These negotiations, the New York Times said, “illustrate how intricately the government and tech companies work together, and the depth of their behind-the-scenes transactions.” The article also contested the companies’ claims that they provide the NSA only with access that is legally compelled, noting: “While handing over data in response to a legitimate FISA request is a legal requirement, making it easier for the government to get the information is not, which is why Twitter could decline to do so.”
The Internet companies’ claim that they hand over to the NSA just the information that they are legally required to provide is also not particularly meaningful. That’s because the NSA only needs to obtain an individual warrant when it wants to specifically target a US person. No such special permission is required for the agency to obtain the communications data of any non-American on foreign soil, even when that person is communicating with Americans. Similarly, there is no check or limit on the NSA’s bulk collection of metadata, thanks to the government’s interpretation of the Patriot Act—an interpretation so broad that even the law’s original authors were shocked to learn how it was being used.
The close collaboration between the NSA and private corporations is perhaps best seen in the documents relating to Microsoft, which reveal the company’s vigorous efforts to give the NSA access to several of its most used online services, including SkyDrive, Skype, and Outlook.com.
SkyDrive, which allows people to store their files online and access them from various devices, has more than 250 million users worldwide. “We believe it’s important that you have control over who can and cannot access your personal data in the cloud,” Microsoft’s SkyDrive website proclaims. Yet as an NSA document details, Microsoft spent “many months” working to provide the government with easier access to that data:
In late 2011, Microsoft purchased Skype, the Internet-based telephone and chat service with over 663 million registered users. At the time of its purchase, Microsoft assured users that “Skype is committed to respecting your privacy and the confidentiality of your personal data, traffic, and communications content.” But in fact, this data, too, was readily available to the government. By early 2013, there were multiple messages on the NSA system celebrating the agency’s steadily improving access to the communications of Skype users:
Not only was all this collaboration conducted with no transparency, but it contradicted public statements made by Skype. ACLU technology expert Chris Soghoian said the revelations would surprise many Skype customers. “In the past, Skype made affirmative promises to users about their inability to perform wiretaps,” he said. “It’s hard to square Microsoft’s secret collaboration with the NSA with its high-profile efforts to compete on privacy with Google.”
In 2012, Microsoft began upgrading its email portal, Outlook.com, to merge all of its communications services—including the widely used Hotmail—into one central program. The company touted the new Outlook by promising high levels of encryption to protect privacy, and the NSA quickly grew concerned that the encryption Microsoft offered to Outlook customers would block the agency from spying on their communications. One SSO memo from August 22, 2012, frets that “using this portal means that email emerging from it will be encrypted with the default setting” and that “chat sessions conducted within the portal are also encrypted when both communicants are using a Microsoft encrypted chat client.”
But that worry was short-lived. Within a few months, the two entities got together and devised methods for the NSA to circumvent the very encryption protections Microsoft was publicly advertising as vital for protecting privacy:
Another document describes further collaboration between Microsoft and the FBI, as that agency also sought to ensure that new Outlook features did not interfere with its surveillance habits: “The FBI Data Intercept Technology Unit (DITU) team is working with Microsoft to understand an additional feature in Outlook.com which allows users to create email aliases, which may affect our tasking process.… There are compartmented and other activities underway to mitigate these problems.”
Finding this mention of FBI surveillance in Snowden’s archive of internal NSA documents was not an isolated occurrence. The entire intelligence community is able to access the information that the NSA collects: it routinely shares its vast trove of data with other agencies, including the FBI and the CIA. One principal purpose of the NSA’s great spree of data collection was precisely to boost the spread of information across the board. Indeed, almost every document pertaining to the various collection programs mentions the inclusion of other intelligence units. This 2012 entry from the NSA’s SSO unit, on sharing PRISM data, gleefully declares that “PRISM is a team sport!”:
“Upstream” collection (from fiber-optic cables) and direct collection from the servers of Internet companies (PRISM) account for most of the records gathered by the NSA. In addition to such sweeping surveillance, though, the NSA also carries out what it calls Computer Network Exploitation (CNE), placing malware in individual computers to surveil their users. When the agency succeeds in inserting such malware, it is able, in NSA terminology, to “own” the computer: to view every keystroke entered and every screen viewed. The Tailored Access Operations (TAO) division responsible for this work is, in effect, the agency’s own private hacker unit.
The hacking practice is quite widespread in its own right: one NSA document indicates that the agency has succeeded in infecting at least fifty thousand individual computers with a type of malware called “Quantum Insertion.” One map shows the places where such operations have been performed and the number of successful insertions:
Using Snowden documents, the New York Times reported that the NSA has in fact implanted this particular software “in nearly 100,000 computers around the world.” Although the malware is usually installed by “gaining access to computer networks, the NSA has increasingly made use of a secret technology that enables it to enter and alter data in computers even if they are not connected to the Internet.”
* * *
Beyond its work with compliant telecoms and Internet companies, the NSA has also colluded with foreign governments to construct its far-reaching surveillance system. Broadly speaking, the NSA has three different categories of foreign relationships. The first is with the Five Eyes group: the US spies with these countries, but rarely on them, unless requested to by those countries’ own officials. The second tier involves countries that the NSA works with for specific surveillance projects while also spying on them extensively. The third group is comprised of countries on which the United States routinely spies but with whom it virtually never cooperates.
Within the Five Eyes group, the closest NSA ally is the British GCHQ. As the Guardian reported, based on documents provided by Snowden, “The U.S. government has paid at least £100m to the UK spy agency GCHQ over the last three years to secure access to and influence over Britain’s intelligence gathering programs.” Those payments were an incentive to GCHQ to support the NSA’s surveillance agenda. “GCHQ must pull its weight and be seen to pull its weight,” a secret GCHQ strategy briefing said.
The Five Eyes members share most of their surveillance activities and meet each year at a Signals Development conference, where they boast of their expansion and the prior year’s successes. Former NSA deputy director John Inglis has said of the Five Eyes alliance that they “practice intelligence in many regards in a combined way—essentially make sure that we leverage one another’s capabilities for mutual benefit.”
Many of the most invasive surveillance programs are carried out by the Five Eyes partners, a substantial number of these involving the GCHQ. Of special note are the British agency’s joint efforts with the NSA to break the common encryption techniques that are used to safeguard personal Internet transactions, such as online banking and retrieval of medical records. The two agencies’ success in setting up backdoor access to those encryption systems not only allowed them to peer at people’s private dealings, but also weakened the systems f
or everyone, making them more vulnerable to malicious hackers and to other foreign intelligence agencies.
The GCHQ has also conducted mass interception of communications data from the world’s underwater fiber-optic cables. Under the program name Tempora, the GCHQ developed the “ability to tap into and store huge volumes of data drawn from fibre-optic cables for up to 30 days so that it can be sifted and analysed,” the Guardian reported, and the “GCHQ and the NSA are consequently able to access and process vast quantities of communications between entirely innocent people.” The intercepted data encompass all forms of online activity, including “recordings of phone calls, the content of email messages, entries on Facebook, and the history of any internet user’s access to websites.”
The GCHQ’s surveillance activities are every bit as comprehensive—and unaccountable—as the NSA’s. As the Guardian noted:
The sheer scale of the agency’s ambition is reflected in the titles of its two principal components: Mastering the Internet and Global Telecoms Exploitation, aimed at scooping up as much online and telephone traffic as possible. This is all being carried out without any form of public acknowledgement or debate.
Canada is also a very active partner with the NSA and an energetic surveillance force in its own right. At the 2012 SigDev conference, the Communications Services Establishment Canada (CSEC) boasted about targeting the Brazilian Ministry of Mines and Energy, the agency in Brazil that regulates the industry of greatest interest to Canadian companies:
There is evidence of widespread CSEC/NSA cooperation, including Canada’s efforts to set up spying posts for communications surveillance around the world at the behest and for the benefit of the NSA, and spying on trading partners targeted by the US agency.
The Five Eyes relationship is so close that member governments place the NSA’s desires above the privacy of their own citizens. The Guardian reported on one 2007 memo, for instance, describing an agreement “that allowed the agency to ‘unmask’ and hold on to personal data about Britons that had previously been off limits.” Additionally, the rules were changed in 2007 “to allow the NSA to analyse and retain any British citizens’ mobile phone and fax numbers, emails and IP addresses swept up by its dragnet.”
Going a step further, in 2011 the Australian government explicitly pleaded with the NSA to “extend” their partnership and subject Australian citizens to greater surveillance. In a February 21 letter, the acting deputy director of Australia’s Intelligence Defence Signals Directorate wrote to the NSA’s Signals Intelligence Directorate, claiming that Australia “now face[s] a sinister and determined threat from ‘home grown’ extremists active both abroad and within Australia.” He requested increased surveillance on the communications of Australian citizens deemed suspicious by their government:
Beyond the Five Eyes partners, the NSA’s next level of cooperation is with its Tier B allies: countries that have some limited cooperation with the agency and are also targeted themselves for aggressive, unrequested surveillance. The NSA has clearly delineated these two levels of alliances:
Using different designations (referring to Tier B as Third Parties), a more recent NSA document—from the Fiscal Year 2013 “Foreign Partner Review”—shows an expanding list of NSA partners, including international organizations such as NATO:
As with the GCHQ, the NSA often maintains these partnerships by paying its partner to develop certain technologies and engage in surveillance, and can thus direct how the spying is carried out. The Fiscal Year 2012 “Foreign Partner Review” reveals numerous countries that have received such payments, including Canada, Israel, Japan, Jordan, Pakistan, Taiwan, and Thailand:
In particular, the NSA has a surveillance relationship with Israel that often entails cooperation as close as the Five Eyes partnership, if not sometimes even closer. A Memorandum of Understanding between the NSA and the Israeli intelligence service details how the United States takes the unusual step of routinely sharing with Israel raw intelligence containing the communications of American citizens. Among the data furnished to Israel are “unevaluated and unminimized transcripts, gists, facsimiles, telex, voice, and Digital Network Intelligence metadata and content.”
What makes this sharing particularly egregious is that the material is sent to Israel without having undergone the legally required process of “minimization.” The minimization procedures are supposed to ensure that when the NSA’s bulk surveillance sweeps up some communications data that even the agency’s very broad guidelines do not permit it to collect, such information is destroyed as soon as possible and not disseminated further. As the law is written, the minimization requirements already have plenty of loopholes, including exemptions for “significant foreign intelligence information” or any “evidence of a crime.” But when it comes to disseminating data to Israeli intelligence, the NSA has apparently dispensed with such legalities altogether.
The memo flatly states: “NSA routinely sends ISNU [the Israeli SIGINT National Unit] minimized and unminimized raw collection.”
Highlighting how a country can both cooperate on surveillance and be a target at the same time, an NSA document recounting the history of Israel’s cooperation noted “trust issues which revolve around previous ISR operations,” and identified Israel as one of the most aggressive surveillance services acting against the United States:
The same report observed that, despite the close relationship between American and Israeli intelligence agencies, the extensive information provided to Israel by the United States produced little in return. Israeli intelligence was only interested in collecting data that helped them. As the NSA complained, the partnership was geared “almost totally” to Israel’s needs.
Another rung lower, below the Five Eyes partners and second-tier countries such as Israel, the third tier is composed of countries who are often targets but never partners of US spying programs. Those predictably include governments viewed as adversaries, such as China, Russia, Iran, Venezuela, and Syria. But the third tier also includes countries ranging from the generally friendly to neutral, such as Brazil, Mexico, Argentina, Indonesia, Kenya, and South Africa.
* * *
When the NSA revelations first came out, the US government tried to defend its actions by saying that, unlike foreign nationals, American citizens are protected from warrantless NSA surveillance. On June 18, 2013, President Obama told Charlie Rose: “What I can say unequivocally is that if you are a U.S. person, the NSA cannot listen to your telephone calls … by law and by rule, and unless they … go to a court, and obtain a warrant, and seek probable cause, the same way it’s always been.” The GOP chairman of the House Intelligence Committee, Mike Rogers, similarly told CNN that the NSA “is not listening to Americans’ phone calls. If it did, it is illegal. It is breaking the law.”
This was a rather odd line of defense: in effect, it told the rest of the world that the NSA does assault the privacy of non-Americans. Privacy protections, apparently, are only for American citizens. This message prompted such international outrage that even Facebook CEO Mark Zuckerberg, not exactly known for his vehement defense of privacy, complained that the US government “blew it” in its response to the NSA scandal by jeopardizing the interests of international Internet companies: “The government said don’t worry, we’re not spying on any Americans. Wonderful, that’s really helpful for companies trying to work with people around the world. Thanks for going out there and being clear. I think that was really bad.”
Aside from being a strange strategy, the claim is also patently false. In fact, contrary to the repeated denials of President Obama and his top officials, the NSA continuously intercepts the communications of American citizens, without any individual “probable cause” warrants to justify such surveillance. That’s because the 2008 FISA law, as noted earlier, allows the NSA—without an individual warrant—to monitor the content of any American’s communications as long as those communications are exchanged with a targeted foreign national. The NSA labels this “inc
idental” collection, as though it’s some sort of minor accident that the agency has been spying on Americans. But the implication is deceitful. As Jameel Jaffer, the deputy legal director of the ACLU, explained:
The government often says that this surveillance of Americans’ communications is “incidental,” which makes it sound like the NSA’s surveillance of Americans’ phone calls and emails is inadvertent and, even from the government’s perspective, regrettable.
But when the Bush administration officials asked Congress for this new surveillance power, they said quite explicitly that Americans’ communications were the communications of most interest to them. See, for example, FISA for the 21st century, Hearing Before the S. Comm. On the Judiciary, 109th Cong. (2006) (statement of Michael Hayden), that certain communications “with one end in the United States” are the ones “that are most important to us.”
The principal purpose of the 2008 law was to make it possible for the government to collect Americans’ international communications—and to collect those communications without reference to whether any party to those communications was doing anything illegal. And a lot of the government’s advocacy is meant to obscure this fact, but it’s a crucial one: The government doesn’t need to “target” Americans in order to collect huge volumes of their communications.
Yale Law School professor Jack Balkin concurred that the FISA law of 2008 effectively gave the president the authority to run a program “similar in effect to the warrantless surveillance program” that had been secretly implemented by George Bush. “These programs may inevitably include many phone calls involving Americans, who may have absolutely no connection to terrorism or to Al Qaeda.”
No Place to Hide Page 13