[iwar] [fc:DoD.Memo.on.Collecting.Internet.Addys.for.Intel/CI.Components]

From: Fred Cohen (fc@all.net)
Date: 2002-01-08 17:08:57



http://www.dami.army.pentagon.mil/offices/dami-ch/io/whatsnew/whatsnew.html

MEMORANDUM

SUBJECT:    Principles Governing the Collection of Internet Addresses by DOD
Intelligence and Counterintelligence Components


    This document lays the initial groundwork for determining how to apply
intelligence oversight principles to the conduct of
intelligence/counterintelligence (FI/CI) activities on the Internet.  It is
not intended to provide comprehensive intelligence oversight guidance.  On
the contrary, this paper only addresses a single question - Does obtaining
an e-mail or site address constitute a collection of information about a
United States Person?

    These Principles provide a framework for answering this question.  They
are not a substitute for conducting a case-by-case analysis nor are they
directive.  Instead, they are intended to serve as a tool to assist the
attorney and the intelligence officer in determining how to proceed during a
given Internet-based activity.  It is the expectation of this office that
individual FI/CI components will build upon these principles to establish
internal guidelines.

    While these Principles are being distributed by the Office of General
Counsel, they represent the work and collective wisdom of attorneys and
intelligence experts from throughout the Department of Defense, including
the Office of the Assistant to the Secretary of Defense for Intelligence
Oversight, the National Security Agency, the Defense Intelligence Agency,
the Defense Information Systems Agency, the Joint Staff, USSPACECOM, and
each of the Military Services.



                          Original signed
                        Richard L. Shiffrin
                        Deputy General Counsel
                        (Intelligence)
 
Principles Governing the Collection of Internet Addresses by DOD
Intelligence and Counterintelligence Components

    Increasingly, DOD intelligence components are conducting intelligence
and counterintelligence activities on the Internet.  One challenge they
confront is to maximize the use of the Internet while ensuring that such use
complies with Executive Order 12333, United States Intelligence Activities,
and its implementing regulation, DOD 5240.1-R, Procedures Governing the
Activities of DOD Intelligence Components That Affect United States Persons.
Despite the fact that both of these documents were published well before the
development of the Internet as it exists today, the concepts, principles,
and procedures they embody remain vibrant and govern the intelligence and
counterintelligence use of the Internet.

    In order to properly apply the provisions of E.O. 12333 and DOD 5240.1-R
to the use of the Internet, intelligence and counterintelligence personnel
need to know how to analyze, as well as characterize, IP addresses, URLs,
and e-mail addresses.  All three of these categories of information present
challenges that are different from those encountered when working with
traditional forms of information.  Yet all three fit well within the
framework of DOD 5240.1-R.  A discussion of each of the three categories
follows.

IP Addresses

    An IP address is a numeric string (e.g., 149.122.3.30) that identifies a
hardware connection on a network.  The numeric string is information about
the owner, operator, or user of the hardware connection.  As is the case
with a telephone number, the numeric string comprising an IP address does
not, without further information, identify or consist of information about a
United States person.  However, open source information about IP addresses
is available on the web.  Sometimes, the information that is available is
very general and would not allow one to determine if the IP address is
information about a U.S. person.  In other instances, the information that
is available is quite specific and would allow such a determination.

    Intelligence and counterintelligence (FI/CI) components are not
necessarily required to try to decipher an IP address as soon as they
encounter one.  They are only required to engage in such an inquiry once a
decision is made to conduct analysis that is focused upon specific IP
addresses.  Prior to such analysis, IP addresses may be treated as "data
acquired by electronic means."  In accordance with DOD 5240.1-R, procedure
2.B.1, such data is not considered to be collected until it has been
processed into intelligible form.  There are no intelligence oversight
restrictions on the maintenance or disposition of information that is not
considered to have been "collected."

    However, once the decision is made to conduct analysis focused upon
specific IP addresses, the "collecting" component is obliged to conduct a
reasonable and diligent inquiry to determine whether any of the IP addresses
are associated with United States persons.   To conduct this inquiry, the
component may use the above described web tools, but also must consider any
external information available to it that might assist in identifying the IP
address.  If the FI/CI component still cannot reasonably determine whether
any given IP address is associated with a U.S. person, then it may apply
the presumption that unattributed IP addresses do not constitute information
about a person and the IP address may be the subject of inquiry without
regard to whether or not it is associated with a U.S. person.  If, however,
the component subsequently obtains information to indicate that an IP
address is associated with a U.S. person, then the presumption is overcome
and that IP address must be handled in accordance with the procedures
governing the collection of information about U.S. persons.   The collecting
component should document the efforts made to determine whether the IP
address in question is associated with a U.S. person.

E-Mail Addresses

    An e-mail address identifies a user so that the user can receive
Internet e-mail.  An e-mail address typically consists of a name to identify
the user to the mail server, followed by "@" and the host name and domain
name of the mail server.  For example, if Anne E. Oldhacker has an account
on the mail server called baz at Foo Enterprises, she might have an e-mail
address, aeo@baz.foo.com.

    E-mail addresses, unlike both IP addresses and URLs, are nearly
universally associated with individuals.  It is often difficult, however, to
identify the individual with whom any given e-mail address is associated.
Some e-mail addresses are configured as a string of alphanumeric symbols
that do not convey any meaningful information (e.g. aronssop@ or smi2345@).
Others plainly identify an individual (e.g. patti.aronsson@).  Regardless of
how straightforward an e-mail address appears to be on its face, more often
than not, it does not provide sufficient information to identify it as being
affiliated with a United States person.  Sometimes, though, the name to the
left of the "@" will provide persuasive evidence that the e-mail address is
associated with a U.S. person; for example, the person may be a well known
public figure or may be the target of an investigation or inquiry in which
the intelligence investigator or analyst is engaged.

    Occasionally, the information to the right of the "@" may provide
persuasive evidence about whether an e-mail address is associated with a
U.S. person.  The information to the right of the "@" represents the service
provider.  Some service providers predominately serve a non-U.S. based
clientele and e-mail accounts with such providers may be presumed not to be
U.S. person accounts.  Other service providers are so closely affiliated
with the U.S. that any e-mail account with that provider should be presumed
to be associated with a U.S. person (e.g. aronssop@osdgc.osd.mil).

    This latter category of e-mail addresses may only be collected,
retained, or disseminated in accordance with the requirements of DOD
5240.1-R.  All other e-mail addresses may be treated in a manner similar to
the approach described for the treatment of IP addresses.  E-mail addresses
that are not self-evidently associated with U.S. persons may be acquired,
retained and processed by CI and FI components without making an effort to
determine whether any given address is associated with a United States
person so long as the component does not engage in analysis focused upon
specific addresses. Once such analysis is initiated, the CI or FI component
must make an effort to determine whether the addresses are associated with
U.S. persons.

    Unlike IP addresses, there is no central repository of e-mail addresses
to assist the component in identifying them.  Instead, the component must
rely principally upon traditional methods to try to determine whether any
given address is being used by a United States person.  Oftentimes,
particularly for those e-mail addresses which are cryptic, it will be
virtually impossible for the CI or FI component to make a determination.  In
such instances, the component may presume that the e-mail addresses do not
identify U.S. persons.  As with all presumptions, however, the component is
under a continuing obligation to be alert to information that might overcome
the presumption.

URLs

    URL (Uniform Resource Locator) is a standard way of specifying the
location of an object on the Internet, typically a web page.  URLs are the
form of address used on the World Wide Web.  URLs typically appear as words
rather than numbers and, while some URLs are gibberish, most of them convey
a modicum of information.  In some instances, that information is of a
character that ostensibly identifies a person (e.g. Mary_Smith.com or
USSTEEL.com).  In other instances, the words in a URL do not convey, in any
apparent way, information concerning persons (e.g. Bicyclists.com).

    Unlike IP addresses or e-mail addresses, URLs are, almost by definition,
publicly available. As such, even if they identify U.S. persons,  lists of
URL addresses may be maintained by CI/FI components provided such collection
is within the scope of an authorized intelligence/counterintelligence
activity assigned to that component.  CI/FI components also may open the
websites associated with such URLs if doing so is part of an authorized
mission.  If, however, the component wants to collect information beyond
that which is available on the site, then it must make an effort to
determine whether the person about whom they are collecting is a U.S. person
and, if so, comply with the requirements of DOD 5240.1-R. 
