The National Security Agency tried to wiretap a member of the U.S. Congress without a warrant, and has engaged in "significant and systemic" illegal surveillance activities in the last few months including e-mail and telephone call interceptions, according to a report this week.
The article in Wednesday's New York Times said the Obama administration acknowledged there had been abuses but said they had been resolved. The attempted eavesdropping on a congressman came about because he or she was part of a delegation to the Middle East in 2005 or 2006, and was ultimately blocked.
The NSA said in a statement on Wednesday that "intelligence operations, including programs for collection and analysis, are in strict accordance with U.S. laws and regulations."
The Times reported, without giving details, that the "overcollection" problems were discovered as part of a twice-a-year certification that the Justice Department and the director of national intelligence are required to give to the Foreign Intelligence Surveillance Court.
Salon.com columnist Glenn Greenwald wrote on Thursday that it was "inevitable" that more NSA surveillance abuses would happen after the Democratic-controlled Congress approved legislation in 2008 that eliminated safeguards and blessed surveillance activities that would otherwise have been illegal.
Greenwald wrote: "That was the purpose of the law: to gut the safeguards in place since the 1978 passage of FISA, destroy the crux of the oversight regime over executive surveillance of Americans, and enable and empower unchecked government spying activities." (FISA is the Foreign Intelligence Surveillance Act.)
At the time, in June 2008, the ACLU highlighted a long list of concerns including "loopholes" in the bill to rewrite FISA. Presidential candidate Barack Obama supported the FISA bill--which also granted retroactive immunity to telecommunications companies that illegally opened their networks to the NSA--saying it has "appropriate safeguards."
The Bush administration secretly concluded after the September 11, 2001, terrorist attacks that it had the authority to wiretap the Internet and telephone calls with virtually no limitations, restrict free speech, and use the U.S. military domestically against suspected terrorists.
Those legal opinions came in a series of memorandums written by U.S. Department of Justice lawyers, including deputy assistant attorney general John Yoo, which were disclosed by the Obama administration on Monday.
Although the broad outlines of the Bush administration's claims to sweeping executive powers were previously known, the newly released memorandums provide a glimpse at both the legal arguments used and the scope of the claims.
An October 2001 memorandum (PDF) by Yoo and special counsel Robert Delahunty, for instance, says that "the president has the legal and constitutional authority to use military force within the United States to respond to and combat future acts of terrorism, and that the Posse Comitatus Act does not bar deployment."
It also envisions the possibility of censorship restrictions that could be slapped on newspapers and the Internet, saying "First Amendment speech and press rights may also be subordinated to the overriding need to wage war successfully."
A September 2001 memorandum (PDF) previews what would become an extensive debate over the National Security Agency's warrantless surveillance program, saying "the president must be able to use whatever means necessary to prevent attacks on the United States; this power, by implication, includes the authority to collect information necessary for its effective exercise."
Yoo is now a law professor at the University of California at Berkeley. Salon columnist Glenn Greenwald has suggested that Yoo could be prosecuted for war crimes; he has been sued by Jose Padilla, the American citizen who detained by the U.S. military for more than three years as an enemy combatant and was subsequently convicted by the criminal justice system.
Some of the Bush administration's sweeping claims to unchecked executive branch powers were struck down by federal courts, including the U.S. Supreme Court--a fact that lawyers from the outgoing administration noted at the last minute in a set of memorandums that explicitly backed away from the earlier claims.
On January 15, just days before Barack Obama took office, Steven Bradbury, principal deputy assistant attorney general, informed federal agencies that the 2001-era memos were no longer valid.
Bradbury's memo (PDF) revised the Office of Legal Counsel's opinions on topics including treaties, torture, and wiretapping, saying those "do not reflect the current views of this office."
One 2002 memorandum (PDF) hinted at how a suspect could be tortured: "So long as the United States does not intend for a detainee to be tortured post-transfer, however, no criminal liability will attach to a transfer, even if the foreign country receiving the detainee does torture him."
"Americans deserve a government that operates with transparency and openness," said Attorney General Eric Holder in a statement on Monday. "It is my goal to make OLC opinions available when possible while still protecting national security information and ensuring robust internal executive branch debate and decision-making."
A secret federal appeals court has ruled that federal agencies can be authorized to conduct warrantless e-mail and telephone surveillance without violating the U.S. Constitution.
In a 29-page redacted opinion (PDF) released Thursday, the court ruled that presidents do not need to obtain warrants to conduct "foreign intelligence for national-security purposes"--which is effectively at least a partial endorsement of President Bush's views on expansive executive powers.
The central question in this case was how the Fourth Amendment's prohibition on "unreasonable searches and seizures" applies to intelligence agencies wishing to compel AT&T and other providers to open their networks to federal snoops hoping to listen in on international communications.
The U.S. Foreign Intelligence Surveillance Court of Review concluded that as long as the executive branch has "several layers of serviceable safeguards to protect individuals against unwarranted harms and to minimize incidental intrusions, its efforts to protect national security should not be frustrated by the courts."
The case arose because an unnamed telecommunications company believed that a now-lapsed surveillance law was unconstitutional and challenged it in the secret court.
Also on Thursday, Attorney General-designate Eric Holder was answering questions about warrantless wiretapping during his Senate confirmation hearing. Holder indicated that he would seek curbs on such National Security Agency programs.
Orders of the secret appeals court, which meets behind closed doors, are a rarity. (An earlier opinion, also siding with the Bush administration, was released in November 2002. The original classified, unredacted version of Thursday's opinion was finished in August 2008.)
That's because the Foreign Intelligence Surveillance Court typically hears only from one side--lawyers from the U.S. Department of Justice--and appeals happen only when the requests are denied. More than two decades went by without any appeals taking place.
The FISC appeals court's ruling is more important for what it says about its view of the Fourth Amendment than what it says about the particular statute in question, the Protect America Act.
The August 2007 law expanded the Foreign Intelligence Information Act and allowed warrantless eavesdropping on people "reasonably believed" to be outside the United States. It permitted the attorney general and the director of national intelligence to issue directives--valid for one year--to force communications providers to open their networks for that purpose.
By February 16, 2008, the Protect America Act had sunset, and was eventually repealed and revised in July 2008. But the directives issued during that time were still in effect, which led to the court challenge.
The Justice Department on Thursday said it "is pleased with this important ruling by the Foreign Intelligence Surveillance Court of Review, which upholds the constitutionality of foreign intelligence surveillance conducted under the Protect America Act of 2007."
Libertarian Party presidential candidate Bob Barr talks up privacy last week at a political conference in Las Vegas, saying there's little difference between Barack Obama and John McCain on the topic.
(Credit: Declan McCullagh/News.com)LAS VEGAS--Bob Barr hopes his enthusiasm for electronic privacy will boost his Libertarian Party campaign for the White House. Call it a long-shot bid for the geek vote.
Absent Barack Obama and John McCain found in flagrante delicto with, say, Osama bin Laden and a 12-year old, Barr will not be the next president of the United States. But he is polling surprisingly well, with a Zogby poll last week putting him at 6 percent nationally, meaning he could siphon away enough limited-government votes from McCain to affect the November election.
Barr was a GOP member of Congress best known for leading the floor battle to impeach President Clinton. After losing his Georgia congressional seat in 2002, he became an ACLU consultant and privacy activist, and won the Libertarian presidential nod after a pitched floor battle in which some delegates angrily accused him of being more right-wing than right-thinking.
Speaking here at a political conference on Friday, Barr focused almost exclusively on privacy and eavesdropping--and argued that both major parties are far too surveillance-happy. "Both of them will continue down the same track," Barr said, noting that both McCain and Obama supported last week's bill to immunize telecommunications companies that illegally opened their networks to government snoops.
Congress' legislative rewrite of the Foreign Intelligence Surveillance Act (FISA) is "not about surveilling al-Qaida," Barr said. "It's about surveilling U.S. citizens in America." He added, for good measure: "This administration is the most anti-privacy, the most anti-individual freedom, in our nation's history, certainly in my lifetime."
This is hardly a Bush-McCain species of Republican speaking. It underlines Barr's appeal: If you're a traditional conservative who disagrees with the big-government policies, the surveillance, the inflation, the deficit spending, and the wars of the Bush administration, vote for me. I was one of you, once.
It might work. More precisely, it might work well enough--think a Republican equivalent of Ralph Nader--to make a difference in states that would have tilted toward McCain otherwise. It's certainly a more attractive message than that of the Libertarians' 2004 candidate, a telemarketer-turned-programmer.
Rep. Ron Paul, a Texas Republican with a libertarian bent who made an unsuccessful bid for the 2008 presidency, represents one argument for the theory of a third candidate potentially hurting McCain. More than 10 percent of the Republican electorate, and far more in some states--like Idaho, where he won 24 percent of the primary vote--share his libertarian view. Plus there's the remarkable post-primary success of Paul's book (No. 1 on The New York Times bestseller list and at or near the top of the lists on Amazon.com).
Barr would surely do anything, except perhaps shave his prominent mustache, if he could lure those tech-savvy, Internet-donating Paul-istas. But his arch-conservative voting record could be a hindrance.
Barr, a former CIA employee and federal prosecutor, voted for the Patriot Act; he voted for the Iraq War resolution; he voted for a 2002 warrantless surveillance bill called the Cyber Security Enhancement Act; he tried to restrict the practice of Wicca in the military; he wanted to ban a subset of computer-generated porn. On each of those votes, Paul went in the opposite direction.
For his part, Barr says he has become an honest-to-goodness convert to the cause of electronic privacy and limited government. He said a long time ago that he regrets voting for the Patriot Act; he wants an Iraq withdrawal "without undue delay"; the head of the Marijuana Policy Project formally nominated Barr at the Libertarian convention; Barr even endorsed a Libertarian presidential candidate in 2004. He founded a group called the American Freedom Agenda that opposes the White House's policies in the so-called war on terror, and his supporters note he embraced a wealth of privacy measures while in Congress (see our coverage from 2002).
"Electronic privacy has been his forte for a long time," said Brad Jansen, an ex-Paul staffer turned Barr enthusiast who runs a group advocating greater financial privacy. "It was his signature issue with the ACLU, and is topical now with the FISA ruling last week. He certainly differentiates himself from both McCain and now Obama on the issue."
It's true that under the we-absolutely-must-recapture-the-White-House theory, many Democrats will vote for Obama, no matter that he flip-flopped on retroactive immunity for telecommunications companies. (He voted for an unsuccessful amendment stripping it out, but then for the entire bill with it included.) But some progressive bloggers are finding that decision impossible to forgive.
McCain's position on wiretapping and retroactive immunity has been mostly, but not entirely, consistent--see our tech voters' guide from January. That makes the Arizona senator a more stationary target for Barr. "Sen. McCain has made very, very clear that he basically embraces the notion of unfettered executive power," Barr said.
Barr also likes to swipe at the Real ID Act, a law creating a federalized identity card that's effectively on hold until December 31. "It was passed by the Congress not as a national ID, which it is in every way except a name," he said. "It is a national ID for the first time in our nation's history...If certain people were elected president, it would not go into effect."
During the Libertarian Party's presidential debate in Denver, the candidates were asked what they'd do about Real ID and the Patriot Act. Barr's reply was captured on video by C-SPAN: "Fear has become the driving force behind all public policy in our country...(For the Patriot Act), I'd drive a stake through its heart, shoot it, burn it, cut off its head, burn it again, and scatter its ashes to the four corners of the world."
The Zogby poll released last week puts Obama at 44 percent, McCain at 38 percent, and Barr at 6 percent--a combination that hands Obama a handsome electoral college majority.
"Bob Barr could really hurt McCain's chances," pollster John Zogby said. "McCain can't afford the level of slippage to Barr we found among conservatives in this polling...Bob Barr has some juice among conservatives and is hurting him in several states."
On one hand, Barr's breadth of support doesn't seem to be an aberration: a Rasmussen poll released May 18 also gives him 6 percent of the nationwide vote, including 7 percent of Republicans and 5 percent of Democrats. On the other hand, support for third parties tends to wane as the November election nears, as pollster Mark Blumenthal points out on NationalJournal.com.
For now, Barr seems enthusiastic about positioning himself as the candidate who most supports digital privacy.
"The best way to control the populace is to take away their privacy," he said. "The digital age, and what will come after that, makes it much, much easier for the government to abuse those powers and erode the Fourth Amendment."
The Democratic-controlled Senate handed President Bush a major political victory on Wednesday by voting to derail lawsuits against telecommunications companies that unlawfully opened their networks to the National Security Agency.
Senators voted 69 to 28 for the bill, which would rewrite federal wiretap laws by granting retroactive immunity to telecommunications companies as long as the government claims the request was "lawful" and authorized by the president.
Wednesday's vote followed a last-minute effort by liberal and libertarian activists to convince enough Democrats to kill or modify the bill. DailyKos called the bill "a pardon to Bush"; some activists created a Wiki to hone their message; a Salon columnist dubbed the bill a "coverup of surveillance crimes."
Many of those efforts were aimed at Sen. Barack Obama, the Democratic presidential candidate, who told us half a year ago that he would definitely not support retroactive immunity. That was then. Now he does--and he voted for the final bill on Wednesday.
Sen. Hillary Clinton voted against it. Sen. John McCain, the Republican presidential candidate, wasn't present for the vote but has repeatedly stressed his support for the measure (including in our voters' guide published earlier this year).
Earlier, by a 32-66 vote, the Senate rejected an amendment that would have removed the portion of the legislation offering retroactive immunity to telecommunications companies that engaged in illegal activities. The U.S. House of Representatives already approved the underlying legislation last month.
Opponents of the bill said it would allow Bush to cover up illegal warrantless wiretapping. "If Congress short-circuits these lawsuits, we will have lost a prime opportunity to finally achieve accountability for these years of law-breaking," said Sen. Russ Feingold, a Wisconsin Democrat who is a member of the Senate Intelligence Committee. "That's why the administration has been fighting so hard for this immunity."
It's not yet clear what this means for the lawsuits against telecommunications companies, including one that the Electronic Frontier Foundation brought against AT&T that is currently before the 9th Circuit Court of Appeals in San Francisco.
Under Sec. 802 of the Senate bill, which amends the Foreign Intelligence Surveillance Act, no lawsuit may proceed against any "electronic communication service provider" if either one of two conditions is met.
The first is that the company provided assistance "in connection with an intelligence activity" authorized by the president between September 11, 2001 and January 17, 2007, when the wiretap program was altered to include more judicial oversight. The second condition involves a company that received a "written request" from the U.S. Justice Department saying the activity was lawful and authorized by the president. (AT&T has suggested once, and twice, that such a paper trail exists.)
Kevin Bankston, an EFF staff attorney, says his group will continue to pursue its lawsuit. "We'll be challenging the constitutionality of this law," he said. "We think it unconstitutionally violates separation of powers and due process... We are going to be challenging this immunity as unconstitutional."
One of the more interesting tidbits from News.com's survey published this morning on instant messaging privacy came from Skype.
The eBay-owned company says it is unable to comply with court-authorized wiretap requests.
We asked Skype: "Have you ever received a subpoena, court order or other law enforcement request asking you to perform a live interception or wiretap, meaning the contents of your users' communications would be instantly forwarded to law enforcement?"
Jennifer Caukin, Skype's director of corporate communications replied to us: "We have not received any subpoenas or court orders asking us to perform a live interception or wiretap of Skype-to-Skype communications. In any event, because of Skype's peer-to-peer architecture and encryption techniques, Skype would not be able to comply with such a request."
This isn't entirely a surprise. Skype, which claims something like 300 million user accounts, has said in the past that it "cooperates fully with all lawful requests from relevant authorities" but that it is not subject to the U.S. must-provide-a-wiretapping-backdoor law called the Communications Assistance for Law Enforcement Act. Police in Germany, for instance, already have complained of Skype's lack of ready wiretappability.
Because the company's SkypeIn and SkypeOut services send data through the traditional telecommunications network, they presumably can be wiretapped at that point. But voice communications that flow exclusively through the company's peer-to-peer network--and are encrypted using AES--are a different story.
There's no guarantee that Skype's AES encryption is implemented properly or that there aren't lingering security flaws. A 2006 presentation at the BlackHat Europe conference in March said the right algorithms were being used, but that there's "no way" to know if a backdoor for eavesdropping exists. A Skype-commissioned independent evaluation, however, gave it a thumbs-up. Here's more.
The upshot is that if Yahoo, AOL, Microsoft, or so on received a wiretap order for text or voice flowing through their IM networks, they could (and would) be able to comply because the services are centralized. Even if the users' conversations are encrypted through the Off-the-Record Messaging protocol, an eavesdropper still knows who's talking to whom--this is called a pen register or trap and trace device in wiretapping parlance, and it can still be privacy-invasive.
Skype says it doesn't permit even that. Which means that it's the most privacy-protective mainstream method of communicating through voice or instant messaging. To the FBI's legions of eavesdroppers, that sounds a lot like a challenge.
The number of interested parties eager to listen in on your online conversations, including what you type through instant messaging, has never been higher.
It's trivial to monitor unencrypted wireless networks and snatch IM passwords as they flow through the ether. Broadband providers and their business partners are enthusiastically peeking into their customers' conversations. A bipartisan majority in Congress has handed the FBI and shadowy government agencies greater surveillance authority than ever before.
The need, in other words, for secure IM communication has never been greater. But not all IM networks offer the same privacy and security. To chart the differences, CNET News.com surveyed companies providing popular IM services and asked them to answer the same 10 questions.
One focus was how secure the IM service was--in other words, does it protect users against eavesdropping? It's been 12 years since the introduction of ICQ in 1996, and 20 years since the Usenix paper (PDF) describing the Zephyr IM protocol that spread to MIT and Carnegie Mellon University. By now, encryption should be commonplace.
We found that only half of the services provide complete encryption: AOL Instant Messenger, Google Talk, IBM's Lotus Sametime, and Skype do. To their credit, not one service says it keeps logs of the content of users' communications (a certain lure for federal investigators or snoopy divorce attorneys). For connection logs, Microsoft alone said it keeps none at all--though Google and Skype said their logs were deleted after a short time.
Encryption is important. If you're using an open wireless connection, anyone who downloads free software like dSniff can intercept unencrypted IM communications streams. WildPackets sells to police an EtherPeek plug-in it says can intercept and decode unencrypted IM conversations in wiretap situations (plus Web-based e-mail, VoIP calls, and so on).
All surveys have limitations, including ours. The fact that IM encryption is used is insufficient; it could always be a poor choice of an algorithm or there could be implementation errors that allow it to be bypassed in practice. Our survey will not be the final word in this area.
Jabber is worth a special note. While nearly all of our survey respondents use proprietary, closed systems, Jabber is based on open standards set by the Internet Engineering Task Force. Formally called XMPP, Jabber lets organizations run their own servers and tends to be more flexible.
Google adopted it for Google Talk, and other clients that support Jabber include Apple's iChat, Adium (OS X), Trillian Pro (with a plug-in), and Psi. Jabber uses encryption both to log on and to protect conversations once a connection is established. We didn't formally include it in our survey because anyone can set up their own Jabber server with their own configuration.
Facebook Chat is the least secure and privacy-protective of the lot. As far as we can determine, it fails to use encryption to protect logging in (thus passwords can be gleaned) and fails to secure the conversations, too. We'd like to tell you more about Facebook Chat, but the company sent us a one-line e-mail message saying it was refusing to answer the same questions that its competitors did with little fuss.
We intentionally left out Apple because its iChat software uses the AOL Instant Messenger network. Macintosh users who have purchased a .Mac membership can activate encryption for IM, audio and video chats, and file transfers.
| Secure logging-in | Secure conversations | Logs kept of user logins | Logs kept of message content | For how long | Government wiretapping | |
| AOL AIM | Yes | Yes | Yes | No | Won't say | Won't say |
| AOL ICQ | Yes | No | Yes | No | Won't say | Won't say |
| Facebook Chat[1] | No | No | Refused to answer | Refused to answer[2] | Refused to answer | Refused to answer |
| Google Talk | Yes | Yes[3] | Yes | No[4] | Four weeks | Won't say |
| IBM Lotus Sametime | Yes | Yes | Yes | Configurable | Configurable | N/A |
| Microsoft's Windows Live Messenger | Yes | No[5] | No | No | N/A | Won't say |
| Skype | Yes | Yes | Yes | No | "A short time" | Cannot comply with wiretaps[6] |
| Yahoo Messenger | Yes | No | Yes | No | As long as "necessary" | Won't say |
[1] Over the course of a week, Facebook refused to reply to questions.
[2] Facebook has said both that chat history "is not logged permanently" and that it is archived for 90 days.
[3] Encryption is on by default for the downloadable client, off by default for the Web, and not supported with the Google Talk Gadget.
[4] Configurable: users can choose to log conversations in their Gmail chat archives if they wish.
[5] Conversations are unencrypted, but files exchanged via Windows Live Messenger are encrypted.
[6] Skype was the only IM company that said it could not perform a live interception if presented with a wiretap request: "Because of Skype's peer-to-peer architecture and encryption techniques, Skype would not be able to comply with such a request."
Q: Does your service use encryption for authentication when users log on?
Yes
Q: Does your service use encryption for message delivery, meaning when your users send and receive messages?
Yes
Q: Is encryption turned on or off by default?
On by default
Q: Does your service support the OTR (Off the Record) standard? If it uses non-OTR encryption, what kind?
No. AIM supports TLS. [Ed. Note: TLS, or Transport Layer Security, is the successor to Secure Sockets Layer. It supports a variety of cryptographic ciphers for scrambling the content of messages, including AES and Triple DES. It also provides methods for authentication.]
Q: Does your service keep server-based logs of connection information, such as when a particular user signs on or off and from what IP address? If so, what information is stored?
Yes, we keep logs of connection information, such as sign on/off and IP address.
Q: Does your service keep server-based logs of the content of communications, meaning what a particular user sent and received?
No
Q: If any connection or content logs are stored, how long is each type kept?
Connection logs are retained according to the needs of the business for operational and quality control purposes and then regularly deleted.
Q: Have you ever received a subpoena, court order or other law enforcement request asking you to turn over information about a user's IM account?
Yes
Q: If so, how many law enforcement requests have you received?
We do not share details about requests we receive from law enforcement.
Q: Have you ever received a subpoena, court order or other law enforcement request asking you to perform a live interception or wiretap, meaning the contents of your users' communications would be instantly forwarded to law enforcement?
We do not share details about requests we receive from law enforcement.
Q: Does your service use encryption for authentication when users log on?
Yes
Q: Does your service use encryption for message delivery, meaning when your users send and receive messages?
No. Message delivery encryption is under consideration for future product releases.
Q: Is encryption turned on or off by default?
N/A
Q: Does your service support the OTR standard? If it uses non-OTR encryption, what kind?
No
Q: Does your service keep server-based logs of connection information, such as when a particular user signs on or off and from what IP address? If so, what information is stored?
Yes, we keep logs of connection information, such as sign on/off and IP address.
Q: Does your service keep server-based logs of the content of communications, meaning what a particular user sent and received?
No
Q: If any connection or content logs are stored, how long is each type kept?
Connection logs are retained according to the needs of the business for operational and quality control purposes and then regularly deleted.
Q: Have you ever received a subpoena, court order or other law enforcement request asking you to turn over information about a user's IM account?
Yes
Q: If so, how many law enforcement requests have you received?
We do not share details about requests we receive from law enforcement.
Q: Have you ever received a subpoena, court order or other law enforcement request asking you to perform a live interception or wiretap, meaning the contents of your users' communications would be instantly forwarded to law enforcement?
We do not share details about requests we receive from law enforcement.
Q: Does your service use encryption for authentication when users log on?
Yes.
Q: Does your service use encryption for message delivery, meaning when your users send and receive messages?
Our download client uses encryption. Our Web client sends messages in plain text, but users can opt in to HTTPS if they want encryption. HTTPS does not currently work with the Google Talk Gadget.
Q: Is encryption turned on or off by default?
Encryption is turned on by default for the download client and off by default for the Web client.
Q: Does your service support the OTR standard? If it uses non-OTR encryption, what kind?
Google clients do not currently support OTR. We use TLS for XMPP client to server, and HTTPS for Web clients if users opt in. [Ed. Note: TLS, or Transport Layer Security, is the successor to Secure Sockets Layer. It supports a variety of cryptographic ciphers for scrambling the content of messages, including AES and Triple DES. It also provides methods for authentication.]
Q: Does your service keep server-based logs of connection information, such as when a particular user signs on or off and from what IP address? If so, what information is stored?
The service logs standard data, including the IP address, user name, time stamp, and client type, but does not log chat content.
Q: Does your service keep server-based logs of the content of communications, meaning what a particular user sent and received?
Users may choose to chat "off the record' in which case chats are not saved in their Gmail chat archives. If a user does not go "off the record," then chat communications are saved and viewable to the participants of the chat within their Gmail account.
Q: If any connection or content logs are stored, how long is each type kept?
The service logs standard data (including the IP address, user name, time stamp, and client type), and stores this data for four weeks. Connection logs not tied to a Gmail account are kept for as long as they are useful. Users may choose to chat "off the record" in which case chats are not saved in their Gmail chat archives. If a user does not go "off the record" then chat communications are saved and viewable to the participants of the chat within their Gmail account.
Q: Have you ever received a subpoena, court order or other law enforcement request asking you to turn over information about a user's IM account?
As a matter of policy, we do not comment on the nature or substance of law enforcement requests to Google. Whenever possible, we do our best to notify the subject named in such requests in order to give them the opportunity to object.
Q: If so, how many law enforcement requests have you received?
As a matter of policy, we do not share this information.
Q: Have you ever received a subpoena, court order or other law enforcement request asking you to perform a live interception or wiretap, meaning the contents of your users' communications would be instantly forwarded to law enforcement?
As a matter of policy, we do not comment on the nature or substance of law enforcement requests to Google. Whenever possible, we do our best to notify the subject named in such requests in order to give them the opportunity to object.
[Ed. Note: IBM appended this explanation to its response: "Lotus Sametime is an enterprise on-premise unified communications solution. While IBM Global Technology Services offers managed hosting services for Lotus Sametime, it is typically sold as an on-premise solution. Answers below reflect Sametime as an on-premise solution. The answers would also apply for a hosted offering from IBM or IBM Business Partners."]
Q: Does your service use encryption for authentication when users log on?
As enterprise-grade software, Lotus Sametime offers the security that businesses require. Lotus Sametime authentication gives businesses the confidence of knowing that the people they communicate with are who they say they are, while password protection helps ensure that only invited participants can attend Web conferences. By default, all authentication and authorization credentials are encrypted using 128-bit encryption. Lotus Sametime also supports compliance with FIPS-140, the U.S. Department of Defense standard.
Q: Does your service use encryption for message delivery, meaning when your users send and receive messages?
Yes, Lotus Sametime software can encrypt presence, instant messages, Web conferences, VoIP voice chats, and point-to-point video conversations to help businesses protect sensitive information. By default, Lotus Sametime uses 128-bit encryption, Lotus Sametime also supports compliance with FIPS-140, the U.S. Department of Defense standard.
Q: Is encryption turned on or off by default?
Encryption is turned on by default.
Q: Does your service support the OTR standard? If it uses non-OTR encryption, what kind?
Lotus Sametime does not support the OTR standard. By default Lotus Sametime uses 128-bit RC2 encryption. Lotus Sametime also supports compliance with FIPS-140, the U.S. Department of Defense standard.
Q: Does your service keep server-based logs of connection information, such as when a particular user signs on or off and from what IP address?
Yes, Lotus Sametime provides a variety of logging options that are configurable by the system administrator. Through the Sametime Tool Kits, Sametime also integrates with a variety of third-party compliance software.
Q: Does your service keep server-based logs of the content of communications, meaning what a particular user sent and received?
The system administrator has the ability to configure these types of capabilities. This type of information can also be captured by third-party compliance software such as Facetime, Akonix, and Symantec.
Q: If any connection or content logs are stored, how long is each type kept?
Lotus Sametime provides the flexibility to keep the logs for as long as a business requires. The system administrator sets the duration of the storage of the logs based on the needs of the enterprise.
Q: Have you ever received a subpoena, court order or other law enforcement request asking you to turn over information about a user's IM account?
This question does not apply to Sametime because it is not a service.
Q: If so, how many law enforcement requests have you received?
This question does not apply to Sametime because it is not a service.
Q: Have you ever received a subpoena, court order or other law enforcement request asking you to perform a live interception or wiretap, meaning the contents of your users' communications would be instantly forwarded to law enforcement?
This question does not apply to Lotus Sametime because it is not a service.
Q: Does your service use encryption for authentication when users log on?
Windows Live Messenger accounts that are accessed upon authentication of a user's Windows Live ID and password are protected by industry standard SSL encryption. [Ed. Note: SSL is Secure Sockets Layer, also known as Transport Layer Security.]
Q: Does your service use encryption for message delivery, meaning when your users send and receive messages?
We do not provide encryption for instant messages at this time. However, if a customer chooses to send or receive messages that contain a file, like a document or photo, Windows Live Messenger protects those files with the industry standard SSL encryption.
Q: Is encryption turned on or off by default?
Encryption of file transfer functions automatically and cannot be turned off.
Q: Does your service support the OTR standard? If it uses non-OTR encryption, what kind?
Windows Live does not use the OTR standard. Windows Live Messenger accounts are protected by industry standard SSL encryption.
Q: Does your service keep server-based logs of connection information, such as when a particular user signs on or off and from what IP address? If so, what information is stored?
Windows Live Messenger does not maintain server-based logs of connection information. Microsoft is committed to protecting the privacy of its customers and believes they deserve to have their personal data used only in ways described to them. Microsoft's privacy policy informs our customers of the ways in which they can control the collection, use and disclosure of their personal information. More information is available on Microsoft's privacy policy at: http://privacy.microsoft.com/en-us/default.aspx.
Q: Does your service keep server-based logs of the content of communications, meaning what a particular user sent and received?
Windows Live Messenger does not maintain server-based logs of the content of messages that our customers send or receive. Microsoft is committed to protecting the privacy of its customers and believes they deserve to have their personal data used only in ways described to them. Microsoft's privacy policy informs our customers of the ways in which they can control the collection, use and disclosure of their personal information. More information is available on Microsoft's privacy policy at: http://privacy.microsoft.com/en-us/default.aspx.
Q: If any connection or content logs are stored, how long is each type kept?
Not applicable.
Q: Have you ever received a subpoena, court order or other law enforcement request asking you to turn over information about a user's IM account?
We do not comment on specific requests from the government. Microsoft is committed to protecting the privacy of our customers and complies with all applicable privacy laws. In particular, the Electronic Communications Privacy Act ("ECPA") protects customer records and the communications of customers of online services. As set forth above, however, Microsoft does not maintain records about our customers' use of the IM service and would have no information to provide in response to a request from law enforcement.
Q: If so, how many law enforcement requests have you received?
We do not disclose how many government requests we receive; in certain circumstances, we are not permitted by law to disclose that we have received a government order. However, we follow ECPA in responding to all requests.
Q: Have you ever received a subpoena, court order or other law enforcement request asking you to perform a live interception or wiretap, meaning the contents of your users' communications would be instantly forwarded to law enforcement?
We do not comment on specific requests from the government, but in general, we provide the government with the contents of communications intercepted in real-time only pursuant to a court order.
Q: Does your service use encryption for authentication when users log on?
Yes.
Q: Does your service use encryption for message delivery, meaning when your users send and receive messages?
Yes. Skype's tight security model is integrally linked to its underlying peer-to-peer (P2P) architecture. As a result, Skype's traffic cannot be intercepted and decoded while in transit. In short, Skype provides transport-layer security to ensure that message content traveling over Skype cannot be tapped or intercepted.
Q: Is encryption turned on or off by default?
Skype's encryption is always on and cannot be turned off.
Q: Does your service support the OTR standard? If it uses non-OTR encryption, what kind?
No. Skype employs strong end-to-end encryption using 256-bit AES, which is then authenticated by PKI cryptography, to guarantee authenticity, secrecy, and integrity of communication over Skype.
Q: Does your service keep server-based logs of connection information, such as when a particular user signs on or off and from what IP address? If so, what information is stored?
Where servers are used to facilitate the offering of a product such as SkypeOut, only username, version, and IP address are stored.
Q: Does your service keep server-based logs of the content of communications, meaning what a particular user sent and received?
No. Skype does not record any content from communications.
Q: If any connection or content logs are stored, how long is each type kept?
Connection logs are kept for only a short time.
Q: Have you ever received a subpoena, court order or other law enforcement request asking you to turn over information about a user's IM account?
Yes. We co-operate with law enforcement agencies as much as is legally and technically possible.
Q: If so, how many law enforcement requests have you received?
That is confidential information.
Q: Have you ever received a subpoena, court order or other law enforcement request asking you to perform a live interception or wiretap, meaning the contents of your users' communications would be instantly forwarded to law enforcement?
We have not received any subpoenas or court orders asking us to perform a live interception or wiretap of Skype-to-Skype communications. In any event, because of Skype's peer-to-peer architecture and encryption techniques, Skype would not be able to comply with such a request.
Q: Does your service use encryption for authentication when users log on?
Yahoo Messenger for the Web and the current downloadable Yahoo Messenger uses SSL to protect the user's password during authentication. [Ed. Note: SSL is Secure Sockets Layer, also known as Transport Layer Security.]
Q: Does your service use encryption for message delivery, meaning when your users send and receive messages?
Yahoo Messenger does not use encryption for message delivery.
Q: Is encryption turned on or off by default?
The encryption as described above in No. 1 is on by default.
Q: Does your service support the OTR standard? If it uses non-OTR encryption, what kind?
Yahoo Messenger does not use Off-the-Record cryptographic protocol. We use the Secure Sockets Layer (SSL) standard during password authentication as described in our answer to No. 1.
Q: Does your service keep server-based logs of connection information, such as when a particular user signs on or off and from what IP address? If so, what information is stored?
Yahoo logs Messenger activity consistent with Web-based services generally.
Q: Does your service keep server-based logs of the content of communications, meaning what a particular user sent and received?
Yahoo Messenger provides users with the ability to store and retrieve their IM messages. Users can choose not to use this convenient feature. Most versions of the downloadable Yahoo Messenger store conversations on the user's computer while Yahoo Messenger for the Web stores these conversations on Yahoo servers.
Q: If any connection or content logs are stored, how long is each type kept?
Yahoo retains data as necessary to help comply with financial, legal, and security obligations, and for research purposes to improve our users' experience with Messenger.
Q: Have you ever received a subpoena, court order or other law enforcement request asking you to turn over information about a user's IM account?
Yahoo responds to law enforcement in compliance with all applicable laws.
Q: If so, how many law enforcement requests have you received?
Given the sensitive nature of this area and the potential negative impact on the investigative capabilities of public safety agencies, Yahoo does not discuss the details of law enforcement compliance. Yahoo responds to law enforcement in compliance with all applicable laws.
Q: Have you ever received a subpoena, court order or other law enforcement request asking you to perform a live interception or wiretap, meaning the contents of your users' communications would be instantly forwarded to law enforcement?
Given the sensitive nature of this area and the potential negative impact on the investigative capabilities of public safety agencies, Yahoo does not discuss the details of law enforcement compliance. Yahoo responds to law enforcement in compliance with all applicable laws.
News.com's Anne Broache contributed to this report
A series of statements about immunizing telecommunications companies that violated federal wiretapping laws have become something of an embarrassment, and perhaps even a problem, for John McCain's presidential campaign.
The statements revolve around whether McCain, like President Bush, supports legislation that could be voted on this month extending retroactive immunity to those companies and perhaps many more. The problem for the onetime captain of the Straight Talk Express is that his varying statements at different times are starting to seem -- dare we say it? -- almost Clintonian.
John McCain (left) meets with President Bush on March 5. In endorsing McCain's presidential bid, Bush said "he's not going to change when it comes to taking on the enemy. He understands this is a dangerous world."
(Credit: White House photo by Chris Greenberg)When news about the National Security Agency's warrantless wiretapping program became public years ago, McCain was critical of it. McCain told the Associated Press that he wanted to know more about the program but "theoretically, I obviously wouldn't like it." He agreed with Matt Lauer on The Today Show that "it is up to a court of law to find out if someone broke the law here and where punishment should be handed out."
That seems pretty clear. In 2005, at least, McCain was in favor of letting the courts decide whether AT&T and other telecos violated the law.
Last fall, while preparing our Tech Voter's Guide, we asked McCain point-blank whether he would support the bill (S.2248) providing retroactive immunity. On November 30, 2007 McCain sent us this response via e-mail:
Every effort in this struggle and other efforts must be done according to American principles and the rule of law. When companies provide private records of Americans to the government without proper legal subpoena, warrants, or other legal orders, their heart may be in the right place, but their actions undermine our respect for the law.
I am also a strong supporter of protecting the privacy of Americans. The issues raised by S.2248, and the events and actions by all parties that preceded it, reach to the core of our principles. They merit careful and deliberate consideration, fact-finding, and exploration of options. That process should be allowed to proceed before drawing conclusions that may prove to be premature.
If retroactive immunity passes, it should be done with explicit statements that this is not a blessing, there should be oversight hearings to understand what happened, and Congress should include provisions that ensure that Americans' private records will not be dealt with like that again.
A few weeks later, McCain told the Boston Globe this: "I think that presidents have the obligation to obey and enforce laws that are passed by Congress and signed into law by the president, no matter what the situation is."
What McCain told us isn't exactly what he told the Globe. But the import of the two statements is that the Arizona Republican either flatly opposes retroactive immunity -- or is severely critical of it and would only vote for it only if there are oversight hearings and "explicit statements" and "provisions" that it won't happen again.
As I've written before, when McCain sent us that e-mail, Zogby polls gave him a mere 8 or 9 percent of the vote nationally, behind Rudy Giuliani, Fred Thompson, and Mike Huckabee, and at best tied with Mitt Romney.
A change of heart?
But after McCain became the all-but-official nominee, his political principles appear to have become more malleable. He voted in February for retroactive immunity -- even though there were no explicit statements telling AT&T and other telecommunications companies that this is not a "blessing." There were no deals providing for "oversight hearings." And there certainly were no "provisions" to ensure this won't happen again.
Our story may have ended there. Except that campaign representative Chuck Fish (not an actual campaign lawyer, as has been incorrectly reported, but a surrogate) subsequently suggested that his candidate still wanted "hearings," which The Washington Post picked up on last week. McCain's campaign fired off a nastygram to the Post saying that their candidate's "position on immunity has not changed."
Ahead of the New Hampshire primary earlier this year, McCain toured the state in a bus he calls the "Straight Talk Express."
(Credit: Anne Broache/CNET News.com)Meanwhile, McCain was questioned about his position at a town hall meeting the next day -- he replied that Congress needs to "have hearings" -- which The Wall Street Journal dutifully reported. The fuss became enough to prompt the conservative National Review to begin questioning McCain's the-executive-can-wiretap-as-it-pleases credentials. Salon entered the fray too.
This has become suddenly important -- and timely -- again because a long-running stalemate in Congress over wiretapping, telecom immunity, and the Foreign Intelligence Surveillance Act may be about to end. We reported last week that Congress may vote soon on a bill, and an article on National Journal's Web site on Wednesday said that the House Intelligence Committee's top Democrat has now signed on.
The latest draft of the surveillance law rewrite would effectively pull the plug on lawsuits against telcos, including an important one that the Electronic Frontier Foundation is pursuing against AT&T. It's before the 9th Circuit right now, which seems to be content to wait to rule until Congress figures out what it's going to do.
Thanks to McCain's statements, at least some Democrats are smelling blood. Rep. Robert Wexler of Florida, who is a member of the House Judiciary committee, sent us this statement on Wednesday:
I am appalled by Senator John McCain's reaffirmation of support for the use of warrantless wiretapping on American citizens. Senator McCain has once again chosen to align himself with President George Bush, whose reprehensible spying program on Americans is a grave threat to our Constitutions guarantees of privacy and limited executive power. It is clear that Senator McCain, President Bush, and their Republican allies in Congress will continue to use scare tactics and fear mongering to claim that a president can simply chose to ignore America's laws... Senator McCain opposes a bipartisan House compromise bill that preserves appropriate court review of all surveillance of US citizens and gives judges the discretion to review all the necessary documents related to telecom lawsuits without offering blanket immunity.
From McCain's perspective, this is a perilous topic, especially because Barack Obama has been consistent and clear in saying he opposes retroactive immunity. Obama voted against immunity at the same time McCain voted for it.
If McCain defends his earlier statements, which hinted at reasonable pro-privacy, limited-government instincts, he risks alienating many Republicans who are already suspicious of him because of the McCain-Feingold bill, his opposition to some gun rights, and his votes against the Bush tax cuts.
Conversely, if McCain amends his position, he risks looking like he's flip-flopping, a potent charge that Republicans memorably leveled against John Kerry four years ago. So instead his campaign is insisting, improbably, that their candidate has never changed his mind. Here's an excerpt from the statement that they sent us (the full, unedited version is here):
Senator McCain supports the FISA modernization bill passed by the Senate without qualification. He believes no additional steps should be necessary to secure immunity for the telecoms; both the 109th and 110th Congresses have conducted extensive evaluation and examination of this topic and have satisfied the public's need for appropriate oversight; hearings purportedly designed to "get to the bottom of things" have already occurred; and neither the administration nor the telecoms need apologize for actions that most people, except for the ACLU and the trial lawyers, understand were constitutional and appropriate in the wake of the attacks on September 11, 2001.
One problem with that is it seems to contradict what McCain himself said at the town hall meeting a day or two before, which is that Congress should hold hearings (nowhere did he say the ones that took place already were sufficient).
Yet there's a more important issue here, which is why the neo-cons are pressing McCain to adhere to the Bush administration's line. And that's the administration's theory of the so-called unitary executive, which says that the president's use of military force cannot be reviewed by courts.
McCain's earlier statements -- especially where he says presidents must "obey and enforce laws that are passed by Congress" -- seem to question the administration's interpretation. Beyond wiretapping, that touches on topics such as John Yoo's so-called torture memos, the applicability of the Geneva Convention to detainees, Bush's signing statements, and military commissions. Questioning the justifications for Bush's warrantless wiretapping means questioning the rest; no wonder McCain seems a little worried about where this may lead.
An innocent discussion about Lowenhart chrome wheels, or a cover for clandestine drug transactions? Guess what the DEA thought...
(Credit: Dazz Motorsports)When police ask a judge to grant a wiretap order, there's no defense lawyer present to raise objections. The judge has a limited amount of information, all provided by the cops and prosecutors, who in theory will take this solemn responsibility seriously and never lie or twist the facts.
Which brings us to U.S. v. Romero, a relatively routine case in Massachusetts in which Alberto Romero and 17 others were charged with conspiracy to manufacture and distribute crack cocaine.
To get a wiretap against the alleged crack cocaine ring, Drug Enforcement Administration agent Joao Monteiro filed an affidavit on July 8, 2005. The only problem is that Monteiro exaggerated an innocent conversation about automobile wheels--to convince a judge to grant a wiretap.
This, in other words, is where theory meets reality.
Here are excerpts from U.S. District Judge Reginald Lindsay's opinion, dated March 7:
That brings me to the question of the claimed selective editing of the transcript of the May 31, 2005 communications between Romero and Willie. Romero claims that intentional, selective editing, together with Agent Monteiro's interpretation, in light of his "training and experience," made innocent conversations about automobile wheels appear to be conversations about drug trafficking.
After reviewing both Romero's and the government's translations of the conversation in question, I conclude that the portion of the transcript included in the Supporting Affidavit was, at the least, an overstatement of the degree of certainty with which Agent Monteiro could reasonably have interpreted the conversation to be one concerning drug transactions. The conversations appear to be, in fact, about chrome wheels for an automobile, the wheels being sold under the brand name "Lowenhart."
The government, in its brief in opposition to the present motion, argues that Agent Monteiro, in quoting the conversation, made, at worst, an innocent error. The government explains that Agent Monteiro did not monitor or translate the May 31, 2005 calls from Spanish to English: the monitoring and translation were done by a government contract interpreter. Neither Agent Monteiro nor any of the other officers engaged in the investigation spoke Spanish, the government says.
The problem with the government's explanation is that it is based on information outside the four corners of the Supporting Affidavit. On the other hand, by presenting the full transcript of the conversations in question, Romero has made the showing necessary to justify a Franks hearing, unless the Supporting Affidavit contains other indicia of probable cause justifying the issue of the interception order. I therefore will disregard the May 31, 2005 intercepted conversations. (Note: This is named after Franks v. Delaware, a U.S. Supreme Court case that said when a defendant makes a substantial preliminary showing of false statements by cops, a hearing must be held. --DBM)
I will examine the other information in the Supporting Affidavit to see whether, without the questioned conversations, the Supporting Affidavit fails to provide probable cause for the order authorizing the interception, or whether, at minimum, a Franks hearing is required to determine whether the order is valid without the questioned conversations.
The Supporting Affidavit also was based on information said to have been provided by codefendant Gregory Bing, who, as described in the May 20 Affidavit, and the April 19 Affidavit, had given information to law enforcement officers to the effect that Romero was a large-scale drug dealer...The Supporting Affidavit also points to the following incident as support of the application in question. On May 6, 2005, officers of the Boston Police Department seized $5,000 in alleged drug proceeds from Jose Gonzalez-Padilla (who was linked to Romero)...
I find that the information from the Supporting Affidavit, as described in the preceding several paragraphs, amply provided the issuing judge with a basis on which to find probable cause to authorize the interception of communications on Romero's direct-connect telephone, even in the absence of the questioned, intercepted conversations between Romero and Willie on May 31, 2005.
Kudos to Judge Lindsay for exercising independent judgment and questioning Agent Monteiro's tortured explanation of why he needed to selectively edit a conversation about Lowenhart chrome wheels. Wiretaps are a messy and uniquely invasive investigative tool, and police should be held to exacting standards when swearing out affidavits requesting one. Let's hope Monteiro and his employer, the DEA, will take the judge's rebuke to heart.
The U.S. House of Representatives on Friday narrowly approved an electronic surveillance expansion without immunization for any telecommunications companies that illegally opened their networks to intelligence agencies.
The 213-197 split, with most Democrats voting in favor of the bill (PDF) and most Republicans opposing it, hardly means that the political tussle over retroactive immunity is over. It now shifts to the Senate, where Majority Leader Harry Reid, a Democrat, said he was "encouraged" to see the House vote.
But the primary obstacle remains President Bush, who has threatened a veto. The White House circulated a statement after the vote calling it a "a significant step backward in defending our country against terrorism" that was "not a serious effort to move the legislative process forward."
Another section that the Republicans dislike is this, which I'll excerpt:
ESTABLISHMENT OF COMMISSION.--There is established in the legislative branch a commission to be known as the "Commission on Warrantless Electronic Surveillance Activities"
The Commission shall ascertain, evaluate, and report upon the facts and circumstances relating to electronic surveillance activities conducted without a warrant between September 11, 2001 and January 17, 2007 (and shall) evaluate the lawfulness of such activities
Especially because the commission would be organized under the legislative branch, and would have subpoena power with the authority to enforce its subpoenas in court, it could result in some embarrassing disclosures about the National Security Agency's surveillance program.
Friday's vote also signals that the political climate has changed since last August, when Republicans outmaneuvered their opponents into voting for surveillance legislation with scant debate or hearings. Democrats acquiesced for fear of being perceived as soft on terror, with House Speaker Nancy Pelosi saying the bill did violence to the U.S. Constitution.
But now, with Hillary Clinton and Barack Obama both opposing retroactive immunity, with a new Justice Department report critical of FBI surveillance abuses, and with a stronger public perception of the Bush administration as having gone too far, the Democrats are more willing to fight back. Nineteen Democrats released a statement this week saying that they've seen classified documents and no immunity was necessary; an unusual closed session on Thursday was intended to make the same point.
Before the vote, House Intelligence Committee Chairman Sylvestre Reyes (D-Texas), said the measure gives telephone companies the ability to present otherwise-classified evidence, one-on-one with a judge, that could show they deserve such immunity. "If they did nothing wrong, as they have said, then they will be immune from any lawsuit," he said before the vote.
The debate before the vote was contentious, with more hoots and catcalls than usual. The lack of retroactive legal immunity for telephone companies also drew accusations from several Republicans that Democrats were handing out favors to lawyers who would ostensibly profit from the court proceedings moving forward. The bill is "nothing more than an earmark for the trial bar," charged Rep. Marsha Blackburn (R-Tenn.)
Republicans also assailed the Democratic leadership for failing to permit an up-or-down vote on the Senate version. They attempted, but failed to push through, a procedural move that would have allowed the House to consider the Senate version of the bill automatically if the House version didn't pass.
Republican leader John Boehner accused Democrats of failing to bring up the Senate bill "because it would pass."
Democrats repeatedly accused the Republicans and the Bush administration of engaging in a smear campaign designed to undermine their bill's passage. "The president has said our legislation will not make Americans safe," House Speaker Nancy Pelosi said. "The president is wrong, and I think he knows it."
Some pointed out that telephone companies and other corporations who open their networks lawfully to the government already have "immunity" under law. Rep. Zoe Lofgren (D-Calif.) read from that passage of existing law and then proclaimed, "I think the administration is more concerned about their liability than the phone companies."
News.com's Anne Broache contributed to this report.
