A technician at an AT&T switching office in San Francisco leaked documents showing that a fiber-optic signal at the office was being split: a copy of the signal went into a “secret room,” where it was analyzed and part of its contents sent elsewhere for further analysis. The leaked documents— whose authenticity was confirmed by AT&T during a subsequent court case— reveal that the San Francisco office was only one of a number of offices set up this way.

From the wiretapper’s viewpoint, the end of the rainbow would be the ability to store all traffic and then decide later which messages were worthy of further study. Although this is usually not feasible, storing the transactional information about telephone calls—calling and called numbers, time, duration— is. These CDRs (call detail records) are routinely retained by the carriers who use them for planning and billing purposes. Law enforcement had previously been able to obtain call details—in police jargon pen register and trap-and-trace—collected in response to court orders targeted at individual phones. By comparison, the CDR database provides information on all the subscrib-ers over long periods of time, a rich source of information about customer activities, revealing both the structure of organizations and the behavior of individuals. Several telephone companies appear to have surrendered them in response to government pressure without demanding court orders.

 

Wiretapping in an iP-based World Internet communications cannot be effectively exploited using the facilities of traditional telephony, so as early as 2000 the FBI developed a tool for wiretapping at ISPs. The tool—initially named Carnivore but eventually given the less menacing title DCS-3000— examined packets passing through the ISP and copied those that met intercept criteria stored in internal tables. The tables were set through a remote connection to the FBI’s own offices. Surprisingly for law enforcement, which places great store on the chain of custody of evidence, Carnivore had little provision for auditing and overall poor internal security. Rather than having a separate name and password for each user, it relied on a single shared

from the
wiretapper’s
viewpoint,
the end of the
rainbow would
be the ability to
store all traffic
and then decide
later which
messages were
worthy of
further study.

login. More significant from a privacy standpoint, Carnivore bypassed the traditional process of wiretapping in which the court issues an order but the carrier’s personnel execute the order. This gives the carrier both the obligation and opportunity to challenge the order in court if it believes the order to be illegal. When the order is implemented by a message sent directly from the FBI to the Carnivore box, this additional layer of oversight is lost.

In parallel with its technical activities, the FBI worked to extend wiretapping law to the Internet. CALEA had been passed with an exemption for “information services” (that is, the Internet), and with the rise of VoIP (voice over IP), the FBI feared it would lose an important investigative tool. VoIP comes in many flavors, from the peer-to-peer model employed by Skype to others in which the path between the subscriber and the telephone central office is traditional telephony but IP communications are used throughout most of the call’s path.

The FBI began slicing the salami with the “easy” cases in which VoIP communications behave most like traditional phone calls, and it was successful in getting the courts to agree to this extension. Most IP communications, however, do not behave as telephone calls; peer-to-peer VoIP systems, for example, use a centralized mechanism to provide the communicating parties with each other’s IP addresses but rely on the Internet for actual communication. In this scheme there is no central point at which a wiretap could be authorized. If regulation were to require that IP-based communications adopt a centralized architecture like the telephone network, the innovation that is the engine of high-tech industry could be stifled.

In 2007, Congress legalized warrantless wiretapping; in 2008, it went a long step further, not only legalizing new wiretapping practices but also giving retroactive immunity to telephone companies that had colluded with the government in performing warrantless electronic eavesdropping. The FISA court previously had reviewed individual warrants; now certain classes of wiretaps would not be reviewed individually but conducted under procedures reviewed periodically by the court.