Politics and Law

April 25, 2008 12:25 PM PDT

FBI's Net surveillance proposal raises privacy, legal concerns

by Declan McCullagh

The FBI director and a Republican congressman sketched out a far-reaching plan this week for warrantless surveillance of the Internet.

During a House of Representatives Judiciary Committee hearing, the FBI's Robert Mueller and Rep. Darrell Issa of California talked about what amounts to a two-step approach. Step 1 involves asking Internet service providers to open their networks to the FBI voluntarily; step 2 would be a federal law forcing companies to do just that.

Both have their problems, legal and practical, but let's look at step 1 first. Issa suggested that Internet providers could get "consent from every single person who signed up to operate under their auspices" for federal police to monitor network traffic for attempts to steal personal information and national secrets. Mueller said "legislation has to be developed" for "some omnibus search capability, utilizing filters that would identify the illegal activity as it comes through and give us the ability to pre-empt" it.

These are remarkable statements. The clearest reading of them points to deep packet inspection of network traffic--akin to what Phorm in the United Kingdom has done, in terms of advertising--plus additional processing to detect and thwart any "illegal activity." (See the complete transcript here.)

"That's very troubling," said Greg Nojeim, director of the project on freedom, security, and technology at the Center for Democracy and Technology. "It could be an effort to achieve, through unknowing consent, permission to monitor communications in a way that would otherwise be prohibited by law."

Unfortunately, neither Issa nor Mueller recognized that such a plan is probably illegal. California law, for instance, says anyone who "intentionally and without the consent of all parties to a confidential communication" conducts electronic surveillance shall be imprisoned for one year. (I say "probably illegal" because their exchange didn't offer much in the way of details.)

"I think there's a substantial problem with what Mueller's proposing," said Al Gidari, a partner at the Perkins Coie law firm who represents telecommunications providers. "He forgets the states have the power to pass more restrictive rules, and 12 of them have. He also forgets that we live in a global world, and the rest of the world doesn't quite see eye to eye on this issue. That consent would be of dubious validity in Europe, for instance, where many of our customers reside."

For its part, the FBI isn't talking. After we made repeated attempts to get the bureau to explain what Mueller was talking about, FBI spokesman Paul Bresson responded by saying, "At this point, I'm going to let the director's comments, in the context of the exchange with Rep. Issa, speak for themselves."

What step 1 appears to involve is persuading Internet providers to amend their terms of service and insert an FBI-can-monitor-everything clause. Informed consent is one thing. But does anyone actually read the fine print on their contracts with their broadband or wireless provider? If not, is that fine print good enough?

Informed consent is important because of the wording of the Electronic Communications Privacy Act, or ECPA, which says providers may share the contents of customers' communications only "with the lawful consent" of the user. Otherwise, providers are breaking the law and can be sued for damages. And without consent, the FBI would bump up against the Fourth Amendment's prohibition on unreasonable searches.

Originally, Congress seemed to take a liberal view of what constituted "lawful consent." When ECPA was enacted in 1986, a House committee report said "consent may be inferred from a course of dealing," and if "those rules are available to users," consent can be implied.

But that was written way back in the early, pre-Internet days of Compuserve and bulletin board systems. More recently, courts have interpreted ECPA more strictly.

The 2003 In Re Pharmatrak decision from the U.S. Court of Appeals for the 1st Circuit offers one useful measuring stick. The court ruled in a case involving Web tracking "that it makes more sense to place the burden of showing consent on the party seeking the benefit of the exception." The judges approvingly cited a second case, which said "consent can only be implied when the surrounding circumstances convincingly show that the party knew about and consented to the interception."

The Federal Trade Commission, too, has taken a relatively strict view of informed consent. In its lawsuit filed against Odysseus Marketing, the FTC argued that it was unlawful for a company not "to adequately disclose" to customers that it was sharing information with third parties. The case ended in a settlement.

Translation: Obtaining "lawful consent" for FBI monitoring means making sure that your customers actually know what's going on and agree. Hiding it in the terms of service doesn't qualify.

But assume that the FBI can persuade Internet providers to include a prominent notice in every monthly bill, or some other mechanism that would be legally sufficient. Another problem is that even if the person who pays the bills consents to monitoring, other people may use the connection--think homes with open wireless connections. ECPA's legal protections follow individual people, not customer accounts.

Rewriting U.S. surveillance laws
Because the FBI would run into serious problems doing wide-scale Internet surveillance under existing state and federal law, step 2 may be necessary. That means rewriting U.S. surveillance law.

Issa said he wants to "craft" legislation that would give the FBI the power to look "for those illegal activities, and then act on those, both defensively and, either yourselves or certainly other agencies, offensively in order to shut down a crime in process." He worried about "national-security secrets and just the common information of private individuals" being at risk. In his response, Mueller said he wants Congress to "give us the ability to pre-empt that illegal activity."

"Looking for" a crime in process on the Internet can take multiple paths. If it's a denial-of-service attack against eBay or Amazon.com originating from Russian servers, it can be detected by measuring the amount of traffic without inspecting the contents of each packet. But to detect fraud and "national-security secrets," as well as personal information being transferred, deep packet inspection would be necessary--roughly on a scale of the Great Firewall of China.
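The distinction drawn above, between volume-based detection and content inspection, is easy to see in code. The following is an added example, not code from the article or from any agency or provider it mentions: a small detector that flags a flood toward a server using only flow metadata (timestamps, addresses, byte counts) over constructed flow records. The addresses are from documentation ranges and the flows are made up; the point is that the `Flow` record has no payload field at all, so nothing resembling deep packet inspection is needed, and conversely that nothing here could recognise fraud or a leaked secret.

```python
"""Added example (not from the CNET article): illustrates the article's
distinction between detecting a volumetric denial-of-service attack from
traffic *metadata* alone and detecting content-based offences, which would
require reading payloads. All flow records below are constructed."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """Header-level summary of one flow. There is deliberately no payload
    field: everything the detector uses is visible without packet inspection."""
    ts: int          # seconds since start of observation
    src: str         # source address (constructed, TEST-NET / RFC 1918 ranges)
    dst: str         # destination address
    byte_count: int


SHOP = "203.0.113.10"   # constructed "web shop" address
MAIL = "203.0.113.25"   # constructed "mail server" address

# Constructed sample: 180 s of steady background traffic to both servers,
# then a flood toward SHOP from many distinct sources during 120-179 s.
SAMPLE_FLOWS = (
    [Flow(t, f"10.0.0.{t % 5 + 1}", SHOP, 1_500) for t in range(0, 180, 2)]
    + [Flow(t, f"10.0.1.{t % 7 + 1}", MAIL, 2_000) for t in range(0, 180, 3)]
    + [Flow(t, f"198.51.100.{t % 60 + 1}", SHOP, 20_000) for t in range(120, 180)]
)


def bytes_per_window(flows, window=30):
    """Sum bytes per (destination, window index) using header fields only."""
    totals = defaultdict(int)
    for f in flows:
        totals[(f.dst, f.ts // window)] += f.byte_count
    return dict(totals)


def detect_volume_anomalies(flows, window=30, factor=4.0):
    """Return (dst, window, bytes) for windows whose volume exceeds `factor`
    times that destination's median window volume. Nothing here looks at
    content, which is why this works for floods but not for fraud or leaked
    secrets."""
    per_dst = defaultdict(list)
    for (dst, w), total in bytes_per_window(flows, window).items():
        per_dst[dst].append((w, total))
    alerts = []
    for dst, series in per_dst.items():
        volumes = sorted(v for _, v in series)
        median = volumes[len(volumes) // 2]
        for w, total in sorted(series):
            if total > factor * median:
                alerts.append((dst, w, total))
    return alerts


if __name__ == "__main__":
    for dst, w, total in detect_volume_anomalies(SAMPLE_FLOWS):
        print(f"volume anomaly: {dst} window {w} ({total:,} bytes)")
```

Run stand-alone, the script reports the two 30-second windows in which the constructed flood lands; the mail server's steady traffic produces nothing. A per-destination median baseline is used rather than a fixed threshold so that a busy server is not flagged simply for being busy.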

Needless to say, detecting "illegal activity" would soon be extended to copyright infringement and peer-to-peer networks. Under the No Electronic Theft Act, swapping music or video files is a federal crime, if the total value of the files exceeds $1,000. If the value tops $2,500, the penalties jump up to not more than five years in prison. And as Jammie Thomas found out last year, allegedly sharing 24 files can lead to $222,000 in civil penalties.

"I think you bump squarely into the Fourth Amendment when you get into the required waiver of constitutional protections to use a service," said Gidari, the attorney at Perkins Coie. "Why don't we extend it to include not criticizing the government? Which right is next? 'You may use our service, as long as you don't disparage Verizon?' Why not that one?...You've still got to have, at the end of the day, a constitutionally supportable legal process to get access to anyone's communications. This cannot be an end run around that."

The problem of how to "shut down a crime in process" and "pre-empt that illegal activity" is more difficult and, perhaps, more worrisome.

Here's what Kurt Opsahl, a senior staff attorney at the Electronic Frontier Foundation in San Francisco, had to say when I asked him to read the transcript of Wednesday's hearing:

It certainly is Mueller's responsibility to explain what it is that he's looking for. But it seems that he's saying, essentially, that the surveillance society is the best society. A society in which the government has complete information about illegal activities and is able to enforce that. Throughout our country's existence, we've lived in a society where the government doesn't have perfect information.

Is (Mueller) suggesting that there's a search capability using filters that would identify an infringing work and fail to deliver a message containing that work? Is that the choke point? If that is the case, how can that be done well? How about fair uses? How will the government tell whether a copyrighted work is sent pursuant to a license? Will it have a centralized database of licenses? How does he propose to have this work, so it only identifies illegal activities and doesn't overly choke?

The FBI has some obligation to explain: what is it going to focus on here? Once you have the technology in place, will it then be used for more and more?

If you thought the tussles over Net neutrality were heated before, imagine a broadband provider throttling certain applications--and being able to blame that throttling capability on law enforcement. At the very least, it would be a wonderful excuse.

Which is why it's a shame, and somewhat troubling, that the FBI has chosen not to say what its director is proposing (and apparently will be working with Congress to write into law).

Odds of FBI-filtering legislation: Zero?
One possible germ for this Internet-monitoring idea lies in Homeland Security's so-called Einstein program, which is designed to monitor Internet mischief and network disruptions aimed at federal agencies. Not much about Einstein is public, but a privacy impact assessment offers some details.

Homeland Security Spokeswoman Laura Keehner said in a telephone interview that the primary focus of Einstein at the moment is protecting federal-government networks. "Obviously, the FBI could clarify or elaborate on what they said," Keehner said. "I do know that (from Homeland Security's perspective) we now first need to get our .gov in order. We need to concentrate on our federal networks...We're also bringing in the private sector to open those lines of discussion and figure out ways that the private sector can better equip themselves to stop any cyberincursions."

Another possibly related effort is the Bush administration's so-called Cyber Initiative. In January, President Bush signed a pair of secret orders--National Security Presidential Directive 54/Homeland Security Presidential Directive 23--that apparently deal with detecting and preventing Internet disruptions. Issa is a member of the House Intelligence Committee, which held a closed-door hearing on Thursday devoted to the Cyber Initiative--and, during the exchange with Mueller a day earlier, he said his monitoring idea was related.

The House Intelligence committee didn't want to talk. But a representative of the House Homeland Security committee chaired by Rep. Bennie Thompson (D-Miss.) sent us three bullet points in an e-mail message:

1. Chance of a legislative initiative that would allow FBI to place filters to identify illegal activity at choke points on the .com space: 0

2. We still have concerns and questions about the initiative, and we continue to do oversight.

3. Legislation is not being considered for any of the new proposals, outside of the budget requests made by the administration.

Point No. 3 seems to relate to the administration's 2009 budget request, which asks Congress for $293.5 million to expand Einstein to the entire federal government.

The Senate Homeland Security and Governmental Affairs Committee, which is headed by Joe Lieberman of Connecticut, also held a classified hearing last month on the administration's Cyber Initiative.

But a committee aide told us, "The idea of filtering for criminal activity has never been discussed with us. Nor has any new statutory authority been discussed. In fact, the administration explicitly said it didn't need any legislation. Furthermore, the idea of monitoring nongovernment domains has never been proposed in briefings the committee has received."

It's true that, at least in the current political climate, legislation of the sort Issa wants to draft isn't likely to slide through Congress unopposed.

Still, it's worth keeping in mind that the FBI has a recent, and not very flattering, history of trying to expand the scope of surveillance methods. Bureau agents used so-called exigent letters to obtain records from telephone companies, claiming that an emergency situation existed.

In reality, there was often no emergency at all. The Justice Department's inspector general found similar abuses of national-security letters. The FBI also tried to bypass the Foreign Intelligence Surveillance Court when it denied requests to obtain records.

Perhaps Mueller can provide a convincing argument for why laws giving the FBI "omnibus search capability utilizing filters that would identify the illegal activity" would be wise. Perhaps not. But when politicians weigh the idea of trusting the FBI with such broad and unprecedented authority, they should consider the abuses that have already taken place with far less powerful tools.

CNET News.com's Anne Broache contributed to this report.

April 23, 2008 5:57 PM PDT

Transcript: FBI director on surveillance of 'illegal' Internet activity

by Declan McCullagh

When the FBI suggested that it should be able to perform wide-scale Internet monitoring to detect "illegal activity" on Wednesday, the bureau raised more questions than it answered.

To help clear things up, we're providing the transcript of FBI Director Robert Mueller's exchange at a House of Representatives hearing with Rep. Darrell Issa, a California Republican. Issa made his fortune by founding Directed Electronics, a publicly traded company that sells car alarms and home theater loudspeakers.

Issa also is a member of the House Intelligence Committee, which is holding a closed hearing on Thursday devoted to the Bush administration's so-called Cyber Initiative. In January, President Bush signed a pair of secret orders--National Security Presidential Directive 54/Homeland Security Presidential Directive 23--that apparently deal with detecting and preventing Internet disruptions.

Here's the relevant section of the transcript from the House Judiciary hearing on Wednesday:

Rep. Issa: Director, there isn't enough time in five minutes to open and close the subject of the Cyber Initiative, but this committee, in my opinion, is going to be the lead committee on, ah, the actual effectiveness of that initiative. As we both know it's compartmented, highly classified. But I'd like to concentrate just on what laws or changes that you would need from this committee if you were to do the following, and I'll set out a scenario.

If you go into a place and there's a crime actively being committed, let's say there's a bookie joint, and there's tens of thousands of illegal transactions going on every minute. And you know that. And you have proof of that. You don't question your ability to go in and to harvest the fruit of all the activities in there, is that correct?

Mueller: That's correct.

Mueller: With a search warrant, quite honestly.

Rep. Issa: With a search warrant. Today every ISP is being maliciously attacked--this goes beyond the .mils and .govs--but I think that's the important reason that we approach it today. Every ISP is being attacked, maliciously both from in the United States and outside of the United States, by those who want to invade people's privacy.

FBI director Robert Mueller, shown here at Wednesday's hearing, says 'legislation has to be developed' that would 'identify the illegal activity as it comes through and give us the ability to preempt that illegal activity.'

(Credit: Anne Broache/CNET News.com)

But more importantly they want to take control of computers, they want to hack them, they want to steal information. This is also true of the .mils and .govs. Every one of our congressional offices, every day, is under attack.

Every portal leading out of the United States, some of them going in and out of the United States, but talking only about your jurisdiction in the United States. Every portal coming into this country is being attacked by those who would harvest information, both national security secrets and just the common information of private individuals and private individuals.

That crime is going on, every day, on a single entity known as the Internet. What authorities do you need to monitor, looking for those illegal activities, and then act on those, both defensively and, either yourselves or certainly other agencies, offensively in order to shut down a crime in process?

Now, I'm a civil libertarian. I was with Bob Barr arguing some of the elements of the Patriot Act that we still don't agree should have been there. But when I set up the crime scenario, how is it that you're going to get the right to react when today, people would say that if they, if you're addressing an action from an American person, you don't have that right? How are you going to do it, and how can we help you do it appropriately and constitutionally?

Mueller: I think legislation has to be developed that balances on one hand, the privacy rights of the individual who are receiving the information, but on the other hand, given the technology, the necessity of having some omnibus search capability utilizing filters that would identify the illegal activity as it comes through and give us the ability to preempt that illegal activity where it comes through a choke point as opposed to the point where it is diffuse on the Internet.

And it is a question of the legislation catching up to the technology. Understanding that these crimes are being committed every moment. But then identifying our ability to focus on the particular criminal element as it's coming through and preempt that criminal element, whether it be .mil, .gov, .com, whichever network you're talking about.

Rep. Issa: OK, and one follow-up question, or two follow-up questions, because I know we're not going to get it all resolved today. One, can you have someone on your staff designated to work with members of Congress on trying to craft that legislation? I'd appreciate being able to work with that person.

And secondly, and this goes to a legal opinion you may or may not be able to help us with today, but I'd like you to try to work on it. If ISPs or other private entities, a Lockheed Martin on one hand, and my old company, Directed Electronics on the other, if they consented to participation voluntarily in being, in fact, defended in a Cyber Initiative--and that includes ISPs that hypothetically got consent from every single person who signed up to operate under their auspices.

If that consent were granted, do you believe that current laws either can or reasonably easily could be made to protect them? In other words, a voluntary program that would begin allowing federal agencies to counter-attack and to defend on behalf of those who waive current possible restrictions in that sense. And that's probably my most important question to get this committee thinking of.

Mueller: I think that's going to require some thought because an individual company can say "OK, I consent to have somebody protect me." But if the filter is inappropriately placed just protecting that particular company, it may have to be one or two or three institutions or ISPs off, and that's where you would have a problem. Whether it would be, I forget what company you mentioned, but Lockheed Martin saying, "I'm willing for somebody to protect me," but the protection may be two or three companies off. Lockheed Martin has no mechanism in order to affect the company that's two or three off, if you see what I'm getting at.

Rep. Issa: Thank you, and thank you, Mr. Chairman. Hopefully 163.33.33.0 will be protected if they ask to be, whoever they are. (Editor's note: 163.33.33 seems to be an Internet protocol address near San Jose, Calif.)

Rep. Conyers: As you wish, Mr. Issa.

Rep. Issa: Mr. Chairman, I do hope that when we look at the Cyber Initiative, we view ourselves as the primary committee that has to clear the way for appropriate action on behalf of our government, all branches.

Rep. Conyers: (Nods)

April 23, 2008 10:50 AM PDT

FBI, politicos renew push for ISP data retention laws

by Declan McCullagh

FBI director Robert Mueller calls for new federal data retention laws forcing Internet companies to keep records of what their customers are doing, but without providing details. Several politicians endorsed the idea during a hearing on Tuesday.

(Credit: Anne Broache/News.com)

WASHINGTON--The FBI and multiple members of Congress said on Wednesday that Internet service providers must be legally required to keep records of their users' activities for later review by police.

Their suggestions for mandatory data retention revive a push for potentially sweeping federal laws--which civil libertarians oppose--that flagged last year after the resignation of Attorney General Alberto Gonzales, the idea's most prominent proponent.

FBI Director Robert Mueller told a House of Representatives committee that Internet service providers should be required to keep records of users' activities for two years.

"From the perspective of an investigator, having that backlog of records would be tremendously important if someone comes up on your screen now," Mueller said. "If those records are only kept 15 days or 30 days, you may lose the information you may need to bring that person to justice."

Also lending their support for data retention were Rep. Ric Keller, R-Fla., who said that Internet chat rooms were crammed with sexual predators, and Rep. Lamar Smith of Texas, the senior Republican on the House Judiciary committee and a previous data retention enthusiast. Rep. John Conyers, the senior Democrat and chairman, added that any proposed data retention legislation submitted by the FBI "would be most welcome."

ISP snooping time line

In a series of events first reported by CNET News.com, Bush administration officials have lobbied to force Internet providers to keep track of what Americans are doing online:

June 2005: Justice Department officials quietly propose data retention rules.

December 2005: European Parliament votes for data retention of up to two years.

April 14, 2006: Data retention proposals surface in Colorado and the U.S. Congress.

April 20, 2006: Attorney General Gonzales says data retention "must be addressed."

April 28, 2006: Rep. DeGette proposes data retention amendment.

May 16, 2006: Rep. Sensenbrenner drafts data retention legislation, but backs away from it two days later.

May 26, 2006: Gonzales and FBI Director Mueller meet with Internet and telecommunications companies.

February 6, 2007: Rep. Smith introduces bill that would give the Justice Department broad authority to write data retention rules.

"Records retention by ISPs would be tremendously helpful in giving us a historic basis to make a case on a number of child pornographers who use the Internet to push their pornography" or lure children, Mueller said.

Replied Smith: "I think a number of us may well follow up on that suggestion."

An aide to Rep. Smith said in response to questions from News.com that the congressman was offering no details and would not be commenting at this point.

Based on the statements at Wednesday's hearing and previous calls for new laws in this area, the scope of a mandatory data retention law remains fuzzy. It could mean forcing companies to store data for two years about what Internet addresses are assigned to which customers (Comcast said in 2006 that it would be retaining those records for six months).

Or it could be far more intrusive. It could mean keeping track of e-mail and instant-messaging correspondence and what Web pages users visit. Some Democratic politicians have called for data retention laws to extend to domain name registries and Web hosting companies and even social-networking sites. During private meetings with industry officials, FBI and Justice Department representatives have said it would be desirable to force search engines to keep logs--a proposal that could gain additional law enforcement support, but raise additional privacy concerns and potentially conflict with European laws.

Kate Dean, director of the U.S. Internet Service Provider Association, which counts as members AT&T, AOL, Comcast, and Verizon, said in an e-mail message:

Without specifics, it's hard to know what Director Mueller is looking for from industry. The idea of data retention is complex, and Congress will need to examine many issues including which providers would be covered by a retention regime, for what period of time would those organizations be required to keep the data, does the policy idea fit with today's and tomorrow's technologies, and what are the effects on the consumer--what are the potential risks to subscriber privacy and security? US ISPA members have been at the forefront of child protection initiatives with the National Center for Missing and Exploited Children and law enforcement, so we welcome a continued dialogue.

As attorney general until last summer, Gonzales rarely passed up an opportunity to call for data retention. In April 2006, he said Internet providers must retain records for a "reasonable amount of time" and the issue "must be addressed." In September 2006, he added: "This is a national problem that requires federal legislation."

After Gonzales' departure, the Bush administration has been less vocal on lobbying for data retention legislation. During Wednesday's hearing, however, Mueller called for new laws at least three times.

Multiple proposals to mandate data retention have surfaced in the U.S. Congress. One, backed by Rep. Diana DeGette, a Colorado Democrat, said that any Internet service that "enables users to access content" must indefinitely retain records that would permit police to identify each user. Another came from Wisconsin Rep. F. James Sensenbrenner, a close ally of President Bush, and a third was written by Rep. Smith, who endorsed the idea again on Wednesday.

At the moment, Internet service providers typically discard any log file that's no longer required for business reasons such as network monitoring, fraud prevention or billing disputes. Companies do, however, alter that general rule when contacted by police performing an investigation--a practice called data preservation.

A 1996 federal law called the Electronic Communication Transactional Records Act regulates data preservation. It requires Internet providers to retain any "record" in their possession for 90 days "upon the request of a governmental entity."

Because Internet addresses remain a relatively scarce commodity, ISPs tend to allocate them to customers from a pool based on whether a computer is in use at the time. (Two standard techniques used are the Dynamic Host Configuration Protocol and Point-to-Point Protocol over Ethernet.)
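The three paragraphs above describe the record a retention mandate would actually target: because addresses are handed out dynamically, tying an address to a customer requires the lease record that covered the moment in question, and that record exists only as long as the provider keeps it. The following is an added example, not code from the article or from any provider it names, that models this. The lease log is constructed in a simplified syslog-like format (not any vendor's real format), the account identifiers are made up, and the retention window is a parameter so the effect of a 30-day versus a two-year policy on the same lookup can be seen directly.

```python
"""Added example (not from the CNET article): a toy model of the record a
data retention mandate would target. Addresses are leased dynamically (DHCP
or PPPoE), so mapping an address back to a customer needs the lease record
covering the instant in question. The log below is constructed."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed lease log: event time, action, address, account id, lease seconds.
CONSTRUCTED_LEASE_LOG = """\
2008-01-05T08:00:00 DHCPACK ip=198.51.100.7 sub=ACCT-1001 lease=86400
2008-01-06T08:00:00 DHCPRELEASE ip=198.51.100.7 sub=ACCT-1001
2008-01-06T09:15:00 DHCPACK ip=198.51.100.7 sub=ACCT-2042 lease=86400
2008-01-06T09:30:00 DHCPACK ip=198.51.100.8 sub=ACCT-1001 lease=86400
2008-03-01T12:00:00 DHCPACK ip=198.51.100.7 sub=ACCT-3300 lease=86400
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>DHCPACK|DHCPRELEASE) ip=(?P<ip>\S+) sub=(?P<sub>\S+)"
    r"(?: lease=(?P<lease>\d+))?$"
)


@dataclass
class Lease:
    ip: str
    subscriber: str      # account that held the address, not a person
    start: datetime
    end: datetime        # explicit release, or start + lease duration


def _to_dt(value):
    """Accept either a datetime or an ISO-8601 string."""
    return value if isinstance(value, datetime) else datetime.fromisoformat(value)


def parse_leases(log_text):
    """Turn ACK/RELEASE events into closed lease intervals."""
    open_leases, closed = {}, []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable lease line: {line!r}")
        ts, key = _to_dt(m["ts"]), (m["ip"], m["sub"])
        if m["action"] == "DHCPACK":
            end = ts + timedelta(seconds=int(m["lease"]))
            if key in open_leases:          # renewal extends the open lease
                open_leases[key].end = end
            else:                            # fresh ACK opens a new lease
                open_leases[key] = Lease(m["ip"], m["sub"], ts, end)
        else:                                # DHCPRELEASE closes it early
            lease = open_leases.pop(key, None)
            if lease is not None:
                lease.end = ts
                closed.append(lease)
    closed.extend(open_leases.values())
    return closed


def resolve_subscriber(leases, ip, at):
    """Which account held `ip` at instant `at`? None if no retained record covers it."""
    at = _to_dt(at)
    for lease in leases:
        if lease.ip == ip and lease.start <= at < lease.end:
            return lease.subscriber
    return None


def apply_retention(leases, now, days):
    """Model the provider discarding lease records that ended before the window."""
    cutoff = _to_dt(now) - timedelta(days=days)
    return [lease for lease in leases if lease.end >= cutoff]


def lookup_under_retention(log_text, ip, at, now, retention_days):
    """Answer 'who had this address then?' given only what survived retention."""
    surviving = apply_retention(parse_leases(log_text), now, retention_days)
    return resolve_subscriber(surviving, ip, at)


if __name__ == "__main__":
    for days in (30, 730):
        who = lookup_under_retention(CONSTRUCTED_LEASE_LOG, "198.51.100.7",
                                     "2008-01-05T12:00:00", "2008-04-01T00:00:00", days)
        print(f"{days}-day retention: 198.51.100.7 on 2008-01-05 -> {who}")
```

Two things the sample makes visible. The same address is held by three different accounts over two months, so a lookup without a precise timestamp is meaningless, and a lookup that falls in the gap between a release and the next assignment returns nothing. And the result is always an account, never a person: as the first article above notes, ECPA's protections follow individuals, not customer accounts, so a lease record on its own does not say who was at the keyboard.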

In addition, Internet providers are required by another federal law to report child pornography sightings to the National Center for Missing and Exploited Children, which is in turn charged with forwarding that report to the appropriate police agency.

News.com's Anne Broache reported from Washington, D.C.
