When you read things such as this. If only to understand whats going on. And not to be in total disagreement, but like I said, to understand why NSA is able to do what the law allows them to do.

@RBReich: Don't be distracted. The big story isn't Edward Snowden nor intelligence leaks.
It's government's disregard for privacy and civil liberties.

Is inoperable.

They've parsed our rights so finely that they are almost irrelevant.

So why are they complaining about the leak?


And just to remind you, Clarence Thomas does not believe there is a right to privacy contained in the Constitution.

Nearly four million people have TS clearances. That is four million people who have access to the classified information. Such releases, by your own standard sir, indicate that there can be no reasonable expectation of secrecy. When more than 1% of the population has access, that is no longer considered secret.

Also by sharing the information with corporations. Corporations that are publicly traded, and thus must answer to their stockholders, you wipe away any expectation of secrecy. By using Security Consulting Firms to administer the day to day operation of secret programs, the programs can no longer be considered secret. You must expect that people will know, and thus speak of the program to superiors. Those superiors have their positions because of the board of directors, who must also be briefed in to know what any portion of the corporation is doing, and to properly administer corporate assets to the benefit of the company.

Then you have the board, elected by the stockholders, who are unlikely to choose people who are unable, or unwilling to report on what is going on with the company. If a board member tells a stockholder you don't need to know what the company is doing, then the stockholder is unlikely to support that board member at the next election.

So the four million known TS clearances is not even close enough to the actual number of people who know about the programs. Then there is briefings of foreign governments. To get their assistance, we must provide them with an overview of what is going on, and then share with them pertinent data that effects their nations, and their citizens.

So the number of people who "know" about the programs, and the information at least hoped to be gained, is now ten times the number of TS clearance holders. We are up to roughly ten percent of the population of the United States as to who is in the know on this program alone.

Some of those people will be less cautious, or even sympathetic with our enemies. So it can be a given that the enemy knows our capability, which is why we hear so much less in the news about non specific threats, chatter by Terrorists, and the like. We knew nothing of the Boston Bombers before the first explosion. We knew nothing for days afterwards. Despite the fact that the eldest brother traveled to and was trained in a known area of the presence of Extremist activity. We learned nothing in other words, except from the eyewitness testimony who was able to narrow down the pictures of the area, to help identify the actual suspect.

Then good old fashioned police investigation took over, and phone records, email account records, and other information as seized by warrants, and then we found associates who might have been involved. All the PRISM nonsense provided exactly zero assistance in preventing a bombing.

Maj. Hasan who shot up Fort Hood made many public statements that were upon review, very troubling. Several Officers were cited for dereliction of duty in not reporting those statements and their concerns. Yet despite the fact that Maj Hasan emailed people who are on every terrorist watch list, nothing was done with the information to save lives.

Sir, the program is an abomination. An abomination to the principles of American Government, and to our expectations of individual privacy. To blast the person who released this information as a criminal who compromised a vital security tool is ludicrous beyond my ability to describe. At least ten percent of the population of the United States knew of the program around the world. The idea that each of them was absolutely trustworthy is laughable. The enemy almost certainly knew of the program. The Intelligence community knew of the program, and the only people who did not know of the program was the voters, the people that the Government is supposed to be by, for, and of.

What the NSA is doing is multiple orders of magnitude more intrusive than a pen register on a single dispatch station in a single state.

What we have here is quite different and well beyond what the Court envisioned in 1967 and 1979. We need new guidance from the SCOTUS.

-Laelth

One knowingly exposes the data they send via any telecommunication device to the telecommunication company. We rely on the company to hold and relay that data to the recipient. In the analog world of 1967, one knew it COULD be recorded, but expected it would not be. In the digital world of today, it IS recorded, if only to transmit it to another device.

Investing in companies that make encryption/decryption devices might not be a bad idea...

http://www.themediaconsortium.com/reporting/wp-content/uploads/2008/03/affidavit-bp-final.pdf

My name is Babak Pasdar, President and CEO of Bat Blue Corporation. I have given this affidavit to
Thomas Devine, who has identified himself as the legal director of the Government Accountability
Project, without any threats, inducements or coercion.

I have been a technologist in the computer and computer security industry for the past nineteen years
and am a "Certified Ethical Hacker" (E-Commerce Consultants International Council.) I have worked
with many enterprise organizations, telecommunications carriers, as well as small and medium sized
organizations in consulting, designing, implementing, troubleshooting, and managing security systems.
This statement is to make a record ofmy concerns about the privacy implications for our society from
what I personally witnessed at a major telecommunications carrier, as summarized below.

What I know:

• I know I saw a circuit that everyone called the "Quantico Circuit."

• I know that all other sites had store numbers or affiliate numbers. The "Quantico Circuit" was
the only site being migrated that had such a unique name.

• I know that it was a third party connecting to the client's network via the "Quantico Circuit."

• I know everyone was uncomfortable talking about it.

• I know that connecting a third party to your network core with no access control is against all
standard security protocols, and would fail almost any compliance standard.

• 1 know that I was a trusted resource. During the project, I at all times had access and control
over the communications to the most sensitive of the organization's systems. This included
their sales applications, billing systems, text messaging and mobile internet access, including email
and web. I even had a client badge for entry to the building and access to facilities.

• I know the client had Network VCRs situated at various locations throughout their data centers.
These devices collected and recorded all network communications and had the capacity to store
them for days, possibly weeks.

• I know that many of the organization's branch offices and affiliate systems did not have that
unfettered access, because I instituted the controls.

What is likely, based on normal industry practice:

• A third party had access to one or more systems within the organization.

• The third party could connect to one or more of the client's systems. This would include the
billing system, fraud detection system, text messaging, web applications. Moreover, Internet
communications between a mobile phone and other Internet systems may be accessed.

• The client could connect to one or more of the third party's systems.

• The client's Data and Cell networks are interconnected.

• It is unlikely that any logging was enabled for any access to the Quantico circuit, because the
client's technical experts suggested that this was not enabled. They were tentative in even
discussing the subject. Even if logging was enabled the logging system was so inappropriately
sized that it was useless.

What is possible due to consistency with known facts but for which I don't have proof:

• The third party may be able to access the billing system to find information on a particular
person. This information may include their billing address, phone number(s), as well as the
numbers and information of other people on their plan. Other information could also include
any previous numbers that the person or others on their plan called, and the outside numbers
who have called the people on the plan.

• The third party may be able to identify the Electronic Security Number (ESN) of the plan
member's phones. This is a unique identifier that distinguishes each mobile device on the
carrier's network.

• With the ESN information and access to the fraud detection systems, a third party can locate or
track any particular mobile device. The person's call patterns and location can be trended and
analyzed.

• With the ESN, the third party could tap into any and all data being transmitted from any
particular mobile device. This would include Internet usage, e-mails, web, file transfers, text
messages and access to any remote applications.

• It also would be possible in real-time to tap into any conversation on any mobile phone
supported by the carrier at any point.

• It would be possible for the third party to access the Network VCR devices and collect a variety
of information en masse. The Network VCR collects all communications between two systems
indiscriminately. It would then archive this information making it available for retrieval on demand.
The third party could access the Network VCR systems and collect all data
communications for single mobile device such as text messaging, Internet access, e-mail, web
access, etc. over some period of minutes, hours, days or weeks. The same can be done for
communications of multiple, many or even all mobile devices for some period of minutes,
hours, days or weeks.

• Even if the client did not provide specific login and access for the third party to one or more of
their systems, without any access controls it is possible for the third party to leverage
vulnerabilities to "compromise" the client systems and obtain control or collect sensitive
information.