The firestorm of controversy

Transcription

1 US Government Eavesdropping on Electronic Communications: Where Are We Going? by konrad l. trope The firestorm of controversy from the June 2013 revelations by Edward Snowden of the unprecedented scope of government eavesdropping on electronic communications has enveloped people from all degrees of the political spectrum. Moreover, the controversy seems to keep growing with monthly, if not weekly, developments that keep fueling the maelstrom. Interestingly, it seems that most members of the public and the media perceived the eavesdropping or data-gathering activity by the National Security Agency (NSA) as the first indication of any large-scale telecommunication interception or telecommunication data gathering by the US government. Nothing could be further from the truth. Wiretapping by the federal government has been the subject of Supreme Court decisions dating back as far as By 1962, Congress established the core statutory basis for interception of telecommunications that continues to the present. Indeed, since 1994, Congress has passed additional critical legislation, which various agencies have implemented, that has greatly expanded the breadth and depth of government interception of private citizen communications. In short, the NSA is perhaps only the newest publicly identified player within the federal government s arsenal of telecommunication interception. Second, and related to the first, many articles and comments posted on the Internet indicate a lack of knowledge Konrad Trope is the managing shareholder of Centurion Law Group, P.C., located in Beverly Hills, California. Mr. Trope serves an international clientele focusing on technology, ecommerce, telecommunications, health care, and intellectual property matters. He currently is active with the Health Law and Life Sciences Committee and the Cyberspace Committee of the ABA Business Law Section. He formerly served as the chairman of the American Bar Association s Section of Science & Technology Law s VoIP Committee.

2 about the relationship between developing technologies in communication and the legislative and regulatory mandates implemented to access use those technologies for telecommunication interception. The purpose of this article is to provide a description of the recent expansion of electronic government eavesdropping. [For a brief history of government wiretapping along with an examination of government interception of private citizen communications, please visit our magazine website at org/publications/scitech_lawyer/web_ exclusives/government_eavesdropping_ communications_how_get_here.html.] The article then closes with a brief synopsis of recent developments and suggestions regarding where the debate between national security and information privacy seems to be heading. Expansion of Government Eavesdropping A new method of communicating is creating intriguing services that beat old ways of sending information. But law enforcement makes a somber claim: these new networks have become a boon to criminals and terrorists unless the US government can easily listen in. This was the position in the mid- 1990s when the Clinton administration supported and achieved the passage of the Communications Assistance Law Enforcement Act (CALEA), which is codified at 47 U.S.C. sections CALEA s purpose is to enhance the ability of law enforcement and intelligence agencies to conduct electronic surveillance by requiring that telecommunications carriers and manufacturers of telecommunications equipment modify and design their equipment, facilities, and services to ensure that they have built-in surveillance capabilities, allowing federal agencies to monitor all telephone, broadband Internet, and VoIP traffic in real-time. The original reason for adopting CALEA was the Federal Bureau of Investigation s (FBI) worry that increasing use of digital telephone exchange switches would make tapping phones at the phone company s central office harder and slower to execute or (in some cases) impossible. Because the original requirement to add CALEAcompliant interfaces required phone companies to modify or replace hardware and software in their systems, Congress included funding for a limited time to cover such network upgrades. CALEA was passed into law on October 25, 1994, and came into force on January 1, However, the FBI was not satisfied with just asking manufacturers and carriers to make their equipment CALEA compliant. By the mid-1990 s, the FBI foresaw the explosive growth of the Internet as a means by which criminals and terrorists could take advantage of and electronic communications. Thus, the FBI decided to develop its own system for monitoring the Internet called Carnivore. Carnivore, later renamed DCS1000, was a system designed to monitor and electronic communications. It used a customizable packet sniffer that can monitor all of a target user s Internet traffic. Carnivore was implemented in October Carnivore grew out of an earlier FBI project called Omnivore, which itself replaced an older surveillance tool migrated from the US Navy by FBI Director of Integrity and Compliance Patrick W. Kelley, which had a still undisclosed name. In September 1998, the FBI s Data Intercept Technology Unit (DITU) in Quantico, Virginia, launched a project to migrate Omnivore from Sun s Solaris operating system to a Windows NT platform. This was done to facilitate the miniaturization of the system and support a wider range of personal computer (PC) equipment. The resulting system was named Carnivore. The Carnivore system was a Microsoft Windows-based workstation with packet-sniffing software and a removable disk drive. This computer must be physically installed at an Internet service provider (ISP) or other location where it can sniff traffic on a LAN segment to look for messages in transit. The technology itself was not highly advanced it used a standard packet sniffer and straightforward filtering. The critical components of the operation were the filtering criteria. To accurately match the appropriate subject, an elaborate content model was developed. As the 21st century commenced, law enforcement and related agency authority to engage in data interception was greatly expanded. The USA PATRIOT Act, enacted following the attacks of September 11, 2001, made several changes to US law intended to combat terrorism. It expanded the ability of law enforcement agencies to search communications, medical, and financial records. It also extended the use of wiretaps to include Internet connections. Also, the Bush administration authorized the NSA to conduct warrantless domestic wiretaps in 2001, possibly earlier. This was first revealed in the media in The New York Times in December The FBI eventually dropped Carnivore in 2005, in favor of commercial software packages such as NarusInsight; frequent cooperation from ISPs often made the technology unnecessary anyway. Post-Carnivore Government Eavesdropping In the years since CALEA was passed, it has been greatly expanded to include all VoIP and broadband Internet traffic. From 2004 to 2007 there was a 62 percent growth in the number of wiretaps performed under CALEA and more than 3,000 percent growth in interception of Internet data such as . By 2007, the FBI had spent $39 million on its DCSNet system, which collects, stores, indexes, and analyzes communications data. State and federal authorities have had 30,975 wiretap requests authorized since 1968, with only 30 rejections, according to the Electronic Privacy Information Center. Some 1,710 wiretaps were authorized last year, the most ever, with zero denied. Since 1980, authorities also have been able to set secret wiretaps with the approval of the Foreign Intelligence Surveillance Court (FISC), which privacy watchdogs say requires a lower standard of evidence than the general warrant

3 process. For the first two decades, Foreign Intelligence Surveillance Act (FISA) orders numbered less than 1,000 annually; 2003 and 2004 each saw more than 1,700. Only four FISA applications have been rejected, all in In addition, during the first decade of the 21st century, Congress has quietly expanded the authority of the NSA to engage in domestic surveillance. The Protect America Act of 2007 and FISA Amendments Act of 2008 extended the NSA s authority on domestic wiretaps. In order to take advantage of these expanded powers, the NSA established a system called Echelon that intercepted millions of international telephone calls and fed them into the agency s maw for analysis. Justifiably or not, each of these steps unsettled privacy activists. And it is that unease that colors the possible expansion of CALEA to include VoIP and broadband networks, as will be discussed below. Where Are We Today? Federal Government Seeks to Expand the Scope of CALEA It s now no secret that the NSA, the FBI, and the CIA engage in eavesdropping and interception of both foreign originating and domestic originating data and voice communications. The 2001 PATRIOT Act, which essentially expanded CALEA into all communications, was overwhelmingly renewed in With the press coverage of NSA interception activities, and despite intense public pressure, in July 2013 Congress rejected a proposal to prevent the NSA from collecting data on phone calls. However, giant data companies such as Facebook, Google, Yahoo, and Microsoft have recently been exposed by the NSA scandal as cooperating with the NSA and other agencies. This revelation has these megadata collectors eager to tell the extent of their cooperation to their customers, but Attorney General Eric Holder is refusing to allow such transparency to the general public. The Snowden revelations, from Spring and Summer 2013, have exposed that the NSA has a new top secret program called XKeyscore, which essentially makes available everything ever done on the Internet browsing history, searches, content of , online chats, even your metadata all at the tap of a keyboard But it doesn t stop there. A task force comprised of representatives from the US Department of Justice, the FBI, and other agencies have been pressing since January 2011 for amendments to future CALEA requests. CALEA (CALEA II) to make it easier for the government to eavesdrop, intercept, or wiretap a broader variety of communications going over the Internet, not just telephone calls. The Obama administration seeks to expand CALEA coverage to all services that enable communications. This would extend CALEA to cover a broad swath of nontraditional communications companies, particularly those on the Internet for example, and instant messaging providers, social networks, and peer-to-peer communications services like Skype Thus, the revisions being considered for expanding CALEA would greatly expand the types of businesses to which CALEA will apply. Currently, CALEA CALEA systems. applies only to telecommunications carriers, which the law defines as entities: (1) engaged in the transmission or switching of wire or electronic communications, or (2) providing commercial mobile service. 47 U.S.C. 1001(8). Under the substantial replacement arm the DOJ and FCC with significantly stronger enforcement powers. Although a carrier s failure to comply with CALEA is currently punishable by court and FCC fines, 18 U.S.C. 2522(c), In re CALEA and Broadband Access & Services, 21 F.C.C.R. 5360, 5390 (2006), the DOJ has traditionally not pressed the issue against carriers with faulty CALEA systems, preferring to preserve a working relationship in order to facilitate However, recent news reports have surfaced indicating that FBI officials have grown frustrated with CALEA system failures at two major carriers, and that the FBI s technical assistance budget spent to help carriers fix bugs in or retrofit their wiretapping systems is close to $20 million annually. Two specific proposals are circulating within the task force to address these issues: (1) retroactive fines on carriers; and (2) the ability to impose FBI engineering charges upon the carriers. These proposals signal that the DOJ will begin shifting to carriers more costs of technical CALEA compliance, which may force carriers to more proactively manage and update their Michael Sussmann, a former DOJ lawyer who advises communications providers, said that aspect of the plan appeared to be modeled on the British version of CALEA, the Regulation of Investigatory Powers Act of Foreign-based communications services that do business in the United States would be subject to the same procedures, and would be required to have a point of contact on domestic soil who could be served with a wiretap order, provision (SRP), the FCC may also designate as telecommunications carriers companies that provide a service that supplants a substantial portion of local telephone exchange service. Under this SRP authority, the FCC officials said. has designated broadband Internet providers and VoIP providers as telecommunications carriers, finding that they supplanted a user s need for a local telephone exchange service. See In re CALEA and Broadband Access & Services, 20 F.C.C.R (2005); American Council on Educ. v. FCC, 451 F.3d 226 (D.C. Cir. 2006) (upholding FCC s designation of broadband and VoIP providers) The proposed revisions would also this, Mr. Gidari said Albert Gidari Jr., who represents technology companies on law enforcement matters, criticized that proposal. He argued that if the United States started imposing fines on foreign Internet firms, it would encourage other countries, some of which may be looking for political dissidents, to penalize American companies if they refused to turn over users information. We ll look a lot more like China than America after

4 National Security or Mediocre Security With greater ability for the government to eavesdrop or intercept, the less secure the data transmissions are from interception by nongovernment sources. With industrial espionage at an all-time high, it seems incredulous that the FBI wants a more open system for eavesdropping on the Internet, but still believes that it can still secure the US part of the World Wide Web from thirdparty interception. The public tends to forget that with CALEA-compliant equipment being sold overseas as well as domestically, criminals have now expanded their enterprises to include industrial espionage through data interception. There were public scandals about such activities in Greece in 2005 and Italy in In 2012, every phone switch sold to the Department of Defense had security vulnerabilities in its surveillance system. In May 2012, Chinese hackers breached Google s system, revealing Google s protocols for providing surveillance data to the FBI. Obama Administration s Responses to Snowden Revelations/Criticism The Snowden revelations have embarrassed and pushed the Obama administration into a delicate debate between advocates of a strong national security policy and advocates of citizen privacy in accordance with the Fourth Amendment. Indeed, on August 9, 2013, President Obama held a press conference in which he refused to curtail secret surveillance efforts. Nevertheless, he conceded the need for greater openness and safeguards to make the public comfortable with them. The president also stated that he wanted to work with Congress to improve the oversight and auditing of the NSA program so that public confidence was improved in how the data gathered is being used. Moreover, in response to the firestorm over the Snowden/NSA scandal, the Obama administration, in August 2013, also released a 22-page unclassified white paper explaining in greater detail why the government believes that its bulk collection of domestic phone logs and related metadata is lawful. At the same time, the NSA released a seven-page paper outlining its role and authority for its activities. Concurrent with the announcements from the White House, the NSA also indicated, in August 2013, that it is creating a full-time civil liberties and privacy officer position. However, the NSA was silent about the scope of authority for this proposed civil liberties/privacy officer or when such a position would be actually created and funded. Furthermore, the Obama administration announced in August 2013 the creation of a task force that will include outside intelligence specialists and civil liberties advocates to advise the government about how to balance security and privacy as improving computer technology makes it possible to gather an expanding volume about people s private affairs. The task force is formally known as the Review Group on Intelligence and Communications Technology (RGICT). The August 2013 Obama Administration White Paper: Don t Be Alarmed? Since the revelations of massive illegal telephonic interception by the NSA by Edward Snowden, President Obama has at least visually taken several steps to try to assure other governments, as well as the public, that the United States, from here on, will be more transparent concerning interception of telephonic communications. On August 9, 2013, the Obama administration released a white paper concerning its telephone metadata collection program. The paper was supposed to explain the legal basis for the government s collection of information about all Americans phone calls. However, it appears that the release of the August 9th white paper raised more questions than it provided answers. As described earlier in this article, the increase in surveillance, especially by the NSA, was in large part justified by provisions contained in the PATRIOT Act. In addition, it has been revealed that the secretive FISC issues frequent, if not regular, orders to various phone carriers, directing them to send information about every single phone call made in this country time, length, recipient to the NSA on a weekly, if not daily, basis. The white paper sets forth this citation of authority. However, there are several issues that appear not to be discussed and are noticeably missing from the white paper. First, what other electronic data is the government collecting? The paper speaks of phone metadata being collected because the NSA finds such data relevant for filtering out and extrapolating previously unknown associations. However, what other types of personal information is being used and collected? Although medical and library records are not collected in bulk, what about credit card records, which the Wall Street Journal has reported are being gathered by the NSA? If the NSA is not gathering credit card data, who is to say that the IRS is not gathering such credit card data? The government appears to have cryptically denied reports of the NSA gathering such credit card information (because the NSA s mandate is limited to analyzing communications information), but such a prohibition doesn t apply to other agencies. Section 215 of the PATRIOT Act does permit requests for credit card records, and the IRS has reportedly been reviewing bulk credit card databases. It appears that the US government is using section 215 to collect massive amounts of protected telephone data, instead of pen register and trapand-trace orders. These orders allow the government to obtain information about phone calls without recording the content of the calls. Amendments to the PATRIOT Act make it considerably easier to obtain this information, as it relates to foreign intelligence. Regardless, Congress did establish a statutory protocol for intelligence agencies to obtain this type of information. Why did the administration reject it in favor of section 215 of the PATRIOT Act? Third, there seems to be little information about the Executive Branch s interpretation of the term relevance for its gathering of materials under section

5 215 of the PATRIOT Act, as this relates to an investigation concerning counterintelligence or counter-terrorism. There has not been a full delineation or recitation by the IRS on what is the scope and breadth of the term relevant as it applies to gathering of telephonic communications and related data. Furthermore, how is the administration defining an investigation? Under the PATRIOT Act, an order to gather information has to be part of an authorized investigation. However, what constitutes an authorized investigation? In fact, what metadata would be relevant to some aspect of that investigation? The white papers are totally silent on this issue. The Response From ISPs and Social Media Sites ISPs as well as social media services were keenly aware of US government eavesdropping long before the Snowden scandal. The US government, armed with subpoenas and requests under FISA, as well as court orders issued by the secret FISC, has imposed an ever-increasing load of customer data demands on various Internet service providers and social media services such as Twitter, Facebook, Google, and Microsoft. For instance, according to Twitter, Inc. s Transparency Report, the US government led the way among world governments by making 902 user information requests for 1,319 accounts since January The 902 requests made up 70 percent of all requests received by Twitter during that time period. Twitter tallies up the number of requests using information it receives from governments worldwide, usually in response to pending criminal investigations or copyright infringement notices. Nevertheless, the data provided by Twitter seems to parallel other requests issued to Google, Facebook, and Microsoft. For instance, in June 2013, Microsoft and Facebook agreed to a deal that would allow them to disclose FISA requests, but only if they combined those numbers with requests received from local, state, and federal law enforcement agencies and presented the number in a lump sum without breakdowns. Google refused to sign off on the deal, saying it should be allowed to publish FISA requests separately from general law enforcement requests. Google also announced in November 2013 that it was increasing its encryption of traffic flowing between its data centers, as a way to block interception by the US government and NSA. Indeed, this is not the first time Google has been targeted by a government seeking to intercept its communications. Google also suffered a hacking attack by the Chinese government in What is noteworthy is that, as these communications by Google are not considered to be telephone conversations, they would not fall within the mandate of CALEA. Thus, Google can rightfully say to the world that it is doing its best to make its network more secure, not only from Chinese or American government interception, but also from generalized forms of industrial espionage. However, the fact that Google can tighten up its encryption and openly claim to have a more secure network begs the question about US government mandates requiring that cellular or Internet communications be interceptable. Moreover, the extent to which Google can implement this announced policy remains to be seen. As discussed previously, the Obama administration s desire for CALEA II and for a broader reach into Internet communications factors into Google s plans. Proposals for Reforming US Government Eavesdropping In mid-december 2013, recommendations from the Presidential RGICT Task Force had been presented to the White House. Those recommendations were as follows: New constraints on the bulk collection of metadata on phone calls. This is a response to the ongoing, daily transmission of information about the calls an individual makes what phone numbers are involved, how long the call lasts to the NSA. The NSA claims the right to do so under section 215 of the PATRIOT Act, and the secret court that authorizes its spying (FISC) has agreed to it. This provision has increasingly come under fire, both for having walked up to (and maybe over) the line of the Fourth Amendment but also because there s little evidence that it has been effective in stopping terror acts. The proposed change appears to be that phone carriers would be required to maintain those records (which they already do) instead of regularly shipping them to the government. Changes to international surveillance. The ongoing revelations of NSA spying on foreign citizens and, to a greater extent, its surveillance of foreign leaders gave the Obama administration an enormous black eye in the wake of the Snowden leaks. We re not leaving it to Jim Clapper anymore, one official told the Times about foreign surveillance judgment calls, given how infrequently the agency has been challenged to weigh the intelligence benefits of its foreign collection operations against the damage that could be done if the programs were exposed. Introducing opposing lawyers at FISC hearings. Right now, the FISC hears only from one set of lawyers the government s when considering whether or not something should be allowed. The court insists that it applies pressure, but privacy advocates have called for including an opposing point of view. It appears that the panel will recommend doing so. Make the head of the NSA a civilian position. This proposal would move the military s Internet warfare division, the Cyber Command, out of the NSA, allowing the spy agency to be run by a civilian.

6 Separating the codemakers from codebreakers. One of the more alarming Snowden revelations was that the NSA was, on one hand, working to strengthen online security (to block hackers), while on the other hand working to undermine online encryption algorithms (to catch terrorists). One proposal would move the agency s encryption team away from the people working to undermine those tools. If all of these proposals were to be implemented, there s little question that the effect would be sweeping. However, the NSA and its advocates like Director of National Intelligence James Clapper will offer fierce resistance, and it s not clear how the president himself will respond. The Washington Post notes that the proposals, particularly the one about reforming phone records, will bolster ongoing congressional attempts to curtail the spying, but any such measures would also need to be signed into law by President Obama. A Federal Judge Declares the NSA Eavesdropping/Surveillance Program Unconstitutional Just as the Obama administration was navigating the NSA surveillance program debate with issuing a report of possible reforms, a federal judge in Washington, DC, on almost the same day in December 2013, ruled the NSA mass phone surveillance program as likely unconstitutional. See Klayman v. Obama, Memorandum Opinion, Docket Entry #48, Case # (D.D.C. December 16, 2013). In an issuing a restraining order in excess of 50 pages, US District Court Judge Richard Leon declared the NSA s bulk collection of metadata phone records of the time and numbers called without any disclosure of content apparently violates the Fourth Amendment s protections of citizen privacy. I cannot imagine a more indiscriminate and arbitrary invasion than this systematic and high-tech collection and retention of personal data on The progress of science in furnishing the Government with means of espionage is not likely to stop with wire-tapping. Ways may someday be developed by which the Government, without removing papers from secret drawers, can reproduce them in court, and by which it will be enabled to expose to a jury the most intimate occurrences of the home.... Can it be that the Constitution affords no protection against such invasions of individ virtually every citizen for purposes of querying and analyzing it without prior judicial approval, said Leon, an appointee of President George W. Bush. Surely, such a program infringes on that degree of privacy that the cellular networks. Founders enshrined in the Fourth Amendment It s no secret that the NSA, the FBI, and the CIA engage in eavesdropping and interception be thinking about of both foreign originating and domestic originating data and voice communications Despite issuing the injunction, Judge Leon has stayed enforcement of the injunction, while the parties appeal the decision, which likely will end up in the US Supreme Court Conclusion In closing, one needs to recognize that cellular telephone companies talk about having the fastest network or the network with the broadest coverage. These cellular companies never talk about having the most secure network or the most heavily encrypted network. To do so would put the cellular companies in direct violation of CALEA. However, it is more than a debate between national security and citizen privacy. Although CALEA imposes that telecommunication providers developing encryption standards set a lower bar for interception, these same cellular/internet networks are then open to interception or attack by foreign governments as well as by foreign corporations seeking to gain a competitive advantage in the world marketplace. Indeed, the global economy now obviously consists of law firms, health ual security? u care companies, insurance companies, and large marketing concerns that are gathering huge amounts of data and transmitting that data over cellular networks or discussing such data over If those networks are intentionally designed to be able to be intercepted by the US government, the Canadian government, or the other governments pursuant to various forms of a government-imposed communications assistance statute, those networks are not as secure as they could be, and thus are open to industrial cyberattack espionage. These are matters that every citizen, not just every attorney, needs to The actions and statements of the Obama administration, and the highly anticipated resolution of the Klayman case over whether the NSA data gathering program is constitutional, create a plethora of questions and few answers. However, this entire debate once again brings home the 1928 prophecy of Justice Brandeis in his dissent in the Olmstead wiretapping decision: Subtler and more far-reaching means of invading privacy have become available to the Government. Discovery and invention have made it possible for the Government, by means far more effective than stretching upon the rack, to obtain disclosure in court of what is whispered in the closet.