EAVESDROPPING 101: WHAT CAN THE NSA DO?

The recent revelations about illegal eavesdropping on American citizens by the U.S. National Security Agency have raised many questions about just what the agency is doing. Although the facts are just beginning to emerge, information that has come to light about the NSA’s activities and capabilities over the years, as well as the recent reporting by the New York Times and others, allows us to discern the outlines of what they are likely doing and how they are doing it.

The NSA is not only the world’s largest spy agency (far larger than the CIA, for example), but it possesses the most advanced technology for intercepting communications. We know it has long had the ability to focus powerful capabilities on particular individuals or communications. But the current scandal has indicated two new and significant elements of the agency’s eavesdropping:

• The NSA has gained direct access to the telecommunications infrastructure through some of America’s largest companies.

• The agency appears to be not only targeting individuals, but also using broad “data mining” systems that allow them to intercept and evaluate the communications of millions of people within the United States.

The ACLU has prepared a map (see page 2) illustrating how all this is believed to work. It shows how the military spying agency has extended its tentacles into much of the U.S. civilian communications infrastructure, including, it appears, the “switches” through which international and some domestic communications are routed, Internet exchange points, individual telephone company central facilities, and Internet Service Providers (ISP). While we cannot be certain about these secretive links, this chart shows a representation of what is, according to recent reports, the most likely picture of what is going on.

CORPORATE BEDFELLOWS
One major new element of the NSA’s spying machinery is its ability to tap directly into the major communications switches, routing stations, or access points of the telecommunications system. For example, according to the New York Times, the NSA has worked with “the leading companies” in the telecommunications industry to collect communications patterns, and has gained access “to switches that act as gateways” at “some of the main arteries for moving voice and some Internet traffic into and out of the United States.”1

This new level of direct access apparently includes both some of the gateways through which phone calls are routed, as well as other key nodes through which a large proportion of Internet traffic passes. This new program also recognizes that today’s voice and Internet communications systems are increasingly converging, with a rising proportion of even voice phone calls moving to the Internet via VOIP, and parts of the old telephone transmission system being converted to fiber optic cable and used for both data and voice communications. While data and voice sometimes travel together and sometimes do not, and we do not know exactly which “switches” and other access points the NSA has tapped, what appears certain is that the NSA is looking at both.

And most significantly, access to these “switches” and other network hubs gives the agency access to a direct feed of all the communications that pass through them, and the ability to filter, sift through, analyze, read, or share those communications as it sees fit.

DATA MINING
The other major novelty in the NSA’s activities appears to be the exploitation of a new concept in surveillance that has attracted a lot of attention in the past few years: what is commonly called “data mining.” Unlike the agency’s longstanding practice of spying on specific individuals and communications based upon some source of suspicion, data mining involves formula-based searches through mountains of data for individuals whose behavior or profile is in some way suspiciously different from the norm.

Data mining is a broad dragnet. Instead of targeting you because you once received a telephone call from a person who received a telephone call from a person who is a suspected terrorist, you might be targeted because the NSA’s computers have analyzed your communications and have determined that they contain certain words or word combinations, addressing information, or other factors with a frequency that deviates from the average, and which they have decided might be an indication of suspiciousness. The NSA has no prior reason to suspect you, and you are in no way tied to any other suspicious individuals – you have just been plucked out of the crowd by a computer algorithm’s analysis of your behavior.

Use of these statistical fishing expeditions has been made possible by the access to communications streams granted by key corporations. The NSA may also be engaging in “geographic targeting,” in which they listen in on communications between the United States and a particular foreign country or region. More broadly, data mining has been greatly facilitated by underlying changes in technology that have taken place in the past few years (see page 3).

This dragnet approach is not only bad for civil liberties – it is also a bad use of our scarce security and law enforcement resources. In fact, the creation of large numbers of wasteful and distracting leads is one of the primary reasons that many security experts say data mining and other dragnet strategies are a poor way of preventing crime and terrorism. The New York Times confirmed that point, with its report that the NSA has sent the FBI a “flood” of tips generated by mass domestic eavesdropping and data mining, virtually all of which led to dead ends that wasted the FBI’s resources. “We’d chase a number, find it’s a schoolteacher with no indication they’ve ever been involved in international terrorism,” one former FBI agent told the Times. “After you get a thousand numbers and not one is turning up anything, you get some frustration.”2

COMBINING TELECOMMUNICATIONS AND OTHER PRIVATE DATA?
The NSA has historically been in the business of intercepting and analyzing communications data. One question is whether or not this communications data is being combined with other intimate details about our lives. A few years ago, the Pentagon began work on a breathtaking data mining program called Total Information Awareness, which envisioned programming computers to trawl through an extensive list of information on Americans (including, according to the program’s own materials, “Financial, Education, Travel, Medical, Veterinary, Country Entry, Place/Event Entry, Transportation, Housing, Critical Resources, Government, Communications”) in the hunt for “suspicious” patterns of activity. Congress decisively

THE NSA SURVEILLANCE OCTOPUS

Schematic diagram - facilities shown are representational only. Diagram labels: NSA HQ, NSA data hub, NSA tap, NSA underseas cable tap, central switch, Internet exchange, telco, ISP. Legend: NSA facilities; civilian communications.

Yakima listening post: One way that telephone calls and other communications are sent from the United States to Asia and other destinations is via satellite and microwave transmissions. This NSA satellite facility on a restricted Army firing range in Yakima, Washington sweeps in millions of communications an hour from international communications satellites.

Sugar Grove listening post: One way that telephone calls and other communications are sent from the United States to Europe and other destinations is via satellite and microwave transmissions. This NSA satellite facility, located in an isolated valley in Sugar Grove, West Virginia, sweeps in millions of communications an hour from international communications satellites.

The NSA’s headquarters: Tens of thousands of people, including intelligence analysts, linguists and computer professionals, work at this complex in Fort Meade, Maryland outside of Washington, DC. NSA headquarters is where the millions of intercepted communications are processed and analyzed.

Central switch: These facilities, one in New York and one in Northern California, are operated by major telecommunications companies. They are a primary means by which a mix of voice and data communications, including those that travel over transoceanic undersea fiber optic cables, are routed (“switched”) toward their proper destination. Because they serve as central switching points, they offer the NSA access to a large volume of communications.

Internet exchange: These publicly or privately owned “Internet exchanges” are where Internet traffic is exchanged between the sub-networks that make up the Internet. These public or privately owned facilities are divided into Tier 1, Tier 2, and Tier 3 exchanges. The Tier 1 exchanges, typically located in big cities, are the ones that have national and global reach and are likely to be of most interest to the NSA.

Underseas cable tap: According to published reports, American divers were able to install surveillance devices onto the transoceanic cables that carry phone calls and data across the seas. One of these taps was discovered in 1982, but other devices apparently continued to function undetected. The advent of fiber-optic cables posed challenges for the NSA, but there is no reason to believe that that problem remained unsolved by the agency.

Internet Service Provider (ISP): The NSA may be forcing ISPs to provide it with information in the form of a computer tap (similar to a controversial FBI device dubbed “Carnivore”) that scans all the communications that reach that ISP.

Telco: Domestic telephone company: The NSA is apparently hooking in to U.S. telephone companies, which have not only networks that can be tapped into, but also records of customer communications.

NSA Data Hub: Domestic Warning Hub and Data Warehouse, Aurora, CO: The NSA is reportedly building a massive data storage facility in this Denver suburb, and also operates a reconnaissance satellite dish here. This may be where the agency’s data mining operations take place. A CIA facility and the military’s Northern Command (NORTHCOM) are also located here.

rejected this approach, voting to shut down the program, at least for domestic use – but we know Congress allowed elements of the program to be moved undercover, into the bowels of the Pentagon, while supposedly being restricted to non-Americans. We also know that the NSA is sharing its information with other security services. What we do not know is whether any of the information from TIA-like enterprises is being combined with the NSA’s communications intercepts.

HOW THE NSA SEARCHES FOR TARGETS
There are a range of techniques that are probably used by the NSA to sift through the sea of communications it steals from the world’s cables and airwaves:

Keywords. In this longstanding technique, the agency maintains a watch list or “dictionary” of key words, individuals, telephone numbers and presumably now computer IP addresses. It uses that list to pick out potentially relevant communications from all the data that it gathers. These keywords are often provided to the NSA by other security agencies, and the NSA passes the resulting intelligence “take” back to the other agencies or officials. According to the law, the NSA must strip out the names and other identifying information of Americans captured inadvertently, a process called “minimization.” (According to published reports, those minimization procedures are not being properly observed.) In the 1990s, it was revealed that the NSA had used the words “Greenpeace” and “Amnesty” (as in the human rights group Amnesty International) as keywords as part of its “Echelon” program (see below).

Link analysis. It is believed that another manner in which individuals are now being added to the watch lists is through a process often called “link analysis.” Link analysis can work like this: the CIA captures a terrorist’s computer on the battlefield and finds a list of phone numbers, including some U.S. numbers. The NSA puts those numbers on their watch list. They add the people that are called from those numbers to their list. They could then in turn add the people called from those numbers to their list. How far they carry that process and what standards if any govern the process is unknown.

Other screening techniques. There may be other techniques that the NSA could be using to pluck out potential targets. One example is voice pattern analysis, in which computers listen for the sound of, say, Osama Bin Laden’s voice. No one knows how accurate the NSA’s computers may be at such tasks, but if commercial attempts at analogous activities such as face recognition are any guide, they would also be likely to generate enormous numbers of false hits.

A THREE-STAGE PROCESS
So how are all these new techniques and capabilities being put into practice? Presumably, “The Program” (as insiders reportedly refer to the illegal practices) continues to employ watch lists and dictionaries. We do not know how the newer and more sophisticated link analysis and statistical data mining techniques are being used.

But, a good guess is that the NSA is following a three-stage process for the broadest portion of its sweep through the communications infrastructure:

1. The Dragnet: a search for targets. In this stage, the NSA sifts through the data coursing through the arteries of our telecom systems, making use of such factors as keyword searches, telephone number and IP address targeting, and techniques such as link analysis, and “data mining.” At this stage, the communications of millions of people may be scrutinized.

2. Human review: making the target list. Communications and individuals that are flagged by the system for one reason or another are presumably then subject to human review. An analyst looks at the origin, destination and content of the communication and makes a determination as to whether further eavesdropping or investigation is desired. We have absolutely no idea what kind of numbers are involved at this stage.

3. The Microscope: targeting listed individuals. Finally, individuals determined to be suspicious in phase two are presumably placed on a target list so that they are placed under the full scrutiny of the NSA’s giant surveillance microscope, with all their communications captured and analyzed.

EXPANDING SURVEILLANCE AS TECHNOLOGY CHANGES
Today’s NSA spying is a response to, and has been made possible by, some of the fundamental technological changes that have taken place in recent years. Around the end of the 1990s, the NSA began to complain privately – and occasionally publicly – that they were being overrun by technology as communications increasingly went digital. One change in particular was especially significant: electronic communications ranging from email to voice conversations were increasingly using the new and different protocols of the Internet.

The consequence of this change was that the NSA felt it was forced to change the points in the communications infrastructure that it targeted – but having done that, it gained the ability to analyze vastly more and richer communications.

The Internet and technologies that rely upon it (such as electronic mail, web surfing and Internet-based telephones known as Voice over IP or VOIP) work by breaking information into small “packets.” Each packet is then routed across the network of computers that make up the Internet according to the most efficient path at that moment, like a driver trying to avoid traffic jams as he makes his way across a city. Once all the packets – which are labeled with their origin, destination and other “header” information – have arrived, they are then reassembled.

An important result of this technology is that on the Internet, there is no longer a meaningful distinction between “domestic” and “international” routes of a communication. It was once relatively easy for the NSA, which by law is limited to “foreign intelligence,” to aim its interception technologies at purely “foreign” communications. But now, an e-mail sent from London to Paris, for example, might well be routed through the west coast of the United States (when, for example, it is a busy mid-morning in Europe but the middle of the night in California) along the same path traveled by mail between Los Angeles and San Francisco.

That system makes the NSA all the more eager to get access to centralized Internet exchange points operated by a few telecommunications giants. But because of the way this technology works, eavesdropping on an IP communication is a completely different ballgame from using an old-fashioned “wiretap” on a single line. The packets of interest to the eavesdropper are mixed in with all the other traffic that crosses through that pathway – domestic and international.

ECHELON
Much of what we know about the NSA’s spying prior to the recent revelations comes from the late 1990s, when a fair amount of information emerged about a system popularly referred to by the name “Echelon” – a codename the NSA had used at least at one time (although their continued use of the term, if at all, is unknown). Echelon was a system for mass eavesdropping on communications around the world by the NSA and its allies among the intelligence agencies of other nations. The best source of information on Echelon was two reports commissioned by the European Parliament (in part due to suspicions among Europeans that the NSA was carrying out economic on behalf of American corporations). Other bits of information were gleaned from documents obtained through the U.S. Freedom of Information Act, as well as statements by foreign governments that were partners in the program (the UK, Australia, Canada, and New Zealand).

As of the late 1990s/early 2000s, Echelon swept up global communications using two primary methods:

1. The interception of satellite and microwave signals. One way that telephone calls and other communications are sent from the United States to Europe and other destinations is via satellite and microwave transmissions. ECHELON was known to use numerous satellite receivers (“dishes”) – located on the east and west coasts of the United States, in England, Australia, Germany, and elsewhere around the globe – to vacuum up the “spillover” broadcasts from these satellite transmissions.

2. Transoceanic cable tapping. ECHELON’s other primary eavesdropping method was to tap into the transoceanic cables that also carry phone calls across the seas. According to published reports, American divers were able to install surveillance devices onto these cables. One of these taps was discovered in 1982, but other devices apparently continued to function undetected. It is more difficult to tap into fiber-optic cables (which unlike other cables do not “leak” radio signals that can be picked up by a device attached to the outside of the cable), but there is no reason to believe that that problem remained unsolved by the agency.

We do not know the extent to which these sources of data continue to be significant for the NSA, or the extent to which they have been superseded by the agency’s new direct access to the infrastructure, including the Internet itself, over which both voice and data communications travel.

UNANSWERED QUESTIONS
The bottom line is that the NSA appears to be capable not only of intercepting the international communications of a relatively small number of targeted Americans, but also of intercepting a sweeping amount of U.S. communications (through corporate-granted access to communications “pipes” and “boxes”), and of performing mass analysis on those communications (through data mining and other techniques).

Despite the fuzzy picture of “The Program” that we now possess, the current spying scandal has highlighted many unanswered questions about the NSA’s current activities. They include:

• Just what kinds of communications arteries has the NSA tapped into?

• What kinds of filters or analysis is the NSA applying to the data that flows through those arteries? How are data mining and other new techniques being used?

• Which telecom providers are cooperating with the NSA?

• How are subjects selected for targeted intercepts?

• What kinds of information exchange are taking place between the NSA and other security agencies? We know they probably turn over to other agencies any data turned up by watch list entries submitted by those other agencies, and they are also apparently passing along data mining-generated “cold hits” to the FBI and perhaps other security agencies for further investigation. Does information flow the other way as well – are other agencies giving data to the NSA for help in that second phase of deciding who gets put under the microscope?

• Is data that NSA collects, under whatever rubric, being merged with other data, either by NSA or another agency? Is communications data being merged with other transactional information, such as credit card, travel, and financial data, in the fashion of the infamous “Total Information Awareness” data mining program? (TIA, while prohibited by Congress from engaging in “domestic” activities, still exists within the Pentagon – and can be used for “foreign intelligence” purposes.)

• Just how many schoolteachers and other innocent Americans have been investigated as a result of “The Program?” And just how much privacy invasion are they subject to before the FBI can conclude they are not “involved in international terrorism”?

Rarely if ever in American history has a government agency possessed so much power subject to so little oversight. Given that situation, abuses were inevitable – and any limits to those abuses a matter of mere good fortune. If our generation of leaders and citizens does not rise to the occasion, we will prove ourselves to be unworthy of the heritage that we have been so fortunate to inherit from our Founders.

ENDNOTES
1 Eric Lichtblau and James Risen, “Spy Agency Mined Vast Data Trove, Officials Report,” New York Times, December 24, 2005; http://select.nytimes.com/search/restricted/article?res=FA0714F63E540C778EDDAB0994DD404482

2 Lowell Bergman, Eric Lichtblau, Scott Shane and Don Van Natta Jr., “Spy Agency Data After Sept. 11 Led F.B.I. to Dead Ends,” New York Times, January 17, 2006; http://www.nytimes.com/2006/01/17/politics/17spy.html.