Senior Obama administration officials have secretly authorized the interception of communications carried on portions of networks operated by AT&T and other Internet service providers, a practice that might otherwise be illegal under federal wiretapping laws.
The secret legal authorization from the Justice Department originally applied to a cybersecurity pilot project in which the military monitored defense contractors' Internet links. Since then, however, the program has been expanded by President Obama to cover all critical infrastructure sectors including energy, healthcare, and finance starting June 12.
"The Justice Department is helping private companies evade federal wiretap laws," said Marc Rotenberg, executive director of the Electronic Privacy Information Center, which obtained over 1,000 pages of internal government documents and provided them to CNET this week. "Alarm bells should be going off."
Those documents show the National Security Agency and the Defense Department were deeply involved in pressing for the secret legal authorization, with NSA director Keith Alexander participating in some of the discussions personally. Despite initial reservations, including from industry participants, Justice Department attorneys eventually signed off on the project.
The Justice Department agreed to grant legal immunity to the participating network providers in the form of what participants in the confidential discussions refer to as "2511 letters," a reference to the Wiretap Act codified at 18 USC 2511 in the federal statute books.
The Wiretap Act limits the ability of Internet providers to eavesdrop on network traffic except when monitoring is a "necessary incident" to providing the service or it takes place with a user's "lawful consent." An industry representative told CNET the 2511 letters provided legal immunity to the providers by agreeing not to prosecute for criminal violations of the Wiretap Act. It's not clear how many 2511 letters were issued by the Justice Department.
In 2011, Deputy Secretary of Defense William Lynn publicly disclosed the existence of the original project, called the DIB Cyber Pilot, which used login banners to inform network users that monitoring was taking place. In May 2012, the pilot was turned into an ongoing program -- broader but still voluntary -- by the name of Joint Cybersecurity Services Pilot, with the Department of Homeland Security becoming involved for the first time. It was renamed again to Enhanced Cybersecurity Services program in January, and is currently being expanded to all types of companies operating critical infrastructure.
The NSA and DOJ declined to comment. Homeland Security spokesman Sy Lee sent CNET a statement saying:
DHS is committed to supporting the public's privacy, civil rights, and civil liberties. Accordingly, the department has implemented strong privacy and civil rights and civil liberties standards into all its cybersecurity programs and initiatives from the outset, including the Enhanced Cybersecurity Services program. In order to protect privacy while safeguarding and securing cyberspace, DHS institutes layered privacy responsibilities throughout the department, embeds fair practice principles into cybersecurity programs and privacy compliance efforts, and fosters collaboration with cybersecurity partners.
Paul Rosenzweig, a former Homeland Security official and founder of Red Branch Consulting, compared the NSA and DOD asking the Justice Department for 2511 letters to the CIA asking the Justice Department for the so-called torture memos a decade ago. (They were written by Justice Department official John Yoo, who reached the controversial conclusion that waterboarding was not torture.)
"If you think of it poorly, it's a CYA function," Rosenzweig says. "If you think well of it, it's an effort to secure advance authorization for an action that may not be clearly legal."
A report (PDF) published last month by the Congressional Research Service, a non-partisan arm of Congress, says the executive branch likely does not have the legal authority to authorize more widespread monitoring of communications unless Congress rewrites the law. "Such an executive action would contravene current federal laws protecting electronic communications," the report says.
Because it overrides all federal and state privacy laws, including the Wiretap Act, legislation called CISPA would formally authorize the program without the government resorting to 2511 letters. In other words, if CISPA, which the U.S. House of Representatives approved last week, becomes law, any data-sharing program would be placed on a solid legal footing. AT&T, Verizon, and wireless and cable providers have all written letters endorsing CISPA.
Around the time that CISPA was originally introduced in late 2011, NSA, DOD, and DHS officials were actively meeting with the aides on the House Intelligence committee who drafted the legislation, the internal documents show. The purpose of the meeting, one e-mail shows, was to brief committee aides on "cyber defense efforts." In addition, Ryan Gillis, a director in DHS's Office of Legislative Affairs, sent an e-mail to Sen. Dianne Feinstein (D-Calif.), chairman of the Senate Intelligence committee, discussing the pilot program around the same time.
AT&T and CenturyLink are currently the only two providers that have been publicly announced as participating in the program. Other companies have signed a memorandum of agreement with DHS to join, and are currently in the process of obtaining security certification, said a government official, who declined to name those companies or be identified by name.
Approval of the 2511 letters came after concerns from within the Justice Department and from industry. An internal e-mail thread among senior Defense Department, Homeland Security, and Justice Department officials in 2011, including associate deputy attorney general James Baker, outlines some of the obstacles:
[The program] has two key barriers to a start. First, the ISPs will likely request 2511 letters, so DoJ's provision of 3 2511 letters (and the review of DIB company banners as part of that) is one time requirement. DoJ will provide a timeline for that. Second, all participating DIB companies would be required to change their banners to reference government monitoring. All have expressed serious reservations with doing so, including the three CEOs [the deputy secretary of defense] discussed this with. The companies have informally told us that changing the banners in this manner could take months.
Another e-mail message from a Justice Department attorney wondered: "Will the program cover all parts of the company network -- including say day care centers (as mentioned as a question in a [deputies committee meeting]) and what are the policy implications of this?" The deputies committee includes the deputy secretary of defense, the deputy director of national intelligence, the deputy attorney general, and the vice chairman of the Joint Chiefs of Staff.
"These agencies are clearly seeking authority to receive a large amount of information, including personal information, from private Internet networks," says EPIC staff attorney Amie Stepanovich, who filed a lawsuit against Homeland Security in March 2012 seeking documents relating to the program under the Freedom of Information Act. "If this program was broadly deployed, it would raise serious questions about government cybersecurity practices."
In January, the Department of Homeland Security's privacy office published a privacy analysis (PDF) of the program saying that users of the networks of companies participating in the program will see "an electronic login banner [saying] information and data on the network may be monitored or disclosed to third parties, and/or that the network users' communications on the network are not private."
An internal Defense Department presentation cites as possible legal authority a classified presidential directive called NSPD 54 that President Bush signed in January 2008. Obama's own executive order, signed in February 2013, says Homeland Security must establish procedures to expand the data-sharing program "to all critical infrastructure sectors" by mid-June. Those are defined as any companies providing services that, if disrupted, would harm national economic security or "national public health or safety."
Those could be very broad categories, says Rosenzweig, author of a new book called "Cyber War," which discusses the legality of more widespread monitoring of Internet communications.
"I think there's a great deal of discretion," Rosenzweig says. "I could make a case for the criticality of several meat packing plants in Kansas. The disruption of the meat rendering facilities in Kansas would be very disruptive to the meat-eating habits of Americans."