Using Tor and other means to hide your location piques NSA's interest in you

[anuseems]

President Barack Obama and top intelligence officials have emphasized that surveillance now being referred to as PRISM is done under court oversight.

Just what, exactly, that court oversight has entailed has never been elucidated - not, that is, until Thursday, when The Guardian published top-secret documents submitted to the secret Foreign Intelligence Surveillance (FISA) court.

Those documents show that FISA judges have signed off on "broad orders" that allow the National Security Agency (NSA) to use information collected "inadvertently" from domestic US sources without a warrant, The Guardian reports.

The Guardian published in full these two documents, which describe the procedures used by the NSA to target its surveillance:

NSA procedures to target non-US persons [PDF]

NSA procedures to minimise data collected from US persons [PDF]

Both documents were signed by Attorney General Eric Holder and dated 29 July 2009.

In a speech delivered on Wednesday in Germany, President Obama called the surveillance "a circumscribed, narrow system" whose aim is to protect "our people", all of it being done "under the oversight of the courts."

In spite of such assurances, it turns out that the FISA courts allow for much broader surveillance and much more leeway for mistakes than the public has known up until now.

The documents detail when data collected on US persons under the foreign intelligence authority has to be destroyed, the procedures analysts must follow to ascertain whether targets are outside the US, and how US call records are used to help remove US citizens and residents from data collection.

From The Guardian, a list of how policies approved by the FISA court allow NSA agents to:

Keep data that could potentially contain details of US persons for up to five years;

Retain and make use of "inadvertently acquired" domestic communications if they contain usable intelligence, information on criminal activity, threat of harm to people or property, are encrypted, or are believed to contain any information relevant to cybersecurity;

Preserve "foreign intelligence information" contained within attorney-client communications;

Access the content of communications gathered from "U.S. based machine" or phone numbers in order to establish if targets are located in the US, for the purposes of ceasing further surveillance.

One of the most jarring revelations to come out of the documents is that the administration's assurances of US citizens' protection from warrantless surveillance seems to have plenty of footnotes and exceptions that haven't been publicly disclosed until now.

They also reveal that courts don't always determine who's targeted for surveillance because that discretion is practiced by the NSA's own analysts, with only a percentage of decisions being reviewed by regular internal audits.

To make those decisions, NSA analysts use information including IP addresses, potential targets' statements, and public information and data collected by other agencies.

In the absence of such information - for example, if a potential target is using online anonymity services such as Tor, or sending encrypted email and instant messages - agents are encouraged to assume that the target is outside the US.

From the documents:

"In the absence of specific information regarding whether a target is a United States person, a person reasonably believed to be located outside the United States or whose location is not known will be presumed to be a non-United States person unless such person can be positively identified as a United States person."

If it turns out that a person of interest is actually in the US, analysts are still permitted to look at the content of his or her messages, or listen to phone calls, to establish whether they are, in fact, in the country.

In 2009, Holder signed off on procedures that instructed communications interception to stop immediately once a target is confirmed to be in the US.

But that excludes large-scale data, from which the NSA claims it can't filter out US vs. non-US communications.

The NSA is allowed to argue for the retention of entirely domestic communications - i.e., when neither of the parties is overseas - if it finds "significant foreign intelligence information", "evidence of a crime", "technical database information" (such as encrypted communications), or "information pertaining to a threat of serious harm to life or property".

If communication is encrypted - particularly if a US person is using certain types of cryptology or steganography known to have been used by "individuals associated with a foreign power or foreign territory - the NSA is free to collect it and store it "indefinitely" for future reference and cryptanalysis attempts.

The American Civil Liberties Union (ACLU) put out a statement on Thursday criticizing the government's warrantless surveillance "of innocent Americans' international communications."

Jameel Jaffer, American Civil Liberties Union deputy legal director, said that the latest revelations confirm the fears that first arose when Congress enacted FISA in 2008:

"We worried that the NSA would use the new authority to conduct warrantless surveillance of Americans' telephone calls and emails. These documents confirm many of our worst fears. The 'targeting' procedures indicate that the NSA is engaged in broad surveillance of Americans' international communications.

"The 'minimization' procedures that supposedly protect Americans' constitutional rights turn out to be far weaker than we imagined they could be. For example, the NSA claims the authority to collect and disseminate attorney-client communications - and even, in some circumstances, to turn them over to Justice Department prosecutors. The government also claims the authority to retain Americans' purely domestic communications in certain situations."

ACLU Staff Attorney Alex Abdo said:

"Collectively, these documents show indisputably that the legal framework under which the NSA operates is far too feeble, that existing oversight mechanisms are ineffective, and that the government's surveillance policies now present a serious and ongoing threat to our constitutional rights. The release of these documents will help inform a crucial public debate that should have taken place years ago."

The so-called PRISM surveillance saga, far from slipping from public view, has, in fact, fueled a debate that had already begun to produce fruit, including Texas' newly enacted law against warrantless surveillance at the state level.

Meanwhile, efforts are already underway in both houses of Congress to revise the woefully antiquated Electronic Communications Privacy Act, which was written in 1986, well before the current realities of cloud storage and other technologies transformed how we use electronic communications.

The debate is, indeed, overdue, and the public deserves to be informed of every aspect possible, short of compromising national security.

Read The Guardian's reporting on the issue. It's far more extensive than what I've summarized here.

A heartfelt thank you to the news outlet for continuing to follow the story to whatever new revelations it may yet have in store.

@ http://nakedsecurity.sophos.com/2013/06/24/using-tor-and-other-means-to-hide-your-location-piques-nsas-interest-in-you/