US wiretapping information release

From Chris Parsons:

“Christopher Soghoian, a PhD Candidate at Indiana University, has released the information on US wiretap/pen register information along with documents received through FOIA that are inquiring into the costs that telecommunications carriers demand for the two aforementioned services. He also has full recordings of sessions from (the closed door) ISS World: Intelligence Support Systems for Lawful Interception, Criminal Investigations and Intelligence Gathering. An executive summary of his draft thoughts are below, followed by a link to the full piece he’s written. He has made available his recordings and the responses to his FOIA requests to the public at large, all accessible at the link below.

Executive Summary

Sprint Nextel provided law enforcement agencies with its customers’ (GPS) location information over 8 million times between September 2008 and October 2009. This massive disclosure of sensitive customer information was made possible due to the roll-out by Sprint of a new, special web portal for law enforcement officers.

The evidence documenting this surveillance program comes in the form of an audio recording of Sprint’s Manager of Electronic Surveillance, who described it during a panel discussion at awiretapping and interception industry conference, held in Washington DC in October of 2009.

It is unclear if Federal law enforcement agencies’ extensive collection of geolocation data should have been disclosed to Congress pursuant to a 1999 law that requires the publication of certain surveillance statistics — since the Department of Justice simply ignores the law, and has not provided the legally mandated reports to Congress since 2004.”

The Biggest Database in the World

James Bamford has a superb review of the new book by Matthew Aid about the US National Security Agency (NSA) in the New York Review of Books this month. What seems to be causing a stir around the intelligence research (and computing) community is the reference to a report by the MITRE corporation into a the information needs of the NSA in relation to new central NSA data repository being constructed in the deserts of Utah. The report, which is being rather speculative, says that IF the trend for increasing numbers of sensors collecting all kinds of information continues, then the kind of storage capacity required would be in the range of yottabytes by 2015 – as CrunchGear blog points out: there are “a thousand gigabytes in a terabyte, a thousand terabytes in a petabyte, a thousand petabytes in an exabyte, a thousand exabytes in a zettabyte, and a thousand zettabytes in a yottabyte. In other words, a yottabyte is 1,000,000,000,000,000GB.” However CrunchGear misses the ‘ifs’ in the report as some of the comments on the story point out. There is no doubt however, that the NSA will have some technical capabilities that are way beyond what the ordinary commercial market currently provides and it’s probably useless to speculate just how far beyond. Perhaps more important in any case, are the technologies and techniques required to sort such a huge amount of information into usable data and to create meaningful categories and profiles from it – that is where the cutting edge is. The size of storage units is not really even that interesting… The other interesting thing here is the hint of competition within US intelligence that never seems to stop: just a few months back, the FBI was revealed to have its Investigative Data Warehouse (IDW) plan. Data Warehouses or repositories seem to be the current fashion in intelligence: whilst the whole rest of the world moves more towards ‘cloud computing’ and more open systems, they collect it all and lock it down.

Canadian Internet Snooping Law

I’ve noted before that there seems to be a concerted push around the world by governments to introduce comprehensive new telecoms surveillance laws that force telecommunications and Internet Service Providers (ISPs) to record, store, and provide access to and/or share with state intelligence agencies, the traffic and/or communications data of their customers (in other words, users like us). What is noticeably here is that there is a particular logic that appears in the arguments of governments who are attempting to persuade their parliaments or people of the need for such laws. This logic that is firstly, circular and self-referential, in that it makes reference to the fact that other governments have passed such laws as if this in itself provides some compelling reason for the law to be passed in their own country. The second part of this is a king of competitive disadvantage arguments that flows from the first argument: if ‘we’ don’t have this law, then somehow we are falling behind in a never openly discussed intelligence-capability race that will hit national technological innovation too.

The media often seem oblivious to what seems obvious, and hence the story on the CTV news site today with reference to Canada’s currently proposed communications law that would allow the Canadian Security and Intelligence Service (CSIS) warrantless access to such the data from Internet and telecoms providers. They consider it to be ‘unexpected’ that the parliamentary Security Intelligence Review Committee has come out in support of the bill. Looking at the reasons why though, they are exactly what one would expect if one has been following the debates around the world and contain exactly the logics I have outlined. The story notes that the committee “points out that governments in the United States and Europe have already passed laws requiring co-operation between security agencies and online service providers” (without, incidentally, pointing out that these remain enormously controversial, or that other governments have abandoned some of their attempts) and later that “intelligence technology… requires continued access to new talent and innovative research.” However they won’t go into details as it is a “very sensitive matter.”

And absent from this debate as usual is the fact that this is not just a question of ‘national security’ if you set up these systems, you feed the US National Security Agency too. Canadian intelligence is still bound by agreements made after WW2, particularly the CANUSA agreement on Signals Intelligence (SIGINT), later incorporated into the UKUSA structure. And as we all know, right now, the USA does not always have the same strategic interests as Canada (the issue of arctic sovereignty is just one example). If this bill is passed, it’s a license for US spies, not just Canadian ones.

FBI data warehouse revealed by EFF

Tenacious FoI and ‘institutional discovery’ work both in and out of the US courts by the Electronic Frontier Foundation has resulted in the FBI releasing lots of information about its enormous dataveillance program, based around the Investigative Data Warehouse (IDW). 

The clear and comprehensible report is available from EFF here, but the basic messages are that:

  •  the FBI now has a data warehouse with over a billion unique documents or seven times as many as are contained in the Library of Congress;
  • it is using content management and datamining software to connect, cross-reference and analyse data from over fifty previously separate datasets included in the warehouse. These include, by the way, both the entire US-VISIT database, the No-Fly list and other controversial post-9/11 systems.
  • The IDW will be used for both link and pattern analysis using technology connected to the Foreign Terrorist Tracking Task Force (FTTTF) prgram, in other words Knowledge Disovery in Databases (KDD) software, which will through connecting people, groups and places, will generate entirely ‘new’ data and project links forward in time as predictions.

EFF conclude that datamining is the future for the IDW. This is true, but I would also say that it was the past and is the present too. Datamining is not new for the US intelligence services, indeed many of the techniques we now call datamining were developed by the National Security Agency (NSA). There would be no point in the FBI just warehousing vast numbers of documents without techniques for analysing and connecting them. KDD may well be more recent for the FBI and this phildickian ‘pre-crime’ is most certainly the future in more ways than one…

There is a lot that interests me here (and indeed, I am currently trying to write a piece about the socio-techncial history of these massive intelligence data analysis systems), but one issue is whether this complex operation will ‘work’ or whether it will throw up so many random and worthless ‘connections’ (the ‘six-degrees of Kevin Bacon’ syndrome) that it will actually slow-down or damage actual investigations into real criminal activities. That all depends on the architecture of the system, and that is something we know little about, although there are a few hints in the EFF report…

(thanks to Rosamunde van Brakel for the link)

Surveillance in the UK and the USA: commonalities and differences

In one of those fortuitous instances of synchronicity, there are two stories today that illustrate some of both the commonalities and the differences between state surveillance practices and regulation in the UK and the USA.

In the UK, The Guardian has revealed that the Surveillance Commissioner (a separate office to the Information Commissioner) has been very critical behind the scenes, as the Lords Committee was in public, of the uses to which the Regulation of Investigatory Powers Act (2000) (RIPA) has been put, not this time by local government, but by national ministries like the Department for Environment, Food and Rural Affairs (DEFRA) and agencies, including Ofcom (the broaadcast and communications regulator) and the Charities Commission. DEFRA came in for a particular telling-off over its spying on fishermen. The chief commissioner, Sir Christopher Rose found generalised lax practice, a lack of proper justification for and proportionality in the used of RIPA, and little training or accountability. In short, RIPA is being used because the powers exist not because there is any pressing justification to use surveillance in this manner – the used of surveillance has expanded because it is available.

It is very interesting that The Guardian had to discover all this through Freedom of Information Act (FOIA) requests, and that the Surveillance Commissioner had not put all of this in the public domain as a matter of course. It highlights for me, once again, the clear difference in attitude and regulatory practice between him and the open, accountable, and active Information Commissioner’s Office (ICO). It confirms my view that we would be much better off if the Surveillance Commissioner’s work was absorbed into the ICO.

In the USA, it is to lawyers that people immediately turn if some bad practice is suspected on behalf of the government. The Los Angeles Times reports that on Friday, the US government lost the case it had been bringing to try to stop an Islamic charity based in Oregon from suing them over what they claim were illegal wiretapping operations targeted at them. The case stems from the Bush administration’s attempts to bypass what were already very weak regulations governing the surveillance of American citizens which were introduced in the Foreign Intelligence Surveillance Act (1978) (FISA) and recently amended in the Protect America Act (2007). Requests are supposed to go to the Foreign Intelligence Surveillance Court (FISC) which meets in secret and does not have to publish its rulings and so far as we know, has never turned down a request – so it is somewhat mystifying except as a matter of speed and convenience that the Bush administration did bypass the court.

Now the Obama administration is (shamefully) defending the actions of his predecessor. This is not entirely surprising. Intelligence is one area of continuity between governments: it is what Peter Gill called the ‘secret state’, a core that remains constant regardless of changes of administration. Nixon and Bush were both stupid enough to get caught, but the NSA, CIA and FBI are continually looking for different ways to get around domestic regulations on surveillance. Political devices like the UKUSA agreement served this purpose for many years – whereby Canadian and British intelligence services would collect SIGINT on Americans and supply it to the NSA and vice-versa. But GCHQ and others just don’t have the capabilities to carry out the amount of monitoring that now goes on. It’s been the reality for many years now that the NSA in particular does spy on Americans. Again, they have the capabilities so those capabilities are used.

Of course, unlike in the UK, we are talking about the threat of terrorism not anglers catching one-too-many fish; that really does say something about the petty bureaucracy that characterises the UK! However RIPA was also justified originally with reference to terrorism and serious and organised crime. Anyway, the ruling in the Oregon case clearly states that state secrets privilege was not enough to justify warrantless surveillance of suspects, whatever they had allegedly done. It seems that at least is one point of hope that the USA and the UK have in common. Let’s see where these situations now lead in each country…