NSA admits it violated Americans' privacy by spying on their phone calls

The National Security Agency for almost three years searched a massive database of Americans’ phone call records attempting to identify potential terrorists in violation of court-approved privacy rules, and the problem went unfixed because no one at the agency had a full technical understanding of how its system worked, according to new documents and senior government officials.
Moreover, it was Justice Department officials who discovered the problem and reported it to the court that oversees surveillance programs, the documents show, undermining assertions by the NSA that self-reporting is part of its culture.
The improper activity went on from May 2006 to January 2009, according to a March 2009 opinion by Judge Reggie B. Walton, who serves on the Foreign Intelligence Surveillance Court.
It was one of more than a dozen documents declassified and released Tuesday in response to lawsuits by civil liberties groups and at the direction of President Obama in the wake of the June disclosure by former NSA contractor Edward J. Snowden of the massive phone records collection.
“The documents released today are a testament to the government’s strong commitment to detecting, correcting and reporting mistakes that occur in implementing technologically complex intelligence collection activities, and to continually improving its oversight and compliance processes,” said James R. Clapper, the director of national intelligence.
A strong rebuke of the NSA by the court comes less than a month after the Office of the Director of National Intelligence released a highly critical FISA court opinion that took the agency to task for its operation of a separate surveillance program. Taken together, the documents released by the office over the past month paint a troubling picture of an agency that has sought and won far-reaching surveillance powers to run complex domestic data collection without anyone having full technical understanding of the efforts, and that has repeatedly misrepresented the programs’ scope to its court overseer.
Such revelations call into question the effectiveness of an oversight program that depends on accurate disclosure by the NSA to a court that acts in secret and says it lacks the resources to verify independently the agency’s assertions.
“It has finally come to light that the FISC’s authorizations of this vast collection program have been premised on a flawed depiction of how the NSA uses” the phone data, Walton wrote.
“This misperception by the FISC existed from the inception of its authorized collection in May 2006, buttressed by repeated inaccurate statements made in the government’s submissions,” he continued.
Privacy procedures “have been so frequently and systemically violated that it can fairly be said that this critical element of the overall [phone records] regime has never fully functioned effectively,” he said.
http://www.washingtonpost.com/world/national-security/declassified-court-documents-highlight-nsa-violations/2013/09/10/60b5822c-1a4b-11e3-a628-7e6dde8f889d_story.html
NSA's "FLYING PIG" program imitates Google's servers:
Glyn mentioned this in his post yesterday about the NSA leaks showing direct economic espionage, but with so many other important points in that story, it got a little buried. One of the key revelations was about a program called "FLYING PIG" which is the first time I can recall it being clearly stated that the NSA has been running man-in-the-middle attacks on internet services like Google. This slide makes it quite clear that the NSA impersonates Google servers:

There have been rumors of the NSA and others using those kinds of MITM attacks, but to have it confirmed that they're doing them against the likes of Google, Yahoo and Microsoft is a big deal -- and something I would imagine does not make any of those three companies particularly happy.
In some cases GCHQ and the NSA appear to have taken a more aggressive and controversial route—on at least one occasion bypassing the need to approach Google directly by performing a man-in-the-middle attack to impersonate Google security certificates. One document published by Fantastico, apparently taken from an NSA presentation that also contains some GCHQ slides, describes “how the attack was done” to apparently snoop on SSL traffic. The document illustrates with a diagram how one of the agencies appears to have hacked into a target’s Internet router and covertly redirected targeted Google traffic using a fake security certificate so it could intercept the information in unencrypted format.
Documents from GCHQ’s “network exploitation” unit show that it operates a program called “FLYING PIG” that was started up in response to an increasing use of SSL encryption by email providers like Yahoo, Google, and Hotmail. The FLYING PIG system appears to allow it to identify information related to use of the anonymity browser Tor (it has the option to query “Tor events”) and also allows spies to collect information about specific SSL encryption certificates.
While some may not be surprised by this, it's yet more confirmation as to how far the NSA is going and how the tech companies aren't always "willing participants" in the NSA's efforts here. Of course, the real question now is how the NSA is impersonating the security certificates to make these attacks work.
http://www.techdirt.com/articles/20130910/10470024468/flying-pig-nsa-is-running-man-middle-attacks-imitating-googles-servers.shtml
NSA shares raw intelligence including Americans' data with Israel:
The National Security Agency routinely shares raw intelligence data with Israel without first sifting it to remove information about US citizens, a top-secret document provided to the Guardian by whistleblower Edward Snowden reveals.
http://www.theguardian.com/world/2013/sep/11/nsa-americans-personal-data-israel-documents
View the NSA documents:
http://apps.washingtonpost.com/g/page/world/declassified-fisa-court-documents-on-intelligence-collection/447/
