Wednesday, January 26, 2011

DOJ's push for data retention & competing on privacy

On Tuesday, January 25, 2011, the Republican-controlled House Subcommittee on Crime, Terrorism and Homeland Security held a hearing on the topic of data retention. Chairing the hearing was Jim Sensenbrenner, the author of the much-loved USA Patriot Act.

The video of the hearing is online, as is the written testimony of Jason Weinstein of the Department of Justice.

Data retention is (for most people) an obscure and boring topic, even though it has a significant impact on end user privacy. As such, I want to analyze DOJ's latest attempt to kick-start the debate about this issue, so that those watching at home can understand the politics at play.

A gentle introduction to the DOJ increased powers playbook

The Department of Justice is actually fairly predictable, and each time it calls for increased powers, it follows the same formula.

First, it will repeatedly mention one or two horrific crimes that everyone in society agrees are awful (usually terrorism and child pornography), and claim that those committing these crimes are not getting caught because of the issue at hand.

Second, the government will put out a couple of examples, never before disclosed to the public (even if they are several years old), in which horrible things happened because the government didn't have the information or power it now wants.

Third, the government will highlight companies that currently have particularly bad practices (but without naming those firms), and may also specifically identify one or two companies whose practices are excellent, and that should be models for the entire industry.

Fourth, the government will completely dismiss the concerns of the privacy community.

This formula has been used, just in the last couple of years, to try to require emergency, warrantless disclosure of cell-tower data, mandatory registration of prepaid mobile phones, and back doors in encryption technology.

Why doesn't DOJ name names?

One of the most interesting things for me is the practice of not naming names. That is, while the specific problematic practices may be discussed in some detail, the companies that are currently not doing what the government wants are rarely named by the government, either in testimony before Congress or through the intentional leaks to government-friendly journalists that are used to seed the debate.

Consider the following quote from yesterday's testimony:

"One mid-size cell phone company does not retain any records, and others are moving in that direction. A cable Internet provider does not keep track of the Internet protocol addresses it assigns to customers, at all. Another keeps them for only seven days -- often, citizens don't even bring an Internet crime to law enforcement's attention that quickly."

Or, from a New York Times article last year:
Starting in late 2008 and lasting into 2009, another law enforcement official said, a "major" communications carrier was unable to carry out more than 100 court wiretap orders. The initial interruptions lasted eight months, the official said, and a second lapse lasted nine days.

This year, another major carrier experienced interruptions ranging from nine days to six weeks and was unable to comply with 14 wiretap orders. Its interception system "works sporadically and typically fails when the carrier makes any upgrade to its network," the official said.

The official declined to name the companies, saying it would be unwise to advertise which networks have problems or to risk damaging the cooperative relationships the government has with them. For similar reasons, the government has not sought to penalize carriers over wiretapping problems.

Even though the government could significantly increase the pressure on particular firms by naming them, it (wisely) doesn't do so. The reason is that the law gives companies a significant amount of flexibility in the way that they design their networks, the data that they voluntarily retain, and over the warrantless disclosures made to government investigators when they claim an emergency. The government knows that if it plays hardball with these firms, they are perfectly within their rights to stop voluntarily retaining data, and insist on a valid court order or other legal process whenever the government wants to investigate one of their customers.

Naming names

Even though the government won't identify the companies with "good" and "bad" data retention practices, there is nothing stopping me from doing so.

In his testimony, Mr. Weinstein stated that "One mid-size cell phone company does not retain any records". If I had to guess, I would bet that Mr. Weinstein is speaking about T-Mobile, which is the largest carrier I know of that does not keep IP allocation logs.

At the ISS World surveillance conference in 2009, I made an audio recording of a panel which featured executives from several telecommunications companies speaking about their relationship with law enforcement agencies and their own data retention practices (the audio recording of the panel is available here). At that event, a representative from Cricket Communications (a relatively small prepaid carrier aimed at low-income users) told the audience that:

"One of the challenges for Cricket, and a challenge for the law enforcement community, is that we now have broadband and internet access from the handset. And in both instances, the signal goes to our switch, and then is relayed to Level 3 Communications, which then is the conduit to the Internet. From the outside, from the point of capture of the IP address, it is the generic or regional IP address that is picked up. There is no way to come back through our firewall to see which subscriber had a per-session identification on that, and that is something that even if you go to Level 3, they're not going to have any information either."

T-Mobile's director of law enforcement relations spoke next, and revealed that his company was largely in the same position:

"[T-Mobile is] in the same boat that Cricket is, in terms of determining the IP address -- determining the subscriber attached to that IP address."

Contrast this to the approach taken by Sprint:

"Nextel's system, they statically assign IP addresses to all handsets ... We do have logs, we can go back to see the IP address ... On the Sprint 3G network, we have IP data records back 24 months, and we have, depending on the device, we can actually tell you what URL they went to ... If [the handset uses] the [WAP] Media Access Gateway, we have the URL history for 24 months ... We don't store it because law enforcement asks us to store it, we store it because when we launched 3G in 2001 or so, we thought we were going to bill by the megabyte ... but ultimately, that's why we store the data ... It's because marketing wants to rifle through the data."

Unfortunately, representatives from Verizon and AT&T didn't appear at that conference, and so I don't have an on-the-record statement from those firms describing their IP allocation policies. Luckily, a slide presentation for the law enforcement community detailing Verizon's data retention policies leaked onto the Internet.

From this, it is clear that Verizon keeps logs of the individual IP addresses given to users for a one-year period, and, even more troubling, it appears that the company retains the "destination" addresses of all sites that its users visit from their mobile handsets for 30 days.

Finally, while we do not know AT&T's data retention policy, this 2009 study by a team at Microsoft Research confirms that AT&T wireless users are at least given individual IP addresses (as compared to the NAT-based scheme that T-Mobile and Cricket use). As such, the only question is whether AT&T chooses to retain these IP address allocation logs (and given the company's repeated collusion with law enforcement and intelligence agencies, I think it is fair to assume that it does keep them).
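The network-design difference the last few paragraphs turn on (per-subscriber IP allocation logs kept for some retention window, versus a shared NAT address with no per-session record) can be made concrete with a small model. The following Python is an added illustration written for this post, not carrier code or anything the author describes; the class names, the subscriber identifiers and the lease dates are constructed, and the addresses come from the RFC 5737 documentation ranges. It shows that, for a carrier keeping allocation logs, whether an observed address can be tied back to a subscriber depends only on the retention window (the seven-day and 24-month figures quoted above are used as the two settings), while for a carrier behind a shared NAT address without session logging the answer is always the whole pool of subscribers, regardless of how long anything is retained.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Set


@dataclass(frozen=True)
class Lease:
    """One IP allocation: which subscriber held which address, and when (constructed data)."""
    subscriber: str
    ip: str
    start: datetime
    end: datetime


class AllocationLog:
    """Hypothetical carrier that gives each handset its own public address and logs the lease.

    Only leases that ended within `retention` of the current time are still available
    to answer a query; older leases are treated as purged.
    """

    def __init__(self, retention: timedelta) -> None:
        self.retention = retention
        self._leases: List[Lease] = []

    def record(self, lease: Lease) -> None:
        self._leases.append(lease)

    def _retained(self, now: datetime) -> List[Lease]:
        # Retention is measured from the end of the lease, not from the query time.
        cutoff = now - self.retention
        return [lease for lease in self._leases if lease.end >= cutoff]

    def attribute(self, ip: str, seen_at: datetime, now: datetime) -> Optional[str]:
        """Return the subscriber holding `ip` at `seen_at`, or None if no retained lease matches."""
        for lease in self._retained(now):
            if lease.ip == ip and lease.start <= seen_at <= lease.end:
                return lease.subscriber
        return None


class SharedNat:
    """Hypothetical carrier whose handsets all share one public address with no per-session log."""

    def __init__(self, public_ip: str, subscribers: List[str]) -> None:
        self.public_ip = public_ip
        self.subscribers = list(subscribers)

    def attribute(self, ip: str, seen_at: datetime, now: datetime) -> Set[str]:
        """With no session records, the best answer is every subscriber behind the address."""
        if ip != self.public_ip:
            return set()
        return set(self.subscribers)


def demo() -> dict:
    """Run the same query against the three retention designs discussed in the post."""
    seen_at = datetime(2011, 1, 2, 13, 0)  # when the address was observed (constructed)
    # Two subscribers hold the same address at different times, so timing matters.
    first = Lease("sub-A", "198.51.100.7", datetime(2011, 1, 1), datetime(2011, 1, 3))
    second = Lease("sub-B", "198.51.100.7", datetime(2011, 1, 4), datetime(2011, 1, 6))

    seven_day_log = AllocationLog(timedelta(days=7))
    two_year_log = AllocationLog(timedelta(days=730))
    for log in (seven_day_log, two_year_log):
        log.record(first)
        log.record(second)

    nat_carrier = SharedNat("203.0.113.1", ["sub-C", "sub-D", "sub-E"])

    return {
        "7day_log_asked_3_days_later": seven_day_log.attribute("198.51.100.7", seen_at, datetime(2011, 1, 5)),
        "7day_log_asked_3_weeks_later": seven_day_log.attribute("198.51.100.7", seen_at, datetime(2011, 1, 23)),
        "24month_log_asked_a_year_later": two_year_log.attribute("198.51.100.7", seen_at, datetime(2012, 1, 5)),
        "shared_nat_any_time": nat_carrier.attribute("203.0.113.1", seen_at, datetime(2011, 1, 5)),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result}")
```

The first three results are the same lease log queried at different times: the seven-day log still answers three days after the fact but not three weeks after, and the 24-month log answers a year later. The NAT result never narrows below the full subscriber pool, which is the point the Cricket and T-Mobile representatives were making, and it is also why the retention period alone is not what decides a carrier's privacy posture; what is logged in the first place matters just as much.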

Competing on privacy

Over the last few years, firms in a few specific markets have begun to compete on privacy. For example, just in the last month, three of the four main web browsers have each announced privacy enhancing features designed to protect their users from online tracking.

Unfortunately, even though telecommunications firms' data retention policies differ in ways that significantly impact end user privacy, these companies do not compete on these differences, and often go out of their way to keep this information secret. Were it not for the work of activists and whistleblowers inside the firms who have leaked key documents, we would never know some of these details.

This widespread lack of public information about data retention policies poses a significant problem for consumers wishing to evaluate potential service providers on their respective privacy merits. Furthermore, practices among providers operating in the same market vary considerably, which means that the decision to pick a particular service provider can have a significant impact on a user's privacy.

As a result of these policies, for example, a Sprint Nextel customer can be later tracked down based on an anonymous comment left on a blog, or a P2P file downloaded over the company’s cellular network, while customers of T-Mobile and Cricket can freely engage in a variety of online activities without any risk of later discovery.

This lack of public information about key privacy differences would be bad enough if the firms simply kept quiet about the topic of privacy altogether. However, these companies actually proudly boast about their commitment to protecting user privacy, while simultaneously going out of their way to keep the substantive details of their practices (and often, their collusion with government surveillance) secret.

Consider, for example, the following statements by Verizon:

"Verizon has a longstanding and vigorous commitment to protecting its customers’ privacy and takes comprehensive steps to protect that privacy."

"At Verizon, privacy is a key priority. We know that consumers will use the full capabilities of our communications networks only if they trust that their information will remain private."

Strangely enough, Verizon has also argued in court that it has a First Amendment right to voluntarily provide information about its customers' private communications to the National Security Agency. This may be a valid legal argument, but it is not the kind of position that a company that has pledged to protect users' privacy should take. Certainly, it is not an official position that the company advertises to its customers on its website or in its privacy policy. Likewise, nowhere on Verizon's website does the company disclose the $1.8 million it has received per year to provide the FBI with "near real-time access to [two years of stored] United States communications records (including telephone and Internet records)."

Why the silence on data retention matters

The fact that most companies do not compete on, or even publicly disclose, their data retention policies means that the government has the upper hand in any effort to get firms to retain more data, or to keep it for longer periods.

Over the last year or two, multiple wireless carriers have extended the retention period for historical cell site location information. Retention periods of six months to one year for cell site data are now common across the industry, a significant increase over the 30 days or less that the data was retained two years ago.

These companies faced no push-back from consumers or privacy groups when they extended these retention periods, because consumers were never told that it happened.

Likewise, between 2007 and 2008, MySpace and Facebook both increased their data retention periods for user login IP session data. In 2006, MySpace logged IP addresses associated with account logins for 90 days. In 2007, the company expanded its logging of this data to 1 year. Facebook logged IP addresses for 30 days in 2007, but by 2008, the company had opted to keep the logs for 90 days.

Bringing this back to the current debate -- because T-Mobile doesn't compete on privacy, and because its customers are often unaware of the benefit they receive from the firm's current IP network design, the firm has no real incentive to resist pressure from the government to retain data. The only real sticking point for the company, I suspect, will be the cost of modifying its network to permit it to uniquely identify and track its users. As such, I fully expect T-Mobile (and any other companies that DOJ leans on) to quietly fold, and establish voluntary data retention policies that are long enough to keep the government happy.

1 comment:

Mike C. said...

I had seen a few articles on the subject and was hoping you'd weigh in. Glad you did; thanks for the exposition, which was excellent as usual.