Monday, March 24, 2014

Could the NSA Gain Ability to Record and Replay Every Call, Everywhere?

Published on Alternet (http://www.alternet.org)

Democracy Now! [1] / By Amy Goodman [2], Juan González [3]
Could the NSA Gain Ability to Record and Replay Every Call, Everywhere?
March 21, 2014 |

The latest disclosures from Edward Snowden show the National Security Agency is recording every single phone call made in an undisclosed foreign country. A surveillance system called MYSTIC stores the billions of phone conversations for up to 30 days. Agents are able to rewind and review any conversation within the previous month using a tool codenamed RETRO. One senior manager for the program compared it to a time machine. We speak to Ashkan Soltani, who co-wrote the Washington Post exposé on MYSTIC and has closely studied the cost of surveillance. He has co-written a series of other exposés for the Post that revealed how the NSA uses Google cookies to pinpoint targets for hacking and how the NSA secretly broke into the main communications links that connect Yahoo and Google data centers around the world.
Transcript

This is a rush transcript. Copy may not be in its final form.

Juan González: The latest disclosures from Edward Snowden show the National Security Agency is recording every single phone call made in an undisclosed foreign country. A surveillance system called "MYSTIC" stores billions of phone conversations for up to 30 days. Agents are able to rewind and review any conversation within the previous month using a tool codenamed RETRO. One senior manager for the program compared it to a time machine. Michelle Richardson of the American Civil Liberties Union criticized the MYSTIC program.

Michelle Richardson: Well, we’re concerned this is another example of U.S. government overreach and that instead of really targeting its very powerful surveillance authorities on terrorists and spies, that they’re doing this bulk collection that sweeps up a lot of innocent people. So if they’re targeting an entire country’s phone calls, collecting and recording all of them and searching through them later, that doesn’t violate just the privacy of the people in that country, but the Americans that communicate with them.

Amy Goodman: The Washington Post broke the story [4] Tuesday. The paper said it withheld details that could be used to identify the country where the system is being employed at the request of the U.S. government. The paper also revealed last year’s secret intelligence budget named five more countries for which the MYSTIC program provides "comprehensive metadata access and content," with a sixth expected to be in place by last October.

Our first guest today is independent privacy and security researcher Ashkan Soltani, who co-wrote the Washington Post piece. He has also co-written a series [5] of other exposés for the Post that revealed how the NSA uses Google cookies to pinpoint targets for hacking and how the NSA secretly broke into the main communications links that connect Yahoo and Google data centers around the world.

Ashkan Soltani, welcome to Democracy Now! Why don’t you lay out what you found? One hundred percent of the calls in a particular country are being recorded by the NSA?

Ashkan Soltani: That’s right. So our reporting demonstrates the NSA’s capability in at least one country to capture the entire communications. And this is not targeted communications; this is communications in bulk. So people’s conversations to, from and inside the country are able — are available to the NSA to be kind of retroactively accessed, so they can later go back in time and say who was talking to whom or particularly — look up particular conversations of interest.

JG: Now, your article seemed to indicate that the biggest problem the agency had was its storage capacity, its ability — how to mine this information, just because of the sheer volume involved. Could you talk about that?

AS: Yeah, that’s actually been a common thread in most of the stories that we’ve come out with, including the data center one. We previously covered the NSA’s accessing of address books. This is like who — the address books in your phone. And an often kind of — or a common theme is that the NSA hits up on technology barriers, so limits to storage, limits to bandwidth, limits to processing power. And that’s when we see the information in the slides that we have.

And that’s really telling, since it highlights a kind of a larger problem, which is that the limitations are not legal or policy restrictions, right? The limitations are technical restrictions. And as technical capacity goes up, I think the NSA will be kind of growing these programs. We’re already aware of one large data center being built in Utah, which will have kind of a very large capacity to store this type of communication. And again, we’re going to need to look to legal restrictions to kind of minimize this collection, rather than technical ones.

AG: Ashkan, how does the conversation go with the U.S. government and The Washington Post when they make their case for you not identifying the country that is 100 percent monitored, all the phone calls?

AS: I can’t get too into the details, but typically there’s a conversation on both sides, of kind of — the editors, the writers, the government all kind of weigh in on what they think is and isn’t important to cover. We felt that kind of our representation, our highlighting the existence of this program — and it is an ongoing program; it’s in place still — we wanted to raise the policy implications or policy issues associated with bulk content collection, without necessarily blowing a capability that the government currently has.

JG: Now, were you able to tell to what degree the NSA needed cooperation or complicity by the telecommunications companies that were actually providing this telephone service?

AS: Again, I can’t — I can’t kind of get into the how and the where. I can say, again, it’s comprehensive access in at least one country.

AG: At least one country, explain that.

AS: So, we — so, the documents we had were from last year, and they indicated a system up and running. And they would kind of go from, you know, earlier coverage to 100 percent, once — when we saw the documents. But they hinted at the expansion of this program in at least one other place by October 2013, October of last year. And there was kind of hints in the documents and in the budget documents that this capacity would be growing to other places as soon as the technical capacity was there.

JG: Well, during his recent TED Talk, Edward Snowden referenced you by name and talked about your work on the cost of surveillance.

Edward Snowden: There is an argument to be made that the powers of Big Brother have increased enormously. There was a recent legal article at Yale that established something called the Bankston-Soltani principle, which is that our expectation of privacy is violated when the capabilities of government surveillance have become cheaper by an order of magnitude, and each time that occurs, we need to revisit and rebalance our privacy rights. Now, that hasn’t happened since the government’s surveillance powers have increased by several orders of magnitude, and that’s why we’re in the problem that we’re in today.

But there is still hope, because the power of individuals have also been increased by technology. I am living proof that an individual can go head to head against the most powerful adversaries and the most powerful intelligence agencies around the world — and win. And I think that’s something that we need to take hope from and we need to build on to make it accessible not just to technical experts, but to ordinary citizens around the world. Journalism is not a crime. Communication is not a crime.

JG: Ashkan Soltani, your response to Edward Snowden?

AS: So, he was highlighting a paper [6] that we wrote, I co-authored with Kevin Bankston, looking at the Supreme Court U.S. v. Jones decision. It was a landmark privacy decision where they found that 28 days of continuous surveillance, location surveillance, of an individual violated the Fourth Amendment. They actually kind of hung it on a particularity with regards to the access of the vehicle, but there was multiple concurring opinions of kind of describing this — the problem with mass prolonged surveillance. And so, what we tried to do, we tried to kind of figure out what was the — what was the hook.

There was a following — following that decision, there was a hearing in which, I think, Rep. Dowdy [sic] kind of went through a line of questioning, and saying, "Well, why do we need Fourth Amendment protections around location surveillance? Do I need — you know, is there — do I need a warrant? Do I need kind of probable cause to go and follow someone around on the street? Do I need to do so if I’m a police officer? Do I need to — do I need a warrant to follow them around by car, by air, etc.?" And the answer to this is, no, you do not, right? You can — a police officer can decide to follow you. He can decide to spend his time following you on the street, and to do his job. And I think the key of that assumption is that the police officer would find it worth his time to follow you. He would be not following someone else that might be kind of more likely to be a suspect, and he would be, you know, spending his own precious time doing it.

Technology has changed that. So what we looked at is we tried to highlight, in terms of just dollars, what would it cost to follow around someone on foot, traditionally, covertly, and what would — and how has technology changed that calculus. And so, for example, if a police officer wants to follow you around on foot, his average — an average salary of a police officer comes down to something like $50 with benefits, including kind of overtime and all this kind of stuff. And if he wanted to do so, or if they — if the police wanted follow you around covertly, they’d need five or so agents, in what’s known as a "floating box formation," so people could swap in and swap out and you wouldn’t know who’s following you. That’s somewhere on the order of $250 an hour to follow an individual throughout the day, right? And there’s like human limits to that, but let’s just, for the sake of argument, take that as a base number.

Now we compare that to what we know around what telephone providers, or telcos, charge the government for location tracking using your cellphone or using a GPS device. And that comes down to somewhere — to like $10 an hour, down to even four cents an hour, for an entire month, to track someone on Sprint’s network. So the government can pay a flat rate to Sprint, and it comes down to something around four cents a month to — for cents an hour to track an individual. That’s very different than $250 an hour to track an individual. And as such, the calculus is orders of magnitude less, right? They have orders of magnitude less barriers to be able to track you on the street, and therefore they’re more likely to do so.

JG: So, in other words, the cost-benefit analysis of a total police state, where people are following you around, is just too prohibitively expensive, but now, with technology, the cost-benefit has been reduced dramatically.

AS: Yeah. I mean, an example that we use at the very end of the paper is, right after the Supreme Court decision, an FBI official kind of announced that they had to request permission to turn on 3,000 devices that were in the field, so that they could go get them. Right after this decision, they had to disable those devices, and they needed permission to turn on those devices, they needed — from the courts, in order to go retrieve them. What’s interesting about that is that it indicates that, at that point in time, there was at least 3,000 devices in the field that they needed to go collect. And if you do the math, again, 3,000 kind of simultaneous targets would require somewhere on the order of 15,000 individuals full-time tracking those — the location of those targets. The FBI currently has something like 13,000 field agents that would be doing this work. And assuming that they did nothing else — they didn’t sleep, they didn’t shower, they didn’t — they did only surveillance, there would still not be enough FBI agents to surveil 3,000 people simultaneously. And I think that’s kind of the outcome, is, well, the technology allows a much greater capacity to do surveillance in bulk at a much lower cost, and so we’re going to just do it, because the technology can, and not kind of have a bigger policy debate of what is the right balance, right? How many agents should we have per person, per capita?

AG: We’re going to link to your piece [6] in The Yale Law Journal at democracynow.org. I wanted to turn to Deputy Director of National Security Agency Rick Ledgett, who gave a response to Snowden’s on-stage, virtual appearance at TED earlier in the week. Ledgett insisted the NSA believes in a right to privacy.

Rick Ledgett: And we devote an inordinate amount of time and pressure — inordinate and appropriate, actually, I should say, amount of time and effort in order to ensure that we — that we protect that privacy — and beyond that, the privacy of citizens around the world. It’s not just Americans. You know, several — several things come into play here. First, we’re all on the same network. My communications — I’m a user of a particular Internet email service that is the number one email service of choice by terrorists around the world, number one, and so I’m there right beside them in email space in the Internet. And so, we need to be able to pick that apart and find the information that’s relevant. In doing so, we’re going to necessarily encounter Americans and innocent foreign citizens who are just going about their business, and so we have procedures in place that shreds that out, that says, "OK, when you find that — not if you find it, when you find it, because you’re certain to find it — here’s how you protect that." These are called minimization procedures. They’re approved by the attorney general and constitutionally based. And so, we protect those. And then, for people — you know, citizens of the world who are going about their lawful business on a day-to-day basis, the president, in his 17 January speech, laid out some additional protections that we are providing to them. So I think, absolutely, folks do have a right to privacy.

AG: That’s the deputy director of the National Security Agency, Rick Ledgett, giving a TED Talk, actually, from Fort Meade, Maryland, in response to Edward Snowden’s TED Talk earlier this week. Your response to this, Ashkan Soltani?

AS: Well, the fact that he gave a TED Talk is amazing on a number of levels. But going to the kind of substance of his — of his speech there, one thing to realize is, in fact, yes, the NSA does employ minimization procedures when they encounter U.S. persons’ information. For example, in bulk surveillance, if they are to discover that voice communications or email communications belong to an American, and they determine that it is not of foreign intelligence or other kind of national security interests — right, so they could be under counterterrorism, counternarcotics — I think in that speech he describes human trafficking, he describes, you know, money laundering. There’s a number of kind of missions that the data could become useful for. But if it’s determined that it’s a U.S. person and it’s not viable to any of those broad missions, then there is minimization in place.

I think what the tension is, what the kind of disconnect is, that the — that kind of that minimization happens on access to the data, but not on collection, right? So in our — in our story, we describe bulk collection or bulk kind of storage of entire countries’ worth of communications. That communication will continue as persons’ information for that rolling buffer of 30 days, and it’s not considered collection, or these minimization procedures don’t fall into place, until someone looks at it. But all during this time, your information has been recorded and is accessible, right? So it’s one of these things where it’s essentially the government saying, "We want to be able to look, but we won’t look unless — you know, unless we really need to, and we’ll close our eyes." And I think a lot of people would say, "Well, no, you shouldn’t be able to look unless you need to," right? And that’s the disconnect.

JG: I wanted to ask you about this whole issue of the government’s restrictions in terms of collecting material on Americans. In the articles that you did on Google and the ability of the U.S. government to access Google data centers, you raised a particular, I think, issue that most people are not aware of. If I write on a Gmail account an email to Amy here in New York City, that email can appear in a Google server somewhere else in the world. Could you talk about that?

AS: That’s right. So, as we’re moving to a cloud-based kind of architecture, as more of our services are cloud-based, what that means is the servers are distributed all over the world, and they replicate, and they’re redundant to one another, such that if California fell off the, you know, grid sometime, that your emails and your communications are still accessible, right? And so, what happens is, in the scenario you described, if you’re in New York, you might be talking to either a Mountain View data center or something — or something in North Carolina, a data center in North Carolina. Your emails and your activity, your login, your — kind of the data that you generate will be housed in North Carolina, but it will immediately get replicated to Google’s data centers all over the world, the ones in Iceland, the ones in Japan. And as that data gets replicated, the NSA is able to tap that communication, that replication, that transfer of data. And so, even though, under their Executive Order 12333, they’re collecting overseas, they’re going to be incidentally collecting a large number of U.S. persons’ information, given the global architecture that we’re moving to, this global cloud architecture that we’re moving to.

AG: And this Executive Order 12333 was signed by Reagan in 1981?

AS: Yeah, that — what’s interesting about 12333, it’s the kind of president’s sole kind of guidance on collection overseas for the intel agencies. And it’s — not a lot is known around that particular program. In my opinion, it’s actually — you know, there’s been a lot of talk of Section 215, the bulk metadata program; Section 702, which is essentially the PRISM program, where they go to companies and get data from Google and Yahoo. The bulk kind of — almost all of our stories, or the ones that I’ve been involved in, have been focusing around this 12333 kind of international collection, since it allows the government, almost kind of with very few restrictions, to collect data internationally. And there’s minimization procedures that apply to U.S. persons’ information that is encountered internationally, but those are only after, as I said, the information is accessed or looked at. But in the machine processing of it, they’re able to collect, broadly, everyone’s data under this executive order.

AG: Ashkan, very quickly, can you talk about Google cookies?

AS: Sure, absolutely. So, another one of the stories in — in the story we did on location tracking, we kind of highlighted the government collecting information broadly from mobile devices, from cellphone networks, a variety of sources to track people’s location — five billion records a day, I think, was what we described. One of the findings from that particular kind of line of research was that the government was also using or relying on Google cookies to identify individuals. And so, the kind of the purpose might seem strange, but this goes back to the costs of surveillance and the costs to do identification, right?

So, you guys at Democracy Now! might use the Internet, and all of you will be behind the Democracy Now! firewall, and you would appear as the same user, the same IP address, and so the government couldn’t identify one of you versus another, right? But because you use Google services, Google will essentially identify you guys individual. They’ll set cookies for each user that’s unique to that user.
And so, what we found is the government was in fact relying on Google cookies, Yahoo cookies, a bunch of services, to uniquely identify users that they couldn’t otherwise do — again, an indication of their growing capacity due to the kind of change in our global telecommunications network. They’re benefitting from it or they’re able to leverage it in a kind of a really interesting way.

AG: Ashkan Soltani, we want to thank you very much for being with us, independent privacy and security researcher. He has co-written a series of exposés [5] for The Washington Post based on the leaks of Edward Snowden, including, most recently, the one [4] headlined "NSA Surveillance Program Reaches 'Into the Past' to Retrieve, Replay Phone Calls." This is Democracy Now! We’ll link to that piece at democracynow.org, and all your pieces.

Source URL: http://www.alternet.org/news-amp-politics/could-nsa-gain-ability-record-replay-every-call-everywhere

Links:
[1] http://www.democracynow.org/
[2] http://www.alternet.org/authors/amy-goodman-0
[3] http://www.alternet.org/authors/juan-gonzalez-0
[4] http://www.washingtonpost.com/world/national-security/nsa-surveillance-program-reaches-into-the-past-to-retrieve-replay-phone-calls/2014/03/18/226d2646-ade9-11e3-a49e-76adc9210f19_story.html
[5] http://ashkansoltani.org/work/wapo-snowden-files/
[6] http://www.yalelawjournal.org/the-yale-law-journal-pocket-part/constitutional-law/tiny-constables-and-the-cost-of-surveillance:-making-cents-out-of-united-states-v.-jones/

Donations can be sent to the Baltimore Nonviolence Center, 325 E. 25th St., Baltimore, MD 21218. Ph: 410-366-1637; Email: mobuszewski [at] verizon.net. Go to http://baltimorenonviolencecenter.blogspot.com/

"The master class has always declared the wars; the subject class has always fought the battles. The master class has had all to gain and nothing to lose, while the subject class has had nothing to gain and everything to lose--especially their lives." Eugene Victor Debs

No comments: