Metadata sharing through GLOBALREACH
Last month's Intercept report on ICREACH, NSA's program for sharing metadata with the broader U.S. intelligence community, also contained some information about GLOBALREACH, a similar program for sharing metadata among the Five Eyes countries.
As explained in the article (Ryan Gallagher, "The Surveillance Engine: How the NSA Built Its Own Secret Google," The Intercept, 25 August 2014),
The system began operating on a pilot project basis in 2007.
The following graphics from the May 2007 presentation (see pages 31 and 33 of the documents) show that data brokers had already been created to facilitate metadata sharing between NSA and GCHQ, and that brokers were planned for the other Five Eyes agencies, CSE, DSD (now ASD), and GCSB.
The presentation also showed (see page 21) that NSA databases already contained metadata concerning roughly 126 billion telephone "call events" obtained from Second Parties (mostly probably pertaining to communications outside their own countries), but that no Digital Network Information (Internet-related) metadata had "yet" been provided by the Second Parties.
Notes taken at a Five Eyes metadata-sharing conference hosted by GCHQ in 2008 (page 44 of the documents) indicate that "Second Party derived data" had not at that point been "made available to US Intelligence Community (IC) (domestic) agencies" (as opposed to the NSA itself), but that this broader access was being sought. "In the hope that such agreement will be forthcoming, NSA has persuaded other US IC agencies to make almost 100 bn previously NOFORN records [in the PROTON database] shareable with the 5-eyes via GLOBALREACH."
The conference also discussed the willingness of NSA's partners to share metadata relating to their own nationals/residents. DSD indicated that it was able to "share bulk, unselected, unminimised metadata as long as there is no intent to target an Australian national – unintentional collection is not viewed as a significant issue. However, if a ‘pattern of life’ search detects an Australian then there would be a need to contact DSD and ask them to obtain a ministerial warrant to continue."
CSEC, by contrast, was of the view that "bulk, unselected metadata presents too high a risk to share with second parties at this time, because of the requirement to ensure that the identities of Canadians or persons in Canada are minimised". Re-evaluation of this stance was underway at the time of the conference, the notes indicate, but a 2013 report by the CSE Commissioner indicated that CSEC continues to "[suppress] Canadian identity information in metadata and reports shared with the Second Parties". The same statement does confirm, however, that at least some minimized Canadian metadata is indeed shared. (And, of course, it remains possible for the relevant Canadian identity information to be provided if the other party can produce what may well be little more than a form letter justifying its provision.)
NSA, for its part, indicated that "Sharing unmasked US identifiers with second party SIGINT partners will be easier than with some US domestic partners.” (See page 43.)
The Intercept report notes that the total number of metadata records shared through ICREACH (and presumably GLOBALREACH) is "more than 850 billion". In fact, the total is likely to be much larger than that. By 2007 the databases were growing by about 570 billion records a year (page 22), and the annual collection rate has almost certainly increased substantially in the years since.
Older records may well have been purged of course, but even assuming no increase in collection and, for the sake of argument, a short, five-year data retention period, the total number of metadata records available must be close to three trillion. The actual number could be many trillions higher than that.
In addition, as The Intercept reported, "The intelligence community’s top-secret 'Black Budget' for 2013… shows that the NSA recently sought new funding to upgrade ICREACH to 'provide IC analysts with access to a wider set of shareable data.'"
Use of Five Eyes-related metadata is also getting more extensive. On 29 November 2010, the NSA's SID Management Directive 424 changed the procedures regarding metadata analysis to "permit contact chaining, and other analysis, from and through any selector, irrespective of nationality or location, in order to follow or discover valid foreign intelligence targets." As this document explains, "The impact of the new procedures is two-fold. In the first place it allows NSA to discover and track connections between foreign intelligence targets and possible 2nd Party or US communicants. In the second place it enables large-scale graph analysis on very large sets of communications metadata without having to check foreignness of every node or address in the graph."
What procedures are in place to protect the privacy of Canadians during such analyses?
As former NSA Director Michael Hayden famously said, "We kill people based on metadata". It is not impossible to imagine occasions when a Canadian might end up on the wrong end of a Hellfire missile, a practice we used to call "extrajudicial execution".
In his most recent annual report, the CSE Commissioner reported that he began, this year, to include "disclosures of Canadian identities to second party partners" in his annual review of disclosures of Canadian identity information.
As explained in the article (Ryan Gallagher, "The Surveillance Engine: How the NSA Built Its Own Secret Google," The Intercept, 25 August 2014),
The creation of ICREACH represented a landmark moment in the history of classified U.S. government surveillance...The documents released by The Intercept in conjunction with its report can be found here.
“The ICREACH team delivered the first-ever wholesale sharing of communications metadata within the U.S. Intelligence Community,” noted a top-secret memo dated December 2007. “This team began over two years ago with a basic concept compelled by the IC’s increasing need for communications metadata and NSA’s ability to collect, process and store vast amounts of communications metadata related to worldwide intelligence targets.”
The search tool was designed to be the largest system for internally sharing secret surveillance records in the United States, capable of handling two to five billion new records every day, including more than 30 different kinds of metadata on emails, phone calls, faxes, internet chats, and text messages, as well as location information collected from cellphones. Metadata reveals information about a communication—such as the “to” and “from” parts of an email, and the time and date it was sent, or the phone numbers someone called and when they called—but not the content of the message or audio of the call. ...
In 2006, NSA director Alexander drafted his secret proposal to then-Director of National Intelligence Negroponte. ...
Alexander explained in the memo that NSA was already collecting “vast amounts of communications metadata” and was preparing to share some of it on a system called GLOBALREACH with its counterparts in the so-called Five Eyes surveillance alliance: the United Kingdom, Australia, Canada, and New Zealand.
ICREACH, he proposed, could be designed like GLOBALREACH and accessible only to U.S. agencies in the intelligence community, or IC.
A top-secret PowerPoint presentation from May 2007 illustrated how ICREACH would work—revealing its “Google-like” search interface and showing how the NSA planned to link it to the DEA, DIA, CIA, and the FBI. Each agency would access and input data through a secret data “broker”—a sort of digital letterbox—linked to the central NSA system. ICREACH, according to the presentation, would also receive metadata from the Five Eyes allies.
The aim was not necessarily for ICREACH to completely replace [the earlier CIA-hosted] CRISSCROSS/PROTON, but rather to complement it. The NSA planned to use the new system to perform more advanced kinds of surveillance—such as “pattern of life analysis,” which involves monitoring who individuals communicate with and the places they visit over a period of several months, in order to observe their habits and predict future behavior.
The system began operating on a pilot project basis in 2007.
The following graphics from the May 2007 presentation (see pages 31 and 33 of the documents) show that data brokers had already been created to facilitate metadata sharing between NSA and GCHQ, and that brokers were planned for the other Five Eyes agencies, CSE, DSD (now ASD), and GCSB.
The presentation also showed (see page 21) that NSA databases already contained metadata concerning roughly 126 billion telephone "call events" obtained from Second Parties (mostly probably pertaining to communications outside their own countries), but that no Digital Network Information (Internet-related) metadata had "yet" been provided by the Second Parties.
Notes taken at a Five Eyes metadata-sharing conference hosted by GCHQ in 2008 (page 44 of the documents) indicate that "Second Party derived data" had not at that point been "made available to US Intelligence Community (IC) (domestic) agencies" (as opposed to the NSA itself), but that this broader access was being sought. "In the hope that such agreement will be forthcoming, NSA has persuaded other US IC agencies to make almost 100 bn previously NOFORN records [in the PROTON database] shareable with the 5-eyes via GLOBALREACH."
The conference also discussed the willingness of NSA's partners to share metadata relating to their own nationals/residents. DSD indicated that it was able to "share bulk, unselected, unminimised metadata as long as there is no intent to target an Australian national – unintentional collection is not viewed as a significant issue. However, if a ‘pattern of life’ search detects an Australian then there would be a need to contact DSD and ask them to obtain a ministerial warrant to continue."
CSEC, by contrast, was of the view that "bulk, unselected metadata presents too high a risk to share with second parties at this time, because of the requirement to ensure that the identities of Canadians or persons in Canada are minimised". Re-evaluation of this stance was underway at the time of the conference, the notes indicate, but a 2013 report by the CSE Commissioner indicated that CSEC continues to "[suppress] Canadian identity information in metadata and reports shared with the Second Parties". The same statement does confirm, however, that at least some minimized Canadian metadata is indeed shared. (And, of course, it remains possible for the relevant Canadian identity information to be provided if the other party can produce what may well be little more than a form letter justifying its provision.)
NSA, for its part, indicated that "Sharing unmasked US identifiers with second party SIGINT partners will be easier than with some US domestic partners.” (See page 43.)
The Intercept report notes that the total number of metadata records shared through ICREACH (and presumably GLOBALREACH) is "more than 850 billion". In fact, the total is likely to be much larger than that. By 2007 the databases were growing by about 570 billion records a year (page 22), and the annual collection rate has almost certainly increased substantially in the years since.
Older records may well have been purged of course, but even assuming no increase in collection and, for the sake of argument, a short, five-year data retention period, the total number of metadata records available must be close to three trillion. The actual number could be many trillions higher than that.
In addition, as The Intercept reported, "The intelligence community’s top-secret 'Black Budget' for 2013… shows that the NSA recently sought new funding to upgrade ICREACH to 'provide IC analysts with access to a wider set of shareable data.'"
Use of Five Eyes-related metadata is also getting more extensive. On 29 November 2010, the NSA's SID Management Directive 424 changed the procedures regarding metadata analysis to "permit contact chaining, and other analysis, from and through any selector, irrespective of nationality or location, in order to follow or discover valid foreign intelligence targets." As this document explains, "The impact of the new procedures is two-fold. In the first place it allows NSA to discover and track connections between foreign intelligence targets and possible 2nd Party or US communicants. In the second place it enables large-scale graph analysis on very large sets of communications metadata without having to check foreignness of every node or address in the graph."
What procedures are in place to protect the privacy of Canadians during such analyses?
As former NSA Director Michael Hayden famously said, "We kill people based on metadata". It is not impossible to imagine occasions when a Canadian might end up on the wrong end of a Hellfire missile, a practice we used to call "extrajudicial execution".
In his most recent annual report, the CSE Commissioner reported that he began, this year, to include "disclosures of Canadian identities to second party partners" in his annual review of disclosures of Canadian identity information.
2 Comments:
Just an FYI - how long has the CASIS link on the front page been going to a Brit payday loan page?
Dang link rot!
Thanks for the heads up, Tony.
- Bill
Post a Comment
<< Home