More Details of the NSA's Social Network Analysis 367
mrogers writes "USA Today has a story describing how the NSA looks for suspicious calling patterns in the huge volumes of traffic data it collects. "Templates" such as a call from overseas followed by a flurry of domestic calls are used to identify leads, which are forwarded to the FBI for investigation. There have been complaints that low-quality leads are drawing agents away from other cases, and similar pattern-matching approaches have been found wanting in the past. Can data mining identify terrorists?"
The strength of weak links... (Score:5, Interesting)
There is plenty out there on the "Strength of weak links", where past associations (old roommates, sleeper cells), with not contact can be very strong service links when reinitiated.
There is also plenty out there on how this is DoSing the FBI.
And the tin foil hat crowd (a very popular piece of headware these days) will point out that this tool is far more useful for targeting individuals than searching for patterns. And what if you are the target?
It's possible according to Yahoo (Score:2, Interesting)
I know that YAhoo has commented on this because they datamine extensively to find surfing habits on their site to better place advertisements. Obviously this is a bit different, but the technology and methodology is similar. I have no problem with computers analyzing calling patterns. There was a distinct pattern of calls that lead up to 911 and other attacks.
http://religiousfreaks.com/ [religiousfreaks.com]Historical != predictive modeling (Score:3, Interesting)
They looked at the history of a few people and found a pattern. Now that the pattern has been disclosed, only historical information is likely to have any merit. If the people controlling the communications know this is a way to be found, after getting a call from a watched country, they'll have the people go somewhere else and send emails or otherwise use a different channel for communication.
Knowing all of the data points isn't enough if you don't know which ones in different databases (phone, email, etc) are related and why.
Sounds like a traditional IDS (Score:2, Interesting)
Let's look how most Network Intrusion Detection Systems work today, including the OSS favorite Snort [snort.org].
We start off with a bunch if signatures. These signatures are analyzed against including network traffic. A signature is matched, an alert is sent out (syslog, mysql, whatever) and my little console displays the alert. I analyze, determine it's a "false alert". I try to tune it out, maybe, depending on frequency and annoyance, and continue on to the next (false?) alert. If the alert is deemed true, I determine if we were hacked or if something more serious is going on. Usually, I get other people involved.
Sounds like the NSA's system is very similar to the job of our favorite IDS operator. In fact, it's exactly the same thing. Some softwatre looks for patterns in telephone network traffic. Once these patterns are found, they do a quick check (basic analysis) to confirm the pattern has matched. Then, the alert is passed on to a different team to investigate whether there is a more serious event or not.
Are there false positives? Yes. Are there false negatives? Yes. Does this mean the method is ineffective? No. Does this mean it should be shut down? No. If it did, why am I, and thousands of others, getting paid for everyday?
False leads? No way! (Score:3, Interesting)
Okay, here's an example of how stupid the example given is (and it's not the example that's stupid, it's the intelligence community): I'm an American I have good friends, or maybe family living overseas. Let's say my brother lives in Germany and he just called me to tell me that his wife had a baby boy. So, what am I going to do? Call everyone in my family and anyone that knows my brother well and say, "Guess what, they had a baby boy."
The fact is that, with calls between friends and family overseas in particular, the calls are not infrequently going to be some sort of major or semi-major news that the person in the States is then going to want to share with other friends and family. If the FBI is getting hit with all this garbage, I'm surprised they find time to do anything else.
I'm not saying this stuff can't be used to find terrorists, but at what expense? I would imagine there are much more effective ways to spend the money.
To bring the example a little closer to home, back in the early 90s when export restrictions on encryption were quite a bit tighter than they are now, I was asked by an uncle of mine (who's a venture capitalist) to do a little research into encryption. He had been approached by a group that had come up with some new encryption algorithm and he wanted me to get some sort of feel for how theirs stacked up.
So, I go onto Usenet and start asking some questions, trying to educate myself on this stuff. A few weeks later, I'm talking to one of my neighbors and she says, "So, did you get that job at the White House?" I said, "What job at the White House?" She said, "Well, there were some agents from the State Department here asking questions about you and they said it was for a job at the White House."
Now, I'm no rocket scientist, but I can do the math. Ask about encryption, agents show up. I suspect the two were related. I'm sure they were probably NSA agents since encryption is really more of their deal, or maybe State Dept. agents tasked by the NSA. But whatever.
Had they even looked at my file, which I'm sure they had since I had a full background check for a security clearance a few years prior, they would have quickly discovered that I'm someone of little consequence and not a likely spy. But no, they had to send out a couple agents to investigate me asking questions that anyone from anywhere around the world could have posted on Usenet. What a complete waste of time and money. And it's not like you couldn't just download regulated encryption algorithms off the net at the time anyway.
But I digress. Spending money to protect us is fine, if it's spent wisely. This is costing time of valuable people and untold amounts fo money for what is sure to be barely usable information. But hey, that should come as no shock to anyone.
Re:False leads? No way! (Score:1, Interesting)
Okay, here's an example of how stupid the example given is (and it's not the example that's stupid, it's the intelligence community): I'm an American I have good friends, or maybe family living overseas. Let's say my brother lives in Germany and he just called me to tell me that his wife had a baby boy. So, what am I going to do? Call everyone in my family and anyone that knows my brother well and say, "Guess what, they had a baby boy."
conclusion: Pedritos "brother" has a "baby boy".
decision: Arrest Pedrito and his dealer network, send them to Egypt and other friendly coalition countries for some "extraordinary rendition".
Re:Attitude (Score:4, Interesting)
I guess as the US is a democratic country, it's alright to do so. Democracy means, literally, rule by the people. The vast majority of people either doesn't care or doesn't get beyond posting "wtf, criminals!" on /.
You'd have to shut down TV for a week or only a day - I bet enough people would start to care about this and many other things...
are they admitting to something? (Score:4, Interesting)
Are they admitting to collecting details on domestic phone calls _before_ 9/11?
Keep in mind... (Score:4, Interesting)
An interesting aside: as reported by Bruce Schneier, al Qaeda members avoid Echelon by using shared Hotmail accounts. Rather than sending email, they create drafts and save them, and have a running conversation in the draft before deleting it. Not sending the email means the email doesn't trigger midpoint monitoring. Would they be doing that if they didn't know about Echelon?
Better Interagency Communication (Score:3, Interesting)
That dodge is how Bush can appear on TV saying "this NSA program doesn't listen to your calls", because they forward your calls to another program, at the FBI (and probably elsewhere). Feel safer?
Re:Beside the point. (Score:3, Interesting)
How to become a suspected terrorist:
1) Niece in Pakistan...has first son
2)Niece calls aunt in Dearborn for 5 minutes using neighbor's cell phone
3)Proud aunt calls all of her friends and extended family in US/Canada
4)FBI agent from Detroit digs out auntie's file....adds entry
5) Auntie's Son at U of M attends Arab Heritage meeting in student union...add that to his file
6)Cross reference Auntie and Son's files and calling patterns
7)Find both called cousin in Italy
8) Cousin in Italy was previously arrested at anti-WTO meeting (what greater enemy to the USA than that!?)
9)Scoop up cousin and fly him of to Egypt as a "person of interest"
10) Question cousin about his ties to Al Quaeda...specifically his second cousin's neighbor
11) Despite 48 sleepless hours of interrogation, a sound beating, exposure to cold, being stripped and humiliated this "terrorist" claims to have never been to Pakistan and has never met his second cousin's neighbor
12) Fly cousin to Afganistan and leave him to rot for 6 months
13) Drop him off in the countryside of Bulgaria
How much of this is inconceivable? Does it make you feel safer that our government does this sort of thing? If safer, proud? Do we catch more bad guys than we create?
Re:The strength of weak links... (Score:3, Interesting)
Second, your recommendation that this be fixed is disturbing.
How about we just do away with the whole pile of crap. For more on the dismal state of affairs, see http://www.lewrockwell.com/engelhardt/engelhardt1
The only thing you can count on is that more and more money will be wasted on returning less and less of value.
Actually, have the CIA, NSA, etc. yet produced anything of value? Note: do not count useful intelligence ignored because the president was asleep, drunk, or just dumb as shit.
Re:terrororists (Score:1, Interesting)
I used to work for one of the computer, software, services, printer, and offshoring companies in the US that regularly sold such software to telcos all around the world. The only thing new about this is that the government is doing it, not that it is being done. If you don't think telcos had the ability to intelligently analyze who was calling who, for how long, whether the call was any way different than the caller (or reciever's) usual behavior, etc... you have been out of touch. About the only thing the telcos don't monitor is the actual content of your conversations...but there were 1 or 2 api's for our product that looked like they were specifically created for just this purpose (according to what I saw of their documentation).
If you want to learn more about this technology, I recommend you talk to someone from the CFCA (Communications Fraud Control Alliance) and see what they'll let slip. Sadly, it's a notoriously tight lipped group to those not in the industry and without a need to know.
Re:Quick, Look the Other Way! (Score:2, Interesting)
Regards,
Steve
Relevant Schneier article (Score:3, Interesting)
http://www.wired.com/news/columns/0,70357-0.html?
In a nutshell, his premise is that the underlying assumptions that make data mining work for such things as credit card fraud don't hold when searching for terrorist plots. Also, that trying to apply those models will result in a flurry of false negatives so large as to make the whole effort useless and a waste of resources which could otherwise be better spent. It's hard to argue with...
Re:Terrorist activities (Score:3, Interesting)
After 911 the US adminstration decreed along with the war on Terror - 'funding terrorism is a crime'. While the comment was primarliy aimed at Al-Queda, funding the IRA was (unintentionally?) put in the same category.
Its probably always been illegal to fund terrorism (IANAL), but I havent seen any arrests for funding the IRA hit the news, nor have i seen any Irish Americans thrown in GTMO. I'd say someone turned a blind eye.
Check out: http://en.wikipedia.org/wiki/NORAID [wikipedia.org]
Why arent the former/current leaders and members of NORIAD in GTMO?