FBI pressures Internet providers to install surveillance software

FBI pressures Internet providers to install surveillance software

CNET has learned the FBI has developed custom "port reader" software to intercept Internet metadata in real time. And, in some cases, it wants to force Internet providers to use the software.

Declan McCullagh by Declan McCullagh  August 2, 2013 12:26 PM PDT

The U.S. government is quietly pressuring telecommunications providers to install eavesdropping technology deep inside companies' internal networks to facilitate surveillance efforts.

FBI officials have been sparring with carriers, a process that has on occasion included threats of contempt of court, in a bid to deploy government-provided software capable of intercepting and analyzing entire communications streams. The FBI's legal position during these discussions is that the software's real-time interception of metadata is authorized under the Patriot Act.

Attempts by the FBI to install what it internally refers to as "port reader" software, which have not been previously disclosed, were described to CNET in interviews over the last few weeks. One former government official said the software used to be known internally as the "harvesting program."

Carriers are "extra-cautious" and are resisting installation of the FBI's port reader software, an industry participant in the discussions said, in part because of the privacy and security risks of unknown surveillance technology operating on an sensitive internal network.

It's "an interception device by definition," said the industry participant, who spoke on condition of anonymity because court proceedings are sealed. "If magistrates knew more, they would approve less." It's unclear whether any carriers have installed port readers, and at least one is actively opposing the installation.

In a statement from a spokesman, the FBI said it has the legal authority to use alternate methods to collect Internet metadata, including source and destination IP addresses: "In circumstances where a provider is unable to comply with a court order utilizing its own technical solution(s), law enforcement may offer to provide technical assistance to meet the obligation of the court order."

AT&T, T-Mobile, Verizon, Comcast, and Sprint declined to comment. A government source familiar with the port reader software said it is not used on an industry-wide basis, and only in situations where carriers' own wiretap compliance technology is insufficient to provide agents with what they are seeking.

For criminal investigations, police are generally required to obtain a wiretap order from a judge to intercept the contents of real-time communication streams, including e-mail bodies, Facebook messages, or streaming video. Similar procedures exist for intelligence investigations under the Foreign Intelligence Surveillance Act, which has received intense scrutiny after Edward Snowden's disclosures about the National Security Agency's PRISM database.

There's a significant exception to both sets of laws: large quantities of metadata can be intercepted in real time through a so-called pen register and trap and trace order with minimal judicial review or oversight. That metadata includes IP addresses, e-mail addresses, identities of Facebook correspondents, Web sites visited, and possibly Internet search terms as well.

"The statute hasn't caught up with the realties of electronic communication," says Colleen Boothby, a partner at the Washington, D.C. firm of Levine, Blaszak, Block & Boothby who represents technology companies and industry associations. Judges are not always in a position, Boothby said, to understand how technology has outpaced the law.

Judges have concluded in the past that they have virtually no ability to deny pen register and trap and trace requests. "The court under the Act seemingly provides nothing more than a rubber stamp," wrote a federal magistrate judge in Florida, referring to the pen register law. A federal appeals court has ruled that the "judicial role in approving use of trap and trace devices is ministerial in nature."

A little-noticed section of the Patriot Act that added one word -- "process" -- to existing law authorized the FBI to implant its own surveillance technology on carriers' networks. It was in part an effort to put the bureau's Carnivore device, which also had a pen register mode, on a firmer legal footing.

A 2003 compliance guide prepared by the U.S. Internet Service Provider Association reported that the Patriot Act's revisions permitted "law enforcement agencies to use software instead of physical mechanisms to collect relevant pen register" information.

Even though the Patriot Act would authorize the FBI to deploy port reader software with a pen register order, the legal boundaries between permissible metadata and impermissible content remain fuzzy.

"Can you get things like packet size or other information that falls somewhere in the grey area between traditional pen register and content?" says Alan Butler, appellate advocacy counsel at the Electronic Privacy Information Center. "How does the judge know the box is actually doing? How does the service provider know? How does anyone except the technician know what's going on?"

An industry source said the FBI wants providers to use their existing CALEA compliance hardware to route the targeted customer's communications through the port reader software. The software discards the content data and extracts the metadata, which is then provided to the bureau. (The 1994 Communications Assistance for Law Enforcement Act, or CALEA, requires that communication providers adopt standard practices to comply with lawful intercepts.)

Whether the FBI believes its port reader software should be able to capture Subject: lines, URLs that can reveal search terms, Facebook "likes" and Google+ "+1s," and so on remains ambiguous, and the bureau declined to elaborate this week. The Justice Department's 2009 manual (PDF) requires "prior consultation" with the Computer Crime and Intellectual Property Section before prosecutors use a pen register to "collect all or part of a URL."

"The last time I had to ask anybody that, they refused to answer," says Paul Rosenzweig, a former Homeland Security official and founder of Red Branch Consulting, referring to Subject: lines. "They liked creative ambiguity."

Some metadata may, however, not be legally accessible through a pen register. Federal law says law enforcement may acquire only "dialing, routing, addressing, or signaling information" without obtaining a wiretap. That clearly covers, for instance, the Internet Protocol address of a Web site that a targeted user is visiting. The industry-created CALEA standard also permits law enforcement to acquire timestamp information and other data.

But the FBI has configured its port reader to intercept all metadata -- including packet size, port label, and IPv6 flow data -- that exceeds what the law permits, according to one industry source.

In 2007, the FBI, the Justice Department, and the Drug Enforcement Administration asked the Federal Communications Commission for an "expedited rulemaking" process to expand what wireless providers are required to do under CALEA.

The agencies said they wanted companies to be required to provide more information about Internet packets, including the "field identifying the next level protocol used in the data portion of the Internet datagram," which could reveal what applications a customer is using. The FCC never ruled on the law enforcement request.

Because it's relatively easy to secure a pen register and trap and trace order -- they only require a law enforcement officer to certify the results will likely be "relevant" to an investigation -- they're becoming more common. The Justice Department conducted 1,661 such intercepts in 2011 (PDF), up from only 922 a year earlier (PDF).

That less privacy-protective standard is no accident. A U.S. Senate report accompanying the pen register and trap and trace law said its authors did "not envision an independent judicial review of whether the application meets the relevance standard." Rather, the report said, judges are only permitted to "review the completeness" of the paperwork.

Hanni Fakhoury, a staff attorney at the Electronic Frontier Foundation and a former federal public defender, said he's concerned about port reader software doing more than the carriers know. "The bigger fear is that the boxes are secretly storing something," he said, "or that they're doing more than just simply allowing traffic to sift through and pulling out the routing information."

"For the Feds to try to push the envelope is to be expected," Fakhoury said. "But that doesn't change the fact that we have laws in place to govern this behavior for a good reason."


http://news.cnet.com/8301-13578_3-57596791-38/fbi-pressures-internet-providers-to-install-surveillance-software/

Comments

Post a Comment

Popular posts from this blog

BMW traps alleged thief by remotely locking him in car

BMW traps alleged thief by remotely locking him in car Stealer's Wheel? Seattle police department quotes "Watchmen" movie in a recap of the recent arrest. Tech Culture by Gael Fashingbauer Cooper December 4, 2016 5:00 PM PST It's maybe the most satisfying arrest we can imagine. Seattle police caught an alleged car thief by enlisting the help of car maker BMW to both track and then remotely lock the luckless criminal in the very car he was trying to steal. Jonah Spangenthal-Lee, deputy director of communications for the Seattle Police Department, posted a witty summary of the event on the SPD's blog on Wednesday. Turns out if you're inside a stolen car, it's perhaps not the best time to take a nap. "A car thief awoke from a sound slumber Sunday morning (Nov. 27) to find he had been remotely locked inside a stolen BMW, just as Seattle police officers were bearing down on him," Spangenthal-Lee wrote. The suspect found a ke...
Read more

Report: World’s 1st remote brain surgery via 5G network performed in China

World’s 1st remote brain surgery via 5G network performed in China Published time: 17 Mar, 2019 13:12 ·           A Chinese surgeon has performed the world’s first remote brain surgery using 5G technology, with the patient 3,000km away from the operating doctor. Dr. Ling Zhipei remotely implanted a neurostimulator into his patient’s brain on Saturday, Chinese state-run media  reports . The surgeon manipulated the instruments in the Beijing-based PLAGH hospital from a clinic subsidiary on the southern Hainan island, located 3,000km away. The surgery is said to have lasted three hours and ended successfully. The patient, suffering from Parkinson’s disease, is said to be feeling well after the pioneering operation. The doctor used a computer connected to the next-generation 5G network developed by Chinese tech giant Huawei. The new device enabled a near real-time connection, according to Dr. Ling.  “You barely feel that th...
Read more

New ATM's: withdraw money with veins in your finger

New cash machines: withdraw money with veins in your finger Cash machine technology that reads the pattern of finger veins is already available in Japan and Poland   By Telegraph Reporters 6:59PM BST 15 May 2014 Cash machines could soon be installed with devices that identify customers by reading the veins in their fingers. The technology is already being rolled out in Poland, where 1,730 cash machines will this year be installed with readers, negating the need for a debit card and Pin. Developed by Hitachi, the Japanese electronics firm, the machines read the patterns of the veins just below the surface of the skin on your finger using infra-red sensors. The light is partially absorbed by haemoglobin in the veins to capture a unique finger vein pattern profile, which is matched to a profile. The technology is used by Japanese banks and also in Turkey, offering “groundbreaking levels of accuracy and speed of authentication”, Hitachi said, which in t...
Read more