[syadasti]

The old

The new proposal:

http://judiciary.house.gov/hearings/pdf/Caproni02172011.pdf

As Online Communications Stymie Wiretaps, Lawmakers Debate Solutions
By CHARLIE SAVAGE
Published: February 17, 2011

WASHINGTON — Leading Democrats on the House Judiciary Committee on Thursday reacted skeptically to the idea of overhauling surveillance laws to make it easier to wiretap people who communicate online rather than by telephone, a major priority for the Federal Bureau of Investigation.

The lawmakers expressed their concerns at a House hearing devoted to a problem that law enforcement officials call “going dark” — investigators’ inability to carry out court-approved wiretap orders when the people who are the targets communicate using services that lack a surveillance capability.

The F.B.I. has been quietly laying the groundwork for years for a push to require Internet-based communications services — like Gmail, Facebook, Twitter, BlackBerry and Skype — to design their systems with a built-in way to comply with wiretap orders. On Thursday, the bureau made its first full airing of the “going dark” problem.

“Due to the revolutionary expansion of communications technology in recent years, the government finds that it is rapidly losing ground in its ability to execute court orders with respect to Internet-based communications,” said the F.B.I.’s general counsel, Valerie Caproni.

A 1994 law requires phone companies to build their networks with the capability of immediately starting to intercept a user’s communications when the company is presented with a wiretap order. But that law does not cover Internet-based communication providers.

As a result, while they, too, are subject to court wiretap orders, they are often unable to comply, for technical reasons, when presented with one.

Ms. Caproni stopped short of making any specific legislative proposal, saying that the Obama administration was still debating the issue internally. Last fall, The New York Times reported that law enforcement officials were developing a bill that would impose new regulations on Internet communications companies and phone and broadband carriers, making them easier to wiretap.

“We don’t have a specific request yet,” Ms. Caproni said. “The administration does not yet have a proposal. It is something that is actively being discussed within the administration, and I am optimistic that we will have a proposal in the near future.”

Still, Representative John Conyers Jr. of Michigan, the ranking Democrat on the Judiciary Committee, was one of several lawmakers who said he was likely to greet such a proposal with skepticism. Forcing Internet communications services to build in “back doors” for law enforcement surveillance, he said, would hamper innovation and create vulnerabilities for hackers and foreign governments to exploit.

“Requiring back doors in all communications systems by law runs counter to how the Internet works and may make it impossible for some companies to offer their services,” Mr. Conyers said.

Several lawmakers of both parties raised concerns about how such a mandate would affect the competitiveness of Internet companies that operate in the United States. Still, several Republicans suggested sympathy with law enforcement officials’ fear that changing technology could hamper their ability to investigate criminals and terrorists.

Ms. Caproni emphasized that the F.B.I. was not seeking new surveillance powers, but rather a way to keep its existing powers from eroding. She also said the F.B.I. was not seeking a decryption key that would allow the government to directly intercept and unscramble secure communications.

Rather, she said, the bureau hoped to require communication service providers to deploy, within their own systems, a wiretapping capability. The provider would have to be able to isolate, intercept and deliver to the government a particular user’s communications in response to a wiretap order.

Susan Landau, a Radcliffe Institute for Advanced Study fellow and former Sun Microsystems engineer, argued against building interception systems within a service, citing high-profile cases in which hackers exploited such mechanisms in Greece and Italy to illegally spy on politicians and other prominent people.

Ms. Caproni spoke with caution about several aspects of the F.B.I.’s broad goals that have attracted controversy. For example, law enforcement officials have said in the past that all companies that facilitate communications should be able to provide a plain-text version of messages in response to a wiretap order.

Such a mandate could require major changes for companies like Research in Motion, whose BlackBerry Enterprise Server system relays encrypted messages that the company says it cannot unscramble. Last year, Research in Motion came into conflict with several governments, including in India and the United Arab Emirates, over their inability to conduct surveillance of messages sent via its encrypted service.

Asked about encryption, Ms. Caproni said that if a provider encrypted communications but had the ability to decrypt them, then it should be required to give law enforcement unscrambled versions. And she said that if an individual encrypted his own communications, investigators would have to find some other way to monitor that person.

But crucially, she did not directly address whether a service provider should be allowed to encrypt a user’s communications in such a way that the provider is unable to unscramble them — even if a court orders it to do so.

The hearing came a day after the release of several hundred pages of internal F.B.I. documents showing that the bureau has been working with great urgency to push to change legislation for years. The documents were obtained under the Freedom of Information Act by the Electronic Frontier Foundation, an Internet freedom advocacy group.

The documents shed new light on how the F.B.I.’s interest in the “going dark” problem predates the Obama administration. The bureau commissioned a study from the RAND Corporation and Booz Allen Hamilton several years ago, and it conducted surveys of law enforcement officials seeking examples of encountering obstacles to carrying out wiretap orders.

One such document redacted a legislative proposal for the “going dark” surveillance issue. But beneath it, a related proposal was left uncensored: electronic communications service providers, it said, should be required “to retain for two years records showing the origination and termination of communications.”

Currently, law enforcement agencies are able to obtain such records only if the provider has chosen to preserve them for its own purposes, like billing.
A version of this article appeared in print on February 18, 2011, on page A15 of the New York edition.

See also EFF article and ACLU petition:

https://www.eff.org/deeplinks/2011/02/newly-released-documents-detail-fbi-s-plan-expand

The Obama administration is seeking to expand the government’s ability to conduct invasive surveillance online, according to The New York Times. The report says the administration is expected to submit legislation to Congress early this year that would mandate that all online communications services use technologies that would make it easier for the government to collect private communications and decode encrypted messages that Americans send over texting platforms, BlackBerries, social networking sites and other “peer to peer” communications software.

The administration has argued that it is simply hoping to emulate the Communications Assistance to Law Enforcement Act (CALEA), which mandated that telephone companies rework their networks to be wiretap-ready. The administration’s proposal, however, differs from CALEA as it would require reconfiguring of the Internet to provide easier access to online communications. This is particularly problematic because many of the privacy protections that governed the government’s wiretapping powers when CALEA passed in 1994 no longer exist or have been significantly weakened.

For example, Congress has granted the executive branch virtually unchecked power to conduct dragnet collection of Americans' international e-mails and telephone calls without a warrant or suspicion of any kind under the FISA Amendments Act of 2008 (FAA). The ACLU and the New York Civil Liberties Union filed a lawsuit in July 2008 challenging the unconstitutional law, and the case is currently on appeal before the U.S. Court of Appeals for the Second Circuit. A proposal expanding CALEA to online communications would provide the apparatus for the government to implement its overbroad surveillance authority.

Tell congress to reject the Obama administration’s proposal to make the Internet wiretap ready.

https://secure.aclu.org/site/Advocacy?cmd=display&page=UserAction&id=2853&s_src=UNW110001ACT&s_subsrc=110218_calea_fb

Stolen from JBP:

Americans - the people as much as their leaders - are so busy dismantling the social, political and economic foundations of their former greatness that they are unable to see how much they have become like the stereotype of the traditional Middle Eastern society...http://english.aljazeera.net/indepth/opinion/2011/02/201122518445333563.html

 

[narlus]

narus is too close to narlus for my google alerts.

 

[MikeD]

I've got little issue with lawful surveillance, obviously, but I think a mandate to design communication systems for the convenience of law enforcement is un-American.

I also think law enforcement has an absolute right to take advantage of third-party stored communications. Your email or SMS are NOT private, since you send the content of your communicatiion through a provider which must necessarily retain these communications as part of the function of the communications system. Fundamentally different than phone conversations, in which case the stored communication is the register of caller/called/duration. VOIP follows the telephone model, though, in my non-techy understanding of it.

 

[syadasti]

I've got little issue with lawful surveillance, obviously, but I think a mandate to design communication systems for the convenience of law enforcement is un-American.

Also making Internet security inherently flawed means you'll get more security problems - Wikileaks, hacking, etc will all occur more often.

I also think law enforcement has an absolute right to take advantage of third-party stored communications. Your email or SMS are NOT private, since you send the content of your communicatiion through a provider which must necessarily retain these communications as part of the function of the communications system. Fundamentally different than phone conversations, in which case the stored communication is the register of caller/called/duration. VOIP follows the telephone model, though, in my non-techy understanding of it.

As long as they have a warrant. They should never have the ability to monitor all communications regardless of a warrant which is what the current system can do and the reason for the retroactivity immunity for the telcos was passed by Congress in 2008. There is no reason to expand law enforcement tools when they are illegal and costly in many ways.

 

[MikeD]

As long as they have a warrant. They should never have the ability to monitor all communications regardless of a warrant which is what the current system can do and the reason for the retroactivity immunity for the telcos was passed by Congress in 2008. There is no reason to expand law enforcement tools when they are illegal and costly in many ways.

No. Warrants are required when privacy is violated. There is no privacy in third-party records; that's the point of what I said.

However, if the third party doesn't wish to reveal information--which is its right--the government must obtain a court order or subpoena to compel the involuntary release of this information.

Interception of protected communications in transit, of course, does require a warrant.

(heh. I said "involuntary release.")

 

[syadasti]

No. Warrants are required when privacy is violated. There is no privacy in third-party records; that's the point of what I said.

However, if the third party doesn't wish to reveal information--which is its right--the government must obtain a court order or subpoena to compel the involuntary release of this information.

Interception of protected communications in transit, of course, does require a warrant.

(heh. I said "involuntary release.")

Actually the whole point of the retroactive immunity was to protect telcos from fines - they broke the law. The warrantless wiretapping on the provider system was illegal and very costly without the immunity (up to $10K/per violation - millions of violations).

Warrantless wiretapping by the National Security Agency (NSA) was revealed publicly in late 2005 by The New York Times[2] and then discontinued in January 2007. See Letter from Attorney-General Alberto Gonzalez to Senators Patrick Leahy and Arlen Specter, CONG. REC. S646-S647 (Jan. 17, 2007).[3] Approximately forty lawsuits have been filed against telecommunications companies by groups and individuals alleging that the Bush administration illegally monitored their phone calls or e-mails.[4] Whistleblower evidence suggests that AT&T was complicit in the NSA's warrantless surveillance, which could have involved the private communications of millions of Americans.[5] The Foreign Intelligence Surveillance Act makes it illegal to intentionally engage in electronic surveillance under appearance of an official act or to disclose or use information obtained by electronic surveillance under appearance of an official act knowing that it was not authorized by statute; this is punishable with a fine of up to $10,000 or up to five years in prison, or both.[6] In addition, the Wiretap Act prohibits any person from illegally intercepting, disclosing, using or divulging phone calls or electronic communications; this is punishable with a fine or up to five years in prison, or both.

 

[MikeD]

Actually the whole point of the retroactive immunity was to protect telcos from fines - they broke the law. The warrantless wiretapping on the provider system was illegal and very costly without the immunity (up to $10K/per violation - millions of violations).

That doesn't have anything to do with third-party records or the lack of privacy therein...

You're talking about wiretapping, which is interception of protected communication in transit. I'm talking about disclosure of third-party records, which are not protected by the 4th amendment, but are generated as part of email correspondence.

I agree that warrants are and should be necessary for the government to access private information.

 

[syadasti]

Your point about the third party system records has nothing to do with the way the Narus system was implemented.

They still were able to wiretap everyone's email and phone communications. Groups and people were not suing over the records that those communications took place - they were suing over the real-time interception system (Narus deployments) being used on mass scale without a warrant.

Email messages are not stored in transit - they are stored in the sent folder of the sender and the recipient's inbox - both either local or on a server, depending the system. The government's implementation of the Narus system works by interception in transit - without a warrant - its illegal. They should not expand this ability to other communication protocols, its illegal and as you've said un-American.

"The (Narus) STA Platform consists of standalone traffic analyzers that collect network and customer usage information in real time directly from the message.... These analyzers sit on the message pipe into the ISP (internet service provider) cloud rather than tap into each router or ISP device" (Telecommunications magazine, April 2000). A Narus press release (1 Dec., 1999) also boasts that its Semantic Traffic Analysis (STA) technology "captures comprehensive customer usage data ... and transforms it into actionable information.... (It) is the only technology that provides complete visibility for all internet applications."

To implement this scheme, WorldNet's high-speed data circuits already in service had to be rerouted to go through the special "splitter" cabinet. This was addressed in another document of 44 pages from AT&T Labs, titled SIMS, Splitter Cut-In and Test Procedure, dated 01/13/03. "SIMS" is an unexplained reference to the secret room. Part of this reads as follows:

 

[Silver]

So just attach a small piece of medical record to each email you send. Voila, instant HIPAA violation.

 

[X3pilot]

So just attach a small piece of medical record to each email you send. Voila, instant HIPAA violation.

So, if I make "my dick is too small" my signature, would that count?

 

[Silver]

So, if I make "my dick is too small" my signature, would that count?

No, that's common knowledge, not a private matter.

 

[MikeD]

I never said Narus looked at third-party records.