How the NSA Eavesdrops on Americans

Two weeks ago, the Guardian published two new Snowden documents. These outline how the NSA's data-collection procedures allow it to collect lots of data on Americans, and how the FISA court fails to provide oversight over these procedures.

The documents are complicated, but I strongly recommend that people read both the Guardian analysis and the EFF analysis -- and possibly the USA Today story.

Frustratingly, this has not become a major news story. It isn't being widely reported in the media, and most people don't know about it. At this point, the only aspect of the Snowden story that is in the news is the personal story. The press seems to have had its fill of the far more important policy issues.

I don't know what there is that can be done about this, but it's how we all lose.

Posted on July 1, 2013 at 12:16 PM • 31 Comments

Comments

David Thomas • July 1, 2013 12:34 PM

At the very least, talk to your friends and family and coworkers and explain why this is a problem if they don't already get it!

Brandioch Conner • July 1, 2013 12:41 PM

From the USAToday story:

> Without "specific information" about whether the target is an American, and if the person's location is unknown, the target will be "presumed a non-U.S. citizen" and subject to surveillance, according to one of the documents.

So everyone is included UNLESS there is EXTRA effort made to exclude them.

Let's go with that idea for a bit. Why is there still any crime in the US? If you bust one guy for dealing drugs in a gang then wouldn't the government have all the information to identify and convict his criminal associates?

Kidnappings/missing children, shouldn't these all be solved within hours of being reported?

Steve • July 1, 2013 12:46 PM

"I don't know what there is that can be done about this, but it's how we all lose."

Yep, why the world can be said to be carried on the backs of the few. One factor appears to be a constant threat of death (see Israel) to have any sense of practical approach to security. Of course that which affects the whole nation, or more, will be a column on page 15.

Meanwhile what affected mostly one person, or family, will be front and center in the media. The country pulled together after 9/11 for a while. Without being constantly alert and willing to take action freedoms will be lost one way or another.

Shunra • July 1, 2013 12:50 PM

I've been stating the problem as: "bits don't have passports" - which mostly falls on deaf ears.

Or worse, falls on terrified ears, willing to sacrifice privacy, autonomy, and liberty for the pretense of safety (limited by the whim of the state, and requiring increasing "clearance" to maintain.)

HotJam • July 1, 2013 1:24 PM

You see, Dear Readers, it's the issue of patriotism that allows such atrocities...

Just convince people it's for the good of the fatherland and they can get away with murder.

I read Tim Weiner's book on the CIA (Legacy of Ashes) and it's a real eye-opener as to the policies (and the ineptness) of Murca. So this whole new deal is no surprise really!

Yurpeen • July 1, 2013 1:30 PM

> You see, Dear Readers, it's the issue of patriotism that allows such atrocities...

It's disgusting how you all don't give a shit about the privacy of non-Americans. It's all good if only foreigners are affected.

Bruce Schneier • July 1, 2013 1:34 PM

This "must be a 51% chance that the target is not American" is ripe for abuse. I remember reading that about 60% of all GMail users are not Americans. Given that fact, all of GMail can be monitored by the NSA.

name.withheld.for.obvious.reasons • July 1, 2013 1:47 PM

Has anyone recently looked at some of the certificate authorities lately? Has anyone noticed anything significantly different...what is EC384? Seems that SHA is being dropped, and official use only CAs have the new keys?

A date based diff of the database ought to indicate something (make sure to sort on issue and expire dates).

I'm just saying.

jggimi • July 1, 2013 2:01 PM

From the EFF analysis, highlight mine: "More appallingly, the NSA is allowed to hold onto communications solely because you use encryption. Whether the communication is domestic or foreign, the NSA will hang on to the encrypted message forever, or at least until it is decrypted. And then at least five more years."

All I can do is now quote Walt Kelly's Pogo: "We have met the enemy and he is us."

DW • July 1, 2013 3:29 PM

> Frustratingly, this has not become a major news story.

Mind you, in Europe it definitely has.

In the meantime, officials of the European Union demand clarification.
See here for an example.

I'm curious as to whether this is followed by the US news magazines.

Yes, at CNN

Dave • July 1, 2013 3:29 PM

"Frustratingly, this has not become a major news story."

I think the adverb you were looking for was "Predictably". Those who are trying to cover up what the NSA is doing figured out with Wikileaks that the way to prevent the contents of leaks from becoming a big deal was to make all the news about the leaker rather than what he leaked. And the large media organizations in the US have all pretty much declared that they cooperate with the White House rather than oppose it - for instance, the New York Times sat on important information about the Iraq War solely because the Bush administration asked them to.

David • July 1, 2013 4:05 PM

What frustrates me is the number of people who proclaim that they have nothing to hide, or that if the NSA wants to read about what they're having for dinner that it's ok with them. We've already slipped down the road of police state complacency.

wumpus • July 1, 2013 4:13 PM

"They were retained due to limitation on the NSA’s ability to filter communications."

I assume that as long as the agent in question is incapable of proving that this datum is safe they will retain it (standard procedure in all bureaucracies). I find it absurd that people think emailing/phoning in plaintext will keep their data out of data centers in Utah and Maryland. The NSA knows there is at least a desire if not the political will to turn off the spigot, and they aren't going to destroy the data they already have.

Are there any known cases of intelligence agencies giving up data?

Brian D. Buckley • July 1, 2013 6:04 PM

"I don't know what there is that can be done about this"

May I suggest Restore The Fourth, a nationwide protest movement that's demanding the restoration of our Fourth Amendment rights:
http://RestoreTheFourth.net

They're planning rallies this week in cities all across the country. I'll be at the one in Cleveland. Hope you can lend your support as well.

NobodySpecial • July 1, 2013 6:08 PM

@Brian D. Buckley - Just remember not to click on that link from your own computer if you're American

Sinders • July 1, 2013 6:16 PM

I think the problem is that internally many people think that since 9/11 this is the action of a government "protecting" the people, and externally people shrug and say "Well, what can you expect from a country that condones torture and uses drones to assassinate whoever it likes wherever it likes? They have not respected the rule of law for some time, let alone bothered about morals." This may be a trifle harsh and it ignores the (admittedly weak) controls in place, but it is what people think.

So either way, nobody is surprised.

altjira • July 1, 2013 7:28 PM

So few comments on this, on a forum composed of people who can easily recognize the significance; of the fundamental importance of this issue. Of course, most here have either known or assumed the capability for years, although I will admit I was shocked at just how deep it goes. We haven't been able to use this coverage to point out the reality of what we've been warning about for years.

We're doomed. Privacy is a sick old man on his deathbed. Social media have taught us complacency. We Americans are not calling their representatives in enough numbers to make a difference. It's up to the rest of the world. Stop using Facebook, Gmail, the cloud on any US servers. C'mon, you all knew it was happening! It's up to you to dump American companies. They're the only ones with the power to make anything change, and we can only do it by hitting their bottom line! Boycott the US internet.

This communication was posted by a US citizen and resident.

George • July 1, 2013 11:06 PM

It's the same reason so many people defend the TSA. They want to feel safe, and are willing to sacrifice their liberty and privacy to do it (whether or not it actually does keep them safe). The secrecy apparently makes the Security Theatre more credible. We're getting a police state because that's what we want.

JeffH • July 2, 2013 3:16 AM

I don't understand why the Guardian et al released these documents in a dripfeed approach. Time and time again we have seen that the media & the majority of the public have no tolerance for long drawn out technical stuff like this. They want the headlines - the attention grabbers.

I really don't think there's any conspiracy to keep this quiet per se - it's just not deemed newsworthy next to delicious gossip and other nonsense. It's more important to have pretty pictures of Snowden's girlfriend. I think the same can be said of the reactions of most 'people on the street' - it's a non-issue for them. They truly don't see a problem.

"Sure, they might be doing stuff, but it'll never affect me, right?"

TheDoctor • July 2, 2013 4:34 AM

As a European I have to ask:
What on earth makes the American people so ignorant that they, even now, think "as long as only those aliens (aka the rest of the world including faithful allies for over 60 years) are tapped, everything is ok"?

If a secret service realizes that recording EVERYTHING is within reach, why should they stop half way? This would only open up a giant blind spot, if you are thinking in such a mindset.

And as you can see, the old proverb "Do as you would be done by" is still true.

Everything illegal (if done to your people) that your government trains on foreign people it will sooner or later do to you.

Clive Robinson • July 2, 2013 4:59 AM

@ JeffH,

> I don't understand why the Guardian et al released these documents in a dripfeed approach.

I can think of several reasons, the first being information overload on the readers, a second being giving sufficient detail for the information provided to be understandable by readers and therefore credible.

Another aspect is the difference between news reporting style and national audience as perceived by reporting organisation editors and proprietors. It's no secret that the Murdoch empire has usually been reporting salacious gossip and "NipSlip" / "Wardrobe Malfunction" rather than in-depth analysis; it was in effect the "House Style". However, not all newspapers are limited by such viewpoints; during the "cash for questions" and "dodgy expenses" of UK politicians and ministers the slow release method of "Death by a Thousand Cuts" proved most effective against politicians and got them not just squirming but in some cases imprisoned. If this is suitable or not for an average American audience I cannot say.

Then there is the fallout from WikiLeaks: too much information was released too quickly and it's been argued that this endangered the lives of US citizens and those of their allies along with damage to "methods and sources". From what has been said it appears that Edward Snowden is being very cautious to stop this happening with the (supposed) large quantity of information in his possession.

Further it's being reported that Mr Snowden also appears to be using the threat of full disclosure as a protection mechanism,

http://www.thedailybeast.com/articles/2013/06/25/...

Which is one of those brinkmanship games in that he has to release sufficient collateral information to convince the US Gov he has some significantly harmful material to make it preferable for them if he stays both alive and out of their hands.

Scott "SFITCS" Ferguson • July 2, 2013 7:42 AM

@JeffH

> I don't understand why the Guardian et al released these documents in a dripfeed approach. Time and time again we have seen that the media & the majority of the public have no tolerance for long drawn out technical stuff like this. They want the headlines - the attention grabbers.

Give the people something to consume but leave them wanting. The papers are businesses looking for future sales as well as current (the revenue is advertising, its pricing based on previous readerships).
What's published today is old news tomorrow and forgotten next week ('cause they don't wrap chips or line bird cages with newspaper anymore).
If the papers release everything they have now, then next they'll only have the propaganda about cyberwars to publish.
So maintaining a salivating readership, and the Snowden release rate are factors, it may also be a negotiating position for a company that is tiny compared to News Corp (who have enormous sway over governments). Unless Wikileaks has access to the same material as Snowden we have no way of knowing what isn't being published, and it's possible he doesn't have many choices about papers he can negotiate with[*1].
A pragmatic business decision may also be to carefully scrutinise the material before releasing to avoid extreme, um, censure[*2] (I doubt the US believe they can stop the leaks, just mitigate the effect - which they are doing successfully).

Another thing that might factor into the decision is that the US interests being hurt by the leaks are committed to controlling the uncontrolled information dissemination via the internet - something that increasingly threatens the traditional media business. (So Snowden and Wikileaks are subject publishing decisions are made carefully, cyberwar/trolling/cybercrime/internet porn and copyright FUD - not so much).

[*1] I suspect that no US paper would touch the story unless a UK paper did first. Wired doesn't count, and Snowden would know better than to go near them (he's probably got copies of Lamo's pay stubs and unsolicited applications to be a special agent). Snowden needs US coverage. Al Jazeera would publish, but the people he wants to see the material think it's a terrorist media outlet. I suspect he wouldn't trust Der Spiegel - ditto US television.
[*2]The idea that any media outlet has nothing to fear from government is foolish.

Disclaimer: To those who claim my support of Assange and Snowden traitorous, I am not a US citizen. My allegiance is to my country - where's yours?

Jan Goyvaerts • July 2, 2013 9:37 AM

The role of the English in this affair hasn't been much covered either. According to the media GCHQ is tapping the wires to record the *full* traffic. And pass that to the NSA. I mean, what's wrong with them??? Why would they eavesdrop on their allies and pass the info to a foreign government? Last time I checked the English are still part of EU. Unfortunately, this is also very telling about the level of the EU security services. Didn't they notice? At all?

Personally I wouldn't mind to be spied upon IF this was all done in agreement with the authorities of my own government. Even if it was done secretly. Because we (me and my compatriots) voted for them. We're responsible for what happens with those votes. If we vote continually for morons we shouldn't be surprised in the end to find ourselves in dire straits. Unfortunately some of us consider voting an annoyance. And it shows.

Also, some might argue it's ridiculous for Mr Snowden to apply for political asylum. Well, I wouldn't think so when looking to the efforts the US government is making to catch him. I wouldn't bet much on his safety when they'll finally get to him. Would you?

NobodySpecial • July 2, 2013 10:08 AM

@Jan Goyvaerts - perhaps De Gaulle was right and the presence of Britain in the EU is simply to act as America's stooge.

It must be particularly galling for British companies like BAe and Rolls-Royce to know that their own government spies on them, hands the data over to the US government who presumably hands it straight to their competitors. Bizarrely it would be safer for a British defence company to be spied on by the Russians than their own government!

Jack • July 2, 2013 10:51 AM

There is a "this can't happen here" kind of mindset among Americans. And, there is a "I won't be a conspiracy nut" kind of mindset.

As a lot of supporters of these programs are Democrat, who are supposedly "liberal", you also have to figure in, "I can trust my Party". It doesn't matter that Obama did not actually withdraw the troops or really change anything. He is good looking, his wife is good looking, they are a minority. No more drawling cowboy.

America fought the Nazis. Black and white, good and evil. America won the Cold War against the atheist, Stalinist Communists. Black and white, good and evil. Never mind Iraq had nothing to do with 911 and that Iraq did not have any WMD. None of that matters, nor did it ever, except as bullet points to get another appearance in the White House. Something less obviously evil than what the world saw Bush as.

We have rock music, cool jeans, fast food, amazing technology, great movies and shows. We are extremely diverse.

It. Can. Not. Happen. Here.

Tice gave some scary observations about surveilling politicians. But, even he did not have the capacity to prove anyone was actually using that data to blackmail anyone. To control politicians.

The American public has never seen that in action. It was not even in the Eastwood Hoover movie.

It has not been in any movie or show. There has not been any depiction of this kind of "behind the scenes wrangling" in any major fictional depiction where the power of secret surveillance is shown.

So... they can understand the evil of Hitler, or other gross evils nowadays. They understand "racism" is bad. They understand a lot of evils and condemn them. They condemn rape. They condemn coverup of rape (if it is exposed to a global audience). But, these sorts of evils, like what Hoover worked, what the Stasi did, what the KGB did, what the Nazis did -- they do not get any of that.

Only arcane researchers who have studied surveillance get these sorts of things.

These matters of shadow intrigue really aren't even covered in the plethora of apocalyptic movies that have come out over the past few decades.

What America - and the world - needs then is a script. A show. To explain this sort of evil.


Captain Obvious • July 2, 2013 11:56 AM

@Jack

Not so black and white when our current administration was elected by atheist communists.

The American media and surprisingly over half its voting populace still worship Obama and are willing to overlook anything he and his do or don't do. They could open up gas chambers for the tea party and it wouldn't get more than a day's mention.

Milo M. • July 2, 2013 3:55 PM

I share the frustration with the lack of coverage in traditional media. And agree with other commenters that it's not surprising, in that money -- ratings, readers, web site hits -- drives most of their editorial decisions. If there is a Murrow or Cronkite out there, they are on the air at a time when their main competition is Ron Popeil.

I wrote to one of our Senators, one of the nominal overseers, two weeks ago. A week ago that Senator's staff replied that all was well, but we're glad to hear from you. Basic citizenship requires crafting a more detailed reply, even knowing that it's just shoveling sand against the tide.

On a brighter note, I've been using Duckduckgo in lieu of Google for the past 3 months, ever since Bruce's post on 22 March:

http://www.schneier.com/blog/archives/2013/03/...

Yesterday the Technology section of the Washington Post carried a story claiming that Duckduckgo had seen a big increase in traffic in the past few weeks, driven in part by the NSA story:

http://www.washingtonpost.com/business/...

Usage chart:

https://duckduckgo.com/traffic.html

Really a drop in the bucket, but a journey of a thousand miles begins with a single step and all that.


bob • July 2, 2013 8:15 PM

Is it fair to bring up the prisoners at Guantanamo? My understanding is that there are a number of prisoners who are cleared to go but haven't. If you have innocent people being punished for who they communicate with and are left with no recourse but to starve themselves, isn't that a real example of why surveillance is dangerous? Isn't this a concrete example where we can say that the risk of one of these people becoming a terrorist is not greater than the risk of subverting the legal process? And yet it seems to me that it gets far less attention than this. Is there really a discrepancy? Because if even privacy advocates aren't fighting for them, why would any average person do anything about either issue?

Brent Ashley • July 3, 2013 9:38 AM

Take note that these 'limitations' of keeping records for 5 years, etc, are what they will do if they _actually follow_ the until-recently-secret rules. What track record do they have of following ANY rules that don't suit them?

name.withheld.for.obvious.reasons • July 5, 2013 6:30 AM

Title:
How many Citizens does it Take to Screw in a Republic

Subtitle:
"I don't know how you got a law degree, but I am sure there is a child crying about the missing box top of her favorite cereal--Fruit Loops"

Part I of III

The failure of law, the political class, and the people that surround it. My arguments are a direct answer to all the

Surveillance, more specifically acts carried out by officials--with force--on persons, without proper legal standing, is an illegal act. It includes the act of coercion, violation(s) of civil liberties, and unlawful use of legal instruments. There is no single entity, except the U.S. government, that wields the authority to compel others (this is not an act of free will) to produce almost any kind of information about a person. Neither insurance companies nor the so-called "Credit Reporting Agencies" have the type of power (and I am not going to mention the IRS stripping people of their 6th amendment rights) that can match the United States government--and they have guns.[1]

Seizing papers and effects without warrant such as pen register data (akin to a postal letter), but according to recently disclosed information held by the United States government, the wholesale collection of data, documents, and personal correspondence which exists without a "reasonable expectation of privacy" and therefore afforded no protection(s). To make the problem more apparent I will use a "fictional" environment that shares almost all aspects of the legal treatise.

Let's return to the 19th century before the advent of advanced computing systems or BIG DATA...it's shortly after the Civil War and the death of President Lincoln.

As a nefarious agent of the chaos calculus club, in Greensboro Kentucky, we trade formulas and equations that balance non-euclidean trees of large primes expressed as tensors along a Riemann manifold resulting in an extremely complex thesis about tracking wheat harvesting trends (we're ahead of our time). Opening our new company "Numbers and Such" we sell our newly designed ring-finger sized encoder for a $2 gold coin. We located our new facility for manufacturing to Kentucky because of the tax breaks we could get from the state and county governments.


We have customers but we don't ask questions

Confederacy agents and spies still roam the land. The U.S. government is concerned that these forces will bring down the government. Congress convenes an emergency session and in two days has a bill for President Grant to sign and approve. It is what is now, as you all know, the infamous "Citizens And Patriots, Act for Suppressing Sedition" or CAPASS. With CAPASS, the postal service must now track all postal mail and packages both domestically and internationally. This also applies to Wells Fargo, and a number of independent cross country wagon and livery companies; pony express will not survive the legislative favoritism. For the most part the pressure to comply with the new CAPASS rules causes the small regional livery companies to go bankrupt.

The new law requires three actions:

  1.) acquiring the actual point of origination (where the package came from), verify that address,
  2.) determine why it is being sent (the subject) and,
  3.) the destination must be recorded at the central postal mail tracking and horse shoe facility under the National Secrecy Act of 1847

All parcels are to be delivered to Maryland for proper and secure processing of the parcels under the lawful orders from the President and approved by a Kangaroo. The National Special Abacus group to tally and record all the postal mail numbers and counts of variables of various kinds.

Postal service is seriously impacted, in some areas where it might take a week, maybe two, to get a letter from Ft. Lauderdale to Connecticut. It is now taking up to thirty days to deliver mail; all the records need to be captured first before the mail can proceed to its destination. The postal service now claims it has had to grow its workforce by 300% to record the data on the envelopes and manage the additional routing required to get them to the processing centers. Postal processing centers cannot be used, mail record copying as it is a classified activity and must be segregated from the normal postal process.

Given that this program wasn't making much headway, by the time the records from all the secret processing centers had been collated the data was three months old. Sometimes it may take a year to map one address to another. Some at the National Security Abacus have been talking to this guy Von Newman, they may have an answer but the contractor Pratt and Whitney, says it will be very expensive.

At the state of the union address, President Grant implores congress to pass the "Hey, Let's Put All the Data about All the People, All the Time--IN ONE PLACE" Act.


Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.