A technician at an AT&T switching
office in San Francisco leaked documents showing that a fiber-optic signal
at the office was being split: a copy of
the signal went into a “secret room,”
where it was analyzed and part of its
contents sent elsewhere for further
analysis. The leaked documents—
whose authenticity was confirmed by
AT&T during a subsequent court case—
reveal that the San Francisco office was
only one of a number of offices set up
this way.
From the wiretapper’s viewpoint, the
end of the rainbow would be the ability
to store all traffic and then decide later
which messages were worthy of further
study. Although this is usually not feasible, storing the transactional information about telephone calls—calling
and called numbers, time, duration—
is. These CDRs (call detail records) are
routinely retained by the carriers who
use them for planning and billing purposes. Law enforcement had previously
been able to obtain call details—in
police jargon pen register and
trap-and-trace—collected in response to court
orders targeted at individual phones.
By comparison, the CDR database provides information on all the subscrib-ers over long periods of time, a rich
source of information about customer
activities, revealing both the structure
of organizations and the behavior of
individuals. Several telephone companies appear to have surrendered them
in response to government pressure
without demanding court orders.
Wiretapping in an iP-based World
Internet communications cannot be
effectively exploited using the facilities of traditional telephony, so as early
as 2000 the FBI developed a tool for
wiretapping at ISPs. The tool—initially
named Carnivore but eventually given
the less menacing title DCS-3000—
examined packets passing through the
ISP and copied those that met intercept criteria stored in internal tables.
The tables were set through a remote
connection to the FBI’s own offices.
Surprisingly for law enforcement,
which places great store on the chain
of custody of evidence, Carnivore had
little provision for auditing and overall
poor internal security. Rather than having a separate name and password for
each user, it relied on a single shared
from the
wiretapper’s
viewpoint,
the end of the
rainbow would
be the ability to
store all traffic
and then decide
later which
messages were
worthy of
further study.
login. More significant from a privacy
standpoint, Carnivore bypassed the
traditional process of wiretapping in
which the court issues an order but the
carrier’s personnel execute the order.
This gives the carrier both the obligation and opportunity to challenge the
order in court if it believes the order
to be illegal. When the order is implemented by a message sent directly
from the FBI to the Carnivore box, this
additional layer of oversight is lost.
In parallel with its technical activities, the FBI worked to extend wiretapping law to the Internet. CALEA had
been passed with an exemption for
“information services” (that is, the Internet), and with the rise of VoIP (voice
over IP), the FBI feared it would lose
an important investigative tool. VoIP
comes in many flavors, from the peer-to-peer model employed by Skype to
others in which the path between the
subscriber and the telephone central
office is traditional telephony but IP
communications are used throughout
most of the call’s path.
The FBI began slicing the salami
with the “easy” cases in which VoIP
communications behave most like
traditional phone calls, and it was successful in getting the courts to agree to
this extension. Most IP communications, however, do not behave as telephone calls; peer-to-peer VoIP systems,
for example, use a centralized mechanism to provide the communicating
parties with each other’s IP addresses
but rely on the Internet for actual communication. In this scheme there is no
central point at which a wiretap could
be authorized. If regulation were to require that IP-based communications
adopt a centralized architecture like
the telephone network, the innovation
that is the engine of high-tech industry
could be stifled.
In 2007, Congress legalized warrantless wiretapping; in 2008, it went
a long step further, not only legalizing
new wiretapping practices but also giving retroactive immunity to telephone
companies that had colluded with the
government in performing warrantless
electronic eavesdropping. The FISA
court previously had reviewed individual warrants; now certain classes of
wiretaps would not be reviewed individually but conducted under procedures
reviewed periodically by the court.