X

How the U.S. forces Net firms to cooperate on surveillance

Officially, Uncle Sam says it doesn't interfere. But behind the scenes, the feds have been trying to browbeat Internet firms into helping with surveillance demands.

Declan McCullagh Former Senior Writer
Declan McCullagh is the chief political correspondent for CNET. You can e-mail him or follow him on Twitter as declanm. Declan previously was a reporter for Time and the Washington bureau chief for Wired and wrote the Taking Liberties section and Other People's Money column for CBS News' Web site.
Declan McCullagh
6 min read
Russian supporters of Edward Snowden, who leaked classified National Security Agency surveillance documents, rally today in central Moscow.
Russian supporters of Edward Snowden, who leaked classified National Security Agency surveillance documents, rally today in central Moscow. Getty Images

By wielding a potent legal threat, the U.S. government is often able to force Internet companies to aid its surveillance demands. The threat? Comply or we'll implant our own eavesdropping devices on your network.

Under federal law, the National Security Agency can serve real-time "electronic surveillance" orders on Internet companies for investigations related to terrorism or national security.

These orders, authorized by the Foreign Intelligence Surveillance Act, are used to feed data into the NSA's PRISM software program that was revealed last month by former intelligence analyst Edward Snowden. PRISM documents indicate that the NSA can receive "real-time notifications" of user log-ins.

Some Internet companies have reluctantly agreed to work with the government to conduct legally authorized surveillance on the theory that negotiations are less objectionable than the alternative -- federal agents showing up unannounced with a court order to install their own surveillance device on a sensitive internal network. Those devices, the companies fear, could disrupt operations, introduce security vulnerabilities, or intercept more than is legally permitted.

"Nobody wants it on-premises," said a representative of a large Internet company who has negotiated surveillance requests with government officials. "Nobody wants a box in their network...[Companies often] find ways to give tools to minimize disclosures, to protect users, to keep the government off the premises, and to come to some reasonable compromise on the capabilities."

Precedents were established a decade or so ago when the government obtained legal orders compelling companies to install custom eavesdropping hardware on their networks.

One example, which has not been previously disclosed, arose out of a criminal investigation in which the Drug Enforcement Administration suspected a woman of trafficking in 1,4-Butanediol. The butane-derived chemical is used industrially as a solvent and recreationally as a date rape drug or sedative.

The DEA's Special Operations Division, which includes FBI representatives, obtained a real-time intercept order -- sometimes called a Title III order -- against EarthLink and WorldCom, a network provider that's now part of Verizon Business. Both companies were targeted by the order because EarthLink routed outgoing e-mail messages through equipment leased from WorldCom.

WorldCom technicians were required to help the DEA install surveillance equipment that the agency had purchased and provided. Over the course of the wiretap, the government's hardware vacuumed up over 1,200 e-mail messages from the targeted account. EarthLink did not respond to a request for comment this week.

FISA gives the government a powerful club to wield against Internet companies. The law requires the firms to "furnish all information, facilities, or technical assistance necessary to accomplish the electronic surveillance" as long as it can be done with a "minimum of interference" with other users.

In another case that was closely watched within the industry, the FBI invoked similar language to force EarthLink to install a Carnivore network monitoring device, over the company's strenuous objections. EarthLink challenged the surveillance order in court because it was concerned that Carnivore would vacuum up more user metadata than the court order authorized.

It lost. A federal magistrate judge sided with the government, despite the fact that "Carnivore would enable remote access to the ISP's network and would be under the exclusive control of government agents," Robert Corn-Revere, an attorney for EarthLink, told Congress at the time.

Those legal victories allowed the government to strong-arm Internet companies into reworking their systems to aid in surveillance -- under the threat of having the FBI install NarusInsight or similar devices on their networks. "The government has a lot of leverage," including contracts and licenses, said a representative for an Internet company. "There is a lot of pressure from them. Nobody is willingly going into this."

Jennifer Granick, director of civil liberties at Stanford University's Center for Internet and Society, said, referring to the government's pressure tactics:

They can install equipment on the system. And I think that's why companies are motivated to cooperate [and] use their own equipment to collect for the government. They would rather help than let any government equipment on their service, because then they lose oversight and control.

In 1994, then-President Bill Clinton signed into law the Communications Assistance for Law Enforcement Act, or CALEA, which required telephone companies to configure their systems to perform court-authorized lawful intercepts in a standard way. In 2004, that requirement was extended to cover broadband providers, but not Web companies.

A survey of earlier litigation shows, however, that the Justice Department was able to convince courts to force companies to take steps to permit surveillance through their networks long before CALEA became law.

In 1977, the U.S. Supreme Court ruled that surveillance law is a "direct command to federal courts to compel, upon request, any assistance necessary to accomplish an electronic interception."

Other courts followed suit. The U.S. Court of Appeals for the Third Circuit concluded in 1979 that the Bell Telephone Company of Pennsylvania must comply with a surveillance order because it would cause only "a minimal disruption of normal operations." The Ninth Circuit ruled against Mountain Bell a year later, saying a surveillance order "recognized the practical fact that the actions ordered were technical ones which only that company could perform."

Edward Snowden speaks earlier today after meeting with leading Russian rights activists and lawyers at Moscow's Sheremetyevo airport, where he has been stuck in transit for the last three weeks.
Edward Snowden speaks earlier today after meeting with leading Russian rights activists and lawyers at Moscow's Sheremetyevo airport, where he has been stuck in transit for the last three weeks. Getty Images

If an Internet company offers encryption designed in such a way that even its engineers can't access users' files or communications, it would be unable to comply with a FISA or other surveillance order.

But with a few exceptions, such as SpiderOak and Fogpad, nearly all companies use encryption only in transit, meaning data stored on servers remains unencrypted.

That's why Microsoft could be compelled to work with the NSA and the FBI's Data Intercept Technology Unit to aid in surveillance of Outlook.com and Hotmail messages, a situation the Guardian disclosed yesterday, citing documents provided by Snowden.

Internet companies have, on occasion, created "teams of in-house experts" to figure out how to respond to FISA surveillance orders, The New York Times reported last month.

Microsoft's engineers have quietly designed a system to comply with government orders, which manages to avoid having a surveillance device implanted on a internal network. (Microsoft declined to comment for this article.)

One case that used it arose out of a probe into illegal drug sales in Philadelphia. As part of that investigation, the government obtained a court order for a real-time wiretap against a Hotmail account.

Microsoft's wiretap compliance system worked by forwarding a copy of two suspects' e-mail messages to a "shadow account" located elsewhere on Hotmail's servers. Each address under surveillance had a separate "shadow account" associated with it.

Every 15 minutes, an automated process logged in to these shadow accounts and transferred the retrieved e-mails into "case folders" on computers at a DEA office in Lorton, Va.

Homeland Security agents separately obtained a real-time wiretap of a Hotmail account used by a man suspected of possessing pornography involving minors. A case associated with that criminal prosecution, which might reveal more about surveillance techniques used by Immigration and Customs Enforcement, remains under seal in a New Jersey federal court.

A Google spokesman declined to say this week whether the company could comply with a wiretap order targeting a Google Hangout or Google Talk conversation.

The government's ability to perform surveillance even when armed with a court order depends in large part on the decisions engineers made when designing a product. "Many implementations include an ability to monitor sessions as a debugging tool," one government official said this week. "Depending on how things have been built, a real-time wiretap may be nothing more than turning that on. As an example, all enterprise-grade Ethernet switches include a monitor port -- not because the FBI demands it, but because sysadmins need it."

Christopher Soghoian, principal technologist for the ACLU's Speech, Privacy and Technology Project, said the PRISM disclosures show Internet companies should embrace strong encryption for their users. "This is a place where the companies have an opportunity to do something that doesn't hurt their ability to make money and [that wins] them praise," he said.