Eavesdropping 101: What Can The NSA Do?

June 13, 2006 (original story...)

The recent revelations about illegal eavesdropping on American citizens by the U.S. National Security Agency have raised many questions about just what the agency is doing. Although the facts are just beginning to emerge, information that has come to light about the NSA's activities and capabilities over the years, as well as the recent reporting by the New York Times and others, allows us to discern the outlines of what they are likely doing and how they are doing it.

The NSA is not only the world's largest spy agency (far larger than the CIA, for example), but it possesses the most advanced technology for intercepting communications. We know it has long had the ability to focus powerful surveillance capabilities on particular individuals or communications. But the current scandal has indicated two new and significant elements of the agency's eavesdropping:

1. The NSA has gained direct access to the telecommunications infrastructure through some of America's largest companies
2. The agency appears to be not only targeting individuals, but also using broad "data mining" systems that allow them to intercept and evaluate the communications of millions of people within the United States.

The ACLU has prepared a map illustrating how all this is believed to work. It shows how the military spying agency has extended its tentacles into much of the U.S. civilian communications infrastructure, including, it appears, the "switches" through which international and some domestic communications are routed, Internet exchange points, individual telephone company central facilities, and Internet Service Providers (ISPs). While we cannot be certain about these secretive links, this chart shows a representation of what is, according to recent reports, the most likely picture of what is going on.

CORPORATE BEDFELLOWS

One major new element of the NSA's spying machinery is its ability to tap directly into the major communications switches, routing stations, or access points of the telecommunications system. For example, according to the New York Times, the NSA has worked with "the leading companies" in the telecommunications industry to collect communications patterns, and has gained access "to switches that act as gateways" at "some of the main arteries for moving voice and some Internet traffic into and out of the United States."(1)

This new level of direct access apparently includes both some of the gateways through which phone calls are routed, as well as other key nodes through which a large proportion of Internet traffic passes. This new program also recognizes that today's voice and Internet communications systems are increasingly converging, with a rising proportion of even voice phone calls moving to the Internet via VOIP, and parts of the old telephone transmission system being converted to fiber optic cable and used for both data and voice communications. While data and voice sometimes travel together and sometimes do not, and we do not know exactly which "switches" and other access points the NSA has tapped, what appears certain is that the NSA is looking at both.

And most significantly, access to these "switches" and other network hubs give the agency access to a direct feed of all the communications that pass through them, and the ability to filter, sift through, analyze, read, or share those communications as it sees fit.

DATA MINING

The other major novelty in the NSA's activities appears to be the exploitation of a new concept in surveillance that has attracted a lot of attention in the past few years: what is commonly called "data mining." Unlike the agency's longstanding practice of spying on specific individuals and communications based upon some source of suspicion, data mining involves formula-based searches through mountains of data for individuals whose behavior or profile is in some way suspiciously different from the norm.

Data mining is a broad dragnet. Instead of targeting you because you once received a telephone call from a person who received a telephone call from a person who is a suspected terrorist, you might be targeted because the NSA's computers have analyzed your communications and have determined that they contain certain words or word combinations, addressing information, or other factors with a frequency that deviates from the average, and which they have decided might be an indication of suspiciousness. The NSA has no prior reason to suspect you, and you are in no way tied to any other suspicious individuals – you have just been plucked out of the crowd by a computer algorithm's analysis of your behavior.

Use of these statistical fishing expeditions has been made possible by the access to communications streams granted by key corporations. The NSA may also be engaging in "geographic targeting," in which they listen in on communications between the United States and a particular foreign country or region. More broadly, data mining has been greatly facilitated by underlying changes in technology that have taken place in the past few years (see below).

This dragnet approach is not only bad for civil liberties – it is also a bad use of our scarce security and law enforcement resources. In fact, the creation of large numbers of wasteful and distracting leads is one of the primary reasons that many security experts say data mining and other dragnet strategies are a poor way of preventing crime and terrorism. The New York Times confirmed that point, with its report that the NSA has sent the FBI a "flood" of tips generated by mass domestic eavesdropping and data mining, virtually all of which led to dead ends that wasted the FBI's resources. "We'd chase a number, find it's a schoolteacher with no indication they've ever been involved in international terrorism," one former FBI agent told the Times. "After you get a thousand numbers and not one is turning up anything, you get some frustration."(2)

COMBINING TELECOMMUNICATIONS AND OTHER PRIVATE DATA?

The NSA has historically been in the business of intercepting and analyzing communications data. One question is whether or not this communications data is being combined with other intimate details about our lives. A few years ago, the Pentagon began work on an breathtaking data mining program called Total Information Awareness, which envisioned programming computers to trawl through an extensive list of information on Americans (including, according to the program's own materials, "Financial, Education, Travel, Medical, Veterinary, Country Entry, Place/Event Entry, Transportation, Housing, Critical Resources, Government, Communications") in the hunt for "suspicious" patterns of activity. Congress decisively rejected this approach, voting to shut down the program, at least for domestic use – but we know Congress allowed elements of the program to be moved undercover, into the bowels of the Pentagon, while supposedly being restricted to non-Americans. We also know that the NSA is sharing its information with other security services. What we do not know is whether any of information from TIA-like enterprises is being combined with the NSA's communications intercepts.

HOW THE NSA SEARCHES FOR TARGETS

There are a range of techniques that are probably used by the NSA to sift through the sea of communications it steals from the world's cables and airwaves:

Keywords. In this longstanding technique, the agency maintains a watch list or "dictionary" of key words, individuals, telephone numbers and presumably now computer IP addresses. It uses that list to pick out potentially relevant communications from all the data that it gathers. These keywords are often provided to the NSA by other security agencies, and the NSA passes the resulting intelligence "take" back to the other agencies or officials. According to the law, the NSA must strip out the names and other identifying information of Americans captured inadvertently, a process called "minimization." (According to published reports, those minimization procedures are not being properly observed.) In the 1990s, it was revealed that the NSA had used the word "Greenpeace" and "Amnesty" (as in the human rights group Amnesty International) as keywords as part of its "Echelon" program (see Echelon).
Link analysis. It is believed that another manner in which individuals are now being added to the watch lists is through a process often called "link analysis." Link analysis can work like this: the CIA captures a terrorist's computer on the battlefield and finds a list of phone numbers, including some U.S. numbers. The NSA puts those numbers on their watch list. They add the people that are called from those numbers to their list. They could then in turn add the people called from those numbers to their list. How far they carry that process and what standards if any govern the process is unknown.
Other screening techniques. There may be other techniques that the NSA could be using to pluck out potential targets. One example is voice pattern analysis, in which computers listen for the sound of, say, Osama Bin Laden's voice. No one knows how accurate the NSA's computers may be at such tasks, but if commercial attempts at analogous activities such as face recognition are any guide, they would also be likely to generate enormous numbers of false hits.

A THREE-STAGE PROCESS

So how are all these new techniques and capabilities being put into practice? Presumably, "The Program" (as insiders reportedly refer to the illegal practices) continues to employ watch lists and dictionaries. We do not know how the newer and more sophisticated link analysis and statistical data mining techniques are being used.

But, a good guess is that the NSA is following a three-stage process for the broadest portion of its sweep through the communications infrastructure:

1. The Dragnet: a search for targets. In this stage, the NSA sifts through the data coursing through the arteries of our telecom systems, making use of such factors as keyword searches, telephone number and IP address targeting, and techniques such as link analysis, and "data mining." At this stage, the communications of millions of people may be scrutinized.
2. Human review: making the target list. Communications and individuals that are flagged by the system for one reason or another are presumably then subject to human review. An analyst looks at the origin, destination and content of the communication and makes a determination as to whether further eavesdropping or investigation is desired. We have absolutely no idea what kind of numbers are involved at this stage.
3. The Microscope: targeting listed individuals. Finally, individuals determined to be suspicious in phase two are presumably placed on a target list so that they are placed under the full scrutiny of the NSA's giant surveillance microscope, with all their communications captured and analyzed.

EXPANDING SURVEILLANCE AS TECHNOLOGY CHANGES

Today's NSA spying is a response to, and has been made possible by, some of the fundamental technological changes that have taken place in recent years. Around the end of 1990s, the NSA began to complain privately – and occasionally publicly – that they were being overrun by technology as communications increasingly went digital. One change in particular was especially significant: electronic communications ranging from email to voice conversations were increasingly using the new and different protocols of the Internet.

The consequence of this change was that the NSA felt it was forced to change the points in the communications infrastructure that it targeted – but having done that, it gained the ability to analyze vastly more and richer communications.

The Internet and technologies that rely upon it (such as electronic mail, web surfing and Internet-based telephones known as Voice over IP or VOIP) works by breaking information into small "packets." Each packet is then routed across the network of computers that make up the Internet according to the most efficient path at that moment, like a driver trying to avoid traffic jams as he makes his way across a city. Once all the packets – which are labeled with their origin, destination and other "header" information – have arrived, they are then reassembled.

An important result of this technology is that on the Internet, there is no longer a meaningful distinction between "domestic" and "international" routes of a communication. It was once relatively easy for the NSA, which by law is limited to "foreign intelligence," to aim its interception technologies at purely "foreign" communications. But now, an e-mail sent from London to Paris, for example, might well be routed through the west coast of the United States (when, for example, it is a busy mid-morning in Europe but the middle of the night in California) along the same path traveled by mail between Los Angeles and San Francisco.

That system makes the NSA all the more eager to get access to centralized Internet exchange points operated by a few telecommunications giants. But because of the way this technology works, eavesdropping on an IP communication is a completely different ballgame from using an old-fashioned "wiretap" on a single line. The packets of interest to the eavesdropper are mixed in with all the other traffic that crosses through that pathway – domestic and international.

ECHELON

Much of what we know about the NSA's spying prior to the recent revelations comes from the late 1990s, when a fair amount of information emerged about a system popularly referred to by the name "Echelon" – a codename the NSA had used at least at one time (although their continued use of the term, if at all, is unknown). Echelon was a system for mass eavesdropping on communications around the world by the NSA and its allies among the intelligence agencies of other nations. The best source of information on Echelon was two reports commissioned by the European Parliament (in part due to suspicions among Europeans that the NSA was carrying out economic espionage on behalf of American corporations). Other bits of information were gleaned from documents obtained through the U.S. Freedom of Information Act, as well as statements by foreign governments that were partners in the program (the UK, Australia, Canada, and New Zealand).

As of the late 1990s/early 2000s, Echelon swept up global communications using two primary methods:

* The interception of satellite and microwave signals. One way that telephone calls and other communications are sent from the United States to Europe and other destinations is via satellite and microwave transmissions. ECHELON was known to use numerous satellite receivers ("dishes") – located on the east and west coasts of the United States, in England, Australia, Germany, and elsewhere around the globe – to vacuum up the "spillover" broadcasts from these satellite transmissions.
* Transoceanic cable tapping. ECHELON's other primary eavesdropping method was to tap into the transoceanic cables that also carry phone calls across the seas. According to published reports, American divers were able to install surveillance devices onto these cables. One of these taps was discovered in 1982, but other devices apparently continued to function undetected. It is more difficult to tap into fiber-optic cables (which unlike other cables do not "leak" radio signals that can be picked up by a device attached to the outside of the cable), but there is no reason to believe that that problem remained unsolved by the agency.

We do not know the extent to which these sources of data continue to be significant for the NSA, or the extent to which they have been superseded by the agency's new direct access to the infrastructure, including the Internet itself, over which both voice and data communications travel.

UNANSWERED QUESTIONS

The bottom line is that the NSA appears to be capable not only of intercepting the international communications of a relatively small number of targeted Americans, but also of intercepting a sweeping amount of U.S. communications (through corporate-granted access to communications "pipes" and "boxes"), and of performing mass analysis on those communications (through data mining and other techniques).

Despite the fuzzy picture of "The Program" that we now possess, the current spying scandal has highlighted many unanswered questions about the NSA's current activities. They include:

* Just what kinds of communications arteries has the NSA tapped into?
* What kinds of filters or analysis is the NSA applying to the data that flows through those arteries? How are data mining and other new techniques are being used?
* Which telecom providers are cooperating with the NSA?
* How are subjects selected for targeted intercepts?
* What kinds of information exchange are taking place between the NSA and other security agencies? We know they probably turn over to other agencies any data turned up by watch list entries submitted by those other agencies, and they are also apparently passing along data mining-generated "cold hits" to the FBI and perhaps other security agencies for further investigation. Does information flow the other way as well – are other agencies giving data to the NSA for help in that second phase of deciding who gets put under the microscope?
* Is data that NSA collects, under whatever rubric, being merged with other data, either by NSA or another agency? Is communications data being merged with other transactional information, such as credit card, travel, and financial data, in the fashion of the infamous "Total Information Awareness" data mining program? (TIA, while prohibited by Congress from engaging in "domestic" activities, still exists within the Pentagon – and can be used for "foreign intelligence purposes.)
* Just how many schoolteachers and other innocent Americans have been investigated as a result of "The Program"? And just how much privacy invasion are they subject to before the FBI can conclude they are not "involved in international terrorism"?

Rarely if ever in American history has a government agency possessed so much power subject to so little oversight. Given that situation, abuses were inevitable – and any limits to those abuses a matter of mere good fortune. If our generation of leaders and citizens does not rise to the occasion, we will prove ourselves to be unworthy of the heritage that we have been so fortunate to inherit from our Founders.