So there's been a lot of hot and heavy action on the Snowden/NSA front of late. Having formerly had a TS/SAR Clearance working for a defense contractor in a previous life, and currently being a DBA and Systems Administrator in my current life - I may have a bit of unique perspective on much of this.
Taking it from the top we have the confirmation of Snowden's basic claims from previous NSA Whistleblower Russell Tice wherein he alleges that NSA resources were used to wiretap Senator Obama in 2004.
In the summer of 2004, one of the papers that I held in my hand was to wiretap a bunch of numbers associated with a 40-something-year-old wannabe senator for Illinois. You wouldn't happen to know where that guy lives right now would you? It's a big white house in Washington, D.C. That's who they went after, and that's the president of the United States now.
Now you have that contrasted with the recent article that essentially claims that
Snowden and Greenwald are Liars.
Now, a new report on the NSA programs casts doubt on the entire premise of Snowden and Greenwald's claims. Indeed, the report suggests that their claims are completely false -- that in fact, Snowden did not ever and would not ever have had either the authority for or access to the NSA database at all, much less to eavesdrop, as Snowden and Greenwald claimed.
I think to many extents both of these views are correct, and both of them are also probably wrong. Let's put them both into context.
The primary difference of course between these two views is the passage of time, and most importantly the FISA Fix that was implemented in the Protect America Act of 2007 after the first revelations of NSA warrentless spying were addressed by Congress.
Previous to this act, President Bush exerted his Unitary Executive Privilege to conduct his National Security as he pleased without oversight by the Congress or the Courts. With this act the FISA Court was enabled to periodically authorize and reauthorize every 90 days the foreign surveillance which had previously occurred under the Bush Administration in a blanket and unchecked manner.
The kind of abuses Russell describes are exactly the kinds of abuses we would all like to avoid, where innocent Americas or even worse political rivals of the current Administration have the power of the NSA turned against them for political purposes.
The point of bringing the court into the mix was to prevent exactly this from occurring. One of Snowden and Greenwald's main complaints about the court, is the fact that it rendered a secret opinion in 2008 that found the process used by the NSA to be Unconstitutional. Via Wired.
“On at least one occasion,” the intelligence shop has approved Sen. Ron Wyden (D-Ore.) to say, the Foreign Intelligence Surveillance Court found that “minimization procedures” used by the government while it was collecting intelligence were “unreasonable under the Fourth Amendment.” Minimization refers to how long the government may retain the surveillance data it collects. The Fourth Amendment to the Constitution is supposed to guarantee our rights against unreasonable searches.
In the letter, acquired by Danger Room (.pdf), Wyden asserts a serious federal sidestep of a major section of the Foreign Intelligence Surveillance Act.
That section — known as Section 702 and passed in 2008 — sought to legalize the Bush administration’s warrantless surveillance efforts. The 2008 law permitted intelligence officials to conduct surveillance on the communications of “non-U.S. persons,” when at least one party on a call, text or email is “reasonably believed” to be outside of the United States. Government officials conducting such surveillance no longer have to acquire a warrant from the so-called FISA Court specifying the name of an individual under surveillance. And only a “significant purpose” of the surveillance has to be the acquisition of “foreign intelligence,” a weaker standard than before 2008.
A similar FISC Court ruling was made in 2011.
http://www.ibtimes.com/...
A 2011 FISC court ruling had concluded that some of the NSA’s surveillance programs had violated sections of the Foreign Intelligence Surveillance Act, or FISA, a law aimed at protecting American citizens from surveillance programs targeted at foreigners.
The nation’s most secretive court, as it has been called in the media, said that the 86-page classified opinion can be made public if a district court orders it.
Logic dictates that in order to appease the court, these minimization procedures needed to be updated and increased to meet judicial muster, otherwise the court should certainly have the power to
enjoin all of this surveillance until it was satisfied. We know from Snowden's releases that after the first such finding some of these procedures were
required by the court in 2009. Hence we have the more recent report from the
Washington Post which outlines what some of those minimization procedures are.
But to begin a particular search, analysts must submit a request to their superiors showing why there is a “reasonable, articulable suspicion” that the number belongs to a member of a recognized terrorist organization. A reasonable, articulable suspicion is lower than the standard of “probable cause” used in criminal investigations to obtain a warrant or make an arrest. But the suspicion has to be based on facts that a reasonable person would accept.
...
The analysts’ 215 requests go to one of the 22 people at the NSA who are permitted to approve them — the chief or the deputy chief of the Homeland Security Analysis Center or one of 20 authorized Homeland Security mission coordinators within the Signals Intelligence directorate’s analysis and production directorate.
Each NSA database search is audited afterward by compliance officials at the agency. How many phone numbers are searched is reported every 30 days to the Foreign Intelligence Surveillance Court. Every 90 days, a small team from the Justice Department and the Office of the Director of National Intelligence spends a day at NSA looking over 215 documents and questioning analysts. Cursory reports on 215 activity are sent to Congress every year. The last one was eight sentences.
Some have argued that this proves that Snowden and Greenwald have "Lied" and that with this level of protection in place his claims could not be true.
“I, sitting at my desk, certainly had the authorities to wiretap anyone, from you or your accountant, to a federal judge or even the President, if I had a personal e-mail.”
“All they have to do is enter an e-mail address or an IP address, and it does two things, searches the database and lets them listen to the calls or read the e-mails of everything that the NSA has stored, or look at the browsing histories and Google search terms.”
“It’s done with no need to go to court, no need to get approval . . . But it allows them to listen to whatever e-mails they want, telephone calls, browsing history, Microsoft Word documents.”
This view unfortunately ignores several key factors. Edward Snowden was
not an analyst at the NSA. He's a
systems administrator and the the difference is as great as an ant and an elephant.
If I were an analyst I might go to my system and enter a database query by entering information into a form like this...
But if I were a system analyst I wouldn't need that form, I might have created that form in order to generate an SQL query like this one.
$query = "SELECT DISTINCT phone1.phoneID, phone1.name, phone1.service, phone1.typeID, phone1.callID, phone1.duration, phone1.calls, phone2.name as receivername FROM phonecalls as phone1 LEFT Join phonecalls as phone2 ON phone1.receiverID = phone2.phoneID WHERE phone1.sysID = '$sysID' ORDER BY phone2.datetime, phone2.name LIMIT $Start,9999" ;
One of these things, is obviously not like the other. The point being that a system administration
from his desk can ALWAYS run direct SQL Queries to the database and the only security involved, is his Administrator ID. There are no prior approvals required by management, and there is NO Audit trail (unless the DB has internal auditing, which it might, but even if it did the
administrator would have control of that auditing).
Other whistleblowers besides Tice have discussed the power that an Administrator would have as a Super-User. Something I discussed previously in this diary.
Thomas Drake: It has nothing to do with being 29. It's just that we are in the Internet age and this is the digital age. So, so much of what we do both in private and in public goes across the Internet. Whether it's the public Internet or whether it's the dark side of the Internet today, it's all affected the same in terms of technology. ...
One of the critical roles in the systems is the system administrator. Someone has to maintain it. Someone has to keep it running. Someone has to maintain the contracts.
Whistle Blower William Binney: Part of his job as the system administrator, he was to maintain the system. Keep the databases running. Keep the communications working. Keep the programs that were interrogating them operating. So that meant he was like a super-user. He could go on the network or go into any file or any system and change it or add to it or whatever, just to make sure — because he would be responsible to get it back up and running if, in fact, it failed.
So that meant he had access to go in and put anything. That's why he said, I think, "I can even target the president or a judge." If he knew their phone numbers or attributes, he could insert them into the target list which would be distributed worldwide. And then it would be collected, yeah, that's right. As a super-user, he could do that.
So there you have confirmation that Snowden is probably not lying or exaggerating. Someone in his former position could do - still today - what Russel Tice says was occurring back in 2004 before the involvement of the FISA court.
Which leads us to the ultimate issue. If the government is going to maintain a system like this, there will always be away around the security, particularly if those entrusted with All the Access happen to be the ones who choose to abuse it.
One solution to this problem, which comes from my previous secure experience, is to establish a two-man rule. No-one works alone. Someone would always have to be in the room or have direct access to the same terminal, with the same authorities and can double-check what the other person is doing and has done. It's not perfect, but it is an strong deterrent to systems abuse.
And it's a darn-sight better option that the sort of knee-jerk hair-on-fire response we've seen from the NSA. http://www.businessinsider.com/...
The National Security Agency, hit by disclosures of classified data by former contractor Edward Snowden, said Thursday it intends to eliminate about 90 percent of its system administrators to reduce the number of people with access to secret information.
"What we're in the process of doing - not fast enough - is reducing our system administrators by about 90 percent," he said.
Yes ridiculously overworked system administrators are going to be really NOT HAPPY system administrators. That's a plan fail right from the start, but at least in the short term - it does kinda plug their biggest security hole, which would be the people responsible for
implementing the security.
When it comes to some of the loopholes that have been pointed out from the FISA opinions released by Snowden regarding data from and by U.S. Citizens which may be caught up in this surveillance net... I actually don't have a problem with it.
Secret minimization procedures dating from 2009, published in June by the Guardian, revealed that the NSA could make use of any "inadvertently acquired" information on US persons under a defined range of circumstances, including if they held usable intelligence, information on criminal activity, threat of harm to people or property, are encrypted or are believed to contain any information relevant to cybersecurity.
To me this seems a reasonable loophole for
exigent circumstances, just as we might not want a police officer to enter our house with a warrant - we tend to
waive that when someone in the house is screaming for help, or the house is on fire, or there's an audible gun-shot. We
want our Law Enforcement to go into that house under those circumstances rather than wait for a warrant, and that's how it should be.
Be all of this as it may, I am somewhat heartened by the President Obama has said his plans to further minimize the scope of NSA surveillance while improving it's transparency. He has pledged to the following. http://www.nationaljournal.com/...
2. Work with Congress to reform the Foreign Intelligence Surveillance Court to introduce an “independent voice” that would “make sure the government’s position is challenged by an adversary.”
3. Increase transparency. The Department of Justice will be making public the legal rationale for the collection of data. A website will also be created as “a hub” for further transparency.
4. A “high-level group of outside experts” will be formed for “new thinking, for a new era.” The independent group will be asked to review surveillance technologies, to ensure there is no abuse and find how the programs can maintain the trust of the public.
All of these are good moves.
Some may still argue that they aren't good enough, that simply the fact that the NSA has
built this haystack of data is itself a violation of the 4th Amendment. There are court cases making this argument right now, but another question I would ask them is : what would you have them do instead?
Let's say that all of this data, instead of being compiled and housed by NSA, were instead allowed to remain at the corporations which are their source, and only when a FISA warrant is issued would the NSA be able to go to each and every single one of these email & phone providers ONE BY ONE to do the kind of database query I gave a sample for above. In all likelihood, those queries would have to be done custom to each database because the field names, formats and database schema is not likely to be common or compatible.
Quite frankly, it would be a Nightmare.
Ultimately we as a Nation have to make a decision whether avoiding that nightmare, and the possibility that crucial data may be lost in the cracks of those imperfect data-joins is worth the risk of having a big giant shoe-string ball of data sitting in the desert where a wayward systems admin might decide to go look up who Christopher Walken has been talking to on his Blackberry.
I mean the worst that could happen is if a future Presidential candidate had his information scooped up by the NSA for some god-forsaken reason and then had what ever they found exploited to destroy his political career. Y'know - kinda the way the career of our current President clearly went south as soon as that kind of surveillance happened to him, way way back in 2004!
But then again simply the fact that now that the FISA Court is involved and overseeing the process and has twice put forward these minimization procedures shows that the system does work the way it should and reasonable protections are either in place, or will be added soon. This situation may not be perfect, but things are far better now than they were, and may soon be getting better still prior to a new President coming into office.
All in all, I'm not nearly as panicked and fearful about the entire thing now - as I was when I first heard about this program when Bush started it years ago.
Speaking of being worried about government abuse, malfeasance and neglect have you heard about the time we dropped nuclear bomb on Iceland? Now that's something to worry about.
Vyan
11:21 AM PT: As usual I wrote this at about 5am and planned to get up early for a final proofread Unfortunately I overslept the scheduled publishing time I'd posted, but now I've finally gone back over it. Sorry for that.
1:27 PM PT: Let me add that I can think of a few other worse case scenarios for abuse, such as the DEA using NSA derived domestic data then covering it up, or say Homeland Security potentially using innocuous personal information of people involved in Occupy to target them for further surveillance, harassment and prosecution. I would find all of that somewhat more troubling than the way the IRS handled Tea Party 501(c)(3) applications. But perhaps that's just me. However what I would then point out is that what you're now dealing with isn't an NSA problem you're dealing with a problem of law enforcement abusing their own mandate and authority, and that problem is large and ongoing both locally and federally.
There are many ways this could go wrong or horribly sideways, which is why we need more safeguards and protections in place [and not just at NSA]. As I said in the diary dismantling this entire system may ultimately be required, even I'm still on the fence about going that far yet, I have to consider the ultimately possibility.