Bad news has emerged for fans of PGP and other encryption services. The NSA is taking a gloves-off approach when you go this route.

Mathew J. Schwartz, Contributor

June 21, 2013

5 Min Read

Bad news for fans of anonymizing Tor networks, PGP and other encryption services: If you're attempting to avoid the National Security Agency's digital dragnet, you may be making yourself a target, as well as legally allowing the agency to retain your communications indefinitely -- and even use them to test the latest code-breaking tools.

Those revelations come via leaked documents that detail the operating guidelines for secret NSA surveillance programs authorized by Congress in 2008. Those documents include a one-page memorandum from a U.S. Foreign Intelligence Surveillance Court (FISA) judge, saying that the guidelines don't violate Fourth Amendment protections against unreasonable searches.

Another one of the leaked documents, first published Thursday by the Guardian, was signed by U.S. Attorney General Eric Holder on July 28, 2009 and submitted to FISA. Titled "Procedures used by NSA to minimize data collection from US persons," it details the steps that the agency's analysts are required to follow when collecting and analyzing data intercepted by the agency's surveillance programs.

Subsequently, the The Washington Post published those documents, plus two more, including the judge's secret memorandum.

[ How vulnerable is your enterprise's data? See NSA Dragnet Debacle: What It Means To IT. ]

Based on the documents, the good news is that the NSA guidelines include substantial restrictions on how agency analysts are allowed to review information relating to Americans, unless they first obtain a warrant. In general, the guidelines require strict "minimization" techniques to ensure that analysts don't collect or analyze Americans' communications, and they require analysts to delete any information that's been improperly collected -- albeit with some intelligence and law enforcement exceptions. The NSA also maintains records of Americans' names, telephone numbers and electronic communications addresses, but it uses this list to help ensure it doesn't target any of those people's communications.

"Assuming that the documents are genuine, they are broadly reassuring," said Stewart A. Baker, an attorney at Steptoe & Johnson LLP who recently served as first assistant secretary for policy for the Department of Homeland Security, in a blog post. "There are elaborate sections on making sure that attorney-client communications aren't retained, that inadvertent collections of Americans are destroyed as soon as possible, etc., etc."

When encryption is encountered, however, the gloves can come off, with analysts being allowed to retain "communications that are enciphered or reasonably believed to contain secret meaning" for any period of time. The guidelines allow this retention to occur not just for recovering the source communications but for any cryptanalysis use, suggesting that the NSA could retain encrypted communications to use as target practice for future code-breaking techniques.

Furthermore, as noted by Ars Technica, encryption may mask not only a person's identity, but also their physical location. Since the NSA guidelines say that a person "will not be treated as a United States person" without a positive identification based on name, address, electronic communication addresses or geographic location, encryption users may because classified -- at least temporarily -- as non-U.S. residents by NSA analysts.

In the event of an emergency, meanwhile, NSA analysts are allowed to throw the guidelines out the window. "If NSA determines that it must take action in apparent departure from these minimization procedures to protect against an immediate threat to human life force protection or hostage situations and that it is not feasible to obtain a timely modification of these procedures, NSA may take such action," according to the guidelines. That said, NSA is then required to report its actions to the Office of the Director of National Intelligence as well and to the Department of Justice, which is then charged with notifying FISA.

In general, the guidelines say that NSA analysts may retain, for six months, communications that don't contain "foreign intelligence information" but that are "reasonably believed to contain evidence of a crime that has been, is being, or is about to be committed," and they may share that information with the FBI. "There's a lot of leeway to use 'inadvertently' acquired domestic communications," Gregory Nojeim, senior counsel for the Center for Democracy and Technology, told The Washington Post.

Any information the NSA turns up on information security vulnerabilities -- such as zero-day exploits -- are also fair game, as the guidelines allow the agency to share the information with the FBI and other government agencies as it sees fit, and to retain those communications indefinitely.

How likely is it that the NSA might stumble upon evidence of a crime or act on it? That's unclear, although the scale of the NSA's surveillance operations is staggering. According to documents published last week by the Guardian, the NSA gleaned 3 billion pieces of intelligence from U.S. communications networks just in March 2013. That follows a Washington Post report in 2010 that said "every day, collection systems at the [NSA] intercept and store 1.7 billion e-mails, phone calls and other types of communications."

To address criticism that the NSA program is overbroad or operating on shaky legal footing, President Obama planned to meet Friday with the Privacy and Civil Liberties Oversight Board (PCLOB), a five-person independent agency that's charged with reviewing how the government balances surveillance requirements with people's civil liberties and right to privacy, reported Reuters. The board has been largely inactive since 2008, which is the year when Congress authorized the most recent secret NSA surveillance programs.

OCLOB chairman David Medine told Reuters that the board plans to hold a public hearing in July to solicit input from legal scholars and civil rights advocates on the NSA's surveillance programs. "Based on what we've learned so far, the board believes further questions are warranted," he said.

At Obama's direction, homeland security adviser Lisa Monaco asked the director of national intelligence Thursday to review information relating to FISA court opinions and see what additional information could be declassified and released to the public.

That initiative "builds on the administration's ongoing effort to declassify a significant amount of information regarding these programs," according to a White House statement. "The president's direction is that as much information as possible be made public while being mindful of the need to protect sources and methods and national security."

But Snowden's leaked documents -- of which there are reported to be at least dozens of interest -- appear to be detailing the previously withheld legal justifications for the NSA's monitoring programs faster.

About the Author(s)

Mathew J. Schwartz

Contributor

Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights