The NSA's 702 Shutdown Is Good News, But There Are A Whole Lot Of Caveats

from the ALL-THE-ASTERISKS dept

The surprising shutdown of the NSA’s email harvesting program — one that operated “upstream” and grabbed not just communications to and from surveillance targets, but also those “about” surveillance targets — is good news. Considering the NSA had done nothing but abuse this specific privilege, the shutdown is a welcome surprise. But it’s not great news, for a variety of reasons.

First, the shutdown arrives on the heels of a yearlong denial of surveillance requests by the FISA court. This indicates the NSA was either still abusing its collection or the court no longer felt the program was constitutional, at least not the way the NSA was running it. The shutdown seems to reflect the NSA’s inability or unwillingness to shift towards more targeted surveillance methods — ones that won’t sweep up lots of US persons’ communications inadvertently.

It also suggests the program — at least the upstream part of it — is no longer as useful as it used to be. The rise in default encryption by email providers may be preventing the NSA from gathering as much info as it used to, as Julian Sanchez explains at Just Security.

[I]t is entirely possible that the change is driven in significant part by the broader post-Snowden adoption of STARTTLS encryption of communications between e-mail servers. That is, it is quite plausible that a large and growing percentage of transiting e-mail traffic is simply no longer visible to NSA, and must be accessed “downstream” at the e-mail server itself, rendering this form of collection less worth picking fights with the FISC over.

The NSA’s statements about the shutdown mention that it will still be performing upstream collections but removing the “about” search variable. The agency notes this will decrease the amount of captured communications. But it’s quite possible it was seeing fewer and fewer communications before it made this decision. The NSA shouldn’t be too concerned about this loss (and it likely isn’t), considering it has other options it can use to capture the communications it says it won’t be capturing anymore.

[T]o the extent the traffic remains visible to NSA, they may simply have decided that it is easier to do the same “about” scans outside the borders of the United States, beyond the purview of either FISA or the FISC.

This is an option the NSA has deployed before. In 2011, the NSA killed off its bulk domestic collection of US persons’ email metadata. Or so it said. In reality, it simply stopped gathering this data from domestic providers.

The [Inspector General’s] report explained that there were two other legal ways to get such data. One was the collection of bulk data that had been gathered in other countries, where the N.S.A.’s activities are largely not subject to regulation by the Foreign Intelligence Surveillance Act and oversight by the intelligence court. Because of the way the Internet operates, domestic data is often found on fiber optic cables abroad.

This option is still viable and possibly of much more use to the NSA. If so, the NSA may be giving up part of its upstream collection in hopes of preventing its offshore and downstream collections from being scrutinized as thoroughly in the runup to the renewal of the FISA Amendments Act.

This is just what isn’t being done upstream or under Section 702. The NSA still can gather plenty of US persons’ communications — incidentally or not — under Executive Order 12333.

[T]he NSA’s authorities under executive order 12333 are vast, undisclosed and unconstrained by any need to explain its collections to the Fisa court. A former state department official who has warned Congress about 12333, John Napier Tye, has alleged that the NSA uses 12333 as a backup plan to route around legal restrictions on US surveillance.

“To the extent US person information is either stored outside the United States, routed outside the United States, in transit outside the United States, it’s possible for it to be incidentally collected under 12333,” Tye told the Guardian in 2014.

Whatever the NSA might be losing, it can only be a small percentage of its total take. It also has the option of asking friendly foreign intelligence agencies to perform these searches for it — again without having to notify the FISA court.

The final problem with the NSA’s announcement is it’s unmoored from legislation. Unlike the drastic modification of the Section 215 metadata program — which was tied to statutory requirements laid down by the USA Freedom Act — the voluntary shutdown of the “about” collection doesn’t contain anything legally-binding. As the ACLU points out, without codification the NSA could start its collection up again without notice, provided it has found a way to comply with the FISA court’s demands… or found a better way to look like it’s in compliance.

Filed Under: , , , ,

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “The NSA's 702 Shutdown Is Good News, But There Are A Whole Lot Of Caveats”

Subscribe: RSS Leave a comment
Durham says:

Re: answer me this?

A nation physically can not legally or ethically impose its internal laws upon areas or persons outside its sovereign geographical territory, though some governments do by brute force or threats.

But that ‘should’ not matter with the NSA. NSA personnel nominally work directly for the U.S. President and indirectly for Congress– President/Congress could impose whatever administrative work rules/restrictions they desire upon NSA personnel, as a condition of employment.

However, in practice, the NSA is so secretive, isolated and powerful — that the President, his staff, and Congress (and FISA Court) have no real management knowledge or control of what NSA is actually doing day to day.

The NSA is essentially an independent, extra-governmental entity operating worldwide.

Anonymous Coward says:

Re: Re: answer me this?

“A nation physically can not legally or ethically impose its internal laws upon areas or persons outside its sovereign geographical territory, though some governments do by brute force or threats.”

You failed to understand the question.

#1. A nation CAN physically AND legally AND ethically impose its laws upon areas or persons outside its sovereign geographical territory. Yes ALL government do this and yes they ALL do it illegally, physically, and unethically as well. But each are separate issues and have no bearing upon each other.

#2. The answer to AC question should have been. All Americans technically and legally, as per the U.S. Constitution, “should” enjoy the exact same rights and privileges when dealing with the American government regardless of geographical locality. The rights of American citizens when dealing with their government never ends. But hey, its not like the American Government does not wipe its ass with the Constitution, and its not like most American Citizens are not worthless fucks without a clue. So naturally the Government is going to tell you right to your face that they respect the constitution as they clearly and visibly step on it as they walk to and from their podiums.

You are largely correct about the rest of the stuff and the NSA being extra governmental.

A lot of people don’t know it, but that creates a huge problem where a shadow coup is possible within the U.S.A. Power players are ALWAYS looking to stay in the shadows because that is the most powerful position to be in. Have you ever wondered why the rhetoric of most parties seem wildly different but the results tend to be largely the same?

Mike Masnick (profile) says:

Re: can someone answer me this?

Correct me if I’m wrong, but don’t U.S. laws apply to U.S. citizens whether they’re in the U.S. or not? If so, why does the NSA think that U.S. laws only apply to its operations in the U.S.?

The key term here is "US Persons" which the NSA considers to be anyone on US soil or a US citizen overseas. So, you’re correct. But the way they handle it (they claim) is through minimization. They can suck up tons of stuff overseas, but they claim that if they become aware of US persons’ communications (including US persons overseas), they will "minimize" the identifying info. How effective that is… well, that’s open to interpretation.

Anonymous Coward says:

Well, legislation protecting from inland collection has been one of the pillars in distinguishing between police and military jobs.

Today the stream of information is one grey mass on the internet, something the historical distinction cannot deal with. Thus NSA is a kind of limitless collection that sieves the information and puts it into boxes with different legal standards.

In reality the question of how NSA should act is largely ungoverned since it is a split responsibility. The presidents side is too easily slanted towards propagandizing for the apparatus in NSA (It is responsible for how the main part of NSA acts. Saying NSA does something illegal and/or has too wide responsibilities is pointing fingers at yourself!).
The corner the congress has access to review is mostly collateral and since congress don’t want to admit to problems on a historically bipartisan issue with no possibility for open public debate (no gain in smearing both parties!), the issue is very much in a political deadlock as to responsibility since nobody has anything to gain by playing up the issue and canaries are very easy to shut down on account of confidentiality.

Anonymous Coward says:

While this slightly heartens me, I’m wary. How are we to know there isn’t some classified legal interpretations of key words here? Just like shenanigans with “collect” and “facility”, I don’t see how it’s possible to trust this disclosure as being substantive.

I get it’s what we got and we’re starved for *anything* of substance with regards to NSA reforms, but bereft of robust judicial or legislative changes, I won’t hold my breath.

The inner cynic in me assumes this
1) Is being done to discourage Congress from implementing meaningful legal reforms under the guise of “the problem program has been shut down! We’re all good now. Nothing to see here!”
2) Is temporary and will be started back up later on without public notice.

Chuck says:

Do we get a refund now?

So, now that the program it was (primarily) built for is dead, do we (the taxpayers) get a refund on the $2 BILLION that was spent on the massive NSA Utah Data Center?


Just seems like a LOT of money for a government project that was only really used for 2 years. I mean, it’s practically brand new! Can’t the government sell it to Google or something and at least get us SOME of our (wasted) money back?!

JoeT says:

STARTTLS is perhaps why they don't need 702

One of the more obsolete reasons the NSA is allowed to intercept communications is if it is encrypted. Presumably under the assumption that “only spies encrypt their traffic”. While that may have been true in the 70’s, it clearly isn’t now, but just like ECPA and the Stored Communications Act, that the law isn’t keeping up with reality is acting in the spooks favor.

And if you don’t think a large percentage of “encrypted” communications are insecure to a well funded adversary (e.g. logjam, or protocol downgrade w/an active MITM), I have a bridge to sell you.

Personanongrata says:

Strategic Communications and Charades

The NSA’s 702 Shutdown Is Good News, But There Are A Whole Lot Of Caveats

Do not be fooled. This is simply a public-relations ploy on part of NSA (US government).

Unless congress reauthorizes the FISA Amendments Act by 31Dec2017 the Act will expire and what better way to foster goodwill than to appear to be making concessions to the law (Constitution).

Highlighted text below was excerpted from the website a report titled The FISA Amendments Act: Q&A

It will sunset on December 31, 2017 unless Congress passes legislation to remove or extend the sunset provision.
Title VII includes not only Section 702, which concerns
targeting non-United States (U.S.) persons 1 abroad for
surveillance, but also Sections 703, 704 and 705, which concern and provide statutory procedures and protections for
surveillance of U.S. persons abroad.

Add Your Comment

Your email address will not be published.

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »