Wednesday, September 29, 2010

On surveillance transparency

In 1998, FBI Director Louis Freeh went before Congress to argue for restrictions on the domestic use of encryption technology:
"We are very concerned, as this committee is, about the encryption situation, particularly as it relates to fighting crime and fighting terrorism. Not just Bin Laden, but many other people who work against us in the area of terrorism, are becoming sophisticated enough to equip themselves with encryption devices


We believe that an unrestricted proliferation of products without any kind of court access and law enforcement access, will harm us, and make the fight against terrorism much more difficult."

Of course, Freeh wasn't the only one to engage in encryption scaremongering. A year later, Janet Reno joined in, claiming:

"When stopping a terrorist attack or seeking to recover a kidnapped child, encountering encryption may mean the difference between success and catastrophic failures."

In 2000, Senators Leahy and Hatch, in a bi-partisan effort, successfully amended the existing wiretap reporting requirements to also include statistics on the number of intercept orders in which encryption was encountered and whether such encryption prevented law enforcement from obtaining the plain text of communications intercepted pursuant to such order.

In support of his amendment, Senator Leahy argued that compiling the statistics would be a "far more reliable basis than anecdotal evidence on which to assess law enforcement needs and make sensible policy in this area."

Since then, each year, the Administrative Office of the US Courts has compiled an annual wiretap report, which reveals that encryption is simply not frequently encountered during wiretaps, and when it is, it never stops the government from collecting the evidence they need.

These numbers are actually not that surprising, when you dig into the other parts of the wiretap report, and discover how few Internet connections law enforcement agencies intercept in real-time each year (at least using an intercept order or "superwarrant", which is the most difficult to get). Simply put, it is extremely unlikely that federal law enforcement officials are going to encounter an encrypted computer communication when they only obtain one or two computer intercept orders each year.

This is not to say that law enforcement agencies don't look through thousands of individuals' email communications, search engine requests or private, online photo albums each year, because they probably do. They just don't obtain wiretap orders to intercept that data in real time. Instead, they simply wait a few minutes, and then obtain what they want after the fact as a stored communication under 18 USC 2703.

There are no good ECPA stats

Unfortunately, while we have a pretty good idea about how many wiretaps law enforcement agencies obtain each year, we have no idea how many times they go to email, search engine and cloud computing providers to compel them to disclose their customers' communications and other private data.

Just last week, Indiana University Law Professor Fred Cate testified about this very issue before the House Judiciary Committee:

"Congress already requires mandatory annual reports for the use of wiretap, pen register, and trap and trace orders. As a result, academics, public interest advocates, and policy makers are generally able to determine the extent to which such surveillance methods are used.

Congress has not created similar statutory reporting requirements for law enforcement agencies’ use of warrants, "27303(d)" orders, and subpoenas to obtain individuals’ communications contents and other private data. The only information about the scale of such activities available to policy makers comes from voluntary disclosures by a few service providers willing to discuss such practices.

Because most service providers do not disclose this information, Congress and the people have no reliable data to determine the scale of this form of electronic surveillance, which is likely to outnumber the 2,376 wiretap orders granted in 2009, and the 11,126 pen registers and 9,773 trap and trace orders granted in 2008."

And today, a copy of the Senate Judiciary Committee's Republican minority memo on the subject of ECPA reform leaked onto the Internet. One of the claims made by the unknown author of the memo is that:

"Although there is no data collected on this subject, anecdotally, it is the experience of the former federal prosecutors on Committee staff that the largest group of cases, by far, where ECPA authority is used is in child exploitation investigations and prosecutions. If Congress follows Digital Due Process’s recommendations, the largest impact of such changes might be to protect those who harm children behind a wall of “privacy protections” (i.e., these changes will make it more difficult and time-consuming for law enforcement to use ECPA to bring these offenders to justice)."

And thus, we find ourselves in the same situation as 12 years ago, where law enforcement officials were making anecdotal claims that no evidence existed to prove or disprove.

We need solid, aggregate statistics on the use of ECPA by law enforcement agencies, so that Congress can make well-informed, data-driven policy choices in this complex area.

Tuesday, September 28, 2010

CALEA and encryption

Reading through Charlie Savage's New York Times piece yesterday, which arguably marks the beginning of the 2nd crypto wars, one might get the impression that law enforcement officials are merely seeking to tweak the law, in order to maintain the existing status quo:

"We're talking about lawfully authorized intercepts," said Valerie E. Caproni, general counsel for the Federal Bureau of Investigation. "We're not talking expanding authority. We're talking about preserving our ability to execute our existing authority in order to protect the public safety and national security."


To counter such problems, officials are coalescing around several of the proposal’s likely requirements:

* Communications services that encrypt messages must have a way to unscramble them.

I think it is reasonable to assume that very few people have read the text of the Communications Assistance for Law Enforcement Act (CALEA), so the average layperson (or even an interested technologist) might well assume that existing US law has nothing to say about encryption, since, after all, Skype didn't exist when CALEA was passed in 1994. That is incorrect: not only does the law speak about encryption, but it specifically protects the right of companies to build into their products strong encryption for which only the customer has the decryption key.

47 USC 1002(b)(3):
A telecommunications carrier shall not be responsible for decrypting, or ensuring the government’s ability to decrypt, any communication encrypted by a subscriber or customer, unless the encryption was provided by the carrier and the carrier possesses the information necessary to decrypt the communication.

Also from the CALEA legislative history:

“Finally, telecommunications carriers have no responsibility to decrypt encrypted communications that are the subject of court-ordered wiretaps, unless the carrier provided the encryption and can decrypt it. This obligation is consistent with the obligation to furnish all necessary assistance under 18 U.S.C. Section 2518(4). Nothing in this paragraph would prohibit a carrier from deploying an encryption service for which it does not retain the ability to decrypt communications for law enforcement access


Nothing in the bill is intended to limit or otherwise prevent the use of any type of encryption within the United States. Nor does the Committee intend this bill to be in any way a precursor to any kind of ban or limitation on encryption technology. To the contrary, section 2602 protects the right to use encryption.”

If the FBI and other law enforcement agencies get their way, they will not be tweaking existing law to deal with new technologies, but fundamentally changing how the government regulates technology.