Tuesday, June 15, 2010

DOJ's surveillance reporting failure

In both 2004 and 2009, the US Department of Justice provided Congress with a "document dump" covering 5 years of Pen Register and Trap & Trace surveillance reports. Although the law clearly requires the Attorney General to submit annual reports to Congress, DOJ has not done so, nor has it provided any reason for its repeated failure to submit the reports to Congress in a timely manner, as the law requires.

Professor Paul Schwartz, who first highlighted DOJ's pen register reporting deficiencies in a law review article, has argued that the lack of timely reporting creates "blank spaces on the map of telecommunications surveillance law."

In his 2008 article, Schwartz stated:

[T]he reports do not appear to have been made annually, but as one document dump with five years of reports in November 2004. The reports also fail to detail all of the information that the Pen Register Act requires to be shared with Congress.
The cover letter for the 2004 document dump to Congress can be seen embedded below, and the yearly reports (later obtained through a FOIA request by the Electronic Frontier Foundation) can be viewed here: 1999, 2000, 2001, 2002, 2003.



Unfortunately, it appears that after the 2004 document dump, DOJ went back to its old ways, and stopped providing the reports to Congress. As a result, in April 2009, the Electronic Privacy Information Center wrote a letter to Senator Leahy, to ask him to look into the issue.

There is no indication that the DOJ provided annual pen register reports to Congress for 2004, 2005, 2006, 2007, or 2008. This failure would demonstrate ongoing, repeated breaches of the DOJ's statutory obligations to inform the public and the Congress about the use of electronic surveillance authority....

We request that you ask the Attorney General to make public pen register and trap and trace reports from 2004 through the present, and to publicly disclose all future reports as a matter of course. This might be accomplished by requiring the DOJ to submit the annual pen register reports to the Administrative Office of the U.S. Courts, which has a proven track record of reliably collecting and publicly disseminating similar statistics regarding wiretap orders.

Earlier this year, I obtained (via a FOIA request) copies of the reports for the years 2004-2008. I also obtained the cover letter that DOJ sent to members of Congress in October of 2009, attached to the reports. The wording of the October 2009 letter is practically identical to the letter that accompanied the 2004 document dump, suggesting that DOJ failed to comply with the annual reporting requirements in 2005, 2006, 2007 and 2008.



Based on 10 years of repeated failures, it seems clear that the Department of Justice is unable to supply Congress with annual reports for pen register and trap & trace surveillance. As such, I think it is time for Congress to take a serious look at this problem, and consider shifting the responsibility for the reporting to the Administrative Office of the U.S. Courts, which has a proven track record of reliably collecting and publicly disseminating similar statistics regarding wiretap orders.

In a forthcoming law review article, I dig through the currently published surveillance statistics, and find many of them to be woefully lacking. I also propose several ways that Congress could overhaul the reporting requirements. Hopefully, if Congress does look into this issue, they will expand the scope of their inquiry to cover all surveillance reporting, and not just the pen register reports.

While my article is still in very rough shape, I've extracted the section on surveillance statistics, and included it here. I'd love feedback.

Tuesday, April 20, 2010

In Praise of Google

Regular readers of this blog will know that I have long been a vocal critic of Google. Today, in response to the news that the company has published stats on the number of requests it receives from governments for private user data, I have nothing but praise for the company.

Until this announcement, the privacy community in the United States had just four data points regarding the scale of government requests to Internet and telecommunications providers: A 2006 New York Times article revealing that AOL was getting 1000 requests regarding criminal and civil cases per month; a 2009 Newsweek article revealing that Facebook was getting 10-20 police requests per day; a 2009 letter from Verizon's general counsel in response to a FOIA request that I filed, revealing that the company gets "tens of thousands of requests for customer records and other customer information from law enforcement" per year; and Sprint's 2009 disclosure at a surveillance industry conference that it let law enforcement agencies initiate 8 million GPS pings as part of "thousands" of requests for its customers' location data.

Google's new Government Requests Tool quite simply blows away the competition in terms of sharing useful information about governments' ever growing appetite for individuals' private data, and in particular, per-country level transparency.

Just a few weeks ago, one of Microsoft's lawyers told Wired News that "We would like to see more transparency across the industry ... But no one company wants to stick its head up to talk about numbers."

It seems that at least one company has now bravely stuck its head up by disclosing these numbers. Hopefully, the other big Internet firms will see the positive press that Google received from this move, and voluntarily follow Google's lead.

What other data do we need?

Hopefully, Google will share even more detailed data on government requests in the future. In particular, I'd like to know the following:

  1. How many requests from the government were under exigent or emergency circumstances, in which there was no accompanying subpoena, search warrant or other court order? In such situations, the company is permitted to voluntarily disclose data to the government, but is under no legal obligation to do so. Thus, it is also important to know how many times the company refused these requests.
  2. Of the government requests that Google received, how many were subpoenas, search warrants, 2703(d) orders, "hybrid" location requests, and electronic intercept/wiretap orders?
  3. For each of these categories of government requests, how many did the company comply with, and how many did the company go to court to fight?
  4. For each of these categories of requests, how many (or a %) were by local, state or federal agencies?
  5. For each of these categories of requests, what kind of information was being asked for? (e.g. 15% of requests were for search records, 50% were for email, 20% for GPS location info, etc).
  6. What is the median and mean age of the customer information requested by and disclosed to law enforcement? (e.g. Are most requests for private user data that is a week old, or 200 days old?)

Making sense of the numbers

Let us imagine that over the next few months, Microsoft, Yahoo, Facebook, Apple, Skype, Comcast, AT&T, Verizon, Sprint and T-Mobile follow Google's lead and publish these stats. While this will be a great source of information for researchers, for those in Congress who are considering an update to the Electronic Communications Privacy Act, and for concerned citizens wishing to observe the rate of transformation of this country into a surveillance state, these statistics won't actually be that useful to privacy conscious consumers wishing to make a wise choice in picking a service provider.

As a hypothetical example, if Yahoo receives 6000 requests for customer email data per year and Google receives 3000 requests, what does that mean? How should consumers interpret it if they wish to vote with their feet, and pick an ISP that will best protect their privacy?

Unfortunately, the number of requests a company receives doesn't really reveal how much the company values user privacy -- it merely reveals how often government agencies are willing to type up a subpoena and fax it off. Furthermore, while companies may be willing to fight unreasonable requests, if the request is lawful, even the most pro-privacy company can't do much to protect its customers.

At the end of the day, what matters most is the privacy enhancing technologies that companies build into their products -- such as minimal/no data retention and the use of encryption with a key only known to the user -- which effectively neutralize the ability of governments to compel service providers into violating their customers' privacy.

Transparency is great -- but meaningful competition on privacy will come through privacy enhancing technologies, baked into products, enabled by default.

Disclaimer: These are my own personal views, and do not reflect those of any other individual or organization with which I am affiliated.

Wednesday, March 24, 2010

New paper

My latest paper, co-authored with Sid Stamm, is now online:

Certified Lies: Detecting and Defeating Government Interception Attacks Against SSL

The abstract:

This paper introduces a new attack, the compelled certificate creation attack, in which government agencies compel a certificate authority to issue false SSL certificates that are then used by intelligence agencies to covertly intercept and hijack individuals' secure Web-based communications. We reveal alarming evidence that suggests that this attack is in active use. Finally, we introduce a lightweight browser add-on that detects and thwarts such attacks.

The first paragraph describing the threat:
A pro-democracy dissident in China connects to a secure web forum hosted on servers outside the country. Relying on the training she received from foreign human rights groups, she makes certain to look for the SSL encryption lock icon in her web browser, and only after determining that the connection is secure does she enter her login credentials and then begin to upload materials to be shared with her colleagues. However, unknown to the activist, the Chinese government is able to covertly intercept SSL encrypted connections. Agents from the state security apparatus soon arrive at her residence, leading to her arrest, detention and violent interrogation. While this scenario is fictitious, the vulnerability is not.


We are hoping to release the CertLock browser add-on described in the paper in the next few weeks. In the meantime, we welcome any feedback on our paper.

In general, the SSL/Certificate Authority system is horribly broken, and it needs to be fixed. However, broken SSL is still better than no SSL -- which is why the big name email providers, social networks and any other site that handles sensitive data needs to step up and protect their users.
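The reason ordinary certificate validation does not catch the attack in the abstract is that a compelled certificate is valid: it chains to a root the browser already trusts. What a client can still notice is that a site it has visited before suddenly presents a different public key, issued under a root CA in a country it has never seen for that site. The following is an added example of that heuristic, written for this page; it is not CertLock's source and does not come from the paper, and every hostname, key digest, CA name and country code in it is constructed sample data. The `CertObservation` fields are what a client would already have in hand after a successful TLS handshake.

```python
"""Trust-on-first-use tracking of a site's certificate issuer.

Illustrative code added to this page, not CertLock's own logic. It models
one heuristic for noticing a compelled certificate: the forged certificate
passes normal validation, so the signal is a changed public key under a
root CA in a country never seen before for that host. All data below is
constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum


@dataclass(frozen=True)
class CertObservation:
    """What a client records from an already-validated TLS leaf certificate."""
    host: str
    spki_sha256: str   # hex SHA-256 of the leaf's SubjectPublicKeyInfo (key pin)
    issuer_cn: str     # common name of the issuing CA
    root_country: str  # country code of the trusted root anchoring the chain


class Verdict(Enum):
    FIRST_SEEN = "first visit; trusting on first use"
    KEY_MATCH = "public key matches a certificate seen before"
    NEW_KEY_KNOWN_COUNTRY = "new key, but root CA country seen before (warn)"
    NEW_KEY_NEW_COUNTRY = "new key under a root CA in a never-seen country (alarm)"


@dataclass
class CertLockStore:
    """Per-host history of accepted certificates, oldest first."""
    seen: dict[str, list[CertObservation]] = field(default_factory=dict)

    def check(self, obs: CertObservation) -> Verdict:
        history = self.seen.setdefault(obs.host, [])
        if not history:
            history.append(obs)
            return Verdict.FIRST_SEEN
        if any(h.spki_sha256 == obs.spki_sha256 for h in history):
            return Verdict.KEY_MATCH
        if obs.root_country in {h.root_country for h in history}:
            # Renewals and CA switches inside one jurisdiction are routine;
            # record the new key and let the caller decide whether to warn.
            history.append(obs)
            return Verdict.NEW_KEY_KNOWN_COUNTRY
        # Deliberately NOT recorded: an alarm must not poison the history.
        return Verdict.NEW_KEY_NEW_COUNTRY


def allow_credentials(verdict: Verdict) -> bool:
    """The 'thwart' half: refuse to submit anything sensitive on an alarm."""
    return verdict is not Verdict.NEW_KEY_NEW_COUNTRY


def dissident_scenario() -> list[Verdict]:
    """Replays the threat paragraph above with constructed observations."""
    store = CertLockStore()
    forum = "forum.example.org"  # constructed hostname
    visits = [
        # Two ordinary visits: same key, root CA in country "US" (constructed).
        CertObservation(forum, "aa11" * 16, "Example Root CA 1", "US"),
        CertObservation(forum, "aa11" * 16, "Example Root CA 1", "US"),
        # Legitimate renewal: new key, different CA, same country.
        CertObservation(forum, "bb22" * 16, "Example Root CA 2", "US"),
        # Compelled certificate: valid chain, but the root sits in "CN"
        # (constructed stand-in for the intercepting state's jurisdiction).
        CertObservation(forum, "cc33" * 16, "Example Root CA 3", "CN"),
        # Back to the site's real certificate once the intercept ends.
        CertObservation(forum, "bb22" * 16, "Example Root CA 2", "US"),
    ]
    return [store.check(v) for v in visits]


if __name__ == "__main__":
    for v in dissident_scenario():
        print(f"{v.name:24} allow_credentials={allow_credentials(v)}")
```

Two limits of this approach are worth stating. A user with no history for a site gets no protection on the first visit, which is the usual trust-on-first-use weakness; and an agency that compels a CA in the same country as the site's habitual CA trips only the weaker warning, not the alarm. The history must also persist across browser sessions, or the first-visit gap reopens every restart.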

Monday, January 18, 2010

FOIA returns 91 invoices for Yahoo surveillance, 1 for Google

In June of 2009, I filed a Freedom of Information Act request with the US Marshals Service (USMS). That request asked for:

all records, invoices, memos and any other information detailing the amount of money paid by the U.S. Marshals Service to major providers of Internet based services to compensate them for the time and resources used in responding to subpoenas, warrants, pen registers, trap & trace requests, location information requests, and national security letters.

Essentially, I want to know how much the U.S. Marshals Service has paid for each type of surveillance and records request, and to whom. I also request any “price lists” detailing the standard prices for various forms of surveillance and records requests (per request, or hourly rates) for the various Internet companies.

At the very least, this request shall include documents relating to Skype (eBay), Apple, Google, Microsoft, Yahoo, Facebook, MySpace, America Online, AT&T, Verizon, Comcast, Sprint and T-Mobile.

Back in December, I published copies of letters sent to the USMS FOIA office by Verizon and Yahoo!, objecting to the disclosure of their surveillance price lists. Yahoo!'s formal objection, and its subsequent legal demand proved to be rather futile, as the company's law enforcement handbook made its way onto the Internet.

Those price lists were just one part of the FOIA request. I also sought copies of invoices for actual surveillance requests.

A few weeks ago, the US Marshals Service sent me 92 pages of invoices, covering three years worth of surveillance. Interestingly enough, while I asked for documents relating to every major ISP, the only documents they gave me related to Yahoo and Google. I have no idea why invoices for the other companies were not discovered and disclosed.

Those invoices can be downloaded here: part 1, part 2, part 3.

Analyzing the invoices

Of the 92 pages of invoices that I received, 91 were for Yahoo!, while only one invoice was for Google.

The single Google invoice is for a pen register/trap and trace. Google provided an individual subscriber's information, recent session logs (including IP address and timestamps), and header information for emails sent/received by the account. For this information, Google charged $25.

Of the 91 Yahoo! invoices, 62 are for "requests for subscriber information", which probably means Yahoo provided the name, address and IP addresses used by particular customers to check their email accounts. Per 18 USC 2703(c)(2), this information can be provided with a simple administrative subpoena. The prices for these requests range from $20 to $70.

Two other invoices were in response to "subpoenas". I am not sure what the difference is between these and requests for subscriber information.

A further 12 invoices were for "court orders for records", which I believe are 18 USC 2703 (d) orders, and which were likely used to obtain email in storage for more than 180 days (as well as for stored, sent emails and drafts).

12 invoices were for pen register and trap & trace requests (which can be used to get email headers), and three were for search warrants (which can be used to obtain email less than 180 days old).

Finally, as the handy spreadsheet provided by USMS makes clear, most of the invoices were not for round numbers, even though Yahoo's law enforcement manual states that subscriber records can be obtained for $20, and the contents of a subscriber account (including email) can be obtained for $30-$40. Instead, we see lots of invoices for $20.39, $20.41, $20.42, $30.41, $40.42, etc. That is, a round number followed by a ".39", ".41" or ".42".

Full credit goes to Julian Sanchez for figuring this out. By comparing the dates of the invoices to the prices listed, he determined that Yahoo! is charging the US Marshals Service for the cost of a stamp.

Each time the US Postal Service raised the cost of a first class stamp, the prices for Yahoo's requests went up by an identical number of pennies. Way to stick it to the man Yahoo!

I'm still waiting for the results of similar FOIAs filed with other parts of DOJ.




Disclaimer: The information presented here has been gathered and analyzed in my capacity as a graduate student at Indiana University. This data was gathered and analyzed on my own time, without using federal government resources. The opinions I express in my analysis are my own, and do not reflect the views of any other individual or organization with which I am affiliated.

Monday, January 04, 2010

Who is Neustar?

Brad Stone at the New York Times reports on an industry group working on a new platform for portable digital movie downloads:

The [Digital Entertainment Content Ecosystem or DECE] is setting out to create a common digital standard that would let consumers buy or rent a digital video once and then play it on any device... Under the proposed system, proof of digital purchases would be stored online in a so-called rights locker, and consumers would be permitted to play the movies they bought or rented on any DECE-compatible device.

[DECE is] selecting Neustar, a company based in Sterling, Va., to create the online hub that will store records of people’s digital purchases, with their permission.
Most consumers have likely never heard of Neustar, yet the firm plays an important role in the telecommunications industry, and has built a highly profitable business facilitating the disclosure of information regarding consumers' communications to law enforcement and intelligence agencies.

The company created and operates the Number Portability Administration Center (NPAC), which enables US and Canadian consumers to keep their phone number when they switch carriers. Each time a consumer attempts to transfer their number from one phone company to another, Neustar is involved, and thus, it has a database of every one of these transfers.

Neustar also provides law enforcement agencies with a web-based front-end (as well as an API) to access this database, enabling government agents to instantly determine which telecommunications company any particular phone number is assigned to. In a typical investigation, before law enforcement or intelligence agencies can obtain a suspect's call records, they must first contact Neustar in order to figure out which phone company he or she is using.

How many times a year does Neustar hand over information on individuals to law enforcement and intelligence agencies? Who knows. The company is not required to disclose this by law, and (as far as I know), has not disclosed any statistics to the general public.

On the firm's website, Neustar describes its LEAP service:
Savvy criminals stop at nothing to cover their tracks - including switching telephone carriers repeatedly. Fortunately, law enforcement professionals can now arm themselves with a powerful weapon against the most elusive perpetrators.

Neustar's Local Number Portability Enhanced Analytical Platform (LEAP) gives LEAs information about recent telephone number porting activity, so you're on the case faster than ever before. Whether your investigations involve pen registers, trap-and-trace, Title III wiretaps or Title 50 wiretaps, LEAP from Neustar puts you in control - and keeps perpetrators within reach.
Neustar also offers a turn-key service for firms that wish to outsource their own legal compliance departments. Telcos and ISPs that don't want to dedicate the manpower to dealing with wiretap, intercept and other surveillance requests from law enforcement and intelligence agencies can pay Neustar to do it for them. The company even has a fancy sales brochure describing the service in detail.

Who better to manage that legal compliance unit than Joel M. Margolis, a former Department of Justice/Drug Enforcement Administration attorney, who up until 2008, "served as DEA's legal representative on Department of Justice working groups responsible for matters of telecommunications legislation and regulation" and previously "advised [the] Federal Bureau of Investigation on the implementation of the CALEA (lawful surveillance) statute."

(The practice of hiring a former DOJ attorney to manage the group within a company responsible for receiving and responding to law enforcement and intelligence agency requests is actually rather common. Google, Microsoft, and MySpace have made similar hires.)

Back in October of 2009, I attended a surveillance industry conference in Washington DC, and taped several of the panels. One of the panel recordings already led to headlines just one month ago, regarding comments made by a Sprint employee discussing the extent of the firm's disclosure of customer GPS data to law enforcement agencies.

At the same conference, Mr. Margolis spoke on a panel discussing the methods by which law enforcement and intelligence agencies can compel Internet and telecom companies into using already deployed Deep Packet Inspection technology for intercepts. While I took down my copy of the audio recordings in response to a request from the conference organizers, the Electronic Frontier Foundation continues to mirror them here. Mr Margolis' comments are enlightening -- and highly recommended for anyone interested in surveillance and privacy related issues.

Something to consider

The main reason I highlight all this information regarding Neustar's various products and services is that I believe that privacy, and in particular, law enforcement access to consumer video purchase records, should be part of any serious debate regarding the Digital Entertainment Content Ecosystem.

To be clear - I have no reason to suspect that Neustar has done anything improper or illegal, and I am confident that the firm's lawyers know CALEA, Title III and the Patriot Act inside out.

However, I am concerned about the fact that Neustar has already built a business around facilitating law enforcement and intelligence agency access to consumer data (both the phone number portability data held by the firm, and its outsourced legal compliance unit), and I am not sure that consumers should be dependent on a firm of this type to protect their highly confidential video purchase and rental records.

As a technologist concerned about privacy, I'm really not keen on the idea of any firm which provides an easy to use API to law enforcement agencies holding any of my private data, particularly one which does not disclose any information on the number of law enforcement requests it receives, responds to, and more importantly, rejects and fights in court.

Because of the complete lack of statistical and other information regarding Neustar's disclosures to the government, consumers have no way of knowing how often, if ever, Mr. Margolis says no to his former colleagues at the US Department of Justice.

Will the movie studios and other entertainment companies disclose to consumers that they will provide detailed records for each individual's movie purchases to a company that pledges to put "[the police] in control - and keeps perpetrators within reach"?

I doubt it.

Disclaimer: These are my own personal views, and do not reflect those of any other individual or organization with which I am affiliated.