The NSA and FBI have direct access to the servers of numerous tech industry giants.
On June 9, two reporters from the Guardian newspaper announced to the world the source of one of the most significant classified-document leaks in history. Edward Snowden, a 29-year-old national-security contractor from Hawaii, revealed that he was compelled by conscience to inform the world about a massive abuse of authority perpetrated by the US National Security Agency. According to the documents Snowden provided, which have been authenticated, the US government has been systematically collecting the phone records and online communications of millions of American citizens.
Both the media and the public were shocked by the news that the NSA had such broad digital surveillance capabilities. A program utilised by the agency, code-named PRISM, provides intelligence analysts with the ability to intercept almost any form of online communication, from any person. Government officials claim the program cannot be used to target US citizens. However, US intelligence agencies have planned to implement this type of program domestically for years.
We learned earlier this year that the FBI's top priority for 2013 is to increase their online surveillance authority. This directive – they claim – developed from an ever-widening gap between existing wiretap laws and the accelerated growth of online communications. According to the FBI, the limitations on their surveillance powers may now pose a “threat to public safety.” This problem is officially referred to by the bureau as “Going Dark.”
In 2011, before the House Judiciary Committee, Subcommittee on Crime, Terrorism, and Homeland Security, then General Counsel of the FBI Valerie Caproni made the following statement: "…the FBI and other government agencies are facing a potentially widening gap between our legal authority to intercept electronic communications pursuant to court order and our practical ability to actually intercept those communications." It isn't a stretch to describe the scenario given as fictitious taken recent revelations about the true power of the FBI to intercept our data.
This year, Andrew Weissmann, the current FBI general counsel, publicly expressed that the bureau wants to wiretap all forms of internet communication, in real time. Applications such as Skype, Gmail, and Dropbox were specifically named (he even joked about a chat feature he and a colleague use while playing online games of Scrabble). To be clear, the proposed expansion of power would not exclude the ability of the bureau to spy on American citizens. The law in question, which Weissmann discussed in detail, is the Communications Assistance for Law Enforcement Act (CALEA).
During this speech before the American Bar Association, Weissman described the necessity for new technologies, particularly those which could be implemented by the FBI for use in domestic surveillance. After opening up for questions, he was asked about the agency's ability to access Gmail in real time. Weissman responded, "What I was discussing is what's covered by CALEA. I'm not going to get into what we can and cannot do with respect to particular providers today." Now that we have an understanding of exactly what the FBI's capabilities are, it's clear a public debate over any potential expansion of CALEA is necessary, and may be imperative.
The challenge for Mr. Weissman's agency is how to effectively implement programs like PRISM without being hampered by legal restrictions, such as those imposed by certain sections of the FISA Amendments Act, which dictate that only non-US citizens may be intentionally targeted for real-time digital surveillance. By Mr. Weissman's own admission, the effort to reform CALEA to accomplish this is goal has been tasked to multiple US intelligence agencies.
This past April I reported on the FBI's plans for CALEA and discussed with a privacy expert the ramifications. Trevor Timm, an activist with the Electronic Frontier Foundation (EFF), explained that by expanding the powers of CALEA, the US government would gain the ability to build back-doors into the system of every internet company. Under current law, enforcement agencies must acquire a data warrant and provide it to companies like Facebook or Google, who then provide the agency with the requested information – or, so we thought.
Recently we've learned from investigations at the Guardian and Washington Post that the NSA and FBI have direct access to the servers of numerous tech industry giants including Google, Facebook, and Apple through the use of PRISM. It was also revealed that the “call records” of millions of Verizon customers are being harvested. Ironically, the EFF uses a metaphor about wiretapping cell phones to explain the government's thought process behind CALEA 2.0: “If we applied the FBI's logic to the phone system it would state that every individual phone should be designed with built-in bugs.”
Nearly every US official who has come forward to defend PRISM has cited Section 702 of the Foreign Intelligence Surveillance Act (FISA) as justification for the program. A DNI fact sheet released on July 6 says of Section 702: “Targeting procedures are designed to ensure that an acquisition targets non-US persons reasonably believed to be outside the United States for specific purposes.“ But to what extent must an NSA analyst be sure that their target is a non-US person? Only 51 percent according to Edward Snowden (who was also revealed to be the Washington Post's source on this story). The sheer volume of data being collected by the FBI and NSA means that even if the margin of error was below 1 percent, the amount of data illegally accessed by these agencies would be massive.
In a statement released on June 8, the director of National Intelligence, James Clapper, claimed that “[PRISM] cannot be used to intentionally target any US citizen.” The same day, an anonymous senior White House official also defended the program by stating, “This law does not allow the targeting of any US citizen or of any person located within the United States.” Aside from the fact that these statements are essentially false, it's important to note that this limitation contradicts the stated objectives of the FBI. Any limitation that restricts direct access to the servers of companies like Google and Facebook for the monitoring of non-US citizens only is in fact viewed by the intelligence community as a hindrance.
What can be considered of utmost importance is the fact that the FBI has stated that they are not content with federal agencies alone having the power to access your private data. During Valerie Caproni’s 2011 testimony before the House Judiciary Committee, she also made this statement: “The challenge facing our state and local counterparts is exacerbated by the fact that there is currently no systematic way to make existing federally developed electronic intercept solutions widely available across the law enforcement community.” Now imagine the Oakland Police Department or the NYPD having direct access to your conversations over Skype or Google chat messages in real time at the drop of a hat.
According to the EFF, who obtained documents from the FBI in 2011 via Freedom of Information Act request, the bureau has been working to expand CALEA since at least 2006. This effort includes coordination with state and local law enforcement agencies as well as private government contractors. One such contractors was Booz, Allen & Hamilton (BAH), the company Edward Snowden worked for prior to fleeing Hawaii and exposing the PRISM program.
BAH has worked for the FBI facilitating an implementation of CALEA for some time. In 1999, they were tasked with developing a custom system for the FBI (one called DCS-3000, but other versions were created as well) which allowed for the collection and recording of both “call content and call detail information” from personal communication services (PCS).
If FBI testimony that “existing federally developed electronic intercept solutions” should be shared with local law enforcement agencies means that a program similar to PRISM could eventually be at their disposal, a new wave of constitutional issues will result. For instance, it's possible that local law enforcement agencies will mistakenly wiretap individuals outside of their physical jurisdiction. Andrew Weissman even admitted, "Sometimes you don't even know where the search is occurring. "Essentially, this means the results of enhanced digital wiretapping capabilities in the hands of local law enforcement agents would be unpredictable.
A sheriff's department in Texas might, for instance, initiate a wiretap on the Gmail account of a California resident. Neither the individual nor the server on which the information sits is within the department's enforcement jurisdiction. If local law enforcement is to be held to the same 51 percent standard as NSA analysts, this would likely be a common occurrence. It is important to note that wiretap laws that differ state to state in regards to state and local law enforcement.
It may be true that when the FBI was required to serve warrants for user data directly to tech companies, it may have taken longer to initiate surveillance on a target. However, this process provided an important check on the FBI’s power to acquire said data. If tech companies no longer directly receive warrants for user data beforehand, the only oversight remaining to monitor the use of a wiretap is the FISA court. But, as we've recently discovered with Verizon, the FISC is willing to surreptitiously authorise the collection of millions of innocent Americans’ private records. The fact that this is even perceived as constitutional by the court at all, only goes to show how shockingly impaired their interpretation of the Fourth Amendment really is.
Normally, if the FBI mistakenly enters the wrong residence and seizes materials belonging to an innocent person, the citizen is aware of the search. In contrast, the secret nature of FISA warrants prevents citizens from discovering that their privacy has been violated – online.
What is equally distressing is the scope of criminal activity to which these new digital surveillance techniques may be applied. The US government has tried to propitiate the media and the public by justifying the application of PRISM using references to weapons of mass destruction and the ever-impending threat of terrorism. However, the FBI has no intention of limiting the use of digital wiretaps on American citizens solely to facilitate the war on terror.
Caproni's testimony before Congress highlighted two primary examples of why an expansion of CALEA was necessary: a two-year investigation by the Drug Enforcement Agency involving the importation of illegal narcotics and an investigation into the distribution of child pornography. It's unclear if a blanket law that references probable cause or individual warrants would be sought in pursuant of these cases.
Now that we are more aware of what potentially lies in store for our privacy it is the responsibility of the public, the press, and of Congress to openly engage in debates about the level of access that law enforcement should have to our personal data, at any point in time. The notion that “I'm not doing anything wrong, so why should I care,” is unquestionably inappropriate in this instance. As we have seen from the past, simply entrusting the federal government to act alone with regards to our constitutionally protected right to privacy is a terrible idea. And with the amount of information currently being recorded off of the internet and cellular networks, the impact from a program like PRISM is incomprehensible.
Follow Dell on Twitter: @dellcam
For more stuff on the NSA, check these out: