Tuesday, June 15, 2010

DOJ's surveillance reporting failure

In both 2004, and 2009, the US Department of Justice provided Congress with a "document dump", covering 5 years of Pen Register and Trap & Trace surveillance reports. Although the law clearly requires the Attorney General to submit annual reports to Congress, DOJ has not done so, nor has it provided any reason for its repeated failure to submit the reports to Congress in a timely manner, as the law requires.

Professor Paul Schwartz, who first highlighted DOJ's pen register reporting deficiencies in a law review article, has argued that the lack of timely reporting creates "blank spaces on the map of telecommunications surveillance law."

In his 2008 article, Schwartz stated:
[T]he reports do not appear to have been made annually, but as one document dump with five years of reports in November 2004. The reports also fail to detail all of the information that the Pen Register Act requires to be shared with Congress.
The cover letter for the 2004 document dump to Congress can be seen embeded below and the yearly reports (later obtained through a FOIA by the Electronic Frontier Foundation) can be viewed here: 1999, 2000, 2001, 2002, 2003,

Unfortunately, it appears that after the 2004 document dump, DOJ went back to its old ways, and stopped providing the reports to Congress. As a result, in April 2009, the Electronic Privacy Information Center wrote a letter to Senator Leahy, to ask him to look into the issue.

There is no indication that the DOJ provided annual pen register reports to Congress for 2004, 2005, 2006, 2007, or 2008.19 This failure would demonstrate ongoing, repeated breaches of the DOJ's statutory obligations to inform the public and the Congress about the use of electronic surveillance authority....

We request that you ask the Attorney General to make public pen register and trap and trace reports from 2004 through the present, and to publicly disclose all future reports as a matter of course. This might be accomplished by requiring the DOJ to submit the annual pen register reports to the Administrative Office of the U.S. Courts, which has a proven track record of reliably collecting and publicly disseminating similar statistics regarding wiretap orders.

Earlier this year, I obtained (via a FOIA request) copies of the reports for the years 2004-2008. I also obtained the cover letter that DOJ sent to members of Congress in October of 2009, attached to the reports. The wording of the October 2009 letter is practically identical to the letter that accompanied the 2004 document dump, suggesting that DOJ failed to comply with the annual reporting requirements in 2005, 2006, 2007 and 2008.

Based on 10 years of repeated failures, it seems clear that the Department of Justice is unable to supply Congress with annual reports for pen register and trap & trace surveillance. As such, I think it is time for Congress to take a serious look at this problem, and consider shifting the responsibility for the reporting to the Administrative Office of the U.S. Courts, which has a proven track record of reliably collecting and publicly disseminating similar statistics regarding wiretap orders.

In a forthcoming law review article, I dig through the currently published surveillance statistics, and find many of them to be woefully lacking. I also propose several ways that Congress could overhaul the reporting requirements. Hopefully, if Congress does look into this issue, they will expand the scope of their inquiry to cover all surveillance reporting, and not just the pen register reports.

While my article is still in very rough shape, I've extracted the section on surveillance statistics, and included it here. I'd love feedback.


Ethan said...

A caveat to the idea that Congress should "consider shifting the responsibility for the reporting to the Administrative Office of the U.S. Courts" is the known shortcomings in the AO data. While admittedly much more copious than the non-existant DoJ data, it's not clear the AO data is thorough or complete, representative or unbiased. I'd suggest it's clear that the AO data is clearly incomplete and has known weaknesses. I strongly suspect there's a CRS report or 2 on the topic that may be worth chasing down. As several DoJ and FBI Inspectors General (among others) have illustrated, there are no shortages of instances of extra-judicial requests, misrepresentations to carriers, non-reporting, unpunished personal use, etc. And that's just at the federal level where OIGs are occasionally watching. At either the federal or state level, this data isn't captured by the AO of the Courts. Having the AO ask for it is presumably not any different than having Congress ask for it. The disclosures will still be at the whim of the agency.

Admittedly, this is a shortcoming of the agencies, not the AO gathering the data, but asking the AO to collect data it doesn't know about isn't going to get any better results than asking the DoJ to disclose what it does know about and apparently doesn't want to share.

Anonymous said...

Users already have the choice of opt-out of passing the referring keyword - at a browsers level e.g...

FireFox >> addOns > Install WebDeveloperToolbar > Disable > Referrer


[see screenshot] http://cafe.elharo.com/wp-content/uploads/2006/10/referer.png

Thus... there is no need for a Google FTC action.

Also, on GoogleMaps and GoogleSocial the zipcode entered in the search box is NOT passed in referrer, due to 200 status redirect > 200 status > landing page (rather than 200 status redirect > 302/301 > landing page).

Additionally, GoogleAdwords DOES anonymise referral keywords which contain PII`s shown in the Adwords SearchQueryPerformace reports, as these are shown as "other".