A privacy compliance review of the Department of Homeland Security's cybersecurity systems has led to some stunning revelations about the framework that US is currently using which Congress plans on integrating with the private companies under new cybersecurity legislation.
Perhaps the most alarming information in the privacy compliance report is that the Einstein program, which is touted as Federal government's premier system for network intrusion detection and cyber threat prevention, is being used to intercept computer traffic that crosses federal government networks which is being forwarded to Israel and India.
While there are supposedly strict protocols in place for assuring the privacy of individuals in regard to data collected and shared among US agencies there are absolutely no such safeguards or oversight in place to monitor the information that is being forwarded overseas to India and Israel.
In what can only be described as doublespeak, the compliance report finds that cybersecurity system is complaint with privacy and sharing requirement only to later reveal that that program is complaint because there are no guidelines in place that must be complied to when the data is shared with external governments.
Sharing the data collected from the cybersecurity system requires agencies and organizations that are receiving the data to execute an agreement to follow guidelines on how personally identified information and data is to be shared as well as the retention rates of the data.
However, the compliance report that these agreements with Israel and India put no restrictions or guidelines on sharing information including information that could personally identify individuals or limits on data retention.
For those who dismiss my analysis see the Wired report below which confirms my analysis while reporting on a different angle of this story with details coming directly from a NSA whistleblower who reveals the juicy details of the operation.
As you read the following quoted section from the privacy compliance report, keep in mind that the claim that EINSTEIN program only reports on specific cyberthreats is an absolute lie. By reading the rest of the compliance report, the Privacy Impact Assessment, and the additional documents about the DHS cybersecurity program that are linked to below you get a complete picture of the operations being performed by the program which for starters intercepts and logs all traffic cross federal networks. At level 2 the program collects and logs IP and other internet traffic headers. At level 3, which is the level being ran for this compliance report, it collects additional data from upper level protocols such as email and web traffic headers. Furthermore the program interacts with all local, state, and federal databases, including NCIC, National Archives Database, and data amassed into NSA, FBI and CIA databases. The program also interacts with international shipping records, customs logs, bills of landing, international visitors records, DMV records, family court orders , and border crossing data, warrant databases and many other government databases. In addition to these records raw intelligence reports are included.
The reports also reveal that the DHS has redefined the meaning of several words to get around laws set up by congress to restrict their cybersecurity activities. For starters the the definition of a database - which requires a warrant to data mine - has been redefined so that any information available online including phone records, social network data, and other databases connected accessible by the the internet are no longer considered databases. In even further bypassing the laws, they have redefined a the meaning of a query that requires a warrant to only include search which look up individual records by using a key that points to specific data. That means that by instead of story data in a database table that uses pointers to individual records, raw data dumps - as collected by Einstein - can be mined without the need for a warrant.
Using the vast system which connects to all government databases DHS then uses specialized computer algorithms and highly advanced machine learning learning techniques to run templates to generate special reports to perform tasks such as automatically placing people on terror watch lists and no fly lists based on predictive probabilities that some one is a high risk of being a specific actor. The DHS even brags in their reports that they have been able to identify high-risk individual who have never committed a crime or ever even had a single interaction with law enforcement.
(Translated summary: DHS cyber security uses the most advanced artificial intelligence algorithms and tap into every monitor ever single digital communication, surveillance and database asset to implement an Orwellian big brother surveillance state and identifies individuals whose behaviors and characteristic reveal they are committing through crimes)
From the privacy compliance report:
Internal and External Sharing and DisclosureWired reports on another aspect based on whistle blower information.
Requirements from the EINSTEIN 2 PIA and the Initiative 3 Exercise PIA: NPPD/NCSD only shares information in the form of reports regarding specific cyber threats. These reports are shared internally within DHS in furtherance of the DHS cybersecurity mission. The reports are designed to minimize any PII found and only report on specific cyber threats.
External sharing through reports requires an executed Memorandum of Agreement (MOA) between NPPD/NCSD and the agency or other organization before any information can be shared.
Review: The DHS Privacy Office interviewed NPPD/NCSD officials and reviewed SOPs to identify internal and external sharing practices. The DHS Privacy Office also reviewed several MOAs in place between NPPD/NCSD and external agencies which included two international sharing agreements (Israel and India).
Finding: The DHS Privacy Office found NPPD/NCSD to be compliant with internal sharing and external sharing requirements. Internal sharing consists of reports sent by NPPD/NCSD to DHS components. NPPD/NCSD has information handling SOPs in place that direct this sharing and ensure compliance. External sharing involves US-CERT providing reports to U.S. federal government agencies regarding possible threats to their systems. Federal agencies in return report possible cyber threats to their network to NPPD/NCSD to ensure broad knowledge of the threat is available. Before the reports are shared, an MOA is completed which outlines what information the reports contain regarding the cyber threats and the limits on sharing. The MOAs the DHS Privacy Office reviewed contain guidance on how to work with NCSD and outline of the specific roles of DHS and the partner agency.
During the Exercise, external sharing was limited to within the federal government but currently, US-CERT collaborates with foreign governments through the use of EINSTEIN 2 technology. US-CERT analysts share reports with international partners but the DHS Privacy Office found no SOPs outlining what information to share and what to withhold. The DHS Privacy Office requested any relevant information sharing agreements, and was provided with two MOAs (Israel and India). The DHS Privacy Office reviewed these agreements and found no restrictions or guidelines on sharing information like PII. External sharing internationally was not directly mentioned in the PIAs and US-CERT was unaware of the DHS Privacy Office's concerns.
Recommendations: Moving forward, the DHS Privacy Office recommends that US-CERT require a provision describing what PII is to be shared in the reports and retention rates in MOAs with all foreign partners. This should be done in consultation with the DHS Privacy Office and the DHS Office of International Affairs. Additionally, the DHS Privacy Office recommends that these reports be reviewed annually by the NPPD Privacy Office to ensure compliance and SOPs should be circulated to the US-CERT analysts so they are aware what information should and should not be shared with international partners.
Source: Privacy Compliance Review of the EINSTEIN Program, January 3, 2012 (PDF, 9 pages - 112 KB)
Shady Companies With Ties to Israel Wiretap the U.S. for the NSAFor more information:
Despite the post-9/11 warrantless wiretapping of Americans, the NSA says that citizens should trust it not to abuse its growing power and that it takes the Constitution and the nation's privacy laws seriously.
But one of the agency's biggest secrets is just how careless it is with that ocean of very private and very personal communications, much of it to and from Americans. Increasingly, obscure and questionable contractors - not government employees - install the taps, run the agency's eavesdropping infrastructure, and do the listening and analysis.
And with some of the key companies building the U.S.'s surveillance infrastructure for the digital age employing unstable employees, crooked executives, and having troubling ties to foreign intelligence services, it's not clear that Americans should trust the secretive agency, even if its current agency chief claims he doesn't approve of extrajudicial spying on Americans. His predecessor, General Michael V. Hayden, made similar claims while secretly conducting the warrantless wiretapping program.
Until now, the actual mechanics of how the agency constructed its highly secret U.S. eavesdropping net, code-named Stellar Wind, has never been revealed. But in the weeks following 9/11, as the agency and the White House agreed to secretly ignore U.S. privacy laws and bypass the Foreign Intelligence Surveillance Court, J. Kirk Wiebe noticed something odd. A senior analyst, he was serving as chief of staff for the agency's Signals Intelligence Automation Research Center (SARC), a sort of skunkworks within the agency where bureaucratic rules were broken, red tape was cut, and innovation was expected.
"He was the one who organized it," said Bill Binney of Gunn. A former founder and co-director of SARC, Binney was the agency official responsible for automating much of the NSA's worldwide monitoring networks. Troubled by the unconstitutional nature of tapping into the vast domestic communications system without a warrant, he decided to quit the agency in late 2001 after nearly forty years.
"They needed to have somebody who knew how the code works to set it up," he said. "And then it was just a matter of feeding in the attributes [U.S. phone numbers, e-mail addresses and personal data] and any of the content you want." Those "attributes" came from secret rooms established in large telecom switches around the country. "I think there's 10 to 20 of them," Binney says.
Despite that drama, Jacobson and his people appeared to have serious misgivings about the NSA's program once they discovered its true nature, according to Binney. "They came and said, 'Do you realize what these people are doing?'" he said. "'They're feeding us other [U.S.] stuff in there.' I mean they knew it was unconstitutional right away." Binney added that once the job was finished, the NSA turned to still another contractor to run the tapping operation. "They made it pretty well known, so after they got it up and running they [the NSA] brought in the SAIC people to run it after that." Jacobsen was then shifted to other work at the NSA, where he and his company are still employed.
In addition to constructing the Stellar Wind center, and then running the operation, secretive contractors with questionable histories and little oversight were also used to do the actual bugging of the entire U.S. telecommunications network.
According to a former Verizon employee briefed on the program, Verint, owned by Comverse Technology, taps the communication lines at Verizon, which I first reported in my book The Shadow Factory in 2008. Verint did not return a call seeking comment, while Verizon said it does not comment on such matters.
At AT&T the wiretapping rooms are powered by software and hardware from Narus, now owned by Boeing, a discovery made by AT&T whistleblower Mark Klein in 2004. Narus did not return a call seeking comment.
What is especially troubling is that both companies have had extensive ties to Israel, as well as links to that country's intelligence service, a country with a long and aggressive history of spying on the U.S.
In fact, according to Binney, the advanced analytical and data mining software the NSA had developed for both its worldwide and international eavesdropping operations was secretly passed to Israel by a mid-level employee, apparently with close connections to the country. The employee, a technical director in the Operations Directorate, "who was a very strong supporter of Israel," said Binney, "gave, unbeknownst to us, he gave the software that we had, doing these fast rates, to the Israelis."
Because of his position, it was something Binney should have been alerted to, but wasn't.
"In addition to being the technical director," he said, "I was the chair of the TAP, it's the Technical Advisory Panel, the foreign relations council. We're supposed to know what all these foreign countries, technically what they're doing.... They didn't do this that way, it was under the table." After discovering the secret transfer of the technology, Binney argued that the agency simply pass it to them officially, and in that way get something in return, such as access to communications terminals. "So we gave it to them for switches," he said. "For access."
But Binney now suspects that Israeli intelligence in turn passed the technology on to Israeli companies who operate in countries around the world, including the U.S. In return, the companies could act as extensions of Israeli intelligence and pass critical military, economic and diplomatic information back to them. "And then five years later, four or five years later, you see a Narus device," he said. "I think there's a connection there, we don't know for sure."
Narus was formed in Israel in November 1997 by six Israelis with much of its money coming from Walden Israel, an Israeli venture capital company. Its founder and former chairman, Ori Cohen, once told Israel's Fortune Magazine that his partners have done technology work for Israeli intelligence. And among the five founders was Stanislav Khirman, a husky, bearded Russian who had previously worked for Elta Systems, Inc. A division of Israel Aerospace Industries, Ltd., Elta specializes in developing advanced eavesdropping systems for Israeli defense and intelligence organizations. At Narus, Khirman became the chief technology officer.
A few years ago, Narus boasted that it is "known for its ability to capture and collect data from the largest networks around the world." The company says its equipment is capable of "providing unparalleled monitoring and intercept capabilities to service providers and government organizations around the world" and that "Anything that comes through [an Internet protocol network], we can record. We can reconstruct all of their e-mails, along with attachments, see what Web pages they clicked on, we can reconstruct their [Voice over Internet Protocol] calls."
Like Narus, Verint was founded by in Israel by Israelis, including Jacob "Kobi" Alexander, a former Israeli intelligence officer. Some 800 employees work for Verint, including 350 who are based in Israel, primarily working in research and development and operations, according to the Jerusalem Post. Among its products is STAR-GATE, which according to the company's sales literature, lets "service providers ... access communications on virtually any type of network, retain communication data for as long as required, and query and deliver content and data ..." and was "[d]esigned to manage vast numbers of targets, concurrent sessions, call data records, and communications."
In a rare and candid admission to Forbes, Retired Brig. Gen. Hanan Gefen, a former commander of the highly secret Unit 8200, Israel's NSA, noted his former organization's influence on Comverse, which owns Verint, as well as other Israeli companies that dominate the U.S. eavesdropping and surveillance market. "Take NICE, Comverse and Check Point for example, three of the largest high-tech companies, which were all directly influenced by 8200 technology," said Gefen. "Check Point was founded by Unit alumni. Comverse's main product, the Logger, is based on the Unit's technology."
DHS Data Mining Reports
The Data Mining Report, which is provided to Congress each year, describes DHS programs, both operational and in development, that involve data mining as defined by the Federal Agency Data Mining Reporting Act of 2007.
- 2011 Data Mining Report (PDF, 37 pages - 1.61 MB).
- 2010 Data Mining Report (PDF, 35 pages - 517 KB).
- 2009 Data Mining Report (PDF, 34 pages - 378 KB).
- 2008 Data Mining Report (PDF, 47 pages - 467 KB).
- 2008 Data Mining Letter Report (PDF, 46 pages - 441 KB).
- 2007 Data Mining Report (PDF, 42 pages - 446 KB).
- 2006 Data Mining Report July 6, 2006 (PDF, 36 pages - 340 KB).
The Privacy Office works closely with the Office of Cybersecurity & Communications (CS&C), and, within CS&C, the National Cybersecurity Division and the United States Computer Emergency Readiness Team (US-CERT ), to integrate privacy protections into the Department's cybersecurity activities. The following resources provide background on these efforts:
EINSTEIN Program-Related Privacy Impact Assessments
- Privacy Compliance Review of the EINSTEIN Program, January 3, 2012 (PDF, 9 pages - 112 KB). The DHS National Protection and Programs Directorate (NPPD) National Cyber Security Division (NCSD) launched the EINSTEIN program in 2004 as a computer network intrusion detection system to help protect federal executive agency information technology enterprises. NCSD conducted PIAs for each phase of the EINSTEIN program, which the DHS Privacy Office reviewed and approved. As NCSD looks ahead toward the next phase of the program to EINSTEIN 3, the DHS Privacy Office determined that conducting a PCR would be timely to ensure the accuracy of compliance documentation and transparency of the EINSTEIN program moving forward. The DHS Privacy Office found NPPD/NCSD generally compliant with the requirements outlined in the EINSTEIN 2 PIA and Initiative 3 Exercise PIA. Specifically, NPPD/NCSD is fully compliant on collection of information, use of information, internal sharing and external sharing with federal agencies, and accountability requirements. PRIV identified actions taken to address retention and training requirements as outlined in the relevant EINSTEIN PIAs, but additional actions by the program are needed to bring them into full compliance with these requirements. The DHS Privacy Office is making five recommendations to strengthen program oversight, external sharing, and bring NPPD/NCSD into full compliance with retention and training requirements. NPPD agreed with our findings and is taking steps to address our recommendations.
- National Cyber Security Division Joint Cybersecurity Services Pilot (JCSP), January 13, 2012 (PDF, 16pages - 248 KB). The Department of Homeland Security (DHS) and the Department of Defense (DoD) are jointly undertaking a proof of concept known as the Joint Cybersecurity Services Pilot (JCSP). The JCSP extends the existing operations of the Defense Industrial Base (DIB) Exploratory Cybersecurity Initiative (DIB Opt-In Pilot) and shifts the operational relationship with the CSPs in the pilot to DHS. The JCSP is part of overall efforts by DHS and DoD to enable the provision of cybersecurity capabilities enhanced by U.S. government information to protect critical infrastructure information systems and networks. The purpose of the JCSP is to enhance the cybersecurity of participating DIB critical infrastructure entities and to protect sensitive DoD information and DIB intellectual property that directly supports DoD missions or the development of DoD capabilities from unauthorized access, exfiltration, and exploitation. The National Protection and Programs Directorate (NPPD) is conducting this Privacy Impact Assessment (PIA) on behalf of DHS because some known or suspected cyber threat information shared under the JCSP may contain information that could be considered personally identifiable information (PII). Associated SORN(s): DHS/ALL-002 - Department of Homeland Security (DHS) Mailing and Other Lists System November 25, 2008, 73 FR 71659.
- US-CERT: Initiative Three Exercise. March 18, 2010 (PDF 19 pages - 457 KB) Pursuant to Initiative Three of the Comprehensive National Cybersecurity Initiative, DHS is engaging in an exercise to demonstrate a suite of technologies that could be included in the next generation of the Department's EINSTEIN network security program. This demonstration, (commonly referred to as the "Initiative Three Exercise" or, more simply, as "the Exercise") will use a modified complement of system components currently providing the EINSTEIN 1 and EINSTEIN 2 capabilities, as well as a DHS test deployment of technology developed by the National Security Agency (NSA) that includes an intrusion prevention capability (collectively referred to as "the Exercise technology"). The purpose of the Exercise is to demonstrate the ability of an existing Internet Service Provider that is a designated as a Trusted Internet Connection Access Provider (TICAP) to select and redirect Internet traffic from a single participating government agency through the Exercise technology, for US-CERT to apply intrusion detection and prevention measures to that traffic and for US-CERT to generate automated alerts about selected cyber threats. This PIA is being conducted because the Exercise will analyze Internet traffic which may contain personally identifiable information (PII).
- EINSTEIN 1 PIA Update. February 19, 2010 (PDF, 12 pages - 194 KB) DHS and the State of Michigan ("Michigan") plan to engage in a 12-month proof of concept to determine the benefits and issues presented by deploying the EINSTEIN 1 capability to Michigan government networks managed by the Michigan Department of Information Technology (MDIT). This PIA updates the previous EINSTEIN PIAs listed below in one narrow aspect: the use of EINSTEIN 1 technology in a proof of concept with Michigan.
- EINSTEIN 2 Privacy Impact Assessment. May 19, 2008 (PDF, 23 pages - 423 KB). This is the Privacy Impact Assessment (PIA) for an updated version of the EINSTEIN System. EINSTEIN is a computer network intrusion detection system (IDS) used to help protect federal executive agency information technology (IT) enterprises. EINSTEIN 2 will incorporate network intrusion detection technology capable of alerting the US-CERT to the presence of malicious or potentially harmful computer network activity in federal executive agencies' network traffic.
- EINSTEIN 1 Privacy Impact Assessment. September 2004 (PDF, 12 pages - 153 KB) This PIA examines the privacy implications of US-CERT's EINSTEIN Program. The EINSTEIN Program is an automated process for collecting, correlating, analyzing, and sharing computer security information across the federal civilian government. By collecting information from participating federal government agencies, US-CERT builds and enhances our nation's cyber-related situational awareness.
- Malware Lab Network May 4, 2010 (PDF, 13 pages - 172 KB) The goal of the Department of Homeland Security (DHS or Department) National Protection and Programs Directorate (NPPD) is to advance the risk-reduction segment of the Department's overall mission. To meet this goal, the NPPD/U.S. Computer Emergency Readiness Team (US-CERT) provides key capabilities in four cyber mission areas: 1) Alert, Warning, and Analysis; 2) Coordination and Collaboration; 3) Response and Assistance; and 4) Protection and Detection. The Malware Lab Network (MLN) contributes critical support to existing tools used by US-CERT to better meet these cyber mission areas. The MLN collects, uses, and maintains analytically relevant information in order to support the Department's cyber security mission, including the prevention and mitigation of cyber attacks, protection of information infrastructure, the assessment of cyber vulnerabilities, and response to cyber incidents. DHS is conducting this PIA to publicly analyze and evaluate the personally identifiable information (PII) within the MLN.
- 24×7 Incident Handling and Response Center, April 2, 2007 (PDF, 17 pages -265 KB) The 24×7 Incident Handling and Response Center ("24×7″) focuses on ways to gather cyber information prior to attacks and to use that information to prevent attacks, protect computing infrastructure, and respond/restore where attacks are successful. 24×7 serves as a communication hub for the United States Computer Readiness Team (US-CERT) program, issuing regular security and warning bulletins, serving as a gateway for public contribution and outreach, and also serving as a ticketing center through which tasks may be delegated out to the various US-CERT programs.
- White Paper on Computer Network Security & Privacy Protection. February 19, 2010 (PDF, 11 pages - 114 KB). Provides an overview of the Department's cybersecurity responsibilities, the role of the EINSTEIN system in implementing those responsibilities, and the integrated privacy protections.
- White House Cybersecurity Site. The White House recently launched a site dedicated to the federal government's cybersecurity efforts, www.whitehouse.gov/cybersecurity, including the declassified description of the Comprehensive National Cybersecurity Initiative.
The 2007 Passenger Name Record (PNR) Agreement between the United States and the European Union (EU) made possible the transfer of certain passenger data to Customs and Border Protection (CBP) in order to facilitate safe and efficient travel. The documents below demonstrate the progression of the Agreement since its inception and include subsequent reviews conducted by both the United States and the EU to ensure compliance with the Agreement.
- European Commission Report on the Joint Review of the U.S.-E.U. Passenger Name Record Agreement April 7, 2010 (PDF, 34 pages - 409 KB)
- Department Response to the European Commission's Report on the Joint Review of the U.S.-E.U. Passenger Name Record Agreement, March 31, 2010 (PDF, 6 pages - 199 KB)
- U.S.-EU Joint Statement, February 10, 2010
- Update to the 2008 Report Concerning Passenger Name Record Information Derived from Flights Between the U.S. and the European Union, February 2010 (PDF, 7 pages - 158 KB)
- Privacy Office Report Concerning Passenger Name Record Information Derived from Flights Between the U.S. and the European Union, December 2008 (PDF, 60 pages - 2.93 MB)
- CBP Passenger Name Record Privacy Statement for PNR Data Received in Connection with Flights Between the U.S. and the European Union (PDF, 3 pages - 142 KB).
- Answers to Frequently Asked Questions (PDF, 5 pages - 27 KB)
- 2007 PNR Agreement between the U.S. and the European Union (PDF, 7 pages - 1.7 MB)
- Letter from the Council of the European Union to the U.S. (PDF, 3 pages - 1.5 MB)
- Letter from the U.S. to the Council of the European Union (PDF, 5 pages - 4. 5 MB)
- Privacy Office Report Concerning Passenger Name Record Information Derived from Flights Between the U.S. and the European Union, September 19, 2005 (PDF, 30 pages - 306 KB)
PNR data is stored in the Automated Targeting System (ATS). CBP uses ATS to improve the collection, use, analysis, and dissemination of information that is gathered for the primary purpose of targeting, identifying, and preventing potential terrorists and terrorist weapons from entering the United States. For more background information, please consult our ATS Privacy Impact Assessments.
Other Homeland Security Privacy Reports
The following are public reports issued by the Privacy Office:
- Assessment of CBP Training Materials on Border Searches of Electronic Devices (PDF, 6 pages - 138 KB) In August 2009, Secretary Napolitano issued new directives regarding searches of electronic media at the border. In coordination with the release of the directives, the Privacy Office, Customs and Border Protection, and the Office for Civil Rights and Civil Liberties were instructed to assess the CBP training materials and course matter on the border search of electronic devices. This report presents a summary of this joint review.
- Interim Report on the EU Approach to the Commercial Collection of Personal Data for Security Purposes: The Special Case of Hotel Guest Registration Data, conducted pursuant to Section 222(b)(1)(B) of the Homeland Security Act, in order to enforce the provisions of Article 5 of the 2007 Passenger Name Records (PNR) Agreement. January 16, 2009 (PDF 43 pages - 1.19 MB)
- CCTV: Developing Best Practices, Report on the DHS Privacy Office Public Workshop, December 17 and 18, 2007 (PDF, 66 pages - 528 KB) Report summarizing the CCTV workshop panels and resources to help identify and address privacy concerns, including Best Practices for Government Use of CCTV (Appendix B); Template for Privacy Impact Assessment for the Use of CCTV by DHS Program (Appendix C); Template for Privacy Impact Assessment for the Use of CCTV by State and Local Entities (Appendix D); and Template for Civil Liberties Impact Assessments (CLIA) (Appendix E).
- ADVISE Report, (PDF, 25 pages - 411 KB) Review of the Analysis, Dissemination, Visualization, Insight and Semantic Enhancement (ADVISE) Program including recommendations.
- Secure Flight Report, December 2006 (PDF, 18 pages - 694.60 KB) DHS Privacy Office Report to the Public on the Transportation Security Administration's Secure Flight Program and Privacy Recommendations.
- MATRIX Report, December 2006 (PDF, 9 pages - 386.97KB) DHS Privacy Office Report to the Public Concerning the Multistate Anti-Terrorism Information Exchange (MATRIX) Pilot Project.
- Report Assessing the Impact of the Automatic Selectee and No Fly Lists, April 27, 2006 (PDF, 29 pages - 242 KB).
- Report to the Public on Events Surrounding jetBlue Data Transfer February 20, 2004 (PDF, 10 pages - 65 KB)