Internet Wiretapping and Carnivore

In the absence of encryption export controls and key-escrow systems, there are widespread fears that the U.S. government will turn to extraordinary surveillance measures in order to obtain information about criminal suspects. This brings us to the issue of Internet wiretaps and the deployment of other surveillance techniques by law-enforcement officials. To what extent should the Internet infrastructure allow or support these electronic surveillance architectures? Are these architectures susceptible to any unacceptable risks? How can we balance privacy rights with the need to monitor some digital communications in order to combat cybercrime, computer-related crime, and cyberterrorism? In order to answer these questions some historical perspective is essential.

The legality of wiretaps has a long and convoluted history in the United States. The first-known telephone wiretaps can be traced back to 1890. Since that time, telephone wiretapping has become a favorite tool of law-enforcement authorities. The Internet creates new threats and problems for law-enforcement officials. In a world where crime, like all other activities, is facilitated by digital technology, the ability to tap Internet communications seems indispensable.

Telephone or Internet wiretapping cannot be indiscriminate or undertaken on a whim by local police or federal authorities. The relevant legal principle is embodied in the Fourth Amendment, which protects citizens against unwarranted searches and seizure. This Amendment stipulates, "The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated." While the Fourth Amendment is a simple and hallowed right, its application to wiretapping is quite complex. In Olmstead v. the United States (277 U.S. 438 [1928]) the U.S. Supreme Court held that wiretaps did not violate the Fourth Amendment, since they did not amount to a physical search or a seizure of any property. But in Katz v. the United States (389 U.S. 347 [1967]) and Berger v. New York (388 U.S. 57 [1967]), this controversial decision was overturned. In the former case, Charles Katz was convicted of illegal gambling in a federal court based on evidence collected through a tap on his phone. He appealed, and ultimately the Supreme Court ruled that the evidence based on the wiretapped conversations was inadmissible; on that basis they threw out the conviction. This Supreme Court, unlike the Court that decided the Olmstead case, regarded electronic surveillance as the equivalent of search and seizure, so it was covered by the Fourth Amendment. According to the majority opinion in the Katz ruling, "The Fourth Amendment protects people, not places. What a person knowingly exposes to the public, even in his own home or office, is not a subject of Fourth Amendment protection. But what he seeks to preserve as private, even in an area accessible to the public, may be constitutionally protected."

Since the Katz decision it has been necessary to get a court-issued warrant in order to conduct a wiretap, and that wiretap must generally be of short duration and must be narrowly focused. Congress affirmed these rulings by adopting Title III of the Omnibus Crime Control and Safe Streets Act of 1968. This legislation requires a court order based on probable cause in order to engage in wiretapping.

While the Katz and Berger decisions are regarded as a great advancement for privacy rights, civil libertarians believe that the Supreme Court moved in the reverse direction in the case of United States v. Miller (425 U.S. 435 [1976]). In Miller the Court held that personal information provided to a third party loses its Fourth Amendment protection. As a result, if one's credit records are made available to law-enforcement authorities in the course of an investigation, they are no longer entitled to Fourth Amendment protection. Finally, in what some consider another blow to privacy, in Smith v. Maryland (442 U.S. 750 [1979]) the Supreme Court held that the numbers one dials to make a phone call, data collected with a "pen register" device, are not protected under the auspices of the Constitution. According to Dempsey (2000), "While the Court was careful to limit the scope of its decision, and emphasized subsequently that pen registers collect only a very narrow range of information, the view has grown up that transactional data concerning communications is not constitutionally protected."

In the mid-1980s, as the computer revolution accelerated, Congress attempted to anticipate privacy problems that would surface due to new electronic technologies. In 1986 it passed the Electronic Communications Privacy Act (ECPA). The ECPA clarified that wireless communications were to be given the same protection as wireline telephone communications. It amended the federal wiretap law so that it would now apply to cellular telephones, electronic mail, and pagers. According to Dempsey (1997), "The ECPA made it a crime to knowingly intercept wireless communications and e-mail, but authorized law enforcement to do so with a warrant issued on probable cause." The ECPA also established more precise rules for the deployment of pen registers, which identify the numbers dialed in an outgoing call.

Under this statutory framework, law-enforcement officials have enough latitude to engage in electronic surveillance whenever they deem it necessary. Empirical evidence also supports this supposition: The number of wiretaps has increased steadily from 564 in 1980 to 1,350 in 1999 (Schwartz 2001b). According to Steinhardt (2000), "In the last reporting period, the Clinton Administration conducted more wiretaps in one year than ever in history, and the number of 'roving wiretaps' (wiretaps of any phone a target might use, without specifying a particular phone) nearly doubled."

Civil liberties groups believe that this trend of more wiretaps and increasing numbers of intercepted communications will intensify thanks to the advent of digital communications along with growing concerns about terrorism. There are particular worries about the FBI's new system, called Carnivore, an Internet wiretapping system. Carnivore is a packet sniffer that enables FBI agents working in conjunction with an ISP to intercept data passing to and from a criminal suspect. This monitoring close to the source of data transfers makes it easier to trace messages. The data are copied and then filtered to eliminate whatever information federal investigators are not entitled to examine. For the most part, Carnivore is used to track and log the senders and recipients of e-mail, so it functions primarily as a pen register or a "trap and trace" device. (A pen register collects electronic impulses that identify the numbers dialed for outgoing calls, and a trap and trace device collects the originating number for incoming calls.) The threshold for court approval for such wiretaps is low, since investigators need only demonstrate that the information has relevance for their investigation. According to Schwartz (2001), the FBI believes that Carnivore's value lies in its ability to be less inclusive than predecessor wiretapping technologies: "Agents can fine-tune the system to yield only the sources and recipients of the suspect's e-mail traffic, providing Internet versions of the phone-tapping tools that record the numbers dialed by a suspect and the numbers of those calling in."

Nonetheless, this sort of surreptitious surveillance exemplified by the FBI's Carnivore technology has provoked the ire of civil libertarians. For example, the Electronic Frontier Foundation objects to Carnivore because the use of packet sniffers on the Internet captures more information than the use of pen registers and trap and trace devices used for traditional telephone wiretapping. In Internet communications the contents of messages and sender-recipient header data are not separate. According to the EFF (2000), even though Carnivore will be filtering out unwanted e-mail and other communications information, "The Carnivore system appears to exacerbate the over collection of personal information by collecting more information than it is legally entitled to collect under traditional pen register and trap and trace laws."

In response to these criticisms, the FBI explains that it relies on a complex and finely tuned filtering system that selects messages based on criteria expressly set out in the court order. Thus, it will not intercept all e-mail messages, but only those transmitted to and from a particular account. If, for example, Joe is a Carnivore target who e-mails three companions, Mike, Nancy, and George, and the FBI is interested only in his communications with George, the communication with Mike and Nancy will be filtered out. It appears, however, that those messages that are intercepted do include content as well as the sender and recipient addresses.
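The filtering described above can be made concrete with a short added example. This is not Carnivore's code or anything from the FBI; the function names are hypothetical, and the addresses and message text are constructed around the Joe, Mike, Nancy, and George scenario. It shows why the EFF's objection has force: to emit an addressing-only record, the filter must still read and parse every message in the stream, because the addresses sit in the same data as the content.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed sample stream: names follow the article, everything else is invented.
CAPTURED = [
    "From: joe@example.org\nTo: george@example.org\nSubject: Friday\n\nSee you at nine.\n",
    "From: joe@example.org\nTo: mike@example.org, nancy@example.org\nSubject: Lunch\n\nPizza?\n",
    "From: george@example.org\nTo: joe@example.org\nSubject: Re: Friday\n\nOK.\n",
    "From: nancy@example.org\nTo: mike@example.org\nSubject: Notes\n\nAttached.\n",
]

def parties(raw):
    """Parse one message and return (sender, set of recipients), lower-cased."""
    msg = message_from_string(raw)
    senders = getaddresses(msg.get_all("From", []))
    sender = senders[0][1].lower() if senders else ""
    fields = msg.get_all("To", []) + msg.get_all("Cc", [])
    return sender, {addr.lower() for _, addr in getaddresses(fields)}

def in_scope(raw, target, peer):
    """True only for traffic between the two accounts named in the order."""
    sender, rcpts = parties(raw)
    return (sender == target and peer in rcpts) or (sender == peer and target in rcpts)

def pen_record(raw, target, peer):
    """Addressing-only record: Subject, body and out-of-scope recipients are dropped."""
    sender, rcpts = parties(raw)
    return {"from": sender, "to": sorted(rcpts & {target, peer})}

def run_filter(stream, target, peer, mode):
    """mode 'pen' keeps addressing only; mode 'full' keeps whole messages."""
    kept = [raw for raw in stream if in_scope(raw, target, peer)]
    if mode == "pen":
        return [pen_record(raw, target, peer) for raw in kept]
    return kept

def exposure(stream, target, peer):
    """(messages the filter had to parse, messages it retained)."""
    return len(stream), len(run_filter(stream, target, peer, "full"))

if __name__ == "__main__":
    for rec in run_filter(CAPTURED, "joe@example.org", "george@example.org", "pen"):
        print(rec)
    print(exposure(CAPTURED, "joe@example.org", "george@example.org"))
```

Whether the output is an addressing record or the full message is decided entirely by the `mode` setting inside the filter, which is the part no outside party can observe.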

Another problem for civil libertarians is the trustworthiness of the FBI. The FBI claims that it will only record e-mail communications to which it is entitled by the court order. But there is no way to ensure their compliance. It has access to a massive stream of communications over an ISP's network, and no one, including the ISP, will be able to verify which information is intercepted. According to the ACLU, this type of surveillance constitutes a repudiation of the Fourth Amendment, which has been based on the premise "that the Executive cannot be trusted with carte blanche authority when it conducts a search" (Steinhardt 2000).

There are indeed good reasons to be unnerved by Carnivore. The initial scope of surveillance—the entire stream of communications of an ISP's clients—is truly unprecedented. The proximity to all of these data near their source (the ISP) and lack of oversight clearly create the potential for abuse. Moreover, the FBI's poor track record in recent years, such as its inability to detect spying within its own ranks and its failure to hand over all of the evidence in the trial of the Oklahoma City bomber, Timothy McVeigh, has not inspired the public's confidence in its discretion and ability.

Civil liberties groups have also expressed dismay regarding the FBI's heavy-handed approach to the implementation of a law passed in 1994 known as the Communications Assistance for Law Enforcement Act (CALEA). According to this law,

A telecommunications carrier shall ensure that its equipment, facilities, or services ... are capable of expeditiously isolating and enabling the government, pursuant to a court order or other lawful authorization, to intercept, to the exclusion of other communications, all wire and electronic communications carried by the carrier within [its] service area.

The thrust of this regulation is that telephone companies must redesign their telecommunications infrastructure so that law-enforcement officials will continue to have the capability to engage in surveillance and wiretaps. Such redesign might be necessitated by new technologies that could impede interception of communications. One problem with CALEA has been the FBI's peremptory insistence that this legislation mandates that phone companies build in capabilities that exceed traditional interception procedures. For example, they insist that wireless service providers have location tracking capability built into their systems. Clearly, this poses another new threat to privacy. As Dempsey (1997) points out, the FBI will continue to dominate the implementation process and ignore privacy concerns "unless the other government institutions exercise the authority granted them under the statute to promote the counterbalancing values of privacy and innovation."

Nonetheless, the FBI and other federal law-enforcement officials are entrusted with safeguarding national security and public safety, and September 11 reminds us of the need for a heightened security consciousness. Hence, there is a need for responsible surveillance and wiretapping on the Internet that respects the delicate balance between order and liberty. If Carnivore is to be retained by the FBI, there must be more public oversight of its various uses. It may be necessary for Congress to raise the standard for the use of pen registers on the Internet, given the difficulty of separating origin and destination addresses from the content of e-mail communications. Also, there is no national reporting requirement for pen register court orders (as there is for wiretaps), and this too must be changed. There needs to be more publicity and accountability about the collection of these data. These and other measures will be essential if the integrity of the Fourth Amendment is to be preserved in the face of technologies like Carnivore.

Finally, the need for convergence is acute. We now have a patchwork approach to surveillance rules, with different standards for telephone, cable, and other communication systems. For example, according to the Cable Act of 1984 there is a high burden for government agencies to meet when requesting permission to monitor computers that use cable modems. The act also requires that the target of the surveillance be provided an opportunity to challenge the request. It would clearly be preferable to have one standard for all of these technologies, and that standard should give judges greater discretion over the process of granting requests for surveillance and wiretaps.
