DOJ Blurred Lines Between Terrorism & Crime To Expand NSA & FBI Warrantless Wiretapping Of 'Hackers'

from the whatever,-it's-all-the-same dept

This week, of course, the US government passed the USA Freedom Act, a modest step towards reform. As we've noted, it doesn't even touch on two of the more concerning surveillance authorities: Executive Order 12333 and Section 702 of the FISA Amendments Act, which includes the infamous "warrantless wiretapping" programs that allow the NSA to tap "upstream" fiber optic cables from AT&T and others to sniff all data traveling across those cables.

Pro Publica and the NY Times have teamed up to report on how the DOJ expanded the warrantless wiretapping regime to go after hackers. There's a lot to unpack in the story (which is well worth reading), but the short version is that, under pressure from the White House, NSA and others, officials appear to have deliberately blurred the lines between "crime" and "international terrorism" in order to get the DOJ to sign off on secret legal orders allowing the NSA and the FBI to use its "upstream" snooping capabilities to monitor certain "cybersecurity signatures" which include basically anything the feds want, to sniff out a hacker. From the revealed documents (which, yes, come from Ed Snowden's cache):
If you can't see that, the key line is:

The Certification will also for the first time spell out the authorization for targeting cyber signatures such as IP addresses, strings of computer code, and similar non-email or phone number-based selectors.

In short: the government said, "okay, you can now sniff that upstream firehose for hackers based on whatever 'code snippets' or 'IP addresses' we give you."

Of course, this raises some questions about the split between domestic law enforcement and international anti-terrorism/foreign intelligence work. Remember, the 702 upstream program is pretty specific in that it's only to be used for non-domestic, non-criminal work. But, according to the White House, those distinctions no longer matter:

“Reliance on legal authorities that make theoretical distinctions between armed attacks, terrorism and criminal activity may prove impractical,” the White House National Security Council wrote in a classified annex to a policy report in May 2009, which was included in the NSA’s internal files.

Yes, apparently, it's "impractical" for the surveillance state to actually follow the law.

The documents also reveal that they really wanted access to that sweet, sweet upstream firehose, because much more limited programs like PRISM (which involve court orders to certain internet companies) didn't provide enough coverage:

Then, to take things a step further, the government allowed the FBI direct access to the NSA's upstream collection, even though the FBI doesn't have the same limits against surveillance on Americans that the NSA has. Why? Basically, the argument appears to be "well, the NSA already has that data... so... let's give it to the FBI as well":

The documents do contain an interesting slide presentation about how and when certain capabilities can be used, including a slide dedicated to repeating the 4th Amendment, and another with a note saying that the "worst thing" the NSA can do is to use its signals intelligence capabilities "to collect against a [US Person] hacker" because doing so is "basically doing surveillance for [law enforcement] purpose without a warrant." So, at the very least, they understand the law, but it's not at all clear that they follow it:

And, in fact, later in that same presentation, it notes that the NSA's Threat Operations Center (NTOC) wants more power to target "foreign hackers outside the US" without having to prove as much: "Because attribution is hard, just having to prove foreigness and an FI purpose is especially useful to NTOC."

According to the Pro Publica / NY Times report, the NSA sought more and more permission here, though it's not clear what has actually been granted:

In May and July 2012, according to an internal timeline, the Justice Department granted its secret approval for the searches of cybersignatures and Internet addresses. The Justice Department tied that authority to a pre-existing approval by the secret surveillance court permitting the government to use the program to monitor foreign governments.

That limit meant the NSA had to have some evidence for believing that the hackers were working for a specific foreign power. That rule, the NSA soon complained, left a “huge collection gap against cyberthreats to the nation” because it is often hard to know exactly who is behind an intrusion, according to an agency newsletter. Different computer intruders can use the same piece of malware, take steps to hide their location or pretend to be someone else.

So the NSA, in 2012, began pressing to go back to the surveillance court and seek permission to use the program explicitly for cybersecurity purposes. That way, it could monitor international communications for any “malicious cyberactivity,” even if it did not yet know who was behind the attack.

The newsletter described the further expansion as one of “highest priorities” of the NSA director, Gen. Keith B. Alexander.

Remember all of this when you see the government asking for new "cybersecurity" laws -- which all too frequently are ways of granting the NSA and/or FBI greater powers to do surveillance via these upstream collections. As The Intercept points out, during the big debates on cybersecurity over the last few years, the NSA has insisted that it doesn't have access to this kind of information, and almost every debate on the power of upstream collection by the NSA and others has been based on claims by the intelligence community that they only use unique identifiers like email addresses -- and not very, very broad identifiers like an IP address or "computer code."

There's a lot more in the full article and in the released documents which you can see below.

Reader Comments

  • Anonymous Anonymous Coward, 4 Jun 2015 @ 12:03pm

    Unique Identifiers, IP addresses

    Like those who all have the same IP address from the same VPN?

    Craigslist won't let me on when I have my VPN turned on, and I have never done anything there except look at ads, so it is my VPN IP address that they look at, and deny me. Therefore, those few times I really want to look at Craigslist ads, I turn my VPN off for a half hour or so.

    • Anonymous Coward, 4 Jun 2015 @ 2:07pm

      Re: Unique Identifiers, IP addresses

      Which means in theory you could get a tracker (f.e. cookie) that identifies you on other sites and that makes the vpn useless because the cookie is linked to your IP and if they read the cookie they read your IP.
      Congrats, you just wasted money on a useless VPN ; )

      • Anonymous Anonymous Coward, 4 Jun 2015 @ 2:25pm

        Re: Re: Unique Identifiers, IP addresses

        Maybe, but I don't use it to hide my IP address, that is just another feature of such services, and as I noted, because of other bad actors a failure of such services.

        Oh, and cookies, I wipe all of those out with an irregular regularity.

        • Anonymous Coward, 4 Jun 2015 @ 3:21pm

          Re: Re: Re: Unique Identifiers, IP addresses

          Are you sure you can erase all cookies? In theory someone could get "in front" of the site and add some stuff via mitm that isn't deleted so easily.

          I wouldn't call it failure of such services because the service still works but the site decides to block them. So imho it is a failure of the site. But I guess both points of view have good arguments.

          And I guess if you don't use it to mask your IP and only for other stuff like i.e. IP blocks then it's nothing you have to worry about but for people who do it's just a reminder that even a short time of using a real IP can breach security.

          • Anonymous Coward, 5 Jun 2015 @ 3:25am

            Re: Re: Re: Re: Unique Identifiers, IP addresses

            Yes, you can manually delete all of your cookies in a dozen different ways, but there's just as many ways to manage your cookies (so only the cookies you want are received and updated) but most people are ignorant to the methods...

    • Anonymous Coward, 4 Jun 2015 @ 4:37pm

      Re: Unique Identifiers, IP addresses

      Why not just use TorBrowser for Craigslist? You can keep switching IPs until you get one it doesn't block :)

      • Anonymous Anonymous Coward, 4 Jun 2015 @ 5:23pm

        Re: Re: Unique Identifiers, IP addresses

        It is a matter of convenience. Your way, close browser, start the Tor hive thingy, open Torbrowser and when finished shut all those down and open regular browser again.

        My way, open router page, click on Tunneling client, click stop, and when finished click start and then click log out of router.

        Both methods would require that I log into my PasswordSafe. The fact that my VPN is on the router rather than desktop software helps a lot, including offloading encrypt/decrypt functions to a different cpu.

  • Anonymous Coward, 4 Jun 2015 @ 12:05pm

    "Democratic" governments lately: "It's so impractical to follow the Constitution or the Human Rights Act! It would make our jobs so much easier if we didn't have to follow those..."

  • Jason, 4 Jun 2015 @ 12:16pm

    “Reliance on legal authorities that make theoretical distinctions between armed attacks, terrorism and criminal activity may prove impractical,” the White House National Security Council wrote in a classified annex to a policy report in May 2009, which was included in the NSA’s internal files.

    Yes, apparently, it's "impractical" for the surveillance state to actually follow the law.
    And apparently the difference between an armed attack, terrorism, and criminal activity is only "theoretical".

    • Anonymous Coward, 4 Jun 2015 @ 2:34pm

      Re:

      Stupid consumers thinking they still have rights. How dare they get mad at us for spying on them. Don't they know we could arrest everyone just on the already stored information on them? Next thing you know, they are going to want to actually hold us accountable for what we do with our secret powers.

  • Anonymous Coward, 4 Jun 2015 @ 12:43pm

    So Raise your Hand...

    If you didn't see this coming?

    I mean the slippery slope folks fell all over themselves screaming about it.

    • That One Other Not So Random Guy, 4 Jun 2015 @ 2:57pm

      Re: So Raise your Hand...

      Yes but they were labeled "Conspiracy Theorists" and no one listened. Looks like we need MORE tinfoil hats not less.

  • Anonymous Coward, 4 Jun 2015 @ 1:04pm

    Hmm, This is definitely a bit troubling. As an IT person, I in fact do have services in the US and also abroad which I use for multiple purposes including Pen testing my own systems. Basically, if I use my TATA communications account in India, my OVH server in France, or perhaps even my AWS account in Ireland to run metasploit, I guess that I'm now an international terrorist. Sadly, perhaps if some of the companies had performed some of these tests, there wouldn't be as many successful hacks that are seen today, or at least could have been minimized through proper IDS detection.

  • Guardian, 4 Jun 2015 @ 1:06pm

    fellow humans of earth....

    fellow humans of earth

    STOP DOING BUSINESS WITH THE UNITED FASCIST STATES OF AMERICA AND DO NOT FORGET COPS KILLED 9 BIKERS IN WACO AND ARE COVERING IT UP THAT THEY SHOT HUNDREDS OF ROUNDS AT THEM ALL.

  • Anonymous Coward, 4 Jun 2015 @ 1:13pm

    It has been pretty clear that the current tyrants behind the last several decades of US government policies consider anyone that is not 100% for whatever choices the government makes is considered a terrorist.

    When you consider DHS and the FBI teaching people that the founding fathers were terrorists that should be hated and reviled instead of respected and revered

  • Anonymous Coward, 4 Jun 2015 @ 3:21pm

    Computer Code

    I've heard that terrorists have used Microsoft Windows in the past. So, someone using Windows on the internet could be a terrorist.

    Yeah, I see how that works.

  • orbitalinsertion, 5 Jun 2015 @ 12:44am

    For some reason, I see all the leaked document snippets as being written in Comic Sans.

  • Anonymous Coward, 5 Jun 2015 @ 4:34am

    Unique code and strings?

    If obliviously glancing over some lines of code can be used in any judicial or executive process, this could be blatantly misused.
    "Your honor he haxxored 'printf('Hello World!');' just like the infamous 4chan the he surely must be, so please find him guilty and his possessions too"

    Copy&paste should be suspicious, as you could easily frame other people.
