The forces that led to the DigiNotar hack

Last week, the New York Times finally covered the DigiNotar hacks, more than two weeks after security experts and the tech media first broke the story. Unfortunately, the top 2-3 newspapers in the US (which is what legislative staff, regulators and policy makers read) have missed most of the important details. The purpose of this blog post is to fill in those gaps, providing key context to understand this incident as part of the larger Internet trust (and surveillance) debate.

Lawful access

As consumers around the world have embraced cloud computing, large Internet firms like Google, Facebook, Twitter, Yahoo, all of them based in the United States, increasingly hold users' most private documents and other data. This has been a boon for law enforcement agencies, which can often obtain these files without a court issued search warrant, or have to provide the investigated individual with the kind of prompt notice that would otherwise occur had their home been searched.

Law enforcement and intelligence agencies in the US, EU, Canada, Brasil, India, Japan, Israel and several other countries all regularly obtain private user data from Google. The company will insist on a court order for some kinds of user data, but will disclose many other types of data and subscriber records without first insisting on an order issued by an independent judge. This isn't because Google is evil, but because privacy laws in these countries, the US included, are so weak.

Google does not treat all governments equally though. For example, the company will not honor requests from the governments of Iran, Libya, Zimbabwe, Vietnam and several other countries. You might be inclined to believe that Google has taken this position because of the poor human rights record in these countries - that is part of the reason (but not the whole one, otherwise, Google would refuse requests from the US government which has a documented track record of assassination, rendition/kidnapping and torture). Google's policy of refusing these requests, I believe, largely comes down to the fact that Google does not have an office or staff in those countries. Without a local presence, employees to threaten with arrest or equipment to seize, these governments lack leverage over Google.

This situation is not specific to Google - Facebook, Yahoo, Microsoft and other large US firms all disclose user data to governments that have leverage over them, and ignore requests from others. Thus, lacking any "legitimate" way to engage in what they believe is lawful surveillance of their citizens, these governments that lack leverage have turned to other methods. Specifically, network surveillance.

An unintended consequence of HTTPS by default

When users connect to Facebook, Twitter, or Hotmail—as well as many other popular websites—they are vulnerable to passive network surveillance and active attacks, such as account hijacking. These services are vulnerable because they do not use HTTPS encryption to protect all data as it is transmitted over the Internet.

Such attacks are trivially easy for hackers to perform against users of an open WiFi network using tools like Firesheep. They are also relatively easy for government agencies to perform on a larger scale, when they can compel the assistance of upstream ISPs.

As I described above, because Google will not respond to formal requests for user data from certain governments, it is likely that the state security agencies in these countries have come to depend on network interception, performed with the assistance of domestic ISPs.

Unfortunately for these governments, in January 2010, Google enabled HTTPS by default for Gmail and a few other services. Once the firm flipped the default setting, passive network surveillance became impossible. Thus, in January 2010, the governments of Iran and a few other countries lost their ability to watch the communications of domestic Google users.

For now, these governments can still spy on Facebook, Twitter and Hotmail, as these services do not use HTTPS by default. That is changing though. Following the release of Firesheep in October 2010, (as well as two senior US government officials calling for encryption by default) all three services now offer configuration options to force the use of HTTPS. These firms are all moving towards HTTPS by default - for some firms, it will likely be a matter of weeks until it happens, for others, months.

Governments can see the writing on the wall - HTTPS by default will become the norm. Passive network surveillance will lose its potency as a tool of government monitoring, and once that happens, the state intelligence agencies will "go dark", losing the ability to keep tabs on their citizen's use of foreign, mostly US-based Internet communications services.

HTTPS Certificate Authorities and surveillance

As these large providers switch to HTTPS by default, government agencies will no longer be able to rely on passive network interception. By switching to active interception attacks, these governments can, in many cases, easily neutralize the HTTPS encryption, thus restoring their ability to spy on their citizens. One active attack, known as a "man in the middle attack" requires that the government first obtain a HTTPS certificate issued by a Certificate Authority (CA) trusted by the major web browsers.

In March of 2010, Sid Stamm and I published a paper on what we called compelled certificate creation attacks, in which a government simply requires a domestic Certificate Authority issue it one or more certificates for surveillance purposes. When we released a draft of our paper, we also published a product brochure I had obtained in the fall of 2009 at the ISS surveillance conference, for a Packet Forensics interception device that described how it could be used to intercept communications using these kinds of certificates.

The browsers trust a lot of Certificate Authorities, probably too many. These include companies located in countries around the world. They also include Certificate Authorities that are operated by government agencies. For example, Microsoft trusts a couple dozen governments, that include Tunisia and Venezuela. It is perhaps worth noting that Microsoft continues to trust the Tunisian government even after it was caught in December 2010 actively hijacking the accounts of Facebook users -- an act that led to Facebook enabling HTTPS by default for all users in the country.)

In any case, as Sid an I described, governments can compel domestic Certificate Authorities to provide them with the certificates necessary to intercept their own citizens' communications. However, not all governments around the world are as lucky as Tunisia to be trusted by the browsers, nor do all of them have a domestic certificate authority that they can bully around. Some countries, like Iran, have no way to obtain a certificate that will let them spy on Google users (yes, I know that you can buy intermediate CA issuing powers, but I am assuming that no one will sell this to the Iranian gov).

In recent weeks, we have learned that the encrypted communications of 300,000 people in Iran were monitored by an entity using a certificate that DigiNotar issued. While the Iranian government has not admitted to conducting this man in the middle surveillance against its citizens, it seems reasonable to assume they were behind it. The reason for this certificate theft seems pretty clear, when you consider the other details described in this blog post:

Iran wants to spy on its citizens. It wants the same interception and spying capabilities that the US and other western governments have. Unfortunately for the Iranian government, it has no domestic CA, and Google doesn't have an office in Tehran. So, it used a certificate obtained by hacking into a CA already trusted by the browsers - a CA that had weak default passwords, and that covered up the attack for weeks after it learned about it, giving the Iranian government plenty of time to use the stolen certificate to spy on its citizens.

As Facebook, Twitter and other big sites embrace HTTPS by default, the temptation will grow for for governments without other ways to spy their citizens to hack into certificate authorities with weak security. Can you blame them?

NSA and other US government agencies have gambled with our security

In December 2009, after I had obtained Packet Forensics' product marketing materials, I met with a former senior US intelligence official. I told him that I believed that governments around the world were abusing this flaw to spy on their own citizens, as well as foreigners. When I told him I would be going public in a few months, motivated by my concerns about China and other governments spying on Americans, he said I would be aiding "terrorists in Peshawar" by helping to secure their communications. Needless to say, our meeting wasn't particularly productive.

US intelligence agencies have long known about the flaws associated with the current certificate authority web of trust. For example, in 1998, James Hayes, an air force captain working for the National Security Agency published an academic paper in which he described the ease with which certificates could be used to intercept traffic:

Certificate masquerading allows a masquerader to substitute an unsuspecting server’s valid certificate with the masquerader’s valid certificate. The masquerader could monitor Web traffic, picking up unsuspecting victims’ surfing habits, such as the various net shopping malls and stores a victim may visit. The masquerader could change messages at will without detection, or collect the necessary information and go shopping on his or her own time.

Of course, it isn't too surprising that NSA has known about these vulnerabilities. If the agency hadn't know about these risks, it would have been grossly incompetent.

The question to consider then, is what has and hasn't the NSA done with this knowledge. In addition to attacking the computers of foreign governments, NSA is supposed to protect US government electronic assets. In the 10 years since NSA first acknowledged it knew about the problems with certificate authorities, what steps has the agency taken to protect US government computers from these attacks? Likewise, what has it done to protect US businesses and individuals?

The answer, I believe, is "nothing". The reason for this, I suspect, is that NSA wanted to exploit the flaws itself and didn't want to do anything that would lead to the elimination of what is likely a valuable source of intelligence information -- even though this meant that the governments of China, Turkey, Israel, Tunisia and Venezuela would have access to this surveillance method too.

Perhaps this was a reasonable choice to make, when the intelligence agencies abusing the flaw could be trusted to do so discreetly (The first rule of State-run CA Club is...). The Iranians have upset that delicate understanding. They have acquired and used certificates in a manner that is anything but discreet, thus forcing the issue to the front page of newspapers around the world.

Now, any state actor or criminal enterprise with a budget to hire hackers can likely get its hands on fraudulent certificates sufficient to intercept users' communications, as Comodo and DigiNotar will not be the last certificate authorities with weak security to be hacked. Hundreds of millions of computers around the world remain vulnerable to this attack, and will likely stay this way, until the web browser vendors decide upon and deploy effective defenses.

Had the US defense and intelligence community acted 10 years ago to protect the Internet, instead of exploiting this flaw, we would not be in the dire situation that we are currently in, waiting for the next hacked certificate authority, or the next man in the middle attack.

Warrantless "emergency" surveillance of Internet communications by DOJ up 400%

According to an official DOJ report, the use of "emergency", warrantless requests to ISPs for customer communications content has skyrocketed over 400% in a single year.

The 2009 report (pdf), which I recently obtained via a Freedom of Information Act request (it took DOJ 11 months (pdf) to give me the two-page report), reveals that law enforcement agencies within the Department of Justice sought and obtained communications content for 91 accounts. This number is a significant increase over previous years: 17 accounts in 2008 (pdf), 9 accounts in 2007 (pdf), and 17 accounts in 2006 (pdf).

Background

When Congress passed the Electronic Communications Privacy Act in 1986, it permitted law enforcement agencies to obtain stored communications and customer records in emergencies without the need for a court order.

In such scenarios, a carrier can (but is not required to) disclose the requested information if it, "in good faith, believes that an emergency involving danger of death or serious physical injury to any person requires disclosure without delay of communications relating to the emergency." Typically, belief means that a police officer states that an emergency exists.

With the passage of the USA PATRIOT Improvement and Reauthorization Act of 2005, Congress created specific statistical reporting requirements for the voluntary disclosure of the contents of subscriber communications in emergency situations. In describing his motivation for introducing the requirement, Senator Lungren stated that:

"I felt that some accountability is necessary to ensure that this authority is not being abused… This information [contained in the reports] I believe should be highly beneficial to the Committee, fulfilling our oversight responsibility in the future … this is the best way for us to have a ready manner of looking at this particular section. In the hearings that we had, I found no basis for claiming that there has been abuse of this section. I don't believe on its face it is an abusive section. But I do believe that it could be subject to abuse in the future and, therefore, this allows us as Members of Congress to have an ability to track this on a regular basis."

The current reports are deeply flawed

The emergency request reports are compiled and submitted by the Attorney General, and only apply to disclosures made to law enforcement agencies within the Department of Justice. As such, there are no statistics for emergency disclosures made to other federal law enforcement agencies, such as the Secret Service, as well as those made to state and local law enforcement agencies.

Furthermore, although 18 USC 2702 permits both the disclosure of the content of communications, as well as non-content records associated with subscribers and their communications (such as geo-location data), Congress only required that statistics be compiled for the disclosure of communications content. It is not clear why Congress limited the reports in this way.

Because the reporting requirements do not apply to disclosures made to law enforcement agencies outside the Department of Justice, and do not include the disclosure of non-content communications data and other subscriber records, the reports reveal a very limited portion of the scale of voluntary disclosures to law enforcement agencies.

Likewise, although Congress intended for these reports to assist with public oversight of the emergency disclosure authority, the Department of Justice has not proactively made these reports available to the general public. The reports for 2006 and 2007 were leaked to me by a friend with contacts on the Hill. I obtained the 2008 and 2009 reports via FOIA requests -- and disgracefully, it took DOJ 11 months to provide me with a copy of the 2-page report for 2009.

The emergency requests documented in these reports only scratch the surface

A letter (pdf) submitted by Verizon to Congressional committees in 2007 revealed that the company had received 25,000 emergency requests during the previous year. Of these 25,000 emergency requests, just 300 requests were from federal law enforcement agencies. In contrast, the reports submitted to Congress by the Attorney General reveal less than 20 disclosures for that year. Even though no other service provider has disclosed similar numbers regarding emergency disclosures, it is quite clear that the Department of Justice statistics are not adequately reporting the scale of this form of surveillance. In fact, they underreport these disclosures by several orders of magnitude.

The current reporting law is largely useless. It does not apply to state and local law enforcement agencies, who make tens of thousands of warrantless requests to ISPs each year. It does not apply to federal law enforcement agencies outside DOJ, such as the Secret Service. Finally, it does not apply to emergency disclosures of non-content information, such as geo-location data, subscriber information (such as name and address), or IP addresses used.

As such, Congress currently has no idea how many warrantless requests are made to ISPs each year. How can it hope to make sane policy in this area, when it has no useful data?

DEA rejects FOIA for 38 pages of docs related to Sprint's digital surveilance API

As some of my regular readers know, in October 2009, I attended an invitation-only surveillance industry conference in Washington DC. It was at that event where I recorded an executive from Sprint bragging about the 8 million GPS queries his company delivered via a special website to law enforcement agencies in a 13 month period.

At that same event, Paul W. Taylor, the manager of Sprint/Nextel’s Electronic Surveillance team revealed that the wireless carrier also provides a next-generation surveillance API to law enforcement agencies, allowing them to automate and digitally submit their requests for user data:

"We have actually our LSite [Application Programming Interface (API)] is, there is no agreement that you have to sign. We give it to every single law enforcement manufacturer, the vendors, the law enforcement collection system vendors, we also give it to our CALEA vendors, and we've given it to the FBI, we've given it to NYPD, to the Drug Enforcement Agency. We have a pilot program with them, where they have a subpoena generation system in-house where their agents actually sit down and enter case data, it gets approved by the head guy at the office, and then from there, it gets electronically sent to Sprint, and we get it ... So, the DEA is using this, they're sending a lot and the turn-around time is 12-24 hours. So we see a lot of uses there."

My PhD research is focused on the relationship between communications and applications service providers and the government, and the way that these companies voluntarily facilitate (or occasionally, resist) surveillance of their customers. As such, this sounded pretty interesting, and so on December 3, 2009, I filed a FOIA request with the DEA to get documents associated with the Sprint LSite API and the DEA's use of the system.

On March 8, 2011, I received a letter (pdf) from the DEA, telling me that although they found 38 pages of relevant material, they are withholding every single page.

I will of course be appealing this rejection, either by myself, or with any luck, someone experienced with FOIA appeals and litigation will contact me and offer to help.

It is bad enough that Sprint is bending over backwards to assist the government in its surveillance of Sprint customers, but what is even worse, is that the DEA is refusing to allow the public to learn anything about this program. If, as Mr Taylor suggested, there is a computer in every DEA office connected directly to Sprint's computer systems, the public has a right to know.

No New Surveillance Powers For The War On Drugs

At two hearings over the past month, including one yesterday, senior officials from the Department of Justice asked Congress to significantly expand its ability to monitor and investigate the online communications of Americans.

Law enforcement officials claim that it is too difficult to snoop on users of modern services like Skype, Blackberry, Facebook and Google, as the companies have not built wiretap capabilities into their services. The Department of Justice would also like wireless and residential Internet Service Providers to keep records that would make it easier to determine after-the-fact which particular customer visited specific websites.

These officials argue that technology companies should be required to build new surveillance capabilities in order to more effectively investigate child pornographers and terrorists. This is a politically savvy argument, as no member of Congress will want to risk appearing weak on terrorism or child pornography.

The reality is that most law enforcement surveillance powers are used in support of the war on drugs, not to investigate terrorists or pedophiles. As such, Congress should first demand reliable statistics on law enforcement’s existing Internet surveillance activities before even considering the FBI’s request for more powers.

The American public may be willing to give up their privacy and civil liberties in order to actually prevent terrorism and the sexual exploitation of children. This deal is far less attractive if the new surveillance powers will instead be used to to continue a failed prohibition opposed by millions of Americans.

Statistics are useful

Each year, federal and state law enforcement agencies obtain thousands of court orders that allow them to secretly wiretap the telephones of American citizens. We know this because Congress requires annual reports regarding the use of these surveillance powers.

The first documented instances of law enforcement wiretaps were used to investigate bootleggers during the prohibition. Decades later, as the wiretap reports confirm, the vast majority of intercepts are used to enforce our modern day prohibition: the war on drugs. For example, of the 2,376 wiretap orders issued in 2009, 86% (2,046) were obtained as part of narcotics investigations.

Similarly, of the 763 “sneak and peek” search warrants obtained in 2009, 474 were obtained in investigations of drugs, and only 3 were used in investigations of terrorism. These surveillance orders allow government agents to search a home without telling the owner or resident until weeks or months later. Law enforcement agencies were given this authority as part of the Patriot Act, after the Department of Justice claimed that the powers were necessary to allow “law enforcement to conduct investigations without tipping off terrorists.” However, a report published by the Administrative Office of the Courts in 2009 revealed that the powers are primarily used to investigate drugs, not terrorism.

Unfortunately, while accurate statistics exist for wiretaps, and for the sneak and peek authority granted as part of the Patriot Act, we are largely in the dark regarding most of the tens of thousands of requests made each year to phone companies and Internet service providers. There are no statistics that document law enforcement requests for email, instant messaging, social network profiles, search engine history, or geographic location information from mobile phones.

Not only do we have no way of knowing the total number of requests made by law enforcement officers each year, but we also do not know what kinds of crimes they are investigating. Instead, all we have are unverifiable anecdotes from law enforcement officials, who selectively reveal them in order to justify their push for increased surveillance powers.

If the statements of law enforcement officials are to be believed, most of their online investigations involve child pornography. However, the published statistics for other forms of surveillance suggest that they are likely in support of the war on drugs. The only way to be sure would be for Congress to require the collection and publication of statistics covering law enforcement agencies’ surveillance of Internet applications and communications. As Senator Leahy noted more than 10 years ago, surveillance statistics serve as a “more reliable basis than anecdotal evidence on which to assess law enforcement needs and make sensible policy in this area.”

Rather than granting the Department of Justice the sweeping new surveillance powers it seeks, Congress should first seek and obtain detailed reports on the use of modern surveillance techniques. There is no need to rush the passage of new authority; especially since, as the debate over the renewal of the Patriot Act has clearly demonstrated, rolling back powers is much tougher than granting new ones.

DOJ's "hotwatch" real-time surveillance of credit card transactions

A 10 page Powerpoint presentation (pdf) that I recently obtained through a Freedom of Information Act Request to the Department of Justice, reveals that law enforcement agencies routinely seek and obtain real-time surveillance of credit card transaction. The government's guidelines reveal that this surveillance often occurs with a simple subpoena, thus sidestepping any Fourth Amendment protections.

Background

On October 11, 2005, the US Attorney from the Eastern District of New York submitted a court filing in the case of In re Application For Pen Register and Trap and Trace Device With Cell Site Location Authority (Magistrate's Docket No. 05-1093), which related to the use of pen register requests for mobile phone location records.

In that case, the US Attorney’s office relied on authority they believed was contained in the All Writs Act to justify their request for customer location information. In support of its claim, the office stated that:

Currently, the government routinely applies for and upon a showing of relevance to an ongoing investigation receives “hotwatch” orders issued pursuant to the All Writs Act. Such orders direct a credit card issuer to disclose to law enforcement each subsequent credit card transaction effected by a subject of investigation immediately after the issuer records that transaction.

A search of Google, Lexisnexis and Westlaw revealed nothing related to "hotwatch" orders, and so I filed a FOIA request to find out more. If the government "routinely" applies for and obtains hotwatch orders, why wasn't there more information about these.

It took a year and a half to learn anything. The Executive office of US Attorneys at the Department of Justice located 10 pages of relevant information, but decided to withhold them in full. I filed my first ever FOIA appeal, which was successful, albeit very slow, and finally received those 10 pages this week.



As the document makes clear, Federal law enforcement agencies do not limit their surveillance of US residents to phone calls, emails and geo-location information. They are also interested in calling cards, credit cards, rental cars and airline reservations, as well as retail shopping clubs.

The document also reveals that DOJ's preferred method of obtaining this information is via an administrative subpoena. The only role that courts play in this process is in issuing non-disclosure orders to the banks, preventing them from telling their customers that the government has spied on their financial transactions. No Fourth Amendment analysis is conducted by judges when issuing such non-disclosure orders.

While Congress has required that the courts compile and publish detailed statistical reports on the degree to which law enforcement agencies engage in wiretapping, we currently have no idea how often law enforcement agencies engage in real-time surveillance of financial transactions.

DOJ has granted itself new surveillance powers

Update @ 8PM 11/22/2010: EFF first sounded the alarm about roving 2703(d) orders back in 2005, which were being used to obtain phone information.

Electronic communications privacy law in the United States is hopelessly out of date. As several privacy groups have noted, the statute that governs when and how law enforcement agencies can obtain individual's private files and electronic documents hasn't really been updated since it was first written in 1986.

Over the past year, privacy groups, academics and many companies have gotten together to push for reform of the Electronic Communications Privacy Act (ECPA). These stakeholders have lobbied for reform of this law, and in turn, both the House and Senate have held hearings on various issues, ranging from cloud computing to cellular location data.

Of course, complaints about the existing statute are not limited to those wishing to protect user privacy -- law enforcement agencies would very much like to expand their authority. However, as I document in this blog post, rather than going to Congress to ask for new surveillance powers, the Department of Justice, and in particular, the US Marshals Service, have simply created for themselves a new "roving" order for stored communications records.

Let that sink in for a second. Rather than wait for Congress to give it new authority, the Department of Justice has instead just given itself broad new surveillance powers.

Roving Wiretaps

For nearly 15 years, law enforcement agencies have had "roving wiretap" authority, meaning that they can get a court order that does not name a specific telephone line or e-mail account but allows them to wiretap any phone line, cell phone, or Internet connection that a suspect uses. In order to use this expanded authority, prosecutors have to show probable cause that they believe that the individual under investigation is avoiding intercepts at a particular place.

Although there are more than 2000 wiretap orders issued each year, as the table below reveals, federal and local law enforcement agencies rarely seek to use this roving authority.



Roving Pen Registers and Trap & Trace orders

While wiretap orders are used for the real-time interception of communications content, pen register and trap & trace orders are used to intercept, in real-time, non-content information associated with communications. This includes the numbers dialed, to/from addresses associated with emails, etc.

Traditionally, like wiretap orders, pen register/trap & trace orders had to name the recipient (phone company or ISP) in the order. If the government wished to go to a different ISP, they'd need to return to the judge to get another order. However, the USA PATRIOT act expanded the scope of pen register and trap & trace orders, essentially turning them into roving orders by default:

The [pen register] order . . . shall apply to any person or entity providing wire or electronic communication service in the United States whose assistance may facilitate the execution of the order.

Whenever such an order is served on any person or entity not specifically named in the order, upon request of such person or entity, the attorney for the Government or law enforcement or investigative officer that is serving the order shall provide written or electronic certification that the order applies to the person or entity being served.

Thus, post PATRIOT Act, by using a wiretap or pen register authority, law enforcement agencies can use a single court order to obtain real-time non-content data from any 3rd party that may have it, even if the service provider was not named in the original court order.

Stored communications and customer records

The vast majority of surveillance requests are not for real-time data, but for historical information. That is, rather than seeking to intercept emails or web browsing activities as they are transmitted, law enforcement agencies often seek information after the fact. This is both easier, and often much cheaper.

For example, existing surveillance reports reveal that 1773 wiretap orders were issued in 2005, 625 of which were for federal agencies. Similarly in 2005, a total of 6790 pen registers and 4393 trap & trace orders were obtained by law enforcement agencies within the Department of Justice (the FBI, DEA, ATF and the Marshals).

In that same year, Verizon received 36,000 requests for customer information from federal law enforcement agencies and 54,000 requests from state and local law enforcement agencies.

That is, Verizon's requests alone dwarf the number of publicly reported wiretaps and pen registers, by nearly 700%. This doesn't mean that the wiretap numbers are incorrect -- merely that the vast majority of requests that Verizon received were for stored records, such as historical information on the phone numbers its customers dialed, old text messages, and stored emails. It is quite reasonable to assume that other major telecommunications carriers receive a similar number of requests.

2703(d) orders

Federal law requires that law enforcement agencies first obtain a special court order (known as a 2703(d) order) before they can compel third party service providers to deliver many types of stored user non-content data. Such court orders must name the service provider that has the data, and unlike in the case of wiretaps and pen registers, Congress has not granted roving authority to law enforcement agencies. This means that law enforcement agencies are supposed to obtain a 2703(d) order naming each ISP or phone company that has data that the government would like to get.

Roving 2703(d) orders

Updated at 8PM on 11/22/2010 to give credit to EFF for first discovering roving d orders

In 2005, the Electronic Frontier Foundation filed a brief in federal court, objecting to a request by the Department of Justice for an order requiring "relevant service providers… to provide subscriber information about [all] numbers obtained from the use of… pen/trap devices" upon oral or written demand by relevant law enforcement officials.

Section 2703 of 18 USC provides that:

"a governmental entity may require a provider of electronic communications service…to disclose a record or other information pertaining to a subscriber or customer of such service…only when the government… obtains a court order for such disclosure under subsection (d) of this section."

As the EFF told the court:

"This language [in 2703] clearly contemplates orders that require disclosure of particular records regarding particular customers of particular providers, not general orders that the government can use on its own discretion to continuously demand unspecified records about unspecified people from unspecified providers, for the entire duration of a related pen-trap surveillance.

. . .

The Stored Communications Act simply does not authorize open-ended or "roving" orders that are enforced based on the government’s oral or written representations of its pen-trap results. Indeed, such orders would leave the government in a dangerously unchecked position to obtain subscriber information for any telephone number without court oversight or approval."

The EFF's 2005 brief objected to the government's attempts to get roving 2703(d) orders for subscriber records from phone companies. It seems that the government has since expanded its use of these roving 2703(d) orders to email providers.

I recently obtained a copy of the US Marshals Electronic Surveillance Manual, which I obtained through a Freedom of Information Act (FOIA) request. As I highlighted in a previous blog post, that handbook reveals that the US Marshals have adopted a policy of always obtaining a 2703(d) order whenever they seek a pen register.


The surveillance manual lists several advantages to obtaining such "hybrid" 2703(d)/pen register orders - such as the ability to get geo-location data from providers, who are prohibited by law from revealing "any information that may disclose the physical location of the subscriber" in response to a pen register order. It is not until a few paragraphs later, when another advantage of the hybrid order (and its limitations) is hinted at.


What is happening here is a bit complex. In essence, federal surveillance law does not permit for roving 2703(d) orders, but it does permit for roving pen register authority. Therefore, DOJ believes that when it staples together a pen register order and a 2703(d) order, that the roving aspect of the pen register order automatically transfers to the 2703(d) order.

Thus, DOJ believes that law enforcement agencies can send a copy of a hybrid 2703(d)/pen register order to ISPs not named in the order, and force them to disclose stored subscriber records and communications non-content data, such as email headers.

DOJ's reason for doing this, at least according to the Marshals' surveillance manual, is "because we say so":

Although compelling compliance with a Pen/Trap order that also required disclosure of stored records (e.g. subscriber) is unclear under this section, investigators should assert that compliance with the entire order is mandatory irrespective of whether a provider is specifically named in the order.

Again -- even though the law does not grant the government this expanded authority, DOJ urges investigators to still assert that that companies must comply with the request.

DOJ is using this authority

Nearly a year ago, I obtained an invoice from Google to the US Marshals Service related to a pen register order from December 2007.
The invoice states that:

"We understand that you have requested customer information regarding the user account specified in the Pen Register/Trap Trace, which includes the following information: (1) Subscriber information for the gmail account [redacted]@gmail.com; (2) Information regarding session timestamps and originating IP addresses for recent logins by this account; and a CD containing (3) Header information for the specified date range."

The phrasing of this text reveals that the Marshals first delivered the pen register order to a different ISP, and that the gmail.com account appeared in the data delivered by that other service provider in response to the pen register request. As such, neither Google nor the particular gmail.com address were named in the original pen register order issued by the judge.

Google likely received a hybrid 2703/pen register order from the US Marshals Service, and, even though the company was not named in the original order, it provided historical, stored non-content data and subscriber information to law enforcement officials. The company could very easily have told the Marshals to get lost, and come back with a 2703(d) order signed by a judge, naming Google.

I'm not sure what is more alarming, that the US government abuses its already broad surveillance powers, or that Google, a company that pledges to "be a responsible steward of the information we hold" is not in fact insisting that law enforcement agencies follow the letter of the law.

US Marshal Service's Electronic Surveillance Manual

Last week, the FOIA fairy delivered 25 pages of internal rules that outline when and how the US Marshal Service uses electronic surveillance methods. According to the cover letters accompanying the documents, the policies are "obsolete" and that "the office is preparing to rewrite/revise it, which could take 30 days or longer to complete."

The full document can be downloaded here (pdf)

The most interesting things that jumped out to me:

1. One of the most heavily redacted sections relates to the use of trigger fish, or cell site analyzers, which allow the government to locate phones without the assistance of the phone company.


(click for a larger image)

2. The special rules that USMS investigators must follow before wiretapping VIPs such as Members of Congress, Governors and Judges:


(click for a larger image)

3. The revelation that USMS advises investigators to always seek "hybrid" 2703(d) + pen register orders, rather than plain pen register orders when they are investigating a suspect.


(click for a larger image)

On surveillance transparency

In 1998, FBI Director Louis Freeh went before Congress to argue for restrictions on the domestic use of encryption technology:

"We are very concerned, as this committee is, about the encryption situation, particularly as it relates to fighting crime and fighting terrorism. Not just Bin Laden, but many other people who work against us in the area of terrorism, are becoming sophisticated enough to equip themselves with encryption devices

...

We believe that an unrestricted proliferation of products without any kind of court access and law enforcement access, will harm us, and make the fight against terrorism much more difficult."

Of course, Freeh wasn't the only one to engage in encryption scaremongering. A year later, Janet Reno joined in, claiming:

"When stopping a terrorist attack or seeking to recover a kidnapped child, encountering encryption may mean the difference between success and catastrophic failures."

In 2000, Senators Leahy and Hatch, in a bi-partisan effort, successfully amended the existing wiretap reporting requirements to also include statistics on the number of intercept orders in which encryption was encountered and whether such encryption prevented law enforcement from obtaining the plain text of communications intercepted pursuant to such order.

In support of his amendment, Senator Leahy argued that compiling the statistics would be a "far more reliable basis than anecdotal evidence on which to assess law enforcement needs and make sensible policy in this area."


Since then, each year, the Administrative Office of the US Courts has compiled an annual wiretap report, which reveals that encryption is simply not frequently encountered during wiretaps, and when it is, it never stops the government from collecting the evidence they need.

These numbers are actually not that surprising, when you dig into the other parts of the wiretap report, and discover how few Internet connections law enforcement agencies intercept in real-time each year (at least using an intercept order or "superwarrant", which is the most difficult to get). Simply put, it is extremely unlikely that federal law enforcement officials are going to encounter an encrypted computer communication when they only obtain one or two computer intercept orders each year.


This is not to say that law enforcement agencies don't look through thousands of individuals' email communications, search engine requests or private, online photo albums each year, because they probably do. They just don't obtain wiretap orders to intercept that data in real time. Instead, simply wait a few minutes, and then obtain what they want after the fact as a stored communication under 18 USC 2703.

There are no good ECPA stats

Unfortunately, while we have a pretty good idea about how many wiretaps law enforcement agencies obtain each year, we have no idea how many times they go to email, search engine and cloud computing providers to compel them to disclose their customers' communications and other private data.

Just last week, Indiana University Law Professor Fred Cate testified about this very issue before the House Judiciary Committee:

"Congress already requires mandatory annual reports for the use of wiretap, pen register, and trap and trace orders. As a result, academics, public interest advocates, and policy makers are generally able to determine the extent to which such surveillance methods are used.

Congress has not created similar statutory reporting requirements for law enforcement agencies’ use of warrants, "27303(d)" orders, and subpoenas to obtain individuals’ communications contents and other private data. The only information about the scale of such activities available to policy makers comes from voluntary disclosures by a few service providers willing to discuss such practices.

Because most service providers do not disclose this information, Congress and the people have no reliable data to determine the scale of this form of electronic surveillance, which is likely to outnumber the 2,376 wiretap orders granted in 2009, and the 11,126 pen registers and 9,773 trap and trace orders granted in 2008."

And today, a copy of the Senate Judiciary Committee's Republican minority memo on the subject of ECPA reform leaked onto the Internet. One of the claims made by the unknown author of the memo is that:

"Although there is no data collected on this subject, anecdotally, it is the experience of the former federal prosecutors on Committee staff that the largest group of cases, by far, where ECPA authority is used is in child exploitation investigations and prosecutions. If Congress makes follows Digital Due Process’s recommendations, the largest impact of such changes might be to protect those who harm children behind a wall of “privacy protections” (i.e., these changes will make it more difficult and time-consuming for law enforcement to use ECPA to bring these offenders to justice)."

And thus, we find ourselves in the same situation as 12 years ago, where law enforcement officials were making anecdotal claims for which no evidence existed to prove, or disprove them.

We need solid, aggregate statistics on the use of ECPA by law enforcement agencies, so that Congress can make well-informed, data-driven policy choices in this complex area.

DOJ's surveillance reporting failure

In both 2004, and 2009, the US Department of Justice provided Congress with a "document dump", covering 5 years of Pen Register and Trap & Trace surveillance reports. Although the law clearly requires the Attorney General to submit annual reports to Congress, DOJ has not done so, nor has it provided any reason for its repeated failure to submit the reports to Congress in a timely manner, as the law requires.

Professor Paul Schwartz, who first highlighted DOJ's pen register reporting deficiencies in a law review article, has argued that the lack of timely reporting creates "blank spaces on the map of telecommunications surveillance law."

In his 2008 article, Schwartz stated:

[T]he reports do not appear to have been made annually, but as one document dump with five years of reports in November 2004. The reports also fail to detail all of the information that the Pen Register Act requires to be shared with Congress.

The cover letter for the 2004 document dump to Congress can be seen embeded below and the yearly reports (later obtained through a FOIA by the Electronic Frontier Foundation) can be viewed here: 1999, 2000, 2001, 2002, 2003,



Unfortunately, it appears that after the 2004 document dump, DOJ went back to its old ways, and stopped providing the reports to Congress. As a result, in April 2009, the Electronic Privacy Information Center wrote a letter to Senator Leahy, to ask him to look into the issue.

There is no indication that the DOJ provided annual pen register reports to Congress for 2004, 2005, 2006, 2007, or 2008.19 This failure would demonstrate ongoing, repeated breaches of the DOJ's statutory obligations to inform the public and the Congress about the use of electronic surveillance authority....

We request that you ask the Attorney General to make public pen register and trap and trace reports from 2004 through the present, and to publicly disclose all future reports as a matter of course. This might be accomplished by requiring the DOJ to submit the annual pen register reports to the Administrative Office of the U.S. Courts, which has a proven track record of reliably collecting and publicly disseminating similar statistics regarding wiretap orders.

Earlier this year, I obtained (via a FOIA request) copies of the reports for the years 2004-2008. I also obtained the cover letter that DOJ sent to members of Congress in October of 2009, attached to the reports. The wording of the October 2009 letter is practically identical to the letter that accompanied the 2004 document dump, suggesting that DOJ failed to comply with the annual reporting requirements in 2005, 2006, 2007 and 2008.



Based on 10 years of repeated failures, it seems clear that the Department of Justice is unable to supply Congress with annual reports for pen register and trap & trace surveillance. As such, I think it is time for Congress to take a serious look at this problem, and consider shifting the responsibility for the reporting to the Administrative Office of the U.S. Courts, which has a proven track record of reliably collecting and publicly disseminating similar statistics regarding wiretap orders.

In a forthcoming law review article, I dig through the currently published surveillance statistics, and find many of them to be woefully lacking. I also propose several ways that Congress could overhaul the reporting requirements. Hopefully, if Congress does look into this issue, they will expand the scope of their inquiry to cover all surveillance reporting, and not just the pen register reports.

While my article is still in very rough shape, I've extracted the section on surveillance statistics, and included it here. I'd love feedback.

8 Million Reasons for Real Surveillance Oversight

Disclaimer: The information presented here has been gathered and analyzed in my capacity as a graduate student at Indiana University. This data was gathered and analyzed on my own time, without using federal government resources. This data, and the analysis I draw from it will be a major component of my PhD dissertation, and as such, I am releasing it in order to receive constructive criticism on my theories from other experts in the field. The opinions I express in my analysis are my own, and do not reflect the views of the Federal Trade Commission, any individual Commissioner, or any other individual or organization with which I am affiliated.

UPDATE 12/3/2009 @ 12:20PM: I received a phone call from an executive at TeleStrategies, the firm who organized the ISS World conference. He claimed that my recordings violated copyright law, and asked that I remove the mp3 recordings of the two panel sessions, as well as the YouTube/Vimeo/Ikbis versions I had embedded onto this blog. While I believe that my recording and posting of the audio was lawful, as a good faith gesture, I have taken down the mp3s and the .zip file from my web hosting account, and removed the files from Vimeo/YouTube/Ikbis.

Executive Summary

Sprint Nextel provided law enforcement agencies with its customers' (GPS) location information over 8 million times between September 2008 and October 2009. This massive disclosure of sensitive customer information was made possible due to the roll-out by Sprint of a new, special web portal for law enforcement officers.

The evidence documenting this surveillance program comes in the form of an audio recording of Sprint's Manager of Electronic Surveillance, who described it during a panel discussion at a wiretapping and interception industry conference, held in Washington DC in October of 2009.

It is unclear if Federal law enforcement agencies' extensive collection of geolocation data should have been disclosed to Congress pursuant to a 1999 law that requires the publication of certain surveillance statistics -- since the Department of Justice simply ignores the law, and has not provided the legally mandated reports to Congress since 2004.

Introduction

"[Service providers] have, last time I looked, no line entry in any government directory; they are not an agent of any law enforcement agency; they do not work for or report to the FBI; and yet, you would never know that by the way law enforcement orders them around and expects blind obedience."
-- Albert Gidari Jr., Keynote Address: Companies Caught in the Middle, 41 U.S.F. L. Rev. 535, Spring 2007.

"The reason we keep [search engine data] for any length of time is one, we actually need it to make our algorithms better, but more importantly, there is a legitimate case of the government, or particularly the police function or so forth, wanting, with a Federal subpoena and so forth being able to get access to that information."
-- Eric Schmidt, CEO of Google, All Things Considered, NPR interview between 5:40 and 6:40, October 2, 2009.

Internet service providers and telecommunications companies play a significant, yet little known role in law enforcement and intelligence gathering.

Government agents routinely obtain customer records from these firms, detailing the telephone numbers dialed, text messages, emails and instant messages sent, web pages browsed, the queries submitted to search engines, and of course, huge amounts of geolocation data, detailing exactly where an individual was located at a particular date and time.

These Internet/telecommunications firms all have special departments, many open 24 hours per day, whose staff do nothing but respond to legal requests. Their entire purpose is to facilitate the disclosure of their customers' records to law enforcement and intelligence agencies -- all following the letter of the law, of course.

'Juking' the stats

If you were to believe the public surveillance statistics, you might come away with the idea that government surveillance is exceedingly rare in the United States.

Every year, the US Courts produce the wiretap report which details every 'intercept' order requested by Federal, state and local law enforcement agencies during that year. Before the police, FBI, DEA or other law enforcement agents can tap a phone, intercept an Internet connection, or place a covert bug into a suspect's home, they must obtain one of these orders, which law professor and blogger Orin Kerr describes as a "super warrant," due to the number of steps the government must go through in order to obtain one.

The official wiretap reports reveal that there are approximately 2000 intercept orders sought and approved by judges each year.



As you might expect, the vast majority of these intercept orders are for phone wiretaps. Thus, for example, of the 1891 intercept orders granted in 2008, all but 134 of them were issued for phone taps.



The number of electronic intercept orders, which are required to intercept Internet traffic and other computer assisted communications is surprisingly low. There were just 10 electronic intercept orders requested in 2008, and only 4 of those were from the Federal government -- which was itself a massive increase over the one single order sought by the entire Department of Justice in both 2006 and 2007.



This graph, and the information contained within it, simply does not make sense. The number of electronic intercepts should, like the number of phone wiretaps, be going up over time, as more people purchase computers, and as criminals or other persons of government interest start to use computers to communicate and plan their business activities. Why were there almost 700 total (federal and state) electronic intercept orders obtained in 1998, but only 10 in 2008?

While I have no way of proving it, I suspect that there have never been a large amount of electronic intercept orders obtained in order to monitor computer communications. The electronic intercept orders, as reported by the US Courts, include those used to monitor computers, fax machines, and pagers. The wiretap report doesn't break down the numbers for these individual technologies -- but I suspect that the nearly 700 electronic intercept orders granted in 1998 were largely for fax machines and pagers. Thus, as these technologies died out, it is only natural that the number of electronic intercept orders declined

That still leaves us with one large question though: How often are Internet communications being monitored, and what kind of orders are required in order to do so.

The stats don't cover all forms of law enforcement surveillance

As I described at the beginning of this article, the government routinely obtains customer records from ISPs detailing the telephone numbers dialed, text messages, emails and instant messages sent, web pages browsed, the queries submitted to search engines, and geolocation data, detailing exactly where an individual was located at a particular date and time.

However, while there are many ways the government can monitor an individual, very few of these methods require an intercept order.

In general, intercept orders are required to monitor the contents of real time communications. Non-content information, such as the To/From and Subject lines for email messages, URLs of pages viewed (which includes search terms), and telephone numbers dialed can all be obtained with a pen register/trap & trace order.

While wiretaps require a "superwarrant" which must be evaluated and approved by a judge following strict rules, government attorneys can obtain pen register orders by merely certifying that the information likely to be obtained is relevant to an ongoing criminal investigation -- a far lower evidentiary threshold.

In addition to the fact that they are far easier to obtain, pen register orders are also not included in the annual US courts wiretap report. Not to fear though -- a 1999 law requires that the Attorney General compile annual statistics regarding DOJ's use of pen register orders, which he must submit to Congress.

Unfortunately, the Department of Justice has ignored this law since 2004 -- when five years worth of reports were provided to Congress in the form of a single document dump covering 1999-2003. Since that one submission, both Congress and the American people have been kept completely in the dark regarding the Federal government's extensive use of pen registers.



Since we don't have any pen register stats for the last five years, it is difficult to do a current comparison. However, for the five years worth of data that we do have, it is possible to make a few observations.

First, in 2003, Federal agents used 15 times more pen registers and trap & traces than intercepts. Perhaps this was because each of the 578 Federal intercept orders obtained in 2003 had to be thoroughly evaluated and then approved by a judge, while the 5922 pen registers or 2649 trap & trace devices each received a cursory review at best.

Second, the number of pen registers and trap & trace orders went down after 9/11, at a time when the FBI and other parts of DOJ were massively increasing their use of surveillance. 4210 pen registers were used in 2000, 4172 in 2001, and 4103 in 2002.

It is important to note that these numbers only reveal part of the picture, as these statistics only cover the use of pen registers/trap & traces by the Department of Justice. There are no public stats that document the use of these surveillance methods by state or local law enforcement. Likewise, these stats only cover the requests made for law enforcement purposes -- pen register surveillance performed by the intelligence community isn't reported, even in aggregate form.

Stored Communications

The reporting requirements for intercepts and pen registers only apply to the surveillance of live communications. However, communications or customer records that are in storage by third parties, such as email messages, photos or other files maintained in the cloud by services like Google, Microsoft, Yahoo Facebook and MySpace are routinely disclosed to law enforcement, and there is no legal requirement that statistics on these kinds of requests be compiled or published.

There is currently no way for academic researchers, those in Congress, or the general public to determine how often most email, online photo sharing or social network services deliver their customers' data to law enforcement agents.

While these firms deliver sensitive customer data to government agents on a daily basis, they go out of their way to avoid discussing it.

"As a matter of policy, we do not comment on the nature or substance of law enforcement requests to Google."

"We do not comment on specific requests from the government. Microsoft is committed to protecting the privacy of our customers and complies with all applicable privacy laws."

"Given the sensitive nature of this area and the potential negative impact on the investigative capabilities of public safety agencies, Yahoo does not discuss the details of law enforcement compliance. Yahoo responds to law enforcement in compliance with all applicable laws."

Only Facebook and AOL have publicly disclosed the approximate number of requests they receive from the government -- 10-20 requests per day and 1000 requests per month, respectively.

Follow the money

"When I can follow the money, I know how much of something is being consumed - how many wiretaps, how many pen registers, how many customer records. Couple that with reporting, and at least you have the opportunity to look at and know about what is going on.
-- Albert Gidari Jr., Keynote Address: Companies Caught in the Middle, 41 U.S.F. L. Rev. 535, Spring 2007.

Telecommunications carriers and Internet firms do not just hand over sensitive customer information to law enforcement officers. No -- these companies charge the government for it.

Cox Communications, the third largest cable provider in the United States, is the only company I've found that has made its surveillance price list public. Thus, we are able to learn that the company charges $2,500 for the first 60 days of a pen register/trap and trace, followed by $2,000 for each additional 60 days, while it charges $3,500 for the first 30 days of a wiretap, followed by $2,500 for each additional 30 days. Historical data is much cheaper -- 30 days of a customer's call detail records can be obtained for a mere $40.

Comcast does not make their price list public, but the company's law enforcement manual was leaked to the Internet a couple years ago. Based on that 2007 document, it appears that Comcast charges at least $1000 for the first month of a wiretap, followed by $750 for each month after that.

In the summer of 2009, I decided to try and follow the money trail in order to determine how often Internet firms were disclosing their customers' private information to the government. I theorized that if I could obtain the price lists of each ISP, detailing the price for each kind of service, and invoices paid by the various parts of the Federal government, then I might be able to reverse engineer some approximate statistics. In order to obtain these documents, I filed Freedom of Information Act requests with every part of the Department of Justice that I could think of.

The first agency within DOJ to respond was the U.S. Marshals Service (USMS), who informed me that they had price lists on file for Cox, Comcast, Yahoo! and Verizon. Since the price lists were provided to USMS voluntarily, the companies were given the opportunity to object to the disclosure of their documents. Neither Comcast nor Cox objected (perhaps because their price lists were already public), while both Verizon and Yahoo! objected to the disclosure.

I then filed a second request, asking for copies of the two firms' objection letters. Those letters proved to be more interesting than the price lists I originally sought.

Click here for the complete Verizon price list letter.
Click here for the complete Yahoo! price list letter.

First, Verizon revealed in its letter that it "receives tens of thousands of requests for customer records, or other customer information from law enforcement."


Assuming a conservative estimate of 20,000 requests per year, Verizon alone receives more requests from law enforcement per year than can be explained by any published surveillance statistics. That doesn't mean the published stats are necessarily incorrect -- merely that most types of surveillance are not reported.

In its letter, Verizon lists several reasons why it believes that its price list should remain confidential. Of these reasons -- two stand out. First, the company argues, customers might "become unnecessarily afraid that their lines have been tapped, or call Verizon to ask if their lines are tapped (a question we cannot answer.)"

The second interesting reason is that:

"Our pricing schedules reveal (for just two examples) that upon the lawful request of law enforcement we are able to [redacted by USMS]. In cooperation with law enforcement, we do not release that information to the general public out of concern that a criminal may become aware of our capabilities, see a change in his service, correctly assume that the change was made at the lawful request of law enforcement and alter his behavior to thwart a law enforcement investigation."

I'm not sure what capabilities this section is referring to -- but I'd love to find out more.

Yahoo!'s letter is far less exciting, and doesn't even hint at the number of requests that the company receives. There is one interesting tidbit in the letter though:

"It is reasonable to assume from these comments that the [pricing] information, if disclosed, would be used to "shame" Yahoo! and other companies -- and to "shock" their customers. Therefore, release of Yahoo!'s information is reasonably likely to lead to impairment of its reputation for protection of user privacy and security, which is a competitive disadvantage for technology companies."

Geolocation

"Federal officials are routinely asking courts to order cellphone companies to furnish real-time tracking data so they can pinpoint the whereabouts of drug traffickers, fugitives and other criminal suspects, according to judges and industry lawyers." Ellen Nakashima, Cellphone Tracking Powers on Request, The Washington Post, November 23, 2007.

"Law enforcement routinely now requests carriers to continuously 'ping' wireless devices of suspects to locate them when a call is not being made ... so law enforcement can triangulate the precise location of a device and [seek] the location of all associates communicating with a target."
-- Christopher Guttman-McCabe, vice president of regulatory affairs for CTIA -- the Wireless Association, in a July 2007 comment to the Federal Communications Commission.

As mobile phones have become ubiquitous, the law enforcement community has learned to leverage the plentiful, often real-time location information that carriers can be compelled to provide. Location requests easily outnumber wiretaps, and as this article will reveal, likely outnumber all other forms of surveillance request too.

In terms of legal requirements, this information can often be gained through the use of a hybrid order, combining a Stored Communications Act request and a Pen Register request. As noted before, the former law has no reporting requirement, and the law requiring reports for the Pen Register requests has been ignored by the Department of Justice since 2004.

In March of this year, telecommunications lawyer Al Gidari, who represents many of the major telcos and ISPs, gave a talk at the Berkman Center at Harvard University. During his speech, he revealed that each of the major wireless carriers receive approximately 100 requests per week for customers' location information.

100 requests per week * 4 wireless major carriers (Sprint, Verizon, AT&T, T-Mobile) * 52 weeks = 20k requests per year.

While Gidari's numbers were shocking when I first heard them, I now have proof that he significantly underestimated the number of requests by several orders of magnitude.

Hanging with the spooks

Several times each year, in cities around the globe, representatives from law enforcement and intelligence agencies, telecommunications carriers and the manufacturers of wiretapping equipment gather for a closed door conference: ISS World: Intelligence Support Systems for Lawful Interception, Criminal Investigations and Intelligence Gathering.

ISS World is no stranger to the privacy community. Back in 2000, FBI agents showed off a prototype of the Carnivore interception system to attendees at ISS World. Days later, stories appeared in both the Wall Street Journal and The New York Times after one attendee leaked information to the press.

ISS World had been on the list of events that I'd wanted to attend for a long time, even moreso after my research interests started to focus on government surveillance. Thus, in October of this year, just a month after moving to Washington DC, I found myself at the Washington DC Convention Center, attending ISS World.

Looking around at the name badges pinned to the suits milling around the refreshment area, it really was a who's who of the spies and those who enable their spying. Household name telecom companies and equipment vendors, US government agencies (both law enforcement and intel). Also present were representatives from foreign governments -- Columbia, Mexico, Algeria, and Nigeria, who, like many of the US government employees, spent quite a bit of time at the vendor booths, picking up free pens and coffee mugs while they learned about the latest and greatest surveillance products currently on the market.

The main draw of the event for me was two panel discussions: A presentation on "Regulatory and CALEA Issues Facing Telecom Operators Deploying DPI Infrastructure", and a "Telecom Service Providers Roundtable Discussions"

Not knowing ahead of time what the speakers would say, and not wanting to be called a liar if I later cited an interesting quote in a research paper, I decided to make an audio recording of the two panels.

One wireless company, 50 million customers, 8 million law enforcement requests for customer GPS information in one year

Both panels are fascinating, and worth listening to in full.
Click here for an mp3 of the complete the Deep Packet Inspection Panel.
Click here for mp3 of entire telecom panel.

However, by far the most jaw-dropping parts of the telecom service providers roundtable were the following quotes:

"[M]y major concern is the volume of requests. We have a lot of things that are automated but that's just scratching the surface. One of the things, like with our GPS tool. We turned it on the web interface for law enforcement about one year ago last month, and we just passed 8 million requests. So there is no way on earth my team could have handled 8 million requests from law enforcement, just for GPS alone. So the tool has just really caught on fire with law enforcement. They also love that it is extremely inexpensive to operate and easy, so, just the sheer volume of requests they anticipate us automating other features, and I just don't know how we'll handle the millions and millions of requests that are going to come in.
-- Paul Taylor, Electronic Surveillance Manager, Sprint Nextel.

"In the electronic surveillance group at Sprint, I have 3 supervisors. 30 ES techs, and 15 contractors. On the subpoena compliance side, which is anything historical, stored content, stored records, is about 35 employees, maybe 4-5 supervisors, and 30 contractors. There's like 110 all together."
-- Paul Taylor, Electronic Surveillance Manager, Sprint Nextel, describing the number of employees working full time to comply with requests for customer records.

"Cricket doesn't have as many subscribers so our numbers are going to be less. I think we have 4.5 - 5 million subscribers. We get approximately 200 requests per calendar day, and that includes requests for records, intercepts. We don't have the type of automation they do, and we can't do the location specificy that they can, because we don't have GPS."
-- Janet A. Schwabe, Subpoena Compliance Manager, Cricket Communications

"Nextel's system, they statically assign IP addresses to all handsets ... We do have logs, we can go back to see the IP address that used MySpace. By the way - MySpace and Facebook, I don't know how many subpoenas those people get, or emergency requests but god bless, 95% of all IP requests, emergencies are because of MySpace or Facebook... On the Sprint 3G network, we have IP data back 24 months, and we have, depending on the device, we can actually tell you what URL they went to ... If [the handset uses] the [WAP] Media Access Gateway, we have the URL history for 24 months ... We don't store it because law enforcement asks us to store it, we store it because when we launched 3G in 2001 or so, we thought we were going to bill by the megabyte ... but ultimately, that's why we store the data ... It's because marketing wants to rifle through the data."
-- Paul Taylor, Electronic Surveillance Manager, Sprint Nextel.

"Two or three years ago, we probably had less than 10% of our requests including text messaging. Now, over half of all of our surveillance includes SMS messaging."
-- Paul Taylor, Electronic Surveillance Manager, Sprint Nextel.

Conclusion

As the information presented in this article has demonstrated, the publicly available law enforcement surveillance statistics are, at best misleading, and at worst, deceptive. It is simply impossible to have a reasonable debate amongst academics, public policy makers, and members of the public interest community when the very scale of these surveillance programs is secret.

As an example, consider the following quote from the November 4, 2009 markup hearing of the House Judiciary Committee, which is currently considering a bill to expand the government's PATRIOT Act surveillance powers. During the hearing, Rep. Lamar Smith, the Ranking (Minority) Member said the following:

Unlike other tools which actually collect content, such as wiretaps, pen registers and trap-and-trace devices merely request outgoing and incoming phone numbers. Because the government cannot collect any content using pen registers, a minimization requirement makes no sense. What is there is there to minimize?

After reading this article, it should be clear to the reader that pen registers and trap & trace devices are used for far more than just collecting phone numbers dialed. They are used to get email headers (including To, From and Subject lines), the URLs of web pages viewed by individuals, and in many situations, they are used (along with a Stored Communications Act request) to get geolocation information on mobile phone users.

The reason I'm quoting Rep. Smith isn't to poke fun at his expense, but to make a serious point. How can we have a serious public debate about law enforcement surveillance powers, when the senior most Republican on the committee responsible for the oversight of those powers doesn't understand how they are being used? Likewise, this paragraph should by no means be read as an attack on Rep. Smith. How can he be expected to understand the extensive modern use of pen registers, when the Department of Justice continues to break the law by failing to provide yearly statistics on the use of pen registers to Congress?

My point is this: The vast majority of the government's access to individuals' private data is not reported, either due to a failure on DOJ's part to supply the legally required statistics, or due to the fact that information regarding law enforcement requests for third party stored records (such as email, photos and other data located in the cloud) is not currently required to be collected or reported.

As for the millions of government requests for geo-location data, it is simply disgraceful that these are not currently being reported...but they should be.