BIG BROTHER REALLY DOES WANT TO WATCH YOU
FBI's Internet surveillance proposal raises privacy, legal concerns
CNET News writers Declan McCullagh and Anne Broache wrote an excellent article this week on the extent of FBI Internet surveillance ambitions, reporting that the FBI director and a Republican congressman have a far-reaching plan for warrantless activity in monitoring Internet users.
The article recounts that during a House of Representatives Judiciary Committee hearing this week, the FBI's Robert Mueller and Rep. Darrell Issa of California discussed a two-step approach to a potentially wide-ranging monitoring plan.
Step 1 involves asking Internet service providers to open their networks to the FBI voluntarily; but Step 2 would be a federal law forcing companies to do just that.
Issa suggested that Internet providers could get "consent from every single person who signed up to operate under their auspices" for federal police to monitor network traffic for attempts to steal personal information and national secrets.
Mueller had a more direct approach and said that "legislation has to be developed" for "some omnibus [read: all-embracing] search capability, utilizing filters that would identify the illegal activity as it comes through and give us the ability to pre-empt it."
The writer accurately opines that these are remarkable statements. The clearest reading of them points to deep packet inspection of network traffic - akin to the measures Comcast took against BitTorrent and to what Phorm in the United Kingdom has done, in terms of advertising - plus additional processing to detect and thwart any "illegal activity."
"That's very troubling," said Greg Nojeim, director of the project on freedom, security, and technology at the Center for Democracy and Technology. "It could be an effort to achieve, through unknowing consent, permission to monitor communications in a way that would otherwise be prohibited by law."
Unfortunately, neither Issa nor Mueller recognised that such a plan is probably illegal. California law, for instance, says anyone who "intentionally and without the consent of all parties to a confidential communication" conducts electronic surveillance shall be imprisoned for one year.
"I think there's a substantial problem with what [Director] Mueller's proposing," said Al Gidari, a partner at the Perkins Coie law firm who represents telecommunications providers. "He forgets the states have the power to pass more restrictive rules, and 12 of them have. He also forgets that we live in a global world, and the rest of the world doesn't quite see eye to eye on this issue. That consent would be of dubious validity in Europe, for instance, where many of our customers reside."
Strangely, the FBI seemed reluctant to expand on its efforts when CNet pursued the matter.
McCullagh reports: "After we made repeated attempts to get the bureau to explain what Mueller was talking about, FBI spokesman Paul Bresson responded by saying, "At this point, I'm going to let the director's comments, in the context of the exchange with Rep. Issa, speak for themselves."
So what is 'consent?'
What Step 1 appears to involve is persuading Internet providers to amend their terms of service and insert an 'FBI-can-monitor-everything clause.' Informed consent is one thing. But does anyone actually read the fine print on their contracts with their broadband or wireless provider? If not, is that fine print good enough?
Informed consent is important because of the wording of the Electronic Communications Privacy Act, or ECPA, which says providers may share the contents of customers' communications only "with the lawful consent" of the user. Otherwise, providers are breaking the law and can be sued for damages. And without consent, the FBI would bump up against the Fourth Amendment's prohibition on unreasonable searches.
The 2003 In Re Pharmatrak decision from the U.S. Court of Appeals for the 1st Circuit offers one useful measuring stick on proving consent. The court ruled in a case involving Web tracking "that it makes more sense to place the burden of showing consent on the party seeking the benefit of the exception." The judges approvingly cited a second case, which said "consent can only be implied when the surrounding circumstances convincingly show that the party knew about and consented to the interception."
The Federal Trade Commission, too, has taken a relatively strict view of informed consent. In its lawsuit filed against Odysseus Marketing, the FTC argued that it was unlawful for a company not "to adequately disclose" to customers that it was sharing information with third parties. The case ended in a settlement.
McCullagh translates these findings as: "Obtaining "lawful consent" for FBI monitoring means making sure that your customers actually know what's going on and agree. Hiding it in the terms of service doesn't qualify."
Step 2 is more draconian
Having examined the practical and legal rights problems associated with following Step 1, the CNet piece then turns to Step 2, observing that this would require a revision of U.S. surveillance law.
Because the FBI would run into serious problems doing wide-scale Internet surveillance under existing state and federal law, step 2 may be necessary.
In the closed hearings, Rep. Issa said he wants to "craft" legislation that would give the FBI the power to look "for those illegal activities, and then act on those, both defensively and, either yourselves or certainly other agencies, offensively in order to shut down a crime in process."
He worried about "national-security secrets and just the common information of private individuals" being at risk.
In his response, Mueller said he wants Congress to "give us the ability to pre-empt that illegal activity."
"Looking for" a crime in progress on the Internet can take multiple paths. If it's a denial-of-service attack against eBay or Amazon.com originating from Russian servers, it can be detected by measuring the amount of traffic without inspecting the contents each packet.
But to detect fraud and "national-security secrets," as well as personal information being transferred, deep packet inspection would be necessary - roughly on a scale of the Great Firewall of China, McCullagh observes.
Needless to say, detecting "illegal activity" would soon be extended to copyright infringement and peer-to-peer networks.
"I think you bump squarely into the Fourth Amendment when you get into the required waiver of constitutional protections to use a service," said attorney Gidari. "Why don't we extend it to include not criticizing the government? Which right is next? You've still got to have, at the end of the day, a constitutionally supportable legal process to get access to anyone's communications. This cannot be an end run around that."
The problem of how to "shut down a crime in process" and "pre-empt that illegal activity" is more difficult and, perhaps, more worrisome.
The surveillance society is the best society?
Given a copy of the hearings transcript, Kurt Opsahl, a senior staff attorney at the Electronic Frontier Foundation in San Francisco, said: "It certainly is [Director] Mueller's responsibility to explain what it is that he's looking for.
"But it seems that he's saying, essentially, that the surveillance society is the best society. A society in which the government has complete information about illegal activities and is able to enforce that. Throughout our country's existence, we've lived in a society where the government doesn't have perfect information.
"The FBI has some obligation to explain: what is it going to focus on here? Once you have the technology in place, will it then be used for more and more?"
If you thought the tussles over Net neutrality were heated before, imagine a broadband provider throttling certain applications - and being able to blame that throttling capability on law enforcement. At the very least, it would be a wonderful excuse.
Which is why it's a shame, and somewhat troubling, that the FBI has chosen not to say what its director is proposing (and apparently will be working with Congress to write into law).
The Einstein plan
McCullagh postulates that one possible germ for this Internet-monitoring idea lies in Homeland Security's so-called Einstein program, which is designed to monitor Internet mischief and network disruptions aimed at federal agencies. Not much about Einstein is public, but a privacy impact assessment offers some details.
Homeland Security Spokeswoman Laura Keehner said in a telephone interview with CNet that the primary focus of Einstein at the moment is protecting federal-government networks.
"Obviously, the FBI could clarify or elaborate on what they said," Keehner said. "I do know that (from Homeland Security's perspective) we now first need to get our .gov in order. We need to concentrate on our federal networks...We're also bringing in the private sector to open those lines of discussion and figure out ways that the private sector can better equip themselves to stop any cyber-incursions."
Secret orders
Another possibly related effort is the Bush administration's so-called Cyber Initiative. In January, President Bush signed a pair of secret orders--National Security Presidential Directive 54/Homeland Security Presidential Directive 23 - that apparently deal with detecting and preventing Internet disruptions.
Rep. Issa is a member of the House Intelligence Committee, which held a closed-door hearing on Thursday devoted to the Cyber Initiative - and, during the exchange with Mueller a day earlier, he said his monitoring idea was related.
The House Intelligence committee didn't want to talk when pressed by CNet. But a representative of the House Homeland Security committee chaired by Rep. Bennie Thompson (D-Miss.) sent three bullet points in an e-mail message:
1. Chance of a legislative initiative that would allow FBI to place filters to identify illegal activity at choke points on the .com space:
2. We still have concerns and questions about the initiative, and we continue to do oversight.
3. Legislation is not being considered for any of the new proposals, outside of the budget requests made by the administration.
Point 3 seems to relate to the administration's 2009 budget request, which asks Congress for $293.5 million to expand Einstein to the entire federal government.
The Senate Homeland Security and Governmental Affairs Committee, which is headed by Joe Lieberman of Connecticut, also held a classified hearing last month on the administration's Cyber Initiative.
But a committee aide told CNet: "The idea of filtering for criminal activity has never been discussed with us. Nor has any new statutory authority been discussed. In fact, the administration explicitly said it didn't need any legislation. Furthermore, the idea of monitoring non-government domains has never been proposed in briefings the committee has received."
Of some comfort is McCullagh's observation that at least in the current political climate, legislation of the sort Rep. Issa wants to draft isn't likely to slide through Congress unopposed.
Still, as McCullagh opines, it's worth keeping in mind that the FBI has a recent, and not very flattering, history of trying to expand the scope of surveillance methods. Bureau agents used so-called exigent letters to obtain records from telephone companies, claiming that an emergency situation existed.
In reality, there was often no emergency at all. The Justice Department's inspector general found similar abuses of national-security letters. The FBI also tried to bypass the Foreign Intelligence Surveillance Court when it denied requests to obtain records.
The CNet article ends with the valid comment that maybe Director Mueller can provide a convincing argument for why laws giving the FBI "omnibus search capability utilizing filters that would identify the illegal activity" would be wise. Or not.
But when politicians weigh the idea of trusting the FBI with such broad and unprecedented authority, they should consider the abuses that have already taken place with far less powerful tools.
FBI's Internet surveillance proposal raises privacy, legal concerns
CNET News writers Declan McCullagh and Anne Broache wrote an excellent article this week on the extent of FBI Internet surveillance ambitions, reporting that the FBI director and a Republican congressman have a far-reaching plan for warrantless activity in monitoring Internet users.
The article recounts that during a House of Representatives Judiciary Committee hearing this week, the FBI's Robert Mueller and Rep. Darrell Issa of California discussed a two-step approach to a potentially wide-ranging monitoring plan.
Step 1 involves asking Internet service providers to open their networks to the FBI voluntarily; but Step 2 would be a federal law forcing companies to do just that.
Issa suggested that Internet providers could get "consent from every single person who signed up to operate under their auspices" for federal police to monitor network traffic for attempts to steal personal information and national secrets.
Mueller had a more direct approach and said that "legislation has to be developed" for "some omnibus [read: all-embracing] search capability, utilizing filters that would identify the illegal activity as it comes through and give us the ability to pre-empt it."
The writer accurately opines that these are remarkable statements. The clearest reading of them points to deep packet inspection of network traffic - akin to the measures Comcast took against BitTorrent and to what Phorm in the United Kingdom has done, in terms of advertising - plus additional processing to detect and thwart any "illegal activity."
"That's very troubling," said Greg Nojeim, director of the project on freedom, security, and technology at the Center for Democracy and Technology. "It could be an effort to achieve, through unknowing consent, permission to monitor communications in a way that would otherwise be prohibited by law."
Unfortunately, neither Issa nor Mueller recognised that such a plan is probably illegal. California law, for instance, says anyone who "intentionally and without the consent of all parties to a confidential communication" conducts electronic surveillance shall be imprisoned for one year.
"I think there's a substantial problem with what [Director] Mueller's proposing," said Al Gidari, a partner at the Perkins Coie law firm who represents telecommunications providers. "He forgets the states have the power to pass more restrictive rules, and 12 of them have. He also forgets that we live in a global world, and the rest of the world doesn't quite see eye to eye on this issue. That consent would be of dubious validity in Europe, for instance, where many of our customers reside."
Strangely, the FBI seemed reluctant to expand on its efforts when CNet pursued the matter.
McCullagh reports: "After we made repeated attempts to get the bureau to explain what Mueller was talking about, FBI spokesman Paul Bresson responded by saying, "At this point, I'm going to let the director's comments, in the context of the exchange with Rep. Issa, speak for themselves."
So what is 'consent?'
What Step 1 appears to involve is persuading Internet providers to amend their terms of service and insert an 'FBI-can-monitor-everything clause.' Informed consent is one thing. But does anyone actually read the fine print on their contracts with their broadband or wireless provider? If not, is that fine print good enough?
Informed consent is important because of the wording of the Electronic Communications Privacy Act, or ECPA, which says providers may share the contents of customers' communications only "with the lawful consent" of the user. Otherwise, providers are breaking the law and can be sued for damages. And without consent, the FBI would bump up against the Fourth Amendment's prohibition on unreasonable searches.
The 2003 In Re Pharmatrak decision from the U.S. Court of Appeals for the 1st Circuit offers one useful measuring stick on proving consent. The court ruled in a case involving Web tracking "that it makes more sense to place the burden of showing consent on the party seeking the benefit of the exception." The judges approvingly cited a second case, which said "consent can only be implied when the surrounding circumstances convincingly show that the party knew about and consented to the interception."
The Federal Trade Commission, too, has taken a relatively strict view of informed consent. In its lawsuit filed against Odysseus Marketing, the FTC argued that it was unlawful for a company not "to adequately disclose" to customers that it was sharing information with third parties. The case ended in a settlement.
McCullagh translates these findings as: "Obtaining "lawful consent" for FBI monitoring means making sure that your customers actually know what's going on and agree. Hiding it in the terms of service doesn't qualify."
Step 2 is more draconian
Having examined the practical and legal rights problems associated with following Step 1, the CNet piece then turns to Step 2, observing that this would require a revision of U.S. surveillance law.
Because the FBI would run into serious problems doing wide-scale Internet surveillance under existing state and federal law, step 2 may be necessary.
In the closed hearings, Rep. Issa said he wants to "craft" legislation that would give the FBI the power to look "for those illegal activities, and then act on those, both defensively and, either yourselves or certainly other agencies, offensively in order to shut down a crime in process."
He worried about "national-security secrets and just the common information of private individuals" being at risk.
In his response, Mueller said he wants Congress to "give us the ability to pre-empt that illegal activity."
"Looking for" a crime in progress on the Internet can take multiple paths. If it's a denial-of-service attack against eBay or Amazon.com originating from Russian servers, it can be detected by measuring the amount of traffic without inspecting the contents each packet.
But to detect fraud and "national-security secrets," as well as personal information being transferred, deep packet inspection would be necessary - roughly on a scale of the Great Firewall of China, McCullagh observes.
Needless to say, detecting "illegal activity" would soon be extended to copyright infringement and peer-to-peer networks.
"I think you bump squarely into the Fourth Amendment when you get into the required waiver of constitutional protections to use a service," said attorney Gidari. "Why don't we extend it to include not criticizing the government? Which right is next? You've still got to have, at the end of the day, a constitutionally supportable legal process to get access to anyone's communications. This cannot be an end run around that."
The problem of how to "shut down a crime in process" and "pre-empt that illegal activity" is more difficult and, perhaps, more worrisome.
The surveillance society is the best society?
Given a copy of the hearings transcript, Kurt Opsahl, a senior staff attorney at the Electronic Frontier Foundation in San Francisco, said: "It certainly is [Director] Mueller's responsibility to explain what it is that he's looking for.
"But it seems that he's saying, essentially, that the surveillance society is the best society. A society in which the government has complete information about illegal activities and is able to enforce that. Throughout our country's existence, we've lived in a society where the government doesn't have perfect information.
"The FBI has some obligation to explain: what is it going to focus on here? Once you have the technology in place, will it then be used for more and more?"
If you thought the tussles over Net neutrality were heated before, imagine a broadband provider throttling certain applications - and being able to blame that throttling capability on law enforcement. At the very least, it would be a wonderful excuse.
Which is why it's a shame, and somewhat troubling, that the FBI has chosen not to say what its director is proposing (and apparently will be working with Congress to write into law).
The Einstein plan
McCullagh postulates that one possible germ for this Internet-monitoring idea lies in Homeland Security's so-called Einstein program, which is designed to monitor Internet mischief and network disruptions aimed at federal agencies. Not much about Einstein is public, but a privacy impact assessment offers some details.
Homeland Security Spokeswoman Laura Keehner said in a telephone interview with CNet that the primary focus of Einstein at the moment is protecting federal-government networks.
"Obviously, the FBI could clarify or elaborate on what they said," Keehner said. "I do know that (from Homeland Security's perspective) we now first need to get our .gov in order. We need to concentrate on our federal networks...We're also bringing in the private sector to open those lines of discussion and figure out ways that the private sector can better equip themselves to stop any cyber-incursions."
Secret orders
Another possibly related effort is the Bush administration's so-called Cyber Initiative. In January, President Bush signed a pair of secret orders--National Security Presidential Directive 54/Homeland Security Presidential Directive 23 - that apparently deal with detecting and preventing Internet disruptions.
Rep. Issa is a member of the House Intelligence Committee, which held a closed-door hearing on Thursday devoted to the Cyber Initiative - and, during the exchange with Mueller a day earlier, he said his monitoring idea was related.
The House Intelligence committee didn't want to talk when pressed by CNet. But a representative of the House Homeland Security committee chaired by Rep. Bennie Thompson (D-Miss.) sent three bullet points in an e-mail message:
1. Chance of a legislative initiative that would allow FBI to place filters to identify illegal activity at choke points on the .com space:
2. We still have concerns and questions about the initiative, and we continue to do oversight.
3. Legislation is not being considered for any of the new proposals, outside of the budget requests made by the administration.
Point 3 seems to relate to the administration's 2009 budget request, which asks Congress for $293.5 million to expand Einstein to the entire federal government.
The Senate Homeland Security and Governmental Affairs Committee, which is headed by Joe Lieberman of Connecticut, also held a classified hearing last month on the administration's Cyber Initiative.
But a committee aide told CNet: "The idea of filtering for criminal activity has never been discussed with us. Nor has any new statutory authority been discussed. In fact, the administration explicitly said it didn't need any legislation. Furthermore, the idea of monitoring non-government domains has never been proposed in briefings the committee has received."
Of some comfort is McCullagh's observation that at least in the current political climate, legislation of the sort Rep. Issa wants to draft isn't likely to slide through Congress unopposed.
Still, as McCullagh opines, it's worth keeping in mind that the FBI has a recent, and not very flattering, history of trying to expand the scope of surveillance methods. Bureau agents used so-called exigent letters to obtain records from telephone companies, claiming that an emergency situation existed.
In reality, there was often no emergency at all. The Justice Department's inspector general found similar abuses of national-security letters. The FBI also tried to bypass the Foreign Intelligence Surveillance Court when it denied requests to obtain records.
The CNet article ends with the valid comment that maybe Director Mueller can provide a convincing argument for why laws giving the FBI "omnibus search capability utilizing filters that would identify the illegal activity" would be wise. Or not.
But when politicians weigh the idea of trusting the FBI with such broad and unprecedented authority, they should consider the abuses that have already taken place with far less powerful tools.
