[Infowarrior] - Feds want new ways to tap the Web

Richard Forno rforno at infowarrior.org
Mon Mar 7 08:55:35 CST 2011


Feds want new ways to tap the Web
By: Jennifer Martinez
March 7, 2011 04:32 AM EST

http://dyn.politico.com/printstory.cfm?uuid=8E59FC52-B301-DD35-F0823F631C3A0F4D

When it comes to criminal investigations, federal law enforcement is eager to get access to the bread crumb trail that suspects leave on the Web. 

In the age of Facebook, Twitter and Skype, however, the FBI and other agencies often must operate within the constraints of laws and regulations that haven’t been updated in more than a decade. 

The Obama administration is considering new regulations to require Web-based communications services to incorporate surveillance capabilities in their products, so law enforcement can conduct digital wiretaps if suspects message Facebook “friends” or conspire via Skype. 

FBI General Counsel Valerie Caproni told the House Judiciary Committee in late February about a case the agency was investigating involving a pimp allegedly trafficking underage girls and producing child pornography on a social-networking service. But that social network — which she didn’t name — lacked “the necessary technological capability to intercept the electronic communications.” 

The result was “a weaker case and a lighter sentence than might otherwise have occurred,” she said. 

The administration has not yet submitted a formal proposal to Congress, but already forces are mobilizing against the idea, warning that new regulations may jeopardize privacy and deter innovation. 

“It’s clear that some kind of mandate at the application level to build in what’s essentially a back door is going to be chilling to innovation,” said Leslie Harris, president of the Center for Democracy & Technology. 

Here are five social media technologies that the administration could target: 

1. Web-based e-mail and real-time chat 

The challenge for law enforcement is that these cyber conversations are often encrypted — meaning the data are scrambled — and sometimes companies don’t store the exchanges on their servers so that authorities can retrieve them later. 

Google operates such services in Gmail, the Web-mail program, and Google Chat, an instant messaging platform. Within Gmail, users can opt to take a Google Chat conversation “off the record” so it’s not saved within their Gmail account. Google said it does not store these “off the record” chats. 

From January to June of last year, the search company received more than 4,280 requests for user data from the U.S. government, up from 3,580 requests made during the previous six-month period.

Google is still the only major tech company to provide figures on the number of user-information requests it receives. The company does not release the number of requests it grants. In addition, spokesman Brian Richardson said the company sometimes fills requests only partially. 

“The hope is we can one day provide that information in a useful way for people, but we haven’t figured out the best way to do that yet,” Richardson told POLITICO. 

It’s also unclear whether law enforcement can tap instant-message conversations over Google Chat in real time. Google declined to comment on specifics, but a company spokesman said, “We do comply with valid legal processes.” 

2. Private tweets 

Most information people share in their Twitter profile and their tweets is public. However, there is an option to keep your tweets private — for a select audience — and users can send private messages directly to another user. That’s an area where law enforcement might want to eavesdrop. 

Twitter notes in its law-enforcement guidelines that “some information may only be stored for a very brief period” because of the service’s real-time nature, and it “is not able to provide images or videos that a user may share through their account” other than a person’s profile image and decorative background they may choose for their profile. 

Twitter declined to comment, noting its guidelines are on its site. 

But the San Francisco-based company recently broke from those guidelines after receiving a request for the account information of three people associated with WikiLeaks. 

Twitter states on its website that the company will notify a user if information about that user’s account is being sought, unless it is “prohibited from doing so by statute or court order.” In the WikiLeaks case, there was a court order. Twitter decided to challenge that order, which eventually was unsealed and now is subject to a challenge by the Twitter users. 

“The easiest way to go about it when you have to comply with [law enforcement] is to tell the user, ‘These people want your information. It’s up to you what to do, but here are public resources you might want to contact,’” Twitter cofounder Biz Stone recently told POLITICO.

3. Your whereabouts from IP “addresses” 

Internet service providers and other Web-based services store a key piece of data about customers: their Internet Protocol — or IP — addresses, which help keep track of customers’ whereabouts. An IP address is a numeric label tagged to a computer, printer or other device on a network.

Internet providers such as Comcast maintain a 180-day, rolling log of IP addresses assigned to a subscriber’s account. If law enforcement contacts Comcast after that, the company is not able to provide that information. As a caveat, a Comcast spokesperson noted that an IP address is assigned only to a customer’s account and not to an actual person, “so we can’t tell you who was actually using that account or what they were doing.”

In addition, Comcast also provides an e-mail service to subscribers. If law enforcement provides the proper legal request for information, the Internet provider will turn over e-mail messages for a requested period. However, there are always ways for savvy Web users to keep their e-mail messages out of Comcast’s grasp. “If they delete [an e-mail] quickly, it’s gone. Or if they copy it to a hard disk, it’s gone — it’s out of our reach,” a Comcast spokesperson said. 

4. Social networks 

Social networks are repositories for everything from résumés, photos and contacts to conversations on instant messaging services and “wall” posts. 

Facebook, the Palo Alto, Calif.-based social network, said any of this data can be retrieved by law enforcement, provided authorities show probable cause and obtain a court order. 

All of Facebook’s user information is stored on its servers in the United States and therefore is subject to law enforcement requests for it. However, Facebook weighs each request for user information before taking any action, and if a request is “deemed appropriate,” the social network will share only the “minimum amount of information,” the company said.

If Facebook believes the law does not support a request for information, it has sometimes gone to court to object to government demands. 

Facebook declined to comment about whether law enforcement can tap real-time conversations on its instant-message feature. 

The social network may notify a user first before taking any action on an information request. “It varies, depending on the situation,” Facebook Chief Security Officer Joe Sullivan told POLITICO. “We don’t have a blanket notification policy.” 

5. Peer-to-peer calling services 

Skype allows people to make voice or video calls on the Web, much like the traditional telephone. But a potential snag for law enforcement is that the Luxembourg-based company only provides the technology that enables people to make calls and does not store any users’ conversations. 

“There’s no central Skype server where the government can say, ‘This is where we’re going to place our wiretap,’” said Josh Gruenspecht, the cybersecurity fellow at the Center for Democracy & Technology. 

However, Skype can tell you whether a user is online and logged in to the service. “All it does is act as a signal that this person is online and this person is not online,” Gruenspecht said. 

Skype has filed for an initial public offering so the company was unable to comment, a spokesman said, because of a Securities and Exchange Commission-mandated “silent period.”



