N.S.A. Collecting Millions of Faces From Web Images
The New York Times by By JAMES RISEN and LAURA POITRAS May 31, 2014
The National Security Agency is harvesting huge numbers of images of people from communications that it intercepts through its global surveillance operations for use in sophisticated facial recognition programs, according to top-secret documents.
The spy agency’s reliance on facial recognition technology has grown significantly over the last four years as the agency has turned to new software to exploit the flood of images included in emails, text messages, social media, videoconferences and other communications, the N.S.A. documents reveal. Agency officials believe that technological advances could revolutionize the way that the N.S.A. finds intelligence targets around the world, the documents show. The agency’s ambitions for this highly sensitive ability and the scale of its effort have not previously been disclosed.
NSA loophole allows warrantless search for US citizens’ emails and phone calls
Exclusive: Spy agency has secret backdoor permission to search databases for individual Americans’ communications
The Guardian / UK by James Ball & Spencer Ackerman August 9, 2013
The National Security Agency has a secret backdoor into its vast databases under a legal authority enabling it to search for US citizens’ email and phone calls without a warrant, according to a top-secret document passed to the Guardian by Edward Snowden.
The previously undisclosed rule change allows NSA operatives to hunt for individual Americans’ communications using their name or other identifying information. Senator Ron Wyden told the Guardian that the law provides the NSA with a loophole potentially allowing “warrantless searches for the phone calls or emails of law-abiding Americans”.
The authority, approved in 2011, appears to contrast with repeated assurances from Barack Obama and senior intelligence officials to both Congress and the American public that the privacy of US citizens is protected from the NSA’s dragnet surveillance programs.
The intelligence data is being gathered under Section 702 of the of the Fisa Amendments Act (FAA), which gives the NSA authority to target without warrant the communications of foreign targets, who must be non-US citizens and outside the US at the point of collection.
The communications of Americans in direct contact with foreign targets can also be collected without a warrant, and the intelligence agencies acknowledge that purely domestic communications can also be inadvertently swept into its databases. That process is known as “incidental collection” in surveillance parlance.
But this is the first evidence that the NSA has permission to search those databases for specific US individuals’ communications.
A secret glossary document provided to operatives in the NSA’s Special Source Operations division – which runs the Prism program and large-scale cable intercepts through corporate partnerships with technology companies – details an update to the “minimization” procedures that govern how the agency must handle the communications of US persons. That group is defined as both American citizens and foreigners located in the US.
“While the FAA 702 minimization procedures approved on 3 October 2011 now allow for use of certain United States person names and identifiers as query terms when reviewing collected FAA 702 data,” the glossary states, “analysts may NOT/NOT [not repeat not] implement any USP [US persons] queries until an effective oversight process has been developed by NSA and agreed to by DOJ/ODNI [Office of the Director of National Intelligence].”
The term “identifiers” is NSA jargon for information relating to an individual, such as telephone number, email address, IP address and username as well as their name.
The document – which is undated, though metadata suggests this version was last updated in June 2012 – does not say whether the oversight process it mentions has been established or whether any searches against US person names have taken place.
Wyden, an Oregon Democrat on the Senate intelligence committee, has obliquely warned for months that the NSA’s retention of Americans’ communications incidentally collected and its ability to search through it has been far more extensive than intelligence officials have stated publicly. Speaking this week, Wyden told the Guardian it amounts to a “backdoor search” through Americans’ communications data.
“Section 702 was intended to give the government new authorities to collect the communications of individuals believed to be foreigners outside the US, but the intelligence community has been unable to tell Congress how many Americans have had their communications swept up in that collection,” he said.
“Once Americans’ communications are collected, a gap in the law that I call the ‘back-door searches loophole’ allows the government to potentially go through these communications and conduct warrantless searches for the phone calls or emails of law-abiding Americans.”
Wyden, along with his intelligence committee colleague Mark Udall, have attempted repeatedly to warn publicly about the ability of the intelligence community to look at the communications of US citizens, but are limited by their obligation not to reveal highly classified information.
But in a letter they recently wrote to the NSA director, General Keith Alexander, the two senators warned that a fact sheet released by the NSA in the wake of the initial Prism revelations to reassure the American public about domestic surveillance was misleading.
In the letter, they warned that Americans’ communications might be inadvertently collected and stored under Section 702, despite rules stating only data on foreigners should be collected and retained.
“[W]e note that this same fact sheet states that under Section 702, ‘Any inadvertently acquired communication of or concerning a US person must be promptly destroyed if it is neither relevant to the authorised purpose nor evidence of a crime,'” they said.
“We believe that this statement is somewhat misleading, in that it implied the NSA has the ability to determine how many American communications it has collected under Section 702, or that the law does not allow the NSA to deliberately search for the records of particular Americans.”
The foreign intelligence surveillance (Fisa) court issues approvals annually authorizing such operations, with specific rules on who can be targeted and what measures must be taken to minimize any details “inadvertently” collected on US persons.
Secret minimization procedures dating from 2009, published in June by the Guardian, revealed that the NSA could make use of any “inadvertently acquired” information on US persons under a defined range of circumstances, including if they held usable intelligence, information on criminal activity, threat of harm to people or property, are encrypted or are believed to contain any information relevant to cybersecurity.
At that stage, however, the rules did not appear to allow for searches of collected data relating to specific US persons.
Assurances from Obama and senior administration officials to the American public about the privacy of their communications have relied on the strict definition of what constitutes “targeting” while making no mention of the permission to search for US data within material that has already been collected.
The day after the Guardian revealed details of the NSA’s Prism program, President Obama said: “Now, with respect to the internet and emails, this doesn’t apply to US citizens and it doesn’t apply to people living in the United States.”
Speaking at a House hearing on 18 June this year, deputy attorney general James Cole told legislators “[T]here’s a great deal of minimization procedures that are involved here, particularly concerning any of the acquisition of information that deals or comes from US persons.
“As I said, only targeting people outside the United States who are not US persons. But if we do acquire any information that relates to a US person, under limited criteria only can we keep it.”
Dianne Feinstein, the California Democrat who chairs the Senate intelligence committee, said in June 2012 that she believed the intelligence agencies and the Justice Department were sufficiently mindful of Americans’ privacy.
“The intelligence community is strictly prohibited from using Section 702 to target a US person, which must at all times be carried out pursuant to an individualized court order based upon probable cause,” Feinstein stated in a report provided to the Senate record.
While there are several congressional proposals to constrain the NSA’s bulk collection of Americans’ phone records, there has to date been much less legislative appetite to abridge its powers under Section 702 – as lawmakers are satisfied it doesn’t sufficiently violate Americans’ privacy.
“702 is focused outside the United States at non-citizens,” said Adam Schiff, a member of the House intelligence committee. “The evidence of the effectiveness of 702 is much more substantial than 215 [the bulk phone records collection]. So I think there are fewer fourth amendment concerns and more evidence of the saliency of the program.”
Wyden and Udall – both of whom say foreign surveillance conducted under Section 702 has legitimate value for US national security – have tried and failed to restrict the NSA’s ability to collect and store Americans’ communications that it accidentally acquires.
Wyden told the Guardian that he raised concerns about the loophole with President Obama during an August 1 meeting with legislators about the NSA’s surveillance powers.
“I believe that Congress should reform Section 702 to provide better protections for Americans’ privacy, and that this could be done without losing the value that this collection provides,” he said.
The Guardian put the latest revelations to the NSA and the Office of the Director of National Intelligence but no response had been received by the time of publication.
Top secret documents submitted to the court that oversees surveillance by US intelligence agencies show the judges have signed off on broad orders which allow the NSA to make use of information “inadvertently” collected from domestic US communications without a warrant.
The Guardian is publishing in full two documents submitted to the secret Foreign Intelligence Surveillance Court (known as the Fisa court), signed by Attorney General Eric Holder and stamped 29 July 2009. They detail the procedures the NSA is required to follow to target “non-US persons” under its foreign intelligence powers and what the agency does to minimize data collected on US citizens and residents in the course of that surveillance.
The documents show that even under authorities governing the collection of foreign intelligence from foreign targets, US communications can still be collected, retained and used.
The procedures cover only part of the NSA’s surveillance of domestic US communications. The bulk collection of domestic call records, as first revealed by the Guardian earlier this month, takes place under rolling court orders issued on the basis of a legal interpretation of a different authority, section 215 of the Patriot Act.
The Fisa court’s oversight rolehas been referenced many times by Barack Obama and senior intelligence officials as they have sought to reassure the public about surveillance, but the procedures approved by the court have never before been publicly disclosed.
The top secret documents published today detail the circumstances in which data collected on US persons under the foreign intelligence authority must be destroyed, extensive steps analysts must take to try to check targets are outside the US, and reveals how US call records are used to help remove US citizens and residents from data collection.
However, alongside those provisions, the Fisa court-approved policies allow the NSA to:
• Keep data that could potentially contain details of US persons for up to five years;
• Retain and make use of “inadvertently acquired” domestic communications if they contain usable intelligence, information on criminal activity, threat of harm to people or property, are encrypted, or are believed to contain any information relevant to cybersecurity;
• Preserve “foreign intelligence information” contained within attorney-client communications;
• Access the content of communications gathered from “U.S. based machine[s]” or phone numbers in order to establish if targets are located in the US, for the purposes of ceasing further surveillance.
The broad scope of the court orders, and the nature of the procedures set out in the documents, appear to clash with assurances from President Obama and senior intelligence officials that the NSA could not access Americans’ call or email information without warrants.
The documents also show that discretion as to who is actually targeted under the NSA’s foreign surveillance powers lies directly with its own analysts, without recourse to courts or superiors – though a percentage of targeting decisions are reviewed by internal audit teams on a regular basis.
Since the Guardian first revealed the extent of the NSA’s collection of US communications, there have been repeated calls for the legal basis of the programs to be released. On Thursday, two US congressmen introduced a bill compelling the Obama administration to declassify the secret legal justifications for NSA surveillance.
The disclosure bill, sponsored by Adam Schiff, a California Democrat, and Todd Rokita, an Indiana Republican, is a complement to one proposed in the Senate last week. It would “increase the transparency of the Fisa Court and the state of the law in this area,” Schiff told the Guardian. “It would give the public a better understanding of the safeguards, as well as the scope of these programs.”
Section 702 of the Fisa Amendments Act (FAA), which was renewed for five years last December, is the authority under which the NSA is allowed to collect large-scale data, including foreign communications and also communications between the US and other countries, provided the target is overseas.
FAA warrants are issued by the Fisa court for up to 12 months at a time, and authorise the collection of bulk information – some of which can include communications of US citizens, or people inside the US. To intentionally target either of those groups requires an individual warrant.
One such warrant seen by the Guardian shows that they do not contain detailed legal rulings or explanation. Instead, the one-paragraph order, signed by a Fisa court judge in 2010, declares that the procedures submitted by the attorney general on behalf of the NSA are consistent with US law and the fourth amendment.
Those procedures state that the “NSA determines whether a person is a non-United States person reasonably believed to be outside the United States in light of the totality of the circumstances based on the information available with respect to that person, including information concerning the communications facility or facilities used by that person”.
It includes information that the NSA analyst uses to make this determination – including IP addresses, statements made by the potential target, and other information in the NSA databases, which can include public information and data collected by other agencies.
Where the NSA has no specific information on a person’s location, analysts are free to presume they are overseas, the document continues.
“In the absence of specific information regarding whether a target is a United States person,” it states “a person reasonably believed to be located outside the United States or whose location is not known will be presumed to be a non-United States person unless such person can be positively identified as a United States person.”
If it later appears that a target is in fact located in the US, analysts are permitted to look at the content of messages, or listen to phone calls, to establish if this is indeed the case.
Referring to steps taken to prevent intentional collection of telephone content of those inside the US, the document states: “NSA analysts may analyze content for indications that a foreign target has entered or intends to enter the United States. Such content analysis will be conducted according to analytic and intelligence requirements and priorities.”
Details set out in the “minimization procedures”, regularly referred to in House and Senate hearings, as well as public statements in recent weeks, also raise questions as to the extent of monitoring of US citizens and residents.
NSA minimization procedures signed by Holder in 2009 set out that once a target is confirmed to be within the US, interception must stop immediately. However, these circumstances do not apply to large-scale data where the NSA claims it is unable to filter US communications from non-US ones.
The NSA is empowered to retain data for up to five years and the policy states “communications which may be retained include electronic communications acquired because of limitations on the NSA’s ability to filter communications”.
Even if upon examination a communication is found to be domestic – entirely within the US – the NSA can appeal to its director to keep what it has found if it contains “significant foreign intelligence information”, “evidence of a crime”, “technical data base information” (such as encrypted communications), or “information pertaining to a threat of serious harm to life or property”.
Domestic communications containing none of the above must be destroyed. Communications in which one party was outside the US, but the other is a US-person, are permitted for retention under FAA rules.
The minimization procedure adds that these can be disseminated to other agencies or friendly governments if the US person is anonymised, or including the US person’s identity under certain criteria.
A separate section of the same document notes that as soon as any intercepted communications are determined to have been between someone under US criminal indictment and their attorney, surveillance must stop. However, the material collected can be retained, if it is useful, though in a segregated database:
“The relevant portion of the communication containing that conversation will be segregated and the National Security Division of the Department of Justice will be notified so that appropriate procedures may be established to protect such communications from review or use in any criminal prosecution, while preserving foreign intelligence information contained therein,” the document states.
In practice, much of the decision-making appears to lie with NSA analysts, rather than the Fisa court or senior officials.
A transcript of a 2008 briefing on FAA from the NSA’s general counsel sets out how much discretion NSA analysts possess when it comes to the specifics of targeting, and making decisions on who they believe is a non-US person. Referring to a situation where there has been a suggestion a target is within the US.
“Once again, the standard here is a reasonable belief that your target is outside the United States. What does that mean when you get information that might lead you to believe the contrary? It means you can’t ignore it. You can’t turn a blind eye to somebody saying: ‘Hey, I think so and so is in the United States.’ You can’t ignore that. Does it mean you have to completely turn off collection the minute you hear that? No, it means you have to do some sort of investigation: ‘Is that guy right? Is my target here?” he says.
“But, if everything else you have says ‘no’ (he talked yesterday, I saw him on TV yesterday, even, depending on the target, he was in Baghdad) you can still continue targeting but you have to keep that in mind. You can’t put it aside. You have to investigate it and, once again, with that new information in mind, what is your reasonable belief about your target’s location?”
The broad nature of the court’s oversight role, and the discretion given to NSA analysts, sheds light on responses from the administration and internet companies to the Guardian’s disclosure of the PRISM program. They have stated that the content of online communications is turned over to the NSA only pursuant to a court order. But except when a US citizen is specifically targeted, the court orders used by the NSA to obtain that information as part of Prism are these general FAA orders, not individualized warrants specific to any individual.
Once armed with these general orders, the NSA is empowered to compel telephone and internet companies to turn over to it the communications of any individual identified by the NSA. The Fisa court plays no role in the selection of those individuals, nor does it monitor who is selected by the NSA.
The NSA’s ability to collect and retain the communications of people in the US, even without a warrant, has fuelled congressional demands for an estimate of how many Americans have been caught up in surveillance.
Two US senators, Ron Wyden and Mark Udall – both members of the Senate intelligence committee – have been seeking this information since 2011, but senior White House and intelligence officials have repeatedly insisted that the agency is unable to gather such statistics.
N.S.A. Said to Search Content of Messages to and From U.S.
The New York Times by Charlie Savage August 8, 2013
The National Security Agency is searching the contents of vast amounts of Americans’ e-mail and text communications into and out of the country, hunting for people who mention information about foreigners under surveillance, according to intelligence officials.
The N.S.A. is not just intercepting the communications of Americans who are in direct contact with foreigners targeted overseas, a practice that government officials have openly acknowledged. It is also casting a far wider net for people who cite information linked to those foreigners, like a little used e-mail address, according to a senior intelligence official.
The NSA’s XKeyscore program, revealed in a new report from The Guardian today, allows agency analysts to run quick searches for people that match certain criteria. In fact, it looked familiar: It looked an awful lot like Facebook’s Graph Search.
So we figured we’d see how the two compare. We took searches from the NSA presentation (it’s here) and ran them through the Facebook search tool.
We started with an easy one.
Here’s what Facebook gives us when we search for people who like Google Maps and use email. Everyone who has a Facebook account uses email, of course, but we added it as a search term just to make extra sure.
Some of these people (not the ones shown) have public email addresses, NSA. Point for Facebook. (We’ve blurred the faces and hidden the names. Facebook, of course, does not.)
Unusual language speakers
One of the identifiers the NSA uses to look for what it calls “anomalous events” is “Someone whose language is out of place for the region they are in.” It offers a specific example.
Another identifier the NSA uses is “someone who’s using encryption.” (See our primer on encryption if you, too, would like to be suspicious.)
“PGP” is “Pretty Good Privacy,” an encryption tool. Facebook’s results?
But enough of this easy stuff.
Cutting to the chase
Or, more broadly:
But Facebook Graph Search does have its limitations.
Remember when people argued that you share more on Facebook than the NSA can see? Yeah, well, they kind of had a point.