Surveillance or Security?: The Risks Posed by New Wiretapping Technologies (36 page)

Nor are such threats the only problem. In 2006 the FBI prepared a bill
for Congress that would have required CALEA compliance for every possible communications service and application: Instant Messaging, massively multiplayer online role-playing games (MMORPGs), any online
application with real-time communication.48 This was highly problematic.
As Bellovin et al. note, "The Internet architecture is rich and flexible, and
VoIP is not the only real-time communication in which Internet users
indulge."49

Or consider Second Life, the virtual world launched in 2003. It was a
beginning of online games that were immersive experiences rather than
games with dragons to slay and pots of gold to find. In such worlds, participants create their own environments and build things (Second Life
allows users to create objects using the game's software and sell them in
the real world, and this has become a rather large business in itself). But
another aspect of Second Life is as an outlet for conducting real-world
efforts virtually. The site is used for news conferences, and many manufacturers have launched new products on Second Life, while politicians have held press conferences. Musicians release new music and universities
use the platform for education, and so on. Because Second Life was built
without any ability for privacy within the space, various companies,
including Sun and IBM, have been developing "secure" virtual worlds for
use by businesses, creating virtual worlds where employees can meet, collaborate, and chat over coffee.

Had CALEA compliance been required for Second Life, its development
in the United States would have been greatly impeded. The slow speed
of its standards development process50 and the fact that other nationsspecifically Japan and Korea, which have great interest and thriving industries in MMORPGs-lack CALEA-compliance requirements, might well
have caused the application to be developed elsewhere.51

The low barriers to entry for Internet products mean that many of the
network's most useful applications began experimentally, released to the
public in a "beta" version without charge or guarantees.52 The Internet's
high bandwidth and ability to support smart endpoints allow a richness
in applications, enabling diverse communication models within a single
application (e.g., combined with whiteboards for sharing documents, voice,
and the immersive environments of virtual worlds).53 Applying CALEAcompliance requirements to any application with communications would
have extremely negative impacts on innovation and the U.S. economy.

8.6 New Forms of Surveillance Create Risks of Excessive Collection

The Bill of Rights serves to protect the people from potential excesses of
the government, and the Fourth Amendment is present to protect against
potential excesses of the state's police power. That philosophy underlies
the tight restrictions on state wiretapping in Title III and FISA. The state
is very powerful; its right to enter people's homes and businesses would
constitute trespass were it done by anyone else.

One does not need too many examples of corrupt or totalitarian states
to understand the dangers of an unconstrained police force. Yale law professor Jed Rubenfeld has observed that the Fourth Amendment quite deliberately states that "the right of the people to be secure in their persons,
houses, papers, and effects, against unreasonable searches and seizures,
shall not be violated" (emphasis added).54 Security is the point of the
Fourth Amendment, security of the people against excessive searches by
the state. In the decades before the American Revolution, the British used
writs of assistance to conduct searches, general warrants that were nonspecific as to person, place, or item to be searched and that could be arbitrarily extended wherever and however the British officers-or their appointeeswanted them to be. Objections against excessive taxation fueled the
American Revolution, but it was the "wanton exercisei55 of the writs that
raised the ire of the colonists.

Anger against the writs of assistance began to rise in 1761. James Otis
Jr. was at the time advocate general of the Boston Vice-Admiralty Court,
but he resigned his position when the British asked him to defend the
writs. Instead he argued in Boston's Old State House, "A man's house is
his castle; and whilst he is quiet, he is as well guarded as a prince in his
castle. This writ, if it should be declared legal, would totally annihilate this
privilege. Custom-house officers may enter our houses when they please;
we are commanded to permit their entry. Their menial servants may enter,
may break locks, bars, and everything in their way; and whether they break
through malice or revenge, no man, no court can inquire.i56 Otis's speech
reverberated over the next quarter century, greatly influencing the Fourth
Amendment. As the ideas that became the Bill of Rights coalesced, the
standard for search moved from a mere suspicion standard to the probablecause one present in the Fourth Amendment. As Rubenfeld points out, that
stipulation provides the security ensured by the amendment .17

Consider how the notion of security translates to the modern era. In a
world where many of the most valuable pieces of property are bits, wiretapping is not simply a violation of privacy, it is a violation of security.58
When collection is excessive, it creates a greater security violation.

One way excessive collection can occur is through a lack of clarity on
what data are being requested. With all its drawbacks, one value of CALEA
was that it required a standardized format for the output to law enforcement. This meant that the hard questions were answered in a-somewhat-public discussion. What data was law enforcement requiring and
how should it be received? In contrast, the pen-register statute does not
define or standardize what network information constitutes dialing, signaling, addressing, or routing information. The result, according to Al Gidari,
"is like a fire hose for the application. Manufacturers and carriers decided
what was included when CALEA was standardized-and the result was still
a lack of clarity in the various implementations. One manufacturer's solution did not realize that the data channel used to deliver pen register data
would also capture and deliver SMS messages, a clear error because such
messages are content, not pen register data."59

Even when just pen-register information is supplied, there are risks.
Transactional information is remarkably revelatory. It can be so at a personal level; one systems administrator, for example, read-protected his email logs because of a love triangle within his user community, which
led one person to monitor the email traffic of the other two.60 Transactional information can also reveal economic information. Anyone studying the communication patterns between the management of Sun
Microsystems and Oracle during the week of April 13, 2009, could have
easily discerned that an acquisition discussion was underway,61 a discovery
that would have been worth millions on the stock market-illegally
obtained millions-had such a purchase been known in advance of the
public announcement.

Since the September 11 attacks, the U.S. government has been highly
enamored of the idea that the terrorists can be easily found by simply
"connecting the dots" if sufficient data are collected and mined. It is
unlikely that groups of terrorists can be determined solely on the basis of
their communication patterns; such efforts are more likely to waste both
time and investigative resources, as well as creating a source of risk. Recall
that when Shishir Nagaraja examined seventeen hundred users62 on an
email network, he concluded: "Since close to 80% of the population must
be monitored to detect all the communities, it means that in the short run,
government surveillance budgets are more likely to cause harm to privacy
than to uncover hardened terrorist cells."63

Anonymization, perturbing the data sufficiently to prevent identification of the parties involved yet leaving the property in question able to be
determined,64 has been proposed for protecting privacy in data-mining
work. It turns out that the anonymization tools do not work as advertised.
Arvind Narayanan and Vitaly Shmatikov have shown that if a small
amount of "seed" data is known, reidentifying nodes on an anonymized
network is not only possible, but relatively simply done.65 Such seed information is, unfortunately, easily available. In recent years social networks,
networks of users who frequently connect with one other and whose connections are made relatively public (e.g., if Alice is a Facebook friend of
Bob's, then Alice knows who Bob's Facebook friends are66), have become
increasingly popular. This can function as seed data. Narayanan and Shmatikov showed that it is possible to use seed data, even seed data with inaccuracies, and reidentify the anonymized network. The short message: in
social networks, including calling networks, anonymization does not
provide protection. Thus Nagaraja's conclusion regarding privacy is likely
to be correct.

The combination of automating collection and removing the telephone
companies from a direct role in the implementation of wiretaps-situations
brought about through technology and law-creates risks of excessive collection. One of the values of the specificities required in wiretap warrants
is that the act of preparing and executing Title III and FISA wiretaps
brings several organizations into the loop: the law-enforcement or nationalsecurity investigator who prepares the warrant, the judge who approves it,
and the carrier who actually implements eavesdropping. The NSA's warrantless wiretapping, legalized under the FISA Amendments Act (FAA) and
apparently realized in the architecture of various switching offices, removes
the oversight provided by communications carriers.67 Such safeguards
provide more than legal window dressing. By furnishing a check on government investigators' work, oversight systems ensure the system works
correctly.

Less than a year after the passage of the FAA, in a practice described by
intelligence officials as "significant and systemic," NSA was overcollecting
domestic communications of Americans;` these included personal emails
of former President Bill Clinton."

A similar overcollection problem occurred with phone records. In 2002
the FBI created a Communication Analysis Unit (CAU) in which telephonecompany personnel worked in the FBI offices supplying telephone record
information to bureau agents. The idea behind this was that collocation
would provide timely dissemination of information found in the calling
activity.70 Of course, the records were to be provided only with proper legal
authorization. Because a glimpse into a subscriber's history has the potential to be remarkably invasive, the Electronic Communications Privacy Act
(ECPA) requires that service providers keep subscriber records private unless
the records are "relevant to an authorized investigation to protect against
international terrorism or clandestine intelligence activities, provided that
such an investigation of a United States person is not conducted solely
upon the basis of activities protected by the first amendment to the
Constitution of the United States .1171

There are two tools that law enforcement can use to access the CDRs:
grand jury subpoenas and NSLs. The latter can be used only for international terrorism and espionage investigation. Under FBI guidelines, NSLs
are authorized "only upon the written request of an FBI Special Agent in
Charge (SAC) or other specially delegated senior FBI official."72 This process
means that an agent cannot simply open such an investigation. Rather the
agent has to show that the information sought by the NSL is relevant to
an already open investigation against "international terrorism or clandestine
intelligence activities. 1171 In addition, there are four steps in the NSL
approval process: the agent's supervisor, the chief division counsel, an
assistant special agent in charge, and the special agent in charge.74

In the aftermath of September 11, the FBI signed contracts with three
telephone companies, arranging that each would supply employees for the
FBI's Communications Analysis Unit (CAU) (these employees were also on
call outside business hours)." The point was to give bureau agents easy,
real-time access to phone records during investigations. As one might
expect, the tight integration between the phone companies and the bureau
agents76 brought down the barriers on this information sharing. This was
to have serious consequences.

The FBI New York field office, involved in investigating the September
11 terrorism attacks, had begun using exigent letters, letters requesting
immediate access to telephone records stating that appropriate subpoenas
had already been submitted to the U.S. Attorney's Office." The process was
adopted by the CAU when one of the telephone-company employees
working at the New York field office moved to the CAU.78 But the situation
in the CAU was different from the New York field office. The CAU was
mostly working with NSLs, and nothing in ECPA permits exigent letters
with "legal process to follow."" In fact, the situation in the CAU was much
worse than that because often the legal process follow-on did not occur.
There were many problems in the FBI access of CDRs:

• Many of the exigent letters never received required legal follow-up with
an NSL. Such a process would not have been followed in any case, since
ECPA does not provide for after-the-fact NSLs.80 The process on preparing
the exigent letters was so lax that the telephone-company employees often
prepared the letters themselves.81 FBI requesters frequently did not determine if there was an open NSL at the time the exigent letter was issued.
As a result, "records for hundreds of telephone numbers" need to be purged
since there was no legal basis for requesting the information.82

• In a number of cases, private subscriber data was supplied without a
written request by FBI agents. Written requests followed weeks and months
later. In some cases, written requests were never submitted.83