Read Surveillance or Security?: The Risks Posed by New Wiretapping Technologies Online
Authors: Susan Landau
In July 2008, Congress acceded, not only legalizing the warrantless
wiretapping practices, but also, in what was a very controversial move,
giving the telephone companies retroactive immunity.163 Under the FISA
Amendments Act,164 the FISA Court would continue to review individual
warrants for wiretapping communications that were purely domestic; the
new law meant that certain classes of wiretaps-the ones in which one end
was believed to be outside the United States-would not be reviewed
individually but handled under procedures subject to periodic FISA Court
review. A concession to privacy advocates was that FISA warrants
would be required for wiretapping U.S. persons abroad. Prior to September
11, NSA practice had been to require a warrant when targeting U.S.
persons overseas even though FISA did not require this. NSA changed its
practice after the 2001 terrorist attacks. The FISA Amendments Act effectively ended the Hepting case and, with it, any chance for fully understanding the activities that had actually occurred. The FISA Amendments Act
expires in 2012.
In March 2010, the government's warrantless wiretapping program suffered a non-fatal blow. Federal judge Vaughn Walker ruled that the warrantless wiretapping of al-Haramain had violated FISA.165 Because FISA
permits civil remedies to "aggrieved persons" whose rights have been violated, the government was liable for damages. But Walker's ruling was
narrow. The government's defense had been limited to blocking the alHaramain suit through the state-secrets privilege, and Walker's decision
was similarly limited. He ruled that using state-secrets privilege to circumvent the warrant procedure for foreign-surveillance wiretapping violated
FISA. Walker did not rule on whether the PSP itself was legal.166
Meanwhile similar activities were occurring elsewhere. Sweden passed
a law167 permitting its government to do warrantless wiretapping of all
transit telecommunications. It was discovered that the German foreign
intelligence agency, the Bundesnachrichtendienst (BND), was spying on
communications between the Afghan foreign ministry and a German journalist,168 the result of a Trojan-horse program placed on a computer in the
Afghan Ministry of Commerce. This electronic eavesdropping violated
Article 10 of the German constitution, which requires that "the privacy of
letters, posts, and telecommunications shall be inviolable."169 The BND has
also searched through thousands of foreign PCs through installing software
key loggers, which capture keystrokes and can thus reveal anything on a
user's machine.170
The United States itself was also apparently wiretapping journalists.
Russell Tice, a former intelligence analyst, claimed that U.S. news organizations and journalists were targeted by the NSA.171 In the absence of a congressional investigation and sworn testimony, it is impossible to know what
is true-the government has issued vehement denials-but there is supporting evidence to this claim. Lawrence Wright, a reporter for the New Yorker
and author of The Looming Tower: Al Qaeda and the Road to 9/11, had reason
to suspect he was one of them. Federal agents asked him about some of his
phone calls to sources; it was clear from the conversation that he had been
wiretapped.172 New York Times reporter James Risen, who, with Eric Lichtblau,
had broken the story of the PSP, found that Bush administration officials
had copies of his phone records.173 As of this writing, Risen and his lawyers
have been unable to determine if the records had been obtained through
a subpoena-the government was investigating the leaks that fed his 2006
book on the CIA-or through the Terrorist Surveillance Program that he
and Lichtblau had revealed to the nation. In either case, the effect was
chilling, not so much for Risen, who had the support of his newspaper, but
for his government sources, who lacked such protection.174
Hoover's ghost did not die; to this day wiretaps enable political manipulation. In 2005 Representative Jane Harman, a member of the House Intelligence Committee, put pressure on the New York Times not to publish its
story on the administration's warrantless wiretapping. In an odd shake of
events, Harman was herself captured on a wiretap, this one a legally authorized one of two Israeli agents suspected of illegally distributing nationalsecurity documents.15 Congressional leaders were to be informed of
Harman's involvement, but Attorney General Alberto Gonzalez intervened
and asked the CIA to delay briefing congressional leadership. Gonzalez's
stated reason was concern that Harman would learn of the wiretaps before
being interviewed by the FBI investigators. But government sources said the
real reason for the delay was to "protect" Harman because she was a valuable ally in urging the Times not to publish anything on the President's
Surveillance Program.176 Harman was never interviewed by the bureau on
this issue.177
During the period when the public was loudly decrying the warrantless
wiretapping, the president authorized the Comprehensive National Cybersecurity Initiative, a little-noticed, but seemingly sweeping, project to
install surveillance capabilities across the Internet in order to protect U.S.
critical infrastructure against cyberattacks.178 The surveillance being proposed was not only for government networks, but also for private ones.
Because virtually all aspects of the project were classified, there was essentially no public discussion of the program. This was not the first time this
had occurred for a Bush administration surveillance program.
I now turn to examining the effects of this surveillance.
Immediately after the September 11 attacks, the United States embarked
on a series of efforts to protect itself. Some measures, such as physical protection of critical infrastructure, were adopted without controversy
(although these were not always implemented as well as they might
have been). Others such as data mining, analyzing massive data sets for
"interesting" patterns, and behavioral surveillance, monitoring peoples'
involuntary reactions' to determine what they are actually thinking, were
highly controversial. There were strong protests that these techniques
abused civil rights, but generally the programs continued during the Bush
administration.2
The critics had been asking the wrong question. In 2005, a panel formed
by the National Research Council, the research arm of the U.S. National
Academies of Science and Engineering and the Institute of Medicine, was
tasked with examining privacy in light of government programs in data
mining and behavioral surveillance. The group's most important conclusion: before a program is deployed, its effectiveness should be examined.'
If a program is not effective, then there is no reason to deploy it, and no
effort needs to be expended regarding its potential infringement of civil
liberties.
The same criterion should, of course, apply to communications surveillance: how effective is wiretapping? There are problems with answering
this question. There is little way to determine how a case would have
turned out had there been no wiretapping and no way to see how a jury
would have reacted with the wiretapping evidence-or without it. In
national-security cases, the details of the investigation rarely come to light.
Nonetheless, some information is available despite limitations on the
answers.
Wiretapping is particularly useful in conspiracies such as organized
crime and drug cases. Anecdotally we know, for example, that in 2007 wiretaps were used in a Tennessee narcotics investigation in which forty
people were convicted, in a New York City investigation of a theft ring
with thirty-three convictions, and in an Ohio drug investigation with
thirty convictions.' Although details of the role wiretapping plays are
rarely available, it is clear the tool is heavily used in national-security
investigations. One example was the case of CIA counterintelligence officer
Aldrich Ames, who was convicted of spying for the Soviet Union and
Russia.' Transactional information, which lets investigators know who
spoke with whom where and when, is particularly useful. Whether a group
is a drug-trafficking ring or a terrorist cell, such data can reveal the organization's structure, which is of great value to investigators. Cell phones,
typically tied to a person, reveal where a person is at a particular time.
Transactional information can be revealing even if no conversation
takes place. In 2002, investigators began an almost two-year investigation
tracking Al-Qaeda members through their use of prepaid phone cards,
which had been anonymously purchased in bulk. The original tracked
call had "lasted less than a minute and involved not a single word of conversation," but the agents exploited it to map out an Al-Qaeda network
involving members in the United States, Pakistan, Saudi Arabia, Germany,
Britain, and Italy. Calling it "one of the most effective tools" they'd had,
a law enforcement official said, "The perception of anonymity may have
lulled [the Al-Qaeda members] into a false sense of security." A number of
cell members were arrested. One person whose location was discovered
through this was Khalid Sheikh Mohammed, said to be the architect of the
September 11 attacks.'
The ability to track makes electronic surveillance quite useful to intelligence and law-enforcement agencies-and particularly threatening to
those who might be the subject of such investigations. This risk has kept
Osama bin Laden off electronic communications since the late 1990s.'
Preventing criminals and terrorists from using modern forms of communication is a strong benefit of electronic surveillance.
Clearly wiretapping can be remarkably effective in criminal, foreignintelligence, and terrorism cases. Yet since full data are not publicly available, evaluation is difficult. Consider an analogous situation. In 1996, a
National Research Council report on cryptography concluded that it was
possible to have a reasonable public debate on cryptography on an unclassified basis.' I conjecture that the same is true here: there is sufficient public
data on wiretapping to have an informed public discussion on wiretap
effectiveness, even while omitting discussion of specific cases. That is the
intent of this chapter.
5.1 New Gold: Transactional Data
The biggest use of wiretapping tools is not actually the capture of conversation but something that is not really wiretapping at all: the capture of
transactional information. The last decade has seen a huge investigatory
use of communications location information. This is through both the
use of pen registers and trap and traces, which provide real-time access to
location information, and access to CDRs-the customer call-detail records
amassed by the telephone companies that are a treasure trove of peoples'
activities.
Under the Smith ruling, little privacy protection is afforded to transactional information. ECPA established that subpoenas, which are easier to
obtain than warrants, would be required for installation of pen-register and
trap-and-trace devices. That level of legal protection seemed appropriate,
because transactional information is information shared with the telephone company-a third party-and therefore is not subject to stringent
Fourth Amendment protections. But then things changed.
Cell phones and, more recently, mobile computing, including smart
phones such as the iPhone, have entered the scene. Behavior with cell
phones is very different than with landlines. Users broadcast their location
whenever their phone is turned on-and the phones can be manipulated
to do such broadcasting even when the phone is off. People use their communications devices frequently, often for very brief conversations. This has
proved to be a major boon for law enforcement.
In criminal investigations, if law enforcement wants the past history of
a suspect's calls, it will seek a court order for access to the CDRs; if, instead,
prospective information is the object, then law enforcement will seek an
order for a pen register. Minimal court oversight exists in both instances.
In contrast, in intelligence investigations, the FBI may use a National
Security Letter (NSL), which is served directly on the communications
provider.
Originally created in 1978 to give FBI investigators in foreign intelligence
cases an exception to the privacy protections already in the law,9 NSLs were
limited to use against foreign powers and people believed to be their
agents.10 Because providing such proof was difficult, NSLs were rarely used.
The PATRIOT Act greatly expanded the FBI's authority to use NSLs, permitting field offices to issue them and changing the requirement that the
information sought must pertain to a foreign power, or agent of one, to
the requirement that the information sought must be relevant to protecting
against "international terrorism or clandestine intelligence activities."11 The new law also allowed the bureau to require the recipient of an NSL
to keep it secret, not informing the subject-or anyone else-about the
request.12
Use of NSLs vastly increased after the PATRIOT Act; between 2003 and
2006, the FBI issued 192,000 NSLs,13 the overwhelming majority for telephone records.14 The FBI increasingly relies on NSLs as the primary investigative tool in terrorism and espionage investigations,15 often using the
records to support FISA applications. 16 One knowledgeable government
source called NSLs "a real game changer." In 1995, the bureau wanted
spoken content, because that "was the most important information we
could get." But listening in turned out to be far less valuable than link
analysis: connecting who was talking with whom. The fact that many
people were using cell phones made such information even more valuable,
for the devices reveal their owners' location.