Project SpyLighter: Shining a light on spies
Project SpyLighter launched unofficially with the September 16, 2013 responsive documents to a FOIA request for Vupen's contract with the NSA.
It has since coalesced around the core ideas of surveying technology in use by the NSA and other agencies, confirming the identities of corporations contracting with these agencies, and revealing how much money they actually spend on private contracts. We intend to FOIA the NSA and other agencies for their contracts with companies that either manufacture and sell spy technology to U.S. intelligence agencies or are forced to install and use this technology on behalf of the spy agencies.
All of the documents posted are legally obtained through the FOIA process.
Who's behind this project?
Heather Akers-Healy is an activist and researcher based in California. She has a background in legal research and anthropology and is learning how to code. Her interests include civil rights, freedom of information, privacy, and examining how technology influences culture.
Jason Gulledge is a systems architect, programmer and researcher living in Paris, France. He is focused on fighting censorship, defending press freedoms, and fighting for personal privacy.
Runa Sandvik is a privacy and security researcher and sometimes a Forbes contributor.
Scott Ainslie is an undergraduate. He is a Fellow of Free Software Foundation Europe and harbours a specific interest in privacy-enhancing technologies and use of strong cryptography as a mechanism for social benefit.
Our findings so far:
- The NSA contracted with Packet Forensics in 2012 for $500,000 and in 2010 for $17,500. We will be appealing the NSA's redaction of what they purchased.
- The NSA contracted with French company Vupen for a year's subscription to their binary analysis and exploits service.
- The NSA is not (yet) using the Netronome SSL interceptor, a piece of equipment highlighted in WikiLeaks' SpyFiles. Netronome was recently acquired by Blue Coat, a company for which we are currently waiting on FOIA results.
How you can help:
If you haven’t already, please create an account. Anyone can participate in this project by filing a FOIA for spy tech or contracts through MuckRock’s website and tagging it with “SpyLighter.” Please check the link below for existing FOIA requests before filing one on a specific company to make sure it hasn’t already been requested. Please also do a search for the company name in the search box to the right as some requests may not be tagged properly and we need to avoid duplicate requests.
Tips on filing:
- Make sure to include the full company name and address when seeking company contracts, otherwise your request may be rejected as not having enough information to complete the search. The FOIA office has in the past processed some of our requests as “key word” searches when we had clearly requested a search with the company name. Include as much specific information about what you seek as possible.
- The language below was successful in obtaining the Vupen contract. This can be a model for your request but please add the address of the company.
- Publicize your requests and responses! Tweet them out, tweet at us for retweets, blog them, write about them!
- Ask for help if you get a denial or redaction. You can also search at Muckrock for how others have handled similar problems or submit a question here: https://www.muckrock.com/questions/
- Get inspired! The following resources might pique your curiosity:
- Larger companies (like Raytheon, for example) will have a huge volume of contracts with the NSA. We think asking for a list of invoices and their associated contract numbers may be a good idea. If successful it will allow you to review and select contracts that look interesting for the purposes of doing a separate FOIA request.
- As far as we're able to tell, NSA contract numbers all start with one of the following prefixes: MDA904, H98230-yy (where "yy" is the two-digit year, for example H98230-13-C). Prior to filing your request you may want to search publicly available information for related contracts.
- From what we can tell, academic grants (usually focused around advanced mathematics/statistics) follow the format with a prefix of: H98230-yy-1
- The NSA apparently has a limited search capability that prevents them from doing keyword searches. Heather attempted to obtain contracts on FinFisher software and received a response stating that by DoD regulation FOIA requests for contracts must contain a company name, contract number, or date. She is appealing, but this keyword limitation is something to keep in mind when formulating your request.
- Again, please avoid submitting a request that has already been sent through the MuckRock website!
"Copies of contracts with VUPEN Security and any final reports generated and delivered by VUPEN to the agency over the past 10 years. If retrieving the contracts themselves is too burdensome please provide a list of contracts."
Last month the NSA released documents regarding their records management practices. While these documents reveal a wealth of information for persons who submit FOIA requests, they also call into question our ability to effectively oversee the NSA’s activities when their record-keeping cycles are, in many circumstances, notably short.
Wish you were a little more organized? Have trouble finding that archived contract when you actually need it? Don’t feel too bad: The National Security Agency has the same problem, claiming that its contract database is stored manually and impossible to search by topic, category, or even by vendor in most cases.
Documents requested by Heather Akers-Healy from the National Security Agency show it had a contract with the French security researcher VUPEN, whose founder and CEO Chaouki Bekrar puckishly touts himself as the “Darth Vader of Cybersecurity.”