Has the FBI Turned to a "Broad New Wiretap Method"?
It's pretty rare for a law school conference to generate news that draws links from Slashdot and the Drudge Report. But the digital search and seizure conference I recently attended at Stanford generated such a story: Declan McCullagh's CNet News report, "FBI turns to broad new wiretap method".
Here's what Declan reported:
First, implementing wiretap orders always requires "minimization," and it wasn't clear to me whether Paul was just talking about the usual minimization procedures. Minimization is a fancy name for screening through the collected data to distinguish which data falls within the scope of the warrant and which doesn't. If a warrant seeks e-mails relating to narcotics trafficking, for example, someone has to go through the e-mails to identify which of the e-mails intercepted actually relate to narcotics trafficking. The idea is to protect privacy by making sure that only communications that relate to the crime are obtained by investigators. It wasn't clear to me if Paul was referring to this kind of common minimization procedure or something else.
Second, whatever the FBI is doing, it seems that they're doing only in the 10-15 cases a year in which the government obtains a full-content wiretap order to intercept electronic (that is, non-voice computer) communications. The legal issue that Paul and Richard discussed at the conference involved how to implement very-hard-to-obtain "super warrants," which can only be obtained based on a showing of probable cause, necessity, predicate felonies, and all the rest. Further, the implementation of Title III orders requires considerable disclosure to the courts as to what information was intercepted — as well as disclosure to third-parties whose communications were intercepted. Given all of this judicial oversight, the chances that the FBI and DOJ would try to abuse that authority strikes me as pretty low.
When you add in DOJ's response — which unfortunately hasn't received a lot of attention — it suggests to me that Declan's story is inaccurate. DOJ not only says that its practices haven't changed, it discusses the two types of minimization it has long performed to implement Wiretap orders: minimization within a particular target, and use of a tool (such as a descendant of the privacy-enhancing Carnivore) to screen for particular traffic.
Although we can't be entirely sure, as it's always hard to figure out the details of surveillance systems without all the facts, my sense is that this is much ado about nothing.
Here's what Declan reported:
The FBI appears to have adopted an invasive Internet surveillance technique that collects far more data on innocent Americans than previously has been disclosed.The Justice Department responded to Declan's story with an e-mail which was reprinted in a post over at the ZDNet blog:
Instead of recording only what a particular suspect is doing, agents conducting investigations appear to be assembling the activities of thousands of Internet users at a time into massive databases, according to current and former officials. That database can subsequently be queried for names, e-mail addresses or keywords.
Such a technique is broader and potentially more intrusive than the FBI's Carnivore surveillance system, later renamed DCS1000. It raises concerns similar to those stirred by widespread Internet monitoring that the National Security Agency is said to have done, according to documents that have surfaced in one federal lawsuit, and may stretch the bounds of what's legally permissible.
Call it the vacuum-cleaner approach. It's employed when police have obtained a court order and an Internet service provider can't "isolate the particular person or IP address" because of technical constraints, says Paul Ohm, a former trial attorney at the Justice Department's Computer Crime and Intellectual Property Section. (An Internet Protocol address is a series of digits that can identify an individual computer.)
That kind of full-pipe surveillance can record all Internet traffic, including Web browsing--or, optionally, only certain subsets such as all e-mail messages flowing through the network. Interception typically takes place inside an Internet provider's network at the junction point of a router or network switch.
The technique came to light at the Search & Seizure in the Digital Age symposium held at Stanford University's law school on Friday. Ohm, who is now a law professor at the University of Colorado at Boulder, and Richard Downing, a CCIPS assistant deputy chief, discussed it during the symposium.
Nothing has changed from our long-standing practice in implementing court-authorized law enforcement interception orders. The FBI records and retains only that data which it is authorized under law to record and retain — namely, the communications associated with court-approved targets.So what's going on? I was at the conference and heard the exchange between Paul Ohm and DOJ's Richard Downing. My conclusion at the time was that this was probably nothing of significance for two different reasons.
…[Wh]at law enforcement does is isolate the communications associated with the target facility and record only those communications. After law enforcement collects the targeted communications, as specified in the court order, we "minimize" the captured information by sorting it into relevant and non-relevant material (i.e., depending on whether the contents relate to the criminal activity specified in the court's order).
Such after-the-fact minimization is done with explicit authorization from the court, and no further use may be made of minimized (non-relevant) communications.
On rare occasions involving technical obstacles, we perform real-time filtering on large data connections carrying the traffic of multiple unrelated facilities, but only using automated filters that isolate and retain only the communications associated with the facility identified in the order. All data not relating to the targeted facility is instantly and irreversibly deleted. This data is therefore never read or comprehended by anyone in law enforcement.
The bottom line: Nothing has changed. We believe that Professor Ohm, quoted in the article, either was misquoted or misspoke.
First, implementing wiretap orders always requires "minimization," and it wasn't clear to me whether Paul was just talking about the usual minimization procedures. Minimization is a fancy name for screening through the collected data to distinguish which data falls within the scope of the warrant and which doesn't. If a warrant seeks e-mails relating to narcotics trafficking, for example, someone has to go through the e-mails to identify which of the e-mails intercepted actually relate to narcotics trafficking. The idea is to protect privacy by making sure that only communications that relate to the crime are obtained by investigators. It wasn't clear to me if Paul was referring to this kind of common minimization procedure or something else.
Second, whatever the FBI is doing, it seems that they're doing only in the 10-15 cases a year in which the government obtains a full-content wiretap order to intercept electronic (that is, non-voice computer) communications. The legal issue that Paul and Richard discussed at the conference involved how to implement very-hard-to-obtain "super warrants," which can only be obtained based on a showing of probable cause, necessity, predicate felonies, and all the rest. Further, the implementation of Title III orders requires considerable disclosure to the courts as to what information was intercepted — as well as disclosure to third-parties whose communications were intercepted. Given all of this judicial oversight, the chances that the FBI and DOJ would try to abuse that authority strikes me as pretty low.
When you add in DOJ's response — which unfortunately hasn't received a lot of attention — it suggests to me that Declan's story is inaccurate. DOJ not only says that its practices haven't changed, it discusses the two types of minimization it has long performed to implement Wiretap orders: minimization within a particular target, and use of a tool (such as a descendant of the privacy-enhancing Carnivore) to screen for particular traffic.
Although we can't be entirely sure, as it's always hard to figure out the details of surveillance systems without all the facts, my sense is that this is much ado about nothing.