Privacy SOS

Meet CISPA’s government buddy, Einstein 3

Please note that by playing this clip YouTube and Google will place a long term cookie on your computer.

Here's an idea: take the National Security Agency (NSA) and AT&T, two shameless and remorseless privacy offenders, and give them access to all data heading into and out of US federal government websites. Then pass all of that information on to DHS, but better not make too much noise about it.

As you might have guessed, it's not just an idea.

Meet the Bush administration's brainchild, "Einstein 3", a project the Obama administration is pursuing quietly but steadily, boasts of "most transparent administration" ever notwithstanding. As you can see in the video above, funds for the expansion of the project have just been approved in Congress — absent any privacy protections that would have required DHS to simply spell out what kinds of information it was going to collect about us. Rep. Jackson Lee proposed an amendment that would have achieved this most bare of privacy protections, but she was thoroughly shot down. (Watch above at the very end of the clip.)

Aside from Rep. Jackson Lee and likely a few other members of Congress, the internet monitoring program is a bipartisan affair. Indeed, as sponsor of the amendment to fast track Einstein 3 Rep. McCall said, the move to turn up the heat and implement the program at all federal government websites was made "in close coordination with the DOJ and DHS." That's the Obama DOJ and DHS. 

Back in 2010, the Department of Homeland Security released a Privacy Impact Assessment (PIA) describing the classified program. It tells us that Einstein 3 uses extremely invasive NSA spy technology "to conduct real-time full packet inspection and threat-based decision-making on network traffic entering or leaving […] executive branch networks." But predictably, the DHS document leaves out the most interesting stuff about the program.

The deep packet inspection technology DHS is borrowing from the NSA to use in Einstein 3 is the same kind of system that the governments of Iran and Syria use to spy on internet traffic in their countries. Loads of media ink has been spilled about the totalitarian implications of these systems abroad, but what about those here at home?

Apart from one well-informed opinion editorial (which I cite extensively below), written three years ago, there is hardly anything in the press about the program. Looking to the media for information about it would lead one to believe that the project doesn't exist — even today, as Congress authorizes more funds for the project. But it does, and it is extremely costly both in dollars and liberties.

Even though DHS' 2013 budget is smaller than it was in 2012, the agency will spend more on so-called "cybersecurity" measures in the next fiscal year than it did in this one. And even though a large part of that increase will go towards a rapid expansion of the Einstein 3 program, the media has hardly taken notice. Ahhem:

What does Einstein 3 really do? Who cares?

The government claims that Einstein 3 is a necessary precaution against cyber attacks on US critical infrastructure, and the technical specifications of the project are complicated. Plenty of journalists likely don't know about the program, but those who do might not write about it because it's too complicated, the information about it too shadowy, or because they want to believe DHS and the Obama administration when they say that the system is a necessary precaution against cyber attacks.

But is it? In short, no.

If Einstein 3 is really meant to stop cyber attacks on federal government websites, as the government claims, then why does it need to monitor outgoing traffic from those sites? And why, as whistleblower and computer expert Babak Pasdar has asked, does the system only monitor activity between server exchange points? If it were really looking for intrusive attacks, wouldn't the system look further outside the network, at the perimeter, from where the attacks are launched? 

Government watchdog groups are not pleased and don't buy the government's claims about the program, either. In July 2009 Jesselyn Radack of the Government Accountability Project penned a blistering LA Times op-ed in which she accuses DHS and the Obama administration of behavior "antithetical to basic civil liberties and privacy protections that are the core of a democratic society." 

Despite its name, the Einstein 3 program is more genie than genius — an omnipotent force (run by the NSA via AT&T's "secret rooms") that does the government's bidding — spying. The last time around, this sort of scheme was known as the "special access" program — "special" being code for "unconstitutional."

We've known for some time that NSA — a secretive intelligence wing of the Department of Defense — uses super computers to suck up and filter as much internet and telecommunications data as possible. But now DHS is getting in on it?

Well, not exactly. DHS has been involved in the Einstein programs for some years now. But this latest iteration of the program is very different — and so much more dangerous — than the first two versions. Radack explains:

…[W]hile Einstein 1 and Einstein 2 passively observe information, Einstein 3 technology plans to use "active sensors." This is a tactic used by malware developers and is a popular feature of spyware that clogs up the Internet, slows down PCs and tips off hackers by emitting signals.
 
And most disturbingly, according to the Department of Homeland Security's 2008 "Privacy Impact Assessment," while earlier iterations of Einstein implemented signatures based on malicious computer codes, Einstein 3 could include signatures based on personally identifiable information. The privacy implications are great. Any citizen logging on to a ".gov" website would trigger this.
 
The IRS and other governmental agencies collect sensitive personal information for legitimate and limited purposes. However, strict confidentiality rules apply to that information. Although the Department of Homeland Security, which is managing the program, insists that the "main focus is to identify malicious code," we've heard such empty reassurances before.
The Department of Homeland Security and the NSA are operating Einstein 3 as we speak, and the Obama DHS is making expansion of the program a fiscal priority. The government is meanwhile asking us to just trust that its spooks won't use the program to violate our privacy and snoop into our private online data.
 
The feds say that Einstein 3 is meant to protect the government from cyber attacks, and as Radack and others have observed, it is dangerous enough on its own. But as the government is wont to be lately, it isn't satisfied with these vast, unaccountable powers and therefore wants to expand them to cover the entire internet. So members of Congress and intelligence hawks are pushing CISPA — total internet surveillance, again courtesy of DHS and the NSA.
 
Apparently sucking up all of the internet data that goes near .gov domains isn't enough for the data hungry spy agencies. They want it all. 
 
But they'll have to get through us — and CISPA cat — first. Tell the government to keep its hands off of our private internet data and to mind its own business.
 
And as for Einstein 3, NSA spying and DHS overreach, well….we've got a long, hard road ahead of us. Stay tuned.
 
For more information about Einstein 3 and its significant privacy implications, read the Congressional Research Service report "Cybersecurity: Selected Legal Issues", dated March 14, 2012.
 
UPDATE: A week later, the press still doesn't care enough about these vital issues to write or talk about Einstein 3. 

© 2021 ACLU of Massachusetts.