[Infowarrior] - Wiretapping focus shifts to e-mail communications

[Richard Forno]

Wiretapping focus shifts to e-mail communications
Posted by Chris Soghoian Post a comment
http://www.cnet.com/8301-13739_1-9886766-46.html

The FISA fight is all about the e-mails, according to public comments made
on Tuesday by a Department of Justice official.

For months, the debate has centered around immunity for telecom companies
including AT&T, Verizon, and Sprint. The primary focus has been on the
warrantless wiretapping of the phone calls made by millions of Americans. In
comments made at a public meeting on Tuesday, Assistant Attorney General for
National Security Kenneth Wainstein made clear that the FISA fight is not
about foreign-to-foreign calls, but actually about Internet data. The
Washington Post reports:

    At the breakfast yesterday, Wainstein highlighted a different problem
with the current FISA law than other administration officials have
emphasized. Director of National Intelligence Mike McConnell, for example,
has repeatedly said FISA should be changed so no warrant is needed to tap a
communication that took place entirely outside the United States but
happened to pass through the United States.

    But in response to a question at the meeting by David Kris, a former
federal prosecutor and a FISA expert, Wainstein said FISA's current
strictures did not cover strictly foreign wire and radio communications,
even if acquired in the United States. The real concern, he said, is
primarily e-mail, because "essentially you don't know where the recipient is
going to be" and so you would not know in advance whether the communication
is entirely outside the United States.

What this means, of course, is that while the public outcry has been focused
on AT&T, it should have included a few other firms, including perhaps
Microsoft, Yahoo and Google.

If the NSA is interested in getting email messages, it can do so in one of
two ways. First, it can tap the Internet backbone, through which almost all
communications flow. Second, it can go directly to the major email
providers.

The Backbone Providers

According to the relevant Wikipedia page, the Internet backbone (commonly
understood to mean the collection of Tier 1 internet Service Providers) is
made up of: AOL Transit Data Network, AT&T, Global Crossing, Verizon
Business (formerly UUNET), NTT Communications, Qwest, SAVVIS, and Sprint.

>From numerous press reports, we already know that AT&T, Verizon, and Sprint
are involved in the shady NSA wiretapping program. Furthermore, we also know
that Qwest refused to participate as the government would not provide a FISA
warrant.

That leaves AOL, Global Crossing, NTT Communications, and SAVVIS as other
potential participants in any NSA effort to sniff email communications.

The Email Providers

With www.alqaeda.com, www.alqaeda.net and www.alqaeda.org owned by domain
squatters, where should a would-be terrorist go for email? Microsoft's
Hotmail of course.

In all seriousness, no terrorist worth his or her salt would advertise
themselves by using a domain name related to their cause, and so it is far
more likely that they would want to blend into the crowd of the hundreds of
millions of other users the major free email providers -- Yahoo, Microsoft
Hotmail, and Google Mail.

The Protect America Act of 2007 permitted intelligence agencies to force
Google, Yahoo and Microsoft to hand over a copy of every email passing
through their systems which lists one non-US recipient. While the law
expired in February, any orders initiated under the act can continue until
August of this year.

It is unclear what the major email providers could have been forced to do
before the Protect America Act. However, if email communications are the
most important issue in the telecom immunity debate, we should certainly be
looking carefully at these and other email providers. As other bloggers have
previously discussed, the proposed legislation would provide immunity for
all companies that assisted the administration in its illegal spying, not
just AT&T and the other 2 telcos.

Public Comment and Denial

I made an effort to get a comment from a few of the major free email
provider. However, I didn't bother with the backbone providers -- as I
assumed I'd get the same "we respect privacy and will respond to lawful
requests" line that is common in the industry.

Microsoft's PR people were nice enough to let me know that the company has
over 300 million active email accounts. When asked how many of those
accounts the company had turned over to US intelligence agencies, the
company declined to comment.

Google was a bit more verbose. Its spokeperson told me that: "As our privacy
policy states, we comply with law enforcement requests made with proper
service. We do not discuss specific law enforcement requests and generally
do not share aggregate information about them. There are also some legal
restrictions on what information we can share about law enforcement
requests.

As Wired's Ryan Singel has often noted, Google could easily tell us how many
divorce lawyers, copyright holders and law enforcement agencies are probing
people's search histories and emails. The company chooses not to, primarily
because doing so would shed light on how much information the company has,
and how often it is forced to share it with third parties.

One thing is clear: With the proposed immunity bill looking like it will
pass this week, members of the media and the privacy community should pay
close attention to Google, Microsoft, Yahoo, and the major operators of the
Internet backbone. The immunity provisions will just as equally apply to
them -- and up until now, they've received almost no scrutiny at all.