Tag: wiretaps

What the Manual by DOJ’s Top Intelligence Lawyer Says About the FISA Amendments Act

To a casual observer, debates about national security spying can seem like a hopeless game of he-said/she-said. Government officials and congressional surveillance hawks characterize the authorities provided by measures like the FISA Amendments Act of 2008 in one way, while paranoid civil libertarians like me tell a more unsettling story. Who can say who’s right?

Fortunately, there is an authoritative unclassified source that explains what the law means: the revised 2012 edition of National Security Investigations and Prosecutions by David S. Kris (who headed the Justice Department’s National Security Division from 2009–2011) and J. Douglas Wilson. As the definitive (unclassified) treatise on what foreign intelligence surveillance law says, means, and permits, it’s the same resource you’d expect the government attorneys who apply for surveillance authority to consult for guidance on what the law does and doesn’t allow spy agencies to do. Let’s see what it says about the scope of surveillance authorized by the FAA:

[The FAA’s] certification provision states that the government under Section 1881a is “not required to identify the specific facilities, places, premises, or property at which an acquisition … will be directed or conducted.” This is a significant grant of authority, because it allows for authorized acquisition—surveillance or a search—directed at any facility or location. For example, an authorization targeting “al Qaeda”—which is a non-U.S. person located abroad—could allow the government to wiretap any telephone that it believes will yield information from or about al Qaeda, either because the telephone is registered to a person whom the government believes is affiliated with al Qaeda, or because the government believes that the person communicates with others who are affiliated with al Qaeda, regardless of the location of the telephone. Unless the FISC attempts to address the issue under the rubric of minimization, no judge will contemporaneously review the government’s choice of facilities or places at which to direct acquisition. [….] Review of the certification is limited to the question “whether [it] contains all the required elements”; the FISC does not look behind the government’s assertions. Thus, for example, the FISC could not second-guess the government’s foreign intelligence purpose of conducting the acquisition, as long as the certification in fact asserts such a purpose.

Got that? The requirement that surveillance have a foreign “target” is satisfied if the general purpose of a wiretap program is to gather information about a foreign group like al Qaeda, and it employs procedures designed for that purpose. It does not mean that the particular phone numbers or e-mail accounts or other “facilities” targeted for surveillance have to belong to a foreigner: those could very well belong to an American citizen located within the United States, and no court or judge is required to approve or review the choice of which individuals to tap.

Kris and Wilson elaborate in a discussion of surveillance under the Protect America Act, the stopgap legislation that preceded the FAA, explaining how the language of the law could be exploited to conduct what most of us would think of as domestic surveillance despite the nominal requirement of a “foreign” target:

The concern was that the government could be said to “direct” surveillance at the entity abroad, but still monitor communications on a facility used (or used exclusively) by an individual U.S. person in this country. Indeed, the government in the recent past had taken the position that surveillance of a U.S. person’s home and mobile telephones was “directed at” al Qaeda, not at the U.S. person himself. Applied to the PAA, this logic seemed to allow surveillance of Americans’ telephones and e-mail accounts, inside the United States, without adherence to traditional FISA, as long as the government could persuade itself that the surveillance was indeed “directed” at al Qaeda or another foreign power that was reasonably believed to be abroad. When confronted with these concerns the government explicitly equated the PAA’s “directed at” standard with FISA’s “targeting” standard, meaning that acquisition was “directed” at an entity when the government was trying to acquire information from or about that entity.

More importantly for present purposes, the government’s equation of the “targeting” and “directed at” standards meant that concerns raised about the PAA applied equally to the FAA, which (as discussed above) authorizes acquisition “targeting” a “person” reasonably believed to be abroad, and explicitly adopts traditional FISA’s broad definition of the term “person.” The concern was that the government could use Section 1881a for an acquisition “targeting” al Qaeda, but “directed” at a facility or place used (or used exclusively) by John Smith, a U.S. person located in the United States, for Smith’s domestic communications. [Emphasis added.]

As Kris and Wilson note, Congress ultimately added a further limitation designed to allay such concerns, but it did not do so by prohibiting any flagging of Americans’ e-mail accounts or phone lines for interception and recording without a warrant. That is still allowed—though “minimization procedures” are then supposed to limit the retention and use of such information.

What Congress prohibited instead was the use of FAA surveillance to “intentionally acquire any communication as to which the sender and all intended recipients are known at the time of acquisition to be located in the United States.” But as Kris and Wilson point out, this restriction “is imperfect because location is difficult to determine in the modern world of communications, and the restriction applies only when the government ‘knows’ that the communication is domestic.”

So to review: under the FAA, a court approves general procedures for surveillance “targeting” a foreign group. But the court does not approve or (necessarily) review any intelligence agency’s own discretionary determination about which specific people’s e-mail addresses, phone lines, or online accounts should be flagged for interception in order to gather information about that foreign group. The government’s past arguments indicate that it believes it may spy on the accounts or phones of individual American citizens located in the United States under an authorization to gather information about a foreign “target.” All the law requires is that they not intentionally record the American’s calls and e-mails when they are known in advance to be to or from another American.

Remember: this isn’t my interpretation of the law. This isn’t speculation from someone at the American Civil Liberties Union or the Electronic Frontier Foundation about how the government might try to read the statute. This is a legal reference text written by the lawyer who, until quite recently, ran the show at DOJ when it came to FISA surveillance. The next time you hear a member of Congress declare that the FAA has nothing to do with eavesdropping on Americans, ask yourself who is more likely to have an accurate understanding of what the law really says.

Three Lessons from the Increasingly Irrelevant Annual Wiretap Report

The 2011 Wiretap Report was released this weekend, providing an overview of how federal and state governments used wiretapping powers in criminal investigations. (Surveillance for intelligence purposes is covered in a separate, far less informative report.) There’s plenty of interesting detail, but here’s the bottom line:

After climbing 34 percent in 2010 the number of federal and state wiretaps reported in 2011 decreased 14 percent. A total of 2,732 wiretaps were reported as authorized in 2011, with 792 authorized by federal judges and 1,940 authorized by state judges…. Compared to the numbers approved during 2010 the number of applications reported as approved by federal judges declined 34 percent in 2011, and the number of applications approved by state judges fell 2 percent. The reduction in wiretaps resulted primarily from a drop in applications for narcotics.

So is the government really spying on us less? Is the drug war cooling off? Well, no, that’s lesson number one: Government surveillance is now almost entirely off the books.

The trouble, as Andy Greenberg of Forbes explains, is that we’ve got analog reporting requirements in a digital age. The courts have to keep a tally of how often they approve traditional intercepts that are primarily used to pick up realtime phone conversations—96 percent of all wiretap orders. But phone conversations represent an ever-dwindling proportion of modern communication, and police almost never use a traditional wiretap order to pick up digital conversations in realtime. Why would they? Realtime wiretap orders require jumping all sorts of legal hurdles that don’t apply to court orders for stored data, which is more convenient anyway, since it enables investigators to get a whole array of data, often spanning weeks or months, all at once. But nobody is required to compile data on those types of information requests, even though they’re often at least as intrusive as traditional wiretaps.

From what information we do have, however, it seems clear that phone taps are small beer compared to other forms of modern surveillance. As Greenberg notes, Verizon reported fielding more than 88,000 requests for data in 2006 alone. These would have ranged from traditional wiretaps, to demands for stored text messages and photos, to “pen registers” revealing a target’s calling patterns, to location tracking orders, to simple requests for a subscriber’s address or billing information. Google, which is virtually unique among major Internet services in voluntarily disclosing this sort of information, fielded 12,271 government requests for data, and complied with 11,412 of them. In other words, just one large company reports far more demands for user information than all the wiretaps issued last year combined. And again, that is without even factoring in the vast amount of intelligence surveillance that occurs each year: the thousands of FISA wiretaps, the tens of thousands of National Security Letters (which Google is forbidden to include in its public count) and the uncountably vast quantities of data vacuumed up by the NSA. At what point does the wiretap report, with its minuscule piece of the larger surveillance picture, just become a ridiculous, irrelevant formality?

Lesson two: The drug war accounts for almost all criminal wiretaps. Wiretaps may be down a bit in 2011, but over the long term they’ve still increased massively. Since 1997, even as communication has migrated from telephone networks to the internet on a mass scale, the annual number of wiretaps has more than doubled. And as this handy chart assembled by security researcher Chris Soghoian shows, our hopeless War on Drugs is driving almost all of it: for fully 85 percent of wiretaps last year, a drug offense was the most serious offense listed on the warrant application—compared with “only” 73 percent of wiretaps in 1997. Little surprise there: when you try to criminalize a transaction between a willing seller and a willing buyer, enforcement tends to require invasions of privacy. Oddly, law enforcement officials tend to gloss over these figures when asking legislators for greater surveillance authority. Perhaps citizens wouldn’t be as enthusiastic about approving these intrusive and expensive spying powers if they realized they were used almost exclusively to catch dope peddlers rather than murderers or kidnappers.

Speaking of dubious claims, lesson three: The encryption apocalypse is not nigh. As those of you who are both extremely nerdy and over 30 may recall, back in the 1990s we had something called the “Crypto Wars.” As far as the U.S. government was concerned, strong encryption technology was essentially a military weapon—not the sort of thing you wanted to allow in private hands, and certainly not something you could allow to be exported around the world. Law enforcement officials (and a few skittish academics) warned of looming anarchy unless the state cracked down hard on so-called “cypherpunks.” The FBI’s Advanced Telephony Unit issued a dire prediction in 1992 that within three years, they’d be unable to decipher 40 percent of the communications they intercepted.

Fortunately, they lost, and strong encryption in private hands has become the indispensable foundation of a thriving digital economy—and a vital shield for dissidents in repressive regimes. Frankly, it would probably have been worth the tradeoff even if the dire predictions had been right. But as computer scientist Matt Blaze observed back when the 2010 wiretap report was released, Ragnarok never quite arrives. The latest numbers show that investigators encountered encryption exactly 12 times in all those thousands of wiretaps. And how many times did that encryption prevent them from accessing the communication in question? Zero. Not once.

Now, to be sure, precisely because police seldom use wiretap orders for e-mail, that’s also a highly incomplete picture of the cases where investigations run up against encryption walls. But as the FBI once again issues panicked warnings that they’re “going dark” and demands that online companies be required to compromise security by building surveillance backdoors into their services, it’s worth recalling that we’ve heard this particular wolf cry before. It would have been a disastrous mistake to heed it back then, and on the conspicuously scanty evidence being offered during the encore, it would be crazy to approach these renewed demands with anything less than a metric ton of salt.

Revise the Maryland Wiretap Law?

As I said in this piece in the Baltimore Sun, Maryland police officers are misusing that state’s wiretap law to deter anyone who would film them performing their duties. Maryland officers have asserted that any audio recording of a conversation, even in a public place, is a violation of the state’s wiretapping law and a felony punishable by five years in prison and a $10,000 fine. Officers made this claim to deter filming of an arrest at the Preakness, and when motorcyclist Anthony Graber videotaped his traffic stop.

As Radley Balko points out, the officers’ reading of the law is out of step with the language of the statute itself and Maryland rulings interpreting the scope of the law. Is it time for a revision of this law, or is it just the officers’ interpretation that is the problem? I discussed this on the Kojo Nnamdi Show with the prosecutor pressing charges against Anthony Graber, State’s Attorney Joseph Cassilly, and Graber’s lawyer, David Rocah of the Maryland ACLU.

If you ask some officers in Maryland, any recording of a conversation violates the wiretap statute. If you ask a judge, you will get an entirely different reading of the law. Even though Maryland’s wiretapping statute is considered a “unanimous consent” or “two-party consent” law, its language is different from other states put in the same category such as Massachusetts and Illinois. Where Massachusetts and Illinois have no protection for recordings of conversations outside of electronic means of communication, the first section of the Maryland wiretapping law restricts unlawful interceptions of “oral communications” to words spoken in a “private conversation.”

While the analysis for wire communications is made without regard to privacy, Maryland courts held in Fearnow v. C & P Telephone Co. that a “private conversation” is one where there is a “reasonable expectation of privacy.” Fourth Amendment jurisprudence provides plenty of guidance on where a “reasonable expectation of privacy” exists. Simply put, a traffic stop on an interstate is not a place where Anthony Graber or the officers who cited him have a reasonable expectation of privacy.

This conclusion is bolstered by the guidance given to the Montgomery County Police by the Maryland Attorney General in this 2000 advisory opinion on recording traffic stops. Since 1991, the wiretapping statute had an exemption for police dash cameras where officers could record interactions with motorists when they warned the citizen that the traffic stop would be recorded. The 2000 letter addresses the possibility that other people could show up after the receipt of consent from a motorist and potential “inadvertent interceptions.” The opinion concludes that there is little for officers to worry about, but the state legislature expanded the law enforcement exception in 2002 to address this concern anyway. In a footnote, the advisory opinion makes the point that, in any case, the motorists being pulled over have no reasonable expectation of privacy:

It is also notable that many encounters between uniformed police officers and citizens could hardly be characterized as “private conversations.” For example, any driver pulled over by a uniformed officer in a traffic stop is acutely aware that his or her statements are being made to a police officer and, indeed, that they may be repeated as evidence in a courtroom. It is difficult to characterize such a conversation as “private.”

The Attorney General’s office provided further guidance on the issue in this letter to a state legislator in 2009, advising that surreptitious recording of a meeting of the Democratic Club would probably not be a violation of the Maryland wiretapping law because statements made in this setting lack a “reasonable expectation of privacy.”

So, under the interpretation of the law supporting Anthony Graber’s prosecution, dash camera footage of Anthony Graber’s traffic stop is not a violation of the law, but Graber’s helmet-mounted footage is. The law enforcement officer, a public official performing public duties, retains a “reasonable expectation of privacy” on the side of I-95, but Anthony Graber has none. This is an assertion made contrary to the interpretation of the courts of Maryland, the Maryland Attorney General, and common sense.

This injustice could be resolved in several ways. First, as Radley suggests, the Maryland Attorney General could issue an opinion clarifying the wiretapping law with regards to recording police activity. Advisory opinions are not generally given sua sponte, so a state legislator or other official would have to request the AG’s interpretation. Second, Anthony Graber’s case may provide a rebuttal to an expansive reading of the statute by Maryland law enforcement officers. Third, the legislature could step in to deter future abuse of the statute by expressly stating that public discussions are not “private conversations.”

I discussed this on the Kojo Nnamdi Show with David Rocah and Joseph Cassilly. Rocah wants to preserve the “two-party consent” statute. The legislature, in fact, can clarify the definition of “private conversations” without changing the consent requirement of the law with regard to electronic communications.

On the other hand, State’s Attorney Joseph Cassilly recalled occasions when citizens have come to his office with recordings of threats or extortion demands and he was required to tell them that under Maryland law (1) their recording was not admissible as evidence because it did not have the consent of the threatening or extorting party (though I see no reason that a letter with the same communication would be inadmissible); and (2) the victim of the threat or extortion committed a felony violation of the wiretapping law by making the recording in the first place. That may be the law, but it’s not justice.

In any case, the prosecution of Anthony Graber is an abuse of police power. If Maryland law enforcement officers continue to use the state’s wiretapping law to shield their activities from public view, the backlash may result in a revision of the law in its entirety.

How Much Government Snooping? Google It Up!

The secrecy surrounding government surveillance is a constant source of frustration to privacy activists and scholars: It’s hard to have a serious discussion about policy when it’s like pulling teeth to get the most elementary statistics about the scope of state information gathering, let alone any more detailed information. Even when reporting is statutorily required, government agencies tend to drag their heels making statistics available to Congress – and it can take even longer to make the information more widely accessible. Phone and Internet companies, even when they join the fight against excessive demands for information, are typically just as reluctant to talk publicly about just how much of their customers’ information they’re required to disclose. That’s why I’m so pleased at the news that Google has launched their Government Requests transparency tool.  It shows a global map on which users can see how many governmental demands for user information or content removal have been made to Google’s ever-growing empire of sites – now including Blogger, YouTube, and Gmail – starting with the last six months.

So far, the information up there is both somewhat limited and lacking context.  For instance, it might seem odd that Brazil tops the list of governmental information hounds until you bear in mind that Google’s Orkut social network, while little-used by Americans, is the Brazilian equivalent of Facebook.

There are also huge gaps in the data: The United States comes in second with 3,580 requests from law enforcement at all levels, but that doesn’t include intelligence requests, so National Security Letters (tens of thousands of which are issued every year) and FISA warrants or “metadata” orders (which dwarf ordinary federal wiretaps in number) aren’t part of the tally. And since China considers all such government information requests to be state secrets – whether for criminal or intelligence investigations – no data from the People’s Republic is included.

Neither is there any detail about the requests they have counted – how many are demands for basic subscriber information, how many for communications metadata, and how many for actual e-mail or chat contents. The data on censorship is similarly limited: They’re counting governmental but not civil requests, such as takedown notices under the Digital Millennium Copyright Act.

For all those limits – and the company will be striving to provide some more detail, within the limits of the law – this is a great step toward bringing vital transparency to the shadowy world of government surveillance, and some nourishment to the data-starved wretches who seek to study it. We cannot have a meaningful conversation about whether censorship or invasion of privacy in the name of security have gone too far if we do not know, at a minimum, what the government is doing. So, for a bit of perspective, we know that U.S. courts reported a combined total of 1,793 (criminal, not intel) wiretaps sought by both federal and state authorities. Almost none of these (less than 1 percent) were for electronic interception.

This may sound surprising, unless you keep in mind that federal law establishes a very high standard for the “live” interception of communications over a wire, but makes it substantially easier – under some circumstances rather terrifyingly easy – to get stored communications records. So there’s very little reason for police to jump through all the hoops imposed on wiretap orders when they want to read a target’s e-mails.

If and when Google were to break down that information about requests – to show how many were “full content” as opposed to metadata requests – we would begin to have a far more accurate picture of the true scope of governmental spying. Should other major players like Yahoo and Facebook be inspired to follow Google’s admirable lead here, it would be better still.  Already, though, that one data point from a single company – showing more than twice as many data requests as the total number of phone wiretaps reported for the entire country – suggests that there is vastly more actual surveillance going on than one might infer from official wiretap numbers.

Surveillance, Security, and the Google Breach

Yesterday’s bombshell announcement that Google is prepared to pull out of China rather than continuing to cooperate with government Web censorship was precipitated by a series of attacks on Google servers seeking information about the accounts of Chinese dissidents.  One thing that leaped out at me from the announcement was the claim that the breach “was limited to account information (such as the date the account was created) and subject line, rather than the content of emails themselves.” That piqued my interest because it’s precisely the kind of information that law enforcement is able to obtain via court order, and I was hard-pressed to think of other reasons they’d have segregated access to user account and header information.  And as Macworld reports, that’s precisely where the attackers got in:

That’s because they apparently were able to access a system used to help Google comply with search warrants by providing data on Google users, said a source familiar with the situation, who spoke on condition of anonymity because he was not authorized to speak with the press.

This is hardly the first time telecom surveillance architecture designed for law enforcement use has been exploited by hackers. In 2005, it was discovered that Greece’s largest cellular network had been compromised by an outside adversary. Software intended to facilitate legal wiretaps had been switched on and hijacked by an unknown attacker, who used it to spy on the conversations of over 100 Greek VIPs, including the prime minister.

As an eminent group of security experts argued in 2008, the trend toward building surveillance capability into telecommunications architecture amounts to a breach-by-design, and a serious security risk. As the volume of requests from law enforcement at all levels grows, the compliance burdens on telecoms grow also—making it increasingly tempting to create automated portals to permit access to user information with minimal human intervention.

The problem of volume is front and center in a leaked recording released last month, in which Sprint’s head of legal compliance revealed that their automated system had processed 8 million requests for GPS location data in the span of a year, noting that it would have been impossible to manually serve that level of law enforcement traffic.  Less remarked on, though, was Taylor’s speculation that someone who downloaded a phony warrant form and submitted it to a random telecom would have a good chance of getting a response—and one assumes he’d know if anyone would.

The irony here is that, while we’re accustomed to talking about the tension between privacy and security—to the point where it sometimes seems like people think greater invasion of privacy ipso facto yields greater security—one of the most serious and least discussed problems with built-in surveillance is the security risk it creates.

A Chance to Fix the PATRIOT Act?

As Tim Lynch noted earlier this week, Barack Obama’s justice department has come out in favor of renewing three controversial PATRIOT Act provisions—on face another in a train of disappointments for anyone who’d hoped some of those broad executive branch surveillance powers might depart with the Bush administration.

But there is a potential silver lining: In the letter to Sen. Patrick Leahy (D-VT) making the case for renewal, the Justice Department also declares its openness to “modifications” of those provisions designed to provide checks and balances, provided they don’t undermine investigations. While the popular press has always framed the fight as being “supporters” and “opponents” of the PATRIOT Act, the problem with many of the law’s provisions is not that the powers they grant are inherently awful, but that they lack necessary constraints and oversight mechanisms.

Consider the much-contested “roving wiretap” provision allowing warrants under the Foreign Intelligence Surveillance Act to cover all the communications devices a target might use without specifying the facilities to be monitored in advance—at least in cases where there are specific facts supporting the belief that a target is likely to take measures to thwart traditional surveillance. The objection to this provision is not that intelligence officers should never be allowed to obtain roving warrants, which also exist in the law governing ordinary law enforcement wiretaps. The issue is that FISA is fairly loosey-goosey about the specification of “targets”—they can be described rather than identified. That flexibility may make some sense in the foreign intel context, but when you combine it with similar flexibility in the specification of the facility to be monitored, you get something that looks a heck of a lot like a general warrant. It’s one thing to say “we have evidence this particular phone line and e-mail account are being used by terrorists, though we don’t know who they are” or “we have evidence this person is a terrorist, but he keeps changing phones.” It’s another—and should not be possible—to mock traditional particularity requirements by obtaining a warrant to tap someone on some line, to be determined. FISA warrants should “rove” over persons or facilities, but never both.

The DOJ letter describes the so-called “Lone Wolf” amendment to FISA as simply allowing surveillance of targets who are agents of foreign powers without having identified which foreign power (i.e. which particular terrorist group) they’re working for. They say they’ve never invoked this ability, but want to keep it in reserve. If that description were accurate, I’d say let them. But as currently written, the “lone wolf” language potentially covers people who are really conventional domestic threats with only the most tenuous international ties—the DOJ letter alludes to people who “self-radicalize” by reading online propaganda, but are not actually agents of a foreign group at all.

Finally, there’s the “business records” provision, which actually covers the seizure of any “tangible thing.” The problems with this one probably deserve their own post, and ideally you’d just go through the ordinary warrant procedure for this. But at the very, very least there should be some more specific nexus to a particular foreign target than “relevance” to an ongoing investigation before an order issues. The gag orders that automatically accompany these document requests also require more robust judicial scrutiny.

Some of these fixes—and quite a few other salutary reforms besides—appear to be part of the JUSTICE Act which I see that Sen. Russ Feingold (D-WI) introduced earlier this afternoon.  I’ll take a closer look at the provisions of that bill in a post tomorrow.

DoJ Fails to Report Electronic Surveillance Activities

Unlike with wiretaps, law enforcement agents are not required by federal statutes to obtain search warrants before employing pen registers or trap and trace devices. These devices record non-content information regarding telephone calls and Internet communications. (Of course, “non-content information” has quite a bit of content - who is talking to whom, how often, and for how long.)

The Electronic Privacy Information Center points out in a letter to Senate Judiciary Committee Chairman Patrick Leahy (D-VT) that the Department of Justice has consistently failed to report on the use of pen registers and trap and trace devices as required by law:

The Electronic Communications Privacy Act requires the Attorney General to “annually report to Congress on the number of pen register orders and orders for trap and trace devices applied for by law enforcement agencies of the Department of Justice.” However, between 1999 and 2003, the Department of Justice failed to comply with this requirement. Instead, 1999-2003 data was provided to Congress in a single “document dump,” which submitted five years of reports in November 2004. In addition, when the 1999-2003 reports were finally provided to Congress, the documents failed to include all of the information that the Pen Register Act requires to be shared with lawmakers. The documents do not detail the offenses for which the pen register and trap and trace orders were obtained, as required by 18 U.S.C. § 3126(2). Furthermore, the documents do not identify the district or branch office of the agencies that submitted the pen register requests, information required by 18 U.S.C. § 3126(8).

EPIC has found no evidence that the Department of Justice provided annual pen register reports to Congress for 2004, 2005, 2006, 2007, or 2008. “This failure would demonstrate ongoing, repeated breaches of the DOJ’s statutory obligations to inform the public and the Congress about the use of electronic surveillance authority,” they say.

It’s a good bet, when government powers are used without oversight, that they will be abused. Kudos to EPIC for pressing this issue. Senator Leahy’s Judiciary Committee should ensure that DoJ completes reporting on past years and that it reports regularly, in full, from here forward.