Wednesday, March 23, 2011

DEA rejects FOIA for 38 pages of docs related to Sprint's digital surveillance API

As some of my regular readers know, in October 2009, I attended an invitation-only surveillance industry conference in Washington DC. It was at that event where I recorded an executive from Sprint bragging about the 8 million GPS queries his company delivered via a special website to law enforcement agencies in a 13-month period.

At that same event, Paul W. Taylor, the manager of Sprint/Nextel’s Electronic Surveillance team revealed that the wireless carrier also provides a next-generation surveillance API to law enforcement agencies, allowing them to automate and digitally submit their requests for user data:
"We have actually our LSite [Application Programming Interface (API)] is, there is no agreement that you have to sign. We give it to every single law enforcement manufacturer, the vendors, the law enforcement collection system vendors, we also give it to our CALEA vendors, and we've given it to the FBI, we've given it to NYPD, to the Drug Enforcement Agency. We have a pilot program with them, where they have a subpoena generation system in-house where their agents actually sit down and enter case data, it gets approved by the head guy at the office, and then from there, it gets electronically sent to Sprint, and we get it ... So, the DEA is using this, they're sending a lot and the turn-around time is 12-24 hours. So we see a lot of uses there."
My PhD research is focused on the relationship between communications and applications service providers and the government, and the way that these companies voluntarily facilitate (or occasionally, resist) surveillance of their customers. As such, this sounded pretty interesting, and so on December 3, 2009, I filed a FOIA request with the DEA to get documents associated with the Sprint LSite API and the DEA's use of the system.

On March 8, 2011, I received a letter (pdf) from the DEA, telling me that although they found 38 pages of relevant material, they are withholding every single page.

I will of course be appealing this rejection, either by myself, or with any luck, someone experienced with FOIA appeals and litigation will contact me and offer to help.

It is bad enough that Sprint is bending over backwards to assist the government in its surveillance of Sprint customers, but what is even worse is that the DEA is refusing to allow the public to learn anything about this program. If, as Mr Taylor suggested, there is a computer in every DEA office connected directly to Sprint's computer systems, the public has a right to know.

Tuesday, October 05, 2010

US Marshals Service's Electronic Surveillance Manual

Last week, the FOIA fairy delivered 25 pages of internal rules that outline when and how the US Marshals Service uses electronic surveillance methods. According to the cover letters accompanying the documents, the policies are "obsolete" and "the office is preparing to rewrite/revise it, which could take 30 days or longer to complete."

The full document can be downloaded here (pdf)

The most interesting things that jumped out to me:

1. One of the most heavily redacted sections relates to the use of triggerfish, or cell site analyzers, which allow the government to locate phones without the assistance of the phone company.


2. The special rules that USMS investigators must follow before wiretapping VIPs such as Members of Congress, Governors and Judges:


3. The revelation that USMS advises investigators to always seek "hybrid" 2703(d) + pen register orders, rather than plain pen register orders when they are investigating a suspect.


Tuesday, June 23, 2009

FOIA: Following the money trail

Sent by fax today to the Computer Crime & Intellectual Property Section (CCIPS) at the Department of Justice:

This letter constitutes a request under the Freedom of Information Act (“FOIA”), 5 U.S.C. §552. I am seeking records, invoices and any other information detailing the amount of money paid by the Department of Justice to major providers of Internet based services to compensate them for the time and resources used in responding to subpoenas, warrants, pen registers, trap & trace requests and national security letters.

Background

At the recent Computers, Freedom and Privacy Conference in Washington DC, Alan Davidson, Google’s Director of Government Relations and Public Policy revealed to the audience that Google routinely charges the government for the time and resources spent responding to requests by the Government for Google customers’ data.

This practice is permitted by various statutes. For example, 18 U.S.C. § 2518(4) states that:
Any provider of wire or electronic communication service, landlord, custodian or other person furnishing such facilities or technical assistance shall be compensated therefor by the applicant for reasonable expenses incurred in providing such facilities or assistance.


Likewise, the 2008 Protect America Act amended the Foreign Intelligence Surveillance Act to state:
The Director of National Intelligence and Attorney General may direct a person to …. immediately provide the Government with all information, facilities, and assistance necessary to accomplish the acquisition … The Government shall compensate, at the prevailing rate, a person for providing information, facilities, or assistance pursuant to subsection (e).


While Google is one of the first Internet based service providers to admit to this practice, it is likely that the practice is widespread.

My request

I request all records, invoices, memos and any other information detailing the amount of money paid by the Department of Justice to major providers of Internet based services to compensate them for the time and resources used in responding to subpoenas, warrants, pen registers, trap & trace requests and national security letters.

At the very least, this request shall include documents relating to Apple, Google, Microsoft, Yahoo, Facebook, MySpace, America Online, AT&T, Verizon, Comcast, Sprint and T-Mobile.

The scope for this request shall include all documents created between January 01, 2006 and January 01, 2009.

Monday, May 11, 2009

My latest FOIA: DOJ's use of "hotwatch" orders for credit card transaction data

(sent by fax this morning)

This letter constitutes a request under the Freedom of Information Act (“FOIA”), 5 U.S.C. §552. I am seeking records concerning the use of “hotwatch” orders directing credit card issuers to disclose prospective credit card transaction information.

Background

On October 11, 2005, the US Attorney from the Eastern District of New York submitted a court filing in the case of In re Application For Pen Register and Trap and Trace Device With Cell Site Location Authority (Magistrate's Docket No. 05-1093), which related to the use of pen register requests for mobile phone location records.

In that case, the US Attorney’s office relied on authority they believed was contained in the All Writs Act to justify their request for customer location information.

In support of its claim, the office revealed that:
Currently, the government routinely applies for and upon a showing of relevance to an ongoing investigation receives “hotwatch” orders issued pursuant to the All Writs Act. Such orders direct a credit card issuer to disclose to law enforcement each subsequent credit card transaction effected by a subject of investigation immediately after the issuer records that transaction.

A Google search reveals no other mentions of “hotwatch” orders other than the government’s filing in this case. Likewise, a search of Federal and State cases via Lexis Nexis reveals no other information.

I request any records, including memoranda, policies, procedures, legal opinions and statistics concerning the use of “hotwatch” orders or other requests for prospective credit card transaction information. The scope for this request shall include all documents created between January 01, 2000 and May 10, 2009.

Friday, March 27, 2009

My latest White House FOIA

I sent this FOIA request (pdf) to the Office of Administration today.

Essentially, I'm asking for a copy of all of the whitehouse.gov Web server logs, any analytics reports, data/log retention policies, as well as information on the amount of money paid by the White House for its use of Akamai and Amazon S3.

It'll be interesting to see how the White House counsel responds.

Friday, March 06, 2009

FOIA Fun

One of the benefits of moving back to this blog is that I'll be able to spend a bit more time talking about things that were not appropriate/of interest to the larger audience at CNET.

Case in point....

I recently received the result of a Freedom of Information Act request that I submitted to TSA, in July of 2007, for "my file" -- essentially, any documents relating to the boarding pass incident, and the several occasions when I've been stopped by the police at airports for refusing to fly without ID.

TSA found 436 pages of documents: 151 of these were released in full, 179 were heavily censored, and 106 were outright denied to me.

I've just started digging through the papers -- and have already found some really juicy stuff, which will give me fodder for several blog posts, and a few letters to TSA, and maybe even a lawsuit if I can find willing counsel.

Highlights include outright lies by TSA/DHS employees, my social security number showing up in some shadowy TSA investigative database, and information indicating that a Joint Terrorism Task Force as well as someone at the Bush White House were keeping tabs on my boarding-pass saga.

In the coming weeks, I'll scan some of the goodies, and post a bit of commentary to go along with them. However, in the mean time, I have a request to the Internets:

If anyone has any experience with the process of appealing a FOIA denial, or better, knows a lawyer willing to help me out (for free), please get in touch. I have a copy of EPIC's FOIA bible here, but it's not exactly easy reading.

I have 60 days from February 19th to file my appeal.

Wednesday, July 04, 2007

FOIA Results: No Evidence of Direct US Involvement in Pirate Bay Takedown

As the Electronic Frontier Foundation pointed out on their blog yesterday, the Freedom Of Information Act was signed into law on July 4, 1966. It is a fantastic tool. Yes, it leaves much to be desired, as some agencies really like to stonewall. However, it does have its uses.

One of the perks of graduate school is that, as an academic researcher working in the public interest, I'm eligible for fee waivers for all of my FOIA requests. I can request whatever I want, and as long as it's reasonably related to my research, I'm spared the 10 cents per page photocopy charges + hourly fees for government employee research time.

FOIA requests take time. However, I've filed several over the past year, with some success, and some rejections. Using the Indiana State equivalent of FOIA a couple months ago, I was able to gain quite a bit of information on a phishing attack that targeted university students the year before. I've also successfully used it to get police reports from the Metropolitan Washington Airports Authority regarding a potentially illegal incident where a police officer compelled me to show my driver's license after I attempted to assert my right to fly without ID.

On May 31, 2006, Swedish law enforcement raided and seized servers used by the popular BitTorrent tracker/website The Pirate Bay. Press reports at the time claimed that the raid was a result of significant US pressure. Some reports hinted at more direct involvement by the US government.

Thus, in September of 2006, the first FOIA request I filed was to the US State Department to get a copy of any documents relating to US knowledge of or involvement in the raid on The Pirate Bay.

I recently got 27 pages of documents, mostly uncensored, back from the State Department. While it's possible that they're withholding some information, from the documents that they've given me, it looks like the Swedish authorities organized the raid on their own. The US government was clearly putting strong pressure on the Swedes, but it does not appear as though the US government had advance notice of, or any direct involvement in, the raid.

All 27 pages of documents have been scanned and placed online.

Happy birthday FOIA!

Monday, April 16, 2007

FOIA Fun. Or. How Phishers hacked into IU

This post should probably be called Indiana Public Records Act Fun - but that doesn't quite roll off the tongue.

I signed up for an Indiana University email account in March or so of 2006. Between signing up and the start of school in September, I'd never used the email address for anything, and a Google query at the time for the address came back negative.

In mid June of 2006, I received a phishing email claiming to be from the IU credit union. The Indiana Daily Student later covered this incident. The article merely mentioned that phishing emails targeting the credit union had been sent out, and that a bunch of students had typed in their info. The article didn't explain how the phishers had learned the email addresses of the students, nor who had launched the attack.

My IU email address is 'csoghoia'. Given that my email address was new, and wasn't published anywhere on the Internet, there was no way for a phisher to learn my address short of an exhaustive address space search (i.e. trying every possible combination of letters) - unless, of course, the university was hacked and information was stolen, or the university accidentally released my info. Either of these two potential scenarios was alarming, and so I began to look into the matter.

An email requesting information from IU's Incident Response Manager about how phishers had learned my email address resulted in this: "Unfortunately, I cannot comment on this activity as it relates to an active investigation. Be assured we are working aggressively to put a stop to it."

Alarm bells went off... Something phishy (ha ha) was going on.

Thus, on June 23 2006, I filed an Indiana Public Records Act Request with the University. I asked for: any and all information regarding theft or accidental loss of student data including but not limited to names, social security numbers, and email addresses. I am additionally requesting any and all information regarding any ongoing or completed investigations including those by the Office of the VP for Information Technology, of "phishing" emails sent to IU users pretending to be from the IU Credit Union. The scope for these two requests is for documents created within the last 6 months.

On January 11 2007, I received a fat envelope full of papers from the Office of the University Counsel. The response can be seen here. Most of the information was fairly boring, but there were some gems. I've scanned the interesting documents and put them online here.

Typically, when phishers send emails out - they will collect an email list of millions of email addresses, and then send the same email out to them. Thus, in an effort to get the most bang for their phishing buck, the fraudsters target major banks. The idea being, of course, that out of 5 million email addresses, perhaps 200,000 actually belong to Citibank customers. Thus, it doesn't make too much sense for a phisher to send out 5 million emails claiming to be from a small credit union in Bloomington, Indiana. It simply isn't worth it.

If the phisher can get his hands on an email list of every person in Bloomington, then sending an email to every one of those people on the off-chance that they have a bank account with one of the major credit unions in town starts to make sense. This kind of targeted phishing attack has a name: spear phishing.

And what happened in June 2006, was a case of spear phishing.

From reading the documents that I've placed online, I've been able to figure out the following:

Chinese hackers (or at least, someone connecting from a machine in China) broke into one of the accounts on the 'steel' research cluster at IU. This cluster serves the research needs of the student population, and the "about steel" page says that it has over 24,000 accounts active. It seems that most students have accounts - I have one, and I don't recall ever requesting one. Presumably, it happens as part of the general account setup process.

Ok, so the hackers were able to gain access to Steel. What next?

Every Unix machine has an "/etc/passwd" file that lists information on every active user account on the system. Steel has one of these. I just logged into steel a few moments ago to test this, and as of April 15, 2007, Steel has over 30,000 user accounts listed in /etc/passwd.

With access to steel, the hackers were able to download the /etc/passwd file, and thus get a list of many, many active user accounts. Your steel account name is the same as your IU email address. Thus, the hackers were able to get 30,000 email addresses.
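To make the above concrete, here is an added example (not code from the original post, and not anything IU ran) of how a single account on a shared login host turns /etc/passwd into a mailing list, plus the defender's view of the same file: how many addresses one compromised account would expose. The passwd lines are constructed for the example; the mail domain, the UID cut-off that separates people from system accounts, and the list of no-login shells are assumptions, not facts from the post.

```python
"""
Added example (not from the original post): turning a shared host's
/etc/passwd into a phishing target list, and measuring that exposure.
The sample passwd text is constructed. The mail domain, the UID cut-off
for "human" accounts and the no-login shell set are assumptions.
"""
import sys
from dataclasses import dataclass

# Constructed sample. passwd(5) has seven colon-separated fields per line.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
svc-backup:x:999:999:Backup service:/var/backups:/usr/sbin/nologin
csoghoia:x:20017:100:Christopher Soghoian:/home/csoghoia:/bin/bash
jdoe:x:20018:100:Jane Doe:/home/jdoe:/bin/tcsh
oldacct:x:20019:100:Disabled account:/home/oldacct:/bin/false
this line is malformed and must be skipped
"""

# Assumption: local UIDs below this belong to system or service accounts.
HUMAN_UID_MIN = 1000
# Assumption: shells that deny interactive login.
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false", "/bin/sync"}


@dataclass(frozen=True)
class PasswdEntry:
    name: str
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str


def parse_passwd(text):
    """Parse passwd(5) text; skip blank, comment and malformed lines."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue
        name, _pw, uid, gid, gecos, home, shell = fields
        try:
            entries.append(PasswdEntry(name, int(uid), int(gid), gecos, home, shell))
        except ValueError:
            continue  # non-numeric uid/gid: treat as malformed
    return entries


def human_accounts(entries, min_uid=HUMAN_UID_MIN):
    """Accounts that belong to people, selected by UID alone. A disabled
    shell is irrelevant to the attacker: the mailbox still receives mail."""
    return [e for e in entries if e.uid >= min_uid]


def harvest_addresses(text, domain, min_uid=HUMAN_UID_MIN):
    """The attacker's result: one address per human account, because (as the
    post notes) the login name is the local part of the user's mail address."""
    return sorted(f"{e.name}@{domain}" for e in human_accounts(parse_passwd(text), min_uid))


def exposure_report(text, min_uid=HUMAN_UID_MIN):
    """The defender's result from the same file: how many addresses any one
    account holder on this host can enumerate, and how many can also log in."""
    entries = parse_passwd(text)
    humans = human_accounts(entries, min_uid)
    interactive = [e for e in humans if e.shell not in NOLOGIN_SHELLS]
    return {
        "total_entries": len(entries),
        "human_accounts": len(humans),
        "interactive_accounts": len(interactive),
    }


if __name__ == "__main__":
    # Pass a path to audit a real file; with no argument the constructed sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PASSWD
    print(exposure_report(text))
    for address in harvest_addresses(text, "example.edu"):
        print(address)
```

Run against a real host's /etc/passwd, the report is the number the post is worried about: every account holder can compute it, and so can anyone who has stolen one account. The harvest deliberately ignores the shell field, since a locked shell stops logins but not mail delivery to the address.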

The phishers then sent a large number of fake emails, claiming to be from the IU credit union, to IU users, directly from the steel cluster - that is, the fake emails were sent from within the IU network. A recent report indicates that between 70-80 users were duped by this attack. A subsequent attack happened in February of 2007. It is more than likely that either the same phishers, or another gang using the same stolen email address list, caused this attack. We will probably continue to see attacks, every few months, using the same email list. Only in 2-3 years, when most of the students on the list have graduated, will the list finally be useless. Thus, for the phishers, the capture of the email list is a gift that keeps on giving.

It's also worth noting that the very same phishers launched a similar attack against a credit union in Florida. They left a bunch of forensic evidence behind on steel which proves the link between the two credit union attacks. Clearly, these guys have found a niche (breaking into machines, gathering info, and then targeting small credit unions and banks). My guess is that it's quite profitable.

Which brings me to the most important point of this blog-post: Notification.

Indiana has a Breach Notification Law. However, it is very narrowly written to only kick in when the following information is lost:

  • Sec. 3. (a) As used in this chapter, "personal information" means:

    • (1) an individual's

      • (A) first name and last name; or

      • (B) first initial and last name; and

    • (2) at least one (1) of the following data elements:

      • (A) Social Security number.

      • (B) Driver's license number or identification card number.

      • (C) Account number, credit card number, debit card number, security code, access code, or password of an individual's financial account.

  • (b) The term does not include the following:

    • (1) The last four (4) digits of an individual's Social Security number.

    • (2) Publicly available information that is lawfully made available to the public from records of a federal agency or local agency.

The act only went into force on June 30, 2006 - which is, sadly, a few weeks too late.

For the purposes of discussion, let's pretend that the law kicked in on Jan 1, 2006. In such a scenario, the university would still not be required to tell any of their students that Chinese phishers had access to their email addresses. Why? Because an email address is not covered by the law. If the phishers had stolen SSNs, then the university would be required to notify the student body...

I want to make it perfectly clear that I am not criticizing the university. They followed the law, and acted in a perfectly legal manner. My criticism is of the law, which is weak and ineffective.

As a side note: if the university decided to track students by their full last name and all but the first letter of their first name (i.e. "hristopher Soghoian"), as the law is currently written, the university wouldn't be required to notify students if the school were hacked into and the entire database of student records and SSNs were stolen. Obviously, tracking students in such a way would not be very practical, but it does demonstrate that the law is fairly narrow, and doesn't cover everything.

My goal in posting this isn't to heap criticism on the university staff. The staff here are overworked, underpaid, and do their jobs as best as they can. The problem here is the law. It is broken, and needs to be fixed. We should not depend on inquisitive graduate students filing Public Records Act requests to learn about these kinds of incidents. The law should be amended so that we're told when they happen.

If you surveyed the student body, and asked them: "If the university were hacked into, and criminals were able to learn your email address, which they could later use for phishing attacks, or even to sell to spammers - would you want to be told?" - I'm guessing that a large number would answer yes. Admittedly, this is a fairly loaded question - but in any case...

(As a technical aside: As things currently stand, every one of the 30,000 users who has an account on the steel cluster can get a full list of student's email addresses. This should be fixed. Any evil student could quite easily download the list and then sell it to spammers.)

Thursday, April 05, 2007

FOIA frustrations, lessons learned

I submitted a Freedom Of Information Act (FOIA) request to the FBI last month, to get "access to and copies of any and all documents (including but not limited to) memos, electronic mail, presentations, briefings, meeting notes, guidelines and policies relating to or mentioning "Tor", "onion routing", "onion router", and "anonymous/anonymizing proxy/proxies""

I received word today that my request had come back empty. This is rather shocking, since I've personally spoken to FBI agents who know about Tor - and logically, it, or similar anonymizing proxies must have come up during investigations....

It turns out that with a standard FOIA request, no matter what you ask for, or how it is phrased, the FBI only searches their database for records that have the words of interest in the subject. If an FBI agent writes a case note about someone under investigation, and Tor comes up as part of the report, you won't get it back under a simple FOIA request. Simply put, an agent has to include the word "tor" in the subject of the memo/note for it to come back during a FOIA search.

The magic words, it seems, are to ask for a "full cross-reference search". If you do this, I'm told (by the FBI FOIA people), then they will actually search the contents of all records, instead of just the subject headers.

Grrr.. 1 month wasted just to find that out.

FOIA resubmitted....

Monday, February 26, 2007

My first FOIA request comes back empty

Late last year, liberal blogger Glenn Greenwald had reason to believe that someone from US Customs and Border Protection had looked up his border entry/exit records, and posted the information to the Internet. More on that can be viewed at Glenn's old blog site here.

Thus, I fired off a FOIA request to US Customs and Border Protection, now part of DHS, asking for any and all records and database searches done by an employee named 'Eric Wess' for data on Glenn Greenwald...

CBP's FOIA office got back to me last week by telephone, and told me that they do not have now, nor had in the past year (the scope of my request), any employee named 'Eric Wess' on their payroll. If I wanted to do a search for any agent who had done a search on Glenn, I'd need some kind of Privacy Act waiver....

Not the most fantastic result, but still, a useful FOIA writing experience, and a chance to see the US government responding to them in a reasonable amount of time.

Sorry I couldn't be more helpful Glenn.

Saturday, February 03, 2007

FOIA Fun

Much respect to the Reporters Committee for Freedom of the Press for their kickass FOIA letter generator.


FOIA/PA Mail Referral Unit
Department of Justice
Room 114, LOC
Washington, DC 20530-0001

Dear FOI Officer:

Pursuant to the federal Freedom of Information Act, 5 U.S.C. § 552, I request access to and copies of any and all documents (including but not limited to) memos, electronic mail, presentations, briefings, meeting notes, guidelines and policies relating to "Tor", "onion routing", "onion router", and "anonymous/anonymizing proxy/proxies". I am interested in anything that matches this description between the dates 01/01/2002 and 02/01/2007.

*edited*

Transportation Security Administration
TSA-20, West Tower
FOIA Division
601 South 12th Street
Arlington, VA 22202-4220

Dear FOI Officer:

Pursuant to the federal Freedom of Information Act, 5 U.S.C. § 552, I request access to and copies of all documents (including but not limited to) memos, electronic mail, presentations, briefings, meeting notes, guidelines and policies relating to the storage and/or data deletion policies for the data from chemical/explosive analysis of passengers, passengers' bags, items and personal possessions. In particular, I am requesting information on how long TSA keeps the data generated by the machines that perform the explosive residue analysis on the swabs that TSA agents wipe on passengers' bags/objects. I am also requesting information on how long data is kept from the "puffer" machines used by TSA (these are typically made by either GE or Smiths), which shoot air at passengers and then analyze the particles that are dislodged. In addition to this data, I also request any and all information relating to how the information is matched or associated to specific passengers, in what format, and held in what databases, if it is at all. The scope of this request is for all information matching this description between the dates of 01/01/2003 and 02/01/2007.

Friday, February 02, 2007

Tor: Lies or Ignorance?

I went to a symposium on Search and Seizure in the digital age at Stanford last week.

One topic that kept popping up was the so-called "Creepiness Factor" of various surveillance technologies. Just like the ol' government standard for obscenity, we can't quite define creepy surveillance, but we know it when we see it.

One of the last speakers of the day was an Assistant US Attorney - based in Silicon Valley, and who focused on cyber crimes. I'm fairly sure that his name was Matthew Lamberti. Fairly early into his talk, it was plainly obvious that his opinions did not mesh too well with the rest of the room - at least after he quite proudly announced that he didn't think it was in any way creepy to go through someone's trash. Facial expressions around the room quickly changed.

After his talk was over, I walked up to him, introduced myself, and asked him what he thought of Tor.


(I'm paraphrasing here)

"What's that", he asked.

I explained that it was an anonymity preserving system that enabled hundreds of thousands of Internet users to browse the web and communicate anonymously.

He replied that he wasn't familiar with the technology, so he really couldn't answer my question.

----

Back in November, when I met with the cybercrime-specializing Assistant US Attorney in Indianapolis, his eyes lit up at the mere mention of Tor, and he proceeded to give me a long lecture on the evils of the technology, and how Indiana University has no business doing anything that even comes close to anonymity-promoting research.

I find it shocking, yet amazing, that an Assistant US Attorney who works out of the San Jose DoJ office - who prosecutes Internet/IP crime cases all the time, in possibly the most high-tech area in the country - has never heard of Tor.

Is the Indianapolis DoJ more Internet-savvy than the one in Silicon Valley? Did I catch Mr Lamberti on an off day, or what?

And that's where my latest FOIA request will come in handy ;-)