Tag Archives: encrypted

NSA clarification

I have written that we really didn’t know what was going on at the NSA. Well, this week we got some clarification.

From Kevin Drum:

Today, in the latest release of classified NSA documents from Glenn Greenwald, we finally got a look at these minimization procedures. Here’s the nickel summary:

The top secret documents published today detail the circumstances in which data collected on US persons under the foreign intelligence authority must be destroyed, extensive steps analysts must take to try to check targets are outside the US, and reveals how US call records are used to help remove US citizens and residents from data collection.

I have a feeling it must have killed Glenn to write that paragraph. But on paper, anyway, the minimization procedures really are pretty strict. If NSA discovers that it’s mistakenly collected domestic content, it’s required to cease the surveillance immediately and destroy the information it’s already collected. However, there are exceptions. They can:

Retain and make use of “inadvertently acquired” domestic communications if they contain usable intelligence, information on criminal activity, threat of harm to people or property, are encrypted, or are believed to contain any information relevant to cybersecurity.

The Guardian has posted two classified documents online. The first one describes the procedure for determining whether a surveillance target is legitimate (i.e., a non-U.S. person located outside the country). The second one describes the minimization procedures in case of inadvertent targeting of a U.S. person. There are a few obvious things to say about them:

  • The determination document repeatedly emphasizes that NSA bases its decisions on the “totality of the circumstances.” There are quite a few safeguards listed to make sure that only foreigners are targeted, but in the end these are often judgment calls from analysts.
  • The minimization procedures are fairly strict, but they do allow retention and disseminationof domestic data—without a warrant—under quite a few circumstances. “Threat of harm” is pretty broad, as is “criminal activity.” The latter, in fact, seems like a loophole the size of a Mack truck. It suggests that NSA could have a significant incentive to “inadvertently” hoover up as much domestic information as possible so it can search for evidence of criminal activity to hand over to the FBI.
  • The oversight procedures are pretty thin. Analysts have quite a bit of discretion here.

It’s genuinely unclear how big a problem this stuff is. It’s plainly true that determining whether someone is a U.S. person is sometimes a judgment call, and it’s possible that mistakes are rare. What’s more, if collection of domestic content genuinely is inadvertent, and is only occasionally turned over to other agencies when there’s evidence of serious crime, we should all feel better about this. But we really have no way of knowing. That would require, say, an inspector general to gather this kind of information, and the IG has specifically declined to do this.

Also, note that the documents posted by the Guardian are from 2009. It’s quite possible that procedures have changed since then.

(Editor’s note – for me the take-home lesson is there is still a lot that we don’t know.)

Twitter hacked

twitter

Major companies like Twitter must fix this

Attackers may have gained access to 250,000 accounts on Twitter, the microblogging site said. It’s time to change your password…again.

The site’s security team identified multiple access attempts by unauthorized individuals to access user data this week, the Bob Lord, director of information security, wrote on the Twitter blog on Friday afternoon. The company also uncovered “one live attack” and shut it down while it was still in progress moments later, Lord said.

Further investigation revealed that attackers were able to access a subset of user data, including usernames, email addresses, session tokens, and encrypted/salted passwords, belonging to approximately 250,000 users, Twitter admitted in the post. Lord did not provide any additional information about the security breach, nor did he say whether any of the exposed accounts had been illegally accessed. (more…)

Oh, Java continues to have problems.