When the media and members of Congress say the NSA spies on Americans, what they really mean is that the FBI helps the NSA do it, providing a technical and legal infrastructure that permits the NSA, which by law collects foreign intelligence, to operate on U.S. soil. It's the FBI, a domestic U.S. law enforcement agency, that collects digital information from at least nine American technology companies as part of the NSA's Prism system. It was the FBI that petitioned the Foreign Intelligence Surveillance Court to order Verizon Business Network Services, one of the United States' biggest telecom carriers for corporations, to hand over the call records of millions of its customers to the NSA.
But the FBI is no mere errand boy for the United States' biggest intelligence agency. It carries out its own signals intelligence operations and is trying to collect huge amounts of email and Internet data from U.S. companies—an operation that the NSA once conducted, was reprimanded for, and says it abandoned.
Cooperation and information-sharing between agencies sounds good and efficient, but it also opens up big loopholes and opportunities for agencies to make end-runs around any restrictions placed on them by elected officials.
Congress tells the NSA it can't do X? Let the FBI take care of it. Congress tells all federal agencies they can't spy on Y? Fine. Let the local police departments take care of it and share the information later.
That's one potential problem with the Department of Homeland Security handing out millions of dollars to cities, allowing local cops to quietly buy and maintain their own federal-grade surveillance equipment (or equipment with surveillance capabilities, depending on how you want to frame it). That's especially problematic if the local cops aren't even telling their local mayors and councils what they're up to—as Seattle has recently experienced with DHS-funded police drones, cameras, and other surprises.
Since the feds pay for the equipment, the local police are almost guaranteed to share it—internal SPD documents even list where all the information from its mesh network was planned to be routed. In the image below, towards the bottom of the list on the right, you'll see a "fusion center" as one of those recipients. (You'll also see input from "existing airborn video," which must've been the drones the SPD was later forced to shelve.)
But the important thing is the fusion center—a free information-swapping node between local, state, and federal agencies with no real restrictions on what kind of information they can share. Fusion centers are the Wild West of law-enforcement data sharing.
Even if Congress takes strong action to curb the NSA and the FBI, it's nearly impossible to imagine all city councils across the country coordinating to pass identical restrictions on the intelligence-gathering activity of the local police departments.
The result could be a national proliferation of Homeland Security-funded equipment collecting data under a weak patchwork of local restrictions, most of which would become irrelevant if all the surveillance data is being routed through the free-for-all of local fusion centers.
Whether that's part of a DHS strategy or just a happy accident, it's going to be a major challenge to any elected officials, small-time or big-time, who want to put a leash on the government agencies that specialize in spying on us.
Information sharing also provides p.r. cover to dodgy intelligence-gathering activities. Back to the Foreign Affairs story: "... having the DITU [the FBI's Data Intercept Technology Unit] act as a conduit provides a useful public relations benefit: Technology companies can claim—correctly—that they do not provide any information about their customers directly to the NSA, because they give it to the DITU, which in turn passes it to the NSA."
After Prism was disclosed in the Washington Post and the Guardian, some technology company executives claimed they knew nothing about a collection program run by the NSA. And that may have been true. The companies would likely have interacted only with officials from the DITU and others in the FBI and the Justice Department, said sources who have worked with the unit to implement surveillance orders.
Recently, the DITU has helped construct data-filtering software that the FBI wants telecom carriers and Internet service providers to install on their networks so that the government can collect large volumes of data about emails and Internet traffic.
The software, known as a port reader, makes copies of emails as they flow through a network. Then, in practically an instant, the port reader dissects them, removing only the metadata that has been approved by a court.
The FBI has built metadata collection systems before. In the late 1990s, it deployed the Carnivore system, which the DITU helped manage, to pull header information out of emails. But the FBI today is after much more than just traditional metadata — who sent a message and who received it. The FBI wants as many as 13 individual fields of information, according to the industry representative.
The DITU devised the port reader after law enforcement officials complained that they weren't getting enough information from emails and Internet traffic. The FBI has argued that under the Patriot Act, it has the authority to capture metadata and doesn't need a warrant to get them. Some federal prosecutors have gone to court to compel port reader adoption, the industry representative said. If a company failed to comply with a court order, it could be held in contempt.
The FBI's pursuit of Internet metadata bears striking similarities to the NSA's efforts to obtain the same information. After the 9/11 terrorist attacks, the agency began collecting the information under a secret order signed by President George W. Bush. Documents that were declassified Nov. 18 by Barack Obama's administration show that the agency ran afoul of the Foreign Intelligence Surveillance Court after it discovered that the NSA was collecting more metadata than the court had allowed. The NSA abandoned the Internet metadata collection program in 2011, according to administration officials.
But the FBI has been moving ahead with its own efforts, collecting more metadata than it has in the past.
The DITU also runs a bespoke surveillance service, devising or building technology capable of intercepting information when the companies can't do it themselves. In the early days of social media, when companies like LinkedIn and Facebook were starting out, the unit worked with companies on a technical solution for capturing information about a specific target without also capturing information related to other people to whom the target was connected, such as comments on posts, shared photographs, and personal data from other people's profiles, according to a technology expert who was involved in the negotiations.
The Operational Technology Division also specializes in so-called black-bag jobs to install surveillance equipment, as well as computer hacking, referred to on the website as "covert entry/search capability," which is carried out under law enforcement and intelligence warrants.
The tech experts at Quantico are the FBI's silent cybersleuths. "While [the division's] work doesn't typically make the news, the fruits of its labor are evident in the busted child pornography ring, the exposed computer hacker, the prevented bombing, the averted terrorist plot, and the prosecuted corrupt official," according to the website.
Thanks to Slog tipper Greg for the tip about the FA article.