NSA Director Alexander at the BlackHat convention in the summer of 2013. Via the Guardian
During a speech at a hacker convention five months ago, NSA Director Gen. Keith Alexander showed a PowerPoint slide that listed eight things his agency "does NOT collect." In the months since, every single claim has been proven a lie.
Today, the Guardian has revealed that the NSA once collected close to 200 million texts per day from all over the world, which were then datamined for info on everything from social connections, location, and bank info. (As the documents are from 2011, it's not clear if the practice is ongoing.) If that's the case—and those texts can be processed in near-real time—that means that the NSA may also be able to crack two-step authentication.
At this point, headlines starting with "The NSA Collects" have passed through to their fifth or sixth level of absurdity, but this new report shows just how obsessive the NSA's data collection is. Based on Snowden-leaked presentation documents from the GCHQ, the British counterpart to the NSA, the report details a pair of programs aimed at collecting and analyzing as many text messages as possible.
According to the documents, dated 2011, the NSA Dishfire program collected 194 million SMS messages a day in April of that year, while the Prefer program was dispatched to analyze their contents. The contact info and text itself is valuable data, but it's easy to forget that SMS can carry a wealth of other data as well. The presentation calls SMS text messages "a goldmine to exploit," and the Guardian lays out what that mine contains:
On average, each day the NSA was able to extract:
• More than 5 million missed-call alerts, for use in contact-chaining analysis (working out someone’s social network from who they contact and when)
• Details of 1.6 million border crossings a day, from network roaming alerts
• More than 110,000 names, from electronic business cards, which also included the ability to extract and save images.
• Over 800,000 financial transactions, either through text-to-text payments or linking credit cards to phone users
The agency was also able to extract geolocation data from more than 76,000 text messages a day, including from “requests by people for route info” and “setting up meetings”
The Guardian story is worth the full read, if only for the GCHQ's squirming at the release of its slides. But what really stands out from the story is that it proves, yet again, that Alexander has repeatedly lied about what his agency does.
The cover slide from the Dishfire presentation, via the Guardian
Last summer, Alexander gave a surprise talk at the Black Hat security conference in Las Vegas. It was designed to be a chance for him to clear the air and explain to a savvy crowd exactly what it is that the NSA does. The venue and message were meant to imply that media's accusations were misinformed, that the press simply doesn't understand tech things well, and that if people actually understood the NSA's technology, they'd know it's all okay.
It's an argument Alexander has used repeatedly, including during the ridiculous 60 Minutes segment from a few weeks ago. But aside from trying to obfuscate the issue by suggesting that the whole spying issue has been overblown, Alexander took a very clear stand on what the agency doesn't do. He even put it on the aforementioned PowerPoint slide:
NSA does NOT obtain:
• Content of calls
• NO voice communications
• NO SMS/text messages
• Subscriber information
• NO names
• NO addresses
• NO credit card numbers
• Locational information
Let's just run down the list really quick: The NSA's own disciplinary records have shown that the agency can definitely record the audio of phone calls. Despite what the NSA and courts say, the NSA's metadata collection is not anonymous, which makes finding subscriber information, names, and addresses a shockingly simple task, even if the agency doesn't directly "collect" it when it gathers phone records in bulk.
And now, with the proof that the NSA can collect SMS messages—which also can provide location and bank info—we can check off the last three things on Alexander's list of things the NSA definitely doesn't do.
But hey, it's not like we should be surprised that a spy chief should lie about his agency's operations. I mean, the NSA repeatedly lied to the secret court that oversees its operations, and despite knowing that, the court approved its operations anyway. (When that came to light, a FISA judge gave a very stern talking to the NSA, as if that could retroactively fix the entrenched free-for-all spy culture the court had already supported.)
And Alexander's not alone. In response to Sen. Ron Wyden's question as to whether the NSA collects "any data" on millions of Americans, Director of National Intelligence James Clapper said unequivocally that the NSA does not "wittingly" collect anything. (The ODNI's general council now argues that Clapper didn't lie, he just misspoke.)
It's obvious that the men running the nation's spy agencies are convinced they're above the law, and that regulations set down to protect citizens' private lives mean nothing in the face of the specter of terrorism. Somewhere along the line, the efficacy of data collection has taken a backseat to the obsession with collecting as much data as possible, a breach of privacy that far outweighs what demonstrable purpose it serves. But most importantly, this latest round of leaks is a final reminder that it's simply foolish to trust the word of the intelligence officials in charge.