Search Mailing List Archives

Limit search to: Subject & Body Subject Author
Sort by: Reverse Sort
Limit to: All This Week Last Week This Month Last Month
Select Date Range     through    

[liberationtech] NSA is very likely storing all encrypted communications it is intercepting

Eugen Leitl eugen at
Fri Jun 21 05:32:46 PDT 2013

Leaked NSA Doc Says It Can Collect And Keep Your Encrypted Data As Long As It
Takes To Crack It
If you use privacy tools, according to the apparent logic of the National
Security Agency, it doesn’t much matter if you’re a foreigner or an American:
Your communications are subject to an extra dose of surveillance.

Since 29-year-old systems administrator Edward Snowden began leaking secret
documentation of the NSA’s broad surveillance programs, the agency has
reassured Americans that it doesn’t indiscriminately collect their data
without a warrant, and that what it does collect is deleted after five years.
But according to a document signed by U.S. Attorney General Eric Holder and
published Thursday by the Guardian, it seems the NSA is allowed to make
ambiguous exceptions for a laundry list of data it gathers from Internet and
phone companies. One of those exceptions applies specifically to encrypted
information, allowing it to gather the data regardless of its U.S. or foreign
origin and to hold it for as long as it takes to crack the data’s privacy

The agency can collect and indefinitely keep any information gathered for
“cryptanalytic, traffic analysis, or signal exploitation purposes,” according
to the leaked “minimization procedures” meant to restrict NSA surveillance of
Americans. ”Such communications can be retained for a period sufficient to
allow thorough exploitation and to permit access to data that are, or are
reasonably believed likely to become, relevant to a future foreign
intelligence requirement,” the procedures read.
And one measure of that data’s relevance to foreign intelligence? The simple
fact that the data is encrypted and that the NSA wants to crack it may be
enough to let the agency keep it indefinitely. “In the context of
cryptanalytic effort, maintenance of technical data bases requires retention
of all communications that are enciphered or reasonably believed to contain
secret meaning,” the criteria for the exception reads. “Sufficient duration
[for retaining the data] may consist of any period of time during which
encrypted material is subject to, or of use in, cryptanalysis.”

That encryption exception is just one of many outlined in the document, which
also allows NSA to give the FBI and other law enforcement any data from an
American if it contains “significant foreign intelligence” information or
information about a crime that has been or is about to be committed.
Americans’ data can also be held if it’s “involved in the unauthorized
disclosure of national security information” or necessary to “assess a
communications security vulnerability.” Other “inadvertently acquired” data
on Americans can be retained up to five years before being deleted.

“Basically we’re in a situation where, if the NSA’s filters for
distinguishing between domestic and foreign information stink, it gives them
carte blanche to review those communications for evidence of crimes that are
unrelated to espionage and terrorism,” says Kevin Bankston, a director of the
Free Expression Project at the Center For Democracy and Technology. “If they
don’t know where you are, they assume you’re not a US person. The default is
that your communicatons are unprotected.”

All of those exceptions seem to counter recent statements made by NSA and FBI
officials who have argued that any collection of Americans’ data they perform
is strictly limited by the Foreign Intelligence Surveillance Act (FISA)
Court, a special judiciary body assigned to oversea the National Security
Agency. “We get great oversight by all branches of government,” NSA director
Alexander said in an on-stage interview at the Aspen Institute last year.
“You know I must have been bad when I was a kid. We get supervised by the
Defense Departmnet, the Justice Department the White House, by Congress… and
by the [FISA] Court. So all branches of government can see that what we’re
doing is correct.”

But the latest leaked document bolsters a claim made by Edward Snowden, the
29-year-old Booz Allen contractor who has leaked a series of top secret NSA
documents to the media after taking refuge in Hong Kong. In a live Q&A with
the public Monday he argued that NSA analysts often make independent
decisions about surveillance of Americans not subject to judicial review.
“The reality is that…Americans’ communications are collected and viewed on a
daily basis on the certification of an analyst rather than a warrant,”
Snowden wrote. “They excuse this as ‘incidental’ collection, but at the end
of the day, someone at NSA still has the content of your communications.”

However, the leaked document doesn’t exactly paint Snowden’s picture of a
random NSA analyst determining who is surveilled. The guidelines do state
that exceptions have to be “specifically” approved by the “Director (or
Acting Director) of NSA…in writing.”

Just how much actual surveillance the NSA’s exception for Americans’
encrypted data allows also remains unclear. The Center for Democracy and
Technology’s Kevin Bankston points out that a previously leaked slide from an
NSA presentation makes reference to programs called FAIRVIEW and BLARNEY,
which are described as “collection of communications on fiber cables and
infrastructure as data flows past.”

If the NSA is in fact tapping the Internet’s network infrastructure,
Thursday’s leaked guidelines suggest it might be allowed to collect and
retain all data protected with the common Web encryption Secure Sockets
Layer, (SSL) used for run-of-the-mill private communications like the Web
email offered by Google and Microsoft, social networking services like
Twitter and Facebook, and online banking sites. “If they’re tapping at the
[network] switches and they take full allowance of this ability to retain
data, that could mean they’re storing an enormous amount of SSL traffic,
including things like Gmail traffic,” Bankston says.

In other words, privacy advocates may be facing a nasty Catch-22: Fail to
encrypt your communications, and they’re vulnerable to any eavesdropper’s
surveillance. But encrypt them, and they become legally subject to
eavesdropping by the most powerful surveillance agency in the world.

More information about the liberationtech mailing list