Security Experts:

Government Surveillance Under Fire: What You Need to Know

The Guardian and the Washington Post are on fire this week, crushing the secrecy that used to belong to two intelligence-gathering operations controlled by the FBI and NSA. As a result, there has been a massive backlash against the Obama administration and the Department of Justice, while lawmakers call for an investigation into the latest leak of classified information.

On Wednesday, the Guardian’s Glenn Greenwald reported on a FISA order to Verizon that enabled the government to collect metadata for every customer. A day later, the Washington Post followed that story with details of a separate surveillance program that focuses on data mined from the likes of Google, Yahoo, Apple, Microsoft, and Facebook. In both cases, the news came about because someone leaked the information to the news organizations.

Government Surveillance, Phone Records and InternetSenator Dianne Feinstein (D), Chairman of the Senate Select Committee on Intelligence, told MSNBC that an investigation into the leak that led to the Guardian and the Post scoops should happen, adding that she felt “we have become a culture of leaks now.”

Mirroring her admonishment, James Clapper, the Director of National Intelligence said the leak was reprehensible; noting that the “unauthorized disclosure of a top secret U.S. court document threatens potentially long-lasting and irreversible harm to our ability to identify and respond to the many threats facing our nation.”

Yet, the value of whistleblowers has been clear for decades. The problem is, not everyone agrees with transparency. Some are frightened of it, and others demand that secrets be kept in the name of security.

This week’s stories surrounding the surveillance programs touched a nerve, considering that the government was already in hot water and under suspicion for privacy and rights violations. Adding to this is the fact that there seems to be a war against whistleblowers in general by the government.

The Espionage Act of 1917, the weapon wielded most by the government in this type of situation, has been used six times to prosecute whistleblowers. Just this year, the Justice Department seized phone records for the AP during a leak investigation, which the AP’s president called a massive and unprecedented intrusion. That story still hasn’t gone away, and now the public is learning that things were much worse than they seemed.

Still, the argument can be (and has been) made that whistleblowing, forced transparency, whatever you wish to call it, is vital for a rounded government – as it’s often the only time the public will learn about abuses of power. Feinstein’s call for an investigation is a reflex response, due largely to embarrassment.

“The U.S. government is on a secrecy binge. It over classifies more information than ever. And we learn, again and again, that our government regularly classifies things not because they need to be secret, but because their release would be embarrassing,” wrote Bruce Schneier in an editorial for The Atlantic.

He goes on to note that knowing how the government spies on its citizens is important – not because of the likelihood of illegality, simply because the people have a right to know.

“Democracy requires an informed citizenry in order to function properly, and transparency and accountability are essential parts of that. That means knowing what our government is doing to us, in our name. That means knowing that the government is operating within the constraints of the law. Otherwise, we're living in a police state. We need whistle-blowers,” Schneier wrote.

It’s important to note that there’s two separate stories here, but they center on the same issue: An alleged overstepping of boundaries by the government. Not everyone agrees that what’s happened is illegal. While a vast majority of the response to the news items has been critical of the Obama administration and the government as a whole, some support the actions of the FBI and NSA. The Guardian’s story centers on a FISA order that was leaked to them. The order, published in full here, is actually a renewal of a previous order issued in 2006. Such renewals are needed every 90-days.

According to the FISA order, Verizon is to give the FBI and NSA the following for the millions of subscribers on their network:

Session data (phone number of customer, and the number of who they called)

IMSI (International Mobile Subscriber Identity) number

IMEI (International Mobile station Equipment) number

Trunk identifier

Calling card numbers

Time call was placed, and call duration

What isn’t being collected is the contents of the call themselves, including - according to 18 U.S.C. § 2510 (8) - “any information concerning the substance, purport, or meaning of that communication.”

In addition, Verizon isn’t sharing the name, address, or financial information of a subscriber of customer. Also, the order does not require them to share information for calls that originate in foreign countries.

How can the Verizon data be used?

The IMSI can show the 10 digit mobile number, mobile country code, and mobile network code. So the government would have the mobile numbers used during the call, the countries where the calls were made (due to the Mobile Country Code included within the IMSI), and the carrier network used by the callers (via the Mobile Network Code included within the IMSI)

The IMEI number is used to identify valid devices on a GSM network. Often this data is sought by law enforcement to use for wiretaps, as it ensures they are tracking the correct device. However, it’s important to note this only identifies the device. This is why the IMEI is rarely (if at all) requested by itself; there’s no way to tie a subscriber to the device without the IMSI data.

Trunk identifiers are the least complex of the data being shared by Verizon. A Trunk prefix is what one would dial before they placed a call internationally. This data isn’t all that sexy by itself, but useful when combined with IMSI, IMEI, and calling card data. Lastly, when it comes to dates, times, and call length, this data is rather important for intelligence gathering.

Does the government really need this data?

“The information acquired has been part of an overall strategy to protect the nation from terrorist threats to the United States, as it may assist counterterrorism personnel to discover whether known or suspected terrorists have been in contact with other persons who may be engaged in terrorist activities,” James Clapper noted in a statement.

“The collection is broad in scope because more narrow collection would limit our ability to screen for and identify terrorism -related communications. Acquiring this information allows us to make connections related to terrorist activities over time.”

The question however, is access. Does the government have a right to such information, and if so should they be allowed to keep it to themselves or does the public have a right to know that they’re collecting it?

Considering what is being delivered by Verizon, it doesn’t take much effort to form a complete profile of someone who can be discovered via public records.

However, according to the Office of the Director of National Intelligence (ODNI), the data collected from Verizon is subject to strict, court-imposed restrictions on review and handling and the government is prohibited from indiscriminately sifting through it.

The ODNI said that the court only allows the data to be queried when there is a reasonable suspicion, based on certain set of facts, that the basis for the query is associated with an investigation into a foreign terrorist organization. Even then, assuming the court would allow the query, only specially cleared counterterrorism personnel, who are trained in the Court-approved procedures, may access the records.

Again, the Verizon FISA order has been in place since 2006, and unless the government declassifies their data, there is no evidence or proof that such efforts have done anything to make the nation safer. The lack of clarity is why some pushed back against the 2008 FISA amendments last December, in addition to the stance that the government’s interpretation of the law was suspect or overly broad.

Mark Udall (D), who serves on the U.S. Senate Select Committee on Intelligence, is one of those who has challenged FISA and the broad scope of orders such as the one presented to Verizon.

“The government's collection of millions of Americans' phone records is the type of surveillance I have long said would shock the public if they knew about it. We must strike the right balance between keeping Americans safe and protecting constitutional rights,” Udall said in a statement.

“There are many ways to protect our nation, and one of the most important ways is to ensure the integrity of our constitutional liberties and that we have a transparent government that is accountable to the people it serves.”

However, others support the FISA order to Verizon, making note of the fact that it’s legal. If people don’t like it they should push their representatives to change the laws governing FISA.

“You may not like the legal interpretation that produced this order, but you can’t say it’s lawless,” Commented Steward Baker, the former General Counsel for the NSA.

“Plenty of people will say that they don’t trust the government with such a large amount of data, that there’s too much risk that it will break the rules, even rules enforced by a two-party, three-branch system of checks and balances. Even I, when I first read the order, had a moment of chagrin and disbelief at its sweep. But for those who don’t like the alternative model, the real question is ‘compared to what?’”

Taking this issue further is the Washington Post story, which centers on a project run by the NSA called PRISM. Like the FISA order to Verizon, the Post’s story on PRISM sparked outrage because once again, the NSA is shown to be collecting information on private citizens. However, the data collected by PRISM isn’t random metadata, this time it’s much more personal.

According to the Washington Post, PRISM is the number one source of raw intelligence used for NSA analytic reports. The data collected by the classified program accounts for nearly 1 in 7 intelligence reports, and is the most prolific contributor to the President’s Daily Brief.

The raw intelligence itself comes from some of the Internet’s largest portals, including Google, YouTube, Facebook, Microsoft, Skype, Yahoo, AOL, and Apple.

The Post based their story on leaked slides, classified as Top Secret, Sensitive Information, not to be shared with foreign agents, showing that the internet giants are handing over email, chat (video, voice, and text) data, photos, videos, stored data, VoIP records, file transfer details, video conferencing details, login data, and social networking details on demand.

PRISM is said to be based on foreign communications traffic that flows through the U.S., and has been active since 2007, when Microsoft became the first company to cooperate. Yahoo joined in 2008, followed by Google and Facebook in 2009, YouTube in 2010, Skype and AOL in 2011, and Apple late last year.

In a statement, separate from the one referenced previously (which was removed from the Web), James Clapper said that the Washington Post story contained “numerous inaccuracies” reaffirming that the disclosure of the slides places the security of Americans at risk.

Of the companies listed in the NSA slide deck, those that would comment denied offering open access to the NSA, but did mention that they comply with the law when required and often require court orders. However, with the exposure of PRISM to the public, the NSA may be cutoff.

As reported by the Washington Post:

“Government officials and the document itself made clear that the NSA regarded the identities of its private partners as PRISM’s most sensitive secret, fearing that the companies would withdraw from the program if exposed.


98 percent of PRISM production is based on Yahoo, Google and Microsoft; we need to make sure we don’t harm these sources,” the briefing’s author wrote in his speaker’s notes.”

In the wake of this weeks revelations, no matter where one stands on the debate, privacy watchdogs have had enough.

"In the face of this avalanche of frightening revelations about the breadth of the NSA's surveillance programs, one thing is clear: It's time for a reckoning. The American people should not have to play guessing games about whether and how their own government is monitoring them," said CDT President Leslie Harris.

"Just like the Church Committee that was convened after the revelations of illegal spying in the 1970s, we need a sustained investigation into how far these programs reach into the private lives of American citizens."

view counter
Steve Ragan is a security reporter and contributor for SecurityWeek. Prior to joining the journalism world in 2005, he spent 15 years as a freelance IT contractor focused on endpoint security and security training.