Showing posts with label privacy. Show all posts

Friday, April 03, 2020

COVID-19: Exiting Lockdown and Geolocation

Pressure will mount around the end of this month (assuming we are past the peak death rate and virus spread is under control) for the US to exit lockdown. This needs to be done in a smart way, which includes:

1. Required use of facemasks
2. Cocooning of vulnerable populations
3. Contact tracing and forced isolation of cases, perhaps using geolocation technology

See related posts

COVID-19: Smart Technologies and Exit from Lockdown (Singapore)
COVID-19: CBA, CFR, Open Borders
COVID-19: Cocoon the vulnerable, save the economy?
COVID-19 Notes

WSJ: Western governments aiming to relax restrictions on movement are turning to unprecedented surveillance to track people infected with the new coronavirus and identify those with whom they have been in contact.

Governments in China, Singapore, Israel and South Korea that are already using such data credit the practice with helping slow the spread of the virus. The U.S. and European nations, which have often been more protective of citizens’ data than those countries, are now looking at a similar approach, using apps and cellphone data.

“I think that everything is gravitating towards proximity tracking,” said Chris Boos, a member of Pan-European Privacy-Preserving Proximity Tracing, a project that is working to create a shared system that could take uploads from apps in different countries. “If somebody gets sick, we know who could be infected, and instead of quarantining millions, we’re quarantining 10.” ...

Some European countries are going further, creating programs to help track individuals—with their permission—who have been exposed and must be quarantined. The Czech Republic and Iceland have introduced such programs and larger countries including the U.K., Germany and Spain are studying similar efforts. Hundreds of new location-tracking apps are being developed and pitched to those governments, Mr. Boos said.

U.S. authorities are able to glean data on broad population movements from the mobile-marketing industry, which has geographic data points on hundreds of millions of U.S. mobile devices, mainly taken from apps that users have installed on their phones.

Europe’s leap to collecting personal data marks a shift for the continent, where companies face more legal restrictions on what data they may collect. Authorities say they have found workarounds that don’t violate the European Union’s General Data Protection Regulation, or GDPR, which restricts how personal information can be shared. ...

Google, Apple, Facebook, etc. are reluctant to draw attention to their already formidable geolocation capabilities. But this crisis may focus public awareness on their ability to track almost all Americans throughout the day.

WSJ: Google will help public health officials use its vast storage of data to track people’s movements amid the coronavirus pandemic, in what the company called an effort to assist in “unprecedented times.”

The initiative, announced by the company late Thursday, uses a portion of the information that the search giant has collected on users, including through Google Maps, to create reports on the degree to which locales are abiding by social-distancing measures. The “mobility reports” will be posted publicly and show, for instance, whether particular localities, states or countries are seeing more or less people flow into shops, grocery stores, pharmacies and parks. ... 
This is just a hint at what Google is capable of. Check out Google Timeline! Of course, users have to opt in to create their Google Timeline. But it should be immediately obvious that Google already HAS the information necessary to populate a detailed geolocation history of every individual...




Added from the comments:
There are really two separate issues here:

1. What is the basic epidemiology of CV19? i.e., R0, CFR, age distribution of vulnerability, comorbidities, mechanism of spread, utility of masks, etc.

2. What is the cost benefit analysis for various strategies (e.g., lockdown vs permissive sweep with cocooning)?

While we have not reached full convergence on #1 I think reasonable people agree that the "mainstream" consensus has a decent chance of being correct: e.g., CFR ~ 1% or so, possibility of wide sweep in any population, overload of ICUs means much higher CFR, warmer weather might not save the day, etc. Once this scenario for #1 has, say, >50% chance of being right you are forced to at least take it seriously and then you are on to #2. (It is not required to believe that the scenario above is true at 95% or 99% confidence level...)

#2 is a question of trade-offs and two reasonable people can easily disagree until the end of time... I've already posted very simple CBA that show the answer can go either way depending on how you "price" QALYs, what you think long term effects on economy are from lockdown -- i.e., how fragile you think financial, supply chain, psychological systems are in various places; is it a ~$trillion cost, or could it go nonlinear?

Re: Physicists (and addressing gmachine comment below which has a lot of truth in it), we have no trouble understanding modeling done by other people (whether in finance, climate, or epidemiology), and we are also trained to deal with very uncertain data / statistical situations. We can "take apart" the model in our head to see where the dependencies are and how the uncertainties propagate through the model. I am amazed often to meet people who built a very complex model (e.g., thousands of lines of code, lots of input parameters), but they lack the chops to develop good intuition for how their model works, to make qualitative estimates for uncertainty quantification, etc. I have seen this in economics, finance, biology, and climate contexts many times. "There are levels to this thing..." Understanding the model can be more g-loaded than building it!

Finally, we are trained to think from first principles -- which assumptions are crucial to reach the conclusions, which are not? What are the key uncertainties in the analysis? Do we really need very specific assumptions about, e.g., social interaction rates as in the Imperial models? Or can I do a quick Fermi estimate which gets me a more robust answer at the cost of a factor of 2 uncertainty that does not really affect the main conclusion -- e.g., will ICU overload happen?

Enrico Fermi at the Trinity test: "I tried to estimate its strength by dropping from about six feet small pieces of paper before, during, and after the passage of the blast wave. Since, at the time, there was no wind I could observe very distinctly and actually measure the displacement of the pieces of paper that were in the process of falling while the blast was passing. The shift was about 2 1/2 meters, which, at the time, I estimated to correspond to the blast that would be produced by ten thousand tons of T.N.T." The actual yield was about 20 kt. Sometimes a smart guy can get to within a factor of two, and with much greater clarity, than a huge team of modelers...

Sunday, March 08, 2020

COVID-19 Notes



First some basic assumptions, for which I think the evidence is strong (reference):
1. R0 ~ (2-3) or higher in a permissive environment -- no strong efforts at social distancing, quarantine, etc.

2. Fatality rate: roughly 1 percent of cases, heavily concentrated in older individuals and/or those with pre-existing conditions. Note this assumes a well-functioning health system and resources for the 5% or so of cases that need intensive care. See below.

3. In situations like #1 above, doubling time could be as short as a few days. Number of infections in Italy grew by ~1000x over the month of February -- i.e., 2^10 or 2+ doublings per week!

USA has perhaps ~1M total hospital beds, over half already occupied, and perhaps 50k ICU spaces. For those infected, the distribution of severity is roughly (again, concentration in vulnerable sub-populations):

80 percent mild case
15 percent serious (may require hospitalization)
5 percent ICU

So roughly 1M infected at a given time would overwhelm US health capabilities. We probably have at least ~1000 infected in the country at the moment, so in the absence of serious measures like social distancing (cancellation of sporting events, large meetings, moving to K12 and college distance learning, etc.), we would reach the health system breaking point in about a month. Many other countries, in Europe and elsewhere, are facing a similar situation.

Whether we impose draconian social measures (which would have a strongly negative effect on cafes, restaurants, hotels, airlines, theaters, etc.) or let COVID-19 infect millions of people, we are in for at least a one quarter downturn (recession?) with the possibility of more significant nonlinear events (complete market collapse, systemic failures). Traders already understand this, which is why equities are in huge decline despite a 50 bp Fed rate cut last week. I went largely to cash already...

We have technology that could help us fight the epidemic. The article below, in the Journal of the American Medical Association, describes how Taiwan successfully handled the epidemic -- less than 50 cases! -- despite close proximity and extensive travel to China. (Note, Taiwan in Jan-Feb is a bit warmer than Milan, but I don't think climate is the entire reason for their good performance...) Google and Apple have these technical (geolocation, tracking) capabilities, but they don't like to emphasize it to the public.
Response to COVID-19 in Taiwan: Big Data Analytics, New Technology, and Proactive Testing

JAMA. Published online March 3, 2020. doi:10.1001/jama.2020.3151

Taiwan is 81 miles off the coast of mainland China and was expected to have the second highest number of cases of coronavirus disease 2019 (COVID-19) due to its proximity to and number of flights between China.1 The country has 23 million citizens of which 850 000 reside in and 404 000 work in China.2,3 In 2019, 2.71 million visitors from the mainland traveled to Taiwan.4 As such, Taiwan has been on constant alert and ready to act on epidemics arising from China ever since the severe acute respiratory syndrome (SARS) epidemic in 2003. Given the continual spread of COVID-19 around the world, understanding the action items that were implemented quickly in Taiwan and assessing the effectiveness of these actions in preventing a large-scale epidemic may be instructive for other countries.

COVID-19 occurred just before the Lunar New Year during which time millions of Chinese and Taiwanese were expected to travel for the holidays. Taiwan quickly mobilized and instituted specific approaches for case identification, containment, and resource allocation to protect the public health. Taiwan leveraged its national health insurance database and integrated it with its immigration and customs database to begin the creation of big data for analytics; it generated real-time alerts during a clinical visit based on travel history and clinical symptoms to aid case identification. It also used new technology, including QR code scanning and online reporting of travel history and health symptoms to classify travelers’ infectious risks based on flight origin and travel history in the past 14 days. Persons with low risk (no travel to level 3 alert areas) were sent a health declaration border pass via SMS (short message service) messaging to their phones for faster immigration clearance; those with higher risk (recent travel to level 3 alert areas) were quarantined at home and tracked through their mobile phone to ensure that they remained at home during the incubation period.
Google + Apple + cell carriers have the data to detect near collisions (proximity) between COVID-19 spreaders (once diagnosed) and other individuals. This can be done anonymously: i.e., public health services get a warning that a spreader visited nursing home X on timestamp T without naming the spreader. Another alternative (see WSJ video below) is to have an OPT-IN app that checks location history and warns if you were in close proximity to a spreader. The PRC government version of this app has been used by 200M+ Chinese already -- note it's OPT-IN. The companies above have the data to do this but don't like it to be known that they can.
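
The opt-in check described above can run entirely on the phone, so that only the diagnosed cases' coarse cells are ever published. The sketch below is an added example, not code from this post or from any vendor or government app; the grid size, time-bucket length, function names and sample coordinates are all assumptions.

```python
"""Added example: opt-in, on-device exposure check against an anonymous list.

Assumptions (not from the post): grid size, bucket length, all sample data.
"""
import math

CELL_DEG = 0.0005   # assumed grid: roughly 55 m of latitude per cell
BUCKET_S = 600      # assumed 10-minute time buckets


def to_cell(lat, lon, ts):
    """Quantise one location fix to (grid x, grid y, time bucket)."""
    return (math.floor(lat / CELL_DEG),
            math.floor(lon / CELL_DEG),
            int(ts // BUCKET_S))


def publish(case_histories):
    """Health-authority side: merge all diagnosed cases into one unordered set.

    No device or person identifier is kept, and merging cases means no single
    trail is published as a unit. Caveat: cells are low-entropy, so hashing
    them would not hide them, and a sparse trail can still be re-linked by
    continuity in space and time.
    """
    return frozenset(to_cell(*fix)
                     for history in case_histories
                     for fix in history)


def neighbourhood(cell):
    """The cell itself plus adjacent grid cells and adjacent time buckets,
    so a near miss across a cell or bucket boundary still matches."""
    x, y, t = cell
    return {(x + dx, y + dy, t + dt)
            for dx in (-1, 0, 1)
            for dy in (-1, 0, 1)
            for dt in (-1, 0, 1)}


def check_exposure(own_history, published):
    """Phone side: runs locally, so the user's own history is never uploaded.

    Returns the timestamps of the user's own fixes that fall next to a
    published cell.
    """
    return [ts for lat, lon, ts in own_history
            if neighbourhood(to_cell(lat, lon, ts)) & published]


# Constructed sample data (epoch seconds and coordinates are made up).
T0 = 1_583_600_000
CASE_A = [(47.62052, -122.34931, T0), (47.62052, -122.34931, T0 + 600)]
CASE_B = [(47.60600, -122.33200, T0 + 3600)]
OWN = [
    (47.62102, -122.34931, T0 + 300),    # one cell away, same time: match
    (47.62102, -122.34931, T0 + 7200),   # same place, two hours later: no match
    (47.70000, -122.30000, T0),          # same time, far away: no match
]

if __name__ == "__main__":
    published = publish([CASE_A, CASE_B])
    print("published cells:", len(published))
    print("own fixes flagged:", check_exposure(OWN, published))
```

The published set still reveals which places diagnosed people visited, so cell size and bucket length are the privacy knobs: coarser values leak less and produce more false warnings.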




Note Added: Latest results from the beginnings of broader testing in Seattle suggest that the virus is widespread in the community already. The number of cases detected is primarily limited by number of tests:
Nature: “We are past the point of containment,” says Helen Chu, an infectious-disease specialist at the University of Washington School of Medicine (UW Medicine) in Seattle. “So now we need to keep the people who are vulnerable from getting sick.”
I checked the weather records for Seattle in February 2020: daily highs in the mid-40s to mid-50s. There is very little chance that wintry areas of the US will be warmer than this over the next 30 days, even with an early spring. So I don't see that US spread in those regions can be mitigated by anything less than social distancing and other strong measures. Weather will probably not save us.

Front line tweets from Italian doctors describe medical resources pushed to the breaking point. I hope we do not experience this in the US, but I don't see how we will avoid it: [1] [2]

Some interesting information about transmission (surfaces, air in confined spaces) at the beginning; Italian overload at 17m; S. Korean data at 19m.

Saturday, December 21, 2019

Twilight Struggles in a Wilderness of Mirrors: Admiral Mike Rogers, the NSA, and Obama-era Political Spying


I believe that if the full story is told about Obama-era political spying, Admiral Mike Rogers (former head of NSA) will emerge as a hero. Sources say Rogers has been cooperating with the ongoing Durham investigation. Look for significant developments in the case as we approach the 2020 election...

Below is a Rogers timeline covering illegal spying using NSA data. This illegal use of data is a matter of record -- undisputed, but also largely unreported. The FISC (FISA court) report on this illegal use of data appeared in April 2017; the author is Rosemary Collyer, the head FISA judge. The report was originally classified Top Secret but was later declassified and released with redactions. Collyer uses the phrase "institutional lack of candor" when referring to behavior of federal agencies in their dealings with FISC over this issue.

Just this week, Collyer ordered the FBI to report on its abuse of FISA in surveillance of the Trump campaign, as documented in the Horowitz DOJ IG report.

More background on the earlier abuses here:
The court learned in October 2016 that analysts ... were conducting prohibited database searches “with much greater frequency than had previously been disclosed to the court.” The forbidden queries were searches of Upstream Data using US-person identifiers. The report makes clear that as of early 2017 NSA Inspector General did not even have a good handle on all the ways that improper queries could be made to the system.
Timeline:
November 2015-April 2016 – The FBI and DOJ’s National Security Division (NSD) use private contractors to access raw FISA information using “To” and “From” FISA-702(16) & “About” FISA-702(17) queries.

February 2016 NYT reports: Obama Administration Set to Expand Sharing of Data That N.S.A. Intercepts "The new system would permit analysts at other intelligence agencies to obtain direct access to raw information from the N.S.A.’s surveillance to evaluate for themselves."

March 2016 – NSA Director Rogers becomes aware of improper access to raw FISA data.

April 2016 – Rogers orders the NSA compliance officer to run a full audit on 702 NSA compliance.

April 18 2016 – Rogers shuts down FBI/NSD contractor access to the FISA Search System.

Mid-October 2016 – DNI Clapper submits a recommendation to the White House that Director Rogers be removed from the NSA.

October 20 2016 – Rogers is briefed by the NSA compliance officer on the Section 702 NSA compliance audit and “About” query violations.

October 21 2016 – Rogers shuts down all “About Query” activity. Rogers reports the activity to DOJ and prepares to go before the FISA Court.

October 21 2016 – DOJ & FBI seek and receive a Title I FISA probable cause order authorizing electronic surveillance on Carter Page from the FISC. At this point, the FISA Court is unaware of the Section 702 violations.

October 24 2016 – Rogers verbally informs the FISA Court of Section 702(17) violations.

October 26 2016 – Rogers formally informs the FISA Court of 702(17) violations in writing.

November 17 2016 (morning) – Rogers travels to meet President-Elect Trump and his Transition Team in Trump Tower. Rogers does not inform DNI James Clapper.

November 17 2016 (evening) – Trump Transition Team announces they are moving all transition activity to Trump National Golf Club in New Jersey.
Parts of the timeline are from this 2018 article, which contains much more background. However, note that the events listed above are almost entirely a matter of public record now.

The 2017 FISC report does not reveal the exact nature of the abuses of NSA surveillance data, only that the abuses occurred, and in large volume. However, Rogers' behavior suggests very strongly that some of the abuses involved spying on political opposition.

Key issues:
Who were the FBI/DOJ contractors making the illegal queries? (Fusion GPS? Opposition research firms?)

Note that Upstream Data includes intercepts from the internet backbone -- essentially ALL of our communications pass through such channels and are potentially stored at NSA data centers.

Did FBI seek the Carter Page FISA warrant because earlier (illegal) access to NSA data was interrupted by Rogers?

What did Rogers reveal to the Trump transition team that caused them to move operations from Trump Tower to a golf course in New Jersey?

FBI had access not just to ongoing communications, but stored past communications (within "two hops") of Carter Page and other Trump campaign staff. They must have known very early on (it is suggested, by early 2017) that there was no Russian collusion. So what was the purpose of the Mueller investigation?
I believe Durham's investigation will be able to address many of these questions, although results may be classified and not shared with the public.

More fun facts: (Note I've always thought NSA the most competent and least political among CIA, FBI, NSA.)
James Clapper was the architect of the Russia Report – Assessing Russian Activities and Intentions in Recent U.S. Elections. It was used to push the entire Russia Narrative...

The report was technically created by a joint effort between the CIA (former Director John Brennan), FBI (former Director James Comey) and the NSA (current Director Mike Rogers) – and assembled by the DNI (former Director James Clapper).

The joint report contains one significant caveat:

CIA and FBI have high confidence in this judgment; NSA has only moderate confidence.

Rogers stated in Senate hearing testimony that his confidence did not reach even this threshold: "I wouldn’t call it a discrepancy, I’d call it an honest difference of opinion between three different organizations and in the end I made that call.…It didn’t have the same level of sourcing and the same level of multiple sources."

Wednesday, March 13, 2019

Othram: the future of DNA forensics


I've blogged frequently about the impact of the genomic revolution on embryo selection in IVF and precision health (complex disease risk prediction).

DNA forensics -- the use of DNA for identification of criminals, victims, military remains, etc. -- will also be transformed by inexpensive genotyping and powerful informatics.

The existing FBI standard (CODIS) for DNA identification uses only 20 markers (STRs -- previously only 13 loci were used!). By contrast, genome-wide sequencing can reliably call millions of genetic variants. For the first time, the cost curves for these two methods have crossed: modern sequencing costs no more than extracting CODIS markers using the now ~30 year old technology.

What can you do with millions of genetic markers?

1. Determine relatedness of two individuals with high precision. This allows detectives to immediately identify a relative (ranging from distant cousin to sibling or parent) of the source of the DNA sample, simply by scanning through large DNA databases. In many cases this narrows the pool of suspects to ~100 or fewer individuals. With only 20 CODIS markers this is not possible. Some notorious cold cases have already been solved using this method, with more examples every few weeks.

2. Phenotype and Ancestry reports: in addition to ethnicity, we can now predict cosmetic traits such as hair color, eye color, skin tone (i.e., light to dark), baldness, height, BMI, and bodyfat percentage. (The last two are the least accurate, although outliers are still identifiable.) Again, not remotely possible using CODIS markers.

I'm a co-founder of Othram, a startup providing 1&2 above to law enforcement, the military, and other customers.

Recently I visited Othram's brand new 4000 square foot lab which will be entirely dedicated to forensic applications of advanced sequencing and genomic prediction. The lab has specialized air handling and sample processing infrastructure, and will soon be home to an Illumina NovaSeq. The guy at bottom is CEO David Mittelman.





On the legal status of large DNA databases, such as those of 23andMe and Ancestry: these firms have genotyped 5M and 10M individuals, respectively, with both numbers set to double in the next year. Their datasets are large enough to, e.g., immediately return a first- or second-cousin match for most searches on DNA from someone of primarily European heritage. Using such resources the majority of crimes with DNA evidence become easy to solve. The Genomic Panopticon is nearly a reality.

Both 23andMe and Ancestry have, on grounds of customer privacy, resisted law enforcement requests to search for matches to forensic DNA. However, one of their smaller competitors, FamilyTreeDNA, revealed that it is routinely collaborating with FBI. I do not believe that 23andMe or Ancestry can resist a court order if vigorously pursued. The situation is similar to that of ISPs and web email providers in the early days of the internet. They also resisted cooperation with law enforcement on privacy grounds, but in the end had to capitulate. All such firms today have compliance departments that process law enforcement queries on a routine basis. I would be very surprised if 23andMe and Ancestry don't end up with a similar accommodation, despite their current posture.

Saturday, November 24, 2018

Spygate in 20 minutes



Bongino (former federal agent and TV/podcast personality) gives a very clear and entertaining overview of Spygate: the illegal use of government surveillance powers against an opposition political candidate (Donald Trump). I agree with Bongino that this is the biggest political scandal in the modern era, orders of magnitude beyond Watergate. But because the story is complicated and has been largely covered up (as much as possible) by the media, few people understand what actually happened. You can get the gist of it in 20 minutes from the video. (Real content starts @6min or so.)

As Bongino states, the factual claims in his talk can all be sourced from reporting by "mainstream" news outlets such as CNN, NYTimes, WSJ, or from government documents such as the declassified (2017) FISC report on abuses of surveillance powers. But you will not find them all in one place as you do in the video (or on my blog).

See Deep State Update (May 2018):
It's been clear for well over a year now that the Obama DOJ-FBI-CIA used massive surveillance powers (FISA warrant, and before that, national security letters and illegal contractor access to intelligence data) against the Trump campaign. In addition to SIGINT (signals intelligence, such as email or phone intercepts), we now know that HUMINT (spies, informants) was also used.

Until recently one could still be called a conspiracy theorist by the clueless for stating the facts in the paragraph above. But a few days ago the NYTimes and WaPo finally gave up (in an effort to shape the narrative in advance of DOJ Inspector General report(s) and other document releases that are imminent) and admitted that all of these things actually happened. The justification advanced by the lying press is that this was all motivated by fear of Russian interference -- there was no partisan political motivation for the Obama administration to investigate the opposition party during a presidential election.

If the Times and Post were dead wrong a year ago, what makes you think they are correct now?

Monday, September 03, 2018

PanOpticon in my Pocket: 0.35GB/month of surveillance, no charge!

Your location is monitored roughly every 10 minutes, if not more often, thanks to your phone. There are multiple methods: GPS or wifi connections or cell-tower pings, or even Bluetooth. This data is stored forever and is available to certain people for analysis. Technically the data is anonymous, but it is easy to connect your geolocation data to your real world identity -- the data shows where you sleep at night (home address) and work during the day. It can be cross-referenced with cookies placed on your browser by ad networks, so your online activities (purchases, web browsing, social media) can be linked to your spatial-temporal movements.
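
A data steward can measure this risk before releasing "anonymous" location data by counting how many pseudonymous IDs share the same (night-time cell, workday cell) pair. The audit below is an added example, not code from this post or from any data provider; the hour windows, grid sizes, function names and sample pings are assumptions.

```python
"""Added example: k-anonymity audit of pseudonymous location pings.

Assumptions (not from the post): night = 00:00-05:59, work = weekdays
09:00-16:59, timestamps already in the device's local time, all sample data.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta


def home_work_pairs(pings, cell_deg):
    """Map each pseudonym to its most frequent (night cell, workday cell)."""
    night, workday = defaultdict(Counter), defaultdict(Counter)
    for pid, ts, lat, lon in pings:
        cell = (round(lat / cell_deg), round(lon / cell_deg))
        if ts.hour < 6:
            night[pid][cell] += 1
        elif ts.weekday() < 5 and 9 <= ts.hour < 17:
            workday[pid][cell] += 1
    # Pseudonyms lacking either kind of ping cannot be scored and are skipped.
    return {pid: (night[pid].most_common(1)[0][0],
                  workday[pid].most_common(1)[0][0])
            for pid in night if pid in workday}


def k_anonymity(pings, cell_deg):
    """For each pseudonym, how many pseudonyms share its home/work pair."""
    pairs = home_work_pairs(pings, cell_deg)
    group_size = Counter(pairs.values())
    return {pid: group_size[pair] for pid, pair in pairs.items()}


def unique_ids(pings, cell_deg):
    """Pseudonyms with k == 1: the home/work pair alone singles them out."""
    return sorted(pid for pid, k in k_anonymity(pings, cell_deg).items() if k == 1)


def sample_pings():
    """Constructed data: three devices, one working week, one stray ping each."""
    places = {
        "dev-a": ((40.7001, -74.0001), (40.7501, -73.9901)),
        "dev-b": ((40.7012, -74.0013), (40.7512, -73.9912)),  # near dev-a
        "dev-c": ((40.9000, -73.8000), (40.7501, -73.9901)),  # same office as dev-a
    }
    monday = datetime(2018, 9, 3)
    pings = []
    for pid, (home, work) in places.items():
        for d in range(5):
            day = monday + timedelta(days=d)
            pings.append((pid, day.replace(hour=2), *home))
            pings.append((pid, day.replace(hour=11), *work))
        # One-off lunch stop: outvoted by the five office pings.
        pings.append((pid, monday.replace(hour=12), 40.7600, -73.9800))
    return pings


if __name__ == "__main__":
    data = sample_pings()
    for deg in (0.001, 0.05):   # roughly 100 m and 5 km cells
        print(deg, k_anonymity(data, deg), "unique:", unique_ids(data, deg))
```

On the constructed data every pseudonym is unique at the fine grid, and coarsening to the larger cell merges only the two neighbouring devices, which is why spatial coarsening alone rarely makes such a release safe.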

Some quantities which can be easily calculated using this data: How many people visited a specific Toyota dealership last month? How many times did someone test drive a car? Who were those people who test drove a car? How many people stopped / started a typical 9-5 job commute pattern? (BLS only dreams of knowing this number.) What was the occupancy of a specific hotel or rental property last month? How many people were on the 1:30 PM flight from LAX to Laguardia last Friday? Who were they? ...

Of course, absolute numbers may be noisy, but diffs from month to month or year to year, with reasonable normalization / averaging, can yield insights at the micro, macro, and individual firm level.

If your quant team is not looking at this data, it should be ;-)

Google Data Collection
Professor Douglas C. Schmidt, Vanderbilt University
August 15, 2018

... Both Android and Chrome send data to Google even in the absence of any user interaction. Our experiments show that a dormant, stationary Android phone (with Chrome active in the background) communicated location information to Google 340 times during a 24-hour period, or at an average of 14 data communications per hour. In fact, location information constituted 35% of all the data samples sent to Google. In contrast, a similar experiment showed that on an iOS Apple device with Safari (where neither Android nor Chrome were used), Google could not collect any appreciable data (location or otherwise) in the absence of a user interaction with the device.

e. After a user starts interacting with an Android phone (e.g. moves around, visits webpages, uses apps), passive communications to Google server domains increase significantly, even in cases where the user did not use any prominent Google applications (i.e. no Google Search, no YouTube, no Gmail, and no Google Maps). This increase is driven largely by data activity from Google’s publisher and advertiser products (e.g. Google Analytics, DoubleClick, AdWords)11. Such data constituted 46% of all requests to Google servers from the Android phone. Google collected location at a 1.4x higher rate compared to the stationary phone experiment with no user interaction. Magnitude wise, Google’s servers communicated 11.6 MB of data per day (or 0.35 GB/month) with the Android device. This experiment suggests that even if a user does not interact with any key Google applications, Google is still able to collect considerable information through its advertiser and publisher products.

f. While using an iOS device, if a user decides to forgo the use of any Google product (i.e. no Android, no Chrome, no Google applications), and visits only non-Google webpages, the number of times data is communicated to Google servers still remains surprisingly high. This communication is driven purely by advertiser/publisher services. The number of times such Google services are called from an iOS device is similar to an Android device. In this experiment, the total magnitude of data communicated to Google servers from an iOS device is found to be approximately half of that from the Android device.

g. Advertising identifiers (which are purportedly “user anonymous” and collect activity data on apps and 3rd-party webpage visits) can get connected with a user’s Google identity. This happens via passing of device-level identification information to Google servers by an Android device. Likewise, the DoubleClick cookie ID (which tracks a user’s activity on the 3rd-party webpages) is another purportedly “user anonymous” identifier that Google can connect to a user’s Google Account if a user accesses a Google application in the same browser in which a 3rd-party webpage was previously accessed. Overall, our findings indicate that Google has the ability to connect the anonymous data collected through passive means with the personal information of the user.

Monday, June 26, 2017

Face Recognition applied at scale in China



The Chinese government is not the only entity that has access to millions of faces + identifying information. So do Google, Facebook, Instagram, and anyone who has scraped information from similar social networks (e.g., US security services, hackers, etc.).

In light of such ML capabilities it seems clear that anti-ship ballistic missiles can easily target a carrier during the final maneuver phase of descent, using optical or infrared sensors (let alone radar).
Terminal targeting of a moving aircraft carrier by an ASBM like the DF21D

Simple estimates: 10 min flight time means ~10km uncertainty in final position of a carrier (assume speed of 20-30 mph) initially located by satellite. Missile course correction at distance ~10km from target allows ~10s (assuming Mach 5-10 velocity) of maneuver, and requires only a modest angular correction. At this distance a 100m sized target has angular size ~0.01 so should be readily detectable from an optical image. (Carriers are visible to the naked eye from space!) Final targeting at distance ~km can use a combination of optical / IR / radar that makes countermeasures difficult.

So hitting a moving aircraft carrier does not seem especially challenging with modern technology.

Tuesday, April 04, 2017

Susan Rice and U.S. person information "derived solely from raw SIGINT"

I hope this scandal will focus additional attention on massive bulk collection and preservation of private communications of US citizens by NSA.

Media discussion continues to focus on "unmasking" = dissemination of identities of US individuals. However, I have yet to see discussion of whether someone like Rice could order specific database searches (e.g., by NSA, of preserved records) on a specific individual to acquire intercepts such as voice transcripts, emails, etc. It doesn't seem to become an unmasking until that information is distributed in the form of an intelligence report (or, is such a request automatically an unmasking?). The search results alone constitute an invasion of individual privacy. It is unclear to me who has access to such results, and under what conditions the searches can be requested. There are well known instances of NSA employees abusing these powers: see LOVEINT. Could the White House order something similar without a record trail? (See excerpt added below.)
Bloomberg: Susan Rice Sought Names in Trump Intel, Says Eli Lake

Former national security adviser Susan Rice made multiple requests for the identities of people connected to the transition team of Donald Trump contained in raw intelligence reports, according to U.S. officials familiar with the matter. Bloomberg View columnist Eli Lake has the details.
From Nunes, Trump, Obama and Who Watches the Watchers?, this is the legal standard that the Susan Rice unmaskings will be judged by:
Section VI: ... An IC element may disseminate U.S. person information "derived solely from raw SIGINT" under these procedures ... if ... the information is “necessary to understand the foreign intelligence or counterintelligence information,”
Richard Haass notes that this kind of activity on the part of Susan Rice and NSC staff is only justifiable under "extraordinary circumstances"!



Added (from comments):
The Observer: ... In addition, Rice didn’t like to play by the rules, including the top-secret ones. On multiple occasions, she asked the NSA to do things they regarded as unethical and perhaps illegal. When she was turned down — the NSA fears breaking laws for any White House, since they know they will be left holding the bag in the end — Rice kept pushing.

As a longtime NSA official who experienced Rice’s wrath more than once told me, “We tried to tell her to pound sand on some things, but it wasn’t allowed—we were always overruled.” On multiple occasions, Rice got top Agency leadership to approve things which NSA personnel on the front end of the spy business refused. This means there may be something Congress and the FBI need to investigate here.

...

John Schindler is a security expert and former National Security Agency analyst and counterintelligence officer. A specialist in espionage and terrorism, he’s also been a Navy officer and a War College professor. He’s published four books and is on Twitter at @20committee.

Thursday, March 23, 2017

Nunes, Trump, Obama and Who Watches the Watchers?



I've made this separate entry from the update to my earlier discussion FISA, EO 12333, Bulk Collection, and All That. I believe the Nunes revelations from yesterday support my contention that the Trump team intercepts are largely "incidental" collections (e.g., bulk collections using tapped fiber, etc.) under 12333, and the existence of many (leaked) intel reports featuring these intercepts is likely a consequence of Obama's relaxation of the rules governing access to this bulk data. At least, the large number of possible leakers helps hide the identities of the actual leakers!

EO12333 + Obama OKs unprecedented sharing of this info as he leaves office = recent leaks? Note the use of the term "incidentally" and the wide dissemination (thanks to Obama policy change as he left office).
WSJ: ... “I recently confirmed that on numerous occasions the intelligence community incidentally collected information about U.S. citizens involved in the Trump transition,” Mr. Nunes said, reading a brief statement to reporters on Capitol Hill on Wednesday afternoon. “Details about U.S. persons associated with the incoming administration—details with little or no apparent foreign intelligence value—were widely disseminated in intelligence community reporting.”

... Mr. Nunes added that it was “possible” the president himself had some of his communication intercepted, and has asked the Federal Bureau of Investigation, National Security Agency and other intelligence agencies for more information.
The change put in place as Obama left office is probably behind the large number of circulating reports that feature "incidentally" captured communications of the Trump team. The NYTimes article below is from February.
NYTimes: ... Until now, National Security Agency analysts have filtered the surveillance information for the rest of the government. They search and evaluate the information and pass only the portions of phone calls or email that they decide is pertinent on to colleagues at the Central Intelligence Agency, the Federal Bureau of Investigation and other agencies. And before doing so, the N.S.A. takes steps to mask the names and any irrelevant information about innocent Americans.

[ So FBI is only getting access to this data for the first time. It is interesting that Nunes said that NSA would comply with his request for more information but that FBI has not complied. It seems possible that FBI does not yet have good internal controls over how its agents use these new privileges. ]

The new system would permit analysts at other intelligence agencies to obtain direct access to raw information from the N.S.A.’s surveillance to evaluate for themselves. If they pull out phone calls or email to use for their own agency’s work, they would apply the privacy protections masking innocent Americans’ information — a process known as “minimization” — at that stage, Mr. Litt said.

... FISA covers a narrow band of surveillance: the collection of domestic or international communications from a wire on American soil, leaving most of what the N.S.A. does uncovered. In the absence of statutory regulation, the agency’s other surveillance programs are governed by rules the White House sets under a Reagan-era directive called Executive Order 12333.

... [it is unclear what] rules say about searching the raw data using names or keywords intended to bring up Americans’ phone calls or email that the security agency gathered “incidentally” under the 12333 surveillance programs ...
It appears that the number of individuals allowed to search bulk, incidentally collected data has been enlarged significantly. Who watches these watchers? (There must now be many thousands...)
Sophos: Obama administration signs off on wider data-sharing for NSA ... Patrick Toomey, a lawyer for the American Civil Liberties Union (ACLU), put it in an interview with the New York Times, 17 intelligence agencies are now going to be “rooting… through Americans’ emails with family members, friends and colleagues, all without ever obtaining a warrant”.

The new rules mean that the FBI, the CIA, the DEA, and intelligence agencies of the US military’s branches and more, will be able to search through raw signals intelligence (SIGINT): intercepted signals that include all manner of people’s communications, be it via satellite transmissions, phone calls and emails that cross network switches abroad, as well as messages between people abroad that cross domestic network switches.
Added: Quick and dirty summary of new rules governing access to raw SIGINT. Note, lots of room for abuse in what I quote below:
Section III: ... NSA may make raw SIGINT available through its own systems, through a shared IC or other government capability (like a cloud environment), or by transferring the information to the IC element's information systems.

Section V: ... Communications solely between U.S. persons “inadvertently retrieved during the selection of foreign communications” will be destroyed except if they contain significant foreign intelligence or counterintelligence as determined by the IC element.

Section VI: ... An IC element may disseminate U.S. person information "derived solely from raw SIGINT" under these procedures ... if ... the information is “necessary to understand the foreign intelligence or counterintelligence information,”
Here are the entities who now have access (thanks Obama!) to raw SIGINT, and seem to have the discretionary power to "unmask" US citizens appearing in the data.
IC elements are defined under 3.5(h) of E.O. 12333 as: (1) The Office of the Director of National Intelligence; (2) The Central Intelligence Agency; (3) The National Security Agency; (4) The Defense Intelligence Agency; (5) The National Geospatial-Intelligence Agency; (6) The National Reconnaissance Office; (7) The other offices within the Department of Defense for the collection of specialized national foreign intelligence through reconnaissance programs; (8) The intelligence and counterintelligence elements of the Army, the Navy, the Air Force, and the Marine Corps; (9) The intelligence elements of the Federal Bureau of Investigation; (10) The Office of National Security Intelligence of the Drug Enforcement Administration; (11) The Office of Intelligence and Counterintelligence of the Department of Energy; (12) The Bureau of Intelligence and Research of the Department of State; (13) The Office of Intelligence and Analysis of the Department of the Treasury; (14) The Office of Intelligence and Analysis of the Department of Homeland Security; (15) The intelligence and counterintelligence elements of the Coast Guard; and (16) Such other elements of any department or agency as may be designated by the President, or designated jointly by the Director and the head of the department or agency concerned, as an element of the Intelligence Community.

Tuesday, March 21, 2017

FISA, EO 12333, Bulk Collection, and All That


Some basic questions for the experts:

1. To what extent does EO12333 allow surveillance of US individuals without FISA warrant?

2. To what extent are US voice conversations recorded via bulk collection (and preserved for, e.g., 5 or more years)? The email answer is clear ... But now automated voice recognition and transcription make storage of voice conversations much more scalable.

3. To what extent do Five Eyes intel collaborators have direct access to preserved data?

4. Are "experts" and media pundits and Senators even asking the right questions on this topic? For example, can stored bulk-collected voice data from a US individual be accessed by NSA without FISA approval by invoking 12333? How can one prevent a search query on stored data from producing results of this type?

See, e.g., Overseas Surveillance in an Interconnected World (Brennan Center for Justice at NYU School of Law), ACLU.org, and Executive Order 12333 (epic.org):
EPIC has tracked the government's reliance on EO 12333, particularly the reliance on Section 1:12(b)(13), which authorizes the NSA to provide "such administrative and technical support activities within and outside the United States as are necessary to perform the functions described in sections (1) through (12) above, including procurement." This provision appears to have opened the door for the NSA's broad and unwarranted surveillance of U.S. and foreign citizens.

Executive Order 12333 was signed by President Ronald Reagan on December 4, 1981. It established broad new surveillance authorities for the intelligence community, outside the scope of public law. EO 12333 has been amended three times. It was amended by EO 13284 on January 23, 2003 and was then amended by EO 13555 on August 27, 2004. EO 13555 was subtitled "Strengthened Management of the Intelligence Community" and reflected the fact that the Director of National Intelligence (DNI) now existed as the head of the intelligence community, rather than the CIA which had previously served as the titular head of the IC. EO 13555 partially supplemented and superseded EO 12333. On July 30, 2008, President George W. Bush signed EO 13470, which further supplemented and superseded EO 12333 to strengthen the role of the Director of National Intelligence.

Since the Snowden revelations there has been a great deal of discussion regarding the activities of the IC community, but relatively little attention has been paid to EO 12333. EO 12333 often serves as an alternate basis of authority for surveillance activities, above and beyond Section 215 and 702. As Bruce Schneier has emphasized, "Be careful when someone from the intelligence community uses the caveat "not under this program," or "not under this authority"; almost certainly it means that whatever it is they're denying is done under some other program or authority. So when [NSA General Counsel Raj] De said that companies knew about NSA collection under Section 702, it doesn't mean they knew about the other collection programs." Senator Dianne Feinstein (D-CA), Chair of the Senate Intelligence Committee, has said in August 2013 that, "The committee does not receive the same number of official reports on other NSA surveillance activities directed abroad that are conducted pursuant to legal authorities outside of FISA (specifically Executive Order 12333), but I intend to add to the committee's focus on those activities." In July 2014, a former Obama State Department official, John Napier Tye, wrote an Op-Ed in the Washington Post calling for greater scrutiny of EO 12333. Tye noted that "based in part on classified facts that I am prohibited by law from publishing, I believe that Americans should be even more concerned about the collection and storage of their communications under Executive Order 12333 than under Section 215."
Tye in the WaPo:
... [EO 12333] authorizes collection of the content of communications, not just metadata, even for U.S. persons. Such persons cannot be individually targeted under 12333 without a court order. However, if the contents of a U.S. person’s communications are “incidentally” collected (an NSA term of art) in the course of a lawful overseas foreign intelligence investigation, then Section 2.3(c) of the executive order explicitly authorizes their retention. It does not require that the affected U.S. persons be suspected of wrongdoing and places no limits on the volume of communications by U.S. persons that may be collected and retained.

[ E.g., NSA could "incidentally" retain the email of a US individual which happens to be mirrored in Google or Yahoo data centers outside the US, as part of bulk collection for an ongoing (never ending) foreign intelligence or anti-terrorism investigation... ]

“Incidental” collection may sound insignificant, but it is a legal loophole that can be stretched very wide. Remember that the NSA is building a data center in Utah five times the size of the U.S. Capitol building, with its own power plant that will reportedly burn $40 million a year in electricity.
See also Mining your data at NSA (source of image at top).

UPDATE: EO12333 + Obama OKs unprecedented sharing of this info as he leaves office = recent leaks? Note the use of the term "incidentally" and the wide dissemination (thanks to Obama policy change as he left office).
WSJ: ... “I recently confirmed that on numerous occasions the intelligence community incidentally collected information about U.S. citizens involved in the Trump transition,” Mr. Nunes said, reading a brief statement to reporters on Capitol Hill on Wednesday afternoon. “Details about U.S. persons associated with the incoming administration—details with little or no apparent foreign intelligence value—were widely disseminated in intelligence community reporting.”

... Mr. Nunes added that it was “possible” the president himself had some of his communication intercepted, and has asked the Federal Bureau of Investigation, National Security Agency and other intelligence agencies for more information.




The change put in place as Obama left office is probably behind the large number of circulating reports that feature "incidentally" captured communications of the Trump team. The NYTimes article below is from February.
NYTimes: ... Until now, National Security Agency analysts have filtered the surveillance information for the rest of the government. They search and evaluate the information and pass only the portions of phone calls or email that they decide is pertinent on to colleagues at the Central Intelligence Agency, the Federal Bureau of Investigation and other agencies. And before doing so, the N.S.A. takes steps to mask the names and any irrelevant information about innocent Americans.

The new system would permit analysts at other intelligence agencies to obtain direct access to raw information from the N.S.A.’s surveillance to evaluate for themselves. If they pull out phone calls or email to use for their own agency’s work, they would apply the privacy protections masking innocent Americans’ information — a process known as “minimization” — at that stage, Mr. Litt said.

... FISA covers a narrow band of surveillance: the collection of domestic or international communications from a wire on American soil, leaving most of what the N.S.A. does uncovered. In the absence of statutory regulation, the agency’s other surveillance programs are governed by rules the White House sets under a Reagan-era directive called Executive Order 12333.

... [it is unclear what] rules say about searching the raw data using names or keywords intended to bring up Americans’ phone calls or email that the security agency gathered “incidentally” under the 12333 surveillance programs ...
It appears that the number of individuals allowed to search bulk, incidentally collected data has been enlarged significantly. Who watches these watchers? (There must now be many thousands...)
Sophos: ... Patrick Toomey, a lawyer for the American Civil Liberties Union (ACLU), put it in an interview with the New York Times, 17 intelligence agencies are now going to be “rooting… through Americans’ emails with family members, friends and colleagues, all without ever obtaining a warrant”.

The new rules mean that the FBI, the CIA, the DEA, and intelligence agencies of the US military’s branches and more, will be able to search through raw signals intelligence (SIGINT): intercepted signals that include all manner of people’s communications, be it via satellite transmissions, phone calls and emails that cross network switches abroad, as well as messages between people abroad that cross domestic network switches.

Sunday, November 23, 2014

Citizenfour and Sisu



NYBooks: ... In an interview about Citizenfour with the New Yorker reporter Jane Mayer, Snowden has said that his action seemed to him necessary because the American officials charged with the relevant oversight had abdicated their responsibility. He meant that President Obama, Attorney General Eric Holder, and the intelligence committees in the House of Representatives and the Senate had utterly failed to guard against extraordinary abuses of the public trust under the pretext of national security. Nor had they undertaken the proper work of setting limits to government spying on Americans consistent with the spirit of the First Amendment and the letter of the Fourth Amendment.

...Snowden is often called a “fanatic” or a “zealot,” a “techie” or a “geek,” by persons who want to cut him down to size. Usually these people have not listened to him beyond snippets lasting a few seconds on network news. But the chance to listen has been there for many months, in two short videos by Poitras on the website of The Guardian, and more recently in a full-length interview by the NBC anchorman Brian Williams. The temper and penetration of mind that one can discern in these interviews scarcely matches the description of fanatic or zealot, techie or geek.

An incidental strength of Citizenfour is that it will make such casual slanders harder to repeat. Nevertheless, they are likely to be repeated or anyway muttered in semiprivate by otherwise judicious persons who want to go on with their business head-down and not be bothered. It must be added that our past politics give no help in arriving at an apt description of Snowden and his action. The reason is that the world in which he worked is new. Perhaps one should think of him as a conscientious objector to the war on privacy — a respectful dissident who, having observed the repressive treatment endured by William Binney, Thomas Drake, and other recent whistle-blowers, does not recognize the constitutional right of the government to put him in prison indefinitely and bring him to trial for treason. ...

What seems most remarkable in that hotel room in Hong Kong is Snowden’s freedom from anxiety. He is fearful, yes ... He knows that he is at risk of being subjected to “rendition” or worse. But there is no theatrical exaggeration here, and no trace of self-absorption. He has made his commitment and that is that. ...

... [Snowden] realizes that if he keeps his identity a secret, the government will rally all its powers and those of the media to convert the treacherous and hidden leaker into the subject of the story. His intuition is that the best way to counter such a distraction will be to make the story personal right away, but to render the personal element dry and matter-of-fact. He will do this in the most unobtrusive and ordinary manner. He will simply admit that he is the person and spell out the few relevant facts about his life and work.

The undeclared subject of Citizenfour is integrity—the insistence by an individual that his life and the principle he lives by should be all of a piece.
Sisu is a Finnish term loosely translated into English as strength of will, determination, perseverance, and acting rationally in the face of adversity. However, the word is widely considered to lack a proper translation into any other language. Sisu contains a long-term element; it is not momentary courage, but the ability to sustain an action against the odds. Deciding on a course of action and then sticking to that decision against repeated failures is sisu. It is similar to equanimity, except the forbearance of sisu has a grimmer quality of stress management than the latter.

Pessimism of the Intellect, Optimism of the Will.

Sunday, January 27, 2013

Big data from a big eye in the sky

From NOVA Rise of the Drones.

ARGUS ("Wide Area Persistent Stare"): 1.8 Gigapixels, built using off-the-shelf components: 368 cellphone cameras, 5 MP each. Can surveil 15 square miles simultaneously from 17,000 ft, with 6-inch resolution of objects on the ground. Generates 1E6 terabytes of data per day. This system has been available for a couple of years already.



Thursday, August 11, 2011

A problem for data scientists

If flash mobs or riots (like the ones in London) are organized using Twitter, Facebook, BlackBerry and SMS, won't it be very easy to catch the people responsible? Not only are the organizers / initiators easy to track down, but with geolocation (GPS or cell tower) and a court order it would be easy to determine whether any particular individual had participated. Perhaps current privacy laws prevent that data from being stored, but we can easily modify the laws if necessary.

Where are those law enforcement data scientists when you need them? :-)

Saturday, October 10, 2009

Spooks drowning in data

Almost every technical endeavor, from finance to high energy physics to biology to internet security to spycraft, is either already or soon to be drowning in Big Data. This is an inevitable consequence of exponential Moore's Laws in bandwidth, processing power, and storage, combined with improved "sensing" capability. The challenge is extracting meaning from all that data.

My impression is that the limiting factor at the moment is the human brainpower necessary to understand the idiosyncrasies of the particular problem, and, simultaneously, develop the appropriate algorithms. There are simply not enough people around who are good at this; it's not just a matter of algorithms, you need insight into the specific situation. Of equal importance is that the (usually non-technical) decision makers who have to act on the data need to have some rough grasp of the strengths and limitations of the methods, so as not to have to treat the results as coming from a black box.

To give you my little example of big data, on my desk (in Oakland, not in Eugene) I have stacks of terabyte drives with copies of essentially every Windows executable (program that runs on a flavor of Windows) that has appeared on the web in the past few years (about 5 percent of this is malware; also stored in our data is what each executable does once it's installed). Gathering this data was only modestly hard; analyzing it in a meaningful way is a lot harder!

NY Review of Books: On a remote edge of Utah's dry and arid high desert, where temperatures often zoom past 100 degrees, hard-hatted construction workers with top-secret clearances are preparing to build what may become America's equivalent of Jorge Luis Borges's "Library of Babel," a place where the collection of information is both infinite and at the same time monstrous, where the entire world's knowledge is stored, but not a single word is understood. At a million square feet, the mammoth $2 billion structure will be one-third larger than the US Capitol and will use the same amount of energy as every house in Salt Lake City combined.

Unlike Borges's "labyrinth of letters," this library expects few visitors. It's being built by the ultra-secret National Security Agency—which is primarily responsible for "signals intelligence," the collection and analysis of various forms of communication—to house trillions of phone calls, e-mail messages, and data trails: Web searches, parking receipts, bookstore visits, and other digital "pocket litter." Lacking adequate space and power at its city-sized Fort Meade, Maryland, headquarters, the NSA is also completing work on another data archive, this one in San Antonio, Texas, which will be nearly the size of the Alamodome.

Just how much information will be stored in these windowless cybertemples? A clue comes from a recent report prepared by the MITRE Corporation, a Pentagon think tank. "As the sensors associated with the various surveillance missions improve," says the report, referring to a variety of technical collection methods, "the data volumes are increasing with a projection that sensor data volume could potentially increase to the level of Yottabytes (10^24 Bytes) by 2015."[1] Roughly equal to about a septillion (1,000,000,000,000,000,000,000,000) pages of text, numbers beyond Yottabytes haven't yet been named. Once vacuumed up and stored in these near-infinite "libraries," the data are then analyzed by powerful infoweapons, supercomputers running complex algorithmic programs, to determine who among us may be—or may one day become—a terrorist. In the NSA's world of automated surveillance on steroids, every bit has a history and every keystroke tells a story.

... Where does all this leave us? Aid concludes that the biggest problem facing the agency is not the fact that it's drowning in untranslated, indecipherable, and mostly unusable data, problems that the troubled new modernization plan, Turbulence, is supposed to eventually fix. "These problems may, in fact, be the tip of the iceberg," he writes. Instead, what the agency needs most, Aid says, is more power. But the type of power to which he is referring is the kind that comes from electrical substations, not statutes. "As strange as it may sound," he writes, "one of the most urgent problems facing NSA is a severe shortage of electrical power." With supercomputers measured by the acre and estimated $70 million annual electricity bills for its headquarters, the agency has begun browning out, which is the reason for locating its new data centers in Utah and Texas. And as it pleads for more money to construct newer and bigger power generators, Aid notes, Congress is balking.

The issue is critical because at the NSA, electrical power is political power. In its top-secret world, the coin of the realm is the kilowatt. More electrical power ensures bigger data centers. Bigger data centers, in turn, generate a need for more access to phone calls and e-mail and, conversely, less privacy. The more data that comes in, the more reports flow out. And the more reports that flow out, the more political power for the agency.

Rather than give the NSA more money for more power—electrical and political—some have instead suggested just pulling the plug. "NSA can point to things they have obtained that have been useful," Aid quotes former senior State Department official Herbert Levin, a longtime customer of the agency, "but whether they're worth the billions that are spent, is a genuine question in my mind."

Based on the NSA's history of often being on the wrong end of a surprise and a tendency to mistakenly get the country into, rather than out of, wars, it seems to have a rather disastrous cost-benefit ratio. Were it a corporation, it would likely have gone belly-up years ago. The September 11 attacks are a case in point. For more than a year and a half the NSA was eavesdropping on two of the lead hijackers, knowing they had been sent by bin Laden, while they were in the US preparing for the attacks. The terrorists even chose as their command center a motel in Laurel, Maryland, almost within eyesight of the director's office. Yet the agency never once sought an easy-to-obtain FISA warrant to pinpoint their locations, or even informed the CIA or FBI of their presence.

But pulling the plug, or even allowing the lights to dim, seems unlikely given President Obama's hawkish policies in Afghanistan. However, if the war there turns out to be the train wreck many predict, then Obama may decide to take a much closer look at the spy world's most lavish spender. It is a prospect that has some in the Library of Babel very nervous. "It was a great ride while it lasted," said one.

Saturday, July 26, 2008

Skype backdoor

I knew it was too good to be true! As a for-profit company, Skype/EBay eventually had to cave in to spook pressure and allow for eavesdropping. In fact, the back door might have been in from the beginning.

Heise online: According to reports, there may be a back door built into Skype, which allows connections to be bugged. The company has declined to expressly deny the allegations. At a meeting with representatives of ISPs and the Austrian regulator on lawful interception of IP based services held on 25th June, high-ranking officials at the Austrian interior ministry revealed that it is not a problem for them to listen in on Skype conversations.

This has been confirmed to heise online by a number of the parties present at the meeting. Skype declined to give a detailed response to specific enquiries from heise online as to whether Skype contains a back door and whether specific clients allowing access to a system or a specific key for decrypting data streams exist. The response from the eBay subsidiary's press spokesman was brief, "Skype does not comment on media speculation. Skype has no further comment at this time." There have been rumours of the existence of a special listening device which Skype is reported to offer for sale to interested states.

Here's what I wrote back in 2005:

...I just learned that Skype connections are encrypted using 256 bit AES, negotiated using 1024 bit RSA. This level of encryption is essentially unbreakable with current computing power. The Feds (with the possible exception of the NSA, and they would have to work very hard to break even a single session) have no chance of eavesdropping on any Skype conversation.

It is true that Skype is closed-source, so it isn't easy to verify that the crypto implementation doesn't have any holes or backdoors. However, given the number of users and the negative consequences for the company of any privacy issues, I suspect that it works as advertised.

Well, although you are probably safe from your neighbors or local network admin, the Feds apparently don't have any problems listening in on your Skype calls.

Monday, March 10, 2008

Mining your data at NSA



Let me get this straight. Because there are a lot of Arab-Americans in Detroit, a routine search by an NSA employee could dredge up some communication or transaction of mine with an entity in Detroit, even if it has no connection to a suspected terrorist? Whatever happened to my privacy rights?

Oh, I forgot, they went away thanks to the never ending "war" on terror, which is, apparently, more of a threat to our way of life than facing down a technologically advanced nuclear adversary with thousands of warheads and delivery systems. I had more legal protections of my privacy during the cold war than I do now. See earlier comments here, here and here.

Posted in 2005: ...You might argue that Al Qaeda is more dangerous than the USSR and eastern bloc, with their hundreds of ICBMs and thousands of nuclear warheads, but you'd be crazy. Let me offer the following analogy. While walking home you are confronted by a man with a loaded shotgun. By staring him down and pointing out that you yourself are armed, you avoid having your head blown off. Continuing on your way home, a small dog bites your ankle. Is the dog really a greater threat, just because it bit you, than the guy with the shotgun? If not, why should we allow Bush to unilaterally claim greater security powers than Reagan or Carter had? (Indeed, contravening the existing FISA law of 1978.)

The fact that the NSA has the capability to, e.g., pull up my past internet searches and email traffic, means that the telcos are turning over gigantic amounts of data on each of us to NSA for storage and indexing. The article below states that they don't generally have access to the content of email messages. However, this does not imply that they don't store the content (the text part of the message is a trivial amount of data, not much larger on average than the header information), just that they need a higher level of (FISA?) approval before looking more deeply at the communications. So, if you ever need to recover some lost email that you sent, you could always check with the NSA as a last resort!

WSJ: ...According to current and former intelligence officials, the spy agency now monitors huge volumes of records of domestic emails and Internet searches as well as bank transfers, credit-card transactions, travel and telephone records. The NSA receives this so-called "transactional" data from other agencies or private companies, and its sophisticated software programs analyze the various transactions for suspicious patterns. Then they spit out leads to be explored by counterterrorism programs across the U.S. government, such as the NSA's own Terrorist Surveillance Program, formed to intercept phone calls and emails between the U.S. and overseas without a judge's approval when a link to al Qaeda is suspected.

The NSA's enterprise involves a cluster of powerful intelligence-gathering programs, all of which sparked civil-liberties complaints when they came to light. They include a Federal Bureau of Investigation program to track telecommunications data once known as Carnivore, now called the Digital Collection System, and a U.S. arrangement with the world's main international banking clearinghouse to track money movements.

The effort also ties into data from an ad-hoc collection of so-called "black programs" whose existence is undisclosed, the current and former officials say. Many of the programs in various agencies began years before the 9/11 attacks but have since been given greater reach. Among them, current and former intelligence officials say, is a longstanding Treasury Department program to collect individual financial data including wire transfers and credit-card transactions.

It isn't clear how many of the different kinds of data are combined and analyzed together in one database by the NSA. An intelligence official said the agency's work links to about a dozen antiterror programs in all.

...the systems then can track all domestic and foreign transactions of people associated with that item -- and then the people who associated with them, and so on, casting a gradually wider net. An intelligence official described more of a rapid-response effect: If a person suspected of terrorist connections is believed to be in a U.S. city -- for instance, Detroit, a community with a high concentration of Muslim Americans -- the government's spy systems may be directed to collect and analyze all electronic communications into and out of the city.

The haul can include records of phone calls, email headers and destinations, data on financial transactions and records of Internet browsing. The system also would collect information about other people, including those in the U.S., who communicated with people in Detroit.

The information doesn't generally include the contents of conversations or emails. But it can give such transactional information as a cellphone's location, whom a person is calling, and what Web sites he or she is visiting. For an email, the data haul can include the identities of the sender and recipient and the subject line, but not the content of the message.
