Tuesday, December 01, 2009

8 Million Reasons for Real Surveillance Oversight

Disclaimer: The information presented here has been gathered and analyzed in my capacity as a graduate student at Indiana University. This data was gathered and analyzed on my own time, without using federal government resources. This data, and the analysis I draw from it will be a major component of my PhD dissertation, and as such, I am releasing it in order to receive constructive criticism on my theories from other experts in the field. The opinions I express in my analysis are my own, and do not reflect the views of the Federal Trade Commission, any individual Commissioner, or any other individual or organization with which I am affiliated.

UPDATE 12/3/2009 @ 12:20PM: I received a phone call from an executive at TeleStrategies, the firm who organized the ISS World conference. He claimed that my recordings violated copyright law, and asked that I remove the mp3 recordings of the two panel sessions, as well as the YouTube/Vimeo/Ikbis versions I had embedded onto this blog. While I believe that my recording and posting of the audio was lawful, as a good faith gesture, I have taken down the mp3s and the .zip file from my web hosting account, and removed the files from Vimeo/YouTube/Ikbis.

Executive Summary

Sprint Nextel provided law enforcement agencies with its customers' (GPS) location information over 8 million times between September 2008 and October 2009. This massive disclosure of sensitive customer information was made possible due to the roll-out by Sprint of a new, special web portal for law enforcement officers.

The evidence documenting this surveillance program comes in the form of an audio recording of Sprint's Manager of Electronic Surveillance, who described it during a panel discussion at a wiretapping and interception industry conference, held in Washington DC in October of 2009.

It is unclear if Federal law enforcement agencies' extensive collection of geolocation data should have been disclosed to Congress pursuant to a 1999 law that requires the publication of certain surveillance statistics -- since the Department of Justice simply ignores the law, and has not provided the legally mandated reports to Congress since 2004.

Introduction

"[Service providers] have, last time I looked, no line entry in any government directory; they are not an agent of any law enforcement agency; they do not work for or report to the FBI; and yet, you would never know that by the way law enforcement orders them around and expects blind obedience."
-- Albert Gidari Jr., Keynote Address: Companies Caught in the Middle, 41 U.S.F. L. Rev. 535, Spring 2007.

"The reason we keep [search engine data] for any length of time is one, we actually need it to make our algorithms better, but more importantly, there is a legitimate case of the government, or particularly the police function or so forth, wanting, with a Federal subpoena and so forth being able to get access to that information."
-- Eric Schmidt, CEO of Google, All Things Considered, NPR interview between 5:40 and 6:40, October 2, 2009.

Internet service providers and telecommunications companies play a significant, yet little known role in law enforcement and intelligence gathering.

Government agents routinely obtain customer records from these firms, detailing the telephone numbers dialed, text messages, emails and instant messages sent, web pages browsed, the queries submitted to search engines, and of course, huge amounts of geolocation data, detailing exactly where an individual was located at a particular date and time.

These Internet/telecommunications firms all have special departments, many open 24 hours per day, whose staff do nothing but respond to legal requests. Their entire purpose is to facilitate the disclosure of their customers' records to law enforcement and intelligence agencies -- all following the letter of the law, of course.

'Juking' the stats

If you were to believe the public surveillance statistics, you might come away with the idea that government surveillance is exceedingly rare in the United States.

Every year, the US Courts produce the wiretap report which details every 'intercept' order requested by Federal, state and local law enforcement agencies during that year. Before the police, FBI, DEA or other law enforcement agents can tap a phone, intercept an Internet connection, or place a covert bug into a suspect's home, they must obtain one of these orders, which law professor and blogger Orin Kerr describes as a "super warrant," due to the number of steps the government must go through in order to obtain one.

The official wiretap reports reveal that there are approximately 2000 intercept orders sought and approved by judges each year.



As you might expect, the vast majority of these intercept orders are for phone wiretaps. Thus, for example, of the 1891 intercept orders granted in 2008, all but 134 of them were issued for phone taps.



The number of electronic intercept orders, which are required to intercept Internet traffic and other computer assisted communications is surprisingly low. There were just 10 electronic intercept orders requested in 2008, and only 4 of those were from the Federal government -- which was itself a massive increase over the one single order sought by the entire Department of Justice in both 2006 and 2007.



This graph, and the information contained within it, simply does not make sense. The number of electronic intercepts should, like the number of phone wiretaps, be going up over time, as more people purchase computers, and as criminals or other persons of government interest start to use computers to communicate and plan their business activities. Why were there almost 700 total (federal and state) electronic intercept orders obtained in 1998, but only 10 in 2008?

While I have no way of proving it, I suspect that there have never been a large amount of electronic intercept orders obtained in order to monitor computer communications. The electronic intercept orders, as reported by the US Courts, include those used to monitor computers, fax machines, and pagers. The wiretap report doesn't break down the numbers for these individual technologies -- but I suspect that the nearly 700 electronic intercept orders granted in 1998 were largely for fax machines and pagers. Thus, as these technologies died out, it is only natural that the number of electronic intercept orders declined

That still leaves us with one large question though: How often are Internet communications being monitored, and what kind of orders are required in order to do so.

The stats don't cover all forms of law enforcement surveillance

As I described at the beginning of this article, the government routinely obtains customer records from ISPs detailing the telephone numbers dialed, text messages, emails and instant messages sent, web pages browsed, the queries submitted to search engines, and geolocation data, detailing exactly where an individual was located at a particular date and time.

However, while there are many ways the government can monitor an individual, very few of these methods require an intercept order.

In general, intercept orders are required to monitor the contents of real time communications. Non-content information, such as the To/From and Subject lines for email messages, URLs of pages viewed (which includes search terms), and telephone numbers dialed can all be obtained with a pen register/trap & trace order.

While wiretaps require a "superwarrant" which must be evaluated and approved by a judge following strict rules, government attorneys can obtain pen register orders by merely certifying that the information likely to be obtained is relevant to an ongoing criminal investigation -- a far lower evidentiary threshold.

In addition to the fact that they are far easier to obtain, pen register orders are also not included in the annual US courts wiretap report. Not to fear though -- a 1999 law requires that the Attorney General compile annual statistics regarding DOJ's use of pen register orders, which he must submit to Congress.

Unfortunately, the Department of Justice has ignored this law since 2004 -- when five years worth of reports were provided to Congress in the form of a single document dump covering 1999-2003. Since that one submission, both Congress and the American people have been kept completely in the dark regarding the Federal government's extensive use of pen registers.



Since we don't have any pen register stats for the last five years, it is difficult to do a current comparison. However, for the five years worth of data that we do have, it is possible to make a few observations.

First, in 2003, Federal agents used 15 times more pen registers and trap & traces than intercepts. Perhaps this was because each of the 578 Federal intercept orders obtained in 2003 had to be thoroughly evaluated and then approved by a judge, while the 5922 pen registers or 2649 trap & trace devices each received a cursory review at best.

Second, the number of pen registers and trap & trace orders went down after 9/11, at a time when the FBI and other parts of DOJ were massively increasing their use of surveillance. 4210 pen registers were used in 2000, 4172 in 2001, and 4103 in 2002.

It is important to note that these numbers only reveal part of the picture, as these statistics only cover the use of pen registers/trap & traces by the Department of Justice. There are no public stats that document the use of these surveillance methods by state or local law enforcement. Likewise, these stats only cover the requests made for law enforcement purposes -- pen register surveillance performed by the intelligence community isn't reported, even in aggregate form.

Stored Communications

The reporting requirements for intercepts and pen registers only apply to the surveillance of live communications. However, communications or customer records that are in storage by third parties, such as email messages, photos or other files maintained in the cloud by services like Google, Microsoft, Yahoo Facebook and MySpace are routinely disclosed to law enforcement, and there is no legal requirement that statistics on these kinds of requests be compiled or published.

There is currently no way for academic researchers, those in Congress, or the general public to determine how often most email, online photo sharing or social network services deliver their customers' data to law enforcement agents.

While these firms deliver sensitive customer data to government agents on a daily basis, they go out of their way to avoid discussing it.
"As a matter of policy, we do not comment on the nature or substance of law enforcement requests to Google."

"We do not comment on specific requests from the government. Microsoft is committed to protecting the privacy of our customers and complies with all applicable privacy laws."

"Given the sensitive nature of this area and the potential negative impact on the investigative capabilities of public safety agencies, Yahoo does not discuss the details of law enforcement compliance. Yahoo responds to law enforcement in compliance with all applicable laws."
Only Facebook and AOL have publicly disclosed the approximate number of requests they receive from the government -- 10-20 requests per day and 1000 requests per month, respectively.

Follow the money

"When I can follow the money, I know how much of something is being consumed - how many wiretaps, how many pen registers, how many customer records. Couple that with reporting, and at least you have the opportunity to look at and know about what is going on.
-- Albert Gidari Jr., Keynote Address: Companies Caught in the Middle, 41 U.S.F. L. Rev. 535, Spring 2007.
Telecommunications carriers and Internet firms do not just hand over sensitive customer information to law enforcement officers. No -- these companies charge the government for it.

Cox Communications, the third largest cable provider in the United States, is the only company I've found that has made its surveillance price list public. Thus, we are able to learn that the company charges $2,500 for the first 60 days of a pen register/trap and trace, followed by $2,000 for each additional 60 days, while it charges $3,500 for the first 30 days of a wiretap, followed by $2,500 for each additional 30 days. Historical data is much cheaper -- 30 days of a customer's call detail records can be obtained for a mere $40.

Comcast does not make their price list public, but the company's law enforcement manual was leaked to the Internet a couple years ago. Based on that 2007 document, it appears that Comcast charges at least $1000 for the first month of a wiretap, followed by $750 for each month after that.

In the summer of 2009, I decided to try and follow the money trail in order to determine how often Internet firms were disclosing their customers' private information to the government. I theorized that if I could obtain the price lists of each ISP, detailing the price for each kind of service, and invoices paid by the various parts of the Federal government, then I might be able to reverse engineer some approximate statistics. In order to obtain these documents, I filed Freedom of Information Act requests with every part of the Department of Justice that I could think of.

The first agency within DOJ to respond was the U.S. Marshals Service (USMS), who informed me that they had price lists on file for Cox, Comcast, Yahoo! and Verizon. Since the price lists were provided to USMS voluntarily, the companies were given the opportunity to object to the disclosure of their documents. Neither Comcast nor Cox objected (perhaps because their price lists were already public), while both Verizon and Yahoo! objected to the disclosure.

I then filed a second request, asking for copies of the two firms' objection letters. Those letters proved to be more interesting than the price lists I originally sought.

Click here for the complete Verizon price list letter.
Click here for the complete Yahoo! price list letter.

First, Verizon revealed in its letter that it "receives tens of thousands of requests for customer records, or other customer information from law enforcement."


Assuming a conservative estimate of 20,000 requests per year, Verizon alone receives more requests from law enforcement per year than can be explained by any published surveillance statistics. That doesn't mean the published stats are necessarily incorrect -- merely that most types of surveillance are not reported.

In its letter, Verizon lists several reasons why it believes that its price list should remain confidential. Of these reasons -- two stand out. First, the company argues, customers might "become unnecessarily afraid that their lines have been tapped, or call Verizon to ask if their lines are tapped (a question we cannot answer.)"

The second interesting reason is that:
"Our pricing schedules reveal (for just two examples) that upon the lawful request of law enforcement we are able to [redacted by USMS]. In cooperation with law enforcement, we do not release that information to the general public out of concern that a criminal may become aware of our capabilities, see a change in his service, correctly assume that the change was made at the lawful request of law enforcement and alter his behavior to thwart a law enforcement investigation."

I'm not sure what capabilities this section is referring to -- but I'd love to find out more.

Yahoo!'s letter is far less exciting, and doesn't even hint at the number of requests that the company receives. There is one interesting tidbit in the letter though:
"It is reasonable to assume from these comments that the [pricing] information, if disclosed, would be used to "shame" Yahoo! and other companies -- and to "shock" their customers. Therefore, release of Yahoo!'s information is reasonably likely to lead to impairment of its reputation for protection of user privacy and security, which is a competitive disadvantage for technology companies."



Geolocation

"Federal officials are routinely asking courts to order cellphone companies to furnish real-time tracking data so they can pinpoint the whereabouts of drug traffickers, fugitives and other criminal suspects, according to judges and industry lawyers." Ellen Nakashima, Cellphone Tracking Powers on Request, The Washington Post, November 23, 2007.

"Law enforcement routinely now requests carriers to continuously 'ping' wireless devices of suspects to locate them when a call is not being made ... so law enforcement can triangulate the precise location of a device and [seek] the location of all associates communicating with a target."
-- Christopher Guttman-McCabe, vice president of regulatory affairs for CTIA -- the Wireless Association, in a July 2007 comment to the Federal Communications Commission.

As mobile phones have become ubiquitous, the law enforcement community has learned to leverage the plentiful, often real-time location information that carriers can be compelled to provide. Location requests easily outnumber wiretaps, and as this article will reveal, likely outnumber all other forms of surveillance request too.

In terms of legal requirements, this information can often be gained through the use of a hybrid order, combining a Stored Communications Act request and a Pen Register request. As noted before, the former law has no reporting requirement, and the law requiring reports for the Pen Register requests has been ignored by the Department of Justice since 2004.

In March of this year, telecommunications lawyer Al Gidari, who represents many of the major telcos and ISPs, gave a talk at the Berkman Center at Harvard University. During his speech, he revealed that each of the major wireless carriers receive approximately 100 requests per week for customers' location information.

100 requests per week * 4 wireless major carriers (Sprint, Verizon, AT&T, T-Mobile) * 52 weeks = 20k requests per year.

While Gidari's numbers were shocking when I first heard them, I now have proof that he significantly underestimated the number of requests by several orders of magnitude.

Hanging with the spooks

Several times each year, in cities around the globe, representatives from law enforcement and intelligence agencies, telecommunications carriers and the manufacturers of wiretapping equipment gather for a closed door conference: ISS World: Intelligence Support Systems for Lawful Interception, Criminal Investigations and Intelligence Gathering.

ISS World is no stranger to the privacy community. Back in 2000, FBI agents showed off a prototype of the Carnivore interception system to attendees at ISS World. Days later, stories appeared in both the Wall Street Journal and The New York Times after one attendee leaked information to the press.

ISS World had been on the list of events that I'd wanted to attend for a long time, even moreso after my research interests started to focus on government surveillance. Thus, in October of this year, just a month after moving to Washington DC, I found myself at the Washington DC Convention Center, attending ISS World.

Looking around at the name badges pinned to the suits milling around the refreshment area, it really was a who's who of the spies and those who enable their spying. Household name telecom companies and equipment vendors, US government agencies (both law enforcement and intel). Also present were representatives from foreign governments -- Columbia, Mexico, Algeria, and Nigeria, who, like many of the US government employees, spent quite a bit of time at the vendor booths, picking up free pens and coffee mugs while they learned about the latest and greatest surveillance products currently on the market.

The main draw of the event for me was two panel discussions: A presentation on "Regulatory and CALEA Issues Facing Telecom Operators Deploying DPI Infrastructure", and a "Telecom Service Providers Roundtable Discussions"

Not knowing ahead of time what the speakers would say, and not wanting to be called a liar if I later cited an interesting quote in a research paper, I decided to make an audio recording of the two panels.

One wireless company, 50 million customers, 8 million law enforcement requests for customer GPS information in one year

Both panels are fascinating, and worth listening to in full.
Click here for an mp3 of the complete the Deep Packet Inspection Panel.
Click here for mp3 of entire telecom panel.

However, by far the most jaw-dropping parts of the telecom service providers roundtable were the following quotes:
"[M]y major concern is the volume of requests. We have a lot of things that are automated but that's just scratching the surface. One of the things, like with our GPS tool. We turned it on the web interface for law enforcement about one year ago last month, and we just passed 8 million requests. So there is no way on earth my team could have handled 8 million requests from law enforcement, just for GPS alone. So the tool has just really caught on fire with law enforcement. They also love that it is extremely inexpensive to operate and easy, so, just the sheer volume of requests they anticipate us automating other features, and I just don't know how we'll handle the millions and millions of requests that are going to come in.
-- Paul Taylor, Electronic Surveillance Manager, Sprint Nextel.

"In the electronic surveillance group at Sprint, I have 3 supervisors. 30 ES techs, and 15 contractors. On the subpoena compliance side, which is anything historical, stored content, stored records, is about 35 employees, maybe 4-5 supervisors, and 30 contractors. There's like 110 all together."
-- Paul Taylor, Electronic Surveillance Manager, Sprint Nextel, describing the number of employees working full time to comply with requests for customer records.

"Cricket doesn't have as many subscribers so our numbers are going to be less. I think we have 4.5 - 5 million subscribers. We get approximately 200 requests per calendar day, and that includes requests for records, intercepts. We don't have the type of automation they do, and we can't do the location specificy that they can, because we don't have GPS."
-- Janet A. Schwabe, Subpoena Compliance Manager, Cricket Communications

"Nextel's system, they statically assign IP addresses to all handsets ... We do have logs, we can go back to see the IP address that used MySpace. By the way - MySpace and Facebook, I don't know how many subpoenas those people get, or emergency requests but god bless, 95% of all IP requests, emergencies are because of MySpace or Facebook... On the Sprint 3G network, we have IP data back 24 months, and we have, depending on the device, we can actually tell you what URL they went to ... If [the handset uses] the [WAP] Media Access Gateway, we have the URL history for 24 months ... We don't store it because law enforcement asks us to store it, we store it because when we launched 3G in 2001 or so, we thought we were going to bill by the megabyte ... but ultimately, that's why we store the data ... It's because marketing wants to rifle through the data."
-- Paul Taylor, Electronic Surveillance Manager, Sprint Nextel.

"Two or three years ago, we probably had less than 10% of our requests including text messaging. Now, over half of all of our surveillance includes SMS messaging."
-- Paul Taylor, Electronic Surveillance Manager, Sprint Nextel.


Conclusion

As the information presented in this article has demonstrated, the publicly available law enforcement surveillance statistics are, at best misleading, and at worst, deceptive. It is simply impossible to have a reasonable debate amongst academics, public policy makers, and members of the public interest community when the very scale of these surveillance programs is secret.

As an example, consider the following quote from the November 4, 2009 markup hearing of the House Judiciary Committee, which is currently considering a bill to expand the government's PATRIOT Act surveillance powers. During the hearing, Rep. Lamar Smith, the Ranking (Minority) Member said the following:
Unlike other tools which actually collect content, such as wiretaps, pen registers and trap-and-trace devices merely request outgoing and incoming phone numbers. Because the government cannot collect any content using pen registers, a minimization requirement makes no sense. What is there is there to minimize?
After reading this article, it should be clear to the reader that pen registers and trap & trace devices are used for far more than just collecting phone numbers dialed. They are used to get email headers (including To, From and Subject lines), the URLs of web pages viewed by individuals, and in many situations, they are used (along with a Stored Communications Act request) to get geolocation information on mobile phone users.

The reason I'm quoting Rep. Smith isn't to poke fun at his expense, but to make a serious point. How can we have a serious public debate about law enforcement surveillance powers, when the senior most Republican on the committee responsible for the oversight of those powers doesn't understand how they are being used? Likewise, this paragraph should by no means be read as an attack on Rep. Smith. How can he be expected to understand the extensive modern use of pen registers, when the Department of Justice continues to break the law by failing to provide yearly statistics on the use of pen registers to Congress?

My point is this: The vast majority of the government's access to individuals' private data is not reported, either due to a failure on DOJ's part to supply the legally required statistics, or due to the fact that information regarding law enforcement requests for third party stored records (such as email, photos and other data located in the cloud) is not currently required to be collected or reported.

As for the millions of government requests for geo-location data, it is simply disgraceful that these are not currently being reported...but they should be.