Comments

whoops January 30, 2024 7:58 AM

The problem is partly the legality of the NSA buying this. The real problem is that these data can be bought.

Or: if it is illegal for the NSA to buy these data, why should it be legal to (hoard and) sell it in the first place?

Yasodara January 30, 2024 8:32 AM

The data ecosystems need a reckoning. Too much data collected and negotiated creates space for fraud and hyper-surveillance. We need better technology to collect less data and delete it after use (along with laws regulating bureau suppliers).

Bob January 30, 2024 10:45 AM

This is almost certainly illegal, although the NSA maintains that it is legal until it’s told otherwise.

Qualified immunity in a nutshell.

Cops: “This specific, exact thing is legal for us until we’re told otherwise, regardless of how obviously illegal it might actually be.”

Courts: “This specific thing is illegal, but it’s okay this time because you didn’t know.”

Cops: “This specific, exact thing is legal for us on Mondays until we’re told otherwise, even though it’s generally illegal.”

Courts: “This specific thing is illegal on Mondays, but it’s okay this time because you didn’t know.”

Cops: “This specific, exact thing is legal for us on Tuesdays until we’re told otherwise, despite it being illegal in general and on Mondays.”

Courts: “This specific thing is also illegal on Tuesdays, but it’s okay this time because you didn’t know.”

We’ll eventually end up with some immunity doctrine or another that handwaves it away.

Bob January 30, 2024 10:48 AM

@Morley

Anything and everything is punishable. At the end of the day, every organization is composed of people with names and addresses.

It’s just unlikely you or anyone you care about has much of a life left after punishing the NSA. The question is whether the juice is worth the squeeze.

Steve January 30, 2024 11:22 AM

I think the links in the first para are backwards. The first one links to the letter, and the second links to the announcement.

lurker January 30, 2024 12:40 PM

Moultrie’s response for DoD is classic weasel words, repeated for effect:
“Our subordinates know the rules, and we trust them to obey.”

Classifying it as “Commercially Available Information” is a sneaky way of hand-washing. But we can’t accuse them of receiving stolen goods until we prove it was stolen. And they have bigger, meaner, uglier lawyers than we have.

Clive Robinson January 30, 2024 12:48 PM

@ Bruce, ALL,

Re : Permissus contra non permissus

“This is almost certainly illegal, although the NSA maintains that it is legal until it’s told otherwise.”

It is probably better that they try it on then get told “Not Permitted” than they ask and get given blanket permission.

Because legally a permission once legislated for is very hard to change to no longer permitted.

Thus “a bad” which was originally not seen can become seen and much more easily stopped by legislation that says “Not allowed”.

It’s one of my significant concerns with regards the likes of AI systems in all the various forms.

As of yet we have little or no idea of how bad AI is going to be as a mass psychological surveillance tool. My feeling based on some experience is bad, very very bad and,

“Beguile, befriend, bewitch, betray”

Will be the result en masse and we will significantly regret any “leges permissus” or “leges infirma” legislation that gets passed on AI in the near future.

But if Alphabet, Microsoft and others can push through legislation via lobbyists which is what they are clearly trying to do, then we will be stuck with “leges permissus” legislation of the very very bad, for a very long time.

Wicked Lad January 30, 2024 1:07 PM

This reminds me of the Lawfare Podcast for 27 Sep 2014, in which Dan Carlin was interviewed. Speaking about U.S. intelligence services he said,

Strict oversight is absolutely required in a free society, and not because those aren’t patriots doing an important job for us, but because they’ve proven in the past they’re not always led by people who are as concerned with our constitutional freedoms as they are with finding the easiest, best, and most productive way to do their job.

JonKnowsNothing January 30, 2024 1:18 PM

@ Bob, @Morley, ALL

re: Anything and everything is punishable. At the end of the day, every organization is composed of people with names and addresses.

There are some implied assumptions in “punishable” and that’s where things get sticky.

  • Meaningful punishment in my lifetime
  • Meaningful punishment by my POV
  • Meaningful punishment by other’s POV
  • Meaningful punishment for Long Term Change

For the most part the answers are NO.

Occasional schadenfreude happens like when James Clapper, Director of National Intelligence (August 5, 2010-January 20, 2017) made a gaffe when answering a public committee meeting question with an outright lie to the US Congress. iirc(badly) the Not Wittingly episode. (1)

There are however, tipping points where great changes occur. Those changes are generally catastrophic in scope. There are historical cases of punishment by death using various horrible methods, that happens to those on the wrong side of the question(s).

Within the last decades, a number of mass changes have taken place, plus some new ones or reignited ones, are in progress. During these types of Regime Change, many people pay permanently for being on the “wrong side” of the question(s).

Being on the wrong side of the question, does not mean that the person was incorrect in view point, it means only that the person with the guns or torture chambers dictate what the correct view is.

===

1)
https://en.wikipedia.org/wiki/James_Clapper

https://en.wikipedia.org/wiki/James_Clapper#Testimony_to_Congress_on_NSA_surveillance,_2013

  • On March 12, 2013, during a United States Senate Select Committee on Intelligence hearing, Senator Ron Wyden quoted NSA director Keith B. Alexander’s keynote speech at the 2012 DEF CON. Alexander had stated that “Our job is foreign intelligence” and that “those who would want to weave the story that we have millions or hundreds of millions of dossiers on people, is absolutely false…. From my perspective, this is absolute nonsense.”
  • Wyden then asked Clapper, “Does the NSA collect any type of data at all on millions or hundreds of millions of Americans?” He responded, “No, sir.” Wyden asked, “It does not?” and Clapper said, “Not wittingly. There are cases where they could inadvertently, perhaps, collect, but not wittingly.”
  • When Edward Snowden was asked during a January 26, 2014, television interview in Moscow on what the decisive moment was or what caused him to whistle-blow, he replied: “Sort of the breaking point was seeing the director of national intelligence, James Clapper, directly lie under oath to Congress. … Seeing that really meant for me there was no going back.”

Clive Robinson January 30, 2024 1:27 PM

@ lurker, Bruce, ALL,

With regards for the weasel quote of,

“Our subordinates know the rules, and we trust them to obey.”

If you remember some time ago our host @Bruce pointed out that people at work get “security training” but have “targets to meet” to keep their jobs etc.

Thus their priorities are not behaving in a secure way.

The same logic applies here.

As long as the incentives are skewed the wrong way by “no punishment” then they will just “give it two fingers and carry on”.

The solution would be sacking, loss of pension, imprisonment, with the punishment more draconian the further up the hierarchy a person who holds responsibility is.

The same by the way holds with all “guard labour” including those “mall wannabe types” who should not even be trusted with guarding the shopping carts…

JonKnowsNothing January 30, 2024 1:31 PM

@All

re: This is almost certainly illegal, although the NSA maintains that it is legal until it’s told otherwise.

fwiw: This is the same view as eSports gamer mod creators and users, that give any advantage to the player(s) using them against player(s) that are not using them.

It’s a variation of General vs Specific rules or laws.

iirc(badly)

  • US-UK laws are Common Law based and are General in applications.
  • Napoleonic Code laws used in France, Canada and US Louisiana are Specific in application

I am not sure about laws in China and China Territories as their laws tend to float between both types at the same time.

P/K January 30, 2024 1:37 PM

FISA only restricts the interception of cable-bound communications, which means that the NSA can still freely intercept wireless (radio/satellite) transmissions as long as they don’t intentionally spy on Americans.

Similarly, it’s legal for the NSA to acquire American communications data from other sources, like buying them from companies who collect them in various ways. It would only be illegal when such a company got those data from cable traffic, as the NSA is prohibited from letting other parties do what they may not do themselves.

JonKnowsNothing January 30, 2024 2:00 PM

@Clive, @lurker, All

re: The solution would be sacking loss of pension, imprisonment with the punishment more draconian the further up the hierarchy a person who holds responsibility is.

One popcorn set of events in the UK are the COVID Pandemic Inquiries going on in UK and Scotland. Especially the parts of WHO DECIDED which people had GOOD INNINGS and how they were chosen to become Excess Deaths.

(1)

  • Scottish government failed to record discussions during any of [Nicola Sturgeon] Sturgeon’s crucial “gold” meetings with a small handful of her advisers and senior ministers during 2020 and 2021.
  • Kate Forbes, then Scotland’s finance secretary, [was excluded] from those meetings throughout 2020. Forbes told the inquiry on Tuesday she did not know gold command existed until she was invited to join one of its meetings in 2021.
  • [John Swinney] former deputy first minister said he had deleted all his informal text messages relating to the pandemic because he had always been advised this was the “appropriate approach”.
  • The inquiry has previously established that Sturgeon and other senior civil servants likewise deleted their messages routinely.

In the popcorn hopper:

On the Horizon Post Office debacle over 25 years it’s still not clear if anything at all will happen other than giving back a medal.

I’m personally waiting to see if the Post Master Francis Duff gets his full compensation back (2)

  • 81-year-old former subpostmaster Francis Duff finally received £330,000 compensation for having lost everything during the scandal – only for the official receiver (part of the Department for Business) to immediately claw back £322,000 of it to cover bankruptcy and owed income tax. He couldn’t afford to heat his home last winter.

===

1)

https://www.theguardian.com/politics/2024/jan/30/no-minutes-kept-of-nicola-sturgeon-gold-command-meetings-covid-inquiry-told

2) https://www.schneier.com/blog/archives/2024/01/friday-squid-blogging-new-species-of-pygmy-squid-discovered.html/#comment-430803

https://www.theguardian.com/commentisfree/2024/jan/09/heroes-post-office-scandal-villains

lurker January 30, 2024 2:24 PM

Re: trusting subordinates

implicit is the notion of Command Responsibility. It seems hardly likely that any POTUS these days would put a sign on his desk saying “The Buck Stops Here”, and believe it. Those letters show the NSA Director and Under-Secretary of Defense certainly don’t.

Clive Robinson January 30, 2024 3:14 PM

@ JonKnowsNothing, ALL,

Re : Compensation is not.

“I’m personally waiting to see if the Post Master Francis Duff gets his full compensation back “

Whilst £330,000 might sound a lot, it’s really only a tiny fraction of what he and others have lost.

For instance some lost their homes and businesses, pensions and much else besides.

You could buy a house 30 years ago for 10-15 thousand, that is now worth easily over a million. A pension pot of just 10 thousand from back then would if topped up at the same rate be worth around a million as well. Include other losses like that of the income for a business and you would be looking at 10-15 times the compensation.

Under UK law he is entitled to recompense at full rate. What is scaring the Government and why they are being so draconianly abusive, is if they had to make full recompense.

The Post Office would go “tits up” and Fujitsu well even with a few billion just going spare they would feel the pain.

Justice is not for you and I in a “Might is Right” Kleptocracy that the UK is in effect. Those “self entitled” who have in effect embezzled, see it as their right, and that you do not have any rights. They will kill rather than surrender what they have stolen.

In the past Kings could have Barons “Broken”, this is not some kind of mealy mouth loss of reputation as it is today, but physical by being strapped to a cart wheel and finished by hammer on the unbroken joints. It kind of does not leave space for “self entitlement” to continue.

JonKnowsNothing January 30, 2024 4:53 PM

@Clive, All

re: Full Loss: house 30 years ago for 10-15 thousand, that is now worth easily over a million

A MSM article about a group of aging persons in UK who decided to pool their funds and build a custom complex sounded really nifty until they mentioned the price tags and the, ahem, unfortunate situation where people could not move in because they could not pay the needed upkeep fees. (1)

note: The pictures showed lots of stairs. No mention of assisted care or EOLife needs, but that maybe part of the community.

It is a sad aspect that the extent of the financial catastrophe, lasting decades, is not fully comprehended by the population.

  • End of WW2, the USA GI bill gave price support for buying a house. Houses in upscale neighborhoods cost 10,000 USD and the down payment was $100 (10%) sometimes less.

Half of Palo Alto, CA south of Page Mill Road, were such houses. Most of Sunnyvale, Santa Clara were the same. The great housing wealth of the Peninsula was from GIs buying homes. These are now the personal enclaves of the likes of Mark Zuckerberg who buys up the entire block because he cannot stand the neighbors.

None of this wealth “trickled down” to anyone.

That being noted, many banks and governments are including a “trickle up” profit sharing and future taxation expectations.

===

1)
HAIL Warning

https://www.theguardian.com/lifeandstyle/2024/jan/30/we-just-held-hands-and-jumped-how-one-of-britains-happiest-healthiest-communes-was-built

  • ‘We just held hands and jumped!’ How one of Britain’s happiest, healthiest communes was built
  • It took 13 years of dreaming, peril and hard graft before the first residents moved into Cannock Mill – an eco-village that tackles both the climate crisis and loneliness
  • In 2019, each [occupant] paid between £220,000, for a one-bedroom flat, and £630,000, for a three-bedroom house with a garage

Add ~£50k since then for inflation costs

Anonymous January 30, 2024 5:50 PM

A step in the right direction.
What would be cool would be a Privacy Policy that states:
1) what information is being stored?
2) who has access to it?
3) how can it be deleted?

vas pup January 30, 2024 6:59 PM

@Wicked Lad – thank you very much. Very good and informative input!

@Anonymous – in our pipe dream Your very reasonable suggestion is going to be implemented by legal requirements neither by Law (lobby in Congress of informational-industrial complex), nor by FTC – do not have current authority to punish for breach of privacy directly.

For FTC (towards private sector) ALL their privacy policies should be filed and stored in electronic form with FTC and this DB with free access with general public to evaluate how those policies match paradigm you suggested.

Time and again on this respected blog, policy addressing general public / user should be in PLAIN English with NO legalese no more than on 3-5 pages rather than currently where what allowed is on 10 pages then 90 pages with exceptions which basically negate privacy protection at all. All changes to Privacy Policy by private company should be filed and accessed in the same way – see above, so you may have current version not outdated.

@ALL – I have no idea what Common Law is saying, but Government could do ONLY what is allowed directly for particular structure either by Law or by other legal document available for general public meaning – no secret authorization at all, but CITIZEN can do anything if that is NOT directly prohibited/punished by Law.
See the difference? That is how it is working in not authoritarian regimes.

echo January 30, 2024 8:53 PM

@JonKnowsNothing

You’ve been corrected on this. Please STOP posting disinformation about Nicola Sturgeon. I hate repeating myself so am positively FUMING. Scottish policy in government communications was very clear (and different from UK government communications policy affecting ministers). Sturgeon copied all relevant messages to her office who in turn handed everything over to the inquiry. Nothing was lost. I even posted a link to her public statement on the matter. Clearly, you ignored it.

All of this is a distraction from UK Tory government outright deleting their messages with no retained copy, “forgetting” their passwords, or having phones mysteriously disappear, or failing to produce their messages as required by law by a public inquiry and who are now in contempt which is, drum roll, a criminal offence.

Also there’s an issue of emphasis. Katie Forbes was invited after previously being excluded. Also Katie Forbes is a bit of a problem. Her entry into politics was as an MP’s advisor. Her position was financed by a US religious group. Due to her political status and contacts she was able to acquire from that point she was fast tracked into being an MP. Her political position is on the religious conservative right. She is opposed to abortion and LGBT rights. She has also developed a reputation as an agitator which is why she is no longer a minister in the Scottish government.

As for the Post Office scandal it isn’t much different from the hemophiliac blood supply scandal. Both scandals went right to the top of government – the Prime Minister.

When asked years later Ken Clarke then minister for health denied knowing anything about it although this was a little wriggly. Oddly enough I just watched footage of Ken Clark speaking in the House of Lords. It turns out he initially voted in favour of the Rwanda bill. His only objection now is the government are trying to legislate executive control over the courts and facts. The point as I read it isn’t about protecting people’s constitutional rights but objecting to the lower house power relationship with the upper house. That boat actually sailed years ago as the house of Lords used to be the supreme court of the UK until Blair pulled a funny. Being in the EU meant the UK had to bring the “European Convention” into law. When Blair did this he created the supreme court which took over the role of the house of lords. Where the house of lords judgments would previously overrule a government supreme court judgments were only advisory. This is the other shoe dropping.

So if you’re going to comment on UK politics it helps if you know something about it and how it works AND get your facts right.

I might have to put in some last minute pre-election lobbying and know when I’m being spun a line by politicians who have absolutely no clue what they’re doing. I can see a potential European Court of Human Rights case coming a million miles away and, yes, unless something is DONE this is/will be a repeat run of the Post Office/hemophilia scandal (and there are other similar cases in the pipeline). I’m just not prepared to wait another 20 years before anyone does anything about it.

Wannabe techguy January 30, 2024 10:11 PM

Ok so here’s my ignorant question:
With all their collection apparatus, why would NSA need to buy data?
As for legality, that’s a joke right? Like they pay any attention to that.

JonKnowsNothing January 30, 2024 10:30 PM

@ Wannabe techguy

re: why would NSA need to buy data?

They (and others) buy the data for convenience. There are loads of 3rd party data brokers and warehouses from internet crawlers and there are also oodles of privately acquired data of identifiable persons from city agencies and ancillary support systems.

Consider License Plate Data

Some states will sell the data to Anyone but may not sell it directly to the NSA. So the NSA gets it directly or it gets it from the Anyone.

Some states not only sell the information about the LPN but also the DMV records for all the owners and previous owners and the disposition of all the cars they have owned with where those trade-in cars ended up.

  • In California there is a specific part of the DMV transfer document that is a release of current owner liability based on the odometer reading at the time of transfer. Some people forget to fill that out; later they get a big surprise.

Other entities collect LPN and sell the data to insurance companies and LEAs, like tow truck operations and the wild cat tow-n-repo folks. They have a LPN reader and an insurance lookup system in the truck and can see if what you are driving is on the pick up list.

A giant 6-handshake trace, they don’t even have to work out, it’s all ready to go.

P/K January 30, 2024 11:05 PM

Re: why would NSA need to buy data?

Because for their cyber defense mission they want to see as many traces of cyber attacks etc. as possible. And because NSA isn’t allowed to monitor all the cables inside the US, they get those data from other sources. Not much different from how cyber security companies operate.

ResearcherZero January 31, 2024 12:11 AM

@ALL

This is all too common:

“The documented issues include a search warrant filed with incorrect information, missing search warrants, and missing reports.”

Records also show DiPonzio failed to upload recordings and document interviews with key witnesses from the day of the murder.

https://www.abc15.com/news/local-news/investigations/cold-cases-to-convictions-the-impact-of-phoenix-detectives-mistakes

Potential cause of wrongful convictions and other miscarriages of justice across Australia.
https://theconversation.com/why-police-and-prosecutors-dont-always-disclose-evidence-in-criminal-trials-104317

The report calls for a culture of zero tolerance in the CPS and police forces of any failures to hand over relevant material.

https://www.theguardian.com/law/2018/nov/15/cps-and-police-routinely-failing-to-disclose-evidence

https://www.precinctreporter.com/report-reveals-systemic-police-and-prosecutorial-misconduct/

Nearly every prosecutor’s office reports that job applications have plummeted over the past few years.

https://slate.com/news-and-politics/2024/01/prosecutor-crisis-criminal-justice-reform.html

(If you have ever wondered why the murder of any friends and family remains unsolved.)

ResearcherZero January 31, 2024 1:28 AM

If the case gets up, Apple may have to open up iMessage [encrypted messaging] to Android users around the world…

https://www.abc.net.au/news/science/2024-01-30/beeper-mini-apple-android-messaging-wars-anti-trust-action/103384550

PyPush doesn’t work at the moment because Apple keeps blocking it. (Don’t share the config.json generated as this contains your keys)

https://jjtech.dev/reverse-engineering/imessage-explained/

ResearcherZero January 31, 2024 2:03 AM

For true end-to-end encryption, then you would need to use Signal, as it is open sourced.

Information about you is spewing around the internet and generating a lot of spy revenue.

SMS messages are inherently insecure. They leak sensitive metadata and place your data in the hands of telecommunications companies. Signal does not store the encryption keys needed to decrypt your messages on their servers, but iMessage (Apple) does. The Signal protocol also changes the temporary key after every message.

Apple has servers around the world that may be subject to disclosure orders, and there is also no way to check for backdoors.

https://www.wired.com/story/ditch-all-those-other-messaging-apps-heres-why-you-should-use-signal/

Perfect forward secrecy is useless, it’s important to note, if users don’t delete their messages periodically. If someone’s phone is seized or stolen with all their messages still intact, they’ll be just as visible to whoever has the phone in hand as they were to the original owner.

“That means if your phone gets stolen at time X, any message you send before time X should still be safe.” That assurance is lacking, Green notes, in Apple’s iMessage, another popular messaging app that uses end-to-end encryption but doesn’t offer perfect forward secrecy.

https://www.wired.com/story/signal-encryption-protocol-hacker-lexicon/
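The forward-secrecy property the comment describes, and its limit on a seized phone, as an added example that is not from the comment, from Signal or from Apple: a toy symmetric hash ratchet in Python. The HMAC labels, the shared secret and the four messages are constructed for the demonstration, and the construction is a deliberate simplification of the symmetric-key chain inside the Double Ratchet (no Diffie-Hellman ratchet, no authentication tag). It shows that a chain key leaked after message 3 lets the holder read message 4 but gives no path back to messages 1 to 3, while any plaintext still stored on the device is readable regardless.

```python
import hashlib
import hmac
from typing import List, Optional, Tuple

# Constructed domain-separation labels (assumptions, not Signal constants).
CHAIN_LABEL = b"\x02"
MSG_LABEL = b"\x01"

# Constructed sample conversation.
MESSAGES: List[bytes] = [b"meet at noon", b"bring the report", b"never mind", b"see you tomorrow"]


def kdf_step(chain_key: bytes) -> Tuple[bytes, bytes]:
    """One symmetric ratchet step: the next chain key and a one-time message key.
    HMAC-SHA256 is one-way, so the next chain key does not reveal the current one."""
    next_chain = hmac.new(chain_key, CHAIN_LABEL, hashlib.sha256).digest()
    msg_key = hmac.new(chain_key, MSG_LABEL, hashlib.sha256).digest()
    return next_chain, msg_key


def keystream(msg_key: bytes, length: int) -> bytes:
    """Expand a message key into a keystream (toy HMAC counter mode, unauthenticated)."""
    out = b""
    ctr = 0
    while len(out) < length:
        out += hmac.new(msg_key, ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Ratchet:
    """Sender side: state n is the chain key after n messages have been sent."""

    def __init__(self, root_key: bytes):
        self.chain_key = root_key
        self.counter = 0

    def encrypt(self, plaintext: bytes) -> Tuple[int, bytes]:
        self.chain_key, msg_key = kdf_step(self.chain_key)  # old chain key is overwritten
        self.counter += 1
        ciphertext = xor(plaintext, keystream(msg_key, len(plaintext)))
        return self.counter, ciphertext  # msg_key goes out of scope here and is never stored


def decrypt_from_state(chain_key: bytes, state: int, target: int, ciphertext: bytes) -> Optional[bytes]:
    """Given the chain key at `state`, derive the key for message `target` and decrypt.
    Works only for target > state: walking the chain backwards would need a SHA-256 preimage."""
    if target <= state:
        return None
    ck, msg_key = chain_key, b""
    for _ in range(target - state):
        ck, msg_key = kdf_step(ck)
    return xor(ciphertext, keystream(msg_key, len(ciphertext)))


def run_scenario() -> dict:
    root = hashlib.sha256(b"constructed shared secret").digest()
    sender = Ratchet(root)
    transcript = [sender.encrypt(m) for m in MESSAGES[:3]]
    leaked_chain_key = sender.chain_key          # state 3 is captured by an attacker here
    transcript.append(sender.encrypt(MESSAGES[3]))

    # The receiver, holding the root key (state 0), decrypts everything in order.
    received = [decrypt_from_state(root, 0, n, ct) for n, ct in transcript]

    # The attacker holds state 3: message 4 falls, messages 1-3 do not.
    attacker_future = decrypt_from_state(leaked_chain_key, 3, 4, transcript[3][1])
    attacker_past = [decrypt_from_state(leaked_chain_key, 3, n, ct) for n, ct in transcript[:3]]

    # The caveat from the comment: whatever plaintext the device still stores needs no key at all.
    retained_on_device = list(MESSAGES)

    return {
        "receiver_ok": received == MESSAGES,
        "attacker_future": attacker_future,
        "attacker_past": attacker_past,
        "seized_device_reads": retained_on_device,
    }


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(k, v)
```

The asymmetry in `decrypt_from_state` is the whole point: moving forward along the chain is one HMAC per message, moving backward is a preimage attack on SHA-256. The last field is the reminder that this protects only the keys; deleted messages are what protect the content.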

anon January 31, 2024 7:28 AM

@morely

Yes, but it will require the use the US Air Force to have any effect. I believe they’re the only service branch with nuclear weapons.

ResearcherZero January 31, 2024 9:09 AM

@Cyber Hodza

All those apps on your devices collect so much more useful information in an accessible and well categorised format, along with how many users are using each particular app at any given time. Provides for far more selectors and improved packet interception.

Importantly such information also provides insights into behaviour. Apps developed using certain SDKs provide precise location information, device identifiers, when devices are being actively used, and various device settings and states (via screen brightness and many such other values). Are you indoors or outdoors for example. Better targeting.
