Saturday, January 21, 2006

Cringely surveys the Bush surveilance program

Why did Bush bypass FISA? The story he gives doesn't hold water; FISA would have supported his stated goals. So either Bush is mad with power lust or he needed to do something else. Most of us suspect a combination of both, but really more of the latter. He wanted to do untargeted surveilance of some sort. That's the strong consensus of the mainstream geek security community.

The next question is whether the NSA was studying the content of messages, or whether they were studying "message metadata". If it was the latter, they could apply social network tools to study communication networks (directed graphs) and correlate message length and duration with other parameters. The message metadata might then be used to target further surveilance and/or intercepts, with our without FISA approval. Interstingly, depending on how the post-Nixon laws were written, metadata surveilance may have been omitted -- providing a loophole the NSA could exploit.

A secondary question is whether this is a good use of resources. Schneier argues it wasn't, that the available evidence suggests a high level of false positive probes and a lot of wasted attention -- not to mention harm to the 'false positives'. I confess analyzing metadata to focus seconary probes sounds plausibly effective to a novice like me, but this is Schneier's domain.

Now Cringely, one of my favorite tech gurus, weighs in (the title of the article is based on surveilance of the weekly conversations between Hitler and ITT during WW II, a rather shocking and suspect business): (emphases mine)
PBS | I, Cringely . January 19, 2006 - Hitler on Line One

To this point what we have been considering are technically called "intercepts" -- listening to phone calls and recording the information they contain. Most phone taps in the U.S. aren't conducted that way at all. On top of the approximately 3,500 CALEA and FISA intercepts conducted each year, there are another 75,000 domestic phone taps called "pen/traps" by the telephone company.

While interceptions capture the voice portion of a telephone call or the data portion of an electronic communication, such as the content of e-mail, pen/traps capture just the outgoing digits dialed (the pen register portion of the technology) and the numbers of the incoming callers (the trap and trace portion of the technology). In CALEA terms, these are "call-identifying information." [jf: metadata]

Court authorizations for interceptions are difficult to obtain for many reasons. Pen/traps are easy to obtain. While the government has to obtain court authorization to install a pen/trap, the role of the court in this review and approval procedure is merely "ministerial" -- primarily a form of record-keeping. The government has a very low hurdle to meet to obtain judicial approval for pen/traps, and if that hurdle is met, the court MUST approve the order. Pen/traps are very useful in a criminal investigation, and inexpensive compared to a court-approved interception. So, it is not surprising that there are so many more pen/traps than there are interceptions.

To get this far, I had to talk to a lot of former and current telco people, and one thing I learned is that they generally don't like having to do either type of phone tap. Under both laws, telephone companies that do this kind of work are supposed to be reimbursed for it, yet many phone companies never send a bill. Whether that is because of patriotism or fear of liability, I don't know. Many phone companies also outsource their phone taps to smaller firms that specialize in that kind of work. These firms handle the legal paperwork, and generally more than pay for themselves by billing the Feds, too, on behalf of the telco.

It feels a little creepy to me knowing that our telephone systems can be accessed at will by "rent-a-tap" outfits, and that the technology has advanced to the point where such intercepts can apparently be done from a properly-authorized PC.

Is all of this worth worrying about? What led me on this quest in the first place was the fact that I simply couldn't understand why the Administration felt the need to go beyond FISA, given that the court nearly always granted warrants and warrants could be done retroactively. But does it really matter? I didn't know whether to be outraged or bored, and I feared that most Americans were in similar positions.

Given that this is all about National Security, we'll probably never know the full answer. Even if the proper research is conducted and answers obtained, they won't be shared with you or me. But here's a hint from a lawyer who used to be in charge of exactly these compliance issues for one of the largest RBOCs: "While it is true the FISA court approves nearly all applications submitted to it, this is due primarily to the close vetting the DOJ attorneys give to applications before they are submitted to the court. In fact, the FISA appellate court noted that the DOJ standards had been higher than the statute required. I am unaware that the court has 'retroactively' approved any electronic surveillance that was not conducted in an emergency situation. There are four emergency situations enumerated in the statute. Even in an emergency, the government has to apply for approval of what they have already started or in some case finished and these applications have to meet the same strict standards as any other application."

So the probable answer is that the several hundred NSA communication intercepts wouldn't have qualified for submission by the DoJ to the FISA court, and some of those might not have qualified for FISA court orders even if they had been submitted. It looks like the difference between using a rifle or a shotgun, with the Bush Administration clearly preferring the shotgun approach. Only time will tell, though, if what they are doing is legal.
So Cringely argues that it's harder to get intercepts than FISA's record shows, and that there's a low hurdle for monitoring metadata. Interesting. It is interesting that the "dirty work" has been outsourced by phone companies; I suspect those independent firms are staffed by people with some interesting but unstated employment records. The technique of outsourcing the dirty work to the "private sector" has allowed many agencies, including the FBI to bypass the law.

No comments: