By Declan McCullagh and David Warner
James Comey was confirmed as the new FBI director by the Senate Judiciary Committee confirmation at a hearing on Capital Hill recently. But Comey has a lot of explaining to do as new revelations emerge that the U.S. government is quietly pressuring telecommunications providers to install eavesdropping technology deep inside companies’ internal networks to facilitate surveillance efforts.Unbeknownst to many, a little-noticed section of the Patriot Act that added one word – “process” – to existing law authorized the FBI to implant its own surveillance technology on carriers’ networks. It was in part an effort to put the bureau’s Carnivore device, which also had a pen register mode, on a firmer legal footing. As a result of this near carte blanche surveillance, the FBI has developed custom “port reader” software to intercept Internet metadata in real time. And, in some cases, it wants to force Internet providers to use the software.
FBI officials have been sparring with service providers and carriers, a process that has on occasion included threats of contempt of court, in a bid to deploy government-provided software capable of intercepting and analyzing entire communications streams. The FBI’s legal position during these discussions is that the software’s real-time interception of metadata is authorized under thePatriot Act.
Attempts by the FBI to install what it internally refers to as “port reader” software, which have not been previously disclosed, were described to CNET in interviews over the last few weeks. One former government official said the software used to be known internally as the “harvesting program.”
Carriers are “extra-cautious” and are resisting installation of the FBI’s port reader software, an industry participant in the discussions said, in part because of the privacy and security risks of unknown surveillance technology operating on an sensitive internal network.
It’s “an interception device by definition,” said the industry participant, who spoke on condition of anonymity because court proceedings are sealed. “If magistrates knew more, they would approve less.” It’s unclear whether any carriers have installed port readers, and at least one is actively opposing the installation.
In a statement from a spokesman, the FBI said it has the legal authority to use alternate methods to collect Internet metadata, including source and destination IP addresses: “In circumstances where a provider is unable to comply with a court order utilizing its own technical solution(s), law enforcement may offer to provide technical assistance to meet the obligation of the court order.”
AT&T, T-Mobile, Verizon, Comcast, and Sprint declined to comment. A government source familiar with the port reader software said it is not used on an industry-wide basis, and only in situations where carriers’ own wiretap compliance technology is insufficient to provide agents with what they are seeking.
For criminal investigations, police are generally required to obtain a wiretap order from a judge tointercept the contents of real-time communication streams, including e-mail bodies, Facebook messages, or streaming video. Similar procedures exist for intelligence investigations under theForeign Intelligence Surveillance Act, which has received intense scrutiny after Edward Snowden’s disclosures about the National Security Agency’s PRISM database.
There’s a significant exception to both sets of laws: large quantities of metadata can be intercepted in real time through a so-called pen register and trap and trace order with minimal judicial review or oversight. That metadata includes IP addresses, e-mail addresses, identities of Facebook correspondents, Web sites visited, and possibly Internet search terms as well.
FBI headquarters on Pennsylvania Avenue NW in Washington, D.C.
“The statute hasn’t caught up with the realties of electronic communication,” says Colleen Boothby, a partner at the Washington, D.C. firm of Levine, Blaszak, Block & Boothby who represents technology companies and industry associations. Judges are not always in a position, Boothby said, to understand how technology has outpaced the law.
Judges have concluded in the past that they have virtually no ability to deny pen register and trap and trace requests. “The court under the Act seemingly provides nothing more than a rubber stamp,” wrote a federal magistrate judge in Florida, referring to the pen register law. A federal appeals court has ruled that the “judicial role in approving use of trap and trace devices is ministerial in nature.”
Even though the Patriot Act would authorize the FBI to deploy port reader software with a pen register order, the legal boundaries between permissible metadata and impermissible content remain fuzzy.
“Can you get things like packet size or other information that falls somewhere in the grey area between traditional pen register and content?” says Alan Butler, appellate advocacy counsel at the Electronic Privacy Information Center. “How does the judge know the box is actually doing? How does the service provider know? How does anyone except the technician know what’s going on?”
An industry source said the FBI wants providers to use their existing CALEA compliance hardware to route the targeted customer’s communications through the port reader software. The software discards the content data and extracts the metadata, which is then provided to the bureau. (The 1994 Communications Assistance for Law Enforcement Act, or CALEA, requires that communication providers adopt standard practices to comply with lawful intercepts.)
Whether the FBI believes its port reader software should be able to capture Subject: lines, URLs that can reveal search terms, Facebook “likes” and Google+ “+1s,” and so on remains ambiguous, and the bureau declined to elaborate this week. The Justice Department’s 2009 manual (PDF) requires “prior consultation” with the Computer Crime and Intellectual Property Section before prosecutors use a pen register to “collect all or part of a URL.”
“The last time I had to ask anybody that, they refused to answer,” says Paul Rosenzweig, a former Homeland Security official and founder of Red Branch Consulting, referring to Subject: lines. “They liked creative ambiguity.”
Some metadata may, however, not be legally accessible through the aforementioned pen registers. Federal law says law enforcement may acquire only “dialing, routing, addressing, or signaling information” without obtaining a wiretap. That clearly covers, for instance, the Internet Protocol address of a Web site that a targeted user is visiting. The industry-created CALEA standard also permits law enforcement to acquire timestamp information and other data.
But the FBI has configured its port reader to intercept all metadata – including packet size, port label, and IPv6 flow data – that exceeds what the law permits, according to one industry source.
Here’s a link to a 2006 court case elaborating on what counts as metadata for pen register and trap and trace orders. In it, the U.S. District Court in Washington, D.C., ruled that federal law “unambiguously authorize[s]” the government to use such an order to obtain all information about an e-mail account except “the Subject: line and body of the communication.”
In 2007, the FBI, the Justice Department, and the Drug Enforcement Administration asked the Federal Communications Commission for an “expedited rulemaking” process to expand what wireless providers are required to do under CALEA.
The agencies said they wanted companies to be required to provide more information about Internet packets, including the “field identifying the next level protocol used in the data portion of the Internet datagram,” which could reveal what applications a customer is using. The FCC never ruled on the law enforcement request.
Because it’s relatively easy to secure a pen register and trap and trace order — they only require a law enforcement officer to certify the results will likely be “relevant” to an investigation — they’re becoming more common. The Justice Department conducted 1,661 such intercepts in 2011 (PDF), up from only 922 a year earlier (PDF).
That less privacy-protective standard is no accident. A U.S. Senate report accompanying the pen register and trap and trace law said its authors did “not envision an independent judicial review of whether the application meets the relevance standard.” Rather, the report said, judges are only permitted to “review the completeness” of the paperwork.
Hanni Fakhoury, a staff attorney at the Electronic Frontier Foundation and a former federal public defender, said he’s concerned about port reader software doing more than the carriers know. “The bigger fear is that the boxes are secretly storing something,” he said, “or that they’re doing more than just simply allowing traffic to sift through and pulling out the routing information.”
“For the Feds to try to push the envelope is to be expected,” Fakhoury said. “But that doesn’t change the fact that we have laws in place to govern this behavior for a good reason.”