DOJ Blurred Lines Between Terrorism & Crime To Expand NSA & FBI Warrantless Wiretapping Of 'Hackers'

from the whatever,-it's-all-the-same dept

This week, of course, the US government passed the USA Freedom Act, a modest step towards reform. As we’ve noted, it doesn’t even touch on two of the more concerning surveillance authorities: Executive Order 12333 and Section 702 of the FISA Amendments Act, which includes the infamous “warrantless wiretapping” programs that allow the NSA to tap “upstream” fiber optic cables from AT&T and others to sniff all data traveling across those cables.

Pro Publica and the NY Times have teamed up to report on how the DOJ expanded the warrantless wiretapping regime to go after hackers. There’s a lot to unpack in the story (which is well worth reading), but the short version is that, under pressure from the White House, NSA and others, officials appear to have deliberately blurred the lines between “crime” and “international terrorism” in order to get the DOJ to sign off on secret legal orders allowing the NSA and the FBI to use its “upstream” snooping capabilities to monitor certain “cybersecurity signatures” which include basically anything the feds want, to sniff out a hacker. From the revealed documents (which, yes, come from Ed Snowden’s cache):

If you can’t see that, the key line is:

The Certification will also for the first time spell out the authorization for targeting cyber signatures such as IP addresses, strings of computer code, and similar non-email or phone number-based selectors.

In short: the government said, “okay, you can now sniff that upstream firehose for hackers based on whatever “code snippets” or “IP addresses” we give you.”

Of course, this raises some questions about the split between domestic law enforcement and international anti-terrorism/foreign intelligence work. Remember, the 702 upstream program is pretty specific in that it’s only to be used for non-domestic, non-criminal work. But, according to the White House, those distinctions no longer matter:

?Reliance on legal authorities that make theoretical distinctions between armed attacks, terrorism and criminal activity may prove impractical,? the White House National Security Council wrote in a classified annex to a policy report in May 2009, which was included in the NSA?s internal files.

Yes, apparently, it’s “impractical” for the surveillance state to actually follow the law.

The documents also reveal that they really wanted access to that sweet, sweet upstream firehose, because much more limited programs like PRISM (which involve court orders to certain internet companies) didn’t provide enough coverage:

Then, to take things a step further, the government allowed the FBI direct access to the NSA’s upstream collection, even though the FBI doesn’t have the same limits against surveillance on Americans that the NSA has. Why? Basically, the argument appears to be “well, the NSA already has that data… so… let’s give it to the FBI as well”:
The documents do contain and interesting slide presentation about how and when certain capabilities can be used, including a slide dedicated to repeating the 4th Amendment, and another with a note saying that the “worst thing” the NSA can do is to use its signals intelligence capabilities “to collect against a [US Person] hacker” because doing so is “basically doing surveillance for [law enforcement] purpose without a warrant.” So, at the very least, they understand the law, but it’s not at all clear that they follow it:
And, in fact, later in that same presentation, it notes that the NSA’s Threat Operations Center (NTOC) wants more power to target “foreign hackers outside the US” without having to prove as much: “Because attribution is hard, just having to prove foreigness and an FI purpose is especially useful to NTOC.”

According to the Pro Publica / NY Times report, the NSA sought more and more permission here, though it’s not clear what has actually been granted:

In May and July 2012, according to an internal timeline, the Justice Department granted its secret approval for the searches of cybersignatures and Internet addresses. The Justice Department tied that authority to a pre-existing approval by the secret surveillance court permitting the government to use the program to monitor foreign governments.

That limit meant the NSA had to have some evidence for believing that the hackers were working for a specific foreign power. That rule, the NSA soon complained, left a ?huge collection gap against cyberthreats to the nation? because it is often hard to know exactly who is behind an intrusion, according to an agency newsletter. Different computer intruders can use the same piece of malware, take steps to hide their location or pretend to be someone else.

So the NSA, in 2012, began pressing to go back to the surveillance court and seek permission to use the program explicitly for cybersecurity purposes. That way, it could monitor international communications for any ?malicious cyberactivity,? even if it did not yet know who was behind the attack.

The newsletter described the further expansion as one of ?highest priorities? of the NSA director, Gen. Keith B. Alexander.

Remember all of this when you see the government asking for new “cybersecurity” laws — which all too frequently are ways of granting the NSA and/or FBI greater powers to do surveillance via these upstream collections. As The Intercept points out, during the big debates on cybersecurity over the last few years, the NSA has insisted that it doesn’t have access to this kind of information, and almost every debate on the power of upstream collection by the NSA and others has been based on claims by the intelligence community that they only use unique identifiers like email addresses — and not very, very broad identifiers like an IP address or “computer code.”

There’s a lot more in the full article and in the released documents which you can see below.

Filed Under: , , , , , , , , ,

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “DOJ Blurred Lines Between Terrorism & Crime To Expand NSA & FBI Warrantless Wiretapping Of 'Hackers'”

Subscribe: RSS Leave a comment
Anonymous Anonymous Coward says:

Unique Identifiers, IP addresses

Like those who all have the same IP address from the same VPN?

Craigslist won’t let me on when I have my VPN turned on, and I have never done anything there except look at ads, so it is my VPN IP address that they look at, and deny me. Therefore, those few times I really want to look at Craigslist ads, I turn my VPN off for a half hour or so.

Anonymous Coward says:

Re: Unique Identifiers, IP addresses

Which means in theory you could get a tracker (f.e. cookie) that identifies you on other sites and that makes the vpn useless because the cookie is linked to your IP and if they read the cookie they read your IP.
Congrats, you just wasted money on a useless VPN ; )

Anonymous Anonymous Coward says:

Re: Re: Unique Identifiers, IP addresses

Maybe, but I don’t use it to hide my IP address, that is just another feature of such services, and as I noted, because of other bad actors a failure of such services.

Oh, and cookies, I wipe all of those out with an irregular regularity.

Anonymous Coward says:

Re: Re: Re: Unique Identifiers, IP addresses

Are you sure you can erase all cookies? In theory someone could get “in front” of the site and add some stuff via mitm that isn’t deleted so easily.

I wouldn’t call it failure of such services because the service still works but the site decides to block them. So imho it is a failure of the site. But I guess both points of view have good arguments.

And I guess if you don’t use it to mask your IP and only for other stuff like i.e. IP blocks then it’s nothing you have to worry about but for people who do it’s just a reminder that even a short time of using a real IP can breach security.

Anonymous Anonymous Coward says:

Re: Re: Unique Identifiers, IP addresses

It is a matter of convenience. Your way, close browser, start the Tor hive thingy, open Torbrowser and when finished shut all those down and open regular browser again.

My way, open router page, click on Tunneling client, click stop, and when finished click start and then click log out of router.

Both methods would require that I log into my PasswordSafe. The fact that my VPN is on the router rather than desktop software helps a lot, including offloading encrypt/decrypt functions to a different cpu.

Jason says:

“Reliance on legal authorities that make theoretical distinctions between armed attacks, terrorism and criminal activity may prove impractical,” the White House National Security Council wrote in a classified annex to a policy report in May 2009, which was included in the NSA’s internal files.

Yes, apparently, it’s “impractical” for the surveillance state to actually follow the law.

And apparently the difference between an armed attack, terrorism, and criminal activity is only “theoretical”.

Anonymous Coward says:

Re: Re:

Stupid consumers thinking they still have rights. How dare they get mad at us for spying on them. Don’t they know we could arrest everyone just on the already stored information on them? Next thing you know, they are going to want to actually hold us accountable for what we do with our secret powers.

Anonymous Coward says:

Hmm, This is definitely a bit troubling. As an IT person, I in fact do have services in the US and also abroad which I use for multiple purposes including Pen testing my own systems. Basically, if I use my TATA communications account in India, my OVH server in France, or perhaps even my AWS account in Ireland to run metasploit, I guess that I’m now an international terrorist. Sadly, perhaps if some of the companies had performed some of these tests, there wouldn’t be as many successful hacks that are seen today, or at least could have been minimized through proper IDS detection.

Anonymous Coward says:

It has been pretty clear that the current tyrants behind the last several decades of US government policies consider anyone that is not 100% for whatever choices the government makes is considered a terrorist.

When you consider DHS and the FBI teaching people that the founding fathers were terrorists that should be hated and reviled instead of respected and revered

Anonymous Coward says:

Unique code and strings?

If obliviously glancing over some lines of code can be used in any judicial or executive process, this could be blatantly misused.
“Your honor he haxxored ‘printf(‘Hello World!’);’ just like the infamous 4chan the he surely must be, so please find him guilty and his possessions too”

Copy&paste should be suspicous, as you could easily frame other people.

Add Your Comment

Your email address will not be published.

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...