What the Latest Snowden Documents Actually Say

By Jane Chong
Monday, June 8, 2015, 9:30 PM

A kerfuffle broke out here at Lawfare last week over the significance of the new tranche of Snowden-procured documents released on Thursday. The authors of the New York Times story published alongside the documents—Charlie Savage, Julia Angwin, Jeff Larson and Henrik Moltke—interpreted the documents as evidence that, in order to detect malicious foreign hackers, the Obama administration had quietly expanded the agency's warrantless surveillance of Americans’ international Internet traffic. Meanwhile, over at the Daily Beast, Shane Harris offered another take, contending that the documents are significant in that they reveal the extent of the alliance forged between NSA and FBI, who have joined forces to conduct a "new surveillance campaign" against foreign hackers.

Ben criticized the Savage story as "an embarrassing blunder" for accusing the government of expanding collection of American internet data when, by the story's own terms, the documents reveal “nothing more than incidental collection of the type that always takes place when NSA collects against foreigners abroad" (Ben's words). In response, Savage defended the Times story, first disputing the allegation that the story had misleadingly suggested NSA's activities were illegal or scandal-worthy, and then disagreeing with Ben's characterization of the documents as unduly minimizing of their privacy implications.

So what do the documents actually say? Read on for a brief walk-through. No commentary from me—summary only.


The latest disclosures consist of roughly six sets of NSA documents on the agency’s cyber surveillance authority and capabilities.

Page 1: An internal timeline of "Some Key (SSO) Cyber Milestone Dates Since Fall 2005" shows that the DOJ approved the targeting of "certain signatures" in May 2012 and "certain IP addresses" in July 2012.

Page 2: A 2012 NSA newsletter on 702 authorities "in the works" for cyber threats shows the NSA drafted a proposed certification to be reviewed by the FISA Court; procuring that approval is described in the newsletter as one of the NSA Director's "highest priorities." If approved, the certification would fill a "huge collection gap" that prevents cyber threat targets from being surveiled under 702 where they cannot be attributed to a foreign power. The new certification would not require this attribution and require only that the selector be tied to malicious cyber activity. The sought certification would codify the FISA Court's guidance on targeting cyber signatures, including IP addresses and other selectors not based on email or phone numbers. This new type of targeting and collection is already allowed under current certifications, but NSA and its overseers, including DOJ and ODNI, have not yet settled on a common understanding of how to implement it.

The desired 702 certification appears to be referenced again on page 49: "Because attribution is hard, just having to prove foreigness [sic] and an FI purpose is especially useful to NTOC. However, the selectors will likely not be the hard/strong selectors DoJ is used to."

Pages 3-4. A short PRISM slidedeck states, among other things, "[p]lan to add Dropbox as PRISM provider," the expansion of collection services from existing providers, and a desire "to add Cyber Threat Certification." The slidedeck notes that FAA 702 collections comprise PRISM program providers plus upstream programs with access to non-PRISM internet domains, DNR collection, cyber signatures and IP addresses.

Pages 5-8. A four-page "Staff Processing Form" asks that the Signals Intelligence Director grant approval for NSA to provide "technical assistance" requested by the FBI for the purpose of implementing orders the FBI has or will obtain from the FISA Court in cyber cases involving agents of foreign powers. Offering background for the sought agency collaboration, the document notes that the FBI requested assistance on December 20, 2011 in connection with FISA Court orders authorizing pen register/trap and trace (PRTT) collection in some instances and content collection in others. SSO was in discussions with the FBI throughout the second half of 2011, "in the belief that use of NSA's collection/processing infrastructure would allow the FBI to maximize the value of the collection without incurring the expenses associated with duplications of that infrastructure." Most of the FBI's electronic surveillance is conducted without NSA's assistance against targets located within the United States. But the FBI's traditional means are not effective against targets outside the U.S. who conduct intrusions on behalf of foreign powers.

In contrast, NSA has devoted significant resources to building collection/processing capabilities at chokepoints operated by U.S. providers through which international communications enter and leave the U.S. Although the FBI could direct U.S. providers to conduct surveillance at these chokepoints without NSA assistance, this would be duplicative of NSA efforts and cost-prohibitive.

The plan is to have the data that is collected pursuant to FISA Court orders forwarded to the designated FBI repository in Quantico, Virginia. NSA would have the opportunity to review and respond to any proposed use of FISA-derived information from the collections before the Attorney General authorizes its use in criminal proceedings.

Pages 9-74. The bulk of the tranche appears to consist of a slidedeck (possibly several) prepared by the NSA Office of General Counsel on the various legal authorities governing signals intelligence, accompanied by presenter notes. The slides themselves mostly contain basic descriptions of the President's Article II power, Executive Order 12333, various statutory and regulatory authorities, and key Fourth Amendment Supreme Court decisions. However, these slides are accompanied by presenter notes that offer a window into NSA's understanding of these authorities as well as some explanation of specific operational details.

  • Page 15. NSA/CSS has procedures in place to assist law enforcement and other civil authorities. For example, NSA could disseminate SIGINT to the FBI where a foreign intruder is in a U.S. system, leading FBI to start its own investigation.
  • Page 16. An overview of the evolution of government cyber surveillance, or CNE (computer network exploitation). The government conducts two types of CNE: (1) actual collection of information from the target computer system, and (2) "enabling activities" that allow access to the system "for possible later CNA."
  • Pages 21-23. The slidedeck gives somewhat more detailed treatment to the various exceptions to the Federal Wiretap Act that are permitted if conducted in accordance with FISA and/other other applicable procedures. The presenter notes instruct analysts to "talk to OGC (Office of General Counsel)" once a target is identified and there is a law enforcement purpose.
  • Starting on page 25, the slides situate legal surveillance developments within historical context, noting the Church/Pike Committees' discovery of IC abuses of power, and the congressional and executive response in the form of FISA, Executive Order 12333, and a variety of regulations and procedures.
  • From page 29, the slidedeck and notes begin providing some concrete operational details on how the SIGINT system works. For example, on page 33, we learn that if the only information available to NSA is that the hacker came from or through a foreign ISP, NSA may presume the hacker is foreign; if all that is known is that the intrusion is via a U.S. ISP, then NSA presumes the hacker is a U.S. person. Page 34 further notes that where an NSA analyst uses a presumption and then learns s/he has been targeting/collecting/disseminating communications to/from/about a U.S. person, the analyst must stop collection or get the proper authority, cancel reports, and report in the IG quarterly.
  • Also on page 34: although an analyst cannot target a foreign entity for the purpose of acquiring U.S. person communications, it appears (the bulleted grammar is a bit fuzzy here but this is my interpretation) the analyst can target a foreign hacker who is using a U.S. IP address in conjunction with a foreign hacker signature.
  • Page 35. NSA may not intentionally intercept communications to or from state, local and federal government officers and employees, and such communications must be destroyed upon recognition, but there are a number of exceptions: such as where anomalies reveal a potential vulnerability to U.S. communications authority, or the communications include not just significant foreign intelligence but also evidence of a crime or threat of death or bodily harm to "any person."
  • Pages 37-39. "Targeting by subject matter" is the use of selection terms to intercept communications based on their content rather than the identity of the communicants. Hacker signatures are cited as an example; they "pull in a lot." The presenter notes clarify: "Worst thing NTOC could do is to turn the SIGINT system to collect against a USP [U.S. person] hacker. It is not FI/CI, basically doing surveillance for LE [law enforcement] without a warrant. If incidentally collect information on USP hacking into a protected computer, this is a violation of law that should be reported to DL violations for OGC [Office of General Counsel] to refer. Do not want to see any/many of these."
  • Page 39. NSA has a "positive responsibility to defeat out to the extent possible collection of USP [U.S. person] comm[unications]."
  • Page 50. The slides and notes offer examples of how the SIGINT system is used to target specific foreign communicants in different situations. One such example: the presenter notes detail a situation in which the request to select was based on a foreign hacker signature in conjunction with a DoD military IP address. The analyst saw nothing in SIGINT, as the system "doesn't see everything . . . . So, without asking, analyst put the DoD military IP address in as a straight hit and obtained hundreds of hits."
  • Pages 62-63. The slides present hypothetical examples of how to implement "the procedures." In one scenario, an overseas hacker has attacked a U.S. company's computer, which contains communications between the company and a U.S. government entity. NSA's response includes exfiltration--unauthorized transfer of data--from that company's computer. The collection is valid, as the target is a foreign person overseas; the exfiltrated data potentially contains a great deal of U.S. person information but is incidental. "OGC advises that this type of exfiltrated data be segregated from the rest of the SIGINT raw traffic and is made available only to those who have the mission to collect/report on these types of foreign intrusions. The exfiltrated data does not contain any FI [foreign intelligence] other than what is reported in order to understand what the foreign hacker was seeking, and what the foreign hacker obtained for damage assessments."

Pages 75-90. The last documents in the tranche are two appendices redacted from the Obama administration’s "Cyber Policy Review" when the report was released back in 2009. As the New York Times notes, these documents consist of mostly unclassified information.

  • Appendix D largely sums up the major initiatives within the Comprehensive National Cybersecurity Initiative (CNCI), notes significant CNCI accomplishments to date, and provides commentary on weaknesses, such as the need for central leadership. The meat of the appendix is the enumeration of the areas of concern highlighted by the "60-day cyberspace review team" with respect to each CNCI initiative, followed by recommendations. For example, Initiative 1 aims to cut the number of internet access points used by the federal government from thousands to fewer than 100. Initiative 3 involves developing EINSTEIN 3, a system that will automatically block attempted cyber intrusions, as part of an effort to deploy intrusion prevention systems across the federal enterprise. But the linkage of EINSTEIN 3 to the NSA SIGINT system "raises civil liberties and privacy concerns that have significantly complicated EINSTEIN 3 development." Thus the review team recommends enhanced transparency and assessment of ways to reduce risks to program implementation.
  • Appendix E details the U.S. need for a comprehensive strategic international cybersecurity policy framework. The review team divides the priority issues into three categories: internet governance, international law and security, and multi-lateral public policy. A primary goal in the internet governance realm is to ensure the secure operation of the domain name and addressing system (DNS). Another cited area warranting attention is "research and development of new methods and capabilities to identify management and authentication for certain types of online activity." With respect to international law and security, the appendix urges the U.S. to recognize international cybercrime as a national security concern, and stresses the need for the U.S. and its allies need to develop technical capabilities, doctrines and rules of engagement premised on internationally recognized cybersecurity norms.