The NSA’s Ongoing Efforts to Hide Its Lawbreaking
Every quarter, the National Security Agency generates a report on its own lawbreaking and policy violations. The reports are classified and sent to the President’s Intelligence Oversight Board. It’s unclear what happens once they get there.
Those reports are now online dating back to late 2001.
The NSA has posted redacted versions of the documents to its website. “These materials show, over a sustained period of time, the depth and rigor of NSA’s commitment to compliance,” the agency’s self-congratulatory introduction declares. “By emphasizing accountability across all levels of the enterprise, and transparently reporting errors and violations to outside oversight authorities, NSA protects privacy and civil liberties while safeguarding the nation and our allies.”
These NSA characterizations are not credible.
Even the uninformed observer will be suspicious of the spy agency’s account upon learning that far from voluntarily releasing redacted versions of these documents, it was forced to do so by Freedom of Information Act requests filed by the ACLU. The NSA fought to continue suppressing these documents from the public, even though the redacted versions in no way harm U.S. national security.
A court ordered the documents released.
The next clue that the NSA does not, in fact, believe these documents reflect favorably upon its performance is the timing of the release. They chose to make the reports public on Christmas Eve, knowing that this would minimize news coverage.
As one might expect of reports that the NSA fought to suppress and attempted to release with minimal attention from the press, the newly released documents are less an illustration of “the depth and rigor of NSA’s commitment to compliance” than the fact that the NSA has, by its own admission, broken the law in every period covered. And these are just violations they self-reported. The NSA construes its mandate so broadly that it doesn’t regard logging every number I dial on my phone to be an instance of spying on a U.S. citizen. It continues to regard most of what Edward Snowden revealed to be perfectly legal and appropriate. Yet even with that expansive understanding of its powers, the NSA has not managed to stay within the laws and rules set for itself.
Its ongoing operations proceed with the expectation that laws will be broken every quarter, and that this is acceptable so long as the violations are logged and reported. It would be as if a journalist assured readers of the depth of his commitment to truth-telling by pointing to a backward-looking log documenting fabricated stories he wrote in every four-month period going back to 2001.
The NSA will demonstrate a commitment to lawfulness when it ceases to break laws.
The NSA’s supposed emphasis on “accountability” falls apart rather quickly when one realizes what happens when its employees are caught breaking a law. Take a female analyst mentioned in a 2012 report. It explains that for two or three years, “she had searched her spouse’s personal telephone directory without his knowledge to obtain names and telephone numbers for targeting.” The report adds that “although the investigation is ongoing, the analyst has been advised to cease her activities.” As Kevin Drum writes, “She was caught using NSA surveillance facilities to spy on her husband and was merely told to cease her activities? Wouldn’t it be more appropriate to, say, fire her instantly and bar her from possessing any kind of security clearance ever again in her life? What am I missing here?”
Perhaps she knew too much to be fired.
After all, even apart from the lawbreaking and disregard for privacy, you’d think it would be a firing offense to waste time spying on one’s lover instead of terrorists or foreign heads of state. Years of doing that wasn’t enough for termination?
Surveying similar misdeeds, Kevin Williamson flags a larger problem it illuminates:
These actions do not represent mere violations of NSA policies… but willful violations of the law… If you, citizen, were caught illegally using an NSA database to check up on that girl you met on OkCupid, what do you think would happen?
Do you reckon that you’d get a cease-and-desist letter — or that you’d be scooped up by a team of thick-necked men with very short haircuts and dumped in the darkest oubliette Uncle Sam has available? …This is an inversion of the right order. In a sane society, people entrusted with state power — from NSA agents down to traffic cops — would be held to a higher standard rather than a lower one, and sanctioned more severely for wrongdoing rather than less.
At The Intercept, Murtaza Hussain notes that “many of the reports appear to deal with instances of human error rather than malicious misuse of agency resources. Nonetheless, many of these errors are potentially serious, including entries suggesting that unminimized U.S. telephone numbers were mistakenly disseminated to unauthorized parties and that military personnel were given unauthorized access to raw traffic databases collected under the Foreign Intelligence Services Act.”
And even regular instances of human error should be alarming for at least two reasons. First, they suggest that the NSA maintains procedures and infrastructure wherein routine human error can result in laws being broken and significant privacy breaches. Second, in a system where human error routinely results in such abuses, wouldn’t it be relatively easy to mask a willful, targeted abuse as a mere error? To spy on a target despite the flagrant illegality of doing so, just reverse engineer the plausible “errors” that would expose what one wants.
Don’t worry about being caught: it’ll be explained away as an unintentional mistake in a very complicated system overseen so well that even such errors are flagged.
Then there are the report’s heavily-redacted abuses. They alone make it irresponsible for any media outlet to characterize this release as a compendium of minor transgressions.
Here’s an example of a heavily redacted entry documenting a violation of law or policy:
Here’s another:
Here’s a third:
It’s easy to fill in those blank spots with grave abuses… or relatively minor abuses. There’s no way of knowing the gravity so long as the redactions remain in place. And the examples above are but a few taken from a single quarterly report.
There’s plenty more like them.
Do I trust the NSA to redact these documents appropriately, given its dubious invocations of national security when arguing that it should never have had to release these reports at all and its record of misrepresenting its actions to overseers? Of course I don’t. Neither should you. As Scott Shackford puts it at Reason, “The fact that the ACLU had to fight the NSA to get just this extremely vague information is a reminder of how little the NSA actually supports transparency.” Unfortunately, the Obama Administration has often been just as bad.
This article was originally published at http://www.theatlantic.com/politics/archive/2014/12/the-nsas-ongoing-effort-to-hide-its-lawbreaking/384079/
Latest Snowden Revelations Expose Scope Of NSA Interceptions
Posted by Cat Zakrzewski (@Cat_Zakrzewski)
Over the weekend, German news outlet Spiegel published a story about the NSA’s ability to crack encrypted forms of communication, exposing the agency’s routine interception of SSL/TLS, which are used by web servers to transmit sensitive information. The report also exposed the fact that the agency has the ability to decrypt a virtual private network.
But perhaps more significantly, the revelations culled from the trove of documents leaked by Edward Snowden show the forms of encryption the NSA struggled to break (at least at the time of the documents in 2012). That list includes PGP, Tor, CSpace, OTR and ZRTP.
The combination of good news and bad news garnered contradictory coverage, with The Verge highlighting the networks the NSA can’t break, and Slashdot leading with “Snowden Documents Show How Well NSA Codebreakers Can Pry.”
Overall the report was reassuring. Many of the forms of added encryption measures those concerned about security have taken in the 18 months since the Snowden documents became public are effective. For example, the documents show that communications protected by ZRTP (the type of encryption RedPhone uses) block the NSA.
“It’s satisfying to know that the NSA considers encrypted communication from our apps to be truly opaque,” RedPhone developer Moxie Marlinspike told Spiegel.
Although the scope of the interceptions on SSL and VPN connections are concerning, many assumed the agency possessed this capability previously. The trove released by Spiegel shows the specific tools the agency used to go about this.
The Spiegel report has prompted backlash in the information security community, with some saying it sensationalizes the NSA’s ability to access information on VPN connections. According to Spiegel, the NSA operates “a large-scale VPN exploitation project to crack large numbers of connections, allowing it to intercept data inside the VPN — including, for example, the Greek government’s use of VPNs.”
This is a very concerning revelation, considering the high number of companies and governments that utilize VPNs to allow users to access their networks anywhere in the world. But No Hats, a security specialists blog, says if you properly configure your VPN, you’re not affected. According to the blog’s comprehensive breakdown of the NSA slides that Spiegel based its reporting on, properly configured IPsec based VPNs are okay.
Another alarming statistic from the article is the number of https connections, the type of secure connections used by sites like Facebook, that the agency intercepts. One document showed that by late 2012, the NSA was cracking 10 million such connections a day.
Much of the Spiegel article discusses a conflict of interest that the NSA faces: It is charged with recommending security standards, yet it is constantly attempting to break the very security standards it recommends.
At first glance these claims seem to point to the very hypocrisy we are reminded of time and again as more is exposed about the American surveillance state. Privacy advocates widely agree that communications vulnerable to law enforcement agencies are also at risk for all kinds of cyber threats, from criminals attempting to steal identities to hacks of foreign governments. It seems counterintuitive that the NSA would be responsible for creating standards it only wants to break, especially when American law enforcement agencies have a history of wanting communications to be less secure to make accessing information easier.
But in a blog post criticizing the Spiegel report, calling it “activist nonsense,” cybersecurity expert Robert Graham says the NSA trying to break the standards it sets is a good thing.
“You secure things by trying to break them,” he writes.
The Spiegel story leaked a large number of documents containing very specific information about the NSA’s techniques. A year-and-a-half after The Guardian and Washington Post first published the documents, the report reignited calls on social media for the full release of the Snowden documents. If anything, the report served as a reminder that we likely have years of new exposures to come about American surveillance practices.
Prying Eyes: Inside the NSA’s War on Internet Security
When Christmas approaches, the spies of the Five Eyes intelligence services can look forward to a break from the arduous daily work of spying. In addition to their usual job — attempting to crack encryption all around the world — they play a game called the “Kryptos Kristmas Kwiz,” which involves solving challenging numerical and alphabetical puzzles. The proud winners of the competition are awarded “Kryptos” mugs.
Encryption — the use of mathematics to protect communications from spying — is used for electronic transactions of all types, by governments, firms and private users alike. But a look into the archive of whistleblower Edward Snowden shows that not all encryption technologies live up to what they promise.