
What the NSA chief didn't tell Black Hat

Gen. Keith Alexander described a tightly controlled phone-data collection system but failed to mention repeated violations

By , Network World
September 11, 2013 08:50 PM ET

Network World - When NSA chief Gen. Keith Alexander addressed Black Hat earlier this year, he painted a rosy picture of how well the agency controls access to its phone record database, but he never brought up the cases in which those controls broke down, data was accessed without authorization, and records were shared among analysts who should not have seen them.


Documents just released by the government say that, far from being the well-oiled machine Alexander described to the security conference last month, the so-called business-record metadata gathering program was repeatedly misused, data about activity on certain phone lines was accessed without appropriate authorization, and no single person at the NSA understood the technicalities of the system architecture.


Not only that, the NSA misled the Foreign Intelligence Surveillance Court about its misuse of the data, according to FISC documents from 2009.

At Black Hat, Alexander described the call-detail records gathered by the NSA and stockpiled in a database for five years at a time as well guarded and queried only when there is “reasonable actionable suspicion” that a specific phone number is linked to foreign terrorists.

“The database is like a lockbox,” Alexander said at the time. “The controls that go on this database are greater than any data repository in government, and the oversight is the same.”

The database consists of date and time of calls, calling number or IP address, called number or IP address, duration of calls or length of emails and the origin of the metadata information. The NSA vacuums up this data from service providers on all calls and taps into it only under controlled circumstances – or at least that’s how it is supposed to work.

But in 2009 the NSA list of phone numbers being checked consisted mostly of numbers that had not met the reasonable actionable suspicion standard, according to a March 2, 2009 order by FISC Judge Reggie B. Walton.

One problem was that, for years, nobody at the NSA understood the system in its entirety. “In fact,” Walton wrote, “the government acknowledges that, as of August 2006, ‘there was no single person who had a complete understanding of the BR FISA system architecture.’”

One of the NSA’s excuses was that it thought the reasonable actionable suspicion rule applied only to data residing in certain NSA databases, not to data rolling in from service providers about calls being made day-to-day. “That interpretation of the Court's Orders strains credulity,” Walton wrote. If that interpretation were accurate, it would mean the rule was merely optional, he wrote.

The NSA further argued that this misuse of the database wasn’t surprising because that’s how data gathered from other sources is handled. That means the root problem was not that there was a misunderstanding between the NSA and the court, but that the NSA decided on its own that the court-approved rules didn’t apply, Walton wrote.
