This week, of course, the US government passed the USA Freedom Act, a modest step towards reform. As we've noted, it doesn't even touch on two of the more concerning surveillance authorities: Executive Order 12333 and Section 702 of the FISA Amendments Act, which includes the infamous "warrantless wiretapping" programs that allow the NSA to tap "upstream" fiber optic cables from AT&T and others to sniff all data traveling across those cables.
Pro Publica and the NY Times have teamed up to report on how the DOJ expanded the warrantless wiretapping regime to go after hackers. There's a lot to unpack in the story (which is well worth reading), but the short version is that, under pressure from the White House, NSA and others, officials appear to have deliberately blurred the lines between "crime" and "international terrorism" in order to get the DOJ to sign off on secret legal orders allowing the NSA and the FBI to use its "upstream" snooping capabilities to monitor certain "cybersecurity signatures" which include basically anything the feds want, to sniff out a hacker. From the revealed documents (which, yes, come from Ed Snowden's cache):
If you can't see that, the key line is:
The Certification will also for the first time spell out the authorization for targeting cyber signatures such as IP addresses, strings of computer code, and similar non-email or phone number-based selectors.
In short: the government said, "okay, you can now sniff that upstream firehose for hackers based on whatever 'code snippets' or 'IP addresses' we give you."
Of course, this raises some questions about the split between domestic law enforcement and international anti-terrorism/foreign intelligence work. Remember, the 702 upstream program is pretty specific in that it's only to be used for non-domestic, non-criminal work. But, according to the White House, those distinctions no longer matter:
“Reliance on legal authorities that make theoretical distinctions between armed attacks, terrorism and criminal activity may prove impractical,” the White House National Security Council wrote in a classified annex to a policy report in May 2009, which was included in the NSA’s internal files.
Yes, apparently, it's "impractical" for the surveillance state to actually follow the law.
The documents also reveal that they really wanted access to that sweet, sweet upstream firehose, because much more limited programs like PRISM (which involve court orders to certain internet companies) didn't provide enough coverage:
Then, to take things a step further, the government allowed the FBI direct access to the NSA's upstream collection, even though the FBI doesn't have the same limits against surveillance on Americans that the NSA has. Why? Basically, the argument appears to be "well, the NSA already has that data... so... let's give it to the FBI as well":
The documents do contain an interesting slide presentation about how and when certain capabilities can be used, including a slide dedicated to repeating the 4th Amendment, and another with a note saying that the "worst thing" the NSA can do is to use its signals intelligence capabilities "to collect against a [US Person] hacker" because doing so is "basically doing surveillance for [law enforcement] purpose without a warrant." So, at the very least, they understand the law, but it's not at all clear that they follow it:
And, in fact, later in that same presentation, the NSA's Threat Operations Center (NTOC) is noted as wanting more power to target "foreign hackers outside the US" without having to prove as much: "Because attribution is hard, just having to prove foreignness and an FI purpose is especially useful to NTOC."
According to the Pro Publica / NY Times report, the NSA sought more and more permission here, though it's not clear what has actually been granted:
In May and July 2012, according to an internal timeline, the Justice Department granted its secret approval for the searches of cybersignatures and Internet addresses. The Justice Department tied that authority to a pre-existing approval by the secret surveillance court permitting the government to use the program to monitor foreign governments.
That limit meant the NSA had to have some evidence for believing that the hackers were working for a specific foreign power. That rule, the NSA soon complained, left a “huge collection gap against cyberthreats to the nation” because it is often hard to know exactly who is behind an intrusion, according to an agency newsletter. Different computer intruders can use the same piece of malware, take steps to hide their location or pretend to be someone else.
So the NSA, in 2012, began pressing to go back to the surveillance court and seek permission to use the program explicitly for cybersecurity purposes. That way, it could monitor international communications for any “malicious cyberactivity,” even if it did not yet know who was behind the attack.
The newsletter described the further expansion as one of “highest priorities” of the NSA director, Gen. Keith B. Alexander.
Remember all of this when you see the government asking for new "cybersecurity" laws -- which all too frequently are ways of granting the NSA and/or FBI greater powers to do surveillance via these upstream collections. As The Intercept points out, during the big debates on cybersecurity over the last few years, the NSA has insisted that it doesn't have access to this kind of information, and almost every debate on the power of upstream collection by the NSA and others has been based on claims by the intelligence community that they only use unique identifiers like email addresses -- and not very, very broad identifiers like an IP address or "computer code."
There's a lot more in the full article and in the released documents, which you can see below.