doctorow at August 24th, 2013 11:36 — #1
samthebutcher at August 24th, 2013 12:08 — #2
WSJ: The practice isn’t frequent — one official estimated a handful of cases in the last decade — but it’s common enough to garner its own spycraft label: LOVEINT.
BB: It is so widespread that it has its own slangy spook-name.
bcsizemo at August 24th, 2013 12:15 — #3
It's like combining "One Hour Photo" with "The Final Cut"....
websta at August 24th, 2013 12:44 — #4
I have to say that the increasingly-frequent argument, "Compared with how much traffic we're illegally/unconstitutionally monitoring overall, this criminal infraction is negligible," is becoming less and less convincing.
Perhaps the NSA needs to monitor more crisis managment PR people and learn how to be reassuring, rather than increasingly creepy.
socialmaladroit at August 24th, 2013 14:05 — #5
Give people the means and opportunity to do that kind of thing, and some of them will do it.
Here's a story from personal experience. I used to work at a 9-1-1 agency where the police maintained a database of pretty much everyone they came in contact with. To be more precise, if they wrote a police report involving you, even if you were the complainant, your info went in their database. (Forever, as far as I know.)
It was common practice for dispatchers to look up people they were dating in that database, even though it was technically a firing offence. In fact, back in the day when my wife was a trainee there, her coach told her, "Forget the rules, you'd be crazy to go on a date without looking them up."
It probably still is commonly done, although management made lot of rumbling noises about tightening up on the rules.
zhasu at August 24th, 2013 15:01 — #6
I assumed as much. I remember thinking about similar scenarios, but little bit worse. Imagine you have a neighbor who is a total asshole and works for NSA. One day you stop getting along for whatever reason. This guy starts monitoring you and waiting for something embarrassing or even illegal (like texting your dealer for some marijuana). This kind of situation can potentially affect millions of people. In this kind of system everyone should be worried, as it is perfect for the abuse.
knoxblox at August 24th, 2013 15:08 — #7
If I could think of at least one arena this would actually be helpful with, it would be determining whether profiles were men pretending to be women on OK Cupid or Match.com.
cowicide at August 24th, 2013 15:57 — #8
WSJ: The practice isn’t frequent — one official estimated a handful of cases in the last decade — but it’s common enough to garner its own spycraft label: LOVEINT. BB: It is so widespread that it has its own slangy spook-name.
What "officials" claim are "rare occurrences" are often, in reality, found out later to be widespread occurrences once the facts of the situation are brought to light by whistleblowers.
Did you not learn anything from all the other previous NSA statements that turned out to be massive understatements, half-truths and lies?
I mean, really...?
Also, don't you have to wonder how many business secrets have been stolen from people?
fuzzyfungus at August 24th, 2013 16:05 — #9
So, there have been zero abuses, and that's no bullshit; but they've had to fire people over abuses?
wioeutqoutryoqw at August 24th, 2013 16:14 — #10
One person's LOVEINT is another person's stalker.
I suspect the reality of the situation is similar to giving people the internet at work with the rule to keep their browsing work-related. "Several people self-reported having watched a stupid cat video, but it really never happens. One or two have been reprimanded for emailing their spouses. It's quite uncommon though. Once a year." The NSA: we record everything everywhere, but we don't look at it. Honestly.
In other news, the NSA is working for Hollywood to destroy the lives of alleged copyright infringers, a.k.a. "Billy Big Trousers."
acerplatanoides at August 24th, 2013 16:23 — #11
Yes Sam. BB has a different viewpoint than the WSJ. Shocking, I know.
Would you say that the WSJ has a spotless record when it comes to either accuracy or fairness in their own news reportage of intelligence activities?
Is the BB headline "wrong" in your view? What was the point you're making or attempting to make by pointing out the difference between the coverage?
samthebutcher at August 24th, 2013 17:01 — #12
Sensationalizing a story is rarely either necessary or desirable. The most dangerous thing about an echo chamber is that it can begin to run away with one viewpoint, and the occupants become impervious to any argument that fails to totally support it, to the minutest detail.
michael_r_smith at August 24th, 2013 17:18 — #13
When I worked in an environment where we had access to public CCTV feeds and the driver registration database for operation staff to look up the name and addresses of attractive women seen on the cameras.
michael_r_smith at August 24th, 2013 17:21 — #14
Similar issue where I worked but the database was modified to record all queries, and the sacking offence part of it was enforced eventually.
gilbertwham at August 24th, 2013 17:32 — #15
Very round Venn diagram, that...
digitalartform at August 24th, 2013 17:42 — #16
Who will be the first published of the many authors and screenwriters suddenly using that as their title and premise?
ygret at August 24th, 2013 17:53 — #17
The facts are obvious -- the NSA DOES NOT HAVE an auditing system for database and file access on its servers. If they did, they would know exactly what docs Snowden took, exactly who is querying the data without authorization, etc., etc.
These "LOVEINT" things likely happen all the time as the only cases they have discovered are the ones that were self-reported, usually as the result of a secrecy re-authorization (which uses polygraph machines!). In fact, its safe to say that analysts, if they are of a mind to, routinely look through the traffic of anyone they have an interest in, for whatever reason. Given the sheer number of people who have access to the data its probably an underestimation to say it happens a hundred times per day.
The shocking reality that their systems aren't auditable in terms of authorized versus unauthorized queries is just more evidence that everything they are telling us about the "security" of the data they collect is total garbage. There are ways to make such data more secure, they clearly and simply don't care to. Its hard, takes a lot of hours to build and maintain such systems and when your mantra is "collect it all" its clear where the money and effort is going, and it ain't going to keeping our data secure.
From working in IT departments for over a decade I fucking KNEW these guys were lying through their teeth. Well, maybe I didn't know it, but I suspected it strongly once it became clear they couldn't figure out what docs Snowden had viewed/taken.
The NSA systems should log and compare every query to a database of approved queries and immediately ding a supervisor when one doesn't match. There should be auditable, login based records of every document retrieved, printed and/or downloaded into a separate storage device. The only way to copy these docs without getting flagged should be to photograph the damned screen (and that should be very difficult because there should be rules about what analysts, etc. can bring to their desks.
But when you have thousands of analysts, sysadmins, tech support, software engineers, database engineers, government and non governmental employees at tens or hundreds of locations all using, configuring and querying massive datasets on a daily basis, the logistics of that would be incredibly difficult if not impossible. So of course, what does any self-respecting tech organization do, they say fuck it and open everything up. I've never worked anywhere that wasn't the case. THAT is the state of IT in the early 21st century.
And lets not even get into what data is used in their test databases - you know, the ones database engineers and software programmers use to test and refine new queries and software interfaces and database structures. One can't run such systems against a small set of fake data or they aren't being properly tested. A new query can bring down an entire database if written poorly or designed to grab too much data. These things MUST be tested on data that matches the topography of the data they will be run against in a production environment.
The mistake we keep making (not just with this NSA crap) is utterly over-estimating the technique, sophistication and skill behind IT systems. They are not magical. They are human made systems and they fail all the time, even when kept simple. And if anything these NSA systems are leviathans of complexity and size. Even if they gave a crap about auditability and data security, which they obviously do not, there would still be ten thousand ways to circumvent any protections. A system like this is begging, screaming to be abused. And it is being abused. Constantly and thoroughly.
These fucking spooks are lying through their fucking sharpened teeth (no insult to the Ferengi).
tachin1 at August 24th, 2013 19:44 — #18
This... you're right but I've seen this with other people as well, offering these people advice under the guise of criticism. Its like we want to believe that just saying it makes it so. Perhaps we're so wrapped up in managing identities that there just isn't any room for outrage, not while there's an identity to protect, even a fake one.
Maybe people really want to believe that this is in everybody's best interest and offer hedges when we can.
socialmaladroit at August 24th, 2013 22:03 — #19
Sure, the database the cops kept tracked who was logged on and whose names were run, and when. (So were the national and local law enforcement databases, and the DMV database.) The radio channel was taped.
That was the thing that made it a bit harder to enforce. Someone would have to listen to the radio recording to find out whose names the cops asked you to run, and then compare that to whose names you actually ran. Back in the day, they used to record everything on tape. I'm sure it's easier now that everything's recorded digitally and there's transcription software.
I'd be appalled if the NSA didn't keep track of who accessed what when. Then again, at 9-1-1, it was all about liability. If a cop arrested (or didn't arrest) someone based on information a dispatcher gave them, there was a potential lawsuit. If a citizen found out you ran them when you didn't have official permission to, there was a potential lawsuit.
But if the NSA and its contractors face little or no accountability for what they do, since it's all done in secret, what incentive do they have to keep close tabs on who accesses the databases they have? It's crazy that Snowden was even allowed to download what he did and walk out of an office with it.
acerplatanoides at August 24th, 2013 23:23 — #20
Telling a sensational story and sensationalizing a story are quite different.
next page →