NSA's First Post-USA Freedom Act Report Shows It Can Still Turn Transparency Into Opacity

from the most-notable-fact?-that-it-even-exists dept

The NSA has released its first post-USA Freedom Act “Transparency Report,” highlighting the changes made to its bulk records collection as a result of the legislation. The NSA is now limited to approaching service providers for records using RAS (Reasonable Articulable Suspicion)-approved selectors, rather than simply gathering everything and sorting through it at its convenience.

That being said, it still performs a certain amount of “selecting” in the dark, using collected data held on its own servers. While the number of “hops” it’s able to perform from its original RAS-approved selector has been limited, it may be able to perform more expansive contact chaining thanks to its own analytic processes, which are removed from FISA Court oversight.

Julian Sanchez, writing for Just Security, notes that the NSA is indeed complying with the new law’s limitations on contact chaining.

The report’s definition of “one hop” and “two hop” results clarifies that they are interpreting the statute as Congress intended: The “results” generated in response to a specific selector will encompass only particular numbers in direct contact with that selector, as opposed to any numbers that might show up on (say) the same monthly phone bill.

However, this doesn’t necessarily mean the NSA is limiting itself to contacts once or twice removed from numbers in direct contact with RAS-approved selectors. Sanchez points out that there’s no way to tell exactly what the NSA is doing with its collected records before approaching service providers for data on contacts further down the chain.

There are two notable consequences to this procedure. On the one hand, at least on its face, it would seem to preclude NSA from requiring the phone carriers to conduct “chaining” between the first and second hop using data (such as, for instance, location information or billing addresses) possessed by the telephone carriers but not produced to NSA, because it falls outside the scope of USA Freedom’s relatively narrow definition of Call Detail Records. On the other hand, it makes the process of generating the list of one-hop selectors to be used by carriers as the basis for production of second-hop Call Detail Records effectively a black box under NSA’s control. The first list of “specific selectors” will consist of phone numbers or other identifiers that the Foreign Intelligence Surveillance Court has verified are linked to a foreign power (or agent thereof) engaged in international terrorism. But the second list — the basis for production of those second-hop Call Detail Records — will be generated by NSA itself, using its massive array of internal databases and its own definition of what it means for two numbers (or other identifiers) to be in “direct contact.”

So, that’s a concern and one that’s incredibly hard to track, as the NSA’s transparency reporting obscures the number of selectors queried. Not only that, but despite the report continually referring to “call records” and “telecommunications providers,” there’s nothing in the program that limits the NSA to collecting only telephone call metadata. Marcy Wheeler points out that a “selector” could be almost anything and return — instead of numbers dialed or received — information that could be used to track other activity.

What this means, in effect, is that NSA and FBI (the latter does the actual application) will get a specific identifier — which could be a phone number, a SIM card number, a handset identifier, or a credit card, among other things — approved at the FISC, then go back to at least NSA’s data (and quite possibly FBI’s), and find all the contacts with something deemed to “be” that identifier that would be meaningful for a “phone company” to query their own records with, up to and including a cookie (which is, by definition, a session identifier).

The ambiguity surrounding the term “selector” will not be reduced by the NSA’s reporting.

Given the breathtaking variety of selector types the NSA uses, this could represent a great deal of queries on the provider side, many tracking user activity rather than user communications. And, at least given how the privacy report describes the transparency reporting, neither those interim NSA selectors nor cookies showing user activity but not communication of information would get counted in transparency reports.

This is how the NSA will be reporting data on selectors, targets and records returned:

The number of targets under each order: Defined as the person using the selector. For example, if a target has a set of four selectors that have been approved, NSA will count one target, not four. Alternatively, if two targets are using one selector that has been approved, NSA will count two targets.

The number of unique identifiers used to communicate information collected pursuant to an order: Defined as each unique record sent back from the provider(s).

Julian Sanchez similarly notes the NSA will achieve opacity through transparency by reporting on its collection efforts in this manner.

[T]he additional directive to report the “number of unique identifiers used to communicate information collected pursuant to an order” employed under this authority has been interpreted in a rather counterintuitive way. The most natural-seeming way to read this would be as requiring a count of the number of “specific selectors” sent to the phone carriers as the basis for production of records — though arguably the fact that the statute doesn’t explicitly use the “specific selector” language could be read to signal that something different may have been intended. Instead, NSA reads this as requiring them to publish a tally of “each unique record sent back from the provider,” meaning that “if NSA receives the same record separately, whether from multiple providers or one provider, NSA will count each response separately. The Agency recognizes that NSA’s metrics, therefore, likely will be over-inclusive.” This will guarantee that the number reported is both extremely large and quite difficult to interpret.

By undercounting selectors and overcounting records collected, the NSA can nod towards transparency while producing a jumble of numbers that comes nowhere close to accurately portraying its collection activities.

Still, the fact that such a report exists is notable in and of itself, considering the agency has spent decades in total darkness. And there’s always a chance more refined reporting will be demanded in the future. For now, though, the NSA appears to be complying with the new law — at least as far as its relationship with telecommunications providers is concerned. Its method of contact chaining, however, appears to exist in a statutory loophole, free from direct FISA oversight.



Comments on “NSA's First Post-USA Freedom Act Report Shows It Can Still Turn Transparency Into Opacity”

Ben says:

One specific error in the quoted document

A cookie is not by definition in any way a session identifier. A web page can use a cookie to store a session identifier, but you can use a cookie to store something as simple as a language preference (eg, “lang=en”) and that is a cookie that in no way identifies a specific person, or their specific interaction with a web page (or site) in the way that a session cookie can.

I hate this kind of fuzzy thinking and manipulation of our technology to make a political point in a report. Too many reports avoid using accurate enough language to be right, whilst giving reporters (who’re generally not specialists) and therefore the readers of their reports an inaccurate understanding of a simple technology.

Cookies are a Good Thing(TM) in general, that can be used to less-than-spotless purposes, but they are not by definition dangerous. Just like computers.
