The stream of leaks revealing the U.S. National Security Agency's (NSA) secrets carries on with the public outing of a powerful intelligence tracking tool.
On the back of key talks between Chinese president Xi Jinping and U.S. President Obama on issues of surveillance and cybercrime, the U.S. government's week has just gotten a lot worse. In a fresh wave of documents obtained by The Guardian, the details of the NSA's data mining tool "Boundless Informant" are laid out for the world to see.
The first story, which brought U.S. intelligence capabilities and surveillance to the media's attention, claimed that the NSA received a court order which allowed it to collect the telephone records of U.S.-based Verizon customers.
The order was issued by the Foreign Intelligence Surveillance Court (FISC), a secretive establishment which was created under the Foreign Intelligence Surveillance Act (FISA) 1978 and amended by the Patriot Act in 2001. The court order forced Verizon to hand over communications metadata on an "ongoing, daily basis" to the agency until July 19 this year, when the order expires.
After the court order came to light, details of the NSA's internal computer system, dubbed PRISM, were leaked by The Washington Post. The report alleged that PRISM has been used to collect communications data from around the globe since 2007 under the NSA's Signals Intelligence Directorate, with "the assistance of communications providers in the U.S."
Seven firms allegedly involved in the program were named as Microsoft, Yahoo, Google, Facebook, AOL, Skype, YouTube, Apple, and PalTalk. One by one, the companies all denied knowledge of the system, and the Post quietly altered the report, which originally stated the tech giants "knowingly participated" in the scheme.
In response, U.S. Director of National Intelligence James Clapper issued a statement saying the system is "important and entirely legal," and that the behaviour of media outlets disclosing details of the program was "reprehensible."
The intelligence chief released a PRISM factsheet (.PDF) on Saturday which claims that under Section 702 of FISA: "the United States government does not unilaterally obtain information from the servers of U.S. electronic communication service providers." In addition, data is only obtained following FISA court approval and with the knowledge of service providers.
"Section 702 facilitates the targeted acquisition of foreign intelligence information concerning foreign targets located outside the United States under court oversight. Service providers supply information to the Government when they are lawfully required to do so. The Government cannot target anyone under the court-approved procedures for Section 702 collection unless there is an appropriate, and documented, foreign intelligence purpose for the acquisition."
PRISM's existence was confirmed by President Obama in a speech on Friday. Whereas the internal computer system collects data, Boundless Informant focuses on organizing and indexing metadata. In other words, the tool categorizes communications records rather than the content of a message itself, such as a text message or phone call.
A leaked fact sheet (.PDF) explains that almost three billion pieces of intelligence were collected from U.S. computer networks in the 30-day period ending March this year, and almost 100 billion pieces were indexed worldwide. Countries are ranked based on how much information has been taken from mobile and online networks, and color-coded depending on how extensively the NSA is spying on a country.
Users of the tool are able to select a country on Boundless Informant's "heat map" to view details including the metadata volume and different kinds of NSA information collection.
Iran is top of the surveillance list with over 14 billion data reports categorized by the tracking tool in March, with Pakistan coming in a close second at 13.5 billion reports. Jordan, Egypt and India are also top contributors.
Levels of country-specific surveillance are color-coded depending on severity: green indicates the least, moving through the spectrum to red for a country under heavy surveillance.
Example use cases include "How many records (and what type) are collected against a particular country?" and "Are there any visible trends for the collection?"
The other leaked document (.PDF) says the tool is designed to give NSA officials answers to questions including what coverage the agency has on specific countries, how data collection compares in different regions, and how many records are being produced.
Both documents were protectively marked as "top secret" and "NOFORN," barring non-U.S. citizens from viewing them.
According to the documents, Boundless Informant is hosted on corporate servers and leverages free and open-source software (FOSS) technology. Raw data is analyzed and processed in the cloud. The level of data categorized can also be broken down to determine which intercepts originate from the U.S., and this detail includes IP addresses, which can be traced back to determine a user's country of origin, state and city.
In a March hearing last year, NSA director-general Keith Alexander repeatedly denied that the U.S. government spies on its citizens. When asked by Rep. Hank Johnson (R-GA) if the NSA has the technological capacity to identify citizens based upon the content of their emails, Alexander commented:
"No no, we don't have the technical insights in the United States. In other words, you have to have something to intercept or some way of doing that either by going to a service provider with a warrant or you have to be collecting in that area. We’re not authorized to that nor do we have the equipment in the United States to collect that kind of information."
The exposure of the NSA's internal Boundless tracking tool, which is likely only used by the intelligence agency, and Alexander's previous comments appear to be in complete contradiction. The NSA has maintained its position and denies spying on U.S. citizens, with a spokesperson for the agency telling The Guardian:
"NSA has consistently reported — including to Congress — that we do not have the ability to determine with certainty the identity or location of all communicants within a given communication. That remains the case. The continued publication of these allegations about highly classified issues, and other information taken out of context, makes it impossible to conduct a reasonable discussion on the merits of these programs."