FBI turns to broad new wiretap method

[Martin]

There goes our privacy...

http://news.zdnet.com/2100-9595_22-6154457.html

Quote:

FBI turns to broad new wiretap method
By Declan McCullagh, CNET News.com
Published on ZDNet News: January 30, 2007, 4:00 AM PT

FBI turns to broad new wiretap method The FBI appears to have adopted an invasive Internet surveillance technique that collects far more data on innocent Americans than previously has been disclosed.

Instead of recording only what a particular suspect is doing, agents conducting investigations appear to be assembling the activities of thousands of Internet users at a time into massive databases, according to current and former officials. That database can subsequently be queried for names, e-mail addresses or keywords.

Such a technique is broader and potentially more intrusive than the FBI's Carnivore surveillance system, later renamed DCS1000. It raises concerns similar to those stirred by widespread Internet monitoring that the National Security Agency is said to have done, according to documents that have surfaced in one federal lawsuit, and may stretch the bounds of what's legally permissible.

Call it the vacuum-cleaner approach. It's employed when police have obtained a court order and an Internet service provider can't "isolate the particular person or IP address" because of technical constraints, says Paul Ohm, a former trial attorney at the Justice Department's Computer Crime and Intellectual Property Section. (An Internet Protocol address is a series of digits that can identify an individual computer.)

That kind of full-pipe surveillance can record all Internet traffic, including Web browsing--or, optionally, only certain subsets such as all e-mail messages flowing through the network. Interception typically takes place inside an Internet provider's network at the junction point of a router or network switch.

The technique came to light at the Search & Seizure in the Digital Age symposium held at Stanford University's law school on Friday. Ohm, who is now a law professor at the University of Colorado at Boulder, and Richard Downing, a CCIPS assistant deputy chief, discussed it during the symposium.

In a telephone conversation afterward, Ohm said that full-pipe recording has become federal agents' default method for Internet surveillance. "You collect wherever you can on the (network) segment," he said. "If it happens to be the segment that has a lot of IP addresses, you don't throw away the other IP addresses. You do that after the fact."

"You intercept first and you use whatever filtering, data mining to get at the information about the person you're trying to monitor," he added.

On Monday, a Justice Department representative would not immediately answer questions about this kind of surveillance technique.

"What they're doing is even worse than Carnivore," said Kevin Bankston, a staff attorney at the Electronic Frontier Foundation who attended the Stanford event. "What they're doing is intercepting everyone and then choosing their targets."

When the FBI announced two years ago it had abandoned Carnivore, news reports said that the bureau would increasingly rely on Internet providers to conduct the surveillance and reimburse them for costs. While Carnivore was the subject of congressional scrutiny and outside audits, the FBI's current Internet eavesdropping techniques have received little attention.

Carnivore apparently did not perform full-pipe recording. A technical report (PDF: "Independent Technical Review of the Carnivore System") from December 2000 prepared for the Justice Department said that Carnivore "accumulates no data other than that which passes its filters" and that it saves packets "for later analysis only after they are positively linked by the filter settings to a target."

One reason why the full-pipe technique raises novel legal questions is that under federal law, the FBI must perform what's called "minimization."

Federal law says that agents must "minimize the interception of communications not otherwise subject to interception" and keep the supervising judge informed of what's happening. Minimization is designed to provide at least a modicum of privacy by limiting police eavesdropping on innocuous conversations.

Prosecutors routinely hold presurveillance "minimization meetings" with investigators to discuss ground rules. Common investigatory rules permit agents to listen in on a phone call for two minutes at a time, with at least one minute elapsing between the spot-monitoring sessions.

That section of federal law mentions only real-time interception--and does not explicitly authorize the creation of a database with information on thousands of innocent targets.

But a nearby sentence adds: "In the event the intercepted communication is in a code or foreign language, and an expert in that foreign language or code is not reasonably available during the interception period, minimization may be accomplished as soon as practicable after such interception."

Downing, the assistant deputy chief at the Justice Department's computer crime section, pointed to that language on Friday. Because digital communications amount to a foreign language or code, he said, federal agents are legally permitted to record everything and sort through it later. (Downing stressed that he was not speaking on behalf of the Justice Department.)

"Take a look at the legislative history from the mid '90s," Downing said. "It's pretty clear from that that Congress very much intended it to apply to electronic types of wiretapping."

EFF's Bankston disagrees. He said that the FBI is "collecting and apparently storing indefinitely the communications of thousands--if not hundreds of thousands--of innocent Americans in violation of the Wiretap Act and the 4th Amendment to the Constitution."

Marc Rotenberg, director of the Electronic Privacy Information Center in Washington, D.C., said a reasonable approach would be to require that federal agents only receive information that's explicitly permitted by the court order. "The obligation should be on both the (Internet provider) and the government to make sure that only the information responsive to the warrant is disclosed to the government," he said.

Courts have been wrestling with minimization requirements for over a generation. In a 1978 Supreme Court decision, Scott v. United States, the justices upheld police wiretaps of people suspected of selling illegal drugs.

But in his majority opinion, Justice William Rehnquist said that broad monitoring to nab one suspect might go too far. "If the agents are permitted to tap a public telephone because one individual is thought to be placing bets over the phone, substantial doubts as to minimization may arise if the agents listen to every call which goes out over that phone regardless of who places the call," he wrote.

Another unanswered question is whether a database of recorded Internet communications can legally be mined for information about unrelated criminal offenses such as drug use, copyright infringement or tax crimes. One 1978 case, U.S. v. Pine, said that investigators could continue to listen in on a telephone line when other illegal activities--not specified in the original wiretap order--were being discussed. Those discussions could then be used against a defendant in a criminal prosecution.

Ohm, the former Justice Department attorney who presented a paper on the Fourth Amendment, said he has doubts about the constitutionality of full-pipe recording. "The question that's interesting, although I don't know whether it's so clear, is whether this is illegal, whether it's constitutional," he said. "Is Congress even aware they're doing this? I don't know the answers."

FBI gotta be able to go after the hackers...

Homeland Insecurity: Hackers Strike DHS
Jun 20, 2007 Homeland Security Department Acknowledges Own Computer Break-Ins, Virus Outbreaks

Quote:

The Homeland Security Department, the lead U.S. agency for fighting cyber threats, suffered more than 800 hacker break-ins, virus outbreaks and other computer security problems over two years, senior officials acknowledged to Congress. In one instance, hacker tools for stealing passwords and other files were found on two internal Homeland Security computer systems. The agency's headquarters sought forensic help from the department's own Security Operations Center and the U.S. Computer Emergency Readiness Team it operates with Carnegie Mellon University.

In other cases, computer workstations in the Coast Guard and the Transportation Security Administration were infected with malicious software detected trying to communicate with outsiders; laptops were discovered missing; and agency Web sites suffered break-ins. The chairman of the House Homeland Security Committee, Rep. Bennie Thompson, D-Miss., said such problems undermine the government's efforts to encourage companies and private organizations to improve cyber security. "What the department is doing on its own networks speaks so loudly that the message is not getting across," Thompson said.

Congressional investigators, expected to testify Wednesday during an oversight hearing about the department's security lapses, determined that persistent weaknesses "threaten the confidentiality, integrity and availability of key DHS information and information systems," according to a new report from the Government Accountability Office being released later in June. The Homeland Security Department's chief information officer, Scott Charbo, assured lawmakers his organization was working to prevent such problems. "We need to increase our vigilance to ensure that such incidents do not happen again," Charbo wrote in testimony prepared for Wednesday's hearing. "The department takes these incidents very seriously and will work diligently to ensure they do not recur."

More ABC News: Homeland Insecurity: Hackers Strike DHS

See also:

This gonna put a dent in the Patriot Act...

Court: Constitution Protects Your E-Mails
June 20, 2007 - Court Grants E-Mail Users New Privacy Protections

Quote:

A federal court decision this week could give e-mail users broad new privacy protections against the government but may hamper criminal investigations, legal experts told ABC News. Monday, the Sixth Circuit Court of Appeals in Ohio held that Internet users had a reasonable expectation of privacy in the content of personal e-mails being stored by Internet service providers such as Yahoo! and Google.

It was the first federal appellate court decision to recognize a wide constitutional right to privacy in personal e-mails. Though the ruling only applies in the Sixth Circuit, if followed by other federal courts, the case could shift the debate in the unsettled area of Internet privacy law, lawyers said. The case is "a blockbuster decision," said Orin Kerr, a former trial lawyer with the Department of Justice's computer crimes division who now teaches at George Washington University School of Law. "It's a ringing endorsement of strong privacy protection in e-mail."

The three-person panel of the Sixth Circuit upheld a lower court order that found federal investigators in an Ohio fraud investigation had overstepped their constitutional power by obtaining e-mails from an Internet service provider without a warrant. "It goes without saying that like the telephone earlier in our history, e-mail is an ever-increasing mode of private communication, and protecting shared communications through this medium is as important to Fourth Amendment principles today as protecting telephone conversations has been in past," the court said.

'Back to the Drawing Board'

Trying to contain the leaks...

Congress: P2P networks harm national security
July 24, 2007, Politicians charged on Tuesday that peer-to-peer networks can pose a "national security threat" because they enable federal employees to share sensitive or classified documents accidentally from their computers.

Quote:

At a hearing on the topic, Government Reform Committee Chairman Henry Waxman (D-Calif.) said, without offering details, that he is considering new laws aimed at addressing the problem. He said he was troubled by the possibility that foreign governments, terrorists or organized crime could gain access to documents that reveal national secrets. Also at the hearing, Mark Gorton, the chairman of Lime Wire, which makes the peer-to-peer software LimeWire, was assailed for allegedly harming national security through offering his product.

The documents at risk of exposure supposedly include classified government military orders, confidential corporate-accounting documents, localized terrorist threat assessments, as well as personal information such as federal workers' credit card numbers, bank statements, tax returns and medical records, according to recent studies by the U.S. House of Representatives Committee on Oversight and Government Reform, the U.S. Patent and Trademark Office, and private researchers.

Evidence that sensitive information is accessible through peer-to-peer networks illustrates "the importance of strengthening the laws and rules protecting personal information held by federal agencies" and other organizations, said Rep. Tom Davis (R-Va.), the committee's ranking member, who has sponsored a bill that would impose new requirements on government agencies that discover security breaches. "We need to do this quickly." The politicians present Tuesday generally said they believe that there are benefits to peer-to-peer technology but that it will imperil national security, intrude on personal privacy and violate copyright law, if not properly restricted. Both Waxman and Rep. Paul Hodes (D-N.H.) dubbed P2P networks ongoing national security threats.

MORE

[waltky]

Fearless W pushin' for more surveillance of terrorists...

Bush Urges Action on Terrorist Surveillance Legislation
01 August 2007 - President Bush is urging the U.S. Congress to move quickly to rewrite rules for terrorist surveillance.

Quote:

White House Spokesman Tony Snow says reforming the current terrorist surveillance law, the 30-year-old Foreign Intelligence Surveillance Act (FISA) - is a top priority for the administration. "Prior to recess, probably the most important short-term goal for Congress, a requirement really, is to reform the FISA law," he said. Under current law, the government must get a warrant from a special court before it can conduct surveillance on communications between people in the United States and contacts abroad believed to have terrorist ties.

Snow argues the law was drafted decades before the September 11, 2001 terrorist attacks on the United States, and predated the advent of cellphones and e-mail. He says it is time to reduce constraints on the government's ability to conduct wiretaps without prior court approval. "It is absolutely vital at the time of a heightened threat environment to realize the present system simply is not as responsive as it needs to be in terms of providing the flexibility and speed in acting on actionable intelligence," he said.

The president personally made the case for change to congressional leaders Wednesday during a private meeting at the White House. After the session, the top Democrats told reporters they will do all they can to bring the issue up for a vote as soon as possible.

More VOA News - Bush Urges Action on Terrorist Surveillance Legislation

See also:

Judge ruled against NSA surveillance in US
Thursday 2nd August 2007 - The Bush administration's attempt to change laws governing wiretapping by US spies was prompted by a defeat in the FISA secret star-chamber court, it has emerged.

Quote:

Newsweek reporters Michael Isikoff and Mark Hosenball, quoting an unnamed legal source "who has been briefed on the order", revealed yesterday that a FISA(Foreign Intelligence Surveillance Act) judge has refused to renew a warrant for at least part of the National Security Agency (NSA) mass surveillance programme. Originally, in the aftermath of 9/11, the President's men claimed that the executive branch needed no judicial or legislative approval for its actions.

Even the compliant dial-a-judges of the star-chamber weren't consulted, and no provision for mass domestic surveillance was requested in the already draconian post-9/11 Patriot Act. Since the matter became public knowledge, however, parts of the NSA campaign have been placed under FISA review: and this has led to some activities being blocked. Hints of the spooks' clash with the star-chamber beaks emerged this week in a Fox News interview with Congressional Republican leader John Boehner.

"There's been a ruling, over the last four or five months, that prohibits the ability of our intelligence services and our counterintelligence people from listening in to two terrorists in other parts of the world where the communication could come through the United States," Boehner told the Fox anchor. Now there's confirmation that it was, in fact, an FISA judge who issued that ruling, and that it was this judicial decision which had led the Bush administration to push for changes in the law.

More Judge ruled against NSA surveillance in US | The Register

[waltky]

Is There No Way to Escape Hackers?

Experts: Nothing Is 100 Percent Secure
Aug. 7, 2007 - With the Right Resources, Any Entity Can Monitor What You Do Online

Quote:

You can install all the computer virus protection software you want, but if someone is determined to find out who you're e-mailing, technically they can, security experts say. And that may be particularly true if that someone -- or something -- is the federal government.

"There's a lot you can do to make it hard," said Charles Miller, the principal security analyst at Independent Security Evaluators, a Maryland-based firm that successfully took over the iPhone a few weeks ago, prompting Apple to release a security patch last week. "If they have the resources of the federal government, they're going to be able to see [what you do] no matter what you do."

On Monday, President Bush signed into law an expansion of the Foreign Intelligence Surveillance Act, or FISA, which gives the government expanded rights to intercept phone calls and e-mails without warrants as long as the information being intercepted relates to foreign terror intelligence. Democrats and some civil liberties groups have said that the law goes too far.

MORE

[waltky]

FISA unnecessary?...

FISA Law Irrelevant and Unconstitutional, Critics Say
October 31, 2007 - When the U.S. Supreme Court said in 1967 that the 4th Amendment protects telephone conversations in a phone booth from surveillance without a warrant, Justice Potter Stewart said in the majority opinion that the ruling did not address "a situation involving national security."

Quote:

The following year, when Congress crafted a bill to comply with the court ruling on surveillance, the language said nothing in the new rules "shall limit the constitutional power of the president to take such measures as he deems necessary to protect the nation against actual or potential attack or other hostile acts of a foreign power, to obtain foreign intelligence information deemed essential to the security of the United States or to protect national security information." In fact, Presidents Jimmy Carter and Bill Clinton both utilized warrantless wiretapping against U.S. citizens on American soil to protect national security, and few people cried foul.

Still, warrantless surveillance of international communications has been a raging controversy in the nation's capital for more than a year, as Congress has argued over how to hold the Bush administration accountable to the Foreign Intelligence Surveillance Act (FISA), passed in 1978 to require a judicial review prior to surveillance done within the United States for national security reasons. The latest dust-up over FISA came after revelations that the National Security Agency had collected data on suspected communications to and from the United States with suspected terrorists abroad.

On Wednesday, the Senate Judiciary Committee will hold a hearing on a proposal to expand the surveillance powers of the executive branch while also granting immunity to telecommunications companies. However, scholars and lawmakers question whether warrants - required under the Fourth Amendment to the Constitution - apply to national security matters and if FISA is even constitutional given past legal precedent.

Besides the 1967 ruling in Katz v. United States , the high court also issued a notable ruling in United States v. United States District Court , better known as the "Keith decision." In this case, the court ruled the Fourth Amendment applied to the surveillance of a domestic terrorist group, but the decision went on to say, "We have not addressed and express no opinion as to the issue which may be involved with respect to activities of foreign powers and their agents."

The decision not to rule on foreign surveillance affirms the 1968 congressional action that put intelligence-gathering in the hands of the executive branch, said Robert F. Turner, co-founder of the Center for National Security Law at the University of Virginia School of Law. Besides the Katz and Keith rulings, the court opted not to consider four other cases regarding foreign surveillance - in effect upholding their earlier rulings.

MORE

[waltky]

Feds appeal Patriot Act case...

Feds Fight Ruling on Patriot Act
Tuesday, Nov. 06, 2007— The U.S. government on Monday appealed a ruling that it shouldn't be able to get personal phone, e-mail and financial records without a judge's approval, as now allowed under the USA Patriot Act.

Quote:

The decision to appeal the September ruling by U.S. District Judge Victor Marrero prompted the American Civil Liberties Union to put out a release quoting the unidentified plaintiff in the lawsuit. Identified only as the president of a small Internet service provider who has faced a gag order for more than three years, the plaintiff complained that the statutes in the act "give the government far too much power and that the secrecy surrounding the statutes is excessive."

The Patriot Act prevents Internet service providers and others from telling their customers — here or abroad, citizens or not — if the government has demanded private information from them. The law also lets the government, by means of a so-called national security letter, or NSL, to impose gag orders that prevent the recipients of the letters from acknowledging the probes.

That provision makes "it difficult or impossible for people like me — people who have firsthand experience with the NSL statute — to discuss their specific concerns with the public, the press and Congress," the plaintiff, called John Doe by his lawyers, said in the press release. In March, the government released a report showing the FBI issued approximately 8,500 national security letter requests in 2000, the year before the passage of the Patriot Act. The number of requests rose to 39,000 by 2003 and to 56,000 in 2004 before falling to 47,000 in 2005. Most of the requests sought telephone billing records, telephone or e-mail subscriber information or electronic communication transactional records.

MORE

[waltky]

FISA change up for vote...

House to Vote on Eavesdropping Bill
WASHINGTON Nov 15, 2007 - House Democrats are hoping changes they made to a bill to expand court oversight of government surveillance inside the United States will find enough to support to win passage on a second try.

Quote:

A vote was expected Thursday on the second attempt in a month to amend the Foreign Intelligence Surveillance Act, which dictates when the government must obtain court permission to carry out electronic eavesdropping. Last month House Republicans used a procedural maneuver to force the withdrawal of a similar bill just before a vote. Democratic aides think the small changes they made in the bill since then will garner majority approval and protect the bill from a similar fate.

The Democratic bill lacks one key feature President Bush is insisting on: legal immunity for telecommunications companies alleged to have secretly helped the government monitor Americans' phone calls and e-mails without court permission. About 40 civil lawsuits have been filed against telecom companies, alleging they broke wiretapping and privacy laws, and the White House has threatened to veto any surveillance bill that does not protect the companies. The White House contends lawsuits could bankrupt the companies and reveal classified information.

The House bill would allow unfettered telephone and e-mail surveillance of foreign intelligence targets, but would require special authorization if the foreign targets are likely to be in contact with people inside the United States - a provision designed to safeguard Americans' privacy. The special authorization is called a "blanket warrant," and would allow the government to obtain a single order authorizing the surveillance of multiple targets.

More My Way News - House to Vote on Eavesdropping Bill

Update:

U.S. House passes bill to strengthen oversight on gov't's surveillance program
Nov. 15, 2007 -- The U.S. House of Representatives Thursday passed a bill that would strengthen court oversight of the government's surveillance program but not grant legal immunity to telecommunication companies that helped in the program.

Quote:

With a vote of 227 in favor and 189 against, House Democrats pushed the bill through, in defiance of President George W. Bush's earlier threat to veto any legislation that does not provide telecom companies with legal immunity. House Judiciary Committee Chairman John Conyers, a Democrat, urged the Bush administration to first give Congress access to classified documents specifying how the telecom companies were involved in the surveillance program.

The Bush administration has demanded that authorities monitor foreign communications with Americans without first applying for court warrants, as long as the American intelligence service is not the intended target of surveillance. By contrast, the newly passed bill requires that the government can only conduct surveillance on telephone calls and e-mails of foreign intelligence targets that are likely to be in contact with people inside the United States after it gets special court authorization.

The special authorization is called a "blanket" or "umbrella" warrant that would let the government obtain a single order to authorize the surveillance of multiple targets, but Republicans criticized the warrant for impeding security agents' abilities to collect intelligence about terrorist suspects.

Source

[waltky]

Ma Bell trumps John Law...

FBI wiretaps lost over its unpaid bills
WASHINGTON, Jan. 10, 2008 -- Telephone companies have terminated FBI wiretaps used to eavesdrop on suspected criminals because the bureau failed to pay the bills on time.

Quote:

An audit by the Justice Department Inspector General Glenn Fine also found that more than half of the nearly 1,000 telecommunications bills reviewed by investigators were not paid on time, The Washington Post reported Thursday.

"Late payments have resulted in telecommunications carriers actually disconnecting phone lines established to deliver surveillance results to the FBI, resulting in lost evidence," Fine wrote in a seven-page summary of the audit's findings released Thursday.

In one FBI office alone, unpaid costs for wiretaps from one telephone company totaled $66,000, according to audit results, the newspaper reported. FBI Assistant Director John Miller said in a statement that "there is widespread agreement that the current (agency) financial management system, first introduced in the 1980s, is inadequate."

The seven-page document issued Thursday was only a summary of the Justice Department inspector general's 87-page audit, which is classified and unavailable to the public.

Source

[waltky]

Liability protection for companies?...

A Key Gap In Fighting Terrorism
Friday, February 15, 2008; Private Firms Need Liability Protection

Quote:

One of the most critical weapons in the fight against terrorists and other foreign intelligence threats -- the Foreign Intelligence Surveillance Act (FISA) -- has not kept up with the technology revolution we have experienced over the past 30 years. We are on the brink of bringing this 20th-century tool in line with 21st-century technology and threats. The Senate has passed a strong bill, by an overwhelmingly bipartisan margin, that would modernize FISA and do the right thing for those companies that responded to their country's call for assistance in its hour of need. It would also protect the civil liberties we Americans cherish. The bill is now before the House of Representatives.

For almost two years, we have worked with Congress to modernize FISA and ensure that the intelligence community can effectively collect the information needed to protect our country from attack -- a goal that requires the willing cooperation of the private sector. Unfortunately, there were significant gaps in our ability to collect intelligence on terrorists and other national security threats because the 1978 law had not been modernized to reflect today's global communications technology.

The Protect America Act, passed by Congress last August, temporarily closed the gaps in our intelligence collection, but there was a glaring omission: liability protection for those private-sector firms that helped defend the nation after the Sept. 11 attacks. This month, I testified before Congress, along with the other senior leaders of the intelligence community, on the continuing threats to the United States from terrorists and other foreign intelligence targets. We stated that long-term legislation that modernized FISA and provided retroactive liability protection was vital to our operations. The director of the FBI told the Senate that "in protecting the homeland it's absolutely essential" to have the support of private parties.

MORE