Since The New York Times reported in December that President Bush ordered the National Security Agency to monitor communications of U.S. citizens without a warrant, the president has insisted that no one's telephone calls were being monitored except those between the U.S. and other countries involving at least one suspected terrorist.
Monitoring such calls without a court's permission violates the Foreign Intelligence Surveillance Act, enacted in 1978 and updated five times since 9/11.
But that isn't all the NSA has been doing:
The National Security Agency has been secretly collecting the phone call records of tens of millions of Americans, using data provided by AT&T, Verizon and BellSouth [the nation's three largest telcos; Bellsouth is the Greensboro area's primary provider -- Lex], people with direct knowledge of the arrangement told USA TODAY.
The NSA program reaches into homes and businesses across the nation by amassing information about the calls of ordinary Americans — most of whom aren't suspected of any crime. This program does not involve the NSA listening to or recording conversations. But the spy agency is using the data to analyze calling patterns in an effort to detect terrorist activity, sources said in separate interviews.
"It's the largest database ever assembled in the world," said one person, who, like the others who agreed to talk about the NSA's activities, declined to be identified by name or affiliation. The agency's goal is "to create a database of every call ever made" within the nation's borders, this person added.
For the customers of these companies, it means that the government has detailed records of calls they made — across town or across the country — to family members, co-workers, business contacts and others.
The three telecommunications companies are working under contract with the NSA, which launched the program in 2001 shortly after the Sept. 11 terrorist attacks, the sources said. The program is aimed at identifying and tracking suspected terrorists, they said.
The sources would talk only under a guarantee of anonymity because the NSA program is secret.
Air Force Gen. Michael Hayden, nominated Monday by President Bush to become the director of the CIA, headed the NSA from March 1999 to April 2005. In that post, Hayden would have overseen the agency's domestic call-tracking program. Hayden declined to comment about the program.
The NSA's domestic program, as described by sources, is far more expansive than what the White House has acknowledged. Last year, Bush said he had authorized the NSA to eavesdrop — without warrants — on international calls and international e-mails of people suspected of having links to terrorists when one party to the communication is in the USA. Warrants have also not been used in the NSA's efforts to create a national call database.
In defending the previously disclosed program, Bush insisted that the NSA was focused exclusively on international calls. "In other words," Bush explained, "one end of the communication must be outside the United States."
As a result, domestic call records — those of calls that originate and terminate within U.S. borders — were believed to be private.
Sources, however, say that is not the case. With access to records of billions of domestic calls, the NSA has gained a secret window into the communications habits of millions of Americans. Customers' names, street addresses and other personal information are not being handed over as part of NSA's domestic program, the sources said. But the phone numbers the NSA collects can easily be cross-checked with other databases to obtain that information. ...
The government is collecting "external" data on domestic phone calls but is not intercepting "internals," a term for the actual content of the communication, according to a U.S. intelligence official familiar with the program. This kind of data collection from phone companies is not uncommon; it's been done before, though never on this large a scale, the official said. The data are used for "social network analysis," the official said, meaning to study how terrorist networks contact each other and how they are tied together. (emphases added)
Even if the program is as limited as the article claims, the technology involved would make expanding it a short, easy step. What follows is a description of the computer hardware and software involved. First posted April 7, it's kind of long and kind of technical, but it's extremely important:
Earlier today [4/7/2006} we found out that the EFF [Electronic Frontier Foundation, a nonpartisan, nonprofit group that works for personal rights online -- Lex] had sued AT&T over their secret work with the NSA on surveillance of millions of US citizens without wiretaps. We learned that paragraph 65 of this complaint shows EFF is trying to turn it into a nationwide Class Action suit covering all current and former customers (any after 9/2001) of AT&T. And we learned that a retired AT&T technician had stepped forward and disclosed the installation of secret NSA spy equipment in the San Francisco trunk facility. As well as the belief that similar equipment is in place in Seattle, San Jose, Los Angeles and San Diego.
Specifically, this equipment was the Narus ST-6400, a machine that was capable of monitoring over 622 Mbits/second in real time in May, 2000, and capturing anything that hits its' semantic (i.e. the meaning of the content) triggers. The latest generation is called NarusInsight, capable of monitoring 10 billion bits of data per second. ...
How powerful is this? OC-192 carries about 10 gigabits of data per second. Ten billion bits per second, monitored in real-time. That is stunning. This is one damned powerful machine, one of the most powerful I've ever heard of in 25 years in IT.
And what does it monitor while looking at this 10 billion bits of IP data per second? First lets take a look at what the network model is, the OSI model of seven layers. NarusInsight focuses on two layers: number four, the transport layer, built on standards like TCP and UDP, the physical building blocks of internet data traffic, and number seven, the application layer, built on standards like HTTP and FTP, which are dependent on the application using them, i.e. Internet Explorer, Kazaa, Skype, etc. It monitors 10 billion bits per second at level four and 2500 million bits per second at level seven. For reference, the 256K DSL line I am using equals .25 million bits per second. So one NarusInsight machine can look at about 39,000 DSL lines at once in great detail. ...
So what exactly is done to and with this data? That's kind of a grey area, so let's try to find what we can. The starting point is called the Internet Protocol Detail Record, which Narus helped found. From that FAQ I just linked to, we learn that ...
IPDR.org has been in existence since 1999 and more than a dozen vendors have actual IPDR implementations "etched in code". Their systems are actually able to talk to each other and interoperate. Version 2.5 and up of the NDM-U represents a stable basis for development. IPDR.org's Interoperability Pavilion is a working demonstration of multiple companies exchanging service usage data in that format.
Service usage data. That would be data on the actual usage of the Internet. And what kind of data would this be? Way back in 1999, this article stated:
In an effort to provide more complex network traffic analysis, Narus is introducing its semantic network traffic service. The company cites research which predicts the fast-growing ISP sector will become stagnant without the ability to offer differentiated services. In order to gain significant revenues from these services, a technology was necessary to allow usage based pricing.
"We realized that, at the heart of the data that is needed to accurately measure usage and enable 'pay-as-you-go' business models for Internet service providers, is what we call the 'semantics' of network traffic," said Ori Cohen, Narus' founder and chief executive officer.
"In short, by seeing the 'semantics' of network traffic, service providers can see 'inside' the data, providing much more detailed insight about the use of the Internet and the perceived value of specific applications than existing technologies allow." [emphasis in original]
Semantic Traffic Analysis uses network technology to consistently capture and analyze all IP data streams on heavily trafficked networks remotely and non-invasively. In addition, the semantics of the data stream are determined also, as well as the protocol used and the application taking place. A variety of other data is available as well.
Remember that semantics is not just the data, but rather the meaning of the data. It looks at the the data in a more comprehensive way than looking for keywords. Each NarusInsight machine does this at 2500 million bits per second, in real-time.
You really wonder why BushCo doesn't want to talk about this stuff? It's the biggest invasion of privacy in history by several orders of magnitude.
How can we know? From Narus' Lawful Intercept and Regulatory Compliance page:
Explosive Internet growth in recent years has transformed worldwide communications, yielding tremendous efficiencies and benefits, as well as many risks.
For example, terrorist attacks around the globe have been carefully orchestrated through Internet-based forms of communications such as e-mail, messaging, hidden Web pages and now VoIP, forcing governmental organizations and law enforcement agencies to re-evaluate how they are providing public security as it becomes so much easier and faster to communicate electronically.
Recent mandates and the resulting standards referenced under CALEA in the United States and ETSI in Western Europe aim to preserve the right of law enforcement agencies to conduct authorized electronic surveillance in an effort to protect the public and its right to privacy. However, these mandates create IT headaches for carriers as they struggle to meet the requirements.
With a suite of products targeted at meeting lawful intercept requirements, Narus simplifies lawful intercept tasks helping carriers and agencies meet requirements without experiencing any degradation in service quality.
Key benefits
-Packet-mode data intercepts for Service Providers and Carriers.
-Wireline to wireless and WiFi or dialup to broadband.
-"Instant Compliance" with CALEA and ETSI for simple, fast and hands-free compliance.
-Carrier-grade speeds, performance and scalability.
-Supports all of your services, out-of-the-box.
-Securely manages resources while simplifying audits and reporting.
-Network and vendor agnostic.
-Enables additional application for revenue generation or revenue protection.
This data flows right into NarusInsight Intercept Suite, which enables:
Packet-level, flow-level, and application-level usage information is captured and analyzed as well as raw user session packets for forensic analysis, surveillance or in satisfying regulatory compliance for lawful intercept.
The Lawful Intercept module offers carriers and service providers compliance with regulatory requirements regarding lawful intercept. The Lawful Intercept module provides an end-to-end solution consisting of Administration, Access and Delivery functions. The Lawful Intercept module is compliant with CALEA and ETSI standards. It can be seamlessly integrated with third party products for testing/validation or as a complete law enforcement solution.
The Directed Analysis module seamlessly integrates with NarusInsight Secure Suite or other DDoS, intrusion or anomaly detection systems, securely providing analysts with real-time, surgical targeting of suspect information (from flow to application to full packets). The Directed Analyis module provides industry standard formats and offers tools for archival and integration with third party investigative tools.
These capabilities include playback of streaming media (i.e. VoIP), rendering of web pages, examination of e-mail and the ability to analyze the payload/attachments of e-mail or file transfer protocols. Narus partner products offer the ability to quickly analyze information collected by the Directed Analysis or Lawful Intercept modules. When Narus partners' powerful analytic tools are combined with the surgical targeting and real-time collection capabilities of Directed Analysis and Lawful Intercept modules, analysts or law enforcement agents are provided capabilities that have been unavailable thus far. (emphases in original)
... That's what it appears we are up against, folks. Real-time semantic data monitoring on a huge scale. ...
Lex here again. So, put another way, the government appears to have the capability of monitoring and storing far more information about our calls and Internet usage than they're saying they have used up to now -- and at least in the case of Internet, it appears to be content of our data -- e-mails, FTP'd files, whatever -- as much as simple transaction records. (That would explain how this could turn into the Largest Database Evah, because even a comprehensive file with basic details on every phone call, but in text only, couldn't come close to being the Largest Evah. An even more likely explanation, albeit one the story doesn't prove? They're storing the content of the calls; sound files are much bigger than text files containing the same info.) We have no way of knowing right now whether they're telling the truth about what they have and have not done. Remember, the president continues to insist that all communications on which information was gathered were international. We know now that that is not true.
Is this operation legal? At first glance, I'd say it appears to violate FISA, but I'm not a lawyer. But the USA Today article suggests it violates other laws as well:
Under Section 222 of the Communications Act [link added -- Lex], first passed in 1934, telephone companies are prohibited from giving out information regarding their customers' calling habits: whom a person calls, how often and what routes those calls take to reach their final destination. Inbound calls, as well as wireless calls, also are covered.
The financial penalties for violating Section 222, one of many privacy reinforcements that have been added to the law over the years, can be stiff. The Federal Communications Commission, the nation's top telecommunications regulatory agency, can levy fines of up to $130,000 per day per violation, with a cap of $1.325 million per violation. The FCC has no hard definition of "violation." In practice, that means a single "violation" could cover one customer or 1 million.
In the case of the NSA's international call-tracking program, Bush signed an executive order allowing the NSA to engage in eavesdropping without a warrant. The president and his representatives have since argued that an executive order was sufficient for the agency to proceed. Some civil liberties groups, including the American Civil Liberties Union, disagree.
Again, I'm not a lawyer, but I've been unable to find any reference to a case in which federal courts have upheld a notion that a president's executive order can singlehandedly overturn a Congressional ban. (Anyone who knows of one, by all means shoot me a link.)
And the details regarding Qwest's refusal to participate in the program shed additional light. Again, from USA Today:
One major telecommunications company declined to participate in the program: Qwest.
According to sources familiar with the events, Qwest's CEO at the time, Joe Nacchio, was deeply troubled by the NSA's assertion that Qwest didn't need a court order — or approval under FISA — to proceed. Adding to the tension, Qwest was unclear about who, exactly, would have access to its customers' information and how that information might be used.
Financial implications were also a concern, the sources said. Carriers that illegally divulge calling information can be subjected to heavy fines. The NSA was asking Qwest to turn over millions of records. The fines, in the aggregate, could have been substantial.
The NSA told Qwest that other government agencies, including the FBI, CIA and DEA, also might have access to the database, the sources said. As a matter of practice, the NSA regularly shares its information — known as "product" in intelligence circles — with other intelligence groups. Even so, Qwest's lawyers were troubled by the expansiveness of the NSA request, the sources said.
The NSA, which needed Qwest's participation to completely cover the country, pushed back hard.
Trying to put pressure on Qwest, NSA representatives pointedly told Qwest that it was the lone holdout among the big telecommunications companies. It also tried appealing to Qwest's patriotic side: In one meeting, an NSA representative suggested that Qwest's refusal to contribute to the database could compromise national security, one person recalled.
In addition, the agency suggested that Qwest's foot-dragging might affect its ability to get future classified work with the government. Like other big telecommunications companies, Qwest already had classified contracts and hoped to get more.
Unable to get comfortable with what NSA was proposing, Qwest's lawyers asked NSA to take its proposal to the FISA court [the special, secret federal court that oversees wiretapping under the Foreign Intelligence Surveillance Act and must issue warrants for such wiretapping to take place -- Lex]. According to the sources, the agency refused.
The NSA's explanation did little to satisfy Qwest's lawyers. "They told (Qwest) they didn't want to do that because FISA might not agree with them," one person recalled. For similar reasons, this person said, NSA rejected Qwest's suggestion of getting a letter of authorization from the U.S. attorney general's office. A second person confirmed this version of events.
So the government didn't want to try to get permission from the FISA court, which has approved all but a few of the thousands of requests for warrants it has ever received, because it was afraid the court would say no. And it didn't want to ask for authorization from the attorney general, apparently -- although this is not clear -- for the same reason.
Yeah, I'd be wondering about the legality, too, were I Qwest's CEO.
Why would telephone companies take the risk of big fines to go along with the government's request? I don't know, and I certainly hope journalists are raising that question today. Perhaps they honestly thought it essential to national security. And the NSA was willing to pay them for the data, USA Today reports, although it's not clear from the article (which refers, without elaboration, to a "contract") whether it ever actually did so. At least one commenter at USAToday.com, however, raises the possibility that they did so in exchange for administration support of a change in law they're pushing that would, in effect, let large telecommunications companies such as AT&T control how well certain Web sites work for you, depending on how much money those Web sites are paying the telcos.
At noon today President Bush issued a statement on domestic wiretapping, although he did not address the USA Today report directly or take any questions. Among its key points:
First, our intelligence activities strictly target al Qaeda and their known affiliates.
If USA Today is accurate, this statement is flatly untrue.
Second, the government does not listen to domestic phone calls without court approval.
In fact, both the president and the attorney general previously have admitted that the NSA surveillance program had, in fact, tapped some domestic calls. Moreover, this statement, even if true, doesn't address the key issue of the USA Today report: recording details on every single phone call made in the U.S. via its three largest telcos, without the consumer's knowledge and in apparent violation of both FISA and other telecommunications law.
Third, the intelligence activities I authorized are lawful and have been briefed to appropriate members of Congress, both Republican and Democrat.
If he's so confident they're lawful, why didn't he seek FISA-court approval? If he's so confident they're lawful, why has he blocked a Justice Department probe?
Moreover, as Intelligence Committee members of both Houses and both parties made clear, prior to the New York Times report, members of Congress were not, in fact, fully briefed. In many cases they were given fragmentary information, which they were sworn not to share with anyone else, even top aides. Thus, they could not exercise true oversight.
And Republican Sen. Arlen Specter of Pennsylvania, chairman of the Senate Judiciary Committee, is disturbed enough by the report to announce he'll be inviting telco executives to discuss the program with his committee. That would not be the kind of invitation one turns down.
Fourth, the privacy of ordinary Americans is fiercely protected in all our activities. We're not mining or trolling through the personal lives of millions of innocent Americans. Our efforts are focused on links to al Qaeda and their known affiliates.
No, he's not mining "the personal lives" of millions of innocent Americans, just records of their phone calls.
Every last one of their phone calls.
UPDATE: Even if the program were legal, it probably doesn't do what it's supposed to, wastes money and thereby let's real terrorists get away, one expert says.
UPDATE: Opinions on the legal issues from Orin Kerr of the Volokh Conspiracy and Glenn Greenwald at Unclaimed Territory.
UPDATE: The current Attorney General appears to have ... well, not been fully forthcoming in his Congressional testimony on this subject. From page 26:
[Rep. Gerald] NADLER: Number two, can you assure us that there is no warrantless surveillance of calls between two Americans within the United States?
GONZALES: That is not what the president has authorized.
NADLER: Can you assure us that it's not being done?
GONZALES: As I indicated in response to an earlier question, no technology is perfect.
NADLER: OK.
GONZALES: We do have minimization procedures in place...
NADLER: But you're not doing that deliberately?
GONZALES: That is correct.
Oops.
UPDATE: Talking head and former congressman Joe Scarborough is not amused. Nor is former House Speaker Newt Gingrich: "I’m not going to defend the indefensible."
UPDATE: The leftist Web publication Think Progress has posted a FAQ on some of the legal issues that suggests that the participating telcos might face significant civil liability, some government defenses notwithstanding.
