Keynote - Cindy Cohn

Post on 09-Jul-2015

Clio Cloud Conference 2014

SEPTEMBER 22 – 23, 2014 · CHICAGO, ILLINOIS

Clio Cloud Conference 2014 #ClioCloud9

NSA Spying: Mass US Collection Basics

by Cindy Cohn

NSA Spying Mass US Collection Basics

• Internet Backbone collection

• Telephone records collection

• A few more things

• NOT PRISM, Internet metadata or foreign collection

Turning upside down

• Collect everything first and analyze

• Phone records

• Prism/Upstream

• Sort out what you actually need second

• Rely heavily on minimization

• “the Founders did not fight a revolution to gain the right to government agency protocols” Riley v. California (June 25, 2014)

Fourth Amendment

Response to General Warrants; Riley

* First question: is it a search or seizure

- Govt says no if metadata – Smith case

* If Search then warrant needed

- FISC orders are NOT warrants

- Or exception

Special needs turns on totality of the circumstances and reasonableness

* Also First Amendment

"the child independence was then and there born, [for] every man of an immense crowded audience appeared to me to go away as I did, ready to take arms against writs of assistance."

- John Adams

First Amendment

* Right of Association

- NAACP v. Alabama

- Prop 8 case

* If likely chilling effect

- Then must show “least restrictive means” and “narrow tailoring”

* Gov’t says doesn’t apply if not aimed at associations

FISA Amendments Act

* Section 702 was passed in 2008, and the government relies on this for the collection of content.

* Targeting and Minimization docs

- Aimed at foreign targets

- Encrypted information kept forever

- Can “Tip” the FBI on criminal (and maybe IRS, DEA and others)

Phone Records Collection

“all call detail records or ‘telephony metadata’ created by Verizon for communications (i) between the United States and abroad; or (ii) wholly within the United States, including local telephone calls.”

Originating and terminating phone nos., IMSI #, IMEI #, trunk identifier, telephone calling card numbers, and time and duration of call

Renewed every 90 days, kept 5 years

Section 215 of PATRIOT Act

Section 215 amended FISA to allow orders to produce “tangible things”

Must be “relevant to an authorized investigation (other than a threat assessment)”

No broader than a Grand Jury Subpoena

Why Metadata Matters

You rang a phone sex service at 2:24 am and spoke for 18 minutes.

You called the suicide prevention hotline from the Golden Gate Bridge.

You spoke with an HIV testing service, then your doctor, then your health insurance company in the same hour.

Felten declaration in ACLU v. Clapper

Phone Records Cases

Klayman v. Obama (DC Circuit)

ACLU v. Clapper (2nd Circuit)

EFF:

Smith v. Obama (9th Circuit)

First Unitarian Church of Los Angeles v. NSA

Jewel v. NSA (since 2008!)

And Also: Sabotage, Malware

* Bullrun 5 Sept 2013

“Insert vulnerabilities into commercial systems”

“covertly influence and/or overtly leverage commercial products’”

“Shape the worldwide commercial cryptography marketplace to make it more tractable to NSA

“To the consumer and other adversaries, however, the systems' security remains intact.”

* Targeting Tor

* I Hunt Sysadmins

Exploit weaknesses: Google smiley face, Angry Birds

Phishing: Quantum Exploit faking Facebook

Then installing Malware that can turn on cameras, microphones, collect passwords and taking total control of computer

* Scooping up cookies: Google PREF cookies and others

What Is EFF Doing?

• Litigation

• Phone records:

Smith v. Obama

Jewel v. NSA (filed in 2008)

First Unitarian v. NSA (filed July 2014)

• FOIA

• Amicus

Lavabit

Support for criminal cases based on surveillance

Klayman and ACLU phone records case

Legislation

USA Freedom

Currently support but it’s very small

End mass collection is goal

But wiggle room and we know govt plays word games

FISC reform

Advocate and maybe more opinions published

Modest transparency (but not FBI)

And: International

13 Principles (necessaryandproportionate.net)

Around 600 organizations worldwide

UN Special Rapporteurs

UN High Commissioner for HR report

Legal processes ECHR complaint

OAS hearing

Don’t Forget: Technology

Questions?

Cindy Cohn

Legal Director, EFF

Cindy@eff.org