While we’re watching government snooping expand from the NSA to the DEA, don’t forget the FBI. CNet’s tech reporter Declan McCullough reported on Friday that the FBI has pressured Internet providers to install software that would allow the government to conduct real-time intercepts of Internet activity without notifying users, and claims that the PATRIOT Act requires their compliance:
The U.S. government is quietly pressuring telecommunications providers to install eavesdropping technology deep inside companies’ internal networks to facilitate surveillance efforts.
FBI officials have been sparring with carriers, a process that has on occasion included threats of contempt of court, in a bid to deploy government-provided software capable of intercepting and analyzing entire communications streams. The FBI’s legal position during these discussions is that the software’s real-time interception of metadata is authorized under the Patriot Act.
Attempts by the FBI to install what it internally refers to as “port reader” software, which have not been previously disclosed, were described to CNET in interviews over the last few weeks. One former government official said the software used to be known internally as the “harvesting program.”
There are a couple of differences between this and the activities of the DEA. The FBI has legitimate jurisdiction for counter-terrorism and national security activities, while the DEA has little if any claim to operate in those areas. This program might be limited to those activities, although it’s almost impossible to imagine that no one would ever cross the line if the data looked germane to a criminal probe. The legal framework for this kind of intercept capability precedes the PATRIOT Act, but PATRIOT allowed the FBI to get the data using a “pen register” order, which is much easier to get from a court than a search warrant. It only requires a representation from law enforcement that the data — which should be limited to trap-and-trace data — has some value to an ongoing criminal investigation.
The 1994 CALEA law forced providers to standardize pen-register information for surveillance purposes. That’s why the FBI can threaten to get contempt-of-court orders for providers unwilling to install real-time taps to get pen-register data, which is generally defined as IP connections and time data. However, the FBI’s definition is apparently broader, which is why the providers are fighting the effort:
An industry source said the FBI wants providers to use their existing CALEA compliance hardware to route the targeted customer’s communications through the port reader software. The software discards the content data and extracts the metadata, which is then provided to the bureau. (The 1994 Communications Assistance for Law Enforcement Act, or CALEA, requires that communication providers adopt standard practices to comply with lawful intercepts.)
Whether the FBI believes its port reader software should be able to capture Subject: lines, URLs that can reveal search terms, Facebook “likes” and Google+ “+1s,” and so on remains ambiguous, and the bureau declined to elaborate this week. The Justice Department’s 2009 manual (PDF) requires “prior consultation” with the Computer Crime and Intellectual Property Section before prosecutors use a pen register to “collect all or part of a URL.” …
Some metadata may, however, not be legally accessible through a pen register. Federal lawsays law enforcement may acquire only “dialing, routing, addressing, or signaling information” without obtaining a wiretap. That clearly covers, for instance, the Internet Protocol address of a Web site that a targeted user is visiting. The industry-created CALEA standard also permits law enforcement to acquire timestamp information and other data.
But the FBI has configured its port reader to intercept all metadata — including packet size, port label, and IPv6 flow data — that exceeds what the law permits, according to one industry source.
The larger issue is the expansion of comprehensive snooping by government agencies. Regardless of the application of these laws and the definitions of data, Americans simply may not be prepared for the scope of data mining conducted by various agencies, nor for the pressure on telecoms to comply with even more intrusion into their communications. The NSA and FBI may have legitimate needs to conduct the surveillance on the scope and scale they demand, and the recent plot might tend to argue in favor of those programs. The entry of the DEA into the mix, along with their apparent instructions in how to cover it up, changes that calculus significantly by reminding Americans of the slippery slopes involved in government snooping. There seems to be no limit to these demands, and Congress seems ineffective in checking the aggregating power in the executive branch.