Tiburon, Calif., is a twee little place. If you aren't familiar with the old-country colloquialism "twee," it means, well, something like "precious." Like one of those dogs Paris Hilton used to carry in her purse.
When one wanders through its little streets, just north of San Francisco, one gets the sense that a few of the residents, on seeing someone who appears not to be from around those parts, reach for their handkerchief and hand sanitizer.
How can one, therefore, be surprised that a meeting of the Tiburon Town Council voted on Wednesday by 4 to 0 to install cameras to photograph every single car that enters or leaves this little Disneyland?
The San Francisco Chronicle reported that this may be the first community in the country to have defended itself with cameras in such a way. The idea is to photograph the license plates of every car that treads Tiburon's hallowed roads and compare the information with the police's list of the stolen and nefarious.
The Tiburon police chief, Michael Cronin, told the Chronicle: "I think it makes the community safer."
There are certainly even more definitions of the word "safety" than of the word "twee." However, it is heartwarming that the Tiburon police--inspired, perhaps, by Google--promise that the information will be kept for only 30 days.
The strange thing is that Tiburon, a northern suburb of San Francisco, isn't exactly Oakland. It doesn't enjoy high crime figures. Indeed, some might say that the most criminal elements in the place are to be seen on the racks of its clothes stores.
The town is fortunate, however, in that it is on a peninsula, from which there are only two roads. So the total cost of putting up six cameras is estimated to be no more than $200,000, which works out at something near $20 per resident. (Tiburon residents enjoy, by the way, a median income somewhere above $125,000.)
I know there will be some who believe you can never have enough security cameras in this heinous and half-witted world. But perhaps some will worry that the police might make rather instinctive judgments about the provenance of certain cars and their intentions.
Others will wonder whether this decision might affect businesses in Tiburon. Still others will ponder whether the police might be willing to offer a Web site showing the movements of all its officers.
I merely wonder how many people, knowing they might have to go to Tiburon for a meal of organic Kobe beef, rosemary ice cream, and plenty of Stags Leap cabernet, will choose to remove their front license plates. You know, just to be on the safe side.
On August 4, White House aide Macon Phillips announced the launch of flag@whitehouse.gov, which encouraged Americans to report "fishy" information related to the Obama health care proposal. Phillips' announcement was titled "Facts Are Stubborn Things."
Well, so is public opinion, as the White House acknowledged on Monday by quietly pulling the plug on the flag@whitehouse.gov e-mail address.
Messages sent there are now bounced back with this response:
<flag@whitehouse.gov>: host mailhub-wh2.whitehouse.gov[63.161.169.140] said: 550 5.2.1 <flag@whitehouse.gov>... The email address you just sent a message to is no longer in service.We are now accepting your feedback about health insurance reform via:http://www.whitehouse.gov/realitycheck (in reply to RCPT TO command
The "Reality Check" Web page on WhiteHouse.gov doesn't encourage reporting misinformation to Washington, D.C.; instead, it features some videos about President Obama's proposal. There is an option to submit comments, but the Web form stresses "Please refrain from submitting any individual's personal information, including their e-mail address, without their permission."
That's almost the opposite of the original flag@whitehouse.gov program, which had no obvious privacy safeguards--and which became the focus of spirited criticism over the last two weeks.
Sen. John Cornyn, a Texas Republican, wrote in a letter to the president that: "I am not aware of any precedent for a president asking American citizens to report their fellow citizens to the White House for pure political speech that is deemed 'fishy' or otherwise inimical to the White House's political interests."
Cornyn wasn't alone. On his radio program, Glenn Beck dubbed flag@whitehouse.gov an "enemies list," and talk show host Rush Limbaugh characterized it as "Obama's own exclusive private domestic spying program." A t-shirt saying "REPORT ME" has appeared, and some conservatives mocked it by reporting themselves to the White House on grounds they were spreading "disinformation" by criticizing the Democratic health care legislation.
This hasn't been a very good month for the White House and its attempts to use e-mail communications. Earlier on Monday, the White House changed its e-mail sign-up procedures to make sure that people won't get spammed.
A joint venture of Siemens AG and Nokia Corp., two large European technology firms, is denying reports that Iran uses its Web-monitoring technology to censor and spy on its citizens' online activities.
Nokia Siemens Networks said Monday that it has sold telecommunications systems to the Iranian government but that any built-in monitoring technology was for voice communications and not the Internet.
"The lawful intercept capability is purely for local voice calls," spokesman Ben Roome said in an interview. "We don't know who may have provided other Internet technologies to Iran."
The company's denial comes as protests over Iran's disputed election enter their second week, amplified by Twittering from the Iranian diaspora and cell phone videos showing ongoing street conflicts and the apparent death of a young Iranian woman called Neda.
Images and video clips trickling in from the streets of Tehran--even ones whose authenticity may never be established--have electrified the West and demonstrated the limits of power that the government is able to wield. Because foreign correspondents are being pressured by authorities and forced to leave, according to journalist advocacy groups, the country's relatively tiny Internet pipe to the outside world is offering a unique glimpse of the situation on the streets.
Iran's Internet restrictions are no secret, of course. As CNET News reported last week, Web sites including Facebook, YouTube.com, and the BBC have been deemed off-limits by government censors, and there have been recurring reports that Twitter.com and Yahoo Messenger have been blocked as well. Except for some hiccups, though, Iran's Internet authorities have chosen not to pull the plug on the nation's connections to the outside world.
The source of the surveillance technology used by Iran's Internet service providers remains an unresolved political question that could prove an embarrassment for any Western company linked to Tehran's censorial regime. Few technology executives have forgotten the spectacle of Washington politicians calling Yahoo CEO Jerry Yang to a hearing and denouncing him as "spineless" for doing business in China, or Cisco being dubbed as "collaborating with the Chinese government" for supplying Internet switches and routers.
This recent dispute erupted in the form of a front-page article in Monday's editions of The Wall Street Journal, which claimed that the Iranian government has developed "one of the world's most sophisticated mechanisms for controlling and censoring the Internet" with the help of Nokia Siemens Networks. The headline read: "Iran's Web Spying Aided By Western Technology." (In April, the Washington Times published a similar report that also named Nokia Siemens Networks.)
But Roome, the Nokia Siemens Networks spokesman, said that the newspaper's report was incorrect. He said in a blog post, "Unfortunately, I was unable to clarify for the Wall Street Journal the limited scope of the lawful intercept capability (voice calls only) and rule out...deep packet inspection and Web filtering."
Roome argued that, whatever its faults, even Iran's wiretap-ready mobile phone network has proven vital in spreading word about the political upheaval unfolding amid widespread protests. "Mobile networks in Iran, and the subsequent widespread adoption of mobile phones, have allowed Iranians to communicate what they are seeing and hearing with the outside world," he said. "The proof of this is in the widespread awareness of the current situation."
Complicating the matter is the difficulty of identifying the technology used. It's relatively easy to figure out which Web sites are off-limits--groups like Harvard University's Berkman Center for Internet & Society have made a practice of compiling such lists--but much harder to know what hardware or software is being used to monitor Internet links.
"For the filtering work we are able to verify the actual functionality," said Rob Faris, research director for the Berkman Center. "It's just about impossible to document surveillance with the same level of confidence."
In terms of Web blocking, a Berkman Center report compiled in 2005 said that Iran used Secure Computing's SmartFilter. It quoted the company's chief executive, John McNulty, as saying: "We have been made aware of ISPs in Iran making illegal and unauthorized attempts to use our software. Secure Computing is actively taking steps to stop this illegal use of our products."
McAfee now owns Secure Computing and sells the software as McAfee SmartFilter. A product description boasts of "a proven repository of more than 25 million blockable websites across more than 90 categories."
"We have never seen any direct evidence or hard proof that Iran has ever used any McAfee or Secure Computing product," McAfee said in an e-mailed statement on Monday. "McAfee complies with all export laws and regulation applicable to its products. Rigorous due diligence was conducted prior to the acquisition of Secure Computing and there was no indication of any contract in Iran or support being provided in Iran." (A U.S. economic embargo restricts trade with Iran.)
More recent reports suggest that Iranian Internet providers have developed or adapted their own Web filtering technology, but shed little light on the question of surveillance.
Compared with a few years ago, traffic analysis and inspection have become more common for Internet providers; their legitimate purposes include detecting malicious activity, prioritizing online phone calls over e-mail, and for mobile providers, charging different fees for different types of data.
Cisco's Service Control Engine series boasts of conducting "deep packet inspection" and "detection and control of virtually any network application, including: Web browsing, multimedia streaming, and peer-to-peer (P2P)." WireShark, free software for intercepting and decoding traffic, can record and display what's taking place on a network. And most modern routers can block or log access to Web sites based on a list of Internet addresses or domain names.
"I don't know how one could actually determine" what Iran is using for surveillance, said Tony Barbagallo, vice president of marketing at WildPackets of Walnut Creek, Calif., which sells Internet monitoring tools including OmniPeek Network Analyzer. "It's pretty easy to conceive that they could be using homegrown technology."
"Our products are used in the United States and elsewhere specifically for lawful intercept," Barbagallo said. "We've actually developed extensions to our products to make it easier to do lawful intercept. Any of our customers with a maintenance contract can download the same products the governments are using."
This echoes the argument that Nokia Siemens Networks has made: that selling voice-only lawful intercept gear to Iran is acceptable because built-in wiretappability is required in the United States and Europe. Ever since the 1994 Communications Assistance to Law Enforcement Act, U.S. telephone companies have been legally required to make sure their networks can easily be wiretapped by police; in 2006, a federal appeals court upheld the Bush administration's decision to extend those rules to Internet providers.
On the other hand, the United States and Europe tend not to imprison people for criticizing their respective governments, something that responses posted on Nokia Siemens Networks' blog pointed out on Monday. One response asked: "What happens when your 'lawful intercept' capability is sold to regimes which are likely to use it in a way which would be considered unlawful under European and U.N. Human Rights conventions -- say to suppress freedom of speech?"
Jay Botelho, WildPackets' director of product management, said the best way for an Iranian Internet provider to monitor its customers would be to use one bank of monitoring equipment for e-mail, another for Web browsing, a third for VoIP calls, and so on. "Using our product, the easiest way to monitor everything is to hook onto an (extra port) off your main switch," Botelho said. "The problem is that depending on the traffic, that could overload an appliance. But if you slowed everything down, you'd get everything."
That's not a problem in Iran, which has limited connectivity to the outside world, and where download speeds are far slower than what many other countries enjoy. Some Iran watchers have speculated for years that those sluggish connections represented a form of social control--it dramatically curbs Web video usage, for instance--and point to a 2006 decree saying that Internet connections should be limited to 128 Kbps (kilobits per second).
The largest Internet provider in Iran is Tehran-based Pars Online, which claims to employ over 400 people. It claims to have three satellite stations that can send data at 155 Mbps (megabits per second), amounting to the size of the virtual pipe connecting much of Iran to the outside world. By contrast, Verizon's FIOS service offers each home subscriber a connection of 50 Mbps for downloads and 20 Mbps for uploads.
A federal judge in San Francisco has tossed out a slew of lawsuits filed against AT&T and other telecommunications companies alleged to have illegally opened their networks to the National Security Agency.
U.S. District Judge Vaughn Walker on Wednesday ruled that, thanks to a 2008 federal law retroactively immunizing those companies, approximately 46 lawsuits brought by civil liberties groups and class action lawyers will be dismissed.
Congress has created a "'focused immunity' for private entities who assisted the government with activities that allegedly violated plaintiffs' constitutional rights," Walker wrote in a 46-page opinion. That has not, he said, "affected plaintiffs' underlying constitutional rights."
Wednesday's ruling is a bitter defeat to groups including the Electronic Frontier Foundation and the American Civil Liberties Union, which are coordinating the lawsuits over warrantless wiretapping. They had hoped to convince the judge that the law improperly infringed upon the separation of powers described in the U.S. Constitution and handed too much power to the executive branch.
The 2008 law, called the Foreign Intelligence Surveillance Amendments Act, was approved by a Democratic-controlled Congress last summer. As a senator, President Obama voted for the measure even though he had previously pledged to oppose it.
It says that no "civil action" may take place in state or federal court "against any person for providing assistance to an element of the intelligence community"--and will be automatically dismissed as long as the attorney general claims the surveillance was authorized.
Former Attorney General Michael Mukasey sent the court a letter saying the surveillance was authorized, but without offering any further information. The Justice Department under President Obama has not changed its position.
EFF said it would appeal to the 9th Circuit Court of Appeals. "We're deeply disappointed in Judge Walker's ruling today," EFF Legal Director Cindy Cohn said in a statement. "The retroactive immunity law unconstitutionally takes away Americans' claims arising out of the First and Fourth Amendments, violates the federal government's separation of powers as established in the Constitution, and robs innocent telecom customers of their rights without due process of law."
The ruling does not affect lawsuits that have been filed directly against the NSA or other government agencies, including the EFF's Jewel v. NSA case. (A congressional report accompanying the 2008 law explicitly says: "Nothing in this bill is intended to affect these suits against the government or individual government officials.")
Walker left one possible opening for EFF, ACLU, and their allies. Because the 2008 law exempts surveillance "authorized by the president" during the time from September 11, 2001 to January 17, 2007, telecom firms could be held liable if they surreptitiously cooperated with NSA or other agencies more recently.
He gave the plaintiffs 30 days to amend their complaint to focus on surveillance that took place after January 17, 2007, the date that President Bush decided to amend the program to include supervision by courts.
The National Security Agency tried to wiretap a member of the U.S. Congress without a warrant, and has engaged in "significant and systemic" illegal surveillance activities in the last few months including e-mail and telephone call interceptions, according to a report this week.
The article in Wednesday's New York Times said the Obama administration acknowledged there had been abuses but said they had been resolved. The attempted eavesdropping on a congressman came about because he or she was part of a delegation to the Middle East in 2005 or 2006, and was ultimately blocked.
The NSA said in a statement on Wednesday that "intelligence operations, including programs for collection and analysis, are in strict accordance with U.S. laws and regulations."
The Times reported, without giving details, that the "overcollection" problems were discovered as part of a twice-a-year certification that the Justice Department and the director of national intelligence are required to give to the Foreign Intelligence Surveillance Court.
Salon.com columnist Glenn Greenwald wrote on Thursday that it was "inevitable" that more NSA surveillance abuses would happen after the Democratic-controlled Congress approved legislation in 2008 that eliminated safeguards and blessed surveillance activities that would otherwise have been illegal.
Greenwald wrote: "That was the purpose of the law: to gut the safeguards in place since the 1978 passage of FISA, destroy the crux of the oversight regime over executive surveillance of Americans, and enable and empower unchecked government spying activities." (FISA is the Foreign Intelligence Surveillance Act.)
At the time, in June 2008, the ACLU highlighted a long list of concerns including "loopholes" in the bill to rewrite FISA. Presidential candidate Barack Obama supported the FISA bill--which also granted retroactive immunity to telecommunications companies that illegally opened their networks to the NSA--saying it has "appropriate safeguards."
Two new federal proposals that Republican supporters claim will protect children have alarmed Internet companies, who say the measures could make it a crime to provide e-mail.
The bills, each named the Internet Safety Act and announced at a press conference on Thursday, have mostly attracted attention for a sweeping requirement saying broadband providers and Wi-Fi access points must keep records on users for two years.
Another section of the legislation, however, is numbered 1960B. It says anyone employed at a provider who "knowingly engages in any conduct the provider knows or has reason to believe facilitates access to, or the possession of, child pornography" will be fined and imprisoned for not more than 10 years.
For Internet firms, the quandary is this: The mere provision of e-mail, electronic storage, cloud-computing services, and social-networking sites could be viewed as an act that "facilitates access to" illegal content, especially if the provider knows that some users in the past have been less than law-abiding. (And the threat of arrest, indictment, and imprisonment makes them unwilling to hope prosecutors interpret the language conservatively.)
"The legislation, as currently drafted, appears to raise the specter of imputing criminal liability on ISPs and others for the provision of routine services, such as e-mail," said Kate Dean, executive director of the U.S. Internet Service Provider Association, or US ISPA.
US ISPA's members include Verizon, Comcast, AOL, AT&T, and EarthLink.
(The relevant text explicitly mentions e-mail: "Whoever, being an Internet content hosting provider or e-mail service provider, knowingly engages in any conduct the provider knows or has reason to believe facilitates access to, or the possession of, child pornography...shall be fined under this title or imprisoned not more than 10 years, or both.")
The pair of Texas Republicans who announced the proposal at a press conference on Thursday--Rep. Lamar Smith, the ranking member on the House Judiciary Committee, and Sen. John Cornyn--said it's necessary to protect children online. The Internet's "limitless nature offers anonymity that has opened the door to criminals looking to harm innocent children," Cornyn said.
In an opinion article published in the Dallas Morning News on Thursday, Smith defended his legislation by saying, "How many times have we seen TV detectives seek call logs of a suspect in order to determine who he has been talking to? What if the telephone companies simply said to the detectives, 'Sorry, we get rid of that information after 24 hours?'"
Neither Smith nor Cornyn responded to repeated inquiries from CNET News on Friday.
Two bills have been introduced so far--S.436 in the Senate and HR 1076 in the House. Each of the bills is titled "Internet Stopping Adults Facilitating the Exploitation of Today's Youth Act," or Internet Safety Act.
If a new federal proposal announced this week requiring Internet providers and Wi-Fi access points to keep records on users for two years becomes law, police would not be the only ones to benefit.
So would individuals and companies bringing civil lawsuits, including the Recording Industry Association of America and other large copyright holders, many of which have lobbied for similar data retention laws in other countries.
When filing lawsuits over suspected online piracy, lawyers for the RIAA and other plaintiffs typically have an Internet Protocol address they hope to link with someone's identity. But if the network operator doesn't retain the logs, the lawsuit can be derailed.
Marc Rotenberg, director of the Electronic Privacy Information Center in Washington, D.C., said the Internet Safety Act would "create new risk" for Internet users and expose them to "possible liability in civil suits and subpoena fishing expeditions--it's a terrible idea."
The pair of Texas Republicans who announced the proposal at a press conference on Thursday--Rep. Lamar Smith, the ranking member on the House Judiciary Committee, and Sen. John Cornyn--said it's necessary to protect children online. The Internet's "limitless nature offers anonymity that has opened the door to criminals looking to harm innocent children," Cornyn said.
Large copyright holders that are members of the RIAA and the Motion Picture Association of America have supported similar data retention regulations in Europe. They wrote in a 2005 letter to a committee of the European Parliament that "it is essential that service providers retain the relevant data for a reasonable period and that the data can be disclosed for appropriate purposes."
The letter--which argued for a data retention period of at least six months and preferably longer--was signed by Time Warner, Universal Music Group, Walt Disney, Warner Music, Sony Pictures, Sony BMG, and EMI, along with the MPAA and IFPI, the RIAA's international affiliate.
The MPAA and RIAA did not immediately respond to a request for comment on Friday. The FBI referred calls to the Justice Department, which did not comment. Neither of the bill's sponsors, Smith or Cornyn, would comment.
Under the new House and Senate bills, one benefit to companies bringing copyright lawsuits is that universities, schools, libraries, and commercial broadband providers would have to keep records of who's using which IP address for at least two years.
Few universities, which have been targeted by the RIAA as part of its anti-file-sharing campaign, seem to do that. Cornell University's Web site says it "typically keeps these logs 6 months." The University of Nebraska-Lincoln, according to a local newspaper report, keeps logs for a month. When contacted for an earlier CNET News story, Georgetown University refused to disclose how long it kept logs.
In the past, at least, the RIAA has not always filed cases quickly, and would benefit from longer data retention durations. In one 2007 case, the suit was filed in September, even though the IP addresses listed as sources of piracy dated back to February. Another RIAA case against 21 "John Does" at Boston University was filed four months after the alleged infringing activity.
In addition, the millions of American homes with Wi-Fi networks or wired routers would have to keep logs.
Paul Levy, an attorney at the Ralph Nader-founded Public Citizen group who has litigated Internet anonymity cases, says: "I have a Wi-Fi network at home, and I would have no idea how to retain IP information."
"This has a chilling effect on speaking, the fact that your information remains around for such a long time," Levy said.
In an opinion article published in the Dallas Morning News on Thursday, Rep. Smith defended his legislation by saying: "How many times have we seen TV detectives seek call logs of a suspect in order to determine who he has been talking to? What if the telephone companies simply said to the detectives, 'Sorry, we get rid of that information after 24 hours?'"
Two bills have been introduced so far -- S 436 in the Senate and HR 1076 in the House. Each of the bills is titled "Internet Stopping Adults Facilitating the Exploitation of Today's Youth Act," or Internet SAFETY Act.
Republican politicians on Thursday called for a sweeping new federal law that would require all Internet providers and operators of millions of Wi-Fi access points, even hotels, local coffee shops, and home users, to keep records about users for two years to aid police investigations.
The legislation, which echoes a measure proposed by one of their Democratic colleagues three years ago, would impose unprecedented data retention requirements on a broad swath of Internet access providers and is certain to draw fire from businesses and privacy advocates.
"While the Internet has generated many positive changes in the way we communicate and do business, its limitless nature offers anonymity that has opened the door to criminals looking to harm innocent children," U.S. Sen. John Cornyn, a Texas Republican, said at a press conference on Thursday. "Keeping our children safe requires cooperation on the local, state, federal, and family level."
Joining Cornyn were Texas Rep. Lamar Smith, the senior Republican on the House Judiciary Committee, and Texas Attorney General Greg Abbott, who said such a measure would let "law enforcement stay ahead of the criminals."
Two bills have been introduced so far--S.436 in the Senate and H.R.1076 in the House. Each of the companion bills is titled "Internet Stopping Adults Facilitating the Exploitation of Today's Youth Act," or Internet Safety Act.
Each contains the same language: "A provider of an electronic communication service or remote computing service shall retain for a period of at least two years all records or other information pertaining to the identity of a user of a temporarily assigned network address the service assigns to that user."
Translated, the Internet Safety Act applies not just to AT&T, Comcast, Verizon, and so on--but also to the tens of millions of homes with Wi-Fi access points or wired routers that use the standard method of dynamically assigning temporary addresses. (That method is called Dynamic Host Configuration Protocol, or DHCP.)
"Everyone has to keep such information," says Albert Gidari, a partner at the Perkins Coie law firm in Seattle who specializes in this area of electronic privacy law.
The legal definition of electronic communication service is "any service which provides to users thereof the ability to send or receive wire or electronic communications." The U.S. Justice Department's position is that any service "that provides others with means of communicating electronically" qualifies.
That sweeps in not just public Wi-Fi access points, but password-protected ones too, and applies to individuals, small businesses, large corporations, libraries, schools, universities, and even government agencies. Voice over IP services may be covered too.
Under the Internet Safety Act, all of those would have to keep logs for at least two years. It "covers every employer that uses DHCP for its network," Gidari said. "It covers Aircell on airplanes--those little pico cells will have to store a lot of data for those in-the-air Internet users."
In the Bush administration, Attorney General Alberto Gonzales had called for a very similar proposal, saying that subscriber information and network data should be logged for two years.
Until Gonzales' remarks in 2006, the Bush administration had generally opposed laws requiring data retention, saying it had "serious reservations" about them. But after the European Parliament approved such a requirement for Internet, telephone and VoIP providers, top administration officials began talking about the practice more favorably.
After Gonzales left the Justice Department, the political will for data retention legislation seemed to ebb for a time, but then FBI Director Robert Mueller resumed lobbying efforts last spring.
This tends to be a bipartisan sentiment: Attorney General Eric Holder, a Democrat, said in 1999 that "certain data must be retained by ISPs for reasonable periods of time so that it can be accessible to law enforcement." Rep. John Conyers, the Democratic chairman of the House Judiciary Committee, said that FBI proposals for data retention legislation "would be most welcome."
Smith, who sponsored the House version of the Internet Safety Act, had previously introduced a one-year requirement as part of a law-and-order agenda in 2007.
A 1996 federal law called the Electronic Communication Transactional Records Act regulates data preservation. It requires Internet providers to retain any "record" in their possession for 90 days "upon the request of a governmental entity."
Because Internet addresses remain a relatively scarce commodity, ISPs tend to allocate them to customers from a pool based on whether a computer is in use at the time. (Two standard techniques used are the Dynamic Host Configuration Protocol and Point-to-Point Protocol over Ethernet.)
In addition, Internet providers are required by another federal law to report child pornography sightings to the National Center for Missing and Exploited Children, which is in turn charged with forwarding that report to the appropriate police agency.
The Internet Safety Act is broader than just data retention. Other portions add criminal penalties to other child pornography-related offenses, increase penalties for sexual exploitation of minors, and give the FBI an extra $30 million for the "Innocent Images National Initiative."
A secret federal appeals court has ruled that federal agencies can be authorized to conduct warrantless e-mail and telephone surveillance without violating the U.S. Constitution.
In a 29-page redacted opinion (PDF) released Thursday, the court ruled that presidents do not need to obtain warrants to conduct "foreign intelligence for national-security purposes"--which is effectively at least a partial endorsement of President Bush's views on expansive executive powers.
The central question in this case was how the Fourth Amendment's prohibition on "unreasonable searches and seizures" applies to intelligence agencies wishing to compel AT&T and other providers to open their networks to federal snoops hoping to listen in on international communications.
The U.S. Foreign Intelligence Surveillance Court of Review concluded that as long as the executive branch has "several layers of serviceable safeguards to protect individuals against unwarranted harms and to minimize incidental intrusions, its efforts to protect national security should not be frustrated by the courts."
The case arose because an unnamed telecommunications company believed that a now-lapsed surveillance law was unconstitutional and challenged it in the secret court.
Also on Thursday, Attorney General-designate Eric Holder was answering questions about warrantless wiretapping during his Senate confirmation hearing. Holder indicated that he would seek curbs on such National Security Agency programs.
Orders of the secret appeals court, which meets behind closed doors, are a rarity. (An earlier opinion, also siding with the Bush administration, was released in November 2002. The original classified, unredacted version of Thursday's opinion was finished in August 2008.)
That's because the Foreign Intelligence Surveillance Court typically hears only from one side--lawyers from the U.S. Department of Justice--and appeals happen only when the requests are denied. More than two decades went by without any appeals taking place.
The FISC appeals court's ruling is more important for what it says about its view of the Fourth Amendment than what it says about the particular statute in question, the Protect America Act.
The August 2007 law expanded the Foreign Intelligence Information Act and allowed warrantless eavesdropping on people "reasonably believed" to be outside the United States. It permitted the attorney general and the director of national intelligence to issue directives--valid for one year--to force communications providers to open their networks for that purpose.
By February 16, 2008, the Protect America Act had sunset, and was eventually repealed and revised in July 2008. But the directives issued during that time were still in effect, which led to the court challenge.
The Justice Department on Thursday said it "is pleased with this important ruling by the Foreign Intelligence Surveillance Court of Review, which upholds the constitutionality of foreign intelligence surveillance conducted under the Protect America Act of 2007."
Police Blotter is a regular CNET News report on the intersection of technology and the law.
What: Feds want to eavesdrop on touch tones pressed during phone calls without obtaining a court-authorized wiretap order first.
When: U.S. Magistrate Judge James Orenstein in the Eastern District of New York rules on December 16, 2008.
Outcome: Surveillance request rejected.
What happened, according to court records and other documents:
Just about everyone knows that the FBI must obtain a formal wiretap order from a judge to listen in on your phone calls legally. But the U.S. Department of Justice believes that police don't need one if they want to eavesdrop on what touch tones you press during the call.
Those touch tones can be innocuous ("press 0 for an operator"). Or they can include personal information including bank account numbers, passwords, prescription identification numbers, Social Security numbers, credit card numbers, and so on--all of which most of us would reasonably view as private and confidential.
That brings us to New York state, where federal prosecutors have been arguing that no wiretap order is necessary. They insist that touch tones cannot be "content," a term of art that triggers legal protections under the Fourth Amendment.
On June 11, 2008, U.S. Magistrate Judge James Orenstein denied prosecutors' request to obtain in-call touch tones, a denial that the Justice Department appealed to a district judge. After being asked for more information, prosecutors said that they would configure their wiretap gear not to record in-call touch tones received from the wireless provider, presumably using tone-detection equipment. (In industry lingo, in-call touch tones are called "post-cut-through dialed digits," or PCTDD, and the government's request is called a pen register.)
That was enough for U.S. District Judge Nicholas Garaufis to approve the idea on November 26.
Probably thinking that ruling would be the last word on the topic, the Justice Department came back on December 16 for what was supposed to be a routine pen register request. It would let federal agents receive all phone numbers dialed by a suspect. A pen register is easy to get; all the Feds have to do is claim it's possibly "relevant" to an ongoing investigation.
The case happened to be referred to Orenstein, who was working with a different district judge this time and who concluded that he didn't have to follow Garaufis' opinion because it was not binding precedent. Orenstein rejected the government's request.
This isn't the first time that the Justice Department has expressed a keen interest in post-call touch tones, and claimed it didn't need a wiretap order to obtain them. In 2007, Police Blotter covered yet another judge--also in the Eastern District of New York--rejecting the warrantless surveillance request. Two years earlier, Police Blotter revealed that the Justice Department believed that pen register orders could also be used to track mobile phones.
The FBI and other police agencies have always liked access to lists of numbers dialed; knowing who's talking to whom at a particular time can be almost as good as knowing what they're saying.
The debate is really over the in-call touch tones, and it dates back to at least 1994, when FBI director Louis Freeh was lobbying Congress to expand wiretap laws. Here's an excerpt from a hearing:
Sen. Patrick Leahy (D-VT): You say this would not expand law enforcement's authority to collect data on people, and yet if you're going to the new technologies, where you can dial up everything from a video movie to do your banking on it, you are going to have access to a lot more data, just because that's what's being used for doing it.
FBI Director Louis Freeh: I don't want that access, and I'm willing to concede that. What I want with respect to pen registers is the dialing information, telephone numbers which are being called, which I have now under pen register authority. As to the banking accounts and what movie somebody is ordering in Blockbuster, I don't want it, don't need it, and I'm willing to have technological blocks with respect to that information, which I can get with subpoenas or other process. I don't want that in terms of my access, and that's not the transactional data that I need.
That was then. Now the Justice Department claims it does want it, does need it, and is unwilling to go through the trouble of obtaining a wiretap order--but without publicly saying why. The court documents aren't helpful; Judge Orenstein's order last month was actually redacted and the requests are filed under seal.
Which invites speculation: Are police most interested in voicemail passwords? Online banking logins? Regulatory proceedings from almost a decade ago suggest that police were especially interested in the digits pressed after using an 800 number to reach a long distance carrier.
Excerpt from U.S. Magistrate Judge James Orenstein's opinion:
I find that proposal insufficient for the following reason. The pen register statute does not merely forbid the government as such from decoding content such as PCTDD; if it did, I would agree that the government's proposal is workable. Rather, the statute also makes it unlawful for a pen register itself to record the contents of a communication.
The government explicitly seeks authorization to have its agents install and use, or cause to be installed and used, a device or process that will record all dialing, routing, addressing, and signaling information but that will only exclude the decoding of any PCTDD within such information. Thus, as a result of the orders the government would have me issue, agents of the government (or employees of a service provider, acting at their behest) would install and use a device or process to record the contents of communications. In doing so, they would be using a device or process that cannot be considered a "pen register," and would thereby violate the law. That the same agents, or others acting on their behalf, would somehow later delete the portion of the recording that constituted the contents of the communication would not serve to undo the already completed unlawful act, nor would it retroactively transform something that was not a pen register into something that was.
I emphasize that my basis for denying the requested relief in part is a narrow matter of statutory interpretation. I see no constitutional difficulty with allowing the government to obtain the information it seeks to use for investigative purposes by means of a device or process that would qualify as a pen register but for the fact that, during the collection process, PCTDD information is initially recorded and then quickly deleted. Nor do I mean to convey a belief that Congress would or should, if presented with the issue, do anything other than endorse the methodology the government proposes. However, Congress has taken great care to establish a finely calibrated statutory regime to regulate various forms of electronic surveillance; to the extent that I cannot reconcile an otherwise seemingly appropriate surveillance technique with the relevant statutory provisions, I conclude that I must leave it to Congress to change the law rather than accept the government's implicit invitation to do so.
For the reasons set forth above, I grant the government's application only to the extent that the relevant service provider would in any event record the relevant post-cut-through dialed digits for its own purposes and only to the extent that the provider is able to delete such information before disclosing any other dialing, routing, addressing, or signaling information to the government. To the extent that the provider would not in any event record post-cut-through dialed digits without the requested orders, or is unable to delete all such information from the dialing, routing, addressing, and signaling information it would disclose to the government, I deny the government's application.




