(That sense of mild threat you feel right now that is preventing you from either watching the video or commenting here is entirely natural and nothing to worry about. Go about your day as normal.)
I often address the NSA by microphone, I doubt they pay attention to me though. I'm just like "Hey NSA, monitoring my "steps"" haha as I try to start a fire.
The goal isn't even to watch everyone, even if you devoted 100% of all federal spending to watching everyone you wouldn't be able to do it. Not enough resources or time. The goal is to chill conversation and thought that is too critical of institutions. Mission accomplished.
I went to the comments instead of the link to take a look at whether there was a second source that didn't involve hitting a CCC page. Chilling effects indeed.
Nothing inherent - the CCC is a great organization.
But it's already come out that searching for Tails or Tor can set off NSA flags, so I was pointing out that reading Chaos Computer Club accounts of NSA surveillance practices sounds like another likely way to be flagged.
> Chaos Computer Club accounts of NSA surveillance practices sounds like another likely way to be flagged.
It sure is, meaning that a privacy conscious person is not a friend of a government and needs to be held in check. It's also quite disturbing that NSA is surveilling political parties around the World to excerpt pressure on them and to get geopolitical and economic influence.
How is Bill Binney still walking around a free man? Surely he had security clearances and made an oath not to break them. Is it just that he's riding a fine line and not disclosing classified information?
If the people don't care anyway, and can't see beyond pro/anti-Trump and pro/anti-SJW BS (at their most "political") and the latest pop/tv BS (for the typical apolitical masses), then it doesn't matter if it gets credence for some small minority that cares.
As a counter-point (regardless of the legalities) if there are, as he conjectures, 1.2 million people on a drone kill-list (with seemingly no-oversight), is it not in the public interest that these things are highlighted by whistle blowers?
I didn't really make a point, so I don't know what you think you're countering. I just asked a question, and apparently the answer is that he doesn't disclose classified information.
This 1.2 million number sounds like his zettabyte number. Nobody could possibly take him seriously, and that's probably why he doesn't get into any trouble — it's not a crime to talk about aliens in Roswell or zettabyte capacity datacenters because those things obviously don't exist.
This is all publicly available information. You don't give up your right to free speech when you gain access to sensitive information. He probably vetted this content very carefully and had several friends within the intelligence community review it for him to ensure he wasn't revealing anything undisclosed to the public already.
He did it internally. He didn't leak very much publicly other than broad strokes about what was happening. He 'leaked' internally to the DoD IG. The response from the FBI/NSA was essentially to punish them and what amounts to a public witch hunt at the hands of the FBI. This response was what started the trend of much more public whistle blowing because it became clear if you went through the official routes you would be persecuted and your life made miserable, even if they could not land you in jail.
All of this under the banner of state secrets justifying these actions. Whereas in any corporation or visible branch of government the waste would have been a scandal. In the NSA the use of state secrets means power concentrates and individual employees have little recourse (Snowden, etc.).
I didn't watch the whole thing just jumped around but he has included slides that are marked 'SECRET//NOFORN' so if that material is accurately classified at that level (and its disclosure was not authorized), well he probably shouldn't be presenting to that.
Of course whether those slides would cause 'serious damage' to national security is a whole other matter or maybe it was 'authorized'.
Perhaps they were previously leaked through Snowden or others and he's only included them in his slides? Then he's not disclosing anything. He hasn't worked at NSA for a loooong time.
I'm no expert, and you are right he did leave sometime ago, perhaps there were changes with regards to protecting classified information after he left.
Classified information does not become unclassified just because it is publicly available if I remember correctly. Either way, I can't comment on whether including them in his slides is disclosing/divulging or not.
He actually sort of answers this in the last question they ask at the end. He says that because he's made it so obvious that they're his enemy it's impossible for them to do anything about him in the public light except possibly have him killed which would obviously be incredibly suspicious.
As far as the actual legality of the things he does, it seems like pretty much everything in the talk I had heard before, mostly through the Snowden files.
> Is it just that he's riding a fine line and not disclosing classified information
Yes, at least in this talk he's very careful only to disclose what can be inferred from already public information (e.g. Snowden leaks). People from his former line of work are kind of used to this, I guess, as they probably cannot even discuss every detail of what they're doing with all of their own colleagues during lunch breaks.
You have to put together what we know about PRISM with recent testimony.
https://en.wikipedia.org/wiki/Jewel_v._NSA is extremely important here. The NSA argues it can collect virtually every scrap of data flowing across US communications systems and that it does not violate your rights because as long as no one is looking at it your 4th amendment rights aren't violated. So to "look" at the data they get a secret FISA warrant. Jewel was defeated in court with the same tired argument of Clapper et. al -- "Your facts are inaccurate, but we won't tell you how because it is a state secret. Case dismissed. You let us worry about protecting your privacy within our walled garden."
NSA directors have a long history dating back to 2002 with Hayden of misleading congress and then saying "oops, sorry about that." It is a naked power game between congress and the executive branch and a bit of political chicken because the intelligence committees can only go so far before the president/white house can say the legislative branch is undermining your freedom and aren't tough on terror.... which will not go well for anyone at reelection time if it sticks.
The back and forth goes on. The picture painted, and I can't dig everything up is that, essentially, the NSA collects almost everything that happens on US soil. It has a legal fiction via executive orders (see Snowden emails) that let it do this. And then if searches of this data turn up anything interesting (since automated computer searches don't require a warrant under this legal fiction) they then apply for a secret FISA warrant and then humans can "look" at the collected data. And since no humans were collecting or looking at your data your 4A rights are fine and safe.
edit: I guess I meant to add this legal construction is why the "how" of their collection matters so much. Until we have accurate details of the "how" we can't even begin to argue against them in open court. And since the executive branch tries its very best to keep the "how" secret (for many not obvious reasons!) these things are important. I have seen people dismiss the importance of the technical details as just bits and bytes and what matters is the politics at play, but the "how" is very important as shown by the failure of Jewel to win in court due to specious "state secrets" arguments.
Buying 100 mil. 8TB SSDs when SSD market is even smaller than HDD market would be not possible without everyone noticing. That's entire year (2015) of total SSD units production. 8TB drives would be at the time a tiny fraction of the total.
One can probably leave out all the torrents, youtube and netflix videos that fly across the internet. Stick to text of emails, calls and chats only. Suddenly you only need a few thousand drives.
Even if you do need that data, you can probably dedupe the large sites fairly easily. Save one copy, then just record the ID of the video watched/downloaded.
As much as I'm arguing in another thread that you shouldn't go too nuts with rampant paranoia, I'm still gonna get a GPS jammer and cell phone jammer and a pile of IR LEDs just to have.
What I don't understand is with such capabilities, why weren't Michelle carters texts flagged? Or the heather Mack texts/fb messages. Or the texts revolving around the death of Tim piazza at penn state? If the capability to save these people was there, why wasn't it exercised?
He states it in the video: they are incredibly overwhelmed with data coming in and are just using "old search methods" such as word search that he deems ineffective.
My understanding is that this bulk data gathering is not as much as preventing attacks but further securing of power for the strange amalgamation that we would call the federal government.
Having left his job more than 15 years ago, is there any chance that he's simply not aware of the actual methods they're using?
I know in other fields the ability to do concept searching (via LSI and other techniques), rather than simple text based searching, has been in use for many years. His example/problem of a search for "bomb" bringing up noise (such as an email talking about a QB throwing a 'bomb' pass) should have long ago been solved.
Even if they cared, they wouldn't risk burning a source/method over a couple of teenagers potentially harming themselves or each other. This apparatus isn't about helping police, it's about state control, ostensibly of things like immigration and terrorism, but realistically as you say it's pure power.
It's odd reading about this on HN.. Paul Graham sprading bayesian flagging long ago. One thing though... money isn't everything; I can imagine NSA employees being blindsighted by their own resources and keep using a hammer to kill a fly.
That was years ago - By now, I'm sure they run it all through deep networks and ought to easily be able to "search by thought" - for example, "find all people who have considered or ever talked about blowing up something in a non sarcastic way".
Neural networks, with enough training data (which the NSA surely possesses), and enough compute power (which the NSA also possesses), could easily do this.
Occam's razor says it's because the capability to gather far exceeds the NSA's ability to analyze. The data they collect is probably run through basic automated analysis (probably keywords, sentiment, and social network analysis, possibly some attempt to correlate to interesting real-world activity like purchase of large amounts of fertilizer, etc). But mostly the cache is used for retroactive surveillance to catch colluders after an event. The data would also be useful for local law enforcement (a kind of "super tap"), and certainly they have the eyes (if not the skill) to analyze the data, but that's a political hot potato. (And thank God - there are plenty of local police chiefs just itching to send the SWAT team in to a family home based on NSA "cyber").
Note that one of the more useful and interesting uses for this data would be political demographic analysis more comprehensive than anything available legitimately. It could also be used to target leakers, especially if you could use devices to put 3rd parties in the same room. E.g. my phone hears or sees you and your friend together, even if you don't have phones.
>But mostly the cache is used for retroactive surveillance to catch colluders after an event.
The bar for collusion is really low. Look at what happened to the pot dealer for the guys that bombed the Boston marathon.
The odds of any one transaction coming back to get you are practically and almost literally zero but when something bad happens it doesn't happen in a vacuum. The bank robbers have to buy their getaway car from someone.
Their analysts cannot query on US Person Information, so unless this was discussed in foreign-to-foreign communications, flagging would not be possible.
His main point as I understood it seems to be that the problem is the direction of the organization demands that it continue to grow in that direction. More data means more power which demands more funding but also leads to less effectiveness at what they are actually supposed to be doing. It's really smart that he is confronting the problem by trying to create a legal framework that can steer the ship in a better direction. I really appreciate his work.
As they say, any bureaucracy will eventually be controlled by people trying to preserve the bureaucracy rather than those trying to achieve the actual goals of the bureaucracy.
Or:
> Pournelle's Iron Law of Bureaucracy states that in any bureaucratic organization there will be two kinds of people":
> First, there will be those who are devoted to the goals of the organization. Examples are dedicated classroom teachers in an educational bureaucracy, many of the engineers and launch technicians and scientists at NASA, even some agricultural scientists and advisors in the former Soviet Union collective farming administration.
> Secondly, there will be those dedicated to the organization itself. Examples are many of the administrators in the education system, many professors of education, many teachers union officials, much of the NASA headquarters staff, etc.
> The Iron Law states that in every case the second group will gain and keep control of the organization. It will write the rules, and control promotions within the organization.
Apologies if this may sound a little naive, but I can't help but wonder; Can anything be done about this situation within the next couple of years? Or is this process of mass data collection just going to continue and reach an irreversible stage where those agencies' power is out of control?
Making the issue key for reelection to congress would have an impact. Absent that I think we'll have to wait for a favorable court result, which may be difficult or impossible.
Gotta be careful with that - make too much encrypted and there will be pressure to change the law to make encryption illegal.
I think the existing state with e2e encryption easily accessible to those who care, but not enabled by default in many areas, is probably ideal.
I'd like to see more work on encryption of the metadata - for example, hiding who is sending messages to who, and when. The who, where and when of communications leaks nearly as much private data as the content itself.
Currently, tech for hiding who, where, and when isn't easy enough to use.
Here's something that pops in my head every time Binney comes up, but I've never quite articulated it...
Let's just assume for the moment that outcome X is good while outcome Y is bad. (I know most people wouldn't agree with that as applied to the NSA's history of wide-net surveillance, but just stick with me...)
You design a system that technically delivers outcome X. It could technically deliver outcome Y, but you didn't implement it to deliver that outcome. However, there is nothing at all preventing outcome Y from being achieved with your system other than stated policy. Additionally, your system as designed brings the possibility of outcome Y much closer to fruition at a fraction of the cost of the quotes from contractors from the time.
It comes to be known that your system has been trivially revised to achieve outcome Y, and you become a dissident. Now you take on the responsibility of educating people about what can be achieved with your system, and systems like it.
I get that part. But here's the question: what was Binney's responsibility in designing the system in the first place? In interviews I've watched he seems to justify his contribution to the program by referring to the policy at the time-- to only use wide-net surveillance data gleaned from the internet on non-U.S. citizen targets overseas, and nobody ever imagined it would be turned around to spy on the domestic population.
But has anyone ever asked him if he regrets building a system in the first place that lowered the cost on a type of surveillance the risks of which are not well-understood? In that sense I don't see anything different in what he did than what the Stuxnet authors did. And I'm quite sure if a whistleblower from that team went public someone would ask why they thought it was responsible to build it in the first place.
Yes, there is a lesson there for all of us. For a quick (~4 hour) recent computer game on the same subject (very well executed, IMHO) check out Orwell: https://news.ycombinator.com/item?id=13549725
Can't you take it as an axiom that if someone can build something that can do Y, that you should assume its construction is inevitable? And isn't it always better to be the one building it first than to be the one building it second?
The codenames do not provide a material insight, also "what" is being done is very different to "how". An audience such as CCC would be more interested in the "how".
It is clear that major Internet companies are colluded with the government, including hardware manufacturers (Intel).
Bill mentions that the current solutions are much more expansive, so it seems very likely that the NSA uses a private Google Cloud Video Intelligence[1] installation with TPUs in combination with their current iteration of TREASUREMAP.
This would enable the NSA to search based on scene descriptions of likely crimes and get government-ID tagging with GPS. This would serve as an effective filtering system and increase the productivity of intelligence operators.
I'm having trouble understanding what you mean to imply here, or how it relates to likely crimes and GPS tagging. Could you elaborate?
Additionally, I am not sure how TREASUREMAP relates to the rest of your comment, as TREASUREMAP is essentially Shodan with more datasets included based on publicly available, commercially available, and collected data.
EDIT: Watching video now and I understand your interpretation of TREASUREMAP...this is bizarre...he appears to believe it is something else entirely. Here is the full presentation he referenced for context though (Warning: TS/SI): https://assets.documentcloud.org/documents/1301057/tm-m-402....
84 comments
[ 2.6 ms ] story [ 155 ms ] threadIs that the relevant part? Haha
I am a mere peasant worthless dumb and powerless. Another gusano.
But it's already come out that searching for Tails or Tor can set off NSA flags, so I was pointing out that reading Chaos Computer Club accounts of NSA surveillance practices sounds like another likely way to be flagged.
It sure is, meaning that a privacy conscious person is not a friend of a government and needs to be held in check. It's also quite disturbing that NSA is surveilling political parties around the World to excerpt pressure on them and to get geopolitical and economic influence.
This is what I'm countering, perhaps something like this needs to be discussed as it's in the public interest.
All of this under the banner of state secrets justifying these actions. Whereas in any corporation or visible branch of government the waste would have been a scandal. In the NSA the use of state secrets means power concentrates and individual employees have little recourse (Snowden, etc.).
Of course whether those slides would cause 'serious damage' to national security is a whole other matter or maybe it was 'authorized'.
Classified information does not become unclassified just because it is publicly available if I remember correctly. Either way, I can't comment on whether including them in his slides is disclosing/divulging or not.
As far as the actual legality of the things he does, it seems like pretty much everything in the talk I had heard before, mostly through the Snowden files.
Yes, at least in this talk he's very careful only to disclose what can be inferred from already public information (e.g. Snowden leaks). People from his former line of work are kind of used to this, I guess, as they probably cannot even discuss every detail of what they're doing with all of their own colleagues during lunch breaks.
https://www.washingtonpost.com/investigations/us-intelligenc...
https://cryptome.org/2014/01/nsa-prism-dk.pdf
You have to put together what we know about PRISM with recent testimony.
https://en.wikipedia.org/wiki/Jewel_v._NSA is extremely important here. The NSA argues it can collect virtually every scrap of data flowing across US communications systems and that it does not violate your rights because as long as no one is looking at it your 4th amendment rights aren't violated. So to "look" at the data they get a secret FISA warrant. Jewel was defeated in court with the same tired argument of Clapper et. al -- "Your facts are inaccurate, but we won't tell you how because it is a state secret. Case dismissed. You let us worry about protecting your privacy within our walled garden."
NSA directors have a long history dating back to 2002 with Hayden of misleading congress and then saying "oops, sorry about that." It is a naked power game between congress and the executive branch and a bit of political chicken because the intelligence committees can only go so far before the president/white house can say the legislative branch is undermining your freedom and aren't tough on terror.... which will not go well for anyone at reelection time if it sticks.
The back and forth goes on. The picture painted, and I can't dig everything up is that, essentially, the NSA collects almost everything that happens on US soil. It has a legal fiction via executive orders (see Snowden emails) that let it do this. And then if searches of this data turn up anything interesting (since automated computer searches don't require a warrant under this legal fiction) they then apply for a secret FISA warrant and then humans can "look" at the collected data. And since no humans were collecting or looking at your data your 4A rights are fine and safe.
edit: I guess I meant to add this legal construction is why the "how" of their collection matters so much. Until we have accurate details of the "how" we can't even begin to argue against them in open court. And since the executive branch tries its very best to keep the "how" secret (for many not obvious reasons!) these things are important. I have seen people dismiss the importance of the technical details as just bits and bytes and what matters is the politics at play, but the "how" is very important as shown by the failure of Jewel to win in court due to specious "state secrets" arguments.
Quarterly production of hard drives is around 100-140 million. That's quite a big slice of global production.
The buying operation of this scale should be visible somewhere on the price charts.
Backup tapes have significant capacity and are cheaper than hard drives.
US defense spending built most of the technology industry. That activity didn't stop.
One can probably leave out all the torrents, youtube and netflix videos that fly across the internet. Stick to text of emails, calls and chats only. Suddenly you only need a few thousand drives.
My understanding is that this bulk data gathering is not as much as preventing attacks but further securing of power for the strange amalgamation that we would call the federal government.
I know in other fields the ability to do concept searching (via LSI and other techniques), rather than simple text based searching, has been in use for many years. His example/problem of a search for "bomb" bringing up noise (such as an email talking about a QB throwing a 'bomb' pass) should have long ago been solved.
Neural networks, with enough training data (which the NSA surely possesses), and enough compute power (which the NSA also possesses), could easily do this.
Note that one of the more useful and interesting uses for this data would be political demographic analysis more comprehensive than anything available legitimately. It could also be used to target leakers, especially if you could use devices to put 3rd parties in the same room. E.g. my phone hears or sees you and your friend together, even if you don't have phones.
The bar for collusion is really low. Look at what happened to the pot dealer for the guys that bombed the Boston marathon.
The odds of any one transaction coming back to get you are practically and almost literally zero but when something bad happens it doesn't happen in a vacuum. The bank robbers have to buy their getaway car from someone.
Or:
> Pournelle's Iron Law of Bureaucracy states that in any bureaucratic organization there will be two kinds of people":
> First, there will be those who are devoted to the goals of the organization. Examples are dedicated classroom teachers in an educational bureaucracy, many of the engineers and launch technicians and scientists at NASA, even some agricultural scientists and advisors in the former Soviet Union collective farming administration.
> Secondly, there will be those dedicated to the organization itself. Examples are many of the administrators in the education system, many professors of education, many teachers union officials, much of the NASA headquarters staff, etc.
> The Iron Law states that in every case the second group will gain and keep control of the organization. It will write the rules, and control promotions within the organization.
I think the existing state with e2e encryption easily accessible to those who care, but not enabled by default in many areas, is probably ideal.
I'd like to see more work on encryption of the metadata - for example, hiding who is sending messages to who, and when. The who, where and when of communications leaks nearly as much private data as the content itself.
Currently, tech for hiding who, where, and when isn't easy enough to use.
Let's just assume for the moment that outcome X is good while outcome Y is bad. (I know most people wouldn't agree with that as applied to the NSA's history of wide-net surveillance, but just stick with me...)
You design a system that technically delivers outcome X. It could technically deliver outcome Y, but you didn't implement it to deliver that outcome. However, there is nothing at all preventing outcome Y from being achieved with your system other than stated policy. Additionally, your system as designed brings the possibility of outcome Y much closer to fruition at a fraction of the cost of the quotes from contractors from the time.
It comes to be known that your system has been trivially revised to achieve outcome Y, and you become a dissident. Now you take on the responsibility of educating people about what can be achieved with your system, and systems like it.
I get that part. But here's the question: what was Binney's responsibility in designing the system in the first place? In interviews I've watched he seems to justify his contribution to the program by referring to the policy at the time-- to only use wide-net surveillance data gleaned from the internet on non-U.S. citizen targets overseas, and nobody ever imagined it would be turned around to spy on the domestic population.
But has anyone ever asked him if he regrets building a system in the first place that lowered the cost on a type of surveillance the risks of which are not well-understood? In that sense I don't see anything different in what he did than what the Stuxnet authors did. And I'm quite sure if a whistleblower from that team went public someone would ask why they thought it was responsible to build it in the first place.
I looked at it, I didn't feel any chilling effect. From an engineering point of view its interesting. Maybe I'm too dumb to process fear.
It is clear that major Internet companies are colluded with the government, including hardware manufacturers (Intel).
This would enable the NSA to search based on scene descriptions of likely crimes and get government-ID tagging with GPS. This would serve as an effective filtering system and increase the productivity of intelligence operators.
1. https://cloud.google.com/video-intelligence/
Nope.
Additionally, I am not sure how TREASUREMAP relates to the rest of your comment, as TREASUREMAP is essentially Shodan with more datasets included based on publicly available, commercially available, and collected data.
EDIT: Watching video now and I understand your interpretation of TREASUREMAP...this is bizarre...he appears to believe it is something else entirely. Here is the full presentation he referenced for context though (Warning: TS/SI): https://assets.documentcloud.org/documents/1301057/tm-m-402....