Monday, January 18, 2010

FOIA returns 91 invoices for Yahoo surveillance, 1 for Google

In June of 2009, I filed a Freedom of Information Act request with the US Marshals Service (USMS). That request asked for:
all records, invoices, memos and any other information detailing the amount of money paid by the U.S. Marshals Service to major providers of Internet based services to compensate them for the time and resources used in responding to subpoenas, warrants, pen registers, trap & trace requests, location information requests, and national security letters.

Essentially, I want to know how much the U.S. Marshals Service has paid for each type of surveillance and records request, and to whom. I also request any “price lists” detailing the standard prices for various forms of surveillance and records requests (per request, or hourly rates) for the various Internet companies.

At the very least, this request shall include documents relating to Skype (eBay), Apple, Google, Microsoft, Yahoo, Facebook, MySpace, America Online, AT&T, Verizon, Comcast, Sprint and T-Mobile.

Back in December, I published copies of letters sent to the USMS FOIA office by Verizon and Yahoo!, objecting to the disclosure of their surveillance price lists. Yahoo!'s formal objection, and its subsequent legal demand proved to be rather futile, as the company's law enforcement handbook made its way onto the Internet.

Those price lists were just one part of the FOIA request. I also sought copies of invoices for actual surveillance requests.

A few weeks ago, the US Marshals Service sent me 92 pages of invoices, covering three years' worth of surveillance. Interestingly enough, while I asked for documents relating to every major ISP, the only documents they gave me related to Yahoo and Google. I have no idea why invoices for the other companies were not discovered and disclosed.

Those invoices can be downloaded here: part 1, part 2, part 3.

Analyzing the invoices

Of the 92 pages of invoices that I received, 91 were for Yahoo!, while only one invoice was from Google.

The single Google invoice is for a pen register/trap and trace. Google provided an individual subscriber's information, recent session logs (including IP address and timestamps), and header information for emails sent/received by the account. For this information, Google charged $25.

Of the 91 Yahoo! invoices, 62 are for "requests for subscriber information", which probably means Yahoo provided the name, address and IP addresses used by a particular customer(s) to check their email account. Per 18 USC 2703(c)(2), this information can be provided with a simple administrative subpoena. The prices for these requests range from $20 to $70.

Two other invoices were in response to "subpoenas". I am not sure what the difference is between these and requests for subscriber information.

A further 12 invoices were for "court orders for records", which I believe are 18 USC 2703 (d) orders, and which were likely used to obtain email in storage for more than 180 days (as well as for stored, sent emails and drafts).

12 invoices were for pen register and trap & trace requests (which can be used to get email headers), and three were for search warrants (which can be used to obtain email less than 180 days old).

Finally, as the handy spreadsheet provided by USMS makes clear, most of the invoices were not for round numbers, even though Yahoo's law enforcement manual states that subscriber records can be obtained for $20, and the contents of a subscriber account (including email) can be obtained for $30-$40. Instead, we see lots of invoices for $20.39, $20.41, $20.42, $30.41, $40.42, etc. That is, a round number followed by a ".39", ".41" or ".42".

Full credit goes to Julian Sanchez for figuring this out. By comparing the dates of the invoices to the prices listed, he determined that Yahoo! is charging the US Marshals Service for the cost of a stamp.

Each time the US Postal Service raised the cost of a first class stamp, the prices for Yahoo's requests went up by an identical number of pennies. Way to stick it to the man, Yahoo!
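The stamp inference described above can be checked mechanically: split each invoice into a round base price and a cents surcharge, look up the first-class postage rate in force on the invoice date, and see whether the two agree. The script below is an added example, not code from the original post or from the USMS spreadsheet. The invoice lines in it are constructed for illustration, not real invoice data; the postage rate table is the historical first-class stamp schedule, used here as the reference the script checks against.

```python
from datetime import date
from decimal import Decimal

# US first-class stamp rates by effective date (cents). Historical values,
# included here as the reference schedule for the check below.
STAMP_RATES = [
    (date(2006, 1, 8), 39),
    (date(2007, 5, 14), 41),
    (date(2008, 5, 12), 42),
    (date(2009, 5, 11), 44),
]

# Constructed sample invoices ("YYYY-MM-DD,amount"), not real USMS data.
SAMPLE_INVOICES = [
    "2006-09-01,20.39",  # subscriber info, 39-cent stamp era
    "2007-08-15,20.41",  # subscriber info, 41-cent stamp era
    "2008-10-02,30.42",  # account contents, 42-cent stamp era
    "2008-12-15,40.42",  # account contents, 42-cent stamp era
    "2008-03-03,20.00",  # round-number invoice: no postage surcharge
    "2008-10-02,20.41",  # stale surcharge: does not match the rate in force
]


def stamp_rate_on(d):
    """Return the first-class rate (cents) in force on date d, or None if
    d predates the table."""
    rate = None
    for effective, cents in STAMP_RATES:
        if d >= effective:
            rate = cents
    return rate


def split_amount(amount_str):
    """Split '20.39' into (20, 39): the round base price and the cents
    surcharge. Decimal avoids floating-point error on the cents."""
    amount = Decimal(amount_str)
    dollars = int(amount)
    cents = int((amount - dollars) * 100)
    return dollars, cents


def analyze(invoice_lines):
    """For each 'date,amount' line, report the base price, the surcharge,
    the stamp rate in force on that date, and whether they agree."""
    rows = []
    for line in invoice_lines:
        date_str, amount_str = line.strip().split(",")
        d = date.fromisoformat(date_str)
        base, surcharge = split_amount(amount_str)
        stamp = stamp_rate_on(d)
        rows.append({
            "date": date_str,
            "base": base,
            "surcharge": surcharge,
            "stamp": stamp,
            "matches": surcharge == stamp,
        })
    return rows


def match_count(rows):
    """(matching, total): how many invoices fit the 'base + stamp' pattern."""
    return sum(r["matches"] for r in rows), len(rows)


if __name__ == "__main__":
    rows = analyze(SAMPLE_INVOICES)
    for r in rows:
        flag = "stamp" if r["matches"] else "?????"
        print(f"{r['date']}  ${r['base']:>3}.{r['surcharge']:02d}  "
              f"rate={r['stamp']}  {flag}")
    print("pattern fits %d of %d invoices" % match_count(rows))
```

Run against the real spreadsheet, the rows flagged "?????" are the ones worth a second look: round-number invoices with no surcharge, or invoices whose surcharge reflects a rate that was no longer in force on the invoice date.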

I'm still waiting for the results of similar FOIAs filed with other parts of DOJ.

Disclaimer: The information presented here has been gathered and analyzed in my capacity as a graduate student at Indiana University. This data was gathered and analyzed on my own time, without using federal government resources. The opinions I express in my analysis are my own, and do not reflect the views of any other individual or organization with which I am affiliated.

Monday, January 04, 2010

Who is Neustar?

Brad Stone at the New York Times reports on an industry group working on a new platform for portable digital movie downloads:
The [Digital Entertainment Content Ecosystem or DECE] is setting out to create a common digital standard that would let consumers buy or rent a digital video once and then play it on any device... Under the proposed system, proof of digital purchases would be stored online in a so-called rights locker, and consumers would be permitted to play the movies they bought or rented on any DECE-compatible device.

[DECE is] selecting Neustar, a company based in Sterling, Va., to create the online hub that will store records of people’s digital purchases, with their permission.
Most consumers have likely never heard of Neustar, yet the firm plays an important role in the telecommunications industry, and has built a highly profitable business facilitating the disclosure of information regarding consumers' communications to law enforcement and intelligence agencies.

The company created and operates the Number Portability Administration Center (NPAC), which enables US and Canadian consumers to keep their phone number when they switch carriers. Each time a consumer attempts to transfer their number from one phone company to another, Neustar is involved, and thus, it has a database of every one of these transfers.

Neustar also provides law enforcement agencies with a web-based front-end (as well as an API) to access this database, enabling government agents to instantly determine which telecommunications company any particular phone number is assigned to. In a typical investigation, before law enforcement or intelligence agencies can obtain a suspect's call records, they must first contact Neustar in order to figure out which phone company he or she is using.

How many times a year does Neustar hand over information on individuals to law enforcement and intelligence agencies? Who knows. The company is not required to disclose this by law, and (as far as I know), has not disclosed any statistics to the general public.

On the firm's website, Neustar describes its LEAP service:
Savvy criminals stop at nothing to cover their tracks - including switching telephone carriers repeatedly. Fortunately, law enforcement professionals can now arm themselves with a powerful weapon against the most elusive perpetrators.

Neustar's Local Number Portability Enhanced Analytical Platform (LEAP) gives LEAs information about recent telephone number porting activity, so you're on the case faster than ever before. Whether your investigations involve pen registers, trap-and-trace, Title III wiretaps or Title 50 wiretaps, LEAP from Neustar puts you in control - and keeps perpetrators within reach.
Neustar also offers a turn-key service for firms that wish to outsource their own legal compliance departments. Telcos and ISPs that don't want to dedicate the manpower to dealing with wiretap, intercept and other surveillance requests from law enforcement and intelligence agencies can pay Neustar to do it for them. The company even has a fancy sales brochure describing the service in detail.

Who better to manage that legal compliance unit than Joel M. Margolis, a former Department of Justice/Drug Enforcement Administration attorney, who up until 2008, "served as DEA's legal representative on Department of Justice working groups responsible for matters of telecommunications legislation and regulation" and previously "advised [the] Federal Bureau of Investigation on the implementation of the CALEA (lawful surveillance) statute."

(The practice of hiring a former DOJ attorney to manage the group within a company responsible for receiving and responding to law enforcement and intelligence agency requests is actually rather common. Google, Microsoft, and MySpace have made similar hires.)

Back in October of 2009, I attended a surveillance industry conference in Washington DC, and taped several of the panels. One of the panel recordings already led to headlines just one month ago, regarding comments made by a Sprint employee discussing the extent of the firm's disclosure of customer GPS data to law enforcement agencies.

At the same conference, Mr. Margolis spoke on a panel discussing the methods by which law enforcement and intelligence agencies can compel Internet and telecom companies into using already deployed Deep Packet Inspection technology for intercepts. While I took down my copy of the audio recordings in response to a request from the conference organizers, the Electronic Frontier Foundation continues to mirror them here. Mr. Margolis' comments are enlightening -- and highly recommended for anyone interested in surveillance and privacy related issues.

Something to consider

The main reason I highlight all this information regarding Neustar's various products and services is that I believe that privacy, and in particular, law enforcement access to consumer video purchase records, should be part of any serious debate regarding the Digital Entertainment Content Ecosystem.

To be clear - I have no reason to suspect that Neustar has done anything improper or illegal, and I am confident that the firm's lawyers know CALEA, Title III and the Patriot Act inside out.

However, I am concerned about the fact that Neustar has already built a business around facilitating law enforcement and intelligence agency access to consumer data (both the phone number portability data held by the firm, and its outsourced legal compliance unit), and I am not sure if consumers should be dependent on a firm of this type to protect their highly confidential video purchase and rental records.

As a technologist concerned about privacy, I'm really not keen on the idea of any firm which provides an easy-to-use API to law enforcement agencies holding any of my private data, particularly one which does not disclose any information on the number of law enforcement requests it receives, responds to, and more importantly, rejects and fights in court.

Because of the complete lack of statistical and other information regarding Neustar's disclosures to the government, consumers have no way of knowing how often, if ever, Mr. Margolis says no to his former colleagues at the US Department of Justice.

Will the movie studios and other entertainment companies disclose to consumers that they will provide detailed records for each individual's movie purchases to a company that pledges to put "[the police] in control - and keeps perpetrators within reach"?

I doubt it.

Disclaimer: These are my own personal views, and do not reflect those of any other individual or organization with which I am affiliated.