Wiretapping focus shifts to e-mail communications

The FISA fight is all about the e-mails, according to public comments made on Tuesday by a Department of Justice official.

For months, the debate has centered around immunity for telecom companies including AT&T, Verizon, and Sprint. The primary focus has been on the warrantless wiretapping of the phone calls made by millions of Americans. In comments made at a public meeting on Tuesday, Assistant Attorney General for National Security Kenneth Wainstein made clear that the FISA fight is not about foreign-to-foreign calls, but actually about Internet data. The Washington Post reports:

At the breakfast yesterday, Wainstein highlighted a different problem with the current FISA law than other administration officials have emphasized. Director of National Intelligence Mike McConnell, for example, has repeatedly said FISA should be changed so no warrant is needed to tap a communication that took place entirely outside the United States but happened to pass through the United States.

But in response to a question at the meeting by David Kris, a former federal prosecutor and a FISA expert, Wainstein said FISA's current strictures did not cover strictly foreign wire and radio communications, even if acquired in the United States. The real concern, he said, is primarily e-mail, because "essentially you don't know where the recipient is going to be" and so you would not know in advance whether the communication is entirely outside the United States.

What this means, of course, is that while the public outcry has been focused on AT&T, it should have included a few other firms, including perhaps Microsoft, Yahoo and Google.

If the NSA is interested in getting email messages, it can do so in one of two ways. First, it can tap the Internet backbone, through which almost all communications flow. Second, it can go directly to the major email providers.

The Backbone Providers

According to the relevant Wikipedia page, the Internet backbone (commonly understood to mean the collection of Tier 1 internet Service Providers) is made up of: AOL Transit Data Network, AT&T, Global Crossing, Verizon Business (formerly UUNET), NTT Communications, Qwest, SAVVIS, and Sprint.

From numerous press reports, we already know that AT&T, Verizon, and Sprint are involved in the shady NSA wiretapping program. Furthermore, we also know that Qwest refused to participate as the government would not provide a FISA warrant.

That leaves AOL, Global Crossing, NTT Communications, and SAVVIS as other potential participants in any NSA effort to sniff email communications.

The Email Providers

With www.alqaeda.com, www.alqaeda.net and www.alqaeda.org owned by domain squatters, where should a would-be terrorist go for email? Microsoft's Hotmail of course.

In all seriousness, no terrorist worth his or her salt would advertise themselves by using a domain name related to their cause, and so it is far more likely that they would want to blend into the crowd of the hundreds of millions of other users the major free email providers -- Yahoo, Microsoft Hotmail, and Google Mail.

The Protect America Act of 2007 permitted intelligence agencies to force Google, Yahoo and Microsoft to hand over a copy of every email passing through their systems which lists one non-US recipient. While the law expired in February, any orders initiated under the act can continue until August of this year.

It is unclear what the major email providers could have been forced to do before the Protect America Act. However, if email communications are the most important issue in the telecom immunity debate, we should certainly be looking carefully at these and other email providers. As other bloggers have previously discussed, the proposed legislation would provide immunity for all companies that assisted the administration in its illegal spying, not just AT&T and the other 2 telcos.

Public Comment and Denial

I made an effort to get a comment from a few of the major free email provider. However, I didn't bother with the backbone providers -- as I assumed I'd get the same "we respect privacy and will respond to lawful requests" line that is common in the industry.

Microsoft's PR people were nice enough to let me know that the company has over 300 million active email accounts. When asked how many of those accounts the company had turned over to US intelligence agencies, the company declined to comment.

Google was a bit more verbose. Its spokeperson told me that: "As our privacy policy states, we comply with law enforcement requests made with proper service. We do not discuss specific law enforcement requests and generally do not share aggregate information about them. There are also some legal restrictions on what information we can share about law enforcement requests.

As Wired's Ryan Singel has often noted, Google could easily tell us how many divorce lawyers, copyright holders and law enforcement agencies are probing people's search histories and emails. The company chooses not to, primarily because doing so would shed light on how much information the company has, and how often it is forced to share it with third parties.

One thing is clear: With the proposed immunity bill looking like it will pass this week, members of the media and the privacy community should pay close attention to Google, Microsoft, Yahoo, and the major operators of the Internet backbone. The immunity provisions will just as equally apply to them -- and up until now, they've received almost no scrutiny at all.