Wednesday, September 29, 2010

On surveillance transparency

In 1998, FBI Director Louis Freeh went before Congress to argue for restrictions on the domestic use of encryption technology:
"We are very concerned, as this committee is, about the encryption situation, particularly as it relates to fighting crime and fighting terrorism. Not just Bin Laden, but many other people who work against us in the area of terrorism, are becoming sophisticated enough to equip themselves with encryption devices


We believe that an unrestricted proliferation of products without any kind of court access and law enforcement access, will harm us, and make the fight against terrorism much more difficult."
Of course, Freeh wasn't the only one to engage in encryption scaremongering. A year later, Janet Reno joined in, claiming:

"When stopping a terrorist attack or seeking to recover a kidnapped child, encountering encryption may mean the difference between success and catastrophic failures."

In 2000, Senators Leahy and Hatch, in a bi-partisan effort, successfully amended the existing wiretap reporting requirements to also include statistics on the number of intercept orders in which encryption was encountered and whether such encryption prevented law enforcement from obtaining the plain text of communications intercepted pursuant to such order.

In support of his amendment, Senator Leahy argued that compiling the statistics would be a "far more reliable basis than anecdotal evidence on which to assess law enforcement needs and make sensible policy in this area."

Since then, each year, the Administrative Office of the US Courts has compiled an annual wiretap report, which reveals that encryption is simply not frequently encountered during wiretaps, and when it is, it never stops the government from collecting the evidence they need.

These numbers are actually not that surprising, when you dig into the other parts of the wiretap report, and discover how few Internet connections law enforcement agencies intercept in real-time each year (at least using an intercept order or "superwarrant", which is the most difficult to get). Simply put, it is extremely unlikely that federal law enforcement officials are going to encounter an encrypted computer communication when they only obtain one or two computer intercept orders each year.

This is not to say that law enforcement agencies don't look through thousands of individuals' email communications, search engine requests or private, online photo albums each year, because they probably do. They just don't obtain wiretap orders to intercept that data in real time. Instead, simply wait a few minutes, and then obtain what they want after the fact as a stored communication under 18 USC 2703.

There are no good ECPA stats

Unfortunately, while we have a pretty good idea about how many wiretaps law enforcement agencies obtain each year, we have no idea how many times they go to email, search engine and cloud computing providers to compel them to disclose their customers' communications and other private data.

Just last week, Indiana University Law Professor Fred Cate testified about this very issue before the House Judiciary Committee:

"Congress already requires mandatory annual reports for the use of wiretap, pen register, and trap and trace orders. As a result, academics, public interest advocates, and policy makers are generally able to determine the extent to which such surveillance methods are used.

Congress has not created similar statutory reporting requirements for law enforcement agencies’ use of warrants, "27303(d)" orders, and subpoenas to obtain individuals’ communications contents and other private data. The only information about the scale of such activities available to policy makers comes from voluntary disclosures by a few service providers willing to discuss such practices.

Because most service providers do not disclose this information, Congress and the people have no reliable data to determine the scale of this form of electronic surveillance, which is likely to outnumber the 2,376 wiretap orders granted in 2009, and the 11,126 pen registers and 9,773 trap and trace orders granted in 2008."
And today, a copy of the Senate Judiciary Committee's Republican minority memo on the subject of ECPA reform leaked onto the Internet. One of the claims made by the unknown author of the memo is that:
"Although there is no data collected on this subject, anecdotally, it is the experience of the former federal prosecutors on Committee staff that the largest group of cases, by far, where ECPA authority is used is in child exploitation investigations and prosecutions. If Congress makes follows Digital Due Process’s recommendations, the largest impact of such changes might be to protect those who harm children behind a wall of “privacy protections” (i.e., these changes will make it more difficult and time-consuming for law enforcement to use ECPA to bring these offenders to justice)."
And thus, we find ourselves in the same situation as 12 years ago, where law enforcement officials were making anecdotal claims for which no evidence existed to prove, or disprove them.

We need solid, aggregate statistics on the use of ECPA by law enforcement agencies, so that Congress can make well-informed, data-driven policy choices in this complex area.

No comments: