Telecommunication giant AT&T facilitated, to a larger degree than any other provider, the National Security Agency’s surveillance reach beyond domestic telephone data collection to email and Internet traffic, companion New York Times and ProPublica articles said on Saturday.
It’s probably the worst-kept secret among the revelations from the NSA documents provided by former contractor Edward Snowden. Suspicion that AT&T was enabling NSA surveillance dates back beyond a 2006 class-action lawsuit filed by the Electronic Frontier Foundation, which alleged AT&T’s collaboration with the NSA in illegal programs to wiretap and collect data from Americans’ communications, and the revelation of the existence of Room 641A at AT&T’s (SBC Communications) Folsom Street location in San Francisco.
The documents published this weekend demonstrate the coziness of the two sides’ partnership; the documents even stress that NSA agents display a cordial, friendly nature given that the agency’s relationship with AT&T was not contractual. The NSA, according to the documents, has surveillance equipment installed in at least 17 AT&T Internet hubs in the U.S., far more than in Verizon hubs, and its budget for operations involving AT&T is double that for other providers.
The Times and ProPublica said that AT&T had given the intelligence agency access to billions of emails moving across domestic networks, and also exposed a secret court order that permitted the wiretapping of Internet communications at United Nations headquarters in New York, an AT&T customer.
“These documents not only further confirm our claims in Jewel, but convincingly demolish the government’s core response—that EFF cannot prove that AT&T’s facilities were used in the mass surveillance,” said EFF Executive Director Cindy Cohn. Jewel refers to the EFF’s Jewel vs. NSA suit on behalf of AT&T customers.
“It’s long past time that the NSA and AT&T came clean with the American people,” Cohn said. “It’s also time that the public U.S. courts decide whether these modern general searches are consistent with the Fourth Amendment’s guarantee against unreasonable search and seizure.”
The documents provide a blueprint of the NSA’s relationships with AT&T and Verizon (MCI), called Fairview and Stormbrew respectively. Fairview, the Times said, dates back 30 years and is the evidence confirming AT&T as the NSA’s principal partner; AT&T is never mentioned by name in the documents. Investigators at both publications connected a number of dots linking AT&T to the NSA: specifically, a Fairview fiber optic cable damaged by the 2011 Japan earthquake was repaired on the same day as another cable operated in Japan by AT&T, and technical terms specific to AT&T were found in the Fairview documents. Also linked to Fairview was evidence of the court order permitting surveillance at the U.N., which was serviced by AT&T.
The NSA papers also spell out a timeline of post-September 11 data mining and sharing, pointing out that AT&T began sharing email and phone call metadata days after the attacks while MCI did not until the following February. Two years later, the documents indicate that AT&T was the NSA’s first partner to provide the agency with a “live presence” on the Internet and within months had forwarded 400 billion Internet metadata records—not content—to a keyword selection system operated by the agency. As of late 2003, the Stormbrew program, which cost half the $189 million of Fairview, had yet to turn on these capabilities, the Times reported.
Matthew Green, a Johns Hopkins professor and cryptographer, wrote an essay this morning on his personal website aimed at security engineers. In it he said that while some improvement has been made to encrypt data, the security industry still tolerates the existence of unencrypted protocols and services, pointing specifically to ISPs’ practice of downgrading email encryption such as stripping out STARTTLS flags.
“Even if we, by some miracle, manage to achieve 100% encryption of communications content, we still haven’t solved the whole problem,” Green wrote. “Unfortunately, today’s protocols still leak a vast amount of useful information via session metadata. And we have no good strategy on the table to defend against it.”
Insecure protocols still share in-the-clear data such as protocol type, port number and routing information, Green said, along with traffic characteristics and other related data.
“Absolutely none of this is news to security engineers. The problem is that there’s so little we can do about it,” Green said. “Anonymity networks like Tor protect the identity of endpoints in a connection, but they do so at a huge cost in additional bandwidth and latency — and they offer only limited protection in the face of a motivated global adversary. IPSec tunnels only kick the can to a different set of trusted components that themselves can be subverted.”
One of the recurring themes at the recent Black Hat conference was the eroding trust in the Internet and the need for security and privacy activists to speak up and also build reliable and secure protocols and systems that are simple to use. Influencers such as keynote speaker Jennifer Granick, a longtime defender of hackers, point out that as more emerging—and sometimes sanctioned—nations come online, Internet traffic may be increasingly routed through countries that don’t have freedom of speech and a Bill of Rights.
“If you believe that this is the future, then the answer certainly won’t involve legislation or politics. The NSA won’t protect us through cyber-retaliation or whatever plan is on the table today. If you’re concerned about the future, then the answer is to finally, truly believe our propaganda about network trust,” Green said. “We need to learn to build systems today that can survive such an environment. Failing that, we need to adjust to a very different world.”