The U.S. government is quietly pressuring telecommunications providers to install eavesdropping technology deep inside companies’ internal networks to facilitate surveillance efforts.
FBI officials have been sparring with carriers, a process that has on occasion included threats of contempt of court, in a bid to deploy government-provided software capable of intercepting and analyzing entire communications streams. The FBI’s legal position during these discussions is that the software’s real-time interception of metadata is authorized under the Patriot Act.
Attempts by the FBI to install what it internally refers to as “port reader” software, which have not been previously disclosed, were described to CNET in interviews over the last few weeks. One former government official said the software used to be known internally as the “harvesting program.”
Carriers are “extra-cautious” and are resisting installation of the FBI’s port reader software, an industry participant in the discussions said, in part because of the privacy and security risks of unknown surveillance technology operating on a sensitive internal network.
It’s “an interception device by definition,” said the industry participant, who spoke on condition of anonymity because court proceedings are sealed. “If magistrates knew more, they would approve less.” It’s unclear whether any carriers have installed port readers, and at least one is actively opposing the installation.
In a statement from a spokesman, the FBI said it has the legal authority to use alternate methods to collect Internet metadata, including source and destination IP addresses: “In circumstances where a provider is unable to comply with a court order utilizing its own technical solutions, law enforcement may offer to provide technical assistance to meet the obligation of the court order.”
AT&T, T-Mobile, Verizon, Comcast, and Sprint declined to comment. A government source familiar with the port reader software said it is not used on an industry-wide basis, and only in situations where carriers’ own wiretap compliance technology is insufficient to provide agents with what they are seeking.
For criminal investigations, police are generally required to obtain a wiretap order from a judge to intercept the contents of real-time communication streams, including e-mail bodies, Facebook messages, or streaming video. Similar procedures exist for intelligence investigations under the Foreign Intelligence Surveillance Act, which has received intense scrutiny after Edward Snowden’s disclosures about the National Security Agency’s PRISM database.
There’s a significant exception to both sets of laws: large quantities of metadata can be intercepted in real time through a so-called pen register and trap and trace order with minimal judicial review or oversight. That metadata includes IP addresses, e-mail addresses, identities of Facebook correspondents, Web sites visited, and possibly Internet search terms as well.
“The statute hasn’t caught up with the realities of electronic communication,” says Colleen Boothby, a partner at the Washington, D.C. firm of Levine, Blaszak, Block & Boothby who represents technology companies and industry associations. Judges are not always in a position, Boothby said, to understand how technology has outpaced the law.
Judges have concluded in the past that they have virtually no ability to deny pen register and trap and trace requests. “The court under the Act seemingly provides nothing more than a rubber stamp,” wrote a federal magistrate judge in Florida, referring to the pen register law. A federal appeals court has ruled that the “judicial role in approving use of trap and trace devices is ministerial in nature.”
A little-noticed section of the Patriot Act that added one word — “process” — to existing law authorized the FBI to implant its own surveillance technology on carriers’ networks. It was in part an effort to put the bureau’s Carnivore device, which also had a pen register mode, on a firmer legal footing.
A 2003 compliance guide prepared by the U.S. Internet Service Provider Association reported that the Patriot Act’s revisions permitted “law enforcement agencies to use software instead of physical mechanisms to collect relevant pen register” information.
Even though the Patriot Act would authorize the FBI to deploy port reader software with a pen register order, the legal boundaries between permissible metadata and impermissible content remain fuzzy.
“Can you get things like packet size or other information that falls somewhere in the grey area between traditional pen register and content?” says Alan Butler, appellate advocacy counsel at the Electronic Privacy Information Center. “How does the judge know what the box is actually doing? How does the service provider know? How does anyone except the technician know what’s going on?”
An industry source said the FBI wants providers to use their existing CALEA compliance hardware to route the targeted customer’s communications through the port reader software. The software discards the content data and extracts the metadata, which is then provided to the bureau. (The 1994 Communications Assistance for Law Enforcement Act, or CALEA, requires that communication providers adopt standard practices to comply with lawful intercepts.)
Whether the FBI believes its port reader software should be able to capture Subject: lines, URLs that can reveal search terms, Facebook “likes” and Google+ “+1s,” and so on remains ambiguous, and the bureau declined to elaborate this week. The Justice Department’s 2009 manual requires “prior consultation” with the Computer Crime and Intellectual Property Section before prosecutors use a pen register to “collect all or part of a URL.”
“The last time I had to ask anybody that, they refused to answer,” says Paul Rosenzweig, a former Homeland Security official and founder of Red Branch Consulting, referring to Subject: lines. “They liked creative ambiguity.”