Feature

Total Recall

If the NSA's massive spying operation sounds a lot like a Bush-era program ... that's because it is.

A decade ago, a Pentagon research project called "Total Information Awareness" sparked a mass panic because of its seemingly Orwellian interest in categorizing and mining every aspect of our digital lives. It was "the supersnoop's dream," declared William Safire of the New York Times, a "computerized dossier on your private life from commercial sources, [combined with] every piece of information that government has about you...."

If this sounds reminiscent of the current uproar over NSA surveillance, you're paying attention. That's because the NSA monitoring tools are very similar to -- and, in many cases are directly based on -- the technology that Total Information Awareness (TIA) tried to use.

The story of that convergence starts on the morning of Feb. 2, 2002, when retired Admiral John Poindexter drove to the headquarters of the National Security Agency at Ft. Meade, Maryland, and sat down with the agency's deputy director, an NSA veteran named Bill Black. Poindexter, a former White House national security adviser, was now running the TIA program at the Defense Advanced Research Projects Agency, the organization that tackles some of the hardest engineering and technology challenges in the Pentagon. Poindexter thought TIA was an innovative new way to stop terrorist attacks, and he wanted the NSA to help him test it. 

The idea, he explained to Black, was to give U.S. intelligence analysts access to the vast universe of electronic information stored in private databases that might be useful for detecting the next plot. Data such as phone call records, emails, and Internet searches. Poindexter wanted to build what he called a "system of systems" that would access all this raw information, sort and analyze it, and hopefully find indications of terrorist plotting. 

The NSA was the biggest collector of electronic data in the government, and Poindexter thought the NSA would be a natural partner in his endeavor. But what he didn't know was that under secret orders from President George W. Bush, the NSA was already building its own version of Total Information Awareness. Fewer than 100 people at the NSA knew that for the past few months, the agency had been monitoring the phone calls and other electronic communications of Americans, and that it was obtaining copies of domestic phone call records and looking at them for potential clues about terrorist attacks. 

Poindexter left Ft. Meade that day with no firm commitment from Black that the NSA would assist in his research. And TIA didn't last long. Although Poindexter's work wasn't classified, the press soon caught wind of his grand data-mining ambitions, and Poindexter was held up as the poster boy for intrusive government surveillance. "I think it's fair to say that in the country's history there has never been proposed a program with something this far reaching in terms of surveillance capacity," said Sen. Ron Wyden at the time. "And my sense is that the country just does not want to unleash a bunch of virtual bloodhounds to go sniffing into the medical, financial and travel records of law-abiding Americans."

TIA was officially shut down in 2003, and Poindexter left the government. But this wasn't the end of his grand vision.  

In a secret negotiation, members of Congress, some of whom had been among Poindexter's critics, reached an agreement to keep TIA research going, and to fund it from the classified portion of the military budget, the so-called "black budget." TIA's research components were given new cover names, and the program was moved under the control of the very agency that Poindexter had originally wanted to help him -- the NSA. There, Poindexter's ideas were incorporated into NSA's surveillance activities, the latest glimpses of which we have seen in the past two weeks. 

The NSA went on to build its own total information awareness system. What was once an idea in Poindexter's head is now a fully realized global surveillance apparatus, capable of gathering unprecedented amounts of digital information for near real-time analysis, or to be stored for future investigations, perhaps years from now. It is not precisely the system that Poindexter imagined, but what became clear to him looking back, as he explained to me in a series of interviews for my book, The Watchers, was that the NSA was doing many of the things he had proposed all along. Poindexter was demonized for even suggesting that the government get access to vast troves of private information. The NSA now does this routinely, and under the law.  

There are several key respects in which the NSA's system today mirrors that which Poindexter had proposed more than a decade ago. 

Access to many categories of private information

TIA envisioned, as its name suggested, access to the total universe of electronic information that might be useful for investigating terrorists. It placed particular emphasis on phone records, e-mails, Internet searches, travel records, and financial transactions -- because in order to plan attacks, terrorists need to communicate, conduct research, move around, and make purchases. 

This NSA is using the same body of information to investigate terrorists. Under a court order, the NSA obtains copies of all domestic phone call records, as well as records of international calls into and out of the United States. The agency also reportedly taps into undersea cables that carry Internet traffic. Using the PRISM system, it can read emails and see Internet searches, as well as forms of electronic messages that didn't even exist when TIA was proposed, such as Facebook messages. The agency has also obtained credit card receipt transactions and records from Internet service providers. The NSA has teams of analysts that work at the National Counterterrorism Center, where airline travel records are monitored and watch lists are compiled. And soon, the NSA will get to tap into a rich repository of financial information compiled by the Treasury Department that's used for investigating financial crimes and tracking terrorist money flows.  

Use of "virtual" databases

Rather than trying to make copies of private databases and hold them in a government facility, TIA proposed a kind of federated or "virtual" database. The system would effectively reach out and touch the private databases themselves, or systems that were set up attached to them, working with the information at, or close to, the source and siphoning off what it needed for analysis.  

This is what's happening with the NSA's Internet mining tool known as PRISM. The NSA doesn't have "direct access" to company servers, but obtains information on an as-needed basis using a technology that some have described as a drop box: The company deposits the information NSA wants in the box, and NSA takes it. Notably, Google has said that it doesn't use this kind of setup. But the company does comply with lawful orders for information without turning over the entirety of its data or letting the NSA jack into its central servers. The same goes for other companies that have provided information to the NSA, reportedly as many as 50. 

(Lack of) privacy protection  

At the core of TIA was a device, then yet-to-be-invented, that Poindexter called a "privacy appliance." It would strip all data of personally identifying information -- such as names and addresses -- and give each data point a unique, encrypted designation. A TIA analyst would see how pieces of information fit together, but he would need a court order if he wanted to unlock the privacy appliance and see the names associated with that data. 

NSA abandoned this privacy research when it took over Poindexter's programs in 2003, and a privacy appliance as sophisticated as what was hoped for in TIA still doesn't exist. However, the NSA's database of phone call records, known as Mainway, now have some privacy controls, according to intelligence employees who have used the system. The database does not contain any names, nor is the NSA collecting geolocation data that could pinpoint a user on a map, according to administration officials. When an analyst comes upon a phone number associated with a U.S. citizen or legal resident, a black 'X' mark appears over the number, says one former defense intelligence employee. Administration officials have said publicly that the databases only can be queried as part of a terrorism investigation, and that it has been accessed about 300 times last year. 

Much less is known about how PRISM protects the privacy and identities of U.S. persons, whose communications the NSA cannot target without a warrant. Analysts are allowed to target a set of foreign communications -- such as emails -- if PRISM determines with 51 percent confidence that they are indeed foreign. Technically, it is very difficult to determine whether an email was actually sent by a foreigner and not a US person, experts say. And a 51 percent confidence rating is not a high threshold. This practically guarantees that US persons' information is swept up by PRISM. The NSA has not disclosed the procedures it uses to separate that information from the foreigners' data. 

Use of broad searches 

Poindexter believed that in order to find the proverbial "needle in the haystack," analysts needed to be able to look at a lot of haystacks. TIA would cast a wide net searching among mostly innocent and innocuous communications for those that merited further scrutiny. 

NSA attempts to do just that with PRISM. It is meant to filter out potentially meaningful signals from an ocean of noise. Gen. Keith Alexander, the NSA director, has said that in the vast majority of terrorist attacks that the United States was able to stop, this kind of analysis was essential. (With the Mainway database, officials say their searches are more targeted, and are begun based on a specific phone number of a known or suspected terrorist.) 

Reliance on court orders 

Poindexter never envisioned giving the intelligence community unsupervised access to private data. He thought that courts should play a role, because this would legitimize the government's monitoring of private data and provide a check on potential abuse--at least in theory. He pointed to the longstanding practice of issuing intelligence surveillance warrants under the Foreign Intelligence Surveillance Court as a model. 

The NSA has come to rely on that court, which is now issuing broad orders for information that, prior to the 9/11 attacks, would have been unimaginable. The court has sanctioned the copying of all phone records in the United States. It also reviews the government's Internet surveillance methods in an attempt to ensure that they don't unreasonably scoop up Americans' data too. This is far from perfect science. On at least one occasion, the court has found that these procedures were unconstitutional. We still don't know how they were changed to make them legal. 

Amended privacy laws

Poindexter also hoped to ignite a national debate on whether to change privacy laws to reflect both advances in technology and the difficult task of finding an enemy -- such as terrorist networks -- that don't announce their presence.

He got his wish. In 2007 and 2008, after some of the NSA's secret programs were exposed, Congress debated changes to the Foreign Intelligence Surveillance Act. There were many public, heated exchanges. Ultimately, lawmakers voted to give the NSA more authority to search broadly for potential terrorists, and to do so without individualized warrants that name the specific person and place the agency wants to search.  

* * * 

The key question still unanswered is whether any of this surveillance actually prevents terrorist attacks. Poindexter couldn't say for sure that TIA would, though he believed that his early research showed promising signs. Officials now say that the NSA's surveillance activities have helped stop dozens of attacks. If the details of those plots are released, we'll all be able to decide for ourselves. Perhaps then can finally decide whether building Total Information Awareness was a good idea. 

Wikimedia

National Security

Comey Don't Play That

How Obama's pick to lead the FBI tried to put the brakes on the NSA's surveillance dragnet.

It was not until Attorney General John Ashcroft was hospitalized with pancreatitis in early 2004 that his deputy, James Comey, first learned the extent of the Bush administration's surveillance programs. Reluctantly, the White House had agreed to "read him in." What Comey found out -- about both the government's warrantless domestic telephone interceptions and the bulk collection of data processed on American servers -- stunned him. Relying on an extreme interpretation of executive authority, the Bush legal team had established a set of war powers that broke precedent and concentrated power in the White House. Together with Jack Goldsmith, the Justice Department's head of the Office of Legal Counsel, Comey realized these efforts were based on legal opinions that should never have been signed.

Of particular concern was the fact that telecom companies, Internet companies, credit-rating agencies, and the like had been providing the National Security Agency (NSA) with any customer records that the agency asked to see -- who called whom, who bought what, who rented a car where. As many as 50 companies were providing the NSA with un-sifted bulk data on a regular basis without a court order. There was no discrimination at all; Americans and non-Americans alike were swept up by this surveillance dragnet. Faced with a White House request to reauthorize these activities, as Ashcroft had done, Comey balked.

Comey, who is said to be President Obama's choice to be the next director of the FBI, has never publicly disclosed exactly what he refused to sanction when he was briefly acting attorney general during Ashcroft's hospital stay, but people briefed on the program who have spoken to Comey say it was the legal rationale giving the NSA quick access to un-sifted telecom and service provider-collected metadata that "drove him bonkers," not the Bush administration's warrantless wiretapping program. There was just no way, Comey thought, to justify an effort that simply turned over such a large amount of data on American citizens to one of America's foreign-intelligence agencies. It contravened a number of laws with which he, as a former federal prosecutor of terrorism cases, was intimately familiar.

With recent revelations that the NSA has undertaken a huge effort to collect telephonic metadata -- information about a phone call, such as the originating and receiving numbers, the time and duration of the call, and technical information about the call and the phone used -- the Bush administration's intelligence collection efforts have reclaimed a central place in the debate over the balance between national security and privacy. To understand the current controversy, one has to return to the origin of the government's post-9/11 expansion of intelligence gathering, an effort that set off a vicious internal debate. For critics of the recently revealed NSA programs, the bitter irony is that they are now in all likelihood fully legal. This is the story of how Congress made them lawful.

 

To acquire communications inside the United States before 9/11, the NSA needed the cooperation of the courts and U.S. telecommunications companies. The Stored Communications Act of 1986 (SCA) would not allow the provision of historical data without an order or warrant, and the Electronic Crimes and Privacy Act (ECPA) banned real-time monitoring without an order or warrant. Furthermore, because the types of communications the NSA wanted were considered "consumer proprietary information," telecom companies couldn't just turn them over at the government's request. This latter point was rejected by the NSA's lawyers, who said that the Federal Communications Commission, which enforces the relevant laws, misread the statute. But the SCA's language seemed pretty clear to Comey: "[A] provider of remote computing service or electronic communication service to the public shall not knowingly divulge a record or other information pertaining to a subscriber to or customer of such service... to any governmental entity" -- unless the government obtains a warrant.

So, assuming that citizens of the United States counted as customers, telecom companies were forbidden from voluntarily turning over records to the federal government. In the fight to maintain privacy rights in the face of expanding national security prerogatives, few fights were more consequential than the one Comey was starting. Anything a telecom company kept in storage and anything involving the customer's past communications counted as a "record." In other words, these business records included everything the telecom companies knew about their customers.

In its pursuit of greater intelligence capacities, the Bush administration discarded those legal protections. The activities authorized by President Bush provided a get-out-of-jail-free card to telecom companies, authorizing them to ignore the Stored Communications Act and Electronic Crimes and Privacy Act. The card came in the form of a certification signed by the attorney general attesting that the government would not criminally prosecute the telecoms for their cooperation. There was no court involvement whatsoever. The initial justification for this seems to have been based -- the legal opinion itself remains classified -- on both an assertion of presidential powers and an interpretation of the USA Patriot Act's "business records provision," which allowed the government to collect "tangible things" from U.S. businesses so long as they related to terrorism. There was no statutory definition of "tangible thing" and no real sense of what it meant. Interpreted broadly, it would essentially give the entire government license to collect anything, at any time, without a warrant or order.

(The Senate Select Committee on Intelligence would later conclude that "we have seen no evidence that Congress intended the AUMF" -- the Authorization for Use of Military Force, the post-9/11 law that inaugurated the Bush administration's war on terror -- "to authorize a widespread effort to collect the content of Americans' phone and e-mail communications," implying that the NSA had used that law as justification as well. And, according to the Washington Post, the White House also advanced an interpretation of an obscure 1982 Department of Defense rule that defined "collection" in a way whereby the Fourth Amendment would not apply until a human being actually used the collected material.)

So what did the telecoms turn over to the NSA? Millions of transaction records, which included millions of instances of domestic telephones dialing other domestic telephones. Other companies sent over tranches of e-mail messages. The NSA would ask for telephone logs from a certain time at a certain place (that is, a company, a neighborhood, a mosque), and telecoms would transmit those records. The NSA could scan the metadata that attached itself to anything digital, whether a call or an e-mail, but actually listening to a call or reading an e-mail required probable cause.

The agency used several computer programs to scan the pen register logs (the lists of phone numbers that called other numbers) and the metadata associated with e-mails (for example, the to, from, and subject lines; IP addresses; lengths; frequencies; and so on). If a group of people associated with an entity (like an Islamic charity) had (or appeared to have) a connection with an entity connected to foreign terrorism, all three were subject to interception protocols.

 

When Ashcroft temporarily transferred power to Comey during his hospitalization in March 2004, the lanky former prosecutor would not sign a new certification for the collection of bulk metadata. There was no sound legal basis for the bulk transmission of data to the NSA, he believed, especially if the NSA meant to store it for future use. He was uncomfortable that the judicial branch was not involved at any step in the process. The Stored Communications Act and the Electronic Crimes and Privacy Act had exceptions, but Comey didn't think they applied. And the Patriot Act's provisions required a specific target.

The NSA's potential uses for the data only added to Comey's concerns. The agency could have taken telephone records and correlated them with the bulk intercepted data from, say, Yemen, to see which calls overlapped. Then it could (and would) task an analyst to either listen to the U.S. end of a call if the whole call had been recorded somewhere outside the United States, or to listen to future calls emanating from the U.S. terminus.

Mike McConnell, a former director of the NSA and the second director of national intelligence during the Bush administration, would later describe what happened next to a group of intelligence industry professionals: "If the U.S. end of the call was Grandma, and they were talking about cakes, we would minimize it. If it was operationally significant, we would keep it. If that U.S. number were to call another U.S. number, we would have to get a FISA warrant," he said, referring to the Foreign Intelligence Surveillance Act, which regulated the monitoring of calls between the United States and abroad.

Initially, the White House was ready to have the president's counsel, Alberto Gonzales, affix his own name to the certification authorizing bulk metadata collection that Comey had sent back without a signature. But with Ashcroft in the hospital on the night of March 10, the White House first tried to bully the barely conscious attorney general into signing the orders from his hospital bed. Comey got wind of the plan and raced to the hospital to intercept Gonzales and White House Chief of Staff Andy Card. In a now-legendary show of defiance against the Bush White House, a nearly delirious Ashcroft refused to sign. Card and Gonzales left empty-handed.

Then, to force Comey's hand, the White House tried to use Congress as a lever.

In a hastily organized briefing a few weeks later in the White House Situation Room with Comey and the so-called Gang of Eight -- the speaker and minority leader of the House, the majority and minority leaders of the Senate, and the chairs and ranking members of the intelligence committees -- a member of Congress asked White House officials whether any ongoing operations would be jeopardized if the telecoms refused to hand over data without a warrant. A senior official from the National Security Council brought up a major counterterrorism investigation code-named CREVICE. The United States, British MI5, and German intelligence were working closely together on the case, which involved al-Qaeda-linked jihadists in Europe who were communicating with Americans. One was caught on a wire musing about blowing up an airplane. At least some of their communication was transiting through the United States. Without the program, the White House insisted, the ability to disrupt CREVICE would be significantly reduced. But the FBI and the Justice Department representatives in the room who had been working CREVICE for months knew that wasn't true. FISA warrants had already been issued, and MI5 had its own technical surveillance operation under way. The bulk provision of data was just not necessary.

Since late 2001, the special NSA programs had been briefed to the Gang of Eight. Other members of the intelligence committees and some members of the armed services committees were given partial briefings. But Congress was an observer at this point, rather than a participant. From the secret programs' earliest days, the White House had never asked Congress to explicitly authorize bulk data collection or to update FISA, and Congress, not wanting to get its hands dirty, never volunteered to. In the Situation Room meeting, Comey got the impression that the legislative branch was brought in for show, to intimidate him.

The White House advanced a practical argument to Congress, arguing that the lawyers who handled the bulk data collection programs for the telecom companies would panic if after months of seeing executive branch authorizations bearing the signature of the attorney general -- the nation's top law enforcement officer -- they saw instead the scribble of Alberto Gonzales, the president's in-house guy.

Gonzales believed that without Comey's signature, without the signature of the attorney general, the telecoms and other content providers would not only have questioned any past cooperation with the NSA, but would probably also significantly curtail their cooperation in the future, raising the prospect that Comey's objections to bulk metadata collection might jeopardize the warrantless wiretapping program. Though Comey had signed off on that part of the program -- certifying that it was legal to intercept the U.S. side of an international communication connected with terrorism -- he refused to sign off on bulk metadata collection. Without his signature on that second program, the White House feared the companies might balk at providing any assistance.

But congressional leaders didn't want -- and didn't think they had an obligation -- to publicly rewrite a surveillance law to account for a secret program. This was the president's program. He initiated it, so he owned it. 

It was because of these practical considerations that the White House changed course after the hospital room confrontation. With no help forthcoming in Congress, the White House had to. It simply could not send a document to the telecoms with anyone else's signature. It took six months before the NSA was able to develop procedures that fit the interpretation of the metadata provisions promulgated by Jack Goldsmith and his successor, Daniel Levin.

As the main obstacle to continuing the bulk metadata collection program, Comey became a hated figure in the White House. Dick Cheney in particular was not a fan. Comey first met the vice president the same day he appointed Patrick Fitzgerald to investigate the Valerie Plame leak -- an investigation that would culminate with the indictment of Cheney's chief of staff for perjury. When Comey introduced himself that day, Cheney replied, without looking back, "Oh, I know you from television." He wasn't smiling.

 

The scene at the hospital marked a turning point for the data collection program but did so in a way that may well have hastened the day that Congress would officially deem it sound and legitimate. Immediately after he became attorney general in early 2005, Alberto Gonzales asked the new head of the OLC, Steve Bradbury, to reexamine whether there might be a different legal approach to the NSA activities authorized by the president -- one that would put those activities on a stronger legal footing. So, Bradbury crafted a novel legal analysis that, if approved by the FISA court, would permit much of the NSA program to be based on section 702 of the FISA statute, which allowed the NSA to acquire communications on foreign entities that happened to use U.S.-based content providers. In essence, the FBI would take a first pass at the data collection to make sure it did not contain information about U.S. persons. Then, and only then, would it be provided to the NSA. The attorney general would have to certify to the FISA court that the data was needed for foreign intelligence purposes.

Bradbury presented his new approach to the White House in the late spring of 2005, and the White House approved it without hesitation, provided that the director of national intelligence and the NSA were confident that the new approach would not materially compromise the value and effectiveness of the program. The DNI and the NSA expressed support, and over the next several months, the OLC, working with the Office of Intelligence Policy and Review at the Justice Department, developed a detailed analysis and proposal intended to be submitted to the FISA court in late 2005 or early 2006.

But in December 2005, the New York Times scuttled the effort to build a new legal basis for the metadata program by reporting on the OLC's attempt to draft a new justification under FISA. Bradbury and others in DOJ spent much of their time and attention in 2006 explaining to the public (and to Congress) the legal basis for the NSA activities, which were now publicly acknowledged by the president following the Times article, as well as addressing other alleged activities and rumors swirling around those charges. As a consequence of the distraction, it wasn't until January 2007 that Gonzales told Congress that DOJ had succeeded in obtaining a court order authorizing foreign collection using bulk data under a novel interpretation of FISA. What he did not say in open session was that bulk data collection had resumed under the Patriot Act's business-records provision. The main difference: The FISA court was reviewing and certifying all of the government's data requests. 

Then, just as quickly, that legal authorization was taken away. A FISA judge found problems with the collection. (We don't know exactly what the issues were.) It was then, and only then, that those in Congress read in to the program felt compelled to act. Congress passed stopgap legislation in 2007 and, in 2008, a permanent and fundamental restructuring of FISA.

In essence, the new FISA laws legalized bulk data collection for foreign intelligence gathered from wires passing through the United States, prohibited the collection of any content (audio of telephone calls, the body text of e-mails) on U.S. persons anywhere in the world without a warrant, and allowed the government to use FISA for collecting information to fight terrorism, proliferation, and espionage.

Today, the NSA's special programs are larger than they were when they first existed as a presidentially authorized intelligence collection tool. Inside the government there is a consensus that the NSA's intelligence-gathering activities -- both those recently revealed and those still classified -- are critical to national security. This consensus did not come easily, and from a civil libertarian standpoint the checks and balances are insufficient. It could be that the Justice Department, the courts, and Congress previously objected to the program only because they weren't let in on the secret. Now that they're in on it, they're willing participants in its perpetuation and expansion, one fully sanctioned by the law.

Congress has reauthorized the Patriot Act and rewritten FISA to allow for all of the activities that Comey found objectionable, although they are subject to a significantly higher level of oversight and auditing. But the legal interpretation and operational realities of what these reauthorizations meant were secret to all but a very small number of members.

That is, until just a few days ago.

Alex Wong/Getty Images