NSA meta data no help

from Greg
The Verge posted a story about NSA data collection programs producing no usable results according to the New America Foundation. I am no fan of the NSA meta data program. They have collected information on every phone call I have made since becoming a Verizon customer three years ago. You can have my meta data when you pry it from my cold dead iPhone.

Read the full story HERE

Read the report HERE

Get a PDF of the report HERE

from The Verge
Is NSA surveillance really necessary to defend against terrorist attacks? It's been a common claim by the agency's defenders as the programs come under scrutiny, but a report released today by the New America Foundation casts doubt on that logic. The report examines how NSA surveillance functioned in 225 counterterrorism cases since 9/11 and concludes that the agency wasn't as crucial as it would have you believe.

The report found that the NSA was responsible for 7.5 percent of counterterrorism investigations, and there was only one case out of the 225 that was initiated by NSA evidence. The case involved a cab driver named Basaaly Moalin who was convicted of sending money to Somalian terrorist groups. While successful, the case did not involve any direct threat of attack, and took more than two months between the initial tip and the eventual action by the FBI. Far more common were cases initiated by traditional tools like informants or suspicious-activity reports, which helped law enforcement focus their attention on particular targets. "The overall problem for US counterterrorism officials is not that they need vaster amounts of information from the bulk surveillance programs," the report says, "but that they don’t sufficiently understand or widely share the information they already possess."

from the New America Foundation
By PetervBergen, David Sterman, Emily Schneider, Bailey Cahall

January 13, 2014

On June 5, 2013, the Guardian broke the first story in what would become a flood of revelations regarding the extent and nature of the NSA’s surveillance programs.  Facing an uproar over the threat such programs posed to privacy, the Obama administration scrambled to defend them as legal and essential to U.S. national security and counterterrorism. Two weeks after the first leaks by former NSA contractor Edward Snowden were published, President Obama defended the NSA surveillance programs during a visit to Berlin, saying: “We know of at least 50 threats that have been averted because of this information not just in the United States, but, in some cases, threats here in Germany. So lives have been saved.”  Gen. Keith Alexander, the director of the NSA, testified before Congress that: “the information gathered from these programs provided the U.S. government with critical leads to help prevent over 50 potential terrorist events in more than 20 countries around the world.”  Rep. Mike Rogers (R-Mich.), chairman of the House Permanent Select Committee on Intelligence, said on the House floor in July that “54 times [the NSA programs] stopped and thwarted terrorist attacks both here and in Europe – saving real lives.”  

However, our review of the government’s claims about the role that NSA “bulk” surveillance of phone and email communications records has had in keeping the United States safe from terrorism shows that these claims are overblown and even misleading.  An in-depth analysis of 225 individuals recruited by al-Qaeda or a like-minded group or inspired by al-Qaeda’s ideology, and charged in the United States with an act of terrorism since 9/11, demonstrates that traditional investigative methods, such as the use of informants, tips from local communities, and targeted intelligence operations, provided the initial impetus for investigations in the majority of cases, while the contribution of NSA’s bulk surveillance programs to these cases was minimal. Indeed, the controversial bulk collection of American telephone metadata, which includes the telephone numbers that originate and receive calls, as well as the time and date of those calls but not their content, under Section 215 of the USA PATRIOT Act, appears to have played an identifiable role in initiating, at most, 1.8 percent of these cases. NSA programs involving the surveillance of non-U.S. persons outside of the United States under Section 702 of the FISA Amendments Act played a role in 4.4 percent of the terrorism cases we examined, and NSA surveillance under an unidentified authority played a role in 1.3 percent of the cases we examined. 

Regular FISA warrants not issued in connection with Section 215 or Section 702, which are the traditional means for investigating foreign persons, were used in at least 48 (21 percent) of the cases we looked at, although it’s unclear whether these warrants played an initiating role or were used at a later point in the investigation. (Click on the link to go to a database of all 225 individuals, complete with additional details about them and the government’s investigations of these cases: http://natsec.newamerica.net/nsa/analysis).

Surveillance of American phone metadata has had no discernible impact on preventing acts of terrorism and only the most marginal of impacts on preventing terrorist-related activity, such as fundraising for a terrorist group. Furthermore, our examination of the role of the database of U.S. citizens’ telephone metadata in the single plot the government uses to justify the importance of the program – that of Basaaly Moalin, a San Diego cabdriver who in 2007 and 2008 provided $8,500 to al-Shabaab, al-Qaeda’s affiliate in Somalia – calls into question the necessity of the Section 215 bulk collection program.  According to the government, the database of American phone metadata allows intelligence authorities to quickly circumvent the traditional burden of proof associated with criminal warrants, thus allowing them to “connect the dots” faster and prevent future 9/11-scale attacks. Yet in the Moalin case, after using the NSA’s phone database to link a number in Somalia to Moalin, the FBI waited two months to begin an investigation and wiretap his phone. Although it’s unclear why there was a delay between the NSA tip and the FBI wiretapping, court documents show there was a two-month period in which the FBI was not monitoring Moalin’s calls, despite official statements that the bureau had Moalin’s phone number and had identified him. ,  This undercuts the government’s theory that the database of Americans’ telephone metadata is necessary to expedite the investigative process, since it clearly didn’t expedite the process in the single case the government uses to extol its virtues. 

Additionally, a careful review of three of the key terrorism cases the government has cited to defend NSA bulk surveillance programs reveals that government officials have exaggerated the role of the NSA in the cases against David Coleman Headley and Najibullah Zazi, and the significance of the threat posed by a notional plot to bomb the New York Stock Exchange. 

Related articles

• Study Shows NSA Metadata Collection Doesn't Prevent Terrorist Attacks
• Nsa Snooping Fails to Prevent Terrorist Attacks, Watchdog Group Says
• New America Foundation Report: "Do NSA's Bulk Surveillance Programs Stop Terrorists?" Nope
• NSA Bulk Collection of Americans' Phone Data Had "No Discernible Impact" on Preventing Terrorism, Says New Study

Add to Cart View detail

Level 3 Communications, the NSA, and the end of the Physical-Digital Divide. What needs to be done?

The Level 3 Communications (NYSE: LVLT) blog recently published an article entitled "Say Goodbye to the Physical-Digital Divide." It's a light-hearted, upbeat corporate feel-good piece about how television shows are become Twitter-enabled. It's also a very disturbing piece when you realize that Level 3 is one of the Tier 1 backbone providers who has assisted the NSA in its collection efforts:

This is an exciting time!  Not only for Joe Consumer, who is being further enabled (and actively encouraged) to merge his offline and online behavior, blurring the lines of the physical-digital divide, but also for major content providers – many of whom we’re fortunate enough to call customers.  This is the new model of content consumption.  Always-on and always-available. Cross-media and cross-platform. 

Think about that from the standpoint of legal intercepts and data collection, and you'll see my point. We used to be vulnerable based upon what we read at the library, what we threw away in our trash, and what we wrote to our friends. Today, that has expanded exponentially and we've lost control of exactly how and where we are vulnerable to exposure.

Now consider that Level 3 is Google's upstream provider. Is that how the NSA was able to intercept the data traveling between Google's data centers? To be clear, Level 3 isn't doing anything illegal, nor is the NSA for that matter. And that's precisely the problem that needs addressing.

In less than 10 years, the physical - digital divide has disintegrated. In less time than it takes a human being to achieve mastery over a skill, technology has exponentially expanded how we interact with each other and, conversely, how we can harm each other.

Intelligence and law enforcement agencies, whose mission is to identify and intercept those who wish to cause us harm, have leveraged legal regimes like the Patriot Act, EO 12333, etc. to gain a foothold within the networks that are the primary supports (i.e., backbone) for our digital environment. The difference between what those out-dated laws still allow and what technology has made possible in the way of data collection and analysis is where our focus needs to be. In other words, the laws must be amended to catch up with how exposed we are in today's digital and physical world so that a better privacy:security balance can be restored.

Wasting time bashing the NSA and other intelligence services does more harm than good because it fails to address the real problem (out-dated authorities that need revising) in favor of lashing out at an easy and unpopular target - the NSA and its fellow agencies who diligently attempt to accomplish the very difficult tasks that we expect from them.

In an effort to help move this debate forward and clarify where reforms are needed, I've set aside two hours for a panel discussion at Suits and Spooks DC on how our parallel needs for security and privacy can be met through reform of the current laws authorizing data collection by the IC. It's not an easy panel to fill, so let me know if you have any suggestions for experts to participate on it. Dr. Catherine Lotrionte of Georgetown University will be the moderator. 

Add to Cart View detail

If Your Data Lives In Moscow, Are You At Risk In The U.S.?

Google's new data center - Finland

Even though I'm a U.S. citizen residing in the U.S., my Gmail messages, attached files, Google documents, and Google chat logs may reside in one of 17 different nation states, and may be accessed through differing legal standards in each. Those states are the U.S., Canada, Brazil, Germany, Switzerland, The Netherlands, Belgium, France, U.K., Ireland, Italy, Russian Federation, Japan, Peoples Republic of China, Malaysia, Austria, and Finland. If the foreign government of a state where Google does business issues an order for Google to provide information on parties of interest who represent a threat, have committed a crime, or whatever is required under that state's security laws, then Google is frequently obligated to comply. This also applies in states where Google has established a sales office but not a data center.

2008 Wayfaring map of Google data centers

Google provides partial information on the user data requests that it receives from governments here and information about its Transparency program can be found here. It's interesting that neither Russia nor China are on the user data list, but Hong Kong is (with 90 requests in the 2H 2010). That's probably due to the very low use of Google services by Russian and Chinese mainland citizens.

The question that's puzzling me is whether or not a U.S. citizen's data which is hosted on a foreign server can be accessed via a request from that state's security agency? And an even more basic question is shouldn't I as the owner of my own data know where in the world that data resides and have a say in the matter? Google's Privacy Policy specifies that your data may be moved around:

Google processes personal information on our servers in the United States of America and in other countries. In some cases, we process personal information outside your own country.

In a different twist on the same problem, Gordon Frazer of Microsoft U.K. was recently asked a very pointed question:

Can Microsoft guarantee that EU-stored data, held in EU based datacenters, will not leave the European Economic Area under any circumstances — even under a request by the Patriot Act?

Frazer's answer was "Microsoft cannot provide those guarantees. Neither can any other country." Most folks won't be affected by this layer of extended vulnerability, but for those individuals who are of interest to foreign states, including the U.S. government if you're from another country, it should serve as a warning to avoid cloud-based services as much as possible. Speaking personally, I've cut way back on my use of Gmail and I'm having second thoughts about my use of Google +. The same would apply to Microsoft, Amazon or any other cloud provider that refuses to guarantee that my personal data will stay in the same country that I live in.

UPDATE (9 AUG 11): Google acknowledges the same legal requirements that Microsoft did regarding its E.U. customers and its requirements under the U.S. Patriotic Act in this German article (Google Translate).

Add to Cart View detail