Politics and Law

(Credit: CNET/Declan McCullagh)

SAN FRANCISCO--The director of the National Security Agency on Tuesday downplayed reports of the NSA's attempt to wrest control of cybersecurity responsibilities from rival federal agencies.

"We do not want to run cybersecurity for the U.S. government," Lt. Gen. Keith Alexander said at the RSA security conference here.

Instead, Alexander said, the Department of Homeland Security should continue to oversee Internet and computer security for civilian agencies, while the NSA would provide that service for military agencies.

Alexander's remarks come during a 60-day review of the federal government's cybersecurity efforts ordered by President Obama that could end with responsibilities being reshuffled between agencies. Melissa Hathaway, who worked for the director of national intelligence in the Bush administration and is conducting the review, is scheduled to give a public talk on Wednesday.

The announcement of the review led to speculation that the White House's National Security Council or NSA would be handed more cybersecurity responsibilities, along with a larger budget to carry them out. Although the 2002 law creating DHS centralized cybersecurity responsibilities, it has been repeatedly criticized by government auditors who concluded that DHS failed to live up to its responsibilities and may be "unprepared" for emergencies.

On Tuesday, Alexander did note that the NSA "has tremendous technical abilities" and suggested that crisis management might benefit from centralization. "The question is: What happens in a time of crisis? We don't have a way of seeing and sharing networks today in a timely manner."

Much of Alexander's remarks appeared to be a response to Rod Beckstrom, former director of Homeland Security's National Cybersecurity Center, whose resignation letter last month blasted what he described as an NSA power grab that could threaten "our democratic processes." That led some members of Congress -- including the Democratic chairman of the House Homeland Security Committee -- to object to NSA control, which Clinton-era FBI director Louis Freeh echoed a day later.

Other topics of discussion at the RSA conference included cyberattacks by foreign governments--a Wall Street Journal report on Tuesday said some sensitive files related to the Pentagon's Joint Strike Fighter Project had been electronically viewed--and the recent Conficker worm.

On Tuesday, Robert Lentz, chief information assurance officer for the Department of Defense, said the agency is attempting to protect 15,000 networks, 7 million computers, and 1.1 billion Defense Department Internet users worldwide. There are 360 million probes targeted at Defense Department networks each day, compared to the 1 million probes an average major U.S. bank gets per month, he said.

"2009 is the tipping point," Lentz said. "The reality is the bad guys are going to be in our networks," and officials have to figure out how to best detect and contain the threats, he said.

High-level officials understand the seriousness of cyberthreats and understand that "airplanes can't fly if the network is down," he said. "The biggest challenge is turning geek-speak into things they can understand."

The department has a lot of work to do to change the network protection policy from one based on bolting together disparate security tools to one where protective tools are interoperable and integrated, according to Lentz.

Within the next week or so the agency expects to have an identity assurance strategy that will include biometrics for authenticating identity of network users and identification of devices like routers and switches, he said.

Asked after his talk if he believed reports that Chinese cyber spies had infiltrated the department's network, Lentz said "probably."

CNET's Elinor Mills contributed to this report.

The U.S. Senate is investigating allegations by two National Security Agency whistleblowers who have described widespread monitoring of innocuous telephone conversations by the Bush administration's clandestine program.

The reports fill in some details about how the NSA's program works in practice. The two whistleblowers, Adrienne Kinne and David Murfee Faulk, are former military linguists who worked for a secretive NSA operation they say routinely intercepted phone calls of U.S. military officers, American journalists, American aid workers, and others who were calling home from abroad.

The two ex-military employees came forward independently and spoke to ABC News and journalist Jim Bamford for his book on the NSA called The Shadow Factory that's due out next week.

Jay Rockefeller, the West Virginia Democrat who heads the Senate Intelligence Committee, on Thursday called the allegations "extremely disturbing" and said there would be an investigation.

If the allegations prove true, that would fly in the face of assertions by President Bush that innocent conversations would never be intercepted.

Bush said in December 2005, after The New York Times published its original article on the government's warrantless wiretapping efforts, that the NSA program would "intercept the international communications of people with known links to al Qaeda and related terrorist organizations. Before we intercept these communications, the government must have information that establishes a clear link to these terrorist networks."

The NSA whistleblowers tell a different story -- including that phone sex conversations were intercepted, recorded, and passed around the office for laughs. "These were just really everyday, average, ordinary Americans who happened to be in the Middle East, in our area of intercept and happened to be making these phone calls on satellite phones," Kinne told ABC News. Faulk said that he listened in on American troops "calling home to the United States, talking to their spouses, sometimes their girlfriends, sometimes one phone call following another."

A pair of extraordinary articles (#1 and #2) published last month in the Washington Post indicate that Bush was kept ill-informed about much of the program by Vice President Cheney and the vice president's staff.

The articles, by Barton Gellman, were excerpted from his new book called Angler: The Cheney Vice Presidency. They describe how Cheney's lawyer, David Addington, and the vice president himself defended the surveillance program, overruled concerns from the Justice Department about the legality of the program -- and came within a hairsbreadth of sparking a mass Justice Department resignation that would have put Richard Nixon's Saturday Night massacre to shame.

What is unclear is Sen. Rockefeller's own role in staying mum about the NSA scheme after being briefed on it. So, to one extent or another, were other Democratic politicians, including Nancy Pelosi and Harry Reid.

Rockefeller wrote a two-page handwritten letter to Cheney on July 17, 2003 -- over a year before the NSA program became public -- saying he had "concerns" about the surveillance. But Rockefeller never did anything beyond that, such as contacting a lawyer, even though the Senate Intelligence committee is officially charged with "vigilant legislative oversight over the intelligence activities of the United States to assure that such activities are in conformity with the Constitution and laws of the United States."

That history could make Rockefeller less than enthusiastic about investigating what truly happened, as Salon's Glenn Greenwald has not so delicately suggested.

We've been down this road before
It should be no surprise that when the NSA (or any government agency) receives broad surveillance powers with scant oversight, they end up being used not to nab al-Qaida members, but to eavesdrop on phone sex conversations between a lonely G.I. and a paramour back home. Video surveillance cameras supposedly designed to let cops catch criminals are used for voyeuristic purposes too.

History echoes this point. In decades past, government agencies have subjected hundreds of thousands of law-abiding Americans to unlawful surveillance, illegal wiretaps and warrantless searches. Eleanor Roosevelt, Martin Luther King Jr., feminists, gay rights leaders, and Catholic priests were spied upon. The FBI used secret files and hidden microphones to blackmail the Kennedy brothers, sway the Supreme Court, and influence presidential elections.

One way that the United States finally put this era behind it in the mid-1970s was to have a Senate committee perform a true independent investigation. It was chaired by Democratic Sen. Frank Church and called the Church Committee. Here are some excerpts from its report:

* The intelligence community engaged in some activities which violated statutory law and the constitutional rights of American citizens.

* Legal issues were often overlooked by many of the intelligence officers who directed these operations.

* On some occasions when agency officials assume, or were told, that a program is illegal, they still permitted it to continue. They justified their conduct in some cases on the ground that the failure of "the enmemy" to play by the rules granted them the right to do likewise, and in other cases on the ground that the "national security" permitted programs that would otherwise be illegal.

* Internal recognition of the illegality or the questionable legality of many of these activities frequently led to a tightening of security rather than to their termination. Partly to avoid exposure and a public "flap," knowledge of these programs was tightly held within the agencies. Special filing procedures were used, and "cover stories" were devised.

* On occasion, intelligence agencies failed to disclose candidly their programs and practices to their own General Counsels, and to Attorneys General, Presidents. and Congress.

* When senior administration officials with a duty to control domestic intelligence activities knew, or had a basis for suspecting, that questionable activities had occurred, they often responded with silence or approval. In certain cases, they were presented with a partial description of a program but did not ask for details, thereby abdicating their responsibility. In other cases, they were fully aware of the nature of the practice and implicitly or explicitly approved it.

Sound familiar? Today, though, the senator heading the modern equivalent of that committee is on record opposing legislation to make it more difficult to snoop on Americans overseas, while endorsing retroactive immunity for telephone companies that illegally opened their networks to the NSA. Alas, Jay Rockefeller is no Frank Church.

The Electronic Frontier Foundation filed a lawsuit Thursday against the Bush administration on behalf of AT&T customers to halt what it called the "massively illegal" warrantless surveillance of Americans' Internet and telephone communications.

In addition to suing the National Security Agency, the nonprofit Internet advocacy group also names President George Bush, Vice President Dick Cheney, Cheney's chief of staff David Addington, and former Attorney General Alberto Gonzales, as well as others.

"For years, the NSA has been engaged in a massive and massively illegal fishing expedition through AT&T's domestic networks and databases of customer records," senior staff attorney Kevin Bankston said in a statement. "Our goal in this new case against the government, as in our case against AT&T, is to dismantle this dragnet surveillance program as soon as possible."

The EFF said the evidence it would present is the same evidence central to a class-action lawsuit it filed in 2006 accusing AT&T of opening up its telecommunications facilities to the NSA for use in spying on the phone calls and e-mails of "millions of ordinary Americans." Such a practice violates free speech and privacy rights spelled out by the U.S. Constitution and also runs afoul of federal wiretapping law, the EFF claimed.

The ACLU won a brief victory in a similar case filed against the NSA when a federal judge ruled in 2006 that the NSA's surveillance program "ran roughshod" over Americans' constitutional rights Americans and violated federal wiretapping law. However, the 6th U.S. Circuit Court of Appeals dismissed the suit in 2007 on narrow procedural grounds without addressing the legality of the program. The suit effectively died earlier this year when the U.S. Supreme Court declined to intervene in an appeal.

In July, the Senate approved a bill that would rewrite federal wiretap laws by granting retroactive immunity to telecommunications companies as long as the government claims the request was "lawful" and authorized by the president.

After the EFF's 2006 lawsuit was filed, reports of a secret room in an AT&T building in San Francisco surfaced and have become central to the nonprofit group's litigation.

Although EFF's lawsuit was filed before allegations about the room surfaced, reports of its existence have become central to the nonprofit group's attempts to prove AT&T opened its network to the NSA. Former AT&T employee Mark Klein released documents in 2006 alleging the company spliced its fiber optic cables and ran a duplicate set of cables to Room 641A at its 611 Folsom Street building.

The deleted portions of a legal brief accidentally released in 2006 sought to offer benign reasons why AT&T would allegedly have a secret room at its downtown San Francisco switching center that would be designed to monitor Internet and telephone traffic. (AT&T has publicly neither confirmed nor denied cooperating with the National Security Agency.)

Initial details of the surveillance program surfaced in late 2005 in a Los Angeles Times article that quoted an unnamed source as saying the NSA has a "direct hookup" into an AT&T database that stores information about all domestic phone calls, including how long they lasted.

A United Nations agency is quietly drafting technical standards, proposed by the Chinese government, to define methods of tracing the original source of Internet communications and potentially curbing the ability of users to remain anonymous.

The U.S. National Security Agency is also participating in the "IP Traceback" drafting group, named Q6/17, which is meeting next week in Geneva to work on the traceback proposal. Members of Q6/17 have declined to release key documents, and meetings are closed to the public.

The potential for eroding Internet users' right to remain anonymous, which is protected by law in the United States and recognized in international law by groups such as the Council of Europe, has alarmed some technologists and privacy advocates. Also affected may be services such as the Tor anonymizing network.

"What's distressing is that it doesn't appear that there's been any real consideration of how this type of capability could be misused," said Marc Rotenberg, director of the Electronic Privacy Information Center in Washington, D.C. "That's really a human rights concern."

Nearly everyone agrees that there are, at least in some circumstances, legitimate security reasons to uncover the source of Internet communications. The most common justification for tracebacks is to counter distributed denial of service, or DDoS, attacks.

But implementation details are important, and governments participating in the process -- organized by the International Telecommunication Union, a U.N. agency -- may have their own agendas. A document submitted by China this spring and obtained by CNET News said the "IP traceback mechanism is required to be adapted to various network environments, such as different addressing (IPv4 and IPv6), different access methods (wire and wireless) and different access technologies (ADSL, cable, Ethernet) and etc." It adds: "To ensure traceability, essential information of the originator should be logged."

The Chinese author of the document, Huirong Tian, did not respond to repeated interview requests. Neither did Jiayong Chen of China's state-owned ZTE Corporation, the vice chairman of the Q6/17's parent group who suggested in an April 2007 meeting that it address IP traceback.

A second, apparently leaked ITU document offers surveillance and monitoring justifications that seem well-suited to repressive regimes:

Steve Bellovin

(Credit: Declan McCullagh/mccullagh.org)

A political opponent to a government publishes articles putting the government in an unfavorable light. The government, having a law against any opposition, tries to identify the source of the negative articles but the articles having been published via a proxy server, is unable to do so protecting the anonymity of the author.

That document was provided to Steve Bellovin, a well-known Columbia University computer scientist, Internet Engineering Steering Group member, and Internet Engineering Task Force participant who wrote a traceback proposal eight years ago. Bellovin says he received the ITU document as part of a ZIP file from someone he knows and trusts, and subsequently confirmed its authenticity through a second source. (An ITU representative disputed its authenticity but refused to make public the Q6/17 documents, including a ZIP file describing traceback requirements posted on the agency's password-protected Web site.)

Bellovin said in a blog post this week that "institutionalizing a means for governments to quash their opposition is in direct contravention" of the U.N.'s own Universal Declaration of Human Rights. He said that traceback is no longer that useful a concept, on the grounds that few attacks use spoofed addresses, there are too many sources in a DDoS attack to be useful, and the source computer inevitably would prove to be hacked into anyway.

Another technologist, Jacob Appelbaum, one of the developers of the Tor anonymity system, also was alarmed. "The technical nature of this 'feature' is such a beast that it cannot and will not see the light of day on the Internet," Appelbaum said. "If such a system was deployed, it would be heavily abused by precisely those people that it would supposedly trace. No blackhat would ever be caught by this."

Jacob Appelbaum

(Credit: Declan McCullagh/mccullagh.org)

Adding to speculation about where the U.N. agency is heading are indications that some members would like to curb Internet anonymity more broadly:

•  An ITU network security meeting a few years ago concluded that anonymity should not be permitted. The summary said: "Anonymity was considered as an important problem on the Internet (may lead to criminality). Privacy is required but we should make sure that it is provided by pseudonymity rather than anonymity."

•  A presentation in July from Korea's Heung-youl Youm said that groups such as the IETF should be "required to develop standards or guidelines" that could "facilitate tracing the source of an attacker including IP-level traceback, application-level traceback, user-level traceback." Another Korean proposal -- which has not been made public -- says all Internet providers "should have procedures to assist in the lawful traceback of security incidents."

•  An early ITU proposal from RAD Data Communications in Israel said: "Traceability means that all future networks should enable source trace-back, while accountability signifies the responsibility of account providers to demand some reasonable form of identification before granting access to network resources (similar to what banks do before opening a bank accounts)."

Multinational push to curb anonymous speech
By itself, of course, the U.N. has no power to impose Internet standards on anyone. But U.N. and ITU officials have been lobbying for more influence over the way the Internet is managed, most prominently through the World Summit on the Information Society in Tunisia and a followup series of meetings.

The official charter of the ITU's Q6/17 group says that it will work "in collaboration" with the IETF and the U.S. Computer Emergency Response Team Coordination Center, which could provide a path toward widespread adoption -- especially if national governments end up embracing the idea.

Patrick Bomgardner, the NSA's chief of public and media affairs, told CNET News on Thursday that "we have no information to provide on this issue." He would not say why the NSA was participating in the process (and whether it was trying to fulfill its intelligence-gathering mission or its other role of advancing information security).

Toby Johnson, a communications officer with the ITU's Telecommunication Standardization Bureau in Geneva, also refused to discuss Q6/17. "It may be difficult for experts to comment on what state deliberations are in for fear of prejudicing the outcome," he said in an e-mail message on Thursday.

When asked about the impact on Internet anonymity, Johnson replied: "I am not fully acquainted with this topic and therefore not qualified to provide an answer." He said that he expects that any final ITU standard would comport with the U.N.'s Universal Declaration of Human Rights.

It's unclear what happens next. For one thing, the traceback proposal isn't scheduled to be finished until 2009, and one industry source stressed that not all members of Q6/17 are in favor of it. The five "editors" are: NSA's Richard Brackney; Tian Huirong from China's telecommunications ministry; Korea's Youm Heung-Youl; Cisco's Gregg Schudel; and Craig Schultz, who works for a Japan-based network security provider. (In keeping with the NSA's penchant for secrecy, Brackney was the lone ITU participant in a 2006 working group who failed to provide biographical information.)

In response to a question about the eventual result, Schultz, one of the editors, replied: "The long answer is, as you can probably imagine, this subject can get a little 'tense.' The main issue is the protection of privacy as well as not having to rely on 'policy' as part of a process. A secondary issue is feasibility and cost versus benefit." He said a final recommendation is at least a year off.

Another participant is Tony Rutkowski, Verisign's vice president for regulatory affairs and longtime ITU attendee, who wrote a three-page summary for IP traceback and a related concept called "International Caller-ID Capability."

In a series of e-mail messages, Rutkowski defended the creation of the IP traceback "work item" at a meeting in April, and disputed the legitimacy of the document posted by Bellovin. "The political motivation text was not part of any known ITU-T proposal and certainly not the one which I helped facilitate," he wrote.

Rutkowski added in a separate message: "In public networks, the capability of knowing the source of traffic has been built into protocols and administration since 1850! It's widely viewed as essential for settlements, network management, and infrastructure protection purposes. The motivations are the same here. The OSI Internet protocols (IPv5) had the capabilities built-in. The ARPA Internet left them out because the infrastructure was a private DOD infrastructure."

Because the Internet Protocol was not designed to be traceable, it's possible to spoof addresses -- both for legitimate reasons, such as sharing a single address on a home network, and for malicious ones as well. In the early part of the decade, a flurry of academic research focused on ways to perform IP tracebacks, perhaps by embedding origin information in Internet communications, or Bellovin's suggestion of occasionally automatically forwarding those data in a separate message.

If network providers and the IETF adopted IP traceback on their own, perhaps on the grounds that security justifications outweighed the harm to privacy and anonymity, that would be one thing.

But in the United States, a formal legal requirement to adopt IP traceback would run up against the First Amendment. A series of court cases, including the 1995 decision in McIntyre v. Ohio Elections Commission, provides a powerful shield protecting the right to remain anonymous. In that case, the majority ruled: "Under our Constitution, anonymous pamphleteering is not a pernicious, fraudulent practice, but an honorable tradition of advocacy and of dissent. Anonymity is a shield from the tyranny of the majority."

More broadly, the ITU's own constitution talks about "ensuring the secrecy of international correspondence." And the Council of Europe's Declaration on Freedom of Communication on the Internet adopted in 2003 says nations "should respect the will of users of the Internet not to disclose their identity," while acknowledging law enforcement-related tracing is sometimes necessary.

"When NSA takes the lead on standard-setting, you have to ask yourself how much is about security and how much is about surveillance," said the Electronic Privacy Information Center's Rotenberg. "You would think (the ITU) would be a little more sensitive to spying on Internet users with the cooperation of the NSA and the Chinese government."

A series of statements about immunizing telecommunications companies that violated federal wiretapping laws have become something of an embarrassment, and perhaps even a problem, for John McCain's presidential campaign.

The statements revolve around whether McCain, like President Bush, supports legislation that could be voted on this month extending retroactive immunity to those companies and perhaps many more. The problem for the onetime captain of the Straight Talk Express is that his varying statements at different times are starting to seem -- dare we say it? -- almost Clintonian.

John McCain (left) meets with President Bush on March 5. In endorsing McCain's presidential bid, Bush said "he's not going to change when it comes to taking on the enemy. He understands this is a dangerous world."

(Credit: White House photo by Chris Greenberg)

When news about the National Security Agency's warrantless wiretapping program became public years ago, McCain was critical of it. McCain told the Associated Press that he wanted to know more about the program but "theoretically, I obviously wouldn't like it." He agreed with Matt Lauer on The Today Show that "it is up to a court of law to find out if someone broke the law here and where punishment should be handed out."

That seems pretty clear. In 2005, at least, McCain was in favor of letting the courts decide whether AT&T and other telecos violated the law.

Last fall, while preparing our Tech Voter's Guide, we asked McCain point-blank whether he would support the bill (S.2248) providing retroactive immunity. On November 30, 2007 McCain sent us this response via e-mail:

Every effort in this struggle and other efforts must be done according to American principles and the rule of law. When companies provide private records of Americans to the government without proper legal subpoena, warrants, or other legal orders, their heart may be in the right place, but their actions undermine our respect for the law.

I am also a strong supporter of protecting the privacy of Americans. The issues raised by S.2248, and the events and actions by all parties that preceded it, reach to the core of our principles. They merit careful and deliberate consideration, fact-finding, and exploration of options. That process should be allowed to proceed before drawing conclusions that may prove to be premature.

If retroactive immunity passes, it should be done with explicit statements that this is not a blessing, there should be oversight hearings to understand what happened, and Congress should include provisions that ensure that Americans' private records will not be dealt with like that again.

A few weeks later, McCain told the Boston Globe this: "I think that presidents have the obligation to obey and enforce laws that are passed by Congress and signed into law by the president, no matter what the situation is."

What McCain told us isn't exactly what he told the Globe. But the import of the two statements is that the Arizona Republican either flatly opposes retroactive immunity -- or is severely critical of it and would only vote for it only if there are oversight hearings and "explicit statements" and "provisions" that it won't happen again.

As I've written before, when McCain sent us that e-mail, Zogby polls gave him a mere 8 or 9 percent of the vote nationally, behind Rudy Giuliani, Fred Thompson, and Mike Huckabee, and at best tied with Mitt Romney.

A change of heart?
But after McCain became the all-but-official nominee, his political principles appear to have become more malleable. He voted in February for retroactive immunity -- even though there were no explicit statements telling AT&T and other telecommunications companies that this is not a "blessing." There were no deals providing for "oversight hearings." And there certainly were no "provisions" to ensure this won't happen again.

Our story may have ended there. Except that campaign representative Chuck Fish (not an actual campaign lawyer, as has been incorrectly reported, but a surrogate) subsequently suggested that his candidate still wanted "hearings," which The Washington Post picked up on last week. McCain's campaign fired off a nastygram to the Post saying that their candidate's "position on immunity has not changed."

Ahead of the New Hampshire primary earlier this year, McCain toured the state in a bus he calls the "Straight Talk Express."

(Credit: Anne Broache/CNET News.com)

Meanwhile, McCain was questioned about his position at a town hall meeting the next day -- he replied that Congress needs to "have hearings" -- which The Wall Street Journal dutifully reported. The fuss became enough to prompt the conservative National Review to begin questioning McCain's the-executive-can-wiretap-as-it-pleases credentials. Salon entered the fray too.

This has become suddenly important -- and timely -- again because a long-running stalemate in Congress over wiretapping, telecom immunity, and the Foreign Intelligence Surveillance Act may be about to end. We reported last week that Congress may vote soon on a bill, and an article on National Journal's Web site on Wednesday said that the House Intelligence Committee's top Democrat has now signed on.

The latest draft of the surveillance law rewrite would effectively pull the plug on lawsuits against telcos, including an important one that the Electronic Frontier Foundation is pursuing against AT&T. It's before the 9th Circuit right now, which seems to be content to wait to rule until Congress figures out what it's going to do.

Thanks to McCain's statements, at least some Democrats are smelling blood. Rep. Robert Wexler of Florida, who is a member of the House Judiciary committee, sent us this statement on Wednesday:

I am appalled by Senator John McCain's reaffirmation of support for the use of warrantless wiretapping on American citizens. Senator McCain has once again chosen to align himself with President George Bush, whose reprehensible spying program on Americans is a grave threat to our Constitutions guarantees of privacy and limited executive power. It is clear that Senator McCain, President Bush, and their Republican allies in Congress will continue to use scare tactics and fear mongering to claim that a president can simply chose to ignore America's laws... Senator McCain opposes a bipartisan House compromise bill that preserves appropriate court review of all surveillance of US citizens and gives judges the discretion to review all the necessary documents related to telecom lawsuits without offering blanket immunity.

From McCain's perspective, this is a perilous topic, especially because Barack Obama has been consistent and clear in saying he opposes retroactive immunity. Obama voted against immunity at the same time McCain voted for it.

If McCain defends his earlier statements, which hinted at reasonable pro-privacy, limited-government instincts, he risks alienating many Republicans who are already suspicious of him because of the McCain-Feingold bill, his opposition to some gun rights, and his votes against the Bush tax cuts.

Conversely, if McCain amends his position, he risks looking like he's flip-flopping, a potent charge that Republicans memorably leveled against John Kerry four years ago. So instead his campaign is insisting, improbably, that their candidate has never changed his mind. Here's an excerpt from the statement that they sent us (the full, unedited version is here):

Senator McCain supports the FISA modernization bill passed by the Senate without qualification. He believes no additional steps should be necessary to secure immunity for the telecoms; both the 109th and 110th Congresses have conducted extensive evaluation and examination of this topic and have satisfied the public's need for appropriate oversight; hearings purportedly designed to "get to the bottom of things" have already occurred; and neither the administration nor the telecoms need apologize for actions that most people, except for the ACLU and the trial lawyers, understand were constitutional and appropriate in the wake of the attacks on September 11, 2001.

One problem with that is it seems to contradict what McCain himself said at the town hall meeting a day or two before, which is that Congress should hold hearings (nowhere did he say the ones that took place already were sufficient).

Yet there's a more important issue here, which is why the neo-cons are pressing McCain to adhere to the Bush administration's line. And that's the administration's theory of the so-called unitary executive, which says that the president's use of military force cannot be reviewed by courts.

McCain's earlier statements -- especially where he says presidents must "obey and enforce laws that are passed by Congress" -- seem to question the administration's interpretation. Beyond wiretapping, that touches on topics such as John Yoo's so-called torture memos, the applicability of the Geneva Convention to detainees, Bush's signing statements, and military commissions. Questioning the justifications for Bush's warrantless wiretapping means questioning the rest; no wonder McCain seems a little worried about where this may lead.

The National Security Agency was once known for its skill in eavesdropping on the world's telephone calls through radio dishes in out-of-the-way places like England's Menwith Hill, Australia's Pine Gap, and Washington state's Yakima Training Center.

Today those massive installations, which listened in on phone conversations beamed over microwave links, are becoming something akin to relics of the Cold War. As more communications traffic travels through fiber links, and as e-mail and text messaging supplant phone calls, the spy agency that once intercepted telegrams is adapting yet again.

Recent evidence suggests that the NSA has been focusing on widespread monitoring of e-mail messages and text messages, recording of Web browsing, and other forms of electronic data-mining, all done without court supervision. Taken together, those activities raise unique privacy and oversight concerns greater than those posed by large-scale monitoring of voice communications.

Documents released last week by a security consultant (PDF) indicate that an unnamed major wireless provider has opened its network to the U.S. government, allowing customers' e-mail, text messaging, and Web use to be monitored. And Assistant Attorney General for National Security Kenneth Wainstein said last week that surveillance of e-mail was the real concern raised by the debate over amending the Foreign Intelligence Surveillance Act.

That led some high-ranking House Democrats, including Energy and Commerce Chairman John Dingell, to circulate a letter (PDF) advising their colleagues to look skeptically at a Republican proposal that would grant retroactive immunity to companies that illegally let the Feds plug into their networks. The Republicans' blanket of retroactive immunity would likely cover e-mail providers, search engines, Internet service providers, and instant-messaging services too.

On Monday, the Wall Street Journal published an article saying that the NSA can, "without a judicial warrant," obtain the Subject line and other header information from e-mail messages, plus information about Web sites visited and queries to search engines. Phone records, credit card usage information, and airline passenger data are also reportedly vacuumed up by the NSA.

"According to current and former intelligence officials, the spy agency now monitors huge volumes of records of domestic emails and Internet searches as well as bank transfers, credit-card transactions, travel and telephone records. The NSA receives this so-called 'transactional' data from other agencies or private companies, and its sophisticated software programs analyze the various transactions for suspicious patterns," the article said.

For its part, the NSA says that it abides by U.S. law. Last week, Donald Kerr, the principal deputy director of national intelligence, blamed critical reports on the NSA's culture of "stand-offishness" and said "we've lost something we never knew we needed until we didn't have it--the support of a grateful nation. The question we have to ask now, and this is something everyone here should help think about, is how do we get it back?"

If the reports are correct, what this transactional-data-dragnet amounts to is a rebuilding of the Defense Department's Total Information Awareness program, which promised to do extensive warrantless data-mining to identify "information signatures" that could identify criminals. After a public outcry, the department renamed it Terrorism Information Awareness; Congress zeroed funding for it in September 2003.

But that law referred only to "the program known either as Terrorism Information Awareness or Total Information Awareness, or any successor program"--leaving the door open, given sufficiently clever lawyering, to a similar program that wasn't quite close enough to be called a "successor" to TIA.

Elements of this data dragnet have been disclosed before. USA Today reported two years ago on how the NSA has been secretly collecting the phone call records of tens of millions of Americans, using data provided by AT&T, Verizon, and BellSouth; the latter two have narrowly denied it. Qwest reportedly was approached but rejected the request.

A survey CNET News.com published in February 2006 asked the major telecommunications and Internet companies this question: "Have you turned over information or opened up your networks to the NSA without being compelled by law?" AT&T, Adelphia, Google, Level 3, Verizon, and Yahoo would not answer the question; the rest said they had not.

A subsequent article by Seymour Hersh in the New Yorker said the NSA had returned to "intercepting large numbers of electronic communications made by Americans"--the same kind of legally dubious tactic that led to the Foreign Intelligence Surveillance Act being enacted in 1978.

FISA reinforced the notion that the NSA could conduct widespread surveillance of foreigners, but specified that a court order (or authorization from the attorney general) was needed to spy on American citizens. That means the world's largest intelligence agency is, legally speaking, on very shaky ground when operating its e-mail/text-messaging/Web-site-visiting/search-term dragnet.

The Electronic Frontier Foundation's Kurt Opsahl posted a stinging critique of the data-dragnet's legality. Here are some excerpts from what Opsahl wrote, referring to the Journal article:

The infobox incorrectly asserts that the subject lines of email are not "content," and can be obtained without a warrant... But this is contradicted by the Department of Justice's own 2002 Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations manual, which states that "the subject headers of e-mails are also contents."

The infobox incorrectly asserts that the NSA can review "[s]ites visited and searches conducted" without a warrant. "According to current and former intelligence officials, the spy agency now monitors huge volumes of records of ... Internet searches." "The [NSA's] haul can include ... records of Internet browsing." To the contrary, courts have held that search terms are "content" within the meaning of the Electronic Communications Privacy Act.

The infobox asserts that the NSA can get cellphone location data without a warrant. "The information [obtained by the NSA] can give such transactional information as a cellphone's location..." The issue of obtaining cell phone location information has been contentious for some time, but the vast weight of judicial interpretation is that a probable cause warrant is required.

If you get the feeling that a lot of this depends on a set of legal definitions that the NSA would like to keep as fuzzy and ambiguous as possible, you're probably right.

One thing the recent disclosures are likely to do is put the Bush administration on the defensive, which will happen just as Congress is preparing to vote on extending retroactive immunity to telecommunications companies. It has looked likely to pass if the House Democratic leadership had held an up-or-down vote; the Senate already approved its version by a 68-29 margin.

Add in FBI Director Robert Mueller's acknowledgment last week of additional surveillance abuses, and his admission that retroactive immunity may not be all that necessary, and retroactive immunity looks a lot less compelling a prospect than it did a week ago. Then again, the NSA didn't need it to create an electronic dragnet in the first place.

A shadowy federal court that meets behind closed doors to hear wiretapping requests says it won't publicly release even portions of its rulings.

In response to a formal request from the ACLU, the Foreign Intelligence Surveillance Court said on Tuesday that it won't divulge the abridged text of the orders dealing with the Bush administration's eavesdropping scheme on grounds that it could endanger national security.

The 24-page opinion (PDF) disagreed with the Bush administration's suggestion that the ACLU's request be necessarily dismissed out of hand. But after considering the request, the court rejected it on grounds that the public enjoys no general (or First Amendment-based) right of access to its proceedings under the Foreign Intelligence Surveillance Act.

The opinion is noteworthy for two other reasons: It is the first time that anyone except the U.S. Department of Justice has argued, even in writing, before the court. Second, it's only the third time in the history of the court that an opinion has been released publicly.

Here's an excerpt from Tuesday's opinion:

The ACLU acknowledges that there is no tradition of public access to FISC orders. The ACLU argues, nonetheless, that the orders at issue here are distinguishable because they are "of broader significance and include legal analysis and legal rulings concerning the meaning of FISA."

Even assuming that it is proper to apply the "experience" test to a narrow subset of FISC decisions of broad legal significance, however, the FISC has, in fact, issued other legally significant decisions that remain classified and have not been released to the public (although, in fairness to the ACLU, it has no way of knowing this).

Thus, the FISC is not a court whose place or process has historically been open to the public, and the ACLU Motion does not satisfy the experience test for a First Amendment right of access.

The Bush administration has released formerly classified documents that show how it is pressing Congress to rewrite surveillance law and immunize telecommunications companies from lawsuits.

What's also interesting about the documents, which were released in response to the Freedom of Information Act on Monday, is how much is redacted. Entire pages have been excised, in one case leaving only two paragraphs visible.

A few highlights from the the files (1 and 2) obtained by the Electronic Frontier Foundation after a court battle:

• Pages 6-8 of file 1: National Intelligence Director Mike McConnell told Congress three months ago that surveillance red tape required intelligence agencies to wait 12 hours to tap an Iraqi phone number--a claim that already has been called into question.

These documents give a detailed timeline that doesn't exactly jibe with what McConnell claimed. They say that the the NSA notified the Justice Department at 12:53 p.m. on May 15 that it believed it had the authorization to conduct domestic eavesdropping in this situation. The Justice Department received a formal request at 5:15 p.m. Because Attorney General Alberto Gonzales was traveling, he was not able to authorize it until 7:18 p.m. That's not exactly 12 hours.

• Page 35 of file 1: McConnell argues in a "TOP SECRET" document that retroactive immunity for AT&T and other telecommunications companies is necessary: "It is equally critical that private entities that are alleged to have assisted the (intelligence community) in preventing further attacks on the United States be insulated from liability for doing so."

So that's all the nation's top spook is willing to say in a "TOP SECRET" document? Maybe "TOP SECRET" classifications are like U.S. dollars: They used to be worth a lot more than they are today.

• Pages 59-64 of file 1: In a kind of governmental FAQ, the National Security Agency claims that its "minimization procedures" that limit electronic eavesdropping of U.S. citizens protect Americans' privacy rights. If the NSA is targeting a foreigner overseas, it says, its eavesdroppers will take extra precautions.

The NSA says, however, that it is "not reasonable to impose time limits" on when it should "drop that individual"--a U.S. citizen inside the United States--as a person of interest. It also objects to enshrining those internal procedures in law, claiming it would "be difficult to change" if necessary.

• Page 6 of file 2: The Office of the Director of National Intelligence has located a "telephone message slip that contains the handwritten personal notes" from an employee. It's being withheld under FOIA on four separate grounds--including that it's been classified.

A federal judge has ordered the Bush administration to divulge documents related to immunizing telecommunications companies from lawsuits, saying they illegally opened their networks to the National Security Agency.

U.S. District Judge Susan Illston in San Francisco gave the Office of the Director of National Intelligence until November 30 (Friday) to turn over documents relating to conversations it had with Congress and telecommunications carriers about how to rewrite wiretapping laws.

The Electronic Frontier Foundation had filed this case to seek faster processing of a Freedom of Information Act request it filed, which could help buttress its ongoing lawsuit against AT&T. There are approximately 250 pages of unclassified material and 65 pages of classified material, which would be redacted, that the administration has identified but said could not be turned over until December 31.

Note that Illston's order doesn't deal with the NSA's wiretapping program itself (how it works, what companies are involved, whether there really is a secret room at AT&T's 611 Folsom Street location). Instead the documents relate only to conversations and communications about retroactive immunity for companies like AT&T that are accused of violating the law.

Note also that if AT&T and other telecommunications companies followed the law, no retroactive immunity is necessary. Because AT&T and the Bush administration are supporting such a legal shield, you can draw your own conclusions about what's really going on.

The Friday deadline means that the documents will likely be available in time to influence congressional debate over amending the Foreign Intelligence Surveillance Act. Some FISA amendments expire in February 2008, which means that Congress is likely to return to the topic soon.

The House of Representatives rejected retroactive immunity on November 16. The Senate Judiciary Committee seemed to like the idea of immunity, but the debate is expected to resume on the Senate floor next month.