ARTS & FARCES internet

Last month the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA Patriot) Act turned 10 years old. In those 10 years, it’s abundantly clear that the law is being used more for domestic crime than terrorism.

The law enables the government to obtain telephone, internet, banking, and other personal information on individuals without first showing probable cause and obtaining a warrant. Instead, national security letters are used to subvert the warrant process. Instead of showing probable cause, law enforcement—most notably the Federal Bureau of Investigation (FBI)—need only assert that the requested information is “relevant” to an ongoing investigation involving terrorism or national security. Recipients of national security letters are generally prohibited from disclosing the receipt or the information requested.

To make matters worse, at least one politician—US Senator Ron Wyden (D-Oregon) suspects that the government has a secret interpretation of the Patriot Act. Wyden says he can’t expand upon his claims without revealing classified information.

An Inspector General report (.pdf; 4.3MB) reveals that while 143,000 national security letters were served by the FBI between 2003-05, only 53 cases were prosecuted and none were for terrorism.

Another big problem with the Patriot Act is that it allows “sneak-and-peak” searches—mostly for drug-related, not terrorism cases—whereby a property owner is not immediately notified that her property has been searched.

Last May, the US Congress punted yet again by reauthorizing three of the most egregious provisions of the Patriot Act. “Roving wiretaps” allow the FBI to obtain wiretaps from the secret Foreign Intelligence Surveillance Act (FISA) court without identifying a specific target. The “any tangible thing” provision allows secret FISA court warrants for any type of record or document without linking the document request to a specific terrorism or espionage investigation. The “lone wolf” provision allows secret FISA court warrants for electronic monitoring of a suspect without showing an agency connection to a foreign state.

These provisions were originally set to expire in December 2009 but were extended by Congress until the end of February 2010, then February 2011, then May 2011, and now June 2015. Yay Congress.

One bright, shining light on the 10th anniversary of the misguided Patriot Act is the move by the Electronic Frontier Foundation (EFF) to sue for answers to the secret interpretation alleged by Wyden and others under Section 215 (the “any tangible things” provision) of the Patriot Act.

The US government has obtained Jacob Appelbaum’s user information and private data from Google without a search warrant. Applebaum works on the Tor project and is a WikiLeaks volunteer. The Obama administration requested the information under a secret order made possible by the Electronic Communications Privacy Act (ECPA) which allows the government to obtain such information without a warrant and without notification of the target.

Julia Angwin, writing for the Wall Street Journal, reports that Santa Rosa, CA-based Sonic.net, Inc. also received the government’s secret order, resisted it, but lost in court and was forced to disclose the information. Angwin reports the secret order included the email addresses of people with whom Applebaum corresponded over the past two years but not the email content.

The ECPA was intended to extend the same protections to electronic communications as those already in place for land-line telephone calls and paper mail, but was enacted before the advent of the web and email services like Google’s Gmail and the widespread use of internet message access protocol (IMAP) where email is stored on a third-party’s server. If ever there were a time to go back to post office protocol (POP) email—where all email is stored on your local computer—this is it.

US law enforcement regularly uses the provisions of the ECPA to obtain email, mobile phone location information, and other digital data without a warrant (which would require showing probable cause that a crime had been committed). Under the provisions of the ECPA, the government need only show “reasonable grounds” that the material sought would be “relevant and material” to an investigation.

Because most of the orders are secret, and the targets usually never know that the government had gained access to their email and mobile phone records (the information providers are generally prohibited from disclosing the information release to targets), it’s difficult to know just how many such information disclosures take place under these secret orders. As an example, Angwin reports that Google, in the last six months of 2009, received 4,601 such requests and complied with 94 percent of them.

There is some movement to revise the ECPA, bringing it up to date with the existing technology. Angwin reports that US Senator Patrick Leahy (D-Vermont), the ECPA’s original author, has said the law is “significantly outdated and outpaced by rapid changes in technology.” Leahy has introduced revised legislation (.pdf; 66KB).

US Senators Al Franken (D-Minnesota) and Richard Blumenthal (D-Connecticut) introduced a bill, the Location Privacy Protection Act (.pdf; 82KB), that would require platform vendors and app developers to obtain user consent before collecting those users’ location information. It would apply only to non-governmental collection of location information.

US Senators Ron Wyden (D-Oregon) and US Representative Jason Chaffetz (R-Utah) introduced a similar bill, the Geolocation Privacy and Surveillance Act (.pdf; 53KB), that would apply to both government agencies and commercial entities. Law enforcement agencies would be required to show probable cause and obtain a warrant before accessing location information on individuals.

The US Justice Department has consistently maintained that it doesn’t need a warrant to track an individual’s historic movements or current location from transmission towers used by the subject’s mobile phone. Jennifer Valentino-DeVries, writing for the Wall Street Journal, cites an academic paper and a 2010 Newsweek article describing thousands of location requests from law enforcement to wireless carriers each month.

David Kravets, writing for Wired, notes that Wyden’s bill comes on the heels of the Obama administration’s request to the US Supreme Court to allow warrantless installation of GPS tracking devices on suspects’ vehicles. The legislation, as proposed, would apply to real-time tracking and include past location and movement information. This last bit puts it squarely in conflict with a bill introduced by US Senator Patrick Leahy (D-Vermont), the Electronic Communications Privacy Act Amendments of 2011 (.pdf; 66KB), that focuses mainly on requiring probable cause and a warrant to obtain email stored on servers (including in the cloud). Leahy’s bill would require probable cause and a warrant for real-time GPS tracking, but not for past location and movement information.

Scott Thurm and Yukari Iwatani Kane, writing for the Wall Street Journal, reported last year that 47 of 101 surveyed apps transmit location information to third parties without users’ consent (or even knowledge); 56 of the surveyed apps sent the phone’s device identification number. Five of the surveyed apps reported “age, gender, and other personal details.”

The US Federal Bureau of Investigation (FBI) is re-writing its manual, the Domestic Investigations and Operations Guide, to include loosened privacy restraints for surveilling domestic subjects. The new rules include permission to search databases and household trash with neither a warrant nor the requirement to open a record, according to Charlie Savage, writing for the New York Times.

The agency doesn’t need permission to change its manual, but the changes must fall within the attorney general’s guidelines.

The inspector general found in 2007 that the FBI had continuously abused national security letters since the agency began surveilling political advocacy groups. The new rules will do nothing to curtail the agency’s abuses. Savage reports the changes apply to agency “assessments,” a low-level proactive investigation created in 2008 to allow agents to surveil individuals and organizations without evidence. Agents are required to create a record of such surveillance; under the new rules, no such record will be required. The new rule will make it virtually impossible to detect abuse.

Agents have long been able to participate in organizations without disclosure, but the ground rules for such participation have never been made public. Under the new rules, agents—and informants—are allowed to attend up to five meetings before being subject to any rules at all.

In December 2005, after sitting on the story for more than a year, the New York Times exposed George W. Bush’s warrantless wiretapping program (which continues under Barack Obama) but kind of dropped the ball shortly after the initial set of articles. Jane Mayer, writing for the New Yorker, goes much deeper in her profile of Thomas Drake, the whistleblower at the National Security Agency (NSA) currently facing charges that he violated the Espionage Act.

If convicted, Drake faces up to 35 years in prison.

Drake, when he was still an NSA employee, became an anonymous source for various congressional committees investigating intelligence failures after 11 September 2001. He disclosed top-secret documents, revealing NSA mistakes including the failure to share critical information with other US intelligence agencies prior to the attacks. Mayer writes that the “NSA has a rule requiring employees to clear any contact with Congress.”

Mayer reports how former NSA director Michael Hayden early on encouraged a congressional staffer to remain quiet about the legality of the warrantless wiretapping program and told his staff that there weren’t privacy safeguards in the program because “We didn’t need them. We had the power.”

Mayer also cites the creator of the software used for the warrantless wiretaps, Bill Binney, as saying that privacy safeguards were initially built into the software but that the NSA modified the software to remove these safeguards, making it easier to surveil everyone promiscuously; “to eavesdrop on the whole world,” Binney told Mayer. Binney’s software was capable of processing information in real-time (or nearly so), mapping relationships between people, and discarding irrelevant information—drastically changing the way the NSA dealt with information overload. But it was an indiscriminate vacuum. It collected everything including domestic communications and foreign communications crossing switches in the US in clear violation of the US Foreign Intelligence Surveillance Act (FISA) forbidding collection of domestic communications without a warrant.

Binney, like many of Mayer’s sources, left the NSA on ethical grounds. “I couldn’t be an accessory to subverting the Constitution,” Binney told Mayer.

Binney told Mayer he “believes that the agency now stores copies of all emails transmitted in America, in case the government wants to retrieve the details later,” citing enormous storage facilities in Texas and Utah. “After 9/11, General Hayden reassured everyone that the NSA didn’t put out dragnets, and that was true. It had no need—it was getting every fish in the sea,” Binney told Mayer.