Thursday, March 21, 2019

How NSA Contact Chaining Combines Domestic and Foreign Phone Records

(Updated: September 18, 2017)

In the previous posting we saw that the domestic telephone records, which NSA collected under authority of Section 215 of the USA PATRIOT Act (internally referred to as BR-FISA), were stored in the centralized contact chaining system MAINWAY, which also contains all kinds of metadata collected overseas.

Here we will take a step-by-step look at what NSA analysts do with these data in order to find yet unknown conspirators of foreign terrorist organisations.

It becomes clear that the initial contact chaining is followed by various analysis methods, and that the domestic metadata are largely integrated with the foreign ones, something NSA never talked about and which only really current practice under the USA FREEDOM Act differs in various ways. The information in this article is almost completely derived from documents declassified by the U.S. government, but these have various parts redacted.


 

RAS-approval

As a seed for starting a contact chain, NSA analysts can take a telephone identifier like a phone number (also called a selector), based upon:
- their own ongoing analysis on an existing target set;
- a Request for Information (RFI) from another government agency;
- a notification of a match between a known counterterrorism-related selector and an identifier among newly ingested telephone metadata.

Access to the domestic telephone records was granted to about 125 intelligence analysts from the Homeland Security Analysis Center (HSAC, or S2I4) of the NSA's Signals Intelligence Directorate. There were also up to 22 specially trained officials called Homeland Mission Coordinators or HMCs (initially shift coordinators).

As required by the FISA Court orders, only these HMCs, the chief and the deputy chief of the HSAC are allowed to determine that there is a Reasonable, Articulable Suspicion (RAS) that a certain selector is associated with a designated foreign terrorism group and/or Iran. Such a RAS-approval is only needed for the domestic telephone records, not the ones collected overseas.

NSA has a special RAS Identifier Management System to streamline the adjudication of the requests for RAS approval and the documentation thereof. The codename of this system is IRONMAN, as we learn from this document from a declassified 2011 training presentation (.pdf) in which this codeword wasn't redacted twice:



A RAS-approval is effective for one year, meaning that during the next year, repeated queries using the approved seed selector can be made. If the selector is reasonably believed to be used by a U.S. person, the approval period is six months.

The number of RAS-approved identifiers varied substantially over the years, but in 2012, there were fewer than 300. According to the annual Transparency Report from the Director of National Intelligence (DNI), there were 423 such selectors in 2013, but just 161 in 2014. It's not known how many of these belonged to Americans.
 


Different kinds of queries

From various declassified documents analysed in an * When this collection was brought under supervision of the FISA Court, it limited contact chaining to three hops.

But despite that authorization, the policy of NSA's Counter Terrorism branch restricted chaining to 2 hops, as can be seen in an NSA training presentation (.pdf) from 2007:


A 2011 training module says that chaining to a third hop is possible, but only after prior approval by the analyst's division management (for instance when a contact that comes up with the first hop appears to be an already known suspect).

Strangely enough, both a government white paper and the PCLOB-report don't mention this policy restriction and in the latter it's even assumed that chaining three hops was regular practice:
"If a seed number has seventy-five direct contacts, for instance, and each of these first-hop contacts has seventy-five new contacts of its own, then each query would provide the government with the complete calling records of 5,625 telephone numbers. And if each of those second-hop numbers has seventy-five new contacts of its own, a single query would result in a batch of calling records involving over 420,000 telephone numbers"

As of 2012, the FISA Court also allowed an automated chaining process, but NSA was published by the German magazine Der Spiegel, showing a slide from an NSA presentation with a 2-hop contact graph for the email addresses of the CEO and the chairwoman of the Chinese telecommunication company Huawei:




Domestic and foreign results

Generally, it is said that analysts query the "Section 215 calling records", the "BR metadata" or something similar. This sounds like they only access the domestic telephone records and that therefore the resulting contact chains would fully consist of American telephone numbers.

The initial seed number however will often be a foreign number, as the whole purpose of the Section 215 program is to find connections between foreign terrorists and potential conspirators within the US. Analysts will therefore choose a seed for which they expect a good chance it has a domestic nexus, which probably explains the low numbers of RAS-approved identifiers.

But as we have seen in the previous article, NSA stored the domestic telephone records in MAINWAY, which also contains the foreign telephone and internet metadata collected overseas. That means that a contact chaining query will not only provide identifiers from the domestic, but also from the NSA's worldwide metadata collection.


Federated queries

Such results from multiple sources are called federated queries. According to a 2011 training module, BR FISA queries initially only resulted in these federated queries, but in later versions of the query tool, the analyst could also check boxes to conduct an "unfederated" query and select individual collection sources.

These options can be seen in the following screenshot from the user interface (the codename of which is redacted) used to conduct the contact chaining:


Selecting the "FISABR Mode" makes an additional checkbox for the EO12333 source appear. An NSA memorandum explains that when this BR FISA option is chosen, the analyst will not only be provided with the domestic telephone metadata, but also with those from the SIGINT realm (which is collection overseas under EO 12333 authority), dating back to late 1998.

When the analyst used a RAS-approved selector, he could also check the box for PENREGISTRY, or PR/TT, which refers to the domestic internet metadata, but the collection thereof was ended by the end of 2011. Normal mode is for all other metadata collected abroad.

Analysts can determine the collection sources of each result by examining the Producer Designator Digraph (PDDG) and/or SIGINT Activity Designator (SIGAD) from each line of the contact chain file. BR FISA metadata can be identified by specific SIGADs.
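
An added illustration, not part of the original article and not NSA code: a hop-limited contact chain over constructed records, showing how a federated query differs from one restricted to a single collection source. The identifiers, the `BR_FISA`/`EO12333` source labels and the function name are assumptions made for this example.

```python
from collections import deque

# Constructed sample records: (identifier A, identifier B, collection source).
# The source label stands in for the per-line source designator in a chain file.
RECORDS = [
    ("F-100", "US-201", "BR_FISA"),
    ("F-100", "F-101", "EO12333"),
    ("US-201", "US-202", "BR_FISA"),
    ("F-101", "F-102", "EO12333"),
    ("F-101", "US-203", "BR_FISA"),
    ("US-202", "US-204", "BR_FISA"),
    ("F-102", "F-103", "EO12333"),
]


def contact_chain(seed, records, max_hops=2, sources=None):
    """Breadth-first contact chain starting at `seed`.

    sources=None models a federated query (all sources combined); a set of
    labels models an unfederated query limited to those sources.
    Returns {identifier: (hop, sources of the records that linked it)}.
    """
    adjacency = {}
    for a, b, src in records:
        if sources is not None and src not in sources:
            continue  # unfederated: ignore records from unselected sources
        adjacency.setdefault(a, []).append((b, src))
        adjacency.setdefault(b, []).append((a, src))

    found = {seed: (0, set())}
    queue = deque([seed])
    while queue:
        node = queue.popleft()
        hop = found[node][0]
        if hop == max_hops:
            continue  # hop limit reached: do not expand this contact
        for neighbour, src in adjacency.get(node, []):
            if neighbour not in found:
                found[neighbour] = (hop + 1, {src})
                queue.append(neighbour)
            elif found[neighbour][0] == hop + 1:
                found[neighbour][1].add(src)  # same hop via another source
    return found


if __name__ == "__main__":
    federated = contact_chain("F-100", RECORDS)
    domestic_only = contact_chain("F-100", RECORDS, sources={"BR_FISA"})
    # Identifiers that only the federated query surfaces within two hops.
    print(sorted(set(federated) - set(domestic_only)))
```

In this sample the domestic identifier `US-203` is reachable only through a foreign-collected link, so it appears in the federated result but not in the query restricted to the domestic source.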

SPCMA

There's also a fourth box for SPCMA mode, which stands for the "Special Procedures governing Communications Metadata Analysis" from January 2011. These allow contact chaining and other types of analysis on metadata that have already been collected under EO 12333, regardless of nationality and location (because metadata aren't constitutionally protected).

This means that U.S. person identifiers that were in contact with valid foreign intelligence targets may be GCHQ volume (.pdf) disclosed last week calls contact chaining the start of a "painstaking process of assembling information about a terrorist cell or network".


Analytic tools

In the early years of the President's Surveillance Program (PSP), only the SIGINT Navigator (SIGNAV) tool was available to view the output of the MAINWAY contact chaining system. Later, new tools were created to improve efficiency, and to obtain the most complete results they were designed to use telephone records collected both domestically and overseas.

According to the 2009 BR FISA review, there were 19 different analytic tools used for analysing both the raw metadata as well as the results of contact chaining. The glossary of the review lists the following tools, unfortunately with their codenames redacted:


S................?
"This tool is used by HMCs to conduct contact chaining against BR FISA metadata and provide the results to the [...]team. HMCs only used RAS-approved selectors when using this tool. The [...] team ultimately provided the results to NSA's [....]"

S.........?
"The primary desktop graphical user interface (GUI) for access to [....] information and services"

S....?
"An analytic query tool used to seek out additional information on telephony selectors from [MAINWAY?] and other knowledge bases and reporting repositories"

[SYNAPSE Workbench?]
"A next generation metadata analysis graphical user interface (GUI) which is the replacement for [......]"

W......?
"The query tool, which indicates whether a telephony selector is present in NSA data repositories, the total number of unique contacts, total number of calls, and "first heard" and "last heard" information for the selector"


The 2009 PR/TT review also mentions the following tool, which could have been redacted in the BR FISA review:

M.....?
"A database analytic system and user interface tool for integrated analysis of multiple types of metadata, facilitating more comprehensive target activity tracking"


Update:
According to the internal NSA newsletter SIDToday from March 4, 2005, which was published by The Intercept in September 2017, MAINWAY's Sigint Navigator (SigNav) version 4.0 became the vehicle for the new single sign-on tool GLOBALVISION, which gave analysts access to eleven databases.


Combining multiple contact chains

In 2006, a "high-level Bush Administration intelligence official" previous article, these data weren't derived from the MAINWAY system, but from a second database which holds "individual BR FISA metadata call records for access by authorized Homeland Security Analysis Center (HSAC) and data integrity analysts to view detailed information about specific telephony calling events".


Searching the second database

This database of calling records also enables analysts to subject these records "to other analytic methods or techniques besides querying", like for instance searching them "using numbers, words, or symbols that uniquely identify a particular caller or device", or using "selection terms that are not uniquely associated with any particular caller or device" - according to the PCLOB report.

So, when analysing one or more contact chains resulted in finding several suspicious telephone numbers, analysts can then use those numbers for querying the second database in order to see whether these numbers also appear in telephone records that were not included in their initial contact chains.

And it also seems possible to query for instance a trunk identifier to find other phones from the same region. These kinds of searches can therefore provide potential connections that could not have been found by conducting a direct contact chaining query.

Update:
An NSA slide that was already published in December 2013, shows that MAINWAY can indeed be used for queries with cell tower identifiers, in order to find selectors in certain geographical areas:



Some numbers

In a Department of Justice report (.pdf) from 2006 it's said that NSA "estimated that only a tiny fraction (0,000025% or one in 4 million) of the call-detail records [...] were expected to be analyzed". This would mean that of the 1,8 billion domestic telephone records provided daily by AT&T, just 450 would be used for analysis.

So in a year, the records (not the content) of roughly 230.000 individual calls from the domestic metadata collection could have been used for analysis in addition to contact chaining.



Foreign call records

As we have seen, a contact chaining query on Section 215 telephone metadata will more often than not result in both foreign and domestic numbers. Analysts will therefore not only like to analyze the associated call records from the domestic collection, but also those from foreign collection conducted abroad.

These foreign telephone records could be retrieved from the known metadata repositories like ASSOCIATION (for mobile calls) and BANYAN (for landline calls), or from a single foreign "SIGINT" database, as is suggested by an NSA memorandum from 2009.


Enrichment

Analyzing the detailed call records will still not provide names or other information that allows the identification of the people to which the numbers from a contact chain belong. For that, the telephone numbers have to be correlated ("enriched") with other kinds of information.

The easiest way is probably to combine them with target watch lists to see if the contact chains contain telephone numbers that belong to already known targets. This is demonstrated in the following video, which shows contact chain analysis using Sentinel Visualizer, which is a commercially available program for this purpose:





Telephone identifiers found through contact chaining and subsequent analysis can of course also be correlated with internet metadata. NSA does not collect domestic internet metadata anymore, but its collection abroad results in over 10 billion internet metadata a day being stored in the MARINA database.

The metadata from contact chains can also be enriched with information from for instance GPS and TomTom, billing records and bank transactions, passenger manifests, voter registration rolls, property records and unspecified tax data - for both Americans and foreigners, according to a New York Times report, but in which NSA denies using this for the domestic metadata collected under Section 215.


SYNAPSE Data Model

With all this, analysts can build extensive social network graphs (or "community of interest" profiles) using 164 different relationship types like "travelsWith, hasFather, sentForumMessage, employs". It seems that this refers to the SYNAPSE Data Model, for which internal NSA relationships are shown in the following diagram that was published by The New York Times too:



Apparently also based upon this data model is SYNAPSE Workbench, which seems to be the "next generation metadata analysis graphical user interface (GUI)" described in the 2009 BR FISA review. SYNAPSE Workbench is apparently capable of fusing metadata from multiple sources and is also enabled for SPCMA searches.


Further action

When all this leads an analyst to believe that a certain telephone identifier belongs to someone who is of interest but wasn't yet known or identified, the following actions can be taken:
- If the identifier is American and of counterterrorism value, it can be passed on to the FBI for further intelligence or criminal investigation. From 2006-2009, NSA provided the FBI (and other intelligence agencies) a total of 277 reports containing 2883 telephone identifiers.
- If the identifier is foreign, NSA can use it as a selector to call up the content of associated communications that might already be in its databases. It can also be entered into the NSA collection system in order to pull in the content of any future communications of the target systematically.

In case the identifier of the yet unknown suspect is foreign, the analyst might have found out a name through the various enrichment correlations, but if not, this can also be achieved by listening into the content of associated telephone calls or additional Human Intelligence (HUMINT) methods.


 

Conclusion

As we have seen, the domestic telephone records collected by NSA under Section 215 are used for contact chaining that combines both domestic and foreign identifiers. NSA never explicitly explained this, probably because they didn't want to draw attention to their foreign metadata collection and analysis efforts. But it did become clear from the many documents about the Section 215 program that were declassified by the U.S. government.

These documents made clear that NSA rarely went to three hops of contact chaining, which is contrary to what most people, including the Privacy and Civil Liberties Oversight Board (PCLOB) assumed. Because of the federated queries, the resulting contact chains were made up of both domestic and foreign identifiers, which means contact chaining under the Section 215 program involved far fewer American telephone numbers than often presumed.

The documents also show that contact chaining for finding yet unknown conspirators isn't as easy as it may appear. It's not that one enters a telephone number and the software provides a list of suspects. Data retrieved through the contact chains have to be analysed and correlated with other data sets in order to find out which numbers could matter. It still depends on experience, analysis and eventually even guessing which data and which numbers might be worth a closer investigation.

How successful this contact chaining and subsequent analysis is, is hard to say. The PCLOB report judged that there was "no instance in which the [Section 215] program directly contributed to the discovery of a previously unknown terrorist plot or the disruption of a terrorist attack" - but it's also possible that there were simply no such conspirators.

The PCLOB report noted that analysing the domestic telephone metadata did provide some value "by offering additional leads regarding the contacts of terrorism suspects already known to investigators, and by demonstrating that foreign terrorist plots do not have a U.S. nexus" - although useful, this seems a rather meager result of what certainly required lots of work.


> Next: Collection of domestic telephone records under the USA FREEDOM Act



Links and Sources
- Lawfare Blog: Understanding Footnote 14: NSA Lawyering, Oversight, and Compliance (2016)
- EmptyWheel.net: The NSA's Telephone Meta-data Program: Part I (2013)
- U.S. Administration White Paper: Bulk Collection of Telephony Metadata under Section 215 of the USA PATRIOT Act (pdf) (2013)
- The New Yorker: What the N.S.A. Wants to Know About Your Phone Calls (2013)
- NSA: Business Records FISA NSA Review (.pdf) (2009)
