WORTH READING NSA domestic wiretap over-collection

[David Farber <dave () farber net>]

Begin forwarded message:

From: "David P. Reed" <dpreed () reed com>
Date: April 16, 2009 8:26:55 AM EDT
To: dave () farber net
Cc: ip <ip () v2 listbox com>
Subject: Re: [IP] NSA domestic wiretap over-collection

In my personasl opinion, it is high time for the public to come to  
understand that the term "wiretap" is profoundly wrong as a  
description of the actual activities that the NSA and private  
contractors are carrying out.

If the public actually knew what was being covered by this euphemism -  
nothing less than massive, non-selective recording, analysis, and the  
like, with almost no distinction between foreign and domestic, they  
could ask simple questions like: who is held accountable for  
overreaching on the part of agencies involved.  They would find a  
technically ill-informed Congress, a manipulative classifiction  
system, and decisions being taken with regard to motives other than  
protecting citizens and citizen interests (e.g. protecting non-US  
investor interests).

Democratic governments do need excellent, accurate, actionable  
intelligence, but unlike totalitarian states governed by the few, we  
need such intelligence to be vetted both as to its sources and  
methods, and as to its accuracy and protection of citizens from those  
private entities the government hires (more and more by contract) to  
do the collection. What we clearly have today is collection without  
care, collection without protection from hidden agendas of the  
agencies involved.  It's easy to "overcollect" - and highly profitable  
for the vendors of networking equipment and services who are willing  
to make large amounts of money from overcollection of content, call  
records, location records, ...  it's much harder to *profit* from  
getting the intelligence *right* - which, by the way, is never part of  
the NSA's equipment and service procurement effort.

Merely collecting invites bad decisions, especially by political  
actors more interested in turning the knobs of executive power to  
reinforce their power positions, their budgets, and their immunity  
from criticism.


David Farber wrote:
> Begin forwarded message:
>
> From: Matt Blaze <mab () crypto com>
> Date: April 16, 2009 3:15:24 AM EDT
> To: David Farber <dave () farber net>
> Subject: NSA domestic wiretap over-collection
>
> For IP, if you'd like.
>
> Today's New York Times is reporting that the NSA has been
> over-collecting" purely domestic telephone and e-mail
> traffic as part of its warrentless wiretap program:
>  http://www.nytimes.com/2009/04/16/us/16nsa.html?hp=&pagewanted=all
>
> According to Eric Lichtblau and James Risen's article,
> part of the reason for the unauthorized domestic
> surveillance was technological:
>
> > Officials would not discuss details of the over-
> > collection problem because it involves classified
> > intelligence-gathering techniques. But the issue
> > appears focused in part on technical problems in
> > the N.S.A.'s inability at times to distinguish
> > between communications inside the United States and
> > those overseas as it uses its access to American
> > telecommunications companies' fiber-optic lines and
> > its own spy satellites to intercept millions of calls
> > and e-mails.
> >
> > One official said that led the agency to inadvertently
> > "target" groups of Americans and collect their domestic
> > communications without proper court authority. Officials
> > are still trying to determine how many violations may
> > have occurred.
>
> As disturbing as this is, the sad fact is that over-collection
> was readily predictable given the way the NSA apparently has
> been conducting some of the intercepts. According to court
> filings in the EFF's lawsuit against AT&T, the taps for
> international traffic are placed not, as we might expect, at
> the trans-oceanic cable landings that connect to the US. but
> rather inside switching centers that also handle purely domestic
> traffic.  Domestic calls are supposed to be excluded from the
> data stream sent to the government by specially configured
> network filtering devices supplied by the NSA.
>
> This is, to say the least, a precarious way to ensure that
> only international traffic is collected, and a curious design
> choice given the NSA's exclusively international mandate. My
> colleagues and I have been warning of the risks of this
> architecture for several years, perhaps most prominently in
> this IEEE Security and Privacy article:
>   http://www.crypto.com/papers/paa-ieee.pdf
> And I raised the point on a panel with former NSA official
> Bill Crowell at last year's RSA conference; as I blogged then:
>   http://www.crypto.com/blog/rsa_extravaganza/
>
> > There's a tendency to view warrantless wiretaps in strictly
> > legal or political terms and to assume that the interception
> > technology will correctly implement whatever the policy is
> > supposed to be. But the reality isn't so simple. I found myself
> > the sole techie on the RSA panel, so my role was largely to to
> > point out that this is as much an issue of engineering as it is
> > legal oversight. And while we don't know all the details about
> > how NSA's wiretaps are being carried out in the US, what we do
> > know suggests some disturbing architectural choices that make
> > the program especially vulnerable to over-collection and abuse.
> > In particular, assuming Mark Klein's AT&T documents are accurate,
> > the NSA infrastructure seems much farther inside the US telecom
> > infrastructure than would be appropriate for intercepting the
> > exclusively international traffic that the government says it
> > wants. The taps are apparently in domestic backbone switches
> > rather than, say, in cable heads that leave the country, where
> > international traffic is most concentrated (and segregated).
> > Compounding the inherent risks of this odd design is the fact
> > that the equipment that pans for nuggets of international
> > communication in the stream of (off-limits) domestic traffic is
> > apparently made up entirely of hardware provided and configured
> > by the government, rather than the carriers. It's essentially
> > equivalent to giving the NSA the keys to the phone company central
> > office and hoping that they figure out which wires are the right
> > ones to tap.
>
> Architecture matters. As Stanford Law professor Larry Lessig
> famously points out, in the electronic world "code is law". Arcane
> choices in how technologies are implemented can have at least as
> much influence as do congress and the courts. As this episode
> demonstrates, any meaningful public debate over surveillance
> policy must include acareful and critical examination of how,
> exactly, it's done.
>
> More at http://www.crypto.com/blog/nsa_overcollection
>
> -matt
>
>
>
>
>
>
> -------------------------------------------
> Archives: https://www.listbox.com/member/archive/247/=now
> RSS Feed: https://www.listbox.com/member/archive/rss/247/
> Powered by Listbox: http://www.listbox.com




-------------------------------------------
Archives: https://www.listbox.com/member/archive/247/=now
RSS Feed: https://www.listbox.com/member/archive/rss/247/
Powered by Listbox: http://www.listbox.com