Schneier on Security
A blog covering security and security technology.
« I've Joined the EFF Board |
| Security Analysis of Children »
July 2, 2013
NSA E-Mail Eavesdropping
More Snowden documents analyzed by the Guardian -- two articles -- discuss how the NSA collected e-mails and data on Internet activity of both Americans and foreigners. The program might have ended in 2011, or it might have continued under a different name. This is the program that resulted in that bizarre tale of Bush officials confronting then-Attorney General John Ashcroft in his hospital room; the New York Times story discusses that. What's interesting is that the NSA collected this data under one legal pretense. When that justification evaporated, they searched around until they found another pretense.
This story is being picked up a bit more than the previous story, but it's obvious that the press is fatiguing of this whole thing. Without the Ashcroft human interest bit, it would be just another story of the NSA eavesdropping on Americans -- and that's lasts week's news.
Posted on July 2, 2013 at 6:49 AM
• 12 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
Put this in contract with Ashcroft's pro-Patriot Act stance and the circumstances of his resignation and I get more questions than answers.
What I find remarkable was the ex-FISA court chief justice defending her behavior, and mentioning that the key secret ruling back in 2004 was kept secret from the rest of the secret FISA court!.
If your secret ruling has to be secret from the rest of your secret court, you're secretly betraying the constitution. And there is no surprise in people finding this, well, remarkable.
Here's another article making an issue of encryption as a growing means to thwart eavesdropping, snooping. http://www.bloomberg.com/news/2013-07-02/...
It has a tone conveyed by the writer that it's some big new trend, but it's not - 15 cases out of 3,395? Why would the reader follow the writer's inference? It doesn't make any sense. In fact, if you enter "encryption" into Google Trends it is on a long slow decline with nothing special visible. And try variations on the term. The article is probably old and moldy, was dredged up from archives and polished a little to make it sound like new and investigative. That happens a LOT in journalism.
Encryption is a pain in the ass. It's difficult to implement well and even harder to know whether you did or did not implement it well.
When someone asks about, say, privacy in the cloud, the response is often "Oh, just encrypt", but that's from someone who just wants to protect their stuff and the key is probably derived from a passphrase they THINK is strong.
The drum beats can be heard now and they're not going to go away. Designed weaknesses in implementation are going to become widespread and even the cocky commenter on Bloomberg who thinks he's ahead of the game when he types in his passphrase to the encryption app will be living in a fool's paradise.
Re: press fatigue... now that you're on the Board of Directors of the EFF, I'm really hoping that the EFF will be leading the fight on this. Has the EFF tried contacting any members of Congress directly? People like Sen Ron Wyden, and Reps Thomas Massie & Justin Amash, for example, are very much against this unwarranted surveillance of citizens.
You're the new press. At least for the smaller subset of people who are engaged, think deeply and care about these issues.
Keep on, and keep promoting those who get it.
Thanks for linking to that Post article... a couple of revealing things about the FISA court:
1) "Under orders from the president, none of the court’s other 10 members could be told about the Internet metadata program. . ."
So, the President has authority to set regulations/restrictions that bind the FISA Ct. judges!?
2) Judge Colleen Kollar-Kotelly is quoted as saying:
“I participated in a process of adjudication, not ‘coordination’ with the executive branch. The discussions I had with executive branch officials were in most respects typical of how I and other district court judges entertain applications for criminal wiretaps under Title III, where issues are discussed ex parte.”
It's like an adjudication, except there isn't a party appearing before the court that represents the rights of the public, the citizens.
3) "The agency was not properly walling off information gained in warrantless surveillance and may have been using the information to obtain court warrants, which was forbidden."
From the 2009 Exhibit B minimization procedures leaked by Snowden, this issue wasn't fixed at all.
Any storage media that contains acquired information (e.g., warrantlessly collected content and/or metadata) can be "processed," defined to mean "any step necessary to convert a communication into an intelligible form intended for human inspection."
So there isn't any "wall" separating people from content. It all gets processed, and then presumably some of the content sets off flags, and there are humans who then review the content that was flagged, and then pass off the unminimized content to the FBI.
Perhaps there is another definition of "surveillance" being used by the judge... the word parsing games being played are amazing.
@ Chris W.--
Totally agree. In fact, it's even less of a problem than you said. From the article:
"State and federal judges authorized 3,395 wiretaps in 2012 and encryption was encountered in 15 of those cases, according to a June 28 report by the Administrative Office of the U.S. Courts. In four instances, police couldn’t decipher the plain text of messages, something they hadn’t previously encountered, according to the report."
In a whopping .1178% of wiretap cases, LE couldn't decipher the plaintext. This is clearly an ENORMOUS problem. We need to ban encryption now.
To be fair, it is a huge increase if they hadn't experienced the inability to decipher messages ever before. The alarms still seem a bit premature though.
So, how much are these news stories going to change the laws or structures of surveillance?
Keep surveilling the press and they will care about it maybe.
Has anyone noticed the certifcate authorities with expiry dates that coincide with the declassification dates on the leaked documents. Must be when the 114 Mormons are taken up to space
One trillion records. They are recording all email.
Is that all email? That is definitely a lot of email. I wonder how much this costs?
None of this is even remotely legal. We are not in the Middle
Ages anymore, we are not under Caeser.
How much does it cost to do this? How can this even be remotely tied into "terrorism"?
How can anyone celebrate "one trillion emails", in good conscience, or say, in good conscience,
that this sort of behavior is acceptable, legal, ethical? These are things we have not seen
in the worst of totalitarian countries. The Gestapo never had this kind of surveillance power,
the KGB never could do this.
How are these guys in the US Government justifying this? They claim to be anti-Communist,
anti-totalitarian and celebrate making the US Government totalitarian?
Are there any readers who would like to explain or apologize for this?
So, the story is the US Federal Government has been breaking laws at a really rampant pace.
Snowden is a "rat", and "ratted" them out. How do these guys continue pursuing suspects when
their own people are breaking all of these laws? How do you stomach putting people in jail,
when your own people have broken more laws then the criminals you are pursuing?
Let's get honest... do they argue, "God put them in power and authority, so they must be
right"? Have there ever been corrupt cops or people in power and authority that are corrupt?
What about leaders of gangs and organized crime? What about Stalin, Hitler?
Continuing in that honesty... does anyone seriously want to argue even in their own hearts
that this sort of spying is being used "just for terrorism"? So, nobody in power behind
all of this is spying on their political rivals or adversaries? They are not using this
information to control corporations, or to pay corporations?
Is any of this going to be prosecuted? Do the laws even matter anymore, or it is all about
who has more guns and more people?
One criminal arrests another criminal and throws them in jail. More like who is the stronger
kidnapper then justice anymore.
Obama rattles off, preening in his power, "I won't fuel up the jets for some 29 year old
hacker", while France and Germany refuse to even allow the Bolivian President to fly in
their airspace - just in case - Snowden is onboard.
Snowden rocks. He is a rock star. I hope the mafia posing as the US Government does not
It isn't just the USA capturing email headers. The EU has a law that requires ISPs working inside the EU to provide email headers to law enforcement. To, From, Date, Subject were definitely included - there may have been other fields too - don't recall.
Don't know the specific law any more, just that I worked on deploying a system that did exactly that and sent the most commonly used headers to servers in France daily. Didn't write the software, so don't know if, or how, they limited the captured data to just EU email.
This system was physically located inside the USA.
Everyone is spying on everyone, then sharing data. Publicly, EU countries have to act outraged, but they want the data about their people too. If it comes from outside sources, is that against local laws? Perhaps not.
how does one protect the email header info when using online mail service?
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.