How NSA hacks the whole world

The NSA is building a $2-billion facility in Utah, which will have the capacity to store and process data equivalent to one million DVDs for every man, woman and child on earth.


EDWARD SNOWDEN, a 29-year-old former employee of Booz Allen Hamilton, a defence contractor in the United States, has blown the cover off the vast snooping empire that the U.S. has built. The Guardian and The Washington Post have published only a small fraction of the explosive material that Snowden has shared with them, with promise of more to come. The hitherto not-so-well-known security agency of the U.S.—the National Security Agency (NSA)—has now emerged as the linchpin of the mind-blowing 2 petabytes (1 petabyte is equal to a million gigabytes) of data that the U.S. collect every hour—e-mails, text messages, voice conversations, videos, and so on.


The NSA is building a new $2 billion facility in Utah, which, when ready, will have a capacity to store and process data equivalent to one million DVDs for every man, woman and child on earth! Every digital footfall, every bit of digital information, could be a part of NSA’s database. Welcome to George Orwell’s dystopia Nineteen Eighty-Four, even if 1984 has come a tad late.


The NSA processes this enormous stored data with a variety of data mining tools and programs. This, in today’s technical lingo, is called Big Data.


The Guardian has published a report on one such program, Boundless Informant, which showed that 97 billion pieces of intelligence were collected from around the globe in the month of March 2013 alone. Snowden’s exposure of another of these programs—called PRISM—shows that the U.S. has not only tapped into the global telecom networks but also gained access to the data of nine global Internet giants—Google, Microsoft, Yahoo!, Apple, Facebook, and four others.


Subsequently, The Guardian has revealed that the NSA and the United Kingdom’s Government Communications Headquarters (GCHQ), the British equivalent of the NSA, jointly spied on the G20 summit held in London in 2009. The snooping used a variety of methods, from tapping satellite signals to specially prepared Internet cafes for the delegations, and targeted not only Russia, but even Turkey, a member of the North Atlantic Treaty Oranisation (NATO). This G20 meeting was largely focussed on economic matters, and the spying of the delegations was to give the U.S. and U.K. delegations a negotiating advantage by knowing—in real time—the positions of other delegations. Manmohan Singh as India’s Prime Minister attended this G20 meeting.


What has created particular concern in the U.S. is that under the secretive Foreign Intelligence Surveillance Act (FISA) court orders, all the U.S. telecom companies have given the NSA all the transaction records of their millions of subscribers. Transactional data, or what is called metadata, are not the actual phone conversations but records of who talked to whom, from where and for how long. As experts have pointed out, this is almost as revealing as the actual conversation itself. Just one such FISA order served on Verizon (published by The Guardian) shows the omnibus nature of such orders—Furnish all records of all your subscribers.


The outrage in the U.S. has largely focussed on its citizens being subjected to NSA surveillance. That the U.S. is hacking into all the communications of the rest of the world has barely entered this discourse. And this is what should concern us—the other 95 per cent of the world who are not U.S. citizens.


The U.S. and its Anglo Saxon allies, the U.K., Canada, Australia, New Zealand, had set up a program called Echelon after the Second World War for spying on the global telecommunications network. Echelon was investigated by the European Union (E.U.), which issued a report in 2001 on its activities, particularly that of Echelon passing sensitive commercial information to help the U.S. and U.K. firms against their E.U. competitors. Echelon received a fillip with the setting up of the NSA in 1952. While retiring agents of the Central Intelligence Agency (CIA) start penning their memoirs even before they have quit, the NSA has managed to keep itself out of the limelight until now. Though the three earlier NSA whistle–blowers, Thomas Drake, William Binney and J. Kirk Wiebe, have been saying for years that NSA collects huge swathes of data of U.S. and non-U.S. citizens, it is the kind of details and documents that Snowden has provided that has finally caught the world’s attention.


What the Echelon program did earlier, NSA has now widened enormously. It is not just telecom cables being tapped and satellite communications being monitored. Two out of the five Snowden slides which have been published by The Guardian illustrate the nature of this surveillance. First is the global fibre optic network. As the U.S. is the world’s biggest fibre optic network hub, a huge part of global traffic passes through the U.S. It can then be tapped easily as all the U.S. carriers have obviously provided the U.S. government direct access to their networks. For example, we know that AT&T, in its Folsom Street Office in San Francisco, had allowed the NSA to install splitters that duplicate the data streams coming into AT&T switches from its global network, and divert one stream to a room housing NSA equipment. These data are then sent to NSA servers for storage and analysis. The Electronic Frontier Foundation (EFF) has questioned the validity of this program and has been fighting this case for the last four years with little result. In an affidavit submitted by the EFF, Mark Klein, a retired AT&T communications technician, stated that such splitting equipment was installed in other AT&T offices as well.


The Snowden slides also show another way that the global fibre optic network has been tapped. The U.S. is tapping into major trunk routes of the Internet in international waters; one of Snowden’s slides shows that there are three such taps—a tap off the coast of South America, one north of Africa and another in the Indian Ocean.


The last and the most discussed method of surveillance used by the NSA is tapping into the servers of global Internet companies. All the Silicon Valley giants mentioned in Snowden’s slide, speaking in almost identical language, have tried to say that they are not providing the NSA direct access to their servers, while at the same time admitting that they are duty bound under U.S. laws to provide the NSA any data it wants. What is clear is that they are providing some form of automated data delivery to the NSA that comply with the scope of requests and format of data desired by the NSA. They are also probably allowing the tapping of the telecom cables before entering their servers, similar to what AT&T has allowed in the Folsom Street case.


We have already seen that the scope of any one request —as shown in the FISA order on Verizon—can be millions of records. While the domestic clients of the U.S. have some protection, though weak under the U.S. law, the rest of the world has none. So the claim of the Internet companies that they only service legal requests of the U.S. agencies provide rather cold comfort to the rest of the world.


U.S. laws protect its citizens under the Fourth Amendment, which prohibits illegal search and seizures. While the U.S. agencies have other instruments to access their citizens’ data, the two preferred instruments are the National Security Letters (NSL) and FISA orders. These enable secrecy and lower evidentiary standards compared with other instruments (such as subpoena and warrants). The NSL mechanism has existed since 1978 but was rarely used, in part due to its extremely limited scope. This was expanded enormously after 9/11—with the enactment of the draconian Patriot Act in 2001 and the FISA Amendment Act in 2008.
Issuing an NSL requires no judicial oversight and can be done by any U.S. federal agency, Federal Bureau of Investigation (FBI), Homeland Security, Central Intelligence Agency (CIA), or NSA. All that it requires is that an officer of a certain rank issues the order. All information regarding such a letter is under a gag order—the organisation or person served with the letter cannot disclose that he or she has received such an order, or, indeed, the content of the order.


The FISA court, which is supposed to review all actions or requests for surveillance of the executive, virtually rubber-stamps all the requests it receives. Only 11 out of a total of 33,900 such surveillance requests have been denied by the FISA courts since 1980. All the proceedings of the FISA court are secret, including its orders. The only FISA order that is available to the public is the one Snowden has now disclosed regarding Verizon’s telephone records.


FISA was enacted in 1970 after widespread abuse of existing surveillance powers by the U.S. administration targeting critics of the Vietnam War, civil liberties movements, and so on. The primary purpose of FISA was to protect U.S. citizens from such abuse. After 9/11, the minimal checks and balances contained in the Act have been considerably weakened with various amendments to FISA.


The general acquisition and interception power, as well as the business records power under FISA, allow U.S. government agencies to compel access; possibly in real time, and definitely of stored data, of persons reasonably believed to be located outside the U.S. These powers are subject to minimisation requirements; the primary objective of these requirements is to minimise the targeting, collection and retention of private information of only U.S. citizens. The rest of the world is fair game and currently possesses virtually no protection under the U.S. domestic law.


After the public outcry about the massive spying being carried out by the NSA, the U.S. President and other officials have made candid statements. Barack Obama is now on record that the NSA has been reading content only of “foreigners” and not of U.S. citizens and therefore does not violate U.S. laws. The U.S. Congress is holding a hearing on the NSA leaks, but the title of its hearing is revealing: “How Disclosed NSA Programs Protect Americans, and Why Disclosure Aids Our Adversaries”, making clear what its conclusions are going to be.


Surveillance of India


India is one of the prominent targets of U.S. intelligence gathering. As shown by the Boundless Informant “heat” map published by The Guardian, it occupies the fifth place among countries under surveillance, with 6.3 billion pieces of data, and ahead of China and Russia. The reason for this penetration is quite simple. Not only do Google, Yahoo!, and Microsoft (Hotmail) have a large number of Indian users, even government agencies and officials routinely use these web-based services for their communications. In February 2013, after the Hyderabad bomb blast, India’s National Intelligence Agency (NIA) announced a reward of Rs.10 lakh for information; the e-mail address for receiving such communications was a Gmail address. The NIA is either unaware that Gmail is fully accessible to the U.S. intelligence agencies or it believes it has nothing to hide from the U.S. Even the Prime Minister’s Office and the Attorney General use such webmail services, as reported in Bloomberg Businessweek (July 18, 2011 /news/2011-07-18/india-government-s-use-of-hotmail-gmail-recipe-for-disaster-.html#p1). So do many other Ministries, and even the Indian Air Force. This recipe for disaster—as pointed out in Bloomberg’s 2011 report—is now confirmed by the Boundless Informant data.


The same ignorance or callousness is being displayed with regard to data relating to the unique identification number (UID)/Adhaar. The UID Authority has selected three U.S. companies—one for supporting and two for creating the data repository—without taking into consideration the fact that these U.S. companies are duty bound to furnish their data if asked for by the U.S. government (“Questions for Mr. Nilekani” by S.G. Vombatkere, The Hindu, February 6, 2013).


The other issue is the complete lack of data security pertaining to information on government websites, networks and computers. India has less than a 1,000 people manning its cyber security infrastructure. Worse, it is increasingly relying on U.S. companies in the name of partnership with the private sector as shown in the Joint Working Group for Cyber Security formed last year.


The Federation of Indian Chambers of Commerce and Industry (FICCI) and the National Association of Software and Service Companies (NASSCOM), the two agencies who are partnering Indian government’s cyber security exercises, have AT&T, Microsoft, Google, Facebook, and Yahoo! as key members, who are now known to be partnering the U.S. intelligence agencies. Similarly, the “Indian” team that the Ministry of Communications and Information Technology had constituted for the World Conference on How NSA hacks the whole world | Frontline… 2 of 3 29/05/15 2:03 pm Printable version | May 29, 2015 2:03:28 PM | © Frontline Telecommunications in Dubai in 2012 had representatives from the same companies. One can understand why the U.S. government partners U.S. companies; but why should the Indian government opt for the same partners?


The E.U.’s justice commissioner, Viviane Reding, has written to the U.S. Attorney-General asking for details of the PRISM program. India has stated that it considers hacking of Indian data “unacceptable”. Obviously, if all countries, except the U.S. and the U.K., are affected by the U.S. snooping, all of them have to come together for a new global architecture that prevents such wholesale hacking of their networks and data.


How the Internet is governed


This demands a relook at the basic infrastructure of the Internet and how it is being governed. Today, Internet Corporation for Assigned Names and Numbers (ICANN), the key Internet body, functions under a licence from the U.S. Department of Commerce. India, with certain other countries, had earlier called for a multilateral United Nations body to govern the Internet. The U.S. has opposed all such moves tooth and nail.


Attempts have also been made to bring certain aspects of the Internet, notably cyber security, under the International Telecom Union (ITU). Last year, the ITU placed some of these issues on the agenda of the World Conference on International Telecommunications (WCIT 2012) in Dubai, and the consequence was a veritable barrage of vilification launched against the ITU and its Director General. Civil society organisations were told that this was a ploy by authoritarian regimes such as China, Iran and Saudi Arabia to suborn the freedoms on the Internet. A lobbying group was formed by leading U.S. companies, including AT&T, Verizon, Microsoft, Google and Facebook, and this group led the global charge against the ITU. Proposals from countries such as Saudi Arabia and Russia were withdrawn because such proposals could have affected the freedom of the Internet; but still the U.S. and its allies walked out from WCIT, effectively preventing the emergence of any consensus. It is now clear that the issue before WCIT was not one of authoritarian regimes destroying the freedom of the Internet but that no limit should be placed on the U.S. intelligence agencies’ “right’ to hack the global Internet infrastructure.


The Internet is not only the global backbone of communications, it is also the repository of global knowledge. It is the key to our tomorrow. If we want to realise the true potential that the Internet can unlock, we need to step in right now. We need people across the globe to fight for an Internet which brings about a new world. Not an Orwellian World of Big Brother (or Brothers) watching all of us, but a world that fulfils the emancipatory vision of the Internet—bringing the world’s knowledge to our screens. This is the challenge before us.


Prabir Purkayastha is the Chairperson of Knowledge Commons, a body involved with Internet and Free Software issues. He is also the Vice President of Free Software Movement of India.