Surveillance or Security?: The Risks Posed by New Wiretapping Technologies
Author: Susan Landau
• Only 11 percent of the exigent letters were appropriately specific on what data was being requested. In particular, date ranges were often missing. The result was that often telephone-company personnel supplied far more data than the FBI was legally authorized to receive.[84]
• FBI agents frequently used one company's community-of-interest search tool without determining whether the additional information supplied by the tool was relevant to the investigation.[85] The automatic supply of additional information was done without the relevance determination required by ECPA,[86] and thus this information was inappropriately collected.[87]
• Many of the exigent letters were not related to genuine emergencies. In one case, exigent letters were used to obtain records for "hundreds of telephone numbers associated with a dead terrorist" when there was no apparent emergency;[88] exigent letters were also used for investigating media leaks, fugitives, and other non-life-threatening cases.[89] Such searches severely impede reporters' ability to uncover issues, especially those concerning the government (this is discussed further in chapter 9).
• FBI agents routinely used "sneak peeks" (verbal, email, or telephone requests to see CDRs) to determine if there was data of interest. The agents would either describe what they were interested in or, in some cases, simply sit with the phone company analyst and view phone company records without any legal process in place first. If the agents found data of interest, then they would issue an exigent letter or start a legal process to officially obtain the data.[90] This aberration occurred quite often; one company reported that half of the FBI requests were for sneak peeks.[91] The data requested included "whether the telephone number belonged to a particular subscriber, the number of calls to and from the telephone number within certain date parameters, the area codes [redacted] called, and call duration."[92] According to DoJ's Office of Legal Counsel, this violated ECPA.[93]
• A similar situation arose with "hot numbers," numbers agents sought to investigate. Prior to starting any legal process, FBI agents would inform the telephone companies that a number was hot; if the number belonged to one of the company's subscribers, the company would respond to the FBI and inform the agent whether the number was active (e.g., there was calling activity).[94] Sometimes the companies would provide more information, including call origination and termination information.[95] In 2006, the National Security Law Branch deputy general counsel who reviewed the FBI contracts with the telephone companies concluded that a pen register was required for obtaining this type of information.[96]
• Finally, in multiple cases, information submitted as part of FISA Court applications was described as having been obtained through NSLs even though the NSLs were obtained weeks after the FBI had acquired the information through the use of exigent letters.[97]
It seems that this activity occurred without the knowledge of the senior levels of FBI management, a serious procedural error.[98] After the 2007 Inspector General report detailing problems with FBI access to CDRs, employees of the three telephone companies moved out of the FBI offices.[99] While the physical proximity was not illegal, breaking down the wall between law enforcement and telephone-company personnel let the phone employees lose sight of where their responsibilities lay. In addition, the FBI purged records for 18 percent of the phone numbers on which records were collected through the exigent-letter system (739 telephone numbers out of 4,091).[100]
If wiretapping modern communication systems leads to large-scale tapping of nontargets, the legal basis for wiretapping is undermined. In addition, public support for wiretapping will fade.[101]
8.7 Never Underestimate Murphy's Law
Architects start with an image of a beautiful building, and many designs look appealing on paper. Building codes, which affect the design, are there to ensure that the buildings withstand hurricanes, earthquakes, and other potentially structurally damaging threats.[102] Computer scientists design networks. Engineers build them. It is from experience in the nitty-gritty of the real world that Murphy's law ("Anything that can go wrong will go wrong") comes. That knowledge should also inform the thinking about communications interception systems.
Sometimes it does. In 2000, the IETF's Network Working Group considered including wiretapping requirements as part of the design process for IETF standards. The IETF is an open, public standards-setting organization responsible for establishing the Internet's communication standards. These ensure that computers around the world can communicate over the network. IETF standards work because they are based on sound engineering practice (in engineering understatement, this is described as "technical competence").
The Network Working Group decided that wiretapping did not fit into the communication protocols that the IETF develops. One problem was scope: IETF is an international technical standards body, while wiretapping is a part of a legal process that varies from jurisdiction to jurisdiction. The main issue, however, was technical. Adding wiretapping requirements to a protocol increases complexity, creating a security risk (wiretapping is an intentional security breach). The Network Working Group said that Internet protocols should not include wiretapping capabilities.[103]
The group further observed that many network features "if deployed intelligently" already provided the ability to wiretap, the exception being when end-to-end encryption was in place.[104] As the events in Greece and Italy, and the overcollection in the United States, showed, experience bore out the working group's conclusions. So did other evidence.
In 1993 the U.S. government announced the Clipper chip, the federal encryption standard with 80-bit keys for protecting voice, fax, and computer information transmitted over a telephone system. The plan was a failure; there were strong public objections to the system, and very few Clipper phones were ever made or sold.[105] Clipper was a failure in another way as well. An AT&T researcher, Matt Blaze, discovered a way to spoof the system so that communications were encrypted without the government having access to the keys.[106]
A decade later a group of researchers, including Blaze, found flaws in wiretapping technologies that allowed the tapped party to manipulate the wiretapping, disabling pen registers and disrupting wiretaps. The techniques were similar in style to the 1960s blue-box attacks, in which the hacker would spoof the phone system by sending a false signal of the correct frequency down the line. The flaws exploited the fact that analog decoders for dialed-digit signals have manufacturer-dependent built-in tolerances for reading the dialed signal. Law enforcement wiretap equipment was not sensitive to all the different tones, and the wiretapping equipment made mistakes when received signals were at the edge of the tolerance limits. The researchers were able to deceive law enforcement pen registers into believing the number dialed was 215-898-5000 (Matt Blaze) rather than 987-654-3210 (Tony Soprano).[107] This means that criminals could manipulate pen-register information to finger innocent parties and/or clear themselves. In these systems, law enforcement equipment used a single in-band channel to carry signaling information rather than having separate call content and call data channels. Thus the wiretapping system could be fooled through a target's false use of a signal of the right frequency to signal that the call was "idle."[108]
Nor was this the only problem in implementing CALEA. As has already been discussed earlier in this chapter, there are also problems in the auditing systems the FBI developed for remote delivery of wiretaps and pen registers in DCS3000, resulting in weak cryptographic systems for securing auditing data,[109] permissions, auditing formats that could easily be spoofed, and so on.
In 2010 an IBM researcher, Tom Cross, described major security holes he had found in a Cisco wiretapping architecture for IP networks;[110] the architecture was designed based on standards published by the European Telecommunications Standards Institute (ETSI) for law enforcement telecommunications interception. Systems based on the Cisco architecture were already being used by service providers throughout the world.
Cross showed that it was easy to spoof the system to allow unauthorized parties to receive intercepted communications. With relatively little effort, a criminal could produce a request for interception that had a valid username and password, thus enabling him to get the fruits of a wiretap.[111] To make matters worse, audit mechanisms for detecting unauthorized use of the interception mechanism were inadequate and easily bypassed.[112] As the IETF Network Working Group had both predicted and feared, wiretapping systems create security risks.
Aside from two people walking into a field out of the range of potential eavesdroppers and parabolic microphones, there is no communications security. As the NSA once put it, "No deliberate transmission is free from the possibility of hostile interception," for if a communication were really uninterceptible, then "the intended recipient, your own distant receiver, could not pick it up."[113] Clearly interception of some transmissions is easier than others. Whether communications are targeted is a combination of the ease of targeting and the value of the information gained.
Just as every electronic communication runs the risk of being intercepted, so does every interception capability run the risk of being exploited. The lessons from the ways interception systems can be fooled should teach us about the risks of fielding them. A critical lesson to be learned is that the efficacy of interception systems must be weighed against the increased risk that one's own communications may be exploited.
The internationalization of the supply chain adds risks.[114] A problem that recently came to light concerned corrupted Seagate hard drives manufactured in China. They came equipped with a virus that searched for passwords to online games, sending them to a server in China.[115] What if these hard drives, rather than sending passwords for online games, had been sending bank or email account passwords instead? The quantity of data leaked was small and, unless it is specifically looked for, unlikely to be uncovered.
A generation ago the telephone company was AT&T, and interception was done by placing a "friendly" line between the telephone switch and the subscriber (recall that a friendly line is one used for monitoring; it feeds directly into a secure location). The risks from corrupted software and corrupted suppliers were essentially nonexistent. (This was not true outside the United States, however.) That is no longer true today. Foreign-manufactured switches are often less expensive than U.S.-manufactured ones. Federal purchasing rules require that government agencies buy from the lowest bidder, so intelligence agents take apart the systems to check for bugs before deploying them.[116] But do the small phone companies and ISPs do this? Large corporations have security offices that perform due diligence on the security of their communications infrastructure. Small companies do not have the resources and are not likely to check whether their communication providers, often low bidders, have secured their networks. That is simply not an issue that businesses are accustomed to raising.
Another risk comes from outsourcing interception. While the large carriers such as Verizon and AT&T can easily manage the law's surveillance requirements, there are 3,400 wireless carriers in the United States. Many of them are too small to develop a system for secure delivery of wiretapped signals to law enforcement, so they outsource. Largely they outsource to major suppliers such as Ericsson, but a security risk exists anytime a new party is introduced into the wiretapping equation. The bottom line is that the business of wiretapping has grown more complex. In so doing, it has introduced new potential for error.
8.8 Security Has to Be Built into the System
Nowhere is communications security more important than for the military during wartime. The surprise attack on Pearl Harbor succeeded because the Japanese strike force of aircraft carriers, destroyers, and battleships maintained radio silence during their thirteen-day trip across the Pacific.[117] Yet even the military has trouble getting troops to follow through on communications security. An NSA history of military communications during the Vietnam War observed that "no matter how dramatic the evidence of threat, if we simply go out and say, 'Stop using your black telephone,' it's likely to be effective for two weeks."[118] Old habits reasserted themselves.
It was clear that the enemy could eavesdrop on tactical communications of U.S. soldiers in the field, but service members did not believe that the North Vietnamese Army or the Viet Cong would actually monitor these communications. When it was shown that the enemy was doing so, the U.S. soldiers argued that "[the enemy] couldn't understand us, especially given our arcane tactical communications jargon." Or that, if the Vietnamese could comprehend the import of the eavesdrops, they were not in a position to exploit the information. Even when U.S. forces captured an entire Vietnamese unit devoted to communications interception, with radios, intercept operators, and linguists filled with "transcriptions of thousands of US tactical voice communications with evidence that their operators were able to break our troops' home-made point-origin, thrust line, and shackle codes in real time," the communications security situation of the U.S. forces did not improve. The American combatants simply did not like the NSA-supplied secure communications equipment, but, since they had to communicate, they did so, insecurely.[119]