The FBI has used a secret form of spyware in a series of investigations designed to nab extortionists, database-deleting hackers, child molesters, and hitmen, according to documents obtained by CNET News.
One suspect used Microsoft's Hotmail to send bomb and anthrax threats to an undercover government investigator; another demanded a payment of $10,000 a month to stop cutting cables; a third was an alleged European hitman who was soliciting for business from a Hushmail.com account.
CNET News obtained the documents -- totaling hundreds of pages, although nearly all of them were heavily redacted -- this week through a Freedom of Information Act request to the FBI.
The FBI spyware, called CIPAV, came to light in July 2007 through court documents that showed how the bureau used it to nab a teenager who was e-mailing bomb threats to a high school near Olympia, Wash. (CIPAV stands for Computer and Internet Protocol Address Verifier.)
A June 2007 memo says that the FBI's Deployment Operations Personnel were instructed to "deploy a CIPAV to geophysically locate the subject issuing bomb threats to the Timberline High School, Lacy, Washington. The CIPAV will be deployed via a Uniform Resource Locator (URL) address posted to the subject's private chat room on MySpace.com."
An affidavit written by FBI Special Agent Norman Sanders at the time said that CIPAV is able to send "network-level messages" containing the target computer's IP address, Ethernet MAC address, environment variables, the last-visited Web site, and other registry-type information including the name of the registered owner of the computer and the operating system's serial number.
The FOIA documents indicate that the FBI turns to CIPAV when a suspect is communicating with police or a crime victim through e-mail and is using an anonymizing service to conceal his computer's Internet protocol address. If an anonymizing service had not been used, then a subpoena to the e-mail provider would normally be sufficient.
CIPAV lets the FBI trick a suspect's computer into identifying itself to police, much as an exploding dye packet might identify a bank robber.
One document from March 2007 indicates that the FBI originally used a simple technique known as a "Web bug." Written by the Justice Department's Computer Crime and Intellectual Property Section, it says "some investigators have begun to use an investigative technique referred to as an 'Internet Protocol Address Verifier' (IPAV), a/k/a a 'Web bug.'"
Then the bureau appears to have shifted to actual software, once known as Magic Lantern (possibly a Trojan Horse) and then CIPAV.
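To make the "Web bug" technique concrete, and to show why an anonymizing service defeats it, here is an added example. It is not code from the CNET article, the FBI or the Justice Department memo; it is a minimal IP Address Verifier written for this page. The bait URL, the suspect's address, the anonymizer's exit range and the User-Agent string are all constructed sample data.

```python
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Added example (not code from the CNET article, the FBI or the DOJ memo): a minimal
# Web bug / "IP Address Verifier" and why an anonymizing proxy defeats it.
# Addresses, paths and header values are constructed sample data.

# Smallest 1x1 transparent GIF; the only content a Web bug ever needs to return.
PIXEL_GIF = (
    b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff!"
    b"\xf9\x04\x01\x00\x00\x00\x00,\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;"
)

# Hypothetical exit range of an anonymizing service (documentation-only prefix).
ANONYMIZER_EXITS = [ip_network("198.51.100.0/24")]


@dataclass(frozen=True)
class Hit:
    token: str       # per-message bait token in the URL; ties the fetch to one suspect
    peer_ip: str     # address of the TCP peer that fetched the image
    user_agent: str  # free-text client fingerprint, useful but spoofable


def parse_request(raw: bytes) -> tuple[str, dict[str, str]]:
    """Parse the request line and headers of one raw HTTP/1.x GET request."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    if method != "GET":
        raise ValueError("a Web bug only answers GET")
    headers: dict[str, str] = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return path, headers


def serve_web_bug(raw_request: bytes, peer_ip: str) -> tuple[bytes, Hit]:
    """Answer the image fetch and record what the fetch reveals about the client."""
    path, headers = parse_request(raw_request)
    token = path.rsplit("/", 1)[-1].removesuffix(".gif")
    hit = Hit(token=token, peer_ip=peer_ip, user_agent=headers.get("user-agent", ""))
    response = (
        b"HTTP/1.1 200 OK\r\nContent-Type: image/gif\r\nCache-Control: no-store\r\n"
        + f"Content-Length: {len(PIXEL_GIF)}\r\n\r\n".encode()
        + PIXEL_GIF
    )
    return response, hit


def attributable(hit: Hit) -> bool:
    """True if the recorded address could be resolved to a subscriber by subpoena,
    i.e. it is not an anonymizer exit. This is where a plain Web bug stops working."""
    addr = ip_address(hit.peer_ip)
    return not any(addr in net for net in ANONYMIZER_EXITS)


# Constructed sample: the same bait URL fetched directly and through an anonymizer.
BAIT_REQUEST = (
    b"GET /img/tkn-7f3a.gif HTTP/1.1\r\nHost: bait.example\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n\r\n"
)
SUSPECT_IP = "203.0.113.7"      # what the server sees on a direct connection
PROXY_EXIT_IP = "198.51.100.9"  # what it sees when the suspect goes through the anonymizer


def demo() -> tuple[Hit, Hit]:
    _, direct = serve_web_bug(BAIT_REQUEST, SUSPECT_IP)
    _, proxied = serve_web_bug(BAIT_REQUEST, PROXY_EXIT_IP)
    return direct, proxied


if __name__ == "__main__":
    for hit in demo():
        print(hit, "attributable" if attributable(hit) else "anonymizer exit only")
```

The second hit is the whole story: the bait image was fetched, the token proves which message triggered it, but the only address recorded belongs to the anonymizing service. That is the gap the documents say prompted the move from a passive Web bug to software running on the suspect's machine.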
One example of CIPAV's use came in a March 2006 request to the FBI's Cryptologic and Electronic Analysis Unit. It said a victim's Hotmail account is controlled by a suspect who "is extorting the victim because the account had personal info in it. Subject wants victim to set up an e-gold.com account and transfer $10,000 there and then email the userid/pwd to the subject."
Another was an August 2005 request saying a hacker deleted a company's database and "is extorting the victim company for payment to restore it."
If antivirus software could detect CIPAV before it is installed, a criminal suspect might be able to avoid having his Internet address divulged to the police. A 2007 CNET News survey of the major antispyware vendors found that not one company acknowledged cooperating unofficially with government agencies.
Ever wonder just how anonymous your online searches from a public library were? Ask Richard Leon Goyette, arrested Tuesday on federal charges involving 64 threatening letters with white powder and one bomb threat that were mailed October 17.
Goyette, 47, was arrested in an Albuquerque, N.M., airport after an investigation that involved the FBI and the U.S. Postal Service regarding the case. The letters, sent to JP Morgan Chase offices, the Federal Deposit Insurance Corporation (FDIC), and the Office of Thrift Supervision (OTS) from Amarillo, Texas, contained unidentified white powder and a threat that the person breathing it would die within 10 days. Tests showed the powder to be harmless--not like the fatal letters with anthrax powder sent in 2001--but threats are enough to trigger criminal charges.
It's no surprise that authorities can piece together digital information to pursue perpetrators. But it is revealing to see just how it was done in this case.
Goyette apparently gave investigators a head start by allegedly sending angry e-mails, according to investigation details released in a complaint filed by the U.S. Attorney's Office for the Northern District of Texas.
Upset about losing $63,525 in stock value during the closing of Washington Mutual Bank, a person using the Yahoo Mail address richgoyet@yahoo.com and including Goyette's name and address sent messages on September 26 to the FDIC and the OTS, according to the complaint, which details the FBI investigation in an arrest warrant affidavit. In September, the OTS had placed WaMu into receivership; the FDIC took over the bank then sold the assets to JP Morgan Chase.
"I told myself I was not going to accept any more losses due to the reasons I mentioned. I have pursued a path of doing things right, but unfortunately I've paid a terrible price for those who will do whatever it takes to defraud, steal, manipulate, and screw over average stockholders. This seizure was the final straw and I will now pursue any path to get the return of my investment. Since legal means are apparently useless, I will have to consider any viable method applicable to rightfully reclaim my stolen funds," another e-mail sent September 29 to the OTS said, according to the affidavit.
And in an October 7 letter to an attorney handling WaMu investor inquiries, Goyette said he would "most likely have to employ the same type of tactics used to cheat WaMu shareholders to recover stolen assets if all meaningful efforts to rectify this situation don't come to fruition," the affidavit said.
Next comes the search evidence.
Records obtained from Yahoo through a federal search warrant showed the FDIC and OTS letters were sent from a computer at Central New Mexico Community College in Albuquerque, the affidavit said. Five days later, a computer at the college also was used to search for the location of Chase branch offices. Six days after that, the affidavit said, a library computer at the University of New Mexico's Albuquerque campus was used to search for nearly all the Chase Bank branch locations that received the threatening letters; "The Chase branch locator services from the UNM computer were the only searches conducted in the months leading up to the mailings which covered that many victim branches," the affidavit said.
Scottrade account records also showed Goyette used computers at the Central New Mexico Community College and University of New Mexico, the affidavit said.
Formatting on the envelopes matched that on the Web sites, including one case in which the word "freeway" was bumped from the end of the first line of the address to the beginning of the second, the affidavit said.
Then comes a detour from the virtual world to the real world.
The Goyette address in the e-mails was for a post office box in Tijeras, N.M., near Albuquerque, but the physical address on its application form wasn't Goyette's. On December 7, a surveillance team saw Goyette pick up his mail from the P.O. box and drive away; the license plate showed his truck registered to Michael Jurek of Albuquerque. The driver's license photos showed Goyette and Jurek to be the same person, the affidavit said.
Then we have the credit card charge.
Citibank records showed that Michael Jurek used a credit card at Enterprise Rent-a-Car on October 17, the affidavit said. Using his driver's license with the Jurek name, Goyette rented a car and obtained permission to drive to Texas. He drove 618 miles; and the U.S. Attorney's Office points out it's 284 miles from Albuquerque to Amarillo.
The letters began arriving October 20.
Regardless of whether Goyette is guilty--and it should be noted that people charged with crimes are presumed innocent until convicted--the case shows just how many digital fingerprints people leave as they go about their daily lives.
Tracking people through digital records will only become more important to law enforcement as more people live their lives online through e-mail accounts, Web site comment posts, Yahoo Search Pad research, and other activity. And, of course, it will become more important to others as well, such as private investigators, hiring managers, nosy parents, and former and future boyfriends.
WASHINGTON--Cybersecurity attacks from organized crime, terrorists, and foreign governments are on the rise, an FBI official warned on Wednesday.
There are a "couple dozen" countries interested in breaching U.S. networks, said Shawn Henry, assistant director of the FBI cyber division, though he declined to list any specific countries.
The attempted attacks on U.S. networks are "increasingly sophisticated" and "the amount of information that has been stolen is significant," Henry said.
In particular, the use of botnets continues to increase, he said, while companies have lost tens of millions of dollars from "pump and dump" schemes in which criminals buy and sell stocks with other people's account information harvested online.
"A lot of the financial loss we see (due to) organized (crime) has increased because of the greater sense of money to be made, the awareness of the access to a greater rewards," Henry said.
There is also the perception that the prosecutorial risks for cybercrime are relatively minimal, he said.
Just five years ago, "in terms of judicial action, this was seen to be almost juvenile and more disruptive" than as a serious problem, Henry said. However, he said judges, law enforcement, and Congress have all come to recognize cybersecurity as a priority in recent years.
President Bush in January established the Comprehensive National Cyber Security Initiative, in which the Homeland Security Department has taken the lead, though it is up to the FBI to investigate any discovered cyberattacks.
The DHS has received a good deal of criticism for its leadership--or lack thereof--over cybersecurity matters, but Henry said his experience with the DHS has been positive so far.
Henry said the FBI has made significant progress in the past couple of years developing partnerships with foreign law enforcement to crack down on cybercrime, including partnerships with the U.K., Turkey, Russia, Canada, and Romania. The FBI made more than 90 arrests this year, Henry said, after stationing cybersecurity agents in Romania to crack down on cybercrime against financial institutions and retail networks.
"We've been able to convey that we're in a global economy and more often than not there's a victim in their country as well," he said.
The FBI was recently revealed to be operating an online forum called DarkMarket, as part of a sting operation against criminals buying and selling stolen identities and credit card information online.
Henry said infiltrations and electronic surveillance of illegal activity are preferred over taking reactive action against cybercrime because it creates the "opportunity to ultimately dismantle the organization" at fault.
WASHINGTON--The FBI's chief information officer announced his resignation Wednesday, nearly five years after inheriting an information technology program fraught with disaster and dramatically turning it around.
"In 2004, everyone was asking when the FBI would join the 21st century," said CIO Zalmai Azmi. "Today I can tell you that we are in the 21st century and continue to move forward."
Zalmai Azmi (Credit: FBI)
When Azmi joined the FBI as the acting CIO, the bureau was scheduled to roll out Virtual Case File, a software program meant to replace its archaic, paper-based criminal tracking system. Instead, the system was scrapped--and Azmi got to break the news to FBI Director Robert Mueller that the $170 million system, designed by Science Applications International, was unsalvageable.
Officially named the CIO in 2004, Azmi has since been working to build the bureau's IT branch and build confidence both within the agency and on Capitol Hill, where he meets with lawmakers twice a week.
The biggest challenge for his successor, Azmi said, "will be maintaining those relationships. More than anything, it's about the transparency we've brought."
Azmi's last official day will be October 17, and he said his successor will likely be named a few weeks after that. From a large pool of applicants from the public and private sectors, the bureau has narrowed its choices to candidates from the private sector.
The FBI's IT branch currently has 54 IT projects in development and plans to complete 20 by the end of the calendar year. It's already deployed the first phase of Sentinel, the program developed to replace VCF, and the rest of the project is on schedule and on budget, Azmi said. Sentinel is expected to be completed and fully deployed by 2012.
The FBI has been slow with providing its employees with desktop Internet access, since its closed network infrastructure was its first priority, but now more than 20,000 BlackBerrys have been deployed to its agents, analysts, and task force officers.
"We should be measured not where some think we should be, but on where we have come from and what we have accomplished," Azmi said.
After 24 years working for the federal government, Azmi said he is resigning to spend more time with his family.
One of the more interesting tidbits from News.com's survey published this morning on instant messaging privacy came from Skype.
The eBay-owned company says it is unable to comply with court-authorized wiretap requests.
We asked Skype: "Have you ever received a subpoena, court order or other law enforcement request asking you to perform a live interception or wiretap, meaning the contents of your users' communications would be instantly forwarded to law enforcement?"
Jennifer Caukin, Skype's director of corporate communications replied to us: "We have not received any subpoenas or court orders asking us to perform a live interception or wiretap of Skype-to-Skype communications. In any event, because of Skype's peer-to-peer architecture and encryption techniques, Skype would not be able to comply with such a request."
This isn't entirely a surprise. Skype, which claims something like 300 million user accounts, has said in the past that it "cooperates fully with all lawful requests from relevant authorities" but that it is not subject to the U.S. must-provide-a-wiretapping-backdoor law called the Communications Assistance for Law Enforcement Act. Police in Germany, for instance, already have complained of Skype's lack of ready wiretappability.
Because the company's SkypeIn and SkypeOut services send data through the traditional telecommunications network, they presumably can be wiretapped at that point. But voice communications that flow exclusively through the company's peer-to-peer network--and are encrypted using AES--are a different story.
There's no guarantee that Skype's AES encryption is implemented properly or that there aren't lingering security flaws. A 2006 presentation at the BlackHat Europe conference in March said the right algorithms were being used, but that there's "no way" to know if a backdoor for eavesdropping exists. A Skype-commissioned independent evaluation, however, gave it a thumbs-up.
The upshot is that if Yahoo, AOL, Microsoft, or another provider received a wiretap order for text or voice flowing through its IM network, it could (and would) comply, because the service is centralized. Even if the users' conversations are encrypted with the Off-the-Record Messaging protocol, an eavesdropper at the server still learns who is talking to whom; in wiretapping parlance this is a pen register or trap-and-trace device, and it can still be privacy-invasive.
Skype says it doesn't permit even that. Which means that it's the most privacy-protective mainstream method of communicating through voice or instant messaging. To the FBI's legions of eavesdroppers, that sounds a lot like a challenge.
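The pen-register point above is easy to underestimate, so here is an added example of what a centralized relay can extract from nothing but message envelopes. It is a model written for this page, not code from Skype, Yahoo, AOL or Microsoft; the usernames, timestamps and payloads are constructed, and the payloads are random bytes standing in for OTR ciphertext the relay cannot read. In a peer-to-peer design like the one Skype describes there is no such relay to keep this log, which is the whole of Skype's argument.

```python
from __future__ import annotations

import os
from collections import defaultdict
from dataclasses import dataclass

# Added example (not Skype's, Yahoo's, AOL's or Microsoft's code): what a centralized
# IM relay can log when message bodies are end-to-end encrypted, e.g. with OTR.
# Usernames, timestamps and payloads are constructed sample data.


@dataclass(frozen=True)
class RelayedMessage:
    ts: int          # seconds; the relay timestamps every message it forwards
    sender: str
    recipient: str
    payload: bytes   # opaque to the relay; never decoded below


def constructed_log() -> list[RelayedMessage]:
    """One conversation between alice and bob, a later one between alice and
    carol, and a single unanswered message from dave. Payloads are random bytes."""
    script = [
        (0, "alice", "bob"), (12, "bob", "alice"), (40, "alice", "bob"),
        (55, "bob", "alice"),
        (3600, "alice", "carol"), (3610, "carol", "alice"),
        (3900, "dave", "alice"),
    ]
    return [RelayedMessage(t, s, r, os.urandom(48)) for t, s, r in script]


def pen_register(log: list[RelayedMessage]) -> dict[tuple[str, str], dict]:
    """Who talked to whom, how often, how much and when, from envelopes only."""
    out: dict[tuple[str, str], dict] = {}
    for m in log:
        rec = out.setdefault(
            (m.sender, m.recipient),
            {"messages": 0, "bytes": 0, "first": m.ts, "last": m.ts},
        )
        rec["messages"] += 1
        rec["bytes"] += len(m.payload)   # size leaks even when content does not
        rec["first"] = min(rec["first"], m.ts)
        rec["last"] = max(rec["last"], m.ts)
    return out


def contact_graph(log: list[RelayedMessage]) -> dict[str, set[str]]:
    """Undirected contact graph, the usual first product of trap-and-trace data."""
    g: dict[str, set[str]] = defaultdict(set)
    for m in log:
        g[m.sender].add(m.recipient)
        g[m.recipient].add(m.sender)
    return dict(g)


def sessions(log: list[RelayedMessage], gap: int = 600) -> list[tuple[frozenset, int, int, int]]:
    """Group traffic between the same two parties into conversations separated by
    more than `gap` seconds of silence. Returns (parties, start, end, message count)."""
    by_pair: dict[frozenset, list[int]] = defaultdict(list)
    for m in sorted(log, key=lambda m: m.ts):
        by_pair[frozenset((m.sender, m.recipient))].append(m.ts)
    result = []
    for pair, stamps in by_pair.items():
        start = prev = stamps[0]
        count = 0
        for t in stamps:
            if t - prev > gap:
                result.append((pair, start, prev, count))
                start, count = t, 0
            count += 1
            prev = t
        result.append((pair, start, prev, count))
    return sorted(result, key=lambda s: s[1])


if __name__ == "__main__":
    log = constructed_log()
    for pair, rec in pen_register(log).items():
        print(pair, rec)
    print(contact_graph(log))
    print(sessions(log))
```

Nothing in the three functions touches `payload` except to measure its length, yet together they yield the contact list, the timing of each conversation and its volume, which is exactly the "who's talking to whom" data a pen-register or trap-and-trace order covers.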
The FBI director and a Republican congressman sketched out a far-reaching plan this week for warrantless surveillance of the Internet.
During a House of Representatives Judiciary Committee hearing, the FBI's Robert Mueller and Rep. Darrell Issa of California talked about what amounts to a two-step approach. Step 1 involves asking Internet service providers to open their networks to the FBI voluntarily; step 2 would be a federal law forcing companies to do just that.
Both have their problems, legal and practical, but let's look at step 1 first. Issa suggested that Internet providers could get "consent from every single person who signed up to operate under their auspices" for federal police to monitor network traffic for attempts to steal personal information and national secrets. Mueller said "legislation has to be developed" for "some omnibus search capability, utilizing filters that would identify the illegal activity as it comes through and give us the ability to pre-empt" it.
These are remarkable statements. The clearest reading of them points to deep packet inspection of network traffic, akin to what Phorm in the United Kingdom has done for advertising, plus additional processing to detect and thwart any "illegal activity." (The complete transcript of the exchange is reproduced below.)
"That's very troubling," said Greg Nojeim, director of the project on freedom, security, and technology at the Center for Democracy and Technology. "It could be an effort to achieve, through unknowing consent, permission to monitor communications in a way that would otherwise be prohibited by law."
Unfortunately, neither Issa nor Mueller recognized that such a plan is probably illegal. California law, for instance, says anyone who "intentionally and without the consent of all parties to a confidential communication" conducts electronic surveillance shall be imprisoned for one year. (I say "probably illegal" because their exchange didn't offer much in the way of details.)
"I think there's a substantial problem with what Mueller's proposing," said Al Gidari, a partner at the Perkins Coie law firm who represents telecommunications providers. "He forgets the states have the power to pass more restrictive rules, and 12 of them have. He also forgets that we live in a global world, and the rest of the world doesn't quite see eye to eye on this issue. That consent would be of dubious validity in Europe, for instance, where many of our customers reside."
For its part, the FBI isn't talking. After we made repeated attempts to get the bureau to explain what Mueller was talking about, FBI spokesman Paul Bresson responded by saying, "At this point, I'm going to let the director's comments, in the context of the exchange with Rep. Issa, speak for themselves."
What step 1 appears to involve is persuading Internet providers to amend their terms of service and insert an FBI-can-monitor-everything clause. Informed consent is one thing. But does anyone actually read the fine print on their contracts with their broadband or wireless provider? If not, is that fine print good enough?
Informed consent is important because of the wording of the Electronic Communications Privacy Act, or ECPA, which says providers may share the contents of customers' communications only "with the lawful consent" of the user. Otherwise, providers are breaking the law and can be sued for damages. And without consent, the FBI would bump up against the Fourth Amendment's prohibition on unreasonable searches.
Originally, Congress seemed to take a liberal view of what constituted "lawful consent." When ECPA was enacted in 1986, a House committee report said "consent may be inferred from a course of dealing," and if "those rules are available to users," consent can be implied.
But that was written way back in the early, pre-Internet days of Compuserve and bulletin board systems. More recently, courts have interpreted ECPA more strictly.
The 2003 In Re Pharmatrak decision from the U.S. Court of Appeals for the 1st Circuit offers one useful measuring stick. The court ruled in a case involving Web tracking "that it makes more sense to place the burden of showing consent on the party seeking the benefit of the exception." The judges approvingly cited a second case, which said "consent can only be implied when the surrounding circumstances convincingly show that the party knew about and consented to the interception."
The Federal Trade Commission, too, has taken a relatively strict view of informed consent. In its lawsuit filed against Odysseus Marketing, the FTC argued that it was unlawful for a company not "to adequately disclose" to customers that it was sharing information with third parties. The case ended in a settlement.
Translation: Obtaining "lawful consent" for FBI monitoring means making sure that your customers actually know what's going on and agree. Hiding it in the terms of service doesn't qualify.
But assume that the FBI can persuade Internet providers to include a prominent notice in every monthly bill, or some other mechanism that would be legally sufficient. Another problem is that even if the person who pays the bills consents to monitoring, other people may use the connection--think homes with open wireless connections. ECPA's legal protections follow individual people, not customer accounts.
Rewriting U.S. surveillance laws
Because the FBI would run into serious problems doing wide-scale Internet surveillance under existing state and federal law, step 2 may be necessary. That means rewriting U.S. surveillance law.
Issa said he wants to "craft" legislation that would give the FBI the power to look "for those illegal activities, and then act on those, both defensively and, either yourselves or certainly other agencies, offensively in order to shut down a crime in process." He worried about "national-security secrets and just the common information of private individuals" being at risk. In his response, Mueller said he wants Congress to "give us the ability to pre-empt that illegal activity."
"Looking for" a crime in process on the Internet can take multiple paths. If it's a denial-of-service attack against eBay or Amazon.com originating from Russian servers, it can be detected by measuring the volume of traffic without inspecting the contents of each packet. But detecting fraud, leaks of "national-security secrets," or personal information being transferred would require deep packet inspection, roughly on the scale of the Great Firewall of China.
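The distinction in that paragraph is the crux of the privacy argument, so here is an added example that puts both detection paths side by side. It is not code from the article or from any FBI or DHS system. The flow records, addresses and payloads are constructed sample data, and the thresholds are arbitrary values chosen for the demonstration.

```python
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# Added example (not code from the article or any FBI/DHS system): a volumetric attack
# is visible in flow counters alone, while finding a payment-card number in transit
# requires reading the payload. Records, addresses and payloads are constructed.


@dataclass(frozen=True)
class Flow:
    ts: int        # seconds
    src: str
    dst: str
    dport: int
    packets: int   # a counter a router exports without looking inside packets


def detect_flood(flows, window: int = 10, min_sources: int = 4, min_packets: int = 2000):
    """Flag a destination/port that, within any `window` seconds, receives at least
    `min_packets` from at least `min_sources` distinct sources. Headers and
    counters only; no payload is available to this function at all."""
    alerts = []
    by_target = defaultdict(list)
    for f in sorted(flows, key=lambda f: f.ts):
        by_target[(f.dst, f.dport)].append(f)
    for target, recs in by_target.items():
        lo = 0
        for hi in range(len(recs)):
            while recs[hi].ts - recs[lo].ts > window:
                lo += 1
            bucket = recs[lo:hi + 1]
            srcs = {f.src for f in bucket}
            pk = sum(f.packets for f in bucket)
            if len(srcs) >= min_sources and pk >= min_packets:
                alerts.append((target, recs[lo].ts, recs[hi].ts, len(srcs), pk))
                break  # one alert per target is enough here
    return alerts


# The content path: this cannot be done without opening every packet.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def luhn_ok(digits: str) -> bool:
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(payload: bytes) -> list[str]:
    """Return Luhn-valid card-number candidates found in a packet payload."""
    text = payload.decode("utf-8", "replace")
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


# Constructed flow export: a six-source flood on 192.0.2.10:80, ordinary traffic to
# 192.0.2.20:443, and one large single-source transfer that must not alert.
SAMPLE_FLOWS = [Flow(100 + i, f"203.0.113.{i + 1}", "192.0.2.10", 80, 600) for i in range(6)]
SAMPLE_FLOWS += [Flow(100, "198.51.100.5", "192.0.2.20", 443, 50),
                 Flow(104, "198.51.100.6", "192.0.2.20", 443, 50),
                 Flow(102, "198.51.100.7", "192.0.2.30", 25, 5000)]

# Constructed payloads: one carries a Luhn-valid test number, one a number that is not.
SAMPLE_PAYLOADS = [b"order 88 card 4111 1111 1111 1111 exp 12/09",
                   b"ticket 1234567812345678 opened"]


def demo():
    alerts = detect_flood(SAMPLE_FLOWS)
    cards = [find_card_numbers(p) for p in SAMPLE_PAYLOADS]
    return alerts, cards


if __name__ == "__main__":
    print(demo())
```

The flood detector never sees a byte of content and still fires; the card-number check is useless without the payload. Any "omnibus search capability" that promised to catch the second kind of activity is, by construction, reading what people send.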
Needless to say, detecting "illegal activity" would soon be extended to copyright infringement and peer-to-peer networks. Under the No Electronic Theft Act, swapping music or video files is a federal crime, if the total value of the files exceeds $1,000. If the value tops $2,500, the maximum penalty rises to five years in prison. And as Jammie Thomas found out last year, allegedly sharing 24 files can lead to $222,000 in civil penalties.
"I think you bump squarely into the Fourth Amendment when you get into the required waiver of constitutional protections to use a service," said Gidari, the attorney at Perkins Coie. "Why don't we extend it to include not criticizing the government? Which right is next? 'You may use our service, as long as you don't disparage Verizon?' Why not that one?...You've still got to have, at the end of the day, a constitutionally supportable legal process to get access to anyone's communications. This cannot be an end run around that."
The problem of how to "shut down a crime in process" and "pre-empt that illegal activity" is more difficult and, perhaps, more worrisome.
Here's what Kurt Opsahl, a senior staff attorney at the Electronic Frontier Foundation in San Francisco, had to say when I asked him to read the transcript of Wednesday's hearing:
It certainly is Mueller's responsibility to explain what it is that he's looking for. But it seems that he's saying, essentially, that the surveillance society is the best society. A society in which the government has complete information about illegal activities and is able to enforce that. Throughout our country's existence, we've lived in a society where the government doesn't have perfect information.
Is (Mueller) suggesting that there's a search capability using filters that would identify an infringing work and fail to deliver a message containing that work? Is that the choke point? If that is the case, how can that be done well? How about fair uses? How will the government tell whether a copyrighted work is sent pursuant to a license? Will it have a centralized database of licenses? How does he propose to have this work, so it only identifies illegal activities and doesn't overly choke?
The FBI has some obligation to explain: what is it going to focus on here? Once you have the technology in place, will it then be used for more and more?
If you thought the tussles over Net neutrality were heated before, imagine a broadband provider throttling certain applications--and being able to blame that throttling capability on law enforcement. At the very least, it would be a wonderful excuse.
Which is why it's a shame, and somewhat troubling, that the FBI has chosen not to say what its director is proposing (and apparently will be working with Congress to write into law).
Odds of FBI-filtering legislation: Zero?
One possible germ for this Internet-monitoring idea lies in Homeland Security's so-called Einstein program, which is designed to monitor Internet mischief and network disruptions aimed at federal agencies. Not much about Einstein is public, but a privacy impact assessment offers some details.
Homeland Security Spokeswoman Laura Keehner said in a telephone interview that the primary focus of Einstein at the moment is protecting federal-government networks. "Obviously, the FBI could clarify or elaborate on what they said," Keehner said. "I do know that (from Homeland Security's perspective) we now first need to get our .gov in order. We need to concentrate on our federal networks...We're also bringing in the private sector to open those lines of discussion and figure out ways that the private sector can better equip themselves to stop any cyberincursions."
Another possibly related effort is the Bush administration's so-called Cyber Initiative. In January, President Bush signed a pair of secret orders--National Security Presidential Directive 54/Homeland Security Presidential Directive 23--that apparently deal with detecting and preventing Internet disruptions. Issa is a member of the House Intelligence Committee, which held a closed-door hearing on Thursday devoted to the Cyber Initiative--and, during the exchange with Mueller a day earlier, he said his monitoring idea was related.
The House Intelligence committee didn't want to talk. But a representative of the House Homeland Security committee chaired by Rep. Bennie Thompson (D-Miss.) sent us three bullet points in an e-mail message:
1. Chance of a legislative initiative that would allow FBI to place filters to identify illegal activity at choke points on the .com space: 0
2. We still have concerns and questions about the initiative, and we continue to do oversight.
3. Legislation is not being considered for any of the new proposals, outside of the budget requests made by the administration.
Point No. 3 seems to relate to the administration's 2009 budget request, which asks Congress for $293.5 million to expand Einstein to the entire federal government.
The Senate Homeland Security and Governmental Affairs Committee, which is headed by Joe Lieberman of Connecticut, also held a classified hearing last month on the administration's Cyber Initiative.
But a committee aide told us, "The idea of filtering for criminal activity has never been discussed with us. Nor has any new statutory authority been discussed. In fact, the administration explicitly said it didn't need any legislation. Furthermore, the idea of monitoring nongovernment domains has never been proposed in briefings the committee has received."
It's true that, at least in the current political climate, legislation of the sort Issa wants to draft isn't likely to slide through Congress unopposed.
Still, it's worth keeping in mind that the FBI has a recent, and not very flattering, history of trying to expand the scope of surveillance methods. Bureau agents used so-called exigent letters to obtain records from telephone companies, claiming that an emergency situation existed.
In reality, there was often no emergency at all. The Justice Department's inspector general found similar abuses of national-security letters. The FBI also tried to bypass the Foreign Intelligence Surveillance Court when it denied requests to obtain records.
Perhaps Mueller can provide a convincing argument for why laws giving the FBI "omnibus search capability utilizing filters that would identify the illegal activity" would be wise. Perhaps not. But when politicians weigh the idea of trusting the FBI with such broad and unprecedented authority, they should consider the abuses that have already taken place with far less powerful tools.
CNET News.com's Anne Broache contributed to this report.
When the FBI suggested that it should be able to perform wide-scale Internet monitoring to detect "illegal activity" on Wednesday, the bureau raised more questions than it answered.
To help clear things up, we're providing the transcript of FBI Director Robert Mueller's exchange at a House of Representatives hearing with Rep. Darrell Issa, a California Republican. Issa made his fortune by founding Directed Electronics, a publicly traded company that sells car alarms and home theater loudspeakers.
Issa also is a member of the House Intelligence Committee, which is holding a closed hearing on Thursday devoted to the Bush administration's so-called Cyber Initiative. In January, President Bush signed a pair of secret orders--National Security Presidential Directive 54/Homeland Security Presidential Directive 23--that apparently deal with detecting and preventing Internet disruptions.
Here's the relevant section of the transcript from the House Judiciary hearing on Wednesday:
Rep. Issa: Director, there isn't enough time in five minutes to open and close the subject of the Cyber Initiative, but this committee, in my opinion, is going to be the lead committee on, ah, the actual effectiveness of that initiative. As we both know it's compartmented, highly classified. But I'd like to concentrate just on what laws or changes that you would need from this committee if you were to do the following, and I'll set out a scenario.
If you go into a place and there's a crime actively being committed, let's say there's a bookie joint, and there's tens of thousands of illegal transactions going on every minute. And you know that. And you have proof of that. You don't question your ability to go in and to harvest the fruit of all the activities in there, is that correct?
Mueller: That's correct.
Mueller: With a search warrant, quite honestly.
Rep. Issa: With a search warrant. Today every ISP is being maliciously attacked--this goes beyond the .mils and .govs--but I think that's the important reason that we approach it today. Every ISP is being attacked, maliciously both from in the United States and outside of the United States, by those who want to invade people's privacy.
FBI director Robert Mueller, shown here at Wednesday's hearing, says 'legislation has to be developed' that would 'identify the illegal activity as it comes through and give us the ability to preempt that illegal activity.' (Credit: Anne Broache/CNET News.com)
But more importantly they want to take control of computers, they want to hack them, they want to steal information. This is also true of the .mils and .govs. Every one of our congressional offices, every day, is under attack.
Every portal leading out of the United States, some of them going in and out of the United States, but talking only about your jurisdiction in the United States. Every portal coming into this country is being attacked by those who would harvest information, both national security secrets and just the common information of private individuals and private individuals.
That crime is going on, every day, on a single entity known as the Internet. What authorities do you need to monitor, looking for those illegal activities, and then act on those, both defensively and, either yourselves or certainly other agencies, offensively in order to shut down a crime in process?
Now, I'm a civil libertarian. I was with Bob Barr arguing some of the elements of the Patriot Act that we still don't agree should have been there. But when I set up the crime scenario, how is it that you're going to get the right to react when today, people would say that if they, if you're addressing an action from an American person, you don't have that right? How are you going to do it, and how can we help you do it appropriately and constitutionally?
Mueller: I think legislation has to be developed that balances on one hand, the privacy rights of the individual who are receiving the information, but on the other hand, given the technology, the necessity of having some omnibus search capability utilizing filters that would identify the illegal activity as it comes through and give us the ability to preempt that illegal activity where it comes through a choke point as opposed to the point where it is diffuse on the Internet.
And it is a question of the legislation catching up to the technology. Understanding that these crimes are being committed every moment. But then identifying our ability to focus on the particular criminal element as it's coming through and preempt that criminal element, whether it be .mil, .gov, .com, whichever network you're talking about.
Rep. Issa: OK, and one follow-up question, or two follow-up questions, because I know we're not going to get it all resolved today. One, can you have someone on your staff designated to work with members of Congress on trying to craft that legislation? I'd appreciate being able to work with that person.
And secondly, and this goes to a legal opinion you may or may not be able to help us with today, but I'd like you to try to work on it. If ISPs or other private entities, a Lockheed Martin on one hand, and my old company, Directed Electronics on the other, if they consented to participation voluntarily in being, in fact, defended in a Cyber Initiative--and that includes ISPs that hypothetically got consent from every single person who signed up to operate under their auspices.
If that consent were granted, do you believe that current laws either can or reasonably easily could be made to protect them? In other words, a voluntary program that would begin allowing federal agencies to counter-attack and to defend on behalf of those who waive current possible restrictions in that sense. And that's probably my most important question to get this committee thinking of.
Mueller: I think that's going to require some thought because an individual company can say "OK, I consent to have somebody protect me." But if the filter is inappropriately placed just protecting that particular company, it may have to be one or two or three institutions or ISPs off, and that's where you would have a problem. Whether it would be, I forget what company you mentioned, but Lockheed Martin saying, "I'm willing for somebody to protect me," but the protection may be two or three companies off. Lockheed Martin has no mechanism in order to affect the company that's two or three off, if you see what I'm getting at.
Rep. Issa: Thank you, and thank you, Mr. Chairman. Hopefully 163.33.33.0 will be protected if they ask to be, whoever they are. (Editor's note: 163.33.33 seems to be an Internet protocol address near San Jose, Calif.)
Rep. Conyers: As you wish, Mr. Issa.
Rep. Issa: Mr. Chairman, I do hope that when we look at the Cyber Initiative, we view ourselves as the primary committee that has to clear the way for appropriate action on behalf of our government, all branches.
Rep. Conyers: (Nods)
FBI director Robert Mueller calls for new federal data retention laws forcing Internet companies to keep records of what their customers are doing, but without providing details. Several politicians endorsed the idea during a hearing on Tuesday.
(Credit: Anne Broache/News.com)
WASHINGTON--The FBI and multiple members of Congress said on Wednesday that Internet service providers must be legally required to keep records of their users' activities for later review by police.
Their suggestions for mandatory data retention revive a push for potentially sweeping federal laws--which civil libertarians oppose--that flagged last year after the resignation of Attorney General Alberto Gonzales, the idea's most prominent proponent.
FBI Director Robert Mueller told a House of Representatives committee that Internet service providers should be required to keep records of users' activities for two years.
"From the perspective of an investigator, having that backlog of records would be tremendously important if someone comes up on your screen now," Mueller said. "If those records are only kept 15 days or 30 days, you may lose the information you may need to bring that person to justice."
Also lending their support for data retention were Rep. Ric Keller, R-Fla., who said that Internet chat rooms were crammed with sexual predators, and Rep. Lamar Smith of Texas, the senior Republican on the House Judiciary committee and a previous data retention enthusiast. Rep. John Conyers, the senior Democrat and chairman, added that any proposed data retention legislation submitted by the FBI "would be most welcome."
ISP snooping time line
In a series of events first reported by CNET News.com, Bush administration officials have lobbied to force Internet providers to keep track of what Americans are doing online:
June 2005: Justice Department officials quietly propose data retention rules.
December 2005: European Parliament votes for data retention of up to two years.
April 14, 2006: Data retention proposals surface in Colorado and the U.S. Congress.
April 20, 2006: Attorney General Gonzales says data retention "must be addressed."
April 28, 2006: Rep. DeGette proposes data retention amendment.
May 16, 2006: Rep. Sensenbrenner drafts data retention legislation, but backs away from it two days later.
May 26, 2006: Gonzales and FBI Director Mueller meet with Internet and telecommunications companies.
February 6, 2007: Rep. Smith introduces bill that would give the Justice Department broad authority to write data retention rules.
"Records retention by ISPs would be tremendously helpful in giving us a historic basis to make a case on a number of child pornographers who use the Internet to push their pornography" or lure children, Mueller said.
Replied Smith: "I think a number of us may well follow up on that suggestion."
An aide to Rep. Smith said in response to questions from News.com that the congressman was offering no details and would not be commenting at this point.
Based on the statements at Wednesday's hearing and previous calls for new laws in this area, the scope of a mandatory data retention law remains fuzzy. It could mean forcing companies to store data for two years about what Internet addresses are assigned to which customers (Comcast said in 2006 that it would be retaining those records for six months).
Or it could be far more intrusive. It could mean keeping track of e-mail and instant-messaging correspondence and what Web pages users visit. Some Democratic politicians have called for data retention laws to extend to domain name registries and Web hosting companies and even social-networking sites. During private meetings with industry officials, FBI and Justice Department representatives have said it would be desirable to force search engines to keep logs--a proposal that could gain additional law enforcement support, but raise additional privacy concerns and potentially conflict with European laws.
Kate Dean, director of the U.S. Internet Service Provider Association, which counts as members AT&T, AOL, Comcast, and Verizon, said in an e-mail message:
Without specifics, it's hard to know what Director Mueller is looking for from industry. The idea of data retention is complex, and Congress will need to examine many issues including which providers would be covered by a retention regime, for what period of time would those organizations be required to keep the data, does the policy idea fit with today's and tomorrow's technologies, and what are the effects on the consumer--what are the potential risks to subscriber privacy and security? US ISPA members have been at the forefront of child protection initiatives with the National Center for Missing and Exploited Children and law enforcement, so we welcome a continued dialogue.
As attorney general until last summer, Gonzales rarely passed up an opportunity to call for data retention. In April 2006, he said Internet providers must retain records for a "reasonable amount of time" and the issue "must be addressed." In September 2006, he added: "This is a national problem that requires federal legislation."
After Gonzales' departure, the Bush administration has been less vocal on lobbying for data retention legislation. During Wednesday's hearing, however, Mueller called for new laws at least three times.
Multiple proposals to mandate data retention have surfaced in the U.S. Congress. One, backed by Rep. Diana DeGette, a Colorado Democrat, said that any Internet service that "enables users to access content" must indefinitely retain records that would permit police to identify each user. Another came from Wisconsin Rep. F. James Sensenbrenner, a close ally of President Bush, and a third was written by Rep. Smith, who endorsed the idea again on Wednesday.
At the moment, Internet service providers typically discard any log file that's no longer required for business reasons such as network monitoring, fraud prevention or billing disputes. Companies do, however, alter that general rule when contacted by police performing an investigation--a practice called data preservation.
A 1996 federal law called the Electronic Communication Transactional Records Act regulates data preservation. It requires Internet providers to retain any "record" in their possession for 90 days "upon the request of a governmental entity."
Because Internet addresses remain a relatively scarce commodity, ISPs tend to allocate them to customers from a pool based on whether a computer is in use at the time. (Two standard techniques used are the Dynamic Host Configuration Protocol and Point-to-Point Protocol over Ethernet.)
In addition, Internet providers are required by another federal law to report child pornography sightings to the National Center for Missing and Exploited Children, which is in turn charged with forwarding that report to the appropriate police agency.
News.com's Anne Broache reported from Washington, D.C.
WASHINGTON -- The FBI is pressuring states to become more secretive and limit even routine oversight of the bureau's data-sharing arrangements with local police, a new document shows.
A memorandum of understanding written by the FBI and signed by the state of Virginia in February 2008 aims to curb congressional and press oversight of a joint venture called a Fusion Center. Here's more on Fusion Centers.
The memorandum, obtained by the Electronic Privacy Information Center and released on Friday, says that any "disclosure" to Congress of information shared with the Fusion Center can happen only "after consultation with the FBI." It also says that requests from media organizations even for non-classified material made under Virginia's open government laws will be referred to the FBI and then strongly opposed.
It also indicates that the FBI is responsible for a Virginia state bill called HB1007 -- introduced two days after the FBI signed the memorandum on January 6 -- that would exempt the Fusion Center from open government laws.
That bill is worrisome. It rewrites open government laws to say that even non-classified statistics about the total number of investigations targeting "an individual who or organization which is reasonably suspected of involvement in criminal activity" will be exempt from disclosure to news organizations and the public.
Nobody wants truly confidential or classified information to be disclosed (except, perhaps, to the historians of the next generation). But the Virginia proposal goes too far, and exempts even reports and statistics that could show overzealous surveillance and other possible misbehavior by Fusion Center staff.
In reality, there's no need to amend Virginia's open government law; it already includes a slew of can't-disclose-these exemptions including "public safety" records, anti-terrorist plans, and reports given to "state and local law enforcement agencies."
This hasn't stopped police from misrepresenting what's going on. "Federal agencies aren't going to share with us classified information if they think we're going to share that information," Capt. Tom Martin, commander of the Virginia State Police Criminal Intelligence Division and the administrative head of the Fusion Center, told the Virginian-Pilot. "We're going to protect it."
If Martin and the other Fusion Center honchos want a narrow state law reiterating that classified information can't be disclosed, perhaps it makes sense to enact one. But that's a far cry from HB1007's broad exceptions, and not an argument that the currently-proposed law is either wise or necessary.
Screen snapshot: This now-defunct site is reportedly where an FBI undercover agent posted hyperlinks purporting to be illegal videos. Clicking the links brought a raid from the Feds.
The FBI has recently adopted a novel investigative technique: posting hyperlinks that purport to be illegal videos of minors having sex, and then raiding the homes of anyone willing to click on them.
Undercover FBI agents used this hyperlink-enticement technique, which directed Internet users to a clandestine government server, to stage armed raids of homes in Pennsylvania, New York, and Nevada last year. The supposed video files actually were gibberish and contained no illegal images.
A CNET News.com review of legal documents shows that courts have approved of this technique, even though it raises questions about entrapment, the problems of identifying who's using an open wireless connection--and whether anyone who clicks on an FBI link that contains no child pornography should be automatically subject to a dawn raid by federal police.
Roderick Vosburgh, a doctoral student at Temple University who also taught history at La Salle University, was raided at home in February 2007 after he allegedly clicked on the FBI's hyperlink. Federal agents knocked on the door around 7 a.m., falsely claiming they wanted to talk to Vosburgh about his car. Once he opened the door, they threw him to the ground outside his house and handcuffed him.
AUDIO: News.com daily podcast. Reporter Declan McCullagh talks about the FBI's hyperlinking tactic for getting child porn suspects.
Vosburgh was charged with violating federal law, which criminalizes "attempts" to download child pornography with up to 10 years in prison. Last November, a jury found Vosburgh guilty on that count, and a sentencing hearing is scheduled for April 22, at which point Vosburgh could face three to four years in prison.
The implications of the FBI's hyperlink-enticement technique are sweeping. Using the same logic and legal arguments, federal agents could send unsolicited e-mail messages to millions of Americans advertising illegal narcotics or child pornography--and raid people who click on the links embedded in the spam messages. The bureau could register the "unlawfulimages.com" domain name and prosecute intentional visitors. And so on.
"The evidence was insufficient for a reasonable jury to find that Mr. Vosburgh specifically intended to download child pornography, a necessary element of any 'attempt' offense," Vosburgh's attorney, Anna Durbin of Ardmore, Penn., wrote in a court filing that is attempting to overturn the jury verdict before her client is sentenced.
In a telephone conversation on Wednesday, Durbin added: "I thought it was scary that they could do this. This whole idea that the FBI can put a honeypot out there to attract people is kind of sad. It seems to me that they've brought a lot of cases without having to stoop to this."
Durbin did not want to be interviewed more extensively about the case because it is still pending; she's waiting for U.S. District Judge Timothy Savage to rule on her motion. Unless he agrees with her and overturns the jury verdict, Vosburgh--who has no prior criminal record--will be required to register as a sex offender for 15 years and will be effectively barred from continuing his work as a college instructor after his prison sentence ends.
How the hyperlink sting operation worked
The government's hyperlink sting operation worked like this: FBI Special Agent Wade Luders disseminated links to the supposedly illicit porn on an online discussion forum called Ranchi, which Luders believed was frequented by people who traded underage images. One server allegedly associated with the Ranchi forum was rangate.da.ru, which is now offline with a message attributing the closure to "non-ethical" activity.
In October 2006, Luders posted a number of links purporting to point to videos of child pornography, and then followed up with a second, supposedly correct link 40 minutes later. All the links pointed to, according to a bureau affidavit, a "covert FBI computer in San Jose, California, and the file located therein was encrypted and non-pornographic."
Excerpt from an FBI affidavit filed in the Nevada case showing how the hyperlink-sting was conducted.
Some of the links, including the supposedly correct one, included the hostname uploader.sytes.net. Sytes.net is hosted by no-ip.com, which provides dynamic domain name service to customers for $15 a year.
When anyone visited the upload.sytes.net site, the FBI recorded the Internet Protocol address of the remote computer. There's no evidence the referring site was recorded as well, meaning the FBI couldn't tell if the visitor found the links through Ranchi or another source such as an e-mail message.
With the logs revealing those allegedly incriminating IP addresses in hand, the FBI sent administrative subpoenas to the relevant Internet service provider to learn the identity of the person whose name was on the account--and then obtained search warrants for dawn raids.
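The attribution chain just described (server log records an IP address, ISP lease records tie that address to an account) is the same chain the data retention debate above is about, since addresses are assigned dynamically and ISPs purge old lease records. The following Python example is added here and is not the FBI's or any ISP's code; every log line, address, account name and the `NOW` date are constructed, and it shows how a short retention window, a gap between leases, or a missing Referer limits what the logs can establish.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed Combined Log Format lines from a hypothetical web server (not the
# FBI's logs). The field before the user agent is the Referer; "-" means the
# browser sent none, so the page that carried the link cannot be determined.
ACCESS_LOG = [
    '203.0.113.7 - - [10/Oct/2006:21:30:00 +0000] "GET /file.bin HTTP/1.1" 200 512 "http://forum.example/thread" "Mozilla/4.0"',
    '203.0.113.9 - - [11/Oct/2006:03:15:00 +0000] "GET /file.bin HTTP/1.1" 200 512 "-" "Mozilla/4.0"',
    '203.0.113.7 - - [10/Oct/2006:20:02:00 +0000] "GET /file.bin HTTP/1.1" 200 512 "-" "Mozilla/4.0"',
]

# Constructed ISP lease records (hypothetical): which account held a dynamically
# assigned address (DHCP or PPPoE style) and during which window. 203.0.113.7
# changes hands during the day, with a five-minute gap between 20:00 and 20:05.
LEASES = [
    ("203.0.113.7", "acct-1001", "2006-10-10T08:00:00+00:00", "2006-10-10T20:00:00+00:00"),
    ("203.0.113.7", "acct-2042", "2006-10-10T20:05:00+00:00", "2006-10-11T06:00:00+00:00"),
    ("203.0.113.9", "acct-3310", "2006-10-10T00:00:00+00:00", "2006-10-12T00:00:00+00:00"),
]

# Constructed date on which the records request reaches the ISP.
NOW = datetime(2006, 11, 25, tzinfo=timezone.utc)

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" \d+ \S+ "(?P<ref>[^"]*)"'
)


def parse_access_line(line):
    """Extract client IP, request time and Referer (None if absent) from one line."""
    m = LOG_RE.match(line)
    if not m:
        raise ValueError("unrecognised access log line")
    when = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    ref = m.group("ref")
    return {"ip": m.group("ip"), "when": when, "referer": None if ref == "-" else ref}


def retained(leases, now, retention_days):
    """Leases the ISP still holds: anything that ended before the cutoff was purged."""
    cutoff = now - timedelta(days=retention_days)
    return [l for l in leases if datetime.fromisoformat(l[3]) >= cutoff]


def subscriber_for(ip, when, leases):
    """Account holding `ip` at `when`, or None if no single lease covers that instant."""
    hits = [acct for addr, acct, start, end in leases
            if addr == ip and datetime.fromisoformat(start) <= when <= datetime.fromisoformat(end)]
    return hits[0] if len(hits) == 1 else None


def attribute(line, leases=LEASES, now=NOW, retention_days=30):
    """Tie one access log hit to a subscriber under a given retention policy.

    status is "identified" when a retained lease matches, "discarded" when a
    lease once existed but aged out of the retention window, and "no_record"
    otherwise. Even "identified" names the account holder, not the person at
    the keyboard (an open Wi-Fi network is the obvious case).
    """
    hit = parse_access_line(line)
    ever = subscriber_for(hit["ip"], hit["when"], leases)
    kept = subscriber_for(hit["ip"], hit["when"], retained(leases, now, retention_days))
    status = "identified" if kept else ("discarded" if ever else "no_record")
    return {"ip": hit["ip"], "subscriber": kept, "status": status, "referer": hit["referer"]}


if __name__ == "__main__":
    for days in (30, 730):  # a 30-day policy versus the two years Mueller asked for
        for line in ACCESS_LOG:
            print(days, attribute(line, retention_days=days))
```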
Excerpt from FBI affidavit in Nevada case that shows visits to the hyperlink-sting site.
The search warrants authorized FBI agents to seize and remove any "computer-related" equipment, utility bills, telephone bills, any "addressed correspondence" sent through the U.S. mail, video gear, camera equipment, checkbooks, bank statements, and credit card statements.
While it might seem that merely clicking on a link wouldn't be enough to justify a search warrant, courts have ruled otherwise. On March 6, U.S. District Judge Roger Hunt in Nevada agreed with a magistrate judge that the hyperlink-sting operation constituted sufficient probable cause to justify giving the FBI its search warrant.
The defendant in that case, Travis Carter, suggested that any of the neighbors could be using his wireless network. (The public defender's office even sent out an investigator who confirmed that dozens of homes were within Wi-Fi range.)
But the magistrate judge ruled that even the possibilities of spoofing or other users of an open Wi-Fi connection "would not have negated a substantial basis for concluding that there was probable cause to believe that evidence of child pornography would be found on the premises to be searched." Translated, that means the search warrant was valid.
Entrapment: Not a defense
So far, at least, attorneys defending the hyperlink-sting cases do not appear to have raised unlawful entrapment as a defense.
"Claims of entrapment have been made in similar cases, but usually do not get very far," said Stephen Saltzburg, a professor at George Washington University's law school. "The individuals who chose to log into the FBI sites appear to have had no pressure put upon them by the government...It is doubtful that the individuals could claim the government made them do something they weren't predisposed to doing or that the government overreached."
The outcome may be different, Saltzburg said, if the FBI had tried to encourage people to click on the link by including misleading statements suggesting the videos were legal or approved.
In the case of Vosburgh, the college instructor who lived in Media, Penn., his attorney has been left to argue that "no reasonable jury could have found beyond a reasonable doubt that Mr. Vosburgh himself attempted to download child pornography."
Vosburgh faced four charges: clicking on an illegal hyperlink; knowingly destroying a hard drive and a thumb drive by physically damaging them when the FBI agents were outside his home; obstructing an FBI investigation by destroying the devices; and possessing a hard drive with two grainy thumbnail images of naked female minors (the youths weren't having sex, but their genitalia were visible).
The judge threw out the third count and the jury found him not guilty of the second. But Vosburgh was convicted of the first and last counts, which included clicking on the FBI's illicit hyperlink.
In a legal brief filed on March 6, his attorney argued that the two thumbnails were in a hidden "thumbs.db" file automatically created by the Windows operating system. The brief said that there was no evidence that Vosburgh ever viewed the full-size images--which were not found on his hard drive--and the thumbnails could have been created by receiving an e-mail message, copying files, or innocently visiting a Web page.
From the FBI's perspective, clicking on the illicit hyperlink and having a thumbs.db file with illicit images are both serious crimes. Federal prosecutors wrote: "The jury found that defendant knew exactly what he was trying to obtain when he downloaded the hyperlinks on Agent Luder's Ranchi post. At trial, defendant suggested unrealistic, unlikely explanations as to how his computer was linked to the post. The jury saw through the smokes (sic) and mirrors, as should the court."
And, as for the two thumbnail images, prosecutors argued (note that under federal child pornography law, the definition of "sexually explicit conduct" does not require that sex acts take place):
The first image depicted a pre-pubescent girl, fully naked, standing on one leg while the other leg was fully extended leaning on a desk, exposing her genitalia... The other image depicted four pre-pubescent fully naked girls sitting on a couch, with their legs spread apart, exposing their genitalia. Viewing this image, the jury could reasonably conclude that the four girls were posed in unnatural positions and the focal point of this picture was on their genitalia.... And, based on all this evidence, the jury found that the images were of minors engaged in sexually explicit conduct, and certainly did not require a crystal clear resolution that defendant now claims was necessary, yet lacking.
Prosecutors also highlighted the fact that Vosburgh visited the "loli-chan" site, which has in the past featured a teenage Webcam girl holding up provocative signs (but without any nudity).
Civil libertarians warn that anyone who clicks on a hyperlink advertising something illegal--perhaps found while Web browsing or received through e-mail--could face the same fate.
When asked what would stop the FBI from expanding its hyperlink sting operation, Harvey Silverglate, a longtime criminal defense lawyer in Cambridge, Mass. and author of a forthcoming book on the Justice Department, replied: "Because the courts have been so narrow in their definition of 'entrapment,' and so expansive in their definition of 'probable cause,' there is nothing to stop the Feds from acting as you posit."