Everything you wanted to Know About NSA Surveillance *but were afraid to ask (Stray)

Jonathan Stray writes at ProPublica:

There have been a lot of news stories about NSA surveillance programs following the leaks of secret documents by Edward Snowden. But it seems the more we read, the less clear things are. We’ve put together a detailed snapshot of what’s known and what’s been reported where.

What information does the NSA collect and how?

We don’t know all of the different types of information the NSA collects, but several secret collection programs have been revealed:

A record of most calls made in the U.S., including the telephone number of the phones making and receiving the call, and how long the call lasted. This information is known as “metadata” and doesn’t include a recording of the actual call (but see below). This program was revealed through a leaked secret court order instructing Verizon to turn over all such information on a daily basis. Other phone companies, including AT&T and Sprint, also reportedly give their records to the NSA on a continual basis. All together, this is several billion calls per day.

Email, Facebook posts and instant messages for an unknown number of people, via PRISM, which involves the cooperation of at least nine different technology companies. Google, Facebook, Yahoo and others have denied that the NSA has “direct access” to their servers, saying they only release user information in response to a court order. Facebook has revealed that, in the last six months of 2012, they handed over the private data of between 18,000 and 19,000 users to law enforcement of all types — including local police and federal agencies, such as the FBI, Federal Marshals and the NSA.

Massive amounts of raw Internet traffic Much of the world’s Internet traffic passes through the U.S. even when the sender and receiver are both outside the country. A recently revealed presentation slide notes the U.S.’s central role in internet traffic and suggests domestic taps can be used to monitor foreign targets. A whistleblower claimed that he helped install a network tap in an AT&T facility in San Francisco on NSA orders in 2003. The tap sent the entire contents of high capacity fiber optic cables into a secret room filled with monitoring equipment. An unknown fraction of the intercepted data is stored in massive databases in case it is useful in the future.

Because there is no automatic way to separate domestic from international communications, this program also captures U.S. citizens’ internet activity, such as emails, social media posts, instant messages, the sites you visit and online purchases you make.

The contents of an unknown number of phone calls The details are sketchy, but there are several reports that the NSA records the audio contents of some phone calls. This reportedly happens “on a much smaller scale” than the programs above, after analysts select specific people as “targets.” There does not seem to be any public information about the collection of text messages, which would be much more practical to collect in bulk because of their smaller size.

The NSA has been prohibited from recording domestic communications since the passage of the Foreign Intelligence Surveillance Act but at least two of these programs — phone records collection and Internet cable taps — involve huge volumes of Americans’ data.

Does the NSA record everything about everyone, all the time?

No. The NSA routinely obtains and stores as much as it can of certain types of information, such as the metadata from telephone calls made in the U.S. (but not their content) and some fraction of the massive amount of raw data flowing through major internet cables. It is also possible for the NSA to collect more detailed information on specific people, such as the actual audio of phone calls and the entire content of email accounts. NSA analysts can submit a request to obtain these types of more detailed information about specific people.

Watching a specific person like this is called “targeting” by the Foreign Intelligence Surveillance Act, the law which authorizes this type of individual surveillance. The NSA is allowed to record the conversations of non-Americans without a specific warrant for each person monitored, if at least one end of the conversation is outside of the U.S. It is also allowed to record the communications of Americans if they are outside the U.S. and the NSA first gets a warrant for each case. It’s not known exactly how many people the NSA is currently targeting.

How the NSA actually gets the data depends on the type of information requested. If the analyst wants someone’s private emails or social media posts, the NSA must request that specific data from companies such as Google and Facebook. For information that is already flowing through Internet cables that the NSA is monitoring, or the audio of phone calls, a targeting request instructs automatic systems to watch for the communications of a specific person and save them.

It’s important to note that the NSA probably has information about you even if you aren’t on this target list. If you have previously communicated with someone who has been targeted, then the NSA already has the content of any emails, instant messages, phone calls, etc. you exchanged with the targeted person. Also, your data is likely in bulk records such as phone metadata and internet traffic recordings. This is what makes these programs “mass surveillance,” as opposed to traditional wiretaps, which are authorized by individual, specific court orders.

What does phone call metadata information reveal, if it doesn’t include the content of the calls?

Even without the content of all your conversations and text messages, so-called “metadata” can reveal a tremendous amount about you. If they have your metadata, the NSA would have a record of your entire address book, or at least every person you’ve called in the last several years. They can guess who you are close to by how often you call someone, and when. By correlating the information from multiple people, they can do sophisticated “network analysis” of communities of many different kinds, personal or professional — or criminal.

Phone company call records reveal where you were at the time that a call was made, because they include the identifier of the radio tower that transmitted the call to you. The government has denied that it collects this information, but former NSA employee Thomas Drake said they do. For a sense of just how powerful location data can be, see this visualization following a German politician everywhere he goes for months, based on his cellphone’s location information.

The type of data can be used to discover the structure of groups planning terrorism. But metadata is a sensitive topic because there is great potential for abuse. While no one has claimed the NSA is doing this, it would be possible to use metadata to algorithmically identify, with some accuracy, members of other types of groups like the Tea Party or Occupy Wall Street, gun owners, undocumented immigrants, etc. An expert in network analysis could start with all of the calls made from the time and place of a protest, and trace the networks of associations out from there.

Phone metadata is also not “anonymous” in any real sense. The NSA already maintains a database of the phone numbers of all Americans for use in determining whether someone is a “U.S. person” (see below), and there are several commercial number-to-name services in any case. Phone records become even more powerful when they are correlated with other types of data, such as social media posts, local police records and credit card purchase information, a process known as intelligence fusion.

Does the NSA need an individualized warrant to listen to my calls or look at my emails?

It’s complicated, but not in all cases. Leaked court orders set out the “minimization” procedures that govern what the NSA can do with the domestic information it has intercepted. The NSA is allowed to store this domestic information because of the technical difficulties in separating foreign from domestic communications when large amounts of data are being captured.

These documents show that individual intelligence analysts make the decision to look at previously collected bulk information. The analyst must document why they believe the information belongs to someone who is not a “U.S. person” (roughly, a U.S. citizen or permanent resident) but they do not need to ask anyone’s permission before looking at intercepted information or asking for additional information to be collected. If the analyst later discovers that they are looking at the communications of a U.S. person, they must destroy the data.

However, if the intercepted information is “reasonably believed to contain evidence of a crime” then the NSA is allowed to turn it over to federal law enforcement. Unless there are other (still secret) restrictions on how the NSA can use this data this means the police might end up with your private communications without ever having to get approval from a judge, effectively circumventing the whole notion of probable cause.

This is significant because it is not always possible to determine whether someone is a U.S. person before looking at their data. For example, it’s not usually possible to tell just from someone’s email address, which is why the NSA maintains a database of known U.S. email addresses and phone numbers. If the NSA does not have “specific information” about someone, that person is “presumed to be a non-United States person.”

Also, the NSA is allowed to provide any of its recorded information to the FBI, if the FBI specifically asks for it.

Is all of this legal?

Yes, assuming the NSA adheres to the restrictions set out in recently leaked court orders. By definition, the Foreign Intelligence Surveillance Court decides what it is legal for the NSA to do.

But this level of domestic surveillance wasn’t always legal, and the NSA has been found to violate legal standards on more than one occasion. Although the NSA’s broad data collection programs appear to have started shortly after September 11, 2001, the NSA was gradually granted authority to collect domestic information on this scale through a series of legislative changes and court decisions over the next decade. See this timeline of loosening laws. The Director of National Intelligence says that authority for PRISM programs comes from section 702 of the Foreign Intelligence Surveillance Act and the Verizon metadata collection order cites section 215 of the Patriot Act. The author of the Patriot Act disagrees that the act justifies the Verizon metadata collection program.

In March 2004, acting Attorney General James Comey ordered a stop to some parts of the secret domestic surveillance programs, but President Bush signed an order re-authorizing it anyway. In response, several top Justice Department officials threatened to resign, including Comey and FBI director Robert Mueller. Bush backed down, and the programs were at least partially suspended for several months.

In 2009, the Justice Department acknowledged that the NSA had collected emails and phone calls of Americans in a way that exceeded legal limitations.

In October 2011, the Foreign Intelligence Surveillance Court ruled that the NSA violated the Fourth Amendment at least once. The Justice Department has said that this ruling must remain secret, but we know it concerned some aspect of the “minimization” rules the govern what the NSA can do with domestic communications. The Foreign Intelligence Surveillance Court recently decided that this ruling can be released, but Justice Department has not yet done so.

Civil liberties groups including the EFF and the ACLU dispute the constitutionality of these programs and have filed lawsuits to challenge them.

How long can the NSA keep information on Americans?

The NSA can generally keep intercepted domestic communications for up to five years. It can keep them indefinitely under certain circumstances, such as when the communication contains evidence of a crime or when it’s “foreign intelligence information,” a broad legal term that includes anything relevant to “the conduct of the foreign affairs of the United States.” It can also keep encrypted communications indefinitely.

Does the NSA do anything to protect Americans’ privacy?

Yes. First, the NSA is only allowed to intercept communications if at least one end of the conversation is outside of the U.S. — though it doesn’t have to distinguish domestic from foreign communication until the “earliest practicable point” which allows the NSA to record bulk information from internet cables and sort it out later. When the NSA discovers that previously intercepted information belongs to an American, it must usually destroy that information. Because this determination cannot always be made by computer, this sometimes happens only after a human analyst has already looked at it.

The NSA also must apply certain safeguards. For example, the NSA must withhold the names of U.S. persons who are not relevant to ongoing investigations when they distribute information — unless that person’s communications contain evidence of a crime or are relevant to a range of national security and foreign intelligence concerns.

Also, analysts must document why they believe someone is outside of the U.S. when they ask for addition information to be collected on that person. An unknown number of these cases are audited internally. If the NSA makes a mistake and discovers that it has targeted someone inside the U.S., it has five days to submit a report to the Department of Justice and other authorities.

What if I’m not an American?

All bets are off. There do not appear to be any legal restrictions on what the NSA can do with the communications of non-U.S. persons. Since a substantial fraction of the world’s Internet data passes through the United States, or its allies, the U.S. has the ability to observe and record the communications of much of the world’s population. The European Union has already complained to the U.S. Attorney General.

The U.S. is hardly the only country doing mass surveillance, though its program is very large. GCHQ, which is the British counterpart to the NSA, has a similar surveillance program and shares data with the NSA. Many countries now have some sort of mass internet surveillance now in place. Although passive surveillance is often hard to detect, more aggressive governments use intercepted information to intimidate or control their citizens, including Syria, Iran, Egypt, Bahrain and China. Much of the required equipment is sold to these governments by American companies.

15 Responses

  1. According to James Bamford in his book on the NSA “The Puzzle Palace,” back in the 70’s the NSA was disposing of 20 tons a day of printouts from phone conversations. According to him, the NSA had machines monitoring phone calls and if a trigger word was used a printout was made and an analyst checked it over.

  2. Excellent article. I’m sure that between government and private industry their goals will not be satisfied until they have it all together and can call it the “Akashic Record”

    The akashic records – akasha being a Sanskrit word meaning “sky”, “space” or “aether” – are described as containing all knowledge of human experience and all experiences as well as the history of the cosmos encoded or written in the very aether or fabric of all existence…other analogies commonly found in discourse on the subject include a “universal supercomputer” and the “Mind of God”.

    link to en.wikipedia.org

  3. I am not sure how much confusion this roundup actually dispells. It is a rather conservative assessment.

    The final point made in the article, that all “bets are off” for non-Us citizens otherwise known as 95% of humanity undermines the limited safeguards documented before.

    Even if the NSA complex really had those limitations (and there are more leaks coming) they can easily get around the limits placed on the remaining 5% (otherwise known as US citizens) by conveniently logging in to databases set up by British colleagues for whom all Americans are fair game in turn.

    Any sane government would work with other countries to get their citizens off limits to them as well.

  4. Juan,

    Just a heads up…. This information should be updated now that it has been confirmed that along with the metadata being stoled by the NSA… the content is being stolen as well.

    When you wrote this, the NSA was still denying collection of content . Since then it has been revealed that “the NSA was lying” and the NSA have also been stealing the content along with the metadata. The people occupying the whitehouse can’t be trusted ~ Everything that comes out of their mouths these days is a lie !

    in solidarity,

    Gerard Ange’

  5. Disturbing, but I suppose it’s better for the govt. to have this info and not need it than to need it and not have it.

    • Ah, the argument used to justify the Cold War, and all kinds of other stuff. Presumes that “the government” is both competent, and interested in the survival of the species and that “nation” thing.

  6. Off the top of my head, I think the main concerns would be:

    If a US citizen and you are outside the US, why does that make you eligible, if so, to surveillance? Would not simply being a US citizen automatically safeguard you legally no matter where in the world you are? Or is it that you are using foreign communications equipment, if not your own phone, that may set off alarm bells since you can not tell it’s a US citizen doing the calling or internet use? Is this where if they find you to be a US citizen, anything they have gets discarded? The same could be said for drone targets, I suppose.

    Are we going after terrorists only or is this for all crime related activities – Gangs, organized crime, fringe militia type groups, human trafficking, child pornography, foreign governments spying on us, etc.? What if the NSA somehow came across information about two or more kids planning a school shooting, do they automatically pass that on to the FBI or locally known authorities? Would they be allowed to? It would seem really odd to have this system in place to go after just one target at the expense of dealing with all the rest. If we are just going after terrorists, and, in my opinion, Al Quaeda being a small, scattered, international gang of thugs with no state, military, and little, if any, intelligence infrastructure, etc., isn’t this overkill? Didn’t we have relevant info before 9/11 that was not believed, processed, and/or acted upon that enabled the hijackers to get lucky, so the response to dealing with that failure is to create this 800 pound meta-gorilla? Why did we not find out about the Boston marathon bombings? Does that not reveal an Achilles heel to the whole body of this program particularly in light of Russian inquiries about the brothers involved? We seem to be focused on what is not there and blind to what obviously is.

    And my biggest worry – If you are a professor, student, journalist, writer, or just someone curious and wanting to honestly learn more and you want to study and understand terrorism and/or Al Quaeda, and you visit sites with such information, will that get you a knock on the door by the FBI? What about other suspected concerns? Suppose you are a novelist writing about a terrorist group or a spy story and you do internet research in intelligence and/or weapons like bomb making, etc.? What about calling experts in these certain fields to learn more? Did we not have librarians asked to disclose what books people checked out and being made to stay silent about the request?

    What are the actual assurances this system will not be abused now or in the future? With so many involved, who is to say someone in power will not be tempted to go after political rivals, unions, activists, journalists, and so on? What about one disgruntled or untrustworthy analyst with access to a chunk, if not all, of this using information he/she may come by to leak or blackmail someone? Or be bribed/forced to find something out? How would we find out about such abuse? How would the person or persons be tried and punished, if held accountable, if the program is supposed to be so secret?

  7. Jay Leno interviewing Shia LeBoeuf about his new movie, “Eagle Eye” on the Tonight Show 9/17/08:

    Shia LeBoeuf: I remember we had an FBI consultant on the picture telling me that they can use your ADT security box microphone to get your stuff that is going on in your house. Or OnStar, they can shut your car down. And he told me that one in five phone calls that you make are recorded and logged and I laughed at him. And then he played back a phone conversation I had two years prior to joining the picture, the FBI consultant…

    Leno: They had a record of you from..

    Shia: Two years prior to me joining the picture…

    Leno: That seems creepy.

    Shia: Extremely creepy.

    link to dailykos.com

    The FBI consultant on the picture, Thomas Knowles, denies this happened.

    However, here’s another part of the surveillance state story from historian Rick Pearlstein (link to thenation.com):

    “We have been here before.

    “In the fall of 1975, when a Senate select committee chaired by Frank Church and a House committee chaired by Otis Pike were investigating abuses of power by the CIA and FBI, Congresswoman Bella Abzug, the loaded pistol from New York (she had introduced a resolution to impeach Richard Nixon on her first day in office in 1971) dared turned her own House Subcommittee on Government Information and Individual Rights to a new subject: the National Security Agency, and two twin government surveillance projects she had learned about codenamed “SHAMROCK” and “MINARET.” They had monitored both the phone calls and telegrams of American citizens for decades.

    “At the time, even political junkies did not know what the NSA was. “With a reputed budget of some $1.2 billion and a manpower roster far greater than the CIA,” the Associated Press explained, it had been “established in 1952 with a charter that is still classified as top secret.” (Is it still? I’d be interested to know.) President Ford had persuaded Frank Church not to hold hearings on the matter. (Ford had something in common with Obama: hypocrisy. “In all my public and private acts as your president, I expect to follow my instincts of openness and candor with full confidence that honesty is always the best policy in the end,” he’d said in his inaugural address, the one where he proclaimed, “Our long national nightmare is over.”) So Abzug proceeded on her own. At first, when she subpoenaed the executives responsible for going along with the programs the White House tried to prevent their testimony by claiming the private companies were “an agent of the United States.” When they did appear, they admitted their companies had voluntarily been turning over their full records of phone and telegram traffic to the government at the end of every single day, by courier, for over forty years, full stop. The NSA said the programs had been discontinued. Abzug claimed they still survived, just under different names. And at that, Church changed his mind: the contempt for the law here was so flagrant, he decided, he would initiate NSA hearings, too.”

    So, it seems that almost all communications have been monitored from the 1930s on, except for maybe a few minutes in the late 1970s when things got a little too hot and before Reagan’s morning in America reinstalled the wiretaps.

    • The National Security Agency did have members testify before Congress during the Church Committee hearings.

      I have read transcripts of Church Committee proceedings where the NSA was described by a panel member as having its charter not authorized by an Act of Congress but by executive order of the president, and the fact most Americans were unaware of its existence.

      NSA Deputy Director Benson Buffham had testified at that juncture before the Church Committee. Buffham had led a code-breaking unit in the Army during WWII, and later oversaw the early years of growth at the NSA. Buffham had been vocal about his belief that the USS Liberty attack was intentional (an NSA civilian employee died in that incident). He has given interviews on the history of U.S. intelligence (subject to NSA redaction before publication) Buffham today is in his 90s and lives in Florida.

      One thing I have not seen mentioned in the recent NSA controversy mentioned is the Privacy Act. During the ACLU litigation of FBI and National Security Agency surveillance of Abdeen Jabara, both the violation of the Privacy Act and attorney-client privilege were argued before the federal judiciary in Detroit and a number of those rulings were published in the Federal Supplement or Federal Reporter series. Wholesale surveillance by the NSA will necessarily encompass snaring communications that are statutorily protected for legal or medico-legal purposes. The federal judiciary did not dismiss attorney-client privilege concerns in the Jabara case but indicated that the client rather than the attorney had standing to bring those claims for violations of their privacy.

      The FBI began survellance of Arab-Americans during Operation Boulder in response to the 1972 Munich Olympics massacre and Jabara became a public figure as defense counsel of Sirhan Sirhan from 1968 to 1972, when Sirhan’s death sentence was vacated by the California Supreme Court; however federal surveillance of Jabara began, according to court records, in 1967 – well before the RFK shooting or the Munich incident – so neither of these events caused the surveillance being initiated against Jabara.

      Another prominent defense attorney from Detroit, William Bufalino, who defended Jimmy Hoffa, had in the 1960s, discovered Detroit Police Department wiretaps of his law firm’s telephones and sued Michigan Bell for its complicity in the affair. Bufalino, like Jabara, was never convicted of anything. Walter Sheridan, who had headed the “Get Hoffa Squad” on behalf of Robert F. Kennedy, was an NSA counter-intelligence officer.

      The ACLU litigation brought on behalf of Jabara uncovered highly questionable tactics of the FBI, CIA and NSA being directed at a U.S. citizen. During that case, affidavits were filed containing conclusory statements by CIA personnel to justify surveillance. The Snowden allegations do not surprise me as the Jabara court proceedings contain public record disclosure of extremely invasive government behavior. The ACLU/Jabara litigation commenced in 1972 and continued well into the 1980s before a settlement was reached.

      Abdeen Jabara currently lives in Manhattan and practices law – often collaborating with former U.S. Attorney General Ramsey Clark.

  8. Juan,

    For ten years or so I have been turning down engineering contracts and positions to do automatic voice recognition on telephone lines at high speed on many lines at once. The only reason for that technology is to snoop on political content on many many times as many phone lines as the thousands of NSA auditors can handle by themselves. The technology exists and is not very costly to apply to every telephone conversation whatsoever. I think we can assume that all lines are scanned for political content at the discretion of snoopers, who listen to the actual conversation if political content was detected. And we can assume that nearly all of those who listen are very simple minded conformists who equate liberal views with subversion, and record momentary excesses of anger at government as plans of subversion. If it is not quite so extreme now, it will be in very few years. There is simply no technical, moral, or ideological barrier to these agencies going that far. Your readers would be fooling themselves to think that any limits are respected in fact.

  9. The gist of the article is that, if it puts its mind to it, the NSA can learn just about anything we have communicated either through phone or the internet. Now consider what is going to happen with the consolidation and centralization of medical records. Of course such a consolidation is necessary to “bend the cost curve down,” and to determine the most effective “outcomes of medical interventions.” But all it takes is an executive order, given in complete secrecy, and the NSA will have access to our medical records. And voila, the NSA will know just about everything there is to know about us. Welcome to the brave new world we have created for ourselves.

  10. Since about 2003 awake people have known all our electronic traffic is fully public.
    ALL corporate communication is open to 10 of thousands of NSA and contracted workers; sold by them worldwide plus dozens or hundreds of Russian and Chinese hackers who (I expect) have root at NSA. All info worth trading on. If I were working at NSA (I am not) or if I were a Russian hacker I would call my broker in two minutes. A load of juice on the inside. Who cares about Bin Laden and related losers when you have all the e-mail and phone of the top dogs at the Carlisle Group on your 32 Gb pen drive?
    Sure the hackers report to somebody higher up with capital.
    There is real money to be made!
    Do you think these people are stupid or lazy?
    There are people in Russia who are not yet 40 who know more about what is goimg than does the POTUS.
    I am surprised the corporate elite don’t protest their plans are public.

  11. Appreciate the article, but I have to correct you on something. You said “if the intercepted information is “reasonably believed to contain evidence of a crime” then the NSA is allowed to turn it over to federal law enforcement.” At the end of the paragraph where the quoted passage was taken from, you go on to say that probable cause has been effectively circumvented. That is incorrect statement about the law. As you’ll see immediately below, you in fact quoted the standard for probable cause-in it’s short form.

    Per wikipedia and from my legal education, probable cause is defined as “a reasonable amount of suspicion, supported by circumstances sufficiently strong to justify a prudent and cautious person’s belief that certain facts are probably true.” That means according the Federal Law Enforcement Agency must have probable cause before the NSA can turn over the requested data/information. Probable Cause is required for all search warrants, so presumably (unless one can show otherwise) the Federal Law Enformancement Agency must have an independent magistrate (judge) sign off on the warrant before NSA turns over the data/information. Here, my guess, the magistrate who must sign off is a judge appointed to the FISA Court, based off the court order to Verizon.

    The only way probable cause is allowed to be circumvented to enable a warrantless search is if there’s either no reasonable expectation of privacy in the area the evidence was located or circumstances related to that specific suspect allowed for reasonable suspicion based on articularable facts to suggest a crime has been or will be committed.

    The concern here is that the fourth amendment is just being paid lip service. Is the magistrate who signs off on these warrants independent and not just motivated by “let’s get the bastards” standard of justice—we want our magistrates signing off on warrants in a similar fashion to the way Dick Wolf presents in Law & Order.

    Moreover, it really shouldn’t be a valid argument that we have no privacy expectation in our emails…we use gmail et al to instantly transmit messages that once took hours, days and weeks to reach the recipient via postal mail. In essence, Gmail et al function like an online post office in this sense-they are a conduit for transmitting/delivering your mail. If you use a postal service, your mail cannot be searched and read unless there’s probable cause, since it’s communication you’re not transmitting to a wide public audience via spoken communication but rather to a filtered group of people or just one person thru written communication sealed in an envelope. Your email functions the same way because you have to log on to a password protected account to read and send email…the password/account is like a stamped envelope-by using email instead of Facebook, you’ve declared to keep the message more private instead of publicly displaying it on your wall in your newsfeed. Privacy Groups and ACLU lawyers should make this argument to those who believe the Internet changes things at least when it comes to email.

  12. I argue we have less expectation of privacy on Facebook than email, because when we post to our wall on Facebook, unless one has taken additional steps to make their account über private, what you post is there for the preying eyes of the online community (not just your social network) to see.

Comments are closed.