[liberationtech] Meet the Spies Doing the NSA's Dirty Work

Eugen Leitl eugen at leitl.org
Wed Nov 27 05:08:26 PST 2013


http://www.foreignpolicy.com/articles/2013/11/21/the_obscure_fbi_team_that_does_the_nsa_dirty_work?hidecomments=yes&page=full

Meet the Spies Doing the NSA's Dirty Work

This obscure FBI unit does the domestic surveillance that no other
intelligence agency can touch.

BY SHANE HARRIS | NOVEMBER 21, 2013

With every fresh leak, the world learns more about the U.S. National Security
Agency's massive and controversial surveillance apparatus. Lost in the
commotion has been the story of the NSA's indispensable partner in its global
spying operations: an obscure, clandestine unit of the Federal Bureau of
Investigation that, even for a surveillance agency, keeps a low profile.

When the media and members of Congress say the NSA spies on Americans, what
they really mean is that the FBI helps the NSA do it, providing a technical
and legal infrastructure that permits the NSA, which by law collects foreign
intelligence, to operate on U.S. soil. It's the FBI, a domestic U.S. law
enforcement agency, that collects digital information from at least nine
American technology companies as part of the NSA's Prism system. It was the
FBI that petitioned the Foreign Intelligence Surveillance Court to order
Verizon Business Network Services, one of the United States' biggest telecom
carriers for corporations, to hand over the call records of millions of its
customers to the NSA.

But the FBI is no mere errand boy for the United States' biggest intelligence
agency. It carries out its own signals intelligence operations and is trying
to collect huge amounts of email and Internet data from U.S. companies -- an
operation that the NSA once conducted, was reprimanded for, and says it
abandoned.

The heart of the FBI's signals intelligence activities is an obscure
organization called the Data Intercept Technology Unit, or DITU (pronounced
DEE-too). The handful of news articles that mentioned it prior to revelations
of NSA surveillance this summer did so mostly in passing. It has barely been
discussed in congressional testimony. An NSA PowerPoint presentation given to
journalists by former NSA contractor Edward Snowden hints at DITU's pivotal
role in the NSA's Prism system -- it appears as a nondescript box on a
flowchart showing how the NSA "task[s]" information to be collected, which is
then gathered and delivered by the DITU.

But interviews with current and former law enforcement officials, as well as
technology industry representatives, reveal that the unit is the FBI's
equivalent of the National Security Agency and the primary liaison between
the spy agency and many of America's most important technology companies,
including Google, Facebook, YouTube, and Apple.

The DITU is located in a sprawling compound at Marine Corps Base Quantico in
Virginia, home of the FBI's training academy and the bureau's Operational
Technology Division, which runs all the FBI's technical intelligence
collection, processing, and reporting. Its motto: "Vigilance Through
Technology." The DITU is responsible for intercepting telephone calls and
emails of terrorists and foreign intelligence targets inside the United
States. According to a senior Justice Department official, the NSA could not
do its job without the DITU's help. The unit works closely with the "big
three" U.S. telecommunications companies -- AT&T, Verizon, and Sprint -- to
ensure its ability to intercept the telephone and Internet communications of
its domestic targets, as well as the NSA's ability to intercept electronic
communications transiting through the United States on fiber-optic cables.

For Prism, the DITU maintains the surveillance equipment that captures what
the NSA wants from U.S. technology companies, including archived emails,
chat-room sessions, social media posts, and Internet phone calls. The unit
then transmits that information to the NSA, where it's routed into other
parts of the agency for analysis and used in reports.

After Prism was disclosed in the Washington Post and the Guardian, some
technology company executives claimed they knew nothing about a collection
program run by the NSA. And that may have been true. The companies would
likely have interacted only with officials from the DITU and others in the
FBI and the Justice Department, said sources who have worked with the unit to
implement surveillance orders.

"The DITU is the main interface with providers on the national security
side," said a technology industry representative who has worked with the unit
on many occasions. It ensures that phone companies as well as Internet
service and email providers are complying with surveillance law and
delivering the information that the government has demanded and in the format
that it wants. And if companies aren't complying or are experiencing
technical difficulties, they can expect a visit from the DITU's technical
experts to address the problem.

* * *

Recently, the DITU has helped construct data-filtering software that the FBI
wants telecom carriers and Internet service providers to install on their
networks so that the government can collect large volumes of data about
emails and Internet traffic.

The software, known as a port reader, makes copies of emails as they flow
through a network. Then, in practically an instant, the port reader dissects
them, removing only the metadata that has been approved by a court.

The FBI has built metadata collection systems before. In the late 1990s, it
deployed the Carnivore system, which the DITU helped manage, to pull header
information out of emails. But the FBI today is after much more than just
traditional metadata -- who sent a message and who received it. The FBI wants
as many as 13 individual fields of information, according to the industry
representative. The data include the route a message took over a network,
Internet protocol addresses, and port numbers, which are used to handle
different kinds of incoming and outgoing communications. Those last two
pieces of information can reveal where a computer is physically located --
perhaps along with its user -- as well as what types of applications and
operating system it's running. That information could be useful for
government hackers who want to install spyware on a suspect's computer -- a
secret task that the DITU also helps carry out.

The DITU devised the port reader after law enforcement officials complained
that they weren't getting enough information from emails and Internet
traffic. The FBI has argued that under the Patriot Act, it has the authority
to capture metadata and doesn't need a warrant to get them. Some federal
prosecutors have gone to court to compel port reader adoption, the industry
representative said. If a company failed to comply with a court order, it
could be held in contempt.

The FBI's pursuit of Internet metadata bears striking similarities to the
NSA's efforts to obtain the same information. After the 9/11 terrorist
attacks, the agency began collecting the information under a secret order
signed by President George W. Bush. Documents that were declassified Nov. 18
by Barack Obama's administration show that the agency ran afoul of the
Foreign Intelligence Surveillance Court after it discovered that the NSA was
collecting more metadata than the court had allowed. The NSA abandoned the
Internet metadata collection program in 2011, according to administration
officials.

But the FBI has been moving ahead with its own efforts, collecting more
metadata than it has in the past. It's not clear how many companies have
installed the port reader, but at least two firms are pushing back, arguing
that because it captures an entire email, including content, the government
needs a warrant to get the information. The government counters that the
emails are only copied for a fraction of a second and that no content is
passed along to the government, only metadata. The port reader is also designed
to collect information about the size of communications packets and traffic
flows, which can help analysts better understand how communications are moving
on a network. It's unclear whether this data is considered metadata or content;
it appears to fall within a legal gray zone, experts said.

* * *

The DITU also runs a bespoke surveillance service, devising or building
technology capable of intercepting information when the companies can't do it
themselves. In the early days of social media, when companies like LinkedIn
and Facebook were starting out, the unit worked with companies on a technical
solution for capturing information about a specific target without also
capturing information related to other people to whom the target was
connected, such as comments on posts, shared photographs, and personal data
from other people's profiles, according to a technology expert who was
involved in the negotiations.

The technicians and engineers who work at the DITU have to stay up to date on
the latest trends and developments in technology so that the government
doesn't find itself unable to tap into a new system. Many DITU employees used
to work for the telecom companies that have to implement government
surveillance orders, according to the industry representative. "There are a
lot of people with inside knowledge about how telecommunications work. It's
probably more intellectual property than the carriers are comfortable with
the FBI knowing."

The DITU has also intervened to ensure that the government maintains
uninterrupted access to the latest commercial technology. According to the
Guardian, the unit worked with Microsoft to "understand" potential obstacles
to surveillance in a new feature of Outlook.com that let users create email
aliases. At the time, the NSA wanted to make sure that it could circumvent
Microsoft's encryption and maintain access to Outlook messages. In a
statement to the Guardian, Microsoft said, "When we upgrade or update
products we aren't absolved from the need to comply with existing or future
lawful demands." It's the DITU's job to help keep companies in compliance. In
other instances, the unit will go to companies that manufacture surveillance
software and ask them to build in particular capabilities, the industry
representative said.

The DITU falls under the FBI's Operational Technology Division, home to
agents, engineers, electronic technicians, computer forensics examiners, and
analysts who "support our most significant investigations and national
security operations with advanced electronic surveillance, digital forensics,
technical surveillance, tactical operations, and communications
capabilities," according to the FBI's website. Among its publicly disclosed
capabilities are surveillance of "wireline, wireless, and data network
communication technologies"; collection of digital evidence from computers,
including audio files, video, and images; "counter-encryption" support to
help break codes; and operation of what the FBI claims is "the largest fixed
land mobile radio system in the U.S."

The Operational Technology Division also specializes in so-called black-bag
jobs to install surveillance equipment, as well as computer hacking, referred
to on the website as "covert entry/search capability," which is carried out
under law enforcement and intelligence warrants.

The tech experts at Quantico are the FBI's silent cybersleuths. "While [the
division's] work doesn't typically make the news, the fruits of its labor are
evident in the busted child pornography ring, the exposed computer hacker,
the prevented bombing, the averted terrorist plot, and the prosecuted corrupt
official," according to the website.

According to former law enforcement officials and technology industry
experts, the DITU is among the most secretive and sophisticated outfits at
Quantico. The FBI declined Foreign Policy's request for an interview about
the unit. But in a written statement, an FBI spokesperson said it "plays a
key role in providing technical expertise, services, policy guidance, and
support to the FBI and the intelligence community in collecting evidence and
intelligence through the use of lawfully authorized electronic surveillance."

In addition to Carnivore, the DITU helped develop early FBI Internet
surveillance tools with names like CoolMiner, Packeteer, and Phiple Troenix.
One former law enforcement official said the DITU helped build the FBI's
Magic Lantern keystroke logging system, a device that could be implanted on a
computer and clandestinely record what its user typed. The system was devised
to spy on criminals who had encrypted their communications. It was part of a
broader surveillance program known as Cyber Knight.

In 2007, Wired reported that the FBI had built another piece of surveillance
malware to track the source of a bomb threat against a Washington state high
school. Called a "computer and Internet protocol address verifier," it was
able to collect details like IP addresses, a list of programs running on an
infected computer, the operating system it was using, the last web address
visited, and the logged-in user name. The malware was handled by the FBI's
Cryptologic and Electronic Analysis Unit, located next door to the DITU's
facilities at Quantico. Wired reported that information collected by the
malware from its host was sent via the Internet to Quantico.

The DITU has also deployed what the former law enforcement official described
as "beacons," which can be implanted in emails and, when opened on a target's
computer, can record the target's IP address. The former official said the
beacons were first deployed to track down kidnappers.

* * *

Lately, one of the DITU's most important jobs has been to keep track of
surveillance operations, particularly as part of the NSA's Prism system, to
ensure that companies are producing the information that the spy agency wants
and that the government has been authorized to obtain.

The NSA is the most frequent requester of the DITU's services, sources said.
There is a direct fiber-optic connection between Quantico and the agency's
headquarters at Fort Meade, Maryland; data can be moved there instantly. From
the companies' perspective, it doesn't much matter where the information ends
up, so long as the government shows up with a lawful order to get it.

"The fact that either the targets are coming from the NSA or the output goes
to the NSA doesn't matter to us. We're being compelled. We're not going to do
any more than we have to," said one industry representative.

But having the DITU act as a conduit provides a useful public relations
benefit: Technology companies can claim -- correctly -- that they do not
provide any information about their customers directly to the NSA, because
they give it to the DITU, which in turn passes it to the NSA.

But in the government's response to the controversy that has erupted over
government surveillance programs, FBI officials have been conspicuously
absent. Robert Mueller, who stepped down as the FBI's director in September,
testified before Congress about disclosed surveillance only twice, and that
was in June, before many of the NSA documents that Snowden leaked had been
revealed in the media. On Nov. 14, James Comey gave his first congressional
testimony as the FBI's new director, and he was not asked about the FBI's
involvement in surveillance operations that have been attributed to the NSA.
Attorney General Eric Holder has made few public comments about surveillance.
(His deputy has testified several times.)

The former law enforcement official said Holder and Mueller should have
offered testimony and explained how the FBI works with the NSA. He was
concerned by reports that the NSA had not been adhering to its own
minimization procedures, which the Justice Department and the FBI review and
vouch for when submitting requests to the Foreign Intelligence Surveillance
Court.

"Where they hadn't done what was represented to the court, that's
unforgivable. That's where I got sick to my stomach," the former law
enforcement official said. "The government's position is, we go to the court,
apply the law -- it's all approved. That makes for a good story until you
find out what was approved wasn't actually what was done."
