http://online.wsj.com/article/SB10001424127887324108204579025222...

What You Need t o Know on New Det ails of NSA Spying

Today's report in The Wall Street Journal reveals that the National Security Agency's spying t ools ext end deep int o t he domestic U.S. t elecommunications infrastructure, giving t he agency a surveillance struct ure wit h t he abilit y t o cover t he majorit y of Int ernet t raffic in t he count ry, according t o current and former U.S. officials and other people familiar wit h t he system. The information here is based on int erviews wit h current and former int elligence and government officials, as well as people familiar wit h the companies' systems. New Det ai l s Show Broader NSA Reach [1] Alt hough the system is focused on collect ing foreign communications, it includes cont ent of Americans' emails and ot her elect ronic communications, as well as "metadata," which involves information such as the "t o" or "from" lines of emails, or t he IP addresses people are using. At key point s along t he U.S. Int ernet infrastruct ure, the NSA has worked wit h t elecommunications providers to install equipment t hat copies, scans and filters large amount s of t he traffic that passes through. This system had it s genesis before t he attacks of Sept. 11, 2001, and has expanded since t hen. What is new i n t he Journal 's report ? Previous report s have indicated t hat t he NSA's surveillance of t elecommunications lines in t he U.S. focuses on int ernational gateways and landing point s. Ot her report s have indicated that surveillance of t he U.S. telecom network was used t o gather only metadata under a program t hat t he NSA says ended in 2011. The Journal report ing demonstrates that t he NSA, in conjunct ion wit h
1 of 8

8/21/2013 3:15 PM

http://online.wsj.com/article/SB10001424127887324108204579025222...

t elecommunications companies, has built a system t hat can reach deep int o t he U.S. Int ernet backbone and cover 75% of t raffic in t he count ry, including not only metadata but t he cont ent of online communications. The report also explains how t he NSA relies on probabilit ies, algorit hms and filt ering t echniques to sift t hrough the data and find information related t o foreign int elligence investigations. What is t his surveil l ance syst em? NSA has worked wit h t elecom companies to develop a surveillance system that covers roughly 75% of U.S. t elecommunications. Armed wit h a court order, NSA can command t hat system to provide t he information it asks for. The t elecoms have a system in place designed t o do at least init ial filt ering and send streams of t raffic most responsive t o NSA's request t o NSA machines, which t hen filt er t hat stream of t raffic for "select ors"for instance, perhaps a set of IP addressesand sift out t he data t hat matches. NSA can't reach in and t ouch t he t elecommunications company's, or anyone else's, unfilt ered corporate system. But in general it can get what it needs from t he system. How does t hi s work? The exact t echnology used depends on the t elecommunications carrier involved, when t he equipment was installed and ot her factors. In general, t he system copies traffic flowing t hrough t he U.S. Int ernet system and t hen runs it through a series of filt ers. These filt ers are designed t o sift out communications that involve at least one person out side the U.S. and t hat may be of foreign-intelligence value. The information t hat makes it t hrough t he filt ers goes to the NSA; t he information t hat doesn't meet NSA's crit eria is discarded. More specifically, t here are t wo common methods used, according t o people familiar wit h the system. In one, a fiber-optic line is split at a junct ion, and traffic is copied t o a processing system that int eract s wit h t he NSA's systems, sifting through information based on NSA parameters.

2 of 8

8/21/2013 3:15 PM

http://online.wsj.com/article/SB10001424127887324108204579025222...

In anot her, companies program t heir routers to do init ial filt ering based on metadata from Int ernet "packets" and send copied data along. This data flow goes t o a processing system t hat uses NSA parameters t o narrow down t he data furt her. What kinds of informat i on does t he syst em keep or discard? Init ial filters might look at things such as the t ype of communication being sent. For example, videos downloaded from YouTube might not be of much interest, so t hey could be filt ered out. The filters also look at IP addresses in an effort to determine the geographic region involved in t he t ransmission. This is done t o focus on foreign communications. The NSA ult imately decides what information t o keep based on what it calls "strong selectors," such as specific email addresses or ranges of Int ernet addresses t hat belong to organizations. But it receives a broader stream of Internet traffic from which it picks out data t hat matches selectors. Does t hi s mean NSA anal yst s are reading al l your emai ls and wat ching you surf t he Web? No. That would involve a t remendously large number of people and amount of t ime. However, t he government is in some cases allowed t o search Americans' information t hat is collect ed through t his system. How much I nt ernet t raf fi c does t he NSA get ? The NSA-telecom surveillance system covers about 75% of U.S. communications, but t he amount act ually stored by t he NSA is a small port ion of t hat, current and former government officials say. Why does t he NSA have t hi s syst em? The NSA uses this system t o help pursue foreign int elligence investigations. Such investigations include those that aim t o prevent attacks by int ernational t errorist groups. Because the people involved in these groups can be within t he U.S., investigators want to look at communications that involve people in
3 of 8

8/21/2013 3:15 PM

http://online.wsj.com/article/SB10001424127887324108204579025222...

America, part icularly t hose who communicate wit h people out side t he U.S. In addit ion, a considerable amount of int ernational traffic flows t hrough t he U.S. or t o Int ernet services here, and national securit y investigators want t o be able to monit or that information. Why can't t hey j ust focus on t he i nt ernat i onal undersea cabl es? The NSA began by focusing on cables that carry int ernational t raffic t o and from t he U.S. under t he sea. But now the agency's reach covers a system t hat handles most domestic t raffic as well. Tapping only at cable landing point s present s some logistical problems, says Jennifer Rexford, a comput er science professor at Princeton University who studies Int ernet rout ing. First, t hose cables handle a huge amount of t raffic at very high speeds, meaning t hat it is more likely for a t ap t here to drop or lose some of t he data "packets" that make up Int ernet communications. Second, Internet routing is complicated: Not all parts of an Int ernet communication will flow over t he same path, meaning it could be difficult t o piece everything back t ogether if taps are only on t hose lines. The ability t o access domestic communications net works means the system has redundancy and is bett er able t o deliver t he information t he NSA needs. In addit ion, many people overseas use Int ernet services located in t he U.S., and t he NSA want s to be able t o access that t raffic. For instance, one person overseas could log int o a U.S.-based online email service and send an email t o t he account of anot her person who uses a different U.S. email. This email would actually t ravel from one server in t he U.S. to another server in t he U.S., even if the people communicating were outside it. I s t hi s l egal ? This system is currently conduct ed primarily under part of a law t hat was passed in 2008 amending t he Foreign Int elligence Surveillance Act. Somet imes t his part of t he law is called "Section 702." Section 702 allows the NSA and FBI t o t arget surveillance of people "reasonably believed" to be located outside t he U.S. Rules governing how t he NSA collect s data under t his law are approved by t he secret Foreign Int elligence Surveillance
4 of 8

8/21/2013 3:15 PM

http://online.wsj.com/article/SB10001424127887324108204579025222...

Court , or FISC, but aft er t hat, each instance of surveillance doesn't need a judge's approval. The NSA and FBI must outline t o the court t he steps t hey t ake t o help ensure t he communications they gather are "reasonably believed" t o have a foreign element , as well as the measures used t o minimize Americans' communications that are collect ed inadvert ent ly. There are also a few ot her legal authorit ies related t o this collection: Before t he 2008 law was passed, the system was allowed under a short-lived stopgap law t hat allowed largely the same t hing. Before t hat stopgap measure, t he system was part of President George W. Bush's warrant less surveillance program. In addit ion, unt il t he end of 2011, t his same infrastructure allowed for a slightly different program t hat collected metadata from domestic U.S. communications in bulk. That program was possible under a part of the Foreign Int elligence Surveillance Act that allowed t ools called "pen registers," which are used to collect metadata. U.S. officials say that particular program was canceled in part because it wasn't producing valuable information. Some part s of the system are also carried out under foreign spying aut horit ies. The intelligence communit y has long been able t o apply for warrant s under Tit le 1 of the Foreign Int elligence Surveillance Act. Those warrant s are largely like warrant s used in law enforcement , except t hat t hey are approved by the FISC because of their secret nature. In some cases, t aps on Int ernet networks could be used t o fulfill t hese warrant s. What li mit at i ons are t here on t his program? The NSA must follow procedures approved by t he secret FISA court to narrow it s t argets and t o "minimize," or discard, information collected about Americans. Document s leaked by former NSA cont ract or Edward Snowden out lined t he procedures as they stood in 2009. One paragraph in t hese document s is part icularly relevant t o domestic Internet collect ion. In t hat paragraph, marked Top Secret, t he government says that it will "employ an Int ernet Protocol filt er" "or it will t arget Internet links that t erminate in a foreign count ry." This indicates t hat t he rules allow t he government eit her t o
5 of 8

8/21/2013 3:15 PM

http://online.wsj.com/article/SB10001424127887324108204579025222...

rely on t he fact that t he cable runs t o a foreign count ry or t o rely on its IP filt ers, in order t o provide reasonable assurances that t he communication involves a foreigner. The NSA also vets targets using more t raditional methods, such as data it already hasand information from ot her agencies like human intelligence or cont act s wit h foreign law enforcementto decide whether t hey are "reasonably believed" t o be out side t he U.S. In addit ion, people familiar with t he legal process say lawyers at the t elecommunications providers can serve as a check on t he system. Aft er information is collected, t he NSA has rules to minimize information about people in the U.S. There are several except ions to t hese minimization rules, t hough. The NSA is allowed t o keep Americans' information and t urn it over t o t he FBI if it is "reasonably believed t o contain significant foreign int elligence information," "evidence of a crime" or information about communications security vulnerabilit ies, the document s say. Americans' communications also can be kept if they are encrypted, according t o t he document s. How does t hi s syst em f i t i n wi t h Pri sm? The Prism program collects stored Internet communications based on demands made t o Int ernet companies such as Google Inc. under Section 702. Several companies have said the requests under this program don't result in bulk collect ion, meaning t hey are narrower t han t he filtering system on t he domestic Internet backbone. The NSA can use these Prism requests to t arget communications that were encrypt ed when t hey t raveled across the Int ernet backbone, t o focus on stored data t hat t he filtering systems discarded earlier, and t o get data t hat is easier t o handle, among ot her t hings. What privacy i ssues does t hi s syst em rai se? One involves the reliance on algorithmic filt ering t o sift out domestic communications. Such algorithms can be complicated, and computer IP addresses don't always provide a good gauge of where the person is
6 of 8

8/21/2013 3:15 PM

http://online.wsj.com/article/SB10001424127887324108204579025222...

geographically. Small changes in t he algorit hms can result in overcollect ion of Americans' data, which can t hen be stored by t he NSA, say former U.S. officials, and current officials say it has stored some purely domestic communications wit hin it s systems. Document s revealed by Mr. Snowden and disclosed recent ly indicate t hat t he NSA has made mistakes because of t echnical error. Some people familiar wit h t he systems say they are concerned t hat t he huge amount of U.S. information accessible by t hese filt ering systems, combined wit h the complicated nature of t he filt ers, means it could be easy t o sweep in domestic communications. In 2011, the FISA court found part of t he domestic NSA-telecom system unconstitutional, officials say. They say t he NSA set t he filt ers on t he programs inappropriately in 2008, and the problem was discovered by t he NSA in 2011 and reported. "NSA's foreign int elligence collect ion act ivit ies are cont inually audit ed and overseen int ernally and ext ernally," says NSA spokeswoman Vanee Vines. "When we make a mistake in carrying out our foreign intelligence mission, we report t he issue internally and to federal overseers and aggressively get t o t he bot t om of it." Anot her possible concern is the ability of overseers, including t he secret FISA court , to adequately police such technical systems. The court was created in t he 1970s to oversee warrant s on t argets in national securit y investigations, not "to be in the business of approving very t echnical collect ion procedures," said one former government official who is familiar wit h t he legal process. President Obama and ot her support ers of t he programs have said t he NSA programs face careful oversight from all t hree branches of government. "We've got congressional oversight and judicial oversight ," Mr. Obama has said. "And if people can't t rust not only t he execut ive branch but also don't t rust Congress and don't t rust federal judges to make sure that we're abiding by the Constit ut ion, due process and rule of law, t hen we're going t o have some problems here." A person familiar with t he legal process told t he Journal that t he system relies in part on t he t elecom companies themselves to push back against what t hey see as problematic surveillance. This person said the appropriate rules aren't always clear, because of t he complexities of Int ernet rout ing and surveillance.
7 of 8

8/21/2013 3:15 PM

http://online.wsj.com/article/SB10001424127887324108204579025222...

A U.S. official said lawyers at t hese companies serve as an independent check on what the NSA receives. Finally, t he except ions to minimization requirement s mean information gathered on Americans could be used in ordinary criminal investigations, according to rules approved by t he FISA court. NSA officials have said they are careful t o use t he information in accordance wit h the rules. Wri t e t o Jennifer Valent ino-DeVries at Jennifer.Valent ino-DeVries@wsj.com [2] and Siobhan Gorman at siobhan.gorman@wsj.com [3]

1. ht t p://online.wsj.com/art icle/SB10001424127887324108204579022874091732470.ht ml 2. mailt o:Jennifer.Valentino-DeVries@wsj.com 3. mailt o:siobhan.gorman@wsj.com

8 of 8

8/21/2013 3:15 PM