Thursday, June 6, 2013

U.S. Intelligence Using Nine Internet Companies To Spy On Americans

By Barton Gellman and Laura Poitras

The National Security Agency and the FBI are tapping directly into the central servers of nine leading U.S. Internet companies, extracting audio, video, photographs, e-mails, documents and connection logs that enable analysts to track a person’s movements and contacts over time.
The highly classified program, code-named PRISM, has not been disclosed publicly before. Its establishment in 2007 and six years of exponential growth took place beneath the surface of a roiling debate over the boundaries of surveillance and privacy. Even late last year, when critics of the foreign intelligence statute argued for changes, the only members of Congress who knew about PRISM were bound by oaths of office to hold their tongues.
An internal presentation on the Silicon Valley operation, intended for senior analysts in the NSA’s Signals Intelligence Directorate, described the new tool as the most prolific contributor to the President’s Daily Brief, which cited PRISM data in 1,477 articles last year. According to the briefing slides, obtained by The Washington Post, “NSA reporting increasingly relies on PRISM” as its leading source of raw material, accounting for nearly 1 in 7 intelligence reports.
That is a remarkable figure in an agency that measures annual intake in the trillions of communications. It is all the more striking because the NSA, whose lawful mission is foreign intelligence, is reaching deep inside the machinery of American companies that host hundreds of millions of American-held accounts on American soil.
The technology companies, which participate knowingly in PRISM operations, include most of the dominant global players of Silicon Valley. They are listed on a roster that bears their logos in order of entry into the program: “Microsoft, Yahoo, Google, Facebook, PalTalk, AOL, Skype, YouTube, Apple.” PalTalk, although much smaller, has hosted significant traffic during the Arab Spring and in the ongoing Syrian civil war.
Dropbox, the cloud storage and synchronization service, is described as “coming soon.”
Government officials declined to comment for this story.
Roots in the ’70s
PRISM is an heir, in one sense, to a history of intelligence alliances with as many as 100 trusted U.S. companies since the 1970s. The NSA calls these Special Source Operations, and PRISM falls under that rubric.
The Silicon Valley operation works alongside a parallel program, code-named BLARNEY, that gathers up “metadata” — address packets, device signatures and the like — as it streams past choke points along the backbone of the Internet. BLARNEY’s top-secret program summary, set down alongside a cartoon insignia of a shamrock and a leprechaun hat, describes it as “an ongoing collection program that leverages IC [intelligence community] and commercial partnerships to gain access and exploit foreign intelligence obtained from global networks.”
But the PRISM program appears more nearly to resemble the most controversial of the warrantless surveillance orders issued by President George W. Bush after the al-Qaeda attacks of Sept. 11, 2001. Its history, in which President Obama presided over “exponential growth” in a program that candidate Obama criticized, shows how fundamentally surveillance law and practice have shifted away from individual suspicion in favor of systematic, mass collection techniques. The PRISM program is not a dragnet, exactly. From inside a company’s data stream the NSA is capable of pulling out anything it likes, but under current rules the agency does not try to collect it all.
Analysts who use the system from a Web portal at Fort Meade key in “selectors,” or search terms, that are designed to produce at least 51 percent confidence in a target’s “foreignness.” That is not a very stringent test. Training materials obtained by the Post instruct new analysts to submit accidentally collected U.S. content for a quarterly report, “but it’s nothing to worry about.”
Even when the system works just as advertised, with no American singled out for targeting, the NSA routinely collects a great deal of American content. That is described as “incidental,” and it is inherent in contact chaining, one of the basic tools of the trade. To collect on a suspected spy or foreign terrorist means, at minimum, that everyone in the suspect’s inbox or outbox is swept in. Intelligence analysts are typically taught to chain through contacts two “hops” out from their target, which increases “incidental collection” exponentially. The same math explains the aphorism, from the John Guare play, that no one is more than “six degrees of separation” from Kevin Bacon.
A ‘directive’
Formally, in exchange for immunity from lawsuits, companies like Yahoo and AOL are obliged to accept a “directive” from the attorney general and the director of national intelligence to open their servers to the FBI’s Data Intercept Technology Unit, which handles liaison to U.S. companies from the NSA. In 2008, Congress gave the Justice Department authority for a secret order from the Foreign Surveillance Intelligence Court to compel a reluctant company “to comply.”
In practice, there is room for a company to maneuver, delay or resist. When a clandestine intelligence program meets a highly regulated industry, said a lawyer with experience in bridging the gaps, neither side wants to risk a public fight. The engineering problems are so immense, in systems of such complexity and frequent change, that the FBI and NSA would be hard pressed to build in back doors without active help from each company.
Apple demonstrated that resistance is possible, for reasons unknown, when it held out for more than five years after Microsoft became PRISM’s first corporate partner in May 2007. Twitter, which has cultivated a reputation for aggressive defense of its users’ privacy, is still conspicuous by its absence from the list of “private sector partners.”
“Google cares deeply about the security of our users’ data,” a company spokesman said. “We disclose user data to government in accordance with the law, and we review all such requests carefully. From time to time, people allege that we have created a government ‘back door’ into our systems, but Google does not have a ‘back door’ for the government to access private user data.”
Like market researchers, but with far more privileged access, collection managers in the NSA’s Special Source Operations group, which oversees the PRISM program, are drawn to the wealth of information about their subjects in online accounts. For much the same reason, civil libertarians and some ordinary users may be troubled by the menu available to analysts who hold the required clearances to “task” the PRISM system.
There has been “continued exponential growth in tasking to Facebook and Skype,” according to the 41 PRISM slides. With a few clicks and an affirmation that the subject is believed to be engaged in terrorism, espionage or nuclear proliferation, an analyst obtains full access to Facebook’s “extensive search and surveillance capabilities against the variety of online social networking services.”
According to a separate “User’s Guide for PRISM Skype Collection,” that service can be monitored for audio when one end of the call is a conventional telephone and for any combination of “audio, video, chat, and file transfers” when Skype users connect by computer alone. Google’s offerings include Gmail, voice and video chat, Google Drive files, photo libraries, and live surveillance of search terms.
Firsthand experience with these systems, and horror at their capabilities, is what drove a career intelligence officer to provide PowerPoint slides about PRISM and supporting materials to The Washington Post in order to expose what he believes to be a gross intrusion on privacy. “They quite literally can watch your ideas form as you type,” the officer said.

Julie Tate and Robert O’Harrow Jr. contributed to this report.

Tuesday, June 4, 2013

Obama Administration Appointees Had Secret E-Mail Accounts


WASHINGTON (AP) - Some of President Barack Obama's political appointees, including the Cabinet secretary for the Health and Human Services Department, are using secret government email accounts they say are necessary to prevent their inboxes from being overwhelmed with unwanted messages, according to a review by The Associated Press.
The scope of using the secret accounts across government remains a mystery: Most U.S. agencies have failed to turn over lists of political appointees' email addresses, which the AP sought under the Freedom of Information Act more than three months ago. The Labor Department initially asked the AP to pay more than $1 million for its email addresses.
The AP asked for the addresses following last year's disclosures that the former administrator of the Environmental Protection Agency had used separate email accounts at work. The practice is separate from officials who use personal, non-government email accounts for work, which generally is discouraged - but often happens anyway - due to laws requiring that most federal records be preserved.
The secret email accounts complicate an agency's legal responsibilities to find and turn over emails in response to congressional or internal investigations, civil lawsuits or public records requests because employees assigned to compile such responses would necessarily need to know about the accounts to search them. Secret accounts also drive perceptions that government officials are trying to hide actions or decisions.
"What happens when that person doesn't work there anymore? He leaves and someone makes a request (to review emails) in two years," said Kel McClanahan, executive director of National Security Counselors, an open government group. "Who's going to know to search the other accounts? You would hope that agencies doing this would keep a list of aliases in a desk drawer, but you know that isn't happening."
Agencies where the AP so far has identified secret addresses, including the Labor Department and HHS, said maintaining non-public email accounts allows senior officials to keep separate their internal messages with agency employees from emails they exchange with the public. They also said public and non-public accounts are always searched in response to official requests and the records are provided as necessary.
The AP couldn't independently verify the practice. It searched hundreds of pages of government emails previously released under the open records law and found only one instance of a published email with a secret address: an email from Labor Department spokesman Carl Fillichio to 34 coworkers in 2010 was turned over to an advocacy group, Americans for Limited Government. It included as one recipient the non-public address for Seth D. Harris, currently the acting labor secretary, who maintains at least three separate email accounts.
Google can't find any reference on the Internet to the secret address for HHS Secretary Kathleen Sebelius. Congressional oversight committees told the AP they were unfamiliar with the non-public government addresses identified so far by the AP.
Ten agencies have not yet turned over lists of email addresses, including the Environmental Protection Agency; the Pentagon; and the departments of Veterans Affairs, Transportation, Treasury, Justice, Housing and Urban Development, Homeland Security, Commerce and Agriculture. All have said they are working on a response to the AP.
White House spokesman Eric Schultz declined to comment.
A Treasury Department spokeswoman, Marissa Hopkins Secreto, referred inquiries to the agency's FOIA office, which said its technology department was still searching for the email addresses. Other departments, including Homeland Security, did not respond to questions from the AP about the delays of nearly three months. The Pentagon said it may have an answer by later this summer.
The Health and Human Services Department initially turned over to the AP the email addresses for roughly 240 appointees - except none of the email accounts for Sebelius, even one for her already published on its website. After the AP objected, it turned over three of Sebelius' email addresses, including a secret one. It asked the AP not to publish the address, which it said she used to conduct day-to-day business at the department. Most of the 240 political appointees at HHS appeared to be using only public government accounts.
The AP decided to publish the secret address for Sebelius - KGS2(at)hhs.gov - over the government's objections because the secretary is a high-ranking civil servant who oversees not only major agencies like the Centers for Medicare and Medicaid Services but also the implementation of Obama's signature health care law. Her public email address is Kathleen.Sebelius(at)hhs.gov.
At least two other senior HHS officials - including Donald Berwick, former head of the Centers for Medicare and Medicaid Services, and Gary Cohen, a deputy administrator in charge of implementing health insurance reform - also have secret government email addresses, according to the records obtained by the AP.
The Interior Department gave the AP a list of about 100 government email addresses for political appointees who work there but none for the interior secretary at the time, Ken Salazar, who has since resigned. Spokeswoman Jessica Kershaw said Salazar maintained only one email address while serving as secretary but she would not disclose it. She said the AP should ask for it under the Freedom of Information Act, which would take months longer.
The Labor Department initially asked the AP to pay just over $1.03 million when the AP asked for email addresses of political appointees there. It said it needed to pull 2,236 computer backup tapes from its archives and pay 50 people to pore over old records. Those costs included three weeks to identify tapes and ship them to a vendor, and pay each person $2,500 for nearly a month's work. But under the department's own FOIA rules - which it cited in its letter to the AP - it is prohibited from charging news organizations any costs except for photocopies after the first 100 pages. The department said it would take 14 weeks to find the emails if the AP had paid the money.
Fillichio later acknowledged that the $1.03 million bill was a mistake and provided the AP with email addresses for the agency's Senate-confirmed appointees, including three addresses for Harris, the acting secretary. His secret address was harris.sd(at)dol.gov. His other accounts were one for use with labor employees and the public, and another to send mass emails to the entire Labor Department, outside groups and the public. The Labor Department said it did not object to the AP publishing any of Harris' email addresses.
In addition to the email addresses, the AP also sought records government-wide about decisions to create separate email accounts. But the FOIA director at HHS, Robert Eckert, said the agency couldn't provide such emails without undergoing "an extensive and elongated department-wide search." He also said there were "no mechanisms in place to determine if such requests for the creation of secondary email accounts were submitted by the approximately 242 political appointees within HHS."
Late last year, the EPA's critics - including Republicans in Congress - accused former EPA Administrator Lisa Jackson of using an email account under the name "Richard Windsor" to sidestep disclosure rules. The EPA said emails Jackson sent using her Windsor alias were turned over under open records requests. The agency's inspector general is investigating the use of such accounts, after being asked to do so by Congress.
An EPA spokeswoman described Jackson's alternate email address as "an everyday, working email account of the administrator to communicate with staff and other government officials." It was later determined that Jackson also used the email address to correspond sometimes with environmentalists outside government and at least in some cases did not correct a misperception among outsiders they were corresponding with a government employee named Richard Windsor.
Although the EPA's inspector general is investigating the agency's use of secret email accounts, it is not reviewing whether emails from Jackson's secret account were released as required under the Freedom of Information Act.
The EPA's secret email accounts were revealed last fall by the Competitive Enterprise Institute, a conservative Washington think tank that was tipped off about Jackson's alias by an insider and later noticed it in documents it obtained under the FOIA. The EPA said its policy was to disclose in such documents that "Richard Windsor" was actually the EPA administrator.
Courts have consistently set a high bar for the government to withhold public officials' records under the federal privacy rules. A federal judge, Marilyn Hall Patel of California, said in August 2010 that "persons who have placed themselves in the public light" - such as through politics or voluntary participation in the public arena - have a "significantly diminished privacy interest than others." Her ruling was part of a case in which a journalist sought FBI records, but was denied.
"We're talking about an email address, and an email address given to an individual by the government to conduct official business is not private," said Aaron Mackey, a FOIA attorney with the Reporters Committee for Freedom of the Press. He said that's different than, for example, confidential information, such as a Social Security number.
Under the law, citizens and foreigners may use the FOIA to compel the government to turn over copies of federal records for zero or little cost. Anyone who seeks information through the law is generally supposed to get it unless disclosure would hurt national security, violate personal privacy or expose business secrets or confidential decision-making in certain areas.
Obama pledged during his first week in office to make government more transparent and open. The nation's signature open-records law, he said in a memo to his Cabinet, would be "administered with a clear presumption: In the face of doubt, openness prevails."