Skip to Content

NSA quietly expanded Internet snooping powers, leaked documents show

Nat'l Security Agency Director Attends AEI Discussion On CybersecurityNat'l Security Agency Director Attends AEI Discussion On Cybersecurity

A new joint report from the New York Times and ProPublica that cites classified documents reveals that the Obama administration secretly granted the National Security Agency additional authorities to spy on the international Internet communications of Americans in order to seek out hacking attacks from abroad. The expanded powers, which aimed to help the agency seek out and squelch foreign-born cyber intrusions, had not been previously disclosed to the public.

The latest news comes from the trove of documents provided by NSA contractor-turned-leaker Edward Snowden. As this set divulges: In May 2012, the Justice Department approved the NSA to target Internet traffic bearing “certain signatures,” or activity correlating to cyber attacks. Two months later, the department allowed the agency to target communications based on IP addresses.

Those permissions boosted the agency’s collection capabilities. The NSA had already been able to use email addresses and phone numbers to conduct its surveillance activities, the pair of news outlets points out. But by mid-2012, executive branch had “started allowing the agency to search its communications streams for less-identifying Internet protocol addresses or strings of harmful computer code.”

The report also reveals that the NSA desired to sidestep the thorny problem of cyber attack attribution, which tended to impede its surveillance. An NSA newsletter dated late March 2012 describes a proposal that would allow the NSA to collect data indiscriminately at the nation’s digital borders, without requiring attribution to terrorist groups or foreign governments. Instead, the updated provision would require only “that a selector be tied to malicious cyber activity.”

The augmented authority “will fill a huge collection gap against cyber threats to the nation,” the newsletter declared, noting that its approval was one of then-NSA director General Keith B. Alexander’s “highest priorities.”

That approval didn’t exactly pan out. While the NSA did not, apparently, win the right to target communications in the absence of evidence associating them with other nations and radical organizations, it still was able to greatly broaden its collection schemes through “targeting cyber signatures,” such as IP address and strings of code, as aforementioned.

This quiet expansion of powers was not isolated to the NSA either. The Federal Bureau of Investigation benefitted, too.

As the two agencies’ relationship has grown tighter over the years, the FBI was, also starting in 2012, able to tap into the NSA’s electronic surveillance program at international communications “chokepoints operated by U.S. providers,” another document reveals. While all of the collected information would be intended to combat foreign threats, it could easily ensnare Americans. Plus, any of the collected data could then be used by prosecutors in criminal cases, the Times notes.

When the Times asked the FBI for comment, the bureau directed the paper “to its existing procedures for protecting victims’ data acquired during investigations,” says the Times. The bureau added that it has “continually reviewed its policies ‘to adapt to these changing threats while protecting civil liberties and the interests of victims of cybercrimes.’”

Still, the NSA’s methodology for selecting targets remains unclear. And, as the Times notes, through this program the NSA almost certainly would have been scooping up oodles of sensitive American data as a result, since monitoring cyber thieves necessarily involves tracking and copying the information they’re looting.

An NSA lawyer, acknowledging this point in another leaked document, had recommended separating that information out from the rest of the NSA’s data collection programs—making it “available only to those who have the mission to collect/report on these types of foreign intrusions”—since it can contain “so much” information on U.S. persons.

Knowledge of the agency’s boosted warrantless snooping privileges comes just as the ink on the USA Freedom Act—a partial replacement of the USA Patriot Act, which largely authorized the NSA’s bulk data collection program—is barely dry. As more such revelations come to light, expect the debate over Internet surveillance between national security-minded government officials and privacy advocates to continue to play out.

 

Subscribe to Data Sheet, Fortune’s daily newsletter on the business of technology.