September 30, 2015

NSA's Legal Authorities

(Updated: May 16, 2017)

Since the start of the Snowden-revelations, we not only learned about the various collection programs and systems of the National Security Agency (NSA), but also about the various legal authorities under which the agency collects Signals Intelligence (SIGINT).

Bceause these rules are rather complex, the following overview will show which laws and regulations govern the operations of the NSA, showing what they are allowed to collect where and under which conditions. Also mentioned are various collection programs that run under these authorities.

The overview provides a general impression of the most important elements of the various laws and regulations and does not pretend to be complete in every detail. For example, provisions for emergency collection are not included. Also, some of these laws and regulations govern the work of other US intelligence agencies too, but here the focus is on the NSA.


Collection INSIDE the US:
Targeted collection - US persons & foreigners:

- Section 105 FISA
- Section 703 FISA Amendments Act (FAA)

Targeted collection - Foreigners:

- Transit Authority

- Section 702 FISA Amendments Act (FAA)
- Downstream Collection (PRISM)
- Upstream Collection

Bulk collection - US persons:

- Section 402 FISA (PR/TT)

- Section 215 USA PATRIOT Act (BR FISA)

- USA FREEDOM Act (USAFA)

Collection OUTSIDE the US:
Targeted collection - US persons:

- Sections 704 & 705 FISA Amendments Act (FAA)

Targeted & Bulk collection - Foreigners:

- Executive Order 12333
- Classified Annex Authority (CAA)
- Special Procedures governing Communications Metadata Analysis (SPCMA)
- Raw SIGINT Availability Procedures



Diagram with a decision tree showing the various legal authorities
under which NSA can collect Signals Intelligence (SIGINT)
(Click to enlarge)



  - Inside the US - Targeted collection - US persons -
 

Section 105 FISA
- Effective since October 25, 1978.
- For communications of US citizens and foreigners, whether through a "facility" or individually, inside the US, for which there's a probable cause that they are agents of a foreign power or connected to an international terrorist group. Initially also for foreigners outside the US using an American webmail provider.
- Collection takes place at telephone and internet backbone switches, wireless networks, Internet Service Providers and data centers at over 70 locations inside the United States.
- Requires an individualized warrant from the FISA Court (which takes between four and six weeks), but if no US person will likely be overheard, only a certification by the Attorney General is required.
- Collection programs: BLARNEY, COWBOY (under FAIRVIEW), PERFECTSTORM (under STORMBREW)
 
Section 703 FISA Amendments Act (FAA)
- Effective since July 10, 2008; expires on December 31, 2017.
- For communications of a US person outside the US, when there is probable cause that this person is an officer, employee, or agent of a foreign power or related to an international terrorist group.
- Requires an individualized warrant from the FISA Court.
- Collection takes place inside the United States (see Section 105 FISA).
- In practice, NSA apparently uses section 704 instead of 703 for collection against US persons overseas.


  - Inside the US - Targeted collection - Foreigners -
 

Transit Authority
- Effective since ?
- Probably based upon a presidential directive that has to be re-authorized regularly, but the 2009 STELLARWIND report says NSA is authorized to acquire transiting phone calls under EO 12333.
- For communications with both ends foreign: originating and terminating in foreign countries, but transiting US territory.
- Collection takes place inside the US, at major fiber-optic cables and switches operated by American telecommunication providers.
- Data may apparently be shared with other US intelligence agencies.
- Collection programs: FAIRVIEW, STORMBREW, SILVERZEPHYR (under OAKSTAR), ORANGEBLOSSOM (under OAKSTAR)

 

Section 702 FISA Amendments Act (FAA)
- Effective since July 10, 2008; expires on December 31, 2017.
- For communications to or from foreigners who are reasonably believed to be outside the United States.
- Requires an annual certification by the Attorney General (AG) and the Director of National Intelligence (DNI), which has to be approved by the FISA Court. Certifications are known that have been approved for:
- Counter-Terrorism (CT, since 2007)
- Foreign Government (FG, since 2008; including some cyber threats since 2012)
- Counter-Proliferation (CP, since 2009)
- Cyber Threats (planned in 2012)
- Companies get a directive ordering them to cooperate. In return they are granted legal immunity and are compensated for reasonable expenses.
- Dissemination rules differ slightly per certification. Ordinarily, US person identifiers have to be masked, but unevaluated data may be shared with FBI and CIA, and foreign data may be shared with the 5 Eyes partners.
- Unencrypted data may be retained for up to 5 years, or for a longer period in response to an authorized foreign intelligence or counterintelligence requirement, as determined by the NSA's SIGINT Director.

Section 702 FAA has two components, each with slightly different rules:
 
Downstream Collection (PRISM)
- Only internet communications "to" and "from" specific e-mail addresses or other types of identifiers. Filtering only allowed for selectors, not for keywords.
- Collection is done by the FBI's DITU, which acquires the data from at least 9 major American internet companies. This results in both stored and future communications.
- Raw (unminimized) data may be shared with FBI and CIA.
- Data are retained for a maximum of 5 years.
- NSA is permitted to use US person identifiers for querying already-collected data when there's a reasonable expectation that this will return foreign intelligence.*
- Collection program: PRISM

 
Upstream Collection
- Both internet and telephone communications. The internet communications may be "to", "from" and "about" specific e-mail addresses or other types of identifiers, including IP addresses and cyber threat signatures. The "about" collection of American e-mails and texts was halted on April 28, 2017.
- Collection takes place inside the US, at major telephone and internet backbone switches. This only results in future communications.
- Raw (unminimized) data may not be shared outside NSA.
- Data are retained for a maximum of 2 years.
- Collection programs: FAIRVIEW, STORMBREW


  - Inside the US - Bulk collection - US persons -
 

Section 402 FISA (PR/TT)
- Effective since October 25, 1978.
- Since July 14, 2004, orders from the FISA Court allowed the NSA to collect domestic internet metadata in bulk under this authority. These metadata included the "to", "from", and "cc" lines of an e-mail, as well as the e-mail’s time and date.
- Only for Counter-Terrorism purposes.
- Collection took place inside the US, by acquiring the metadata from big American telecommunication providers.
- Query results could only be accessed by specially trained NSA analysts, and could only be shared for a counter-terrorism purpose.
- Data were being retained for a maximum of 5 years.
- Collection terminated in December 2011 for "operational and resource reasons" and all data were deleted, as the requirements could also be fulfilled under 702 FAA and SPCMA authorities.*
- Collection programs: FAIRVIEW

 

Section 215 USA PATRIOT Act (BR-FISA)
- Effective since October 26, 2001; expired as of May 31, 2015.
- Since 2006, orders from the FISA Court allowed the NSA to collect domestic telephone metadata in bulk under this authority. These metadata included the originating and receiving phone number, the date, time and duration of the call, and, since 2008, the IMEI and IMSI number.
- Only for Counter-Terrorism purposes: there must be a Reasonable and Articulable Suspicion (RAS) that the query term belongs to a foreign terrorist organization. The Emphatic Access Restriction (EAR) tool ensured that analysts only did queries on RAS-approved selectors.*
- Collection took place inside the US, by acquiring the metadata from big American telecommunication providers.
- Query results could only be accessed by specially trained NSA analysts, and could only be shared when a manager certifies the data are for a counter-terrorism purpose.
- Data were retained for a maximum of 5 years. Remaining data will be deleted after receiving direction from the appropriate court.
- Collection programs: FAIRVIEW, STORMBREW

During a 180-day transition period, the NSA continued the collection of bulk telephony metadata under section 215 USA PATRIOT Act, which was until November 29, 2015. In this period, telephony metadata could only be queried after a judicial finding that there is a Reasonable, Articulable Suspicion (RAS) that the selector is associated with an international terrorist group. The results had to be limited to metadata within 2 (instead of 3) hops of the seed term.
 

USA FREEDOM Act (USAFA)
- Effective since June 2, 2015.
- Allows the NSA to request metadata from telephone companies based upon specific selection terms for which there's a Reasonable, Articulable Suspicion (RAS) that they are associated with a foreign power or an international terrorist group. These metadata may consist of "session-identifying information", like originating and receiving numbers, IMSI, IMEI and telephone calling card numbers, and the date, time and duration of the call. Collection of, and contact chaining on location data is prohibited.
- Requires a warrant from the FISA Court approving specific telephone numbers or other identifying selectors.
- NSA provides these selectors to the telecommunication providers, who have to produce the results of their queries (one or two hops from the initial selector) in a useful format, on a daily basis, and for a period of up to 180 days.
- Companies providing these data are granted legal immunity and will be compensated for reasonable expenses.
- All records that are not foreign intelligence information have to be destroyed promptly.
- Query results may be fully shared with CIA and FBI.
- Also, foreign terrorists may be tracked for up to 72 hours when they enter the US, with authorization by the Attorney General.



  - Outside the US - Targeted collection - US persons -
 

Section 704 & 705 FISA Amendments Act (FAA)
- Effective since July 10, 2008; expires on December 31, 2017.
- Collection takes place outside the United States.
- Data may be retained for up to 5 years, or for a longer period in response to an authorized foreign intelligence or counterintelligence requirement, as determined by the NSA's SIGINT Director. Inadvertent collection of US data has to be destroyed upon recognition, but the Attorny General can authorize exceptions.

The differences for these sections are:

Section 704 FAA
- For collection against a US person outside the US, when there is probable cause that this person is an officer, employee, or agent of a foreign power or related to an international terrorist group.
- Requires an individualized warrant from the FISA Court, for a period of up to 90 days.
 

Section 705(a) FAA
- For communications of a US person reasonably believed to be outside the United States.
- Requires an individualized warrant from the FISA Court.
- Collection may take place both inside and outside the United States.


Section 705(b) FAA
- For communications of a US person reasonably believed to be outside the US, when there is already an existing FISA Court order for collection against this person inside the US under section 105 FISA.
- Requires authorization by the Attorney General.



  - Outside the US - Targeted & Bulk collection - Foreigners -
 

Executive Order 12333
- Effective since December 4, 1981.
- For communications between foreigners outside the US.
- Requires no external approvals, except for fitting NSA's mission as set by the US government and prioritized by the National SIGINT Committee.
- Collection takes place outside the US and for all foreign intelligence purposes. However, Presidential Policy Directive 28 (PPD-28) from January 17, 2014, limits bulk collection to the following 6 purposes:
- Espionage and other threats by foreign powers
- Threats from terrorism
- Threats from weapons of mass destruction
- Cybersecurity threats
- Threats to US or allied armed forces
- Threats from transnational crime
- Data may be shared with other US intelligence agencies, as well as with foreign partner agencies.
- Dissemination of US person identifiers is only allowed when necessary and personal information should not be inappropriately included in intelligence reports.
- Unencrypted data from targeted collection are retained for up to 5 years, unless it is determined that continued retention is required; encrypted data are retained for an unlimited period of time.
- Collection programs: OAKSTAR, WINDSTOP (incl. INCENSER, MUSCULAR, etc), RAMPART-A (incl. SPINNERET, MOONLIGHTPATH, AZUREPHOENIX, etc), DANCINGOASIS, MYSTIC, and many more.

Under EO 12333, there are several additional authorizations:
 
Classified Annex Authority (CAA)
- Effective since 1988.
- For communications of US persons outside the US, for whom there's probable cause that they are agents of a foreign power or engaged in international terrorism.
- Requires prior approval by the Attorney General, limited to a period of time of up to 90 days.
- Also for communications of a US person who is held captive by a foreign power or a terrorist group, which requires approval of the Director of NSA.
 

Special Procedures governing Communications Metadata Analysis (SPCMA)
- Effective since January 2011
- Allows contact chaining and other analysis on metadata already-collected under EO 12333, regardless of nationality and location, including US person identifiers.
- For the purpose of following or discovering valid foreign intelligence targets (i.e. not restricted to counter-terrorism).
- Only covers analytic procedures and does not affect existing collection, retention or dissemination (including minimization) procedures for US person information.
- SPCMA-enabled tools: ICREACH, Synapse Workbench, CHALKFUN
 

Raw SIGINT Availability Procedures
- Effective since January 2017
- Allows other US intelligence agencies to request access to content and metadata of US persons from already-collected raw SIGINT data sets from the NSA.
- Only for foreign intelligence or counterintelligence purposes and the requesting agencies may not use selectors or key word queries that will result in domestic communications (contact-chaining is not limited).
- In general, raw SIGINT obtained in this way may be retained for up to 5 years, but foreign communications may be retained permanently if US person information is minimized. Domestic communications have to be destroyed promptly upon recognition, except when they provide significant intelligence value. Further dissemination is only allowed after approval by NSA.
- Sharing tools: ICREACH



                         - Information Assurance -                        


Besides collecting Signals Intelligence, the NSA is also responsible for Information Assurance (IA). This mission is conducted under the following authorities:

National Security Directive 42
("National Policy for the Security of National Security Telecommunications and Information Systems", 1990)

Executive Order 13587
("Structural Reforms to Improve the Security of Classified Networks and the Responsible Sharing and Safeguarding of Classified Information", 2011)


- . - . - . - . - . - . - . - . -


Links and sources
- Emptywheel.net: 12333 info sharing working thread
- The New York Times: N.S.A. Gets More Latitude to Share Intercepted Communications
- Emptywheel.net: The Yahoo Scan: On Facilities and FISA
- Emptywheel.net: While It Is Reauthorizing FISA Amendments Act, Congress Should Reform Section 704
- IC on the Record: FACT SHEET: Implementation of the USA FREEDOM Act of 2015
- Emptywheel.net: Internet Dragnet Timeline - Phone Dragnet Timeline - 10 Goodies USA Freedom Act Gives the Intelligence Community
- Webpolicy.org: Executive Order 12333 on American Soil, and Other Tales from the FISA Frontier
- IC on the Record: Transition from the USA PATRIOT Act to the USA FREEDOM Act
- DNI.gov: Documents Regarding the Now-Discontinued NSA Bulk Electronic Communications Metadata
- Americanbar.org: Section 214 and Section 215 FISA
- National Research Council: Bulk Collection of Signals Intelligence: Technical Options (pdf) (2015)
- NSA Civil Liberties and Privacy Report about Targeted SIGINT Activities under EO 12333 (pdf) (2014)
- Privacy and Civil Liberties Oversight Board report about the Surveillance Program Operated Persuant to Section 702 FISA (pdf) (2014)
- Legal fact sheet: Executive Order 12333 (pdf) (2013)
- The Department of Defense Directive about NSA/CSS (pdf) (2010)
- NSA OGC: Course on legal compliance and minimization procedures (pdf)
- Memo about Reauthorization of the FISA Amendments Act (pdf)
- NSA OGC: FISA Amendments Act of 2008 - Section 702 - Summary Document (pdf)

September 16, 2015

9/11 inside the White House emergency bunker


On July 24, the US National Archives released a series of 356 never-before-seen photos, most of them taken on September 11, 2001 inside the emergency bunker under the White House.

The bunker is officially called the Presidential Emergency Operations Center (PEOC), but White House officials also call it the shelter. It was constructed in 1942 underneath the East Wing of the White House, which was primarily built to cover the building of the bunker. It is said the PEOC can withstand the blast overpressure from a nuclear detonation.



One of the very few photos from inside the PEOC available before the recent release
(White House photo - Click to enlarge)



The photos were released in response to a Freedom of Information Act (FOIA) request filed by Colette Neirouz Hanna, coordinating producer for the FRONTLINE documentary film team. They focus on the reaction from then-vice president Dick Cheney and other Bush administration officials during the terrorist attacks.


How Cheney reached the White House emergency bunker was reconstructed in the official report of the 9/11 Commission, which was issued on July 22, 2004:


American 77 began turning south, away from the White House, at 9:34. It continued heading south for roughly a minute, before turning west and beginning to circle back. This news prompted the Secret Service to order the immediate evacuation of the Vice President just before 9:36. Agents propelled him out of his chair and told him he had to get to the bunker.The Vice President entered the underground tunnel leading to the shelter at 9:37.

Once inside, Vice President Cheney and the agents paused in an area of the tunnel that had a secure phone, a bench, and television. The Vice President asked to speak to the President, but it took time for the call to be connected. He learned in the tunnel that the Pentagon had been hit, and he saw television coverage of smoke coming from the building.

The Secret Service logged Mrs. Cheney’s arrival at the White House at 9:52, and she joined her husband in the tunnel. According to contemporaneous notes, at 9:55 the Vice President was still on the phone with the President advising that three planes were missing and one had hit the Pentagon.We believe this is the same call in which the Vice President urged the President not to return to Washington. After the call ended, Mrs. Cheney and the Vice President moved from the tunnel to the shelter conference room.

The Vice President remembered placing a call to the President just after entering the shelter conference room. There is conflicting evidence about when the Vice President arrived in the shelter conference room. We have concluded, from the available evidence, that the Vice President arrived in the room shortly before 10:00, perhaps at 9:58. The Vice President recalled being told, just after his arrival, that the Air Force was trying to establish a combat air patrol over Washington.

 

Conference room

The newly released photos provide an almost 360-degree view of the conference room in the Presidential Emergency Operations Center. It appears to have two installations for secure videoconferencing: one at the long side of the room and one at the short side, so it can be used from either the long side or the short side of the table.

In the picture below we see the videoconference set-up at the long side of the room. Within a wooden paneling there are two television screens with the camera in between. Right of the paneling are four digital clocks showing the time for various places around the globe, and there's also a wall map of the United States:



(White House photo by David Bohrer - Click to enlarge)


On the screen on the far left we see a videoconference taking place with four participants, including the CIA and the Department of Defense. Reports about the events on 9/11 say there was a secure videoconference in which the White House, the CIA, the State Department, the Department of Justice and the Department of Defense participated.


The next picture shows the videoconferencing monitors at the short side of the room, which can also be used for normal television: other photos show feeds from CNN and Fox. In the corner on the right there's a wooden door with a (mirror?) window. Next to the door on the long side wall, there's a large mirror:



(White House photo by David Bohrer - Click to enlarge)


The wall at the long side of the room opposite to the videoconferencing installation has the presidential seal, which appears behind the person leading a videoconference from the chair in which vice president Cheney was sitting, in order to show that this is the White House:



(White House photo by David Bohrer - Click to enlarge)


Looking to the right provides a view of the other corner, where we see two doors: first there's a heavy metal door opening to a room with pinkish light. Next to it, at the short side of the room, there's another door which opens to what looks like a corridor with blueish light. Some people seem to come in through that door, so maybe that corridor leads to the entrance of the bunker:



(White House photo by David Bohrer - Click to enlarge)


At 6:54 PM in the evening, president Bush arrived back at the White House and joined vice-president Cheney in the Presidential Emergency Operations Center. This was captured in another series of photos. In the picture below we see Cheney and Bush, with on the right side a good view of the vault-like door, which has three heavy-duty hinges and a long downward pointing door handle:



(White House photo - Click to enlarge)


Exactly the same type of white metal door with the long door handle, can be seen in a picture from 1962 of an office next to the Situation Room in the basement of the West Wing (maybe a door to the tunnel leading to the bunker? The current entrance to the PEOC is still a well-kept secret).


Viewing from a different angle, we see more of the wall at the other short side of the room, which was probably never seen before. At the left it has the door to the corridor, and in the middle there are wooden folding doors with handles and a lock. As there are already two banks of monitors for videoconferencing, these doors probably hide something else:



(White House photo - Click to enlarge)


At 9:00 PM president Bush gathered his National Security Council for a meeting in the underground shelter, as can be seen in the picture below. This makes a 360-degree view of the conference room almost complete:



(White House photo - Click to enlarge)


A close look at this photo shows that something is mirrored in the glass pane for the camera of the videoconferencing system in the short side wall of the room. It clearly looks like a world map, more specifically like an automatic daylight map, which must be at the opposite wall, right of the wooden folding doors:




 

Telephone equipment

The newly released photos show the people in the PEOC conference room regularly making phone calls, using telephones that are somewhat hidden in drawers underneath the conference table. Probably just like the table itself, the drawers are custom made for a device that can be recognized as a small version of the Integrated Services Telephone (IST):




The IST was designed by Electrospace Systems Inc. and manufactured by Raytheon as a dedicated device for the Defense Red Switch Network (DRSN) and hence was called a "red phone". The DRSN is the main secure telephone network for military command and control communications and connects all mayor US command centers and many other military facilities.

The standard version of the IST has 40 programmable buttons for access to both secure and non-secure lines (therefore sometimes called IST-40). Encryption isn't done by the phone itself, but by a network encryptor, after the switch separated secure and non-secure traffic. Although the IST phone had very futuristic looks, it was gradually replaced by the IST-2 since 2003.


The phone we see in the drawers of the PEOC conference room table are about half the size of the standard IST: instead of the 40 direct line buttons, there are just 6, replacing some of the special function buttons above the AUTOVON keypad with the four red keys for the Multilevel Precedence and Preemption (MLPP) function.

This small version of the IST is rarely seen, but it was in the collection of the JKL Museum of Telephony in Mountain Ranch, California, which unfortunately was completely destroyed by a wildfire last week.



The small version of the IST displayed
in the JKL Museum of Telephony



The ultimate test for these kind of communications systems is a real emergency situation. However, during 9/11, it came out that the Defense Red Switch Network (DRSN) didn't work like it should have. The 9/11 Commission report said:
On the morning of 9/11, the President and Vice President stayed in contact not by an open line of communication but through a series of calls. The President told us he was frustrated with the poor communications that morning. He could not reach key officials, including Secretary Rumsfeld, for a period of time. The line to the White House shelter conference room and the Vice President kept cutting off.


Besides the ISTs under the table, there's also a black telephone set, which sits on a shelf or a drawer underneath the wall map of the US. This phone is a common Lucent 8410, used in numerous offices all over the world. Here, it is part of the internal telephone network which is used for all non-secure calls both within the White House as well as with the outside world.



Vice-president Cheney using the Lucent 8410. On the conference table
at the right there's the thick laptop-like device
(White House photo - Click to enlarge)



On the corner of the conference table, there's also another kind of communications device: a black box, of which the upper part can be opened up like a laptop. The bottom part however is higher than normal notebooks, even for those days. It's also connected to a big adapter. Maybe it's a rugged and/or secure laptop for military purposes - readers who might recognize the device can post a reaction down below this article.



All three communications devices: the black Lucent 8410, the black
notebook-type of thing and the small version of the IST.
(White House photo - Click to enlarge)


 

Mysterious marking

A final photo shows then-Secretary of State Colin Powell sitting at the table in the PEOC conference room, reading a document which has a cover sheet for classified information:




The cover sheet seems of light yellowish paper and has a broad dark red border, which is a common feature for these sheets. Most of the text isn't eligable, but the lines in the upper half read like:
TOP SECRET//[....]

CRU

EYES ONLY [...]

The lines in the bottom half are probably the standard caveats and warnings that can be found on such cover sheets. With Top Secret being the classification level, and Eyes Only a well-known dissemination marking, the most intriguing are the letters CRU.


On Twitter it was suggested that CRU stands for Community Relations Unit, an FBI unit responsible for transmitting information to the White House. However, the website of the FBI says that this unit is actually part of the Office of Public Affairs, and as such is responsible for relationships with local communities and minority groups. Although that unit could stumble upon suspected terrorists, another option seems more likely:

After a 2009 FOIA request by the ACLU, a 2004 memo from the Justice Department's Office of Legal Counsel about the CIA's detention program and interrogation techniques was released. The classification marking of this memo was blacked out, but on one page this was forgotten. It read: TOP SECRET/CRU/GST.

In a job posting this was written like "CRU-GST", which indicates GST is a compartment of the CRU control system. Meanwhile we also know that GST is the abbreviation of GREYSTONE, which is a compartment for information about the extraordinary rendition, interrogation and counter-terrorism programs, which the CIA established after the 9/11 attacks.

Because Powell is reading the CRU-document on September 11, 2001 itself, the CRU parent-program must have been established somewhere before that day. It's still a secret what CRU stands for, but it probably covers information about highly sensitive CIA operations.




Links and sources
- Wikipedia: Timeline for the day of the September 11 attacks
- 9/11 Myths: Dick Cheney at the PEOC
- New York Times: Essay; Inside The Bunker (2001)