In 2016, Ryan Gallagher and Henrik Moltke published a long, Snowden-derived investigation into AT&T's secret NSA listening station in New York City, and AT&T's extensive complicity in mass, warrantless surveillance on Americans and foreigners.
In a new, detailed followup, Moltke and Gallagher reveal the details of eight more NSA spy centers in AT&T's interchange points, where other telcom providers (both domestic and foreign) cross-link their networks with AT&T's backbone. These centers, in Atlanta, Chicago, Dallas, Los Angeles, New York City, San Francisco, Seattle, and Washington, D.C., are all well-situated for intercepting and monitoring traffic from AT&T and its competitors.
Some of those partners told Gallagher and Moltke that they suspect that this is going (others refused to comment), and AT&T engineers past and present confirmed the details of the program for them.
Also in the story is the NSA's own frank admission that they routinely overcollect from these taps, grabbing information at an incredible scale (for example, if they find a single email that matches a keyword, they will grab all the email stored by that user and then warn analysts not to read it); their internal controls that are supposed to mitigate this and keep NSA surveillance within the bounds of the law are (again, according to the NSA) inadequate and routinely fail.
“One example of this is when a user of a webmail service accesses her inbox; if the inbox contains one email message that contains an NSA tasked selector, NSA will acquire a copy of the entire inbox, not just the individual email message that contains the tasked selector,” the memo stated.
The court’s ruling left the agency with two options: shut down the spying based on mentions of targets completely, or ensure that protections were put in place to stop the unlawfully collected communications from being reviewed. The NSA chose the latter option, and created a “cautionary banner” that warned its analysts not to read particular messages unless they could confirm that they had been lawfully obtained.
But the cautionary banner did not solve the problem. The NSA’s analysts continued to access the same data repositories to search, unlawfully, for information on Americans. In April 2017, the agency publicly acknowledged these violations, which it described as “inadvertent compliance incidents.” It said that it would no longer use surveillance programs authorized under Section 702 of FISA to harvest messages that mentioned its targets, citing “technological constraints, United States person privacy interests, and certain difficulties in implementation.”
The Wiretap Rooms [Ryan Gallagher and Henrik Moltke/The Intercept]