Surveillance or Security?: The Risks Posed by New Wiretapping Technologies (26 page)

There is no need to do deep packet inspection to determine traffic priority. The simple solution to the traffic congestion problem consists of IPv6,
the long-delayed IP protocol, and Internet usage pricing. IPv6 has two
fields, one for type of service (VoIP, web browsing using http, SMTP for
email, etc.), and one for the quality of service designated by the user (e.g.,
email can go slowly, VoIP must have priority, etc.). Instead of the ISP
determining the traffic shaping, the customer can do so, and can pay for
the privilege of employing the faster service. That is common for all forms
of package transfer, from the U.S. Post Office to FedEx. Doing this would
require that ISPs move from a model of all-you-can-eat data consumption
to one of paying by the gigabit. This change is probably overdue now that
video streaming and other data-rich applications are surging across the
network. Such a change would leave the customer in charge of what type of service they receive, removing any incentive for the networks to block
legal applications on the Internet. It would be a win for all involved.

DPI also has another use: censorship. Both China and Iran are reported
to be using DPI tools for censorship and surveillance.

6.7 Legally Authorized Spyware

Not content with eavesdropping capabilities already in place, the FBI has
also been building its own spyware. The first hint of this came in 1999,
when the bureau placed a hardware keystroke logger on a computer belonging to Nicodemo S. Scarfo. Scarfo was the son of a former crime boss in
south Jersey and was suspected of running a gambling ring. The FBI had
been unable to decrypt records secured on Scarfo's computer. Armed with
a search warrant, in a black-bag job, agents placed a keystroke logger (a
small device placed between the keyboard and the computer to log all
keyboard activity) on Scarfo's machine.34 Shortly afterward the logger sent
out the needed information over radio waves,35 and the FBI was able to
decrypt Scarfo's files. With the evidence, the bureau won a conviction.36
Implanting the physical keylogger was a complicated solution; within
several years, it became known that the FBI was working on delivering
keystroke loggers the same way the hackers delivered viruses: through the
network. The FBI program, "Magic Lantern," was written to be downloaded
by unwitting users. Of course, it was to be used subject to a search warrant.37

Over the years, FBI online eavesdropping efforts have grown in sophistication. In an affidavit filed in an Olympia, Washington, courtroom in
June 2007, the FBI revealed it was using an online pen register, Computer
and Internet Protocol Address Verifier (CIPAV), to acquire user IP address,
list of open TCP and UDP ports, list of running programs, operating-system
type, including the version, the default browser, the currently logged-on
user (which may or may not be the actual user), and the last website visited.
The FBI would then monitor all outgoing communications, transmitting
the IP address of each, along with the time and date.38 This tool has been
in use since at least 2005 and utilized in cases involving extortion, identity
theft, and harassment.39

6.8 Mobility

Aside from the convenience, it would seem that mobility would not create
any fundamental changes in Internet usage. After all, mobility has long
been part of the Internet; for well over a decade, laptops, BlackBerrys, and other IP-enabled devices have been moving on and off the network, requiring IP addresses for anything from just a few minutes to several hours.

Mobility does change things. Just consider the phone systems and the
differences in usage between cell phones and wireline devices. Both phones
are used for brief calls-"Pick up milk on your way home"-but wireline
phones are also used for long conversations, including business conference
calls, while cell phone calls exhibit a pattern of short, frequent calls.4o

Because full-size web pages will not fit on phones or handheld computers,
web design, and thus web usage,41 will be different to accommodate the
smaller devices.42 Communications will be brief and timely-think Twitter
rather than email-and not necessarily meant to be kept until the "end of
recorded time." So while Internet protocol needs may not be any different
depending on whether one is connecting via an iPhone or a laptop, usage
will be. And that will in turn change Internet functionality and protocols.

6.9 Traffic Analysis

Backing down from its previous stance, the U.S. government acknowledged
in 2000 that strong encryption was needed to protect civilian communications and that export controls would be loosened. The expectation was
that content would become protected, and so NSA expected to amplify its
focus on traffic analysis, the study of who is talking to whom, when, and
for how long.

Traffic analysis, part of signals intelligence, has long been an important
military tool. Patterns of communication can show the chain of command,
where activity is about to occur, and often what type of activity is likely
to occur.

Traffic analysis started with the advent of radio, which gave admirals
and generals great ability to command from a distance. At the same time,
it gave the enemy unprecedented capability to listen in, not only for
content, but also for the existence of the communications. Within two
weeks of the outbreak of World War I, for example, using the volume of
the signal as a measure of its strength, the French mapped the likely locations of senders and receivers on the German front (later the French used
direction finders to help with this). The French recorded call signs (identifiers from transmitting stations), traffic volume, and correspondents from
all the German stations. From this information they had a detailed picture
of the German forces they were facing, a picture that was largely correct.43
Historian David Kahn calls this the "first radio traffic analysis;"" it was a
highly successful one at that.

During World War II, the Americans had decoded the Japanese cryptosystem and enjoyed a tremendous advantage over the Japanese as a result
(the Japanese military had not accomplished the reverse). But many of the
U.S. successes had nothing to do with understanding the actual communication. The radio operators learned, for example, that messages on a particular
frequency meant that an evening air raid was in the offing. Such deduction
was faster and simpler than decryption. Analysts could often determine the
target simply from a study of the call signs used in the Japanese message.4s

For much of the Cold War, NSA analysts were unable to listen in to the
Soviet leadership's telephone calls. One problem was accessing the signal,
which no longer traveled by radio but by buried landlines and microwave
relays.46 By the late 1960s the United States had solved this problem
through satellites, which provided the ability to acquire microwave-relay
communications traffic. The other difficulty was decrypting this traffic: on
October 29, 1948, "Black Friday," the Soviets deployed new encryption
systems that the United States was unable to break for the next three
decades. This changed in the late 1970s, but success was brief because spies
in NSA and GCHQ,47 the British equivalent, revealed the breaks to the
Soviets, and the systems closed off again.

The NSA used other means to determine what was happening in
the Soviet Union. One method involved eavesdropping on unprotected
modes of Soviet communications; the "Gamma Guppy" intercepts of
Soviet leaders chatting via their mobile phones while in their cars were
particularly useful in this regard.48 The other valuable source of Soviet
intentions was traffic analysis. Such was the case during the invasion of
Czechoslovakia in 1968. Although the NSA could hear what Soviet leaders
were saying through the Gamma Guppy intercepts, the members of the
Politburo were speaking in code, and the intelligence analysts had no idea
what the words meant regarding an invasion; instead, intercepted traffic
indicating troop movements was a more accurate predictor of Soviet
behavior.49 Traffic analysis was also heavily used by the NSA to correctly
predict the Soviet invasion of Afghanistan in December 1979.s°

Traffic analysis is useful not just in determining enemy plans; the
United States uses it to find out about the plans of its friends. Increased
diplomatic traffic between Israel and France on the eve of what turned out
to be the 1956 Suez War led the CIA to correctly conclude that France
might be joining Israel in the efforts'

During the Vietnam War the NSA was unable to decrypt well-protected
communications used by the North Vietnamese and the Viet Cong leadership. Instead the agency had to use other techniques to discover enemy plans, including exploiting low-level communications in the field, unencrypted communications, and traffic analysis.52 The last was particularly
useful. For example, NSA SIGINT (signals intelligence) analysts realized
that before a big attack, traffic volumes would substantially increase.
North Vietnamese and Viet Cong radio operators would also take precautionary measures, changing radio frequencies and encryption systems. By
1966 the NSA was using traffic analysis to predict not only when and
where an attack was to occur but even which enemy units would be
involved.53 Traffic analysis could even determine whether North Vietnamese forces or the Viet Cong would be using the Ho Chi Minh Trail to South
Vietnam."

In civilian life, traffic analysis can similarly discover the existence of
personal relationships,55 organization within a corporation, even whether
a merger discussion is occurring. Thus, governments, both U.S. and European, have became quite interested in using CDRs as a possible tool to find
communities of interest (COIs) for a specific phone number. (A community
of interest is a small group of users whose communications are almost
entirely within the group.) Communities of interest may be as innocuous
as knitters in the upper Midwest or as potentially dangerous as the September 11 hijackers. Governments are typically not interested in knitters
in the Midwest or elsewhere. But the idea that applying data-mining techniques to CDRs to uncover terrorist cells has proved irresistible to policymakers. In the United States the NSA began accessing CDRs in secret rooms
in telephone switching offices across the country.56 As it happens, the
telephone companies were also interested in finding COIs, for it helped
them uncover fraudulent activity. They had developed tools to discover
such groups.57

In 2002 Europol-a European Union agency consisting mainly of police
from member states and concerned with counterterrorism-proposed a
European Union law requiring that telephone companies retain call data
information for law enforcement. This proposal was not greeted with
delight. Even with the dropping costs of storage (essentially by half every
eighteen months), keeping such voluminous records would add substantial
costs for telephone companies and ISPs.s$ And, unlike wiretapping, for
which court orders delineated wiretapping specific suspects, the Europol
proposal was that the communications providers keep records on every
transaction of every person, not just suspects. Civil libertarians argued that
this collection was disproportionate to the security needs of the state and
thus violated Article 8 of the European Convention on Human Rights.
These protectors of privacy contended there was no proof that there was any security gain whatsoever. In 2005 the European Parliament rejected
the initiative, but in 2006 the Parliament passed it.59

The European data-retention directive has a wide scope. Under it, all
data necessary to trace and identify the source and destination of a phone,
email, and VoIP communications are to be retained.60 Time, date, and
duration of a completed communication, all the information needed to
identify the communication itself, as well as type of communication device
and its location at the start of and for the duration of the conversation are
also to be kept.61 Because the law applies to Internet communications,
every web search and access is subject to retention. Not surprisingly, implementation has been slow. While the directive obliged every member state
to pass a national law supporting data retention by September 2007,62
many member states took advantage of a loophole that allowed delaying
implementation for another eighteen months.

The temptation that traffic analysis will yield valuable results impossible
or too expensive to discover in other ways has proved great and the
research technique has become a business. In the United States, unless you
are the phone company or have an order for a pen register or trap and
trace, mapping who is talking to whom is illegal; in much of the rest of
the world, it is not. ThorpeGlen, a British firm, is one of several companies
that offer commercial traffic analysis.

ThorpeGlen sells systems that analyze vast amounts of communications
data in order to discover the people worth investigating. Well-connected
people with many links to others are not of interest. It is the isolated
groups, the pairs and small groups who only connect with a few others,
that draw suspicion. Indonesia is one government that uses ThorpeGlen
products,63 but it is far from the only one. The company won a 2009 U.K.
government award for having grown substantially in international trade.
ThorpeGlen grew out of 1990s British Telecom work in fraud detection.
The company has a business because computer storage and search have
become inexpensive and because law enforcement believes that searching
out the people who have odd communications patterns can uncover the
bad guys.

Certainly drug dealers exhibit such patterns. Throughout the "working
day," the dealer repeatedly gets a page and responds by making a telephone
call. But unlike plumbers, doctors, and other salespeople, the dealer never
calls family, friends, or the office. And while a drug dealer's calling patterns
may form a recognizable pattern, many other bad guys do not fall into
such types. Nonetheless, studying calling records to find unnatural communications patterns appears to offer great benefit to law enforcement at relatively low cost. Instead of uniformed men and women walking the beat
and developing relationships that enable them to search out anomalous
behavior, computers working behind locked doors, coolly sifting calling
patterns, can do the same. Researchers at MIT, Northeastern University,
and the Santa Fe Institute report, for example, that it is easy to infer friendship networks simply based on contextualized proximity and communications transactional data,64 while a research group from Cambridge
University has observed that knowing even a limited amount of personal
information-eight "friends" of a person's Facebook friends-can enable a
full mapping of someone's social network.61