The disclosure of controversial mass surveillance programmes by intelligence and national security agencies has evoked an international debate on the right of citizens to be protected from illegitimate or warrantless collection and analysis of their data and meta-data. This report aims at identifying what are the risks of data breaches for users of publicly available Internet services such as web browsing, email, social networks, cloud computing, or voice communications, via personal computers or mobile devices, and what are the possible impacts for the citizens and the European Information Society. In this context a clear distinction has to be made between data and meta-data. Also it must be differentiated between mass unwarranted and indiscriminate interception, and targeted lawful interception of Internet and telephony data for the purpose of law enforcement and crime investigation. While targeted lawful interception constitutes a necessary and legitimate instrument of intelligence and law enforcement agencies, mass surveillance is considered a threat to civil liberties such as the right to freedom of opinion and expression. These civil liberties are essential human rights in democratic societies and of particular importance for safeguarding independent journalism and political opposition.
This manual provides guidance for sanitization of Information Systems (IS) storage devices for disposal or recycling in accordance with NSA/CSS Policy Statement 9-12, “NSA/CSS Storage Device Sanitization.” Information stored on these devices may range from UNCLASSIFIED to TOP SECRET and may include compartmented, sensitive, or limiteddistribution material. Furthermore, this manual provides information on how to obtain current listings of evaluated sanitization equipment that meets NSA/CSS specifications.
Section 215 is designed to enable the FBI to acquire records that a business has in its possession, as part of an FBI investigation, when those records are relevant to the investigation. Yet the operation of the NSA’s bulk telephone records program bears almost no resemblance to that description. While the Board believes that this program has been conducted in good faith to vigorously pursue the government’s counterterrorism mission and appreciates the government’s efforts to bring the program under the oversight of the FISA court, the Board concludes that Section 215 does not provide an adequate legal basis to support the program. There are four grounds upon which we find that the telephone records program fails to comply with Section 215. First, the telephone records acquired under the program have no connection to any specific FBI investigation at the time of their collection. Second, because the records are collected in bulk — potentially encompassing all telephone calling records across the nation — they cannot be regarded as “relevant” to any FBI investigation as required by the statute without redefining the word relevant in a manner that is circular, unlimited in scope, and out of step with the case law from analogous legal contexts involving the production of records. Third, the program operates by putting telephone companies under an obligation to furnish new calling records on a daily basis as they are generated (instead of turning over records already in their possession) — an approach lacking foundation in the statute and one that is inconsistent with FISA as a whole. Fourth, the statute permits only the FBI to obtain items for use in its investigations; it does not authorize the NSA to collect anything.
In the wake of the disclosures surrounding PRISM and other US surveillance programmes, this study makes an assessment of the large-scale surveillance practices by a selection of EU member states: the UK, Sweden, France, Germany and the Netherlands. Given the large-scale nature of surveillance practices at stake, which represent a reconfiguration of traditional intelligence gathering, the study contends that an analysis of European surveillance programmes cannot be reduced to a question of balance between data protection versus national security, but has to be framed in terms of collective freedoms and democracy. It finds that four of the five EU member states selected for in-depth examination are engaging in some form of large-scale interception and surveillance of communication data, and identifies parallels and discrepancies between these programmes and the NSA-run operations. The study argues that these surveillance programmes do not stand outside the realm of EU intervention but can be engaged from an EU law perspective via (i) an understanding of national security in a democratic rule of law framework where fundamental human rights standards and judicial oversight constitute key standards; (ii) the risks presented to the internal security of the Union as a whole as well as the privacy of EU citizens as data owners, and (iii) the potential spillover into the activities and responsibilities of EU agencies. The study then presents a set of policy recommendations to the European Parliament.
This white paper explains the Government’s legal basis for an intelligence collection program under which the Federal Bureau of Investigation (FBI) obtains court orders directing certain telecommunications service providers to produce telephony metadata in bulk. The bulk metadata is stored, queried and analyzed by the National Security Agency (NSA) for counterterrorism purposes. The Foreign Intelligence Surveillance Court (“the FISC” or “the Court”) authorizes this program under the “business records” provision of the Foreign Intelligence Surveillance Act (FISA), 50 U.S.C. § 1861, enacted as section 215 of the USA PATRIOT Act (Section 215). The Court first authorized the program in 2006, and it has since been renewed thirty-four times under orders issued by fourteen different FISC judges. This paper explains why the telephony metadata collection program, subject to the restrictions imposed by the Court, is consistent with the Constitution and the standards set forth by Congress in Section 215. Because aspects of this program remain classified, there are limits to what can be said publicly about the facts underlying its legal authorization. This paper is an effort to provide as much information as possible to the public concerning the legal authority for this program, consistent with the need to protect national security, including intelligence sources and methods. While this paper summarizes the legal basis for the program, it is not intended to be an exhaustive analysis of the program or the legal arguments or authorities in support of it.
Many networks run by public and private organizations have experienced intrusions in recent years, and this cyber exploitation has resulted in an unprecedented transfer of wealth due to lost intellectual property. The threats to our networks and systems exist across numerous components that include end-user-devices, servers, and infrastructure devices. To address threats to routers and other network infrastructure devices, the National Security Agency’s Information Assurance Directorate (IAD) is publishing this IAA to guide U.S. Government systems accreditors’ strategic plan for network hardening.
Adversary actors in cyberspace continue to demonstrate the interest in and ability to execute Distributed Denial of Service (DDoS) attacks against the United States. The need to offer Internet services in support of mission requirements inherently exposes these services to malicious traffic and the potential for DDoS attack. Proactive preparation to ensure network resilience in the event of a DDoS event is essential. Reactive measures are feasible, but are often too slow to respond to the dynamic nature of today’s threat.
This document is intended as the standard U.S. user’s manual for planning and conducting field key generation and OTAD in support of tactical activities. It is targeted primarily at Joint and Intra-Service Operations and Exercises, particularly those involving forces that do not routinely train or operate together. It also has limited application to Combined operations and exercises involving Allied forces that hold OTAR- and OTAT-capable COMSEC equipment
This document provides detailed instructions for the implementation and installation of premise wire infrastructure in support of unclassified and classified networks within NSAW, Build-out Facilities, domestic facilities where NSA controls the plenum, domestic facilities where NSA does not control the plenum and all OCONUS field sites. This document provides instructions for implementations and installations of premise wiring in communications facilities, office spaces and machine rooms by ITD Internal Service Providers (ISP), External Service providers (ESP), field personnel stationed at the respective facilities or authorized NSA agents.
The Department of Defense (DOD) has published the (Final) Environmental Impact Statement (EIS) for the proposed implementation of campus development initiatives and the construction of associated facilities for the National Security Agency (NSA) complex at Fort George G. Meade (Fort Meade), Maryland, dated September, 2010. The National Security Agency/Central Security Service (NSA/CSS) is a cryptologic intelligence agency administered as part of the DOD. It is responsible for the collection and analysis of foreign communications and foreign signals intelligence. For NSA/CSS to continue to lead the Intelligence Community into the next 50 years with state-of-the-art technologies and productivity, its mission elements will require new facilities and infrastructure.
The policy of the U.S. Government is that all classified information must be appropriately safeguarded to assure the confidentiality, integrity, and availability of that information. This document provides procedural guidance for the protection, use, management, and dissemination of Sensitive Compartmented Information (SCI), and is applicable to the Department of Defense (DoD) to include DoD components and Government contractors who process SCI.
With internet traffic growing exponentially, attacks on government and commercial computers by cyber terrorists and rogue states have escalated. Those wishing harm have espionage programs targeting the data systems used by the United States and allies. Drug traffickers and weapons dealers use the internet with encrypted communications. To counter these activities, the National Security Agency, an agency of the U.S. government, is building a fortified data center deep inside a mountain in Utah. This complex will house the world’s most sophisticated supercomputers dedicated to code breaking and data traffic analysis. Another site will eventually take delivery of the latest Cray supercomputer called Cascade to support the NSA’s need to crack codes faster to protect the nation and its allies.
The NSA has the capability to do individualized searches, similar to Google, for particular electronic communications in real time through such criteria as target addresses, locations, countries and phone numbers, as well as watch-listed names, keywords, and phrases in email. The NSA also has the capability to seize and store most electronic communications passing through its U.S. intercept centers. The wholesale collection of data allows the NSA to identify and analyze Entities or Communities of interest later in a static database. Based on my proximity to the PSP and my years of experience at the NSA, I can draw informed conclusions from the available facts. Those facts indicate that the NSA is doing both.
A letter from the Commander of U.S. Cyber Command Keith Alexander to Senator John McCain describing the role of U.S. Cyber Command and its position on current efforts to pass cybersecurity legislation.
A map and list of possible locations of NSA domestic interception points inside the United States. The list was presented by computer security researcher Jacob Appelbaum at a recent event held at the Whitney Museum in New York along with filmmaker Laura Poitras and ex-NSA employee William Binney. One of the addresses, an AT&T building on Folsom Street in San Francisco, is the location of Room 641A which was the subject of multiple lawsuits regarding warrantless surveillance of U.S. citizens. A recent article in Wired quoted Binney as estimating that there are likely ten to twenty of these locations around the country.
The Office of the Director of National Intelligence (ODNI) is building a computer system capable of automatically analyzing the massive quantities of data gathered across the entire intelligence community and extracting information on specific entities and their relationships to one another. The system which is called Catalyst is part of a larger effort by ODNI to create software and computer systems capable of knowledge management, entity extraction and semantic integration, enabling greater analysis and understanding of complex, multi-source intelligence throughout the government.
The National Security Agency/Central Security Service officially opened the new NSA/CSS Georgia Cryptologic Center at a ribbon-cutting ceremony where officials emphasized how the $286 million complex will provide cryptologic professionals with the latest state-of-the-art tools to conduct signals intelligence operations, train the cryptologic workforce, and enable global communications. NSA/CSS has had a presence in Georgia for over 16 years on Ft. Gordon, when only 50 people arrived to establish one of NSA’s Regional Security Operations Centers.
The National Security Agency, a secretive arm of the U.S. military, has begun providing Wall Street banks with intelligence on foreign hackers, a sign of growing fears of financial sabotage. The assistance from the agency that conducts electronic spying overseas is part of an effort by American banks and other financial firms to get help from the U.S. military and private defense contractors to fend off cyber attacks, according to interviews with U.S. officials, security experts and defense industry executives. The Federal Bureau of Investigation has also warned banks of particular threats amid concerns that hackers could potentially exploit security vulnerabilities to wreak havoc across global markets and cause economic mayhem. While government and private sector security sources are reluctant to discuss specific lines of investigations, they paint worst-case scenarios of hackers ensconcing themselves inside a bank’s network to disable trading systems for stocks, bonds and currencies, trigger flash crashes, initiate large transfers of funds or turn off all ATM machines.
Threats posed by cyber-attacks on computer networks and the Internet are escalating from large-scale theft of data and strikes designed to disrupt computer operations to more lethal attacks that destroy entire systems and physical equipment. “That’s our concern about what’s coming in cyberspace — a destructive element,” Gen. Alexander, who is also the director of the National Security Agency, the electronic spying agency, said in a speech at a conference on cyberwarfare. Gen. Alexander said two cases illustrate what could happen in an attack.
Google has admitted complying with requests from US intelligence agencies for data stored in its European data centers, most likely in violation of European Union data protection laws. Gordon Frazer, Microsoft UK’s managing director, made news headlines some weeks ago when he admitted that Microsoft can be compelled to share data with the US government regardless of where it is hosted in the world. At the center of this problem is the USA PATRIOT ACT, which states that companies incorporated in the United States must hand over data administered by their foreign subsidiaries if requested. Not only that, but they can be forced to keep quiet about it in order to avoid exposing active investigations and alert those targeted by the probes.
A federal judge has issued an opinion in EPIC v. NSA, and accepted the NSA’s claim that it can “neither confirm nor deny” that it had entered into a relationship with Google following the China hacking incident in January 2010. EPIC had sought documents under the FOIA because such an agreement could reveal that the NSA is developing technical standards that would enable greater surveillance of Internet users. The “Glomar response,” to neither confirm nor deny, is a controversial legal doctrine that allows agencies to conceal the existence of records that might otherwise be subject to public disclosure. EPIC plans to appeal this decision. EPIC is also litigating to obtain the National Security Presidential Directive that sets out the NSA’s cyber security authority. And EPIC is seeking from the NSA information about Internet vulnerability assessments, the Director’s classified views on how the NSA’s practices impact Internet privacy, and the NSA’s “Perfect Citizen” program.
Declassified DoD Inspector General Report on NSA Thinthread and Trailblazer Systems from December 15, 2004.