NSA's First Post-USA Freedom Act Report Shows It Can Still Turn Transparency Into Opacity

from the most-notable-fact?-that-it-even-exists. dept

The NSA has released its first post-USA Freedom Act "Transparency Report," highlighting the changes made to its bulk records collection as a result of the legislation. The NSA is now limited to approaching service providers for records using RAS (Reasonable Articulable Suspicion)-approved selectors, rather than simply gathering everything and sorting through it at its convenience.

That being said, it still performs a certain amount of "selecting" in the dark, using collected data held on its own servers. While the number of "hops" it's able to perform from its original RAS-approved selector has been limited, it may be able to perform more expansive contact chaining thanks to its own analytic processes, which are removed from FISA Court oversight.

Julian Sanchez, writing for Just Security, notes that the NSA is indeed complying with the new law's limitations on contact chaining.

The report’s definition of “one hop” and “two hop” results clarifies that they are interpreting the statute as Congress intended: The “results” generated in response to a specific selector will encompass only particular numbers in direct contact with that selector, as opposed to any numbers that might show up on (say) the same monthly phone bill.
However, this doesn't necessarily mean the NSA is limiting itself to contacts once or twice removed from numbers in direct contact with RAS-approved selectors. Sanchez points out that there's no way to tell exactly what the NSA is doing with its collected records before approaching service providers for data on contacts further down the chain.
There are two notable consequences to this procedure. On the one hand, at least on its face, it would seem to preclude NSA from requiring the phone carriers to conduct “chaining” between the first and second hop using data (such as, for instance, location information or billing addresses) possessed by the telephone carriers but not produced to NSA, because it falls outside the scope of USA Freedom’s relatively narrow definition of Call Detail Records. On the other hand, it makes the process of generating the list of one-hop selectors to be used by carriers as the basis for production of second-hop Call Detail Records effectively a black box under NSA’s control. The first list of “specific selectors” will consist of phone numbers or other identifiers that the Foreign Intelligence Surveillance Court has verified are linked to a foreign power (or agent thereof) engaged in international terrorism. But the second list — the basis for production of those second-hop Call Detail Records — will be generated by NSA itself, using its massive array of internal databases and its own definition of what it means for two numbers (or other identifiers) to be in “direct contact.”
So, that's a concern and one that's incredibly hard to track, as the NSA's transparency reporting obscures the number of selectors queried. Not only that, but despite the report continually referring to "call records" and "telecommunications providers," there's nothing in the program that limits the NSA to collecting only telephone call metadata. Marcy Wheeler points out that a "selector" could be almost anything and return -- instead of numbers dialed or received -- information that could be used to track other activity.
What this means, in effect, is that NSA and FBI (the latter does the actual application) will get a specific identifier — which could be a phone number, a SIM card number, a handset identifier, or a credit card, among other things — approved at the FISC, then go back to at least NSA’s data (and quite possibly FBI’s), and find all the contacts with something deemed to “be” that identifier that would be meaningful for a “phone company” to query their own records with, up to and including a cookie (which is, by definition, a session identifier).
The ambiguity surrounding the term "selector" will not be made any less ambiguous by the NSA's reporting.
Given the breathtaking variety of selector types the NSA uses, this could represent a great deal of queries on the provider side, many tracking user activity rather than user communications. And, at least given how the privacy report describes the transparency reporting, neither those interim NSA selectors nor cookies showing user activity but not communication of information would get counted in transparency reports.
This is how the NSA will be reporting data on selectors, targets and records returned:
The number of targets under each order: Defined as the person using the selector. For example, if a target has a set of four selectors that have been approved, NSA will count one target, not four. Alternatively, if two targets are using one selector that has been approved, NSA will count two targets.

The number of unique identifiers used to communicate information collected pursuant to an order: Defined as each unique record sent back from the provider(s).
Julian Sanchez similarly notes the NSA will achieve opacity through transparency by reporting on its collection efforts in this manner.
[T]he additional directive to report the “number of unique identifiers used to communicate information collected pursuant to an order” employed under this authority has been interpreted in a rather counterintuitive way. The most natural-seeming way to read this would be as requiring a count of the number of “specific selectors” sent to the phone carriers as the basis for production of records — though arguably the fact that the statute doesn’t explicitly use the “specific selector” language could be read to signal that something different may have been intended. Instead, NSA reads this as requiring them to publish a tally of “each unique record sent back from the provider,” meaning that “if NSA receives the same record separately, whether from multiple providers or one provider, NSA will count each response separately. The Agency recognizes that NSA’s metrics, therefore, likely will be over-inclusive.” This will guarantee that the number reported is both extremely large and quite difficult to interpret.
By undercounting selectors and overcounting records collected, the NSA can nod towards transparency while producing a jumble of numbers that comes nowhere close to accurately portraying its collection activities.

Still, the fact that such a report exists is notable in and of itself, considering the agency has spent decades in total darkness. And there's always a chance more refined reporting will be demanded in the future. For now, though, the NSA appears to be complying with the new law -- at least as far as its relationship with telecommunications providers is concerned. Its method of contact chaining, however, appears to exist in a statutory loophole, free from direct FISA oversight.

Filed Under: nsa, transparency report, usa freedom act


Reader Comments

Subscribe: RSS

View by: Time | Thread


  • identicon
    Anonymous Anonymous Coward, 22 Jan 2016 @ 3:09pm

    Hop To It

    Maybe we should rename NSA HQ the Magic Rabbit Hutch, since they are just hop, hop, hopping along, invisibly.

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 24 Jan 2016 @ 5:52am

      Re: Hop To It

      As a fellow humanoid rabbit, I'm offended that you compare me to the NSA. Please stay put while I dispatch a Silent Killer Bunny squad.

      reply to this | link to this | view in chronology ]

  • icon
    Coyne Tibbets (profile), 23 Jan 2016 @ 1:01am

    That "one hop" relationship

    One, "So, do they have anything in common?"

    Two, "They both live on Earth, but otherwise...I don't see anything..."

    One, "But if they both live on Earth, that's one hop, right?"

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 23 Jan 2016 @ 1:51am

    FTNSA

    reply to this | link to this | view in chronology ]

  • icon
    Ben (profile), 23 Jan 2016 @ 2:58am

    One specific error in the quoted document

    A cookie is not by definition in any way a session identifier. A web page can use a cookie to store a session identifier, but you can use a cookie to store something as simple as a language preference (eg, "lang=en") and that is a cookie that in no way identifies a specific person, or their specific interaction with a web page (or site) in the way that a session cookie can.

    I hate this kind of fuzzy thinking and manipulation of our technology to make a political point in a report. Too many reports avoid using accurate enough language to be right, whilst giving reporters (who're generally not specialists) and therefore the readers of their reports an inaccurate understanding of a simple technology.

    Cookies are a Good Thing(TM) in general, that can be used to less-than-spotless purposes, but they are not by definition dangerous. Just like computers.

    reply to this | link to this | view in chronology ]

    • icon
      John Fenderson (profile), 23 Jan 2016 @ 8:08am

      Re: One specific error in the quoted document

      You are technically correct, but in practice cookies are nearly always used to store identifiers. As such, it's entirely reasonable to assume they are dangerous unless proven otherwise.

      reply to this | link to this | view in chronology ]

  • identicon
    Pixelation, 23 Jan 2016 @ 9:54pm

    Call me cynical

    Why do I think they are collecting all of the data they want and telling us they aren't?

    These days, only an idiot would believe anything coming from Washington or any agency employed by Washington.

    reply to this | link to this | view in chronology ]

    • icon
      That One Guy (profile), 24 Jan 2016 @ 2:26am

      Re: Call me cynical

      Does it still count as cynicism if it's gained from extensive experience? If someone is well known to lie, constantly, is it cynical to assume that they're going to continue lying, and are in fact most likely lying to you currently, or would that just be common sense?

      reply to this | link to this | view in chronology ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here



Subscribe to the Techdirt Daily newsletter




Comment Options:

  • Use markdown. Use plain text.
  • Remember name/email/url (set a cookie)

Close

Add A Reply

Have a Techdirt Account? Sign in now. Want one? Register here



Subscribe to the Techdirt Daily newsletter




Comment Options:

  • Use markdown. Use plain text.
  • Remember name/email/url (set a cookie)

Follow Techdirt
Insider Shop - Show Your Support!

Advertisement
Report this ad  |  Hide Techdirt ads
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Advertisement
Report this ad  |  Hide Techdirt ads
Recent Stories
Advertisement
Report this ad  |  Hide Techdirt ads

Close

Email This

This feature is only available to registered users. Register or sign in to use it.