From: Fred Cohen <fc@all.net>
To: iwar@onelist.com (Information Warfare Mailing List)
Date: Tue, 8 Jan 2002 17:08:57 -0800 (PST)
Subject: [iwar] [fc:DoD.Memo.on.Collecting.Internet.Addys.for.Intel/CI.Components]

http://www.dami.army.pentagon.mil/offices/dami-ch/io/whatsnew/whatsnew.html

MEMORANDUM

SUBJECT: Principles Governing the Collection of Internet Addresses by DOD Intelligence and Counterintelligence Components

This document lays the initial groundwork for determining how to apply intelligence oversight principles to the conduct of intelligence/counterintelligence (FI/CI) activities on the Internet. It is not intended to provide comprehensive intelligence oversight guidance. On the contrary, this paper only addresses a single question: Does obtaining an e-mail or site address constitute a collection of information about a United States Person?

These Principles provide a framework for answering this question. They are not a substitute for conducting a case-by-case analysis nor are they directive. Instead, they are intended to serve as a tool to assist the attorney and the intelligence officer in determining how to proceed during a given Internet-based activity. It is the expectation of this office that individual FI/CI components will build upon these principles to establish internal guidelines.

While these Principles are being distributed by the Office of General Counsel, they represent the work and collective wisdom of attorneys and intelligence experts from throughout the Department of Defense, including the Office of the Assistant to the Secretary of Defense for Intelligence Oversight, the National Security Agency, the Defense Intelligence Agency, the Defense Information Systems Agency, the Joint Staff, USSPACECOM, and each of the Military Services.

Original signed
Richard L. Shiffrin
Deputy General Counsel (Intelligence)

Principles Governing the Collection of Internet Addresses by DOD Intelligence and Counterintelligence Components

Increasingly, DOD intelligence components are conducting intelligence and counterintelligence activities on the Internet.
One challenge they confront is to maximize the use of the Internet while ensuring that such use complies with Executive Order 12333, United States Intelligence Activities, and its implementing regulation, DOD 5240.1-R, Procedures Governing the Activities of DOD Intelligence Components That Affect United States Persons. Despite the fact that both of these documents were published well before the development of the Internet as it exists today, the concepts, principles, and procedures they embody remain vibrant and govern the intelligence and counterintelligence use of the Internet.

In order to properly apply the provisions of E.O. 12333 and DOD 5240.1-R to the use of the Internet, intelligence and counterintelligence personnel need to know how to analyze, as well as characterize, IP addresses, URLs, and e-mail addresses. All three of these categories of information present challenges that are different from those encountered when working with traditional forms of information. Yet all three fit well within the framework of DOD 5240.1-R. A discussion of each of the three categories follows.

IP Addresses

An IP address is a numeric string (e.g., 149.122.3.30) that identifies a hardware connection on a network. The numeric string is information about the owner, operator, or user of the hardware connection. As is the case with a telephone number, the numeric string comprising an IP address does not, without further information, identify or consist of information about a United States person. However, open source information about IP addresses is available on the web. Sometimes, the information that is available is very general and would not allow one to determine if the IP address is information about a U.S. person. In other instances, the information that is available is quite specific and would allow such a determination.

Intelligence and counterintelligence (FI/CI) components are not necessarily required to try to decipher an IP address as soon as they encounter one.
They are only required to engage in such an inquiry once a decision is made to conduct analysis that is focused upon specific IP addresses. Prior to such analysis, IP addresses may be treated as "data acquired by electronic means." In accordance with DOD 5240.1-R, procedure 2.B.1, such data is not considered to be collected until it has been processed into intelligible form. There are no intelligence oversight restrictions on the maintenance or disposition of information that is not considered to have been "collected."

However, once the decision is made to conduct analysis focused upon specific IP addresses, the "collecting" component is obliged to conduct a reasonable and diligent inquiry to determine whether any of the IP addresses are associated with United States persons. To conduct this inquiry, the component may use the above described web tools, but also must consider any external information available to it that might assist in identifying the IP address. If the FI/CI component still cannot reasonably determine whether any given IP address is associated with a U.S. person, then it may apply the presumption that unattributed IP addresses do not constitute information about a person and the IP address may be the subject of inquiry without regard to whether or not it is associated with a U.S. person. If, however, the component subsequently obtains information to indicate that an IP address is associated with a U.S. person, then the presumption is overcome and that IP address must be handled in accordance with the procedures governing the collection of information about U.S. persons. The collecting component should document the efforts made to determine whether the IP address in question is associated with a U.S. person.

E-Mail Addresses

An e-mail address identifies a user so that the user can receive Internet e-mail.
An e-mail address typically consists of a name to identify the user to the mail server, followed by "@" and the host name and domain name of the mail server. For example, if Anne E. Oldhacker has an account on the mail server called baz at Foo Enterprises, she might have an e-mail address, aeo@baz.foo.com.

E-mail addresses, unlike both IP addresses and URLs, are nearly universally associated with individuals. It is often difficult, however, to identify the individual with whom any given e-mail address is associated. Some e-mail addresses are configured as a string of alphanumeric symbols that do not convey any meaningful information (e.g. aronssop@ or smi2345@). Others plainly identify an individual (e.g. patti.aronsson@). Regardless of how straightforward an e-mail address appears to be on its face, more often than not, it does not provide sufficient information to identify it as being affiliated with a United States person. Sometimes, though, the name to the left of the "@" will provide persuasive evidence that the e-mail address is associated with a U.S. person; for example, the person may be a well known public figure or may be the target of an investigation or inquiry in which the intelligence investigator or analyst is engaged.

Occasionally, the information to the right of the "@" may provide persuasive evidence about whether an e-mail address is associated with a U.S. person. The information to the right of the "@" represents the service provider. Some service providers predominately serve a non-U.S. based clientele and e-mail accounts with such providers may be presumed not to be U.S. person accounts. Other service providers are so closely affiliated with the U.S. that any e-mail account with that provider should be presumed to be associated with a U.S. person (e.g.
aronssop@osdgc.osd.mil). This latter category of e-mail addresses may only be collected, retained, or disseminated in accordance with the requirements of DOD 5240.1-R.

All other e-mail addresses may be treated in a manner similar to the approach described for the treatment of IP addresses. E-mail addresses that are not self-evidently associated with U.S. persons may be acquired, retained and processed by CI and FI components without making an effort to determine whether any given address is associated with a United States person so long as the component does not engage in analysis focused upon specific addresses. Once such analysis is initiated, the CI or FI component must make an effort to determine whether the addresses are associated with U.S. persons.

Unlike IP addresses, there is no central repository of e-mail addresses to assist the component in identifying them. Instead, the component must rely principally upon traditional methods to try to determine whether any given address is being used by a United States person. Oftentimes, particularly for those e-mail addresses which are cryptic, it will be virtually impossible for the CI or FI component to make a determination. In such instances, the component may presume that the e-mail addresses do not identify U.S. persons. As with all presumptions, however, the component is under a continuing obligation to be alert to information that might overcome the presumption.

URLs

URL (Uniform Resource Locator) is a standard way of specifying the location of an object on the Internet, typically a web page. URLs are the form of address used on the World Wide Web. URLs typically appear as words rather than numbers and, while some URLs are gibberish, most of them convey a modicum of information.
In some instances, that information is of a character that ostensibly identifies a person (e.g. Mary_Smith.com or USSTEEL.com). In other instances, the words in a URL do not convey, in any apparent way, information concerning persons (e.g. Bicyclists.com).

Unlike IP addresses or e-mail addresses, URLs are, almost by definition, publicly available. As such, even if they identify U.S. persons, lists of URL addresses may be maintained by CI/FI components provided such collection is within the scope of an authorized intelligence/counterintelligence activity assigned to that component. CI/FI components also may open the websites associated with such URLs if doing so is part of an authorized mission. If, however, the component wants to collect information beyond that which is available on the site, then it must make an effort to determine whether the person about whom they are collecting is a U.S. person and, if so, comply with the requirements of DOD 5240.1-R.
This archive was generated by hypermail 2.1.2 : 2002-12-31 02:15:02 PST