July 12, 2014

Document shows that it was not NSA, but FBI that monitored 5 Americans

(Updated: August 18, 2016)

Three days ago, on July 9, 2014, Glenn Greenwald published an article which he earlier announced as being the grand finale of the Snowden-revelations. It would demonstrate that NSA is also spying on ordinary American citizens, something that would clearly be illegal.

The report is titled "Meet the Muslim-American Leaders the FBI and NSA Have Been Spying On" and it tells the story of Faisal Gill, Asim Ghafoor, Hooshang Amirahmadi, Agha Saeed and Nihad Awad whose e-mail addresses were found in an NSA file from the Snowden-trove. Although the article confusingly mentions both FBI and NSA, many people and media got the impression that this was the long-awaited major NSA abuse scandal.

But as we will show here, the document that was published contains no evidence of any involvement of the NSA in this particular case. Everything indicates that it was actually an FBI operation, so it seems not justified to have NSA mentioned in the article.

The FISA spreadsheet

Greenwald's report is all about a spreadsheet titled "FISA recap" - which refers to the Foreign Intelligence Surveillance Act (FISA) from 1978. This law allows electronic surveillance of Americans who are suspected of espionage or terrorism.

The spreadsheet contains 7485 e-mail addresses that were apparently monitored under FISA authority between 2002 and 2008. Unfortunately the article doesn't say whether the addresses are all from American e-mail providers or that some of them are foreign.

We do know that 202 (or 3%) of these e-mail addresses belong to a "US person", 1782 (or 24%) to a "Non-US person" and of 5501 (or 73%) addresses the nationality of the user is unknown:

Part of a spreadsheat titled "FISA recap" showing e-mail addresses monitored
between 2002 and 2008. The table seems to be ordered by expiration date
(click to enlarge)

In this sample, there are 8 e-mail addresses where the nationality is marked as "US Person" and except for one, these are all under responsibility of FBI. Of the 12 marked "Non-US Person", 4 are under responsibility of the CIA, 7 under the NSA and 1 has no responsible agency.

FBI Case Notations

Each entry in the list has a unique Case Notation starting with XX.SQF followed by six numbers. Greenwald states that such a case notation starting with XX.SQF is "assigned to all “FISA accounts” as a unique identifier" and points to a slide titled "FISA dataflow" as evidence for that:

Slide showing "FISA dataflow". It's unclear why the Case Notation format
has been partially redacted, and PALMCARTE is also not explained.
NAC presumably stands for NSA's Network Analysis Center.
(date unknown)

But in a little known NSA document (pdf) from 2006, which was published on March 11, 2014 by The New York Times, we see that XX.SQF is actually the prefix for FBI FISA data. It also says that US-984J is a SIGINT Activity Designator (SIGAD) which denotes FBI collection.

Data collected by NSA under FISA authority is identified by the SIGAD US-984*, in which the asterisk is a placeholder for additional suffixes (other than a J), like for example in US-984XN, which is the SIGAD for NSA's famous PRISM program.

So, the prefix XX.SQF isn't used for "all FISA accounts" as Greenwald wants us to believe, but just for those from the FBI. The 2006 document doesn't say what prefix is used for NSA data, but from the PRISM-presentation we know that communications collected by NSA through PRISM are identified by the trigraph SQC.

Analogue to the way the PRISM case notations are composed, a case notation from the spreadsheet, like for example XX.SQF055191 for the e-mail address of Asim Ghafoor breaks down into the following parts:
XX - This may stand for Internet Service Providers
. (dot) - Indicating multiple types of content
SQF - Fixed trigraph denoting FBI FISA collection
05 - Year the Case Notation was established: 2005
5191 - Serial number of the targeted address

The FBI as Responsible Agency

A second role of the FBI becomes clear when we look at the spreadsheet column for the "Responsible Agency". According to Greenwald's article, this column shows the federal agency that requested the monitoring of a particular e-mail address. In the sample shown above we see that this can either be FBI, NSA or CIA.

Most striking is that for the e-mail addresses of all five Muslim-American leaders, the FBI is the responsible agency that requested their surveillance. This was also recognized in Greenwald's story, and it's of course exactly how it should be, as it's officially up to the FBI to investigate American citizens and residents:

Excerpts of the FISA spreadsheet showing the entries for five Muslim-American leaders
The asterisk behind some of the mail addreses seems to
indicate that collection has been terminated
(compilation by IC Off the record - click to enlarge)

As we can see, these entries for the five Americans contain nothing that points to any kind of involvement of the NSA. Instead, both the case notation and the responsible agency indicate that it were FBI operations.

Greenwald and his co-author Murtaza Hussain were asked on Twitter whether there might be some additional evidence for the involvement of the NSA, but they haven't responded to this question.

The only relationship this list has to the NSA, is that it was among the Snowden-documents, but that can also be easily explained by the fact that for many other entries the NSA is the responsible agency. The list was most likely sent to all three agencies as a recap of which addresses were monitored on their behalf.

Given these considerations, it seems that the spreadsheet actually shows a large number of e-mail addresses that have been monitored by the FBI, and therefore their case notation starts with XX.SQF. This monitoring apparently took place partly for the FBI's own investigations and partly on behalf of NSA and CIA, to whom the FBI would have passed the communications from the e-mail addresses they requested.

According to a Foreign Policy article, the NSA is the most frequent requester of data from the FBI's interception unit DITU, for which there's a direct fiber-optic cable between Quantico and the NSA headquarters at Fort Meade.

Someone's suggestion that the case notation reflects the agency that requested the surveillance seems not plausible, because in that case there would have been a different prefix for FBI, NSA and CIA, but here the communications they requested all have the same XX.SQF-prefix.

How the FBI intercepts messages

All the cases on the list started before the FISA Amendments Act of 2008 was enacted, so it was done under the authority of the original Foreign Intelligence Surveillance Act (FISA) of 1978, which requires an individual order of the FISA Court (FISC) for every American that is considered a target. According to a top FBI lawyer, the application for every single US person consists of a 35 to 150 page packet that has to demonstrate the necessary probable cause.

After the FISC granted a warrant, the FBI probably went to the target's Internet Service Provider (ISP) in order to collect his communications. Each ISP is legally obliged to have Lawful Intercept (LI) equipment installed on their networks, in order to "perform electronic surveillance on an individual target as authorized by a judicial or administrative order", in this case the FISA Court warrant.

The equipment filters internet data packets based upon identifiers like e-mail and IP addresses, which means all kinds of communications that contain a particular e-mail address will be pulled out and forwarded to the FBI's Data Intercept Technology Unit (DITU). This method would also explain why in all case notations from the spreadsheet we see a dot, indicating that the collection resulted in multiple types of content.

Some people suggested that the government went to Yahoo and Google to get the messages from the Gmail.com and Yahoo.com e-mail domains (and retorically asked whether these companies did fight the order), but that is unlikely. For the assistance of these kind of web service providers, NSA set up the PRISM program, wich started in the fall of 2007, so only shortly before the surveillance cases mentioned in the spreadsheet expired. Yahoo joined PRISM in March 2008 and Google in January 2009.

The NSA has similar filtering equipment installed at switches of major internet backbone cables (for the so-called Upstream collection), but these are specifically used for foreign or international communications. One would expect that data collected this way, has a case notation with an NSA trigraph, but Washington Post journalist Barton Gellman writes that Upstream collection from network switches also has case notations that begin with XX.SQF, because this kind of collection is "managed by the bureau and shared with NSA". This seems to be a mistake because it is generally considered proven that Upstream interception is done by the NSA (for example: the Upstream slides don't mention the FBI, and a PRISM slide says NSA has a direct relationship with Upstream-providers).

There's a lot we don't know

In trying to clarify what the spreadsheet tells us, I assumed for the sake of readability that the FBI actually intercepted, processed and stored messages from these five Muslim-American leaders. But in his article, Glenn Greenwald suggests that even that is not known for sure:

"Given that the government’s justifications for subjecting [these five] U.S. citizens to surveillance remain classified, it is impossible to know why their emails were monitored, or the extent of the surveillance. It is also unclear under what legal authority it was conducted, whether the men were formally targeted under FISA warrants, and what, if anything, authorities found that permitted them to continue spying on the men for prolonged periods of time."

What he says is that we actually know hardly anything, except for the fact that the e-mail addresses of the men were found on the "FISA recap" list. Although the Muslim-leaders seem innocent of spying or acts related to terrorism, there's still the possibility that the FBI had good reasons to monitor them, but we just have no information about that.

In an ABC News report, anonymous former and current US government officials said that the five men could be guilty or innocent or even cooperating with the government (for example by having agreed with monitoring their communications in order to collect evidence against suspects).

According to these officials, Snowden or Greenwald may well have misunderstood the spreadsheet and made wrong interpretations. ABC further noticed that the document was also curiously absent of the regular classification markings, but that is probably because the list isn't in a .doc or a .pdf document, but in its original .xls spreadsheet file format.


Just like many other documents from the Snowden-leaks that were misrepresented, the original file disclosed in this latest Greenwald piece contains no evidence that NSA had anything to do with the monitoring of the five Muslim-American leaders. In fact, everything points to the FBI, but apart from that we know too little about these cases to say whether the Bureau acted illegally or out of paranoia. However that may be, we can't blame that on the NSA.

Update #1:
After an interview with Edward Snowden on May 5, 2015, Washington Post journalist Barton Gellman said that he himself wouldn't have published about this issue, because he saw not enough evidence for the claims that Greenwald made in his article for The Intercept.

Update #2:
On August 15, 2016, the website The Intercept published a few documents from the Snowden trove showing that the NSA used PRISM to get information about a New Zealand citizen who GCSB believed was involved in a plot against the regime on the island of Fiji, which turned out not to be the case.

Links and Sources
- TheWeek.com: What you need to know about the latest NSA revelations
- Salon.com: First Amendment’s racial tumult: Why Greenwald’s latest revelation matters
- ABCNews.com: Feds Spied on Prominent Muslim-Americans, Report Claims
- ForeignPolicy.com: Meet the Spies Doing the NSA's Dirty Work

No comments: