophos.com/2013/06/19/texas-becomes-first-us-state-to-ban-warrantless-email-snooping/> 
at the state level.

Meanwhile, efforts are already underway in both houses of Congress to 
revise the woefully antiquated Electronic Communications Privacy Act, 
which was written in 1986, well before the current realities of cloud 
storage and other technologies transformed how we use electronic 
communications.

The debate is, indeed, overdue, and the public deserves to be informed 
of every aspect possible, short of compromising national security.

Read The Guardian's reporting on the issue. It's far more extensive than 
what I've summarized here.

A heartfelt thank you to the news outlet for continuing to follow the 
story to whatever new revelations it may yet have in store.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.bcn.mythic-beasts.com/pipermail/bitlist/attachments/20130624/520b84ab/attachment-0002.htm 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.bcn.mythic-beasts.com/pipermail/bitlist/attachments/20130624/520b84ab/attachment-0003.htm

More information about the BITList mailing list