Another FISC judge: “NSA exceeded the scope of authorized acquisition continuously”

Judge: “NSA exceeded the scope of authorized acquisition continuously”

New declassified documents show legal arguments over bulk metadata collection.

by Cyrus Farivar – Nov 19 2013, 1:36am EST
Yet another Foreign Intelligence Surveillance Court (FISC) judge has blasted United States government and intelligence officials for disregarding the court’s guidelines for domestic surveillance of American e-mail metadata traffic, a program that ran for around a decade before ending in 2011.
“As noted above, [National Security Agency’s] record of compliance with these rules has been poor,” wrote Judge John D. Bates, in a 117-page opinion (PDF) whose date was redacted. The opinion was just one of a series of documents released and declassified late Monday evening by the Office of the Director of National Intelligence (ODNI).
“Most notably, NSA generally disregarded the special rules for disseminating United States person information outside of NSA until it was ordered to report such disseminations and certify to the FISC that the required approval had been approved. The government has provided no meaningful explanation why these violations occurred, but it seems likely that widespread ignorance of the rules was a contributing factor.”
The documents, which include annual reports from the Attorney General to Congress, memos, presentations, and training documents, were released in relation to an Electronic Frontier Foundation lawsuit. The second batch was released in September 2013, and the first in August 2013. In total, ODNI says it has now released nearly 2,000 new documents in recent months.
“Release of these documents reflects the Executive Branch’s continued commitment to making information about this intelligence collection program publicly available when appropriate and consistent with the national security of the United States,” James Clapper, the head of the ODNI, wrote on Monday.
“Additionally, they demonstrate the extent to which the Intelligence Community kept both Congress and the Foreign Intelligence Surveillance Court apprised of the status of the collection program under Section 215 [of the Patriot Act]. Some information has been redacted because these documents include discussion of matters that continue to be properly classified for national security reasons and the harm to national security would be great if disclosed.”
The Bates opinion is the second of the two most revealing documents in this new tranche. The first, written by FISC Judge Colleen Kollar-Kotelly, responds to a government request that allows the NSA to use pen register and trap and trace devices (“pen/trap devices”) as a way to access metadata on electronic communication. She granted approval for the bulk surveillance, but laid out specific guidelines.
The subsequent second FISC opinion, authored by Judge Bates, is in response to a government request that aimed to expand the metadata collection program by “11-24 times.” Bates slams the government for not adhering to its guidelines, but “reluctantly” allows them to continue, citing deference to the Executive Branch (and intelligence agencies, like the NSA, whose powers are granted through the Reagan-era Executive Order 12333). In the opinion, Judge Bates appears unwilling or unable to meaningfully punish any government officials despite clear violations of the court’s prior orders.
“I see a lot of similarities between the Bates opinion and the Walton opinion,” Mark Rumold, a staff attorney at the Electronic Frontier Foundation, told Ars. Rumold was referring to a 2009 opinion by FISC Judge Reggie Walton, who equally lambasted the government.
“It’s essentially the same thing, FISC taking NSA and [the Department of Justice] to task for violating their orders, for accessing more information than they were allowed to access under the orders and laying out under the ways that they had violated the court’s orders, [but then] letting them continue,” Rumold added. “The executive branch has pushed the judiciary so far and hopefully now we’re at that tipping point that the judiciary is comfortable with and they’ll start pushing back on executive misrepresentations.”
Not your father’s pen/trap application
The Kollar-Kotelly opinion (PDF) describes her response to a government application that “seeks authority for a much broader type of collection than other pen register/trap and trace applications,” compared to what had been done before.
As we’ve reported in the past, pen/trap devices are a type of legal order that has recently skyrocketed in use in the US. Originally designed to apply to telephone companies, they are now being increasingly applied to tech companies as a way to capture user metadata, too. Of the total number of American law enforcement orders that it received in six months, Google said recently that 2 percent of those were pen/trap orders.
Applied to a Google user, for example, a pen register would likely record who that user was sending e-mail to. A corresponding “trap and trace order” would likely include metadata from e-mails received, likely including date, time, IP address, and other routing information. It could also include attachments, and perhaps even—if broadly interpreted enough—anything but the actual content of an e-mail. Secure e-mail service Lavabit recently received such an order prior to its shutdown.
In the Monday night Tumblr post, the ODNI defined this program this way:

Seattle Police snooping with Aruba Networks mesh WiFi system

Seattle Police have deployed an Aruba Networks mesh WiFi system. What’s interesting is it may well be snorting MAC addresses from every passing device; Aruba advertises that feature.
And when asked:
The SPD declined to answer more than a dozen questions
from The Stranger, including whether the network is
operational, who has access to its data, what it might
be used for, and whether the SPD has used it (or intends
to use it) to geo-locate people’s devices via their MAC
addresses or other identifiers.
Seattle Police detective Monty Moss, one of the
leaders of the mesh-network project—one part of
a $2.7 million effort, paid for by the Department
of Homeland Security—wrote in an e-mail that the
department “is not comfortable answering policy
questions when we do not yet have a policy.”
But that didn’t stop them from deploying it without one.
“Sentence First, Verdict Later” comes to mind.
Aruba also sells a software product called “Analytics
and Location Engine 1.0.” According to a document Aruba
has created about the product, ALE “calculates the location
of associated and unassociated wifi devices… even though
a device has not associated to the network, information
about it is available. This includes the MAC address,
location, and RSSI information.”

SafeSlinger claims Phone Privacy

CMU Researchers Claim To Have Created Messaging App Even NSA Can’t Crack

The app is called SafeSlinger, and is free on the iTunes store and the Google Play store for Android phones. SafeSlinger’s easy-to-use interface brings cryptography and secure communication to non-expert users, while also achieving military-grade security against hackers.

Government captures a mirrored version of your smartphone standard practice

3 Important Lessons from a Canadian Border Crossing
By Jeffrey Tucker
Sep 17 2013
I was at the Canadian border, headed toward the freedom that exists a few feet beyond the last security check. I was gently waved down a side corridor.
Ninety minutes later, I was let go, but not before something truly alarming happened. I’m pretty sure that the Canadian government captured a mirrored version of my smartphone — which pretty much holds the whole of my life.
I’ll explain precisely how this happened in just a bit — in the hopes that perhaps you can take precautions that I did not. But let’s first establish that this practice is not unusual. According to documents obtained by the American Civil Liberties Union, this has become the standard backdoor method of search used today by governments around the world.
At border crossings, governments have discovered that they can get away with seizing and searching electronic devices from smartphones to laptops to tablets. The reason is that it is standard practice that border officials can ask you anything. Anything at all. You have to answer. They can make you empty the full contents of your brain and check for even the smallest misstatement. You can refuse to answer, but then you can expect detention for untold amounts of time. So of course, you comply.
If this is standard practice, it makes perfect sense that there is not anything they are not entitled to know. This is why they have begun to profile people based on their devices.
Maybe there was nothing I could have done to stop it. Maybe I was somehow fated to be among the 15 that were hit with this. But as I look back, I realize now that I was far too nonchalant in my whole approach. I’ve crossed that border dozens of times and never had any trouble. I expected no trouble this time.
The problem began at passport check. I was coming into Canada just to visit friends, but my dress suggested business. An official later confirmed to me that this was the first point that caused me to be flagged. Then, in stating my traveling route to get to that point, I flubbed a bit on the cities I had been in (some I entered by car and others by plane). I just wasn’t focusing, and I was just a bit too chatty and casual.
As I became increasingly flustered, the agent apparently marked my customs form to indicate that I should undergo a secondary screening. I didn’t know this had happened. As I casually presented my form to the last agent in the line, he signaled for me to follow a different path. I did so. There were no agents around. There were no officials. I just walked and walked until I found myself in a long and nearly empty room.
I realized that I was going to be there for a few minutes at least, and that I was in some kind of lineup. I was, essentially, under arrest. Unguarded, but arrested. There was nowhere to go. I could not go forward nor could I go back. There was no one to protest to.
I asked the people ahead of me how long they had been there. Forty-five minutes. I pulled out my laptop and started watching an episode of Breaking Bad to pass the time.
After about an hour, I was called up. At first, everything seemed fine. The official wanted some clarification about whom I was visiting. They wanted the phone number in particular — a startling demand, but one never knows for sure when one should comply or refuse. Of course, I didn’t have the number memorized.
This was (I think) when I made my fateful decision. I reached into my pocket. I pulled out my smartphone. I unlocked it. I pulled up the contact information. Instead of reading it out loud, I showed the agent the number. She calmly took the phone — which I thought she was doing so she could see the number better.
In an instant, she was gone. She went to some back room somewhere. I stood there at the counter, completely unguarded. My heart started to race. My palms grew sweaty. I began to fidget. After all, my whole life was suddenly in the hands of a government official. My emails, my phone calls, my Facebook messages, my contacts far and wide, my financial information, my browsing history — even my diet and exercise routines were there.
And incredibly, I had unlocked it all and handed it over.