Maybe it’s just a measure of how far the course has run on the NSA’s surveillance programs that news outlets have lost track of what’s been published. The revelations from the Edward Snowden cache seems to have slowed considerably, despite the access that media outlets like the Washington Post have had to it. The Post runs with the scoop today that PRISM wasn’t the only surveillance program used by the NSA, and that several upstream collection programs are also in use:
Recent debate over U.S. government surveillance has focused on the information that American technology companies secretly provide to the National Security Agency. But that is only one of the ways the NSA eavesdrops on international communications.
A classified NSA slide obtained by The Washington Post and published here for the first time lists “Two Types of Collection.”
“Published here” is the operative phrase. Despite the Post’s headline, “The NSA slide you haven’t seen,” this slide was published a month ago in the Guardian. The only change from that publication to this one is that the two redactions of program names have been removed:
As one can see, this even includes the “You Should Use Both” exhortation that is the focus of the Post’s reporting:
The interaction between Upstream and PRISM – which could be considered “downstream” collection because the data is already processed by tech companies — is not entirely clear from the slide. In addition, its description of PRISM as “collection directly from the servers” of technology giants such as Google, Microsoft and Facebook has been disputed by many of the companies involved. (They say access to user data is legal and limited).
However PRISM works, the NSA slide makes clear that the two collection methods operate in parallel, instructing analysts that “You Should Use Both.” Arrows point to both “Upstream” and “PRISM.”
The overall heading of the slide is “FAA 702 Operations” – a reference to a 2008 law that enabled collection on U.S. soil of communications of foreigners thought to be overseas without an individual warrant from a court, including when the foreigners are communicating with someone in the United States. The law says the collection may be for a foreign intelligence purpose, which includes terrorism, nuclear weapons proliferation or cyber-security.
The slide also shows a crude map of the undersea cable network that carries data from either side of North America and onto the rest of the world. As a story in Sunday’s Postmade clear, these undersea cables are essential to worldwide data flows – and to the surveillance capabilities of the U.S. government and its allies.
Here’s what the Guardian reported a month ago:
In the interests of aiding the debate over how Prism works, the Guardian is publishing an additional slide from the 41-slide presentation which details Prism and its operation. We have redacted some program names.
The slide, below, details different methods of data collection under the FISA Amendment Act of 2008 (which was renewed in December 2012). It clearly distinguishes Prism, which involves data collection from servers, as distinct from four different programs involving data collection from “fiber cables and infrastructure as data flows past”.
Essentially, the slide suggests that the NSA also collects some information under FAA702 from cable intercepts, but that process is distinct from Prism.
Analysts are encouraged to use both techniques of data gathering.
It’s not as if this information is unimportant. It shows that the NSA employed a variety of techniques to capture Internet traffic for surveillance rather than just the PRISM program, which used information delivered by Internet service providers in some form under administrative subpoenas and warrants. The other four programs appear to work independently of such legal niceties, and perhaps have been largely forgotten in the debate over the FISA court, warrants, and administrative subpoenas. However, it’s not new by any definition of the term, and the Post seems a little unaware of how far and fast the information got released from the Snowden cache.
While the Utah Legislature debates whether to stick with, scale back or junk a law giving prosecutors broad power to secretly obtain the names, addresses, phone records and bank account information of suspected child predators, Internet service provider Pete Ashdown has decided to take the law into his own hands.
He has refused to give customers’ information to the attorney general’s office four times in as many years when presented with one of these administrative subpoenas, which are issued by prosecutors without a court order.
It’s not that he wants to enable suspects of child pornography or exploitation, vowing he would gladly comply when presented with a warrant. But the president and founder of XMission calls the subpoenas “unconstitutional” — an invasion of the Fourth Amendment guarantee against unreasonable search and seizure — because they bypass the courts.
Ashdown is apparently alone in the state in ignoring the subpoenas, although at least one other small Internet service provider (ISP) in Utah expresses qualms about the potential for abuse of power.
A handful of others, small “mom and pop” ISPs outside the state, also have declined to comply, but 99.9 percent of the companies have provided the subpoenaed records, said Craig Barlow, chief of children’s justice in the Utah attorney general’s office.
NPR explains that the courts aren’t likely to back Ashdown — at least for now:
The courts tend to disagree. These administrative subpoenas are for connection data, not content. In other words, investigators are looking for evidence that person X connected to website Y at time Z. Courts have held that this kind of information is akin to the address written on the outside of an envelope; people don’t have an expectation of privacy about connection data, and so it doesn’t enjoy the protection of the Fourth Amendment.
But the courts may change their minds. Especially now, as powerful analytics tools have made it possible to use connection data to draw a detailed portrait of a person’s private life. That kind of analysis is the business model for much of Silicon Valley. Now police are getting into the act. The tech-savvy agencies have learned to use connection data earlier in their investigations — not just to prove the case against a suspect, but also to identify suspects to begin with.
A lot of privacy advocates want to see a good test case of whether a subpoena is really enough. Ashdown’s company seems to be begging for a showdown, as it lists the subpoenas it has refused. But so far, Ashdown says, no dice.
We need a lot more discussion on administrative subpoenas and court actions without benefit of adversarial counsel, it seems. And perhaps a return look at the “upstream” activities of the NSA, even if it’s not exactly the scoop the Post believed it to be.