
The Section 215 Dragnet Started as Abusive Exigent Letter Practice Wound Down

Julian Sanchez (who, if you’re not already following, you should, @normative) just made an important observation about the Section 215 collection that collects metadata on all phone calls every day.

Carriers keep call detail records for years. No earthly reason to demand DAILY updates just to preserve.

Thunk. The penny dropped.

In theory, no, there’s no reason to demand daily updates from the telecoms. In fact, in theory, you could always just ask the telecoms to conduct the kind of data analysis that is now being done by NSA.

But there’s a very good reason why they’re not doing it that way.

They tried. It was badly abused.

And they started moving away from that approach in March 2006, precisely when we know the Section 215 program started.

Most of what we know about the exigent letters program comes from a report DOJ’s Inspector General did in March 2007 [ed 6/16: oops–all this time I had the least damning report linked. read this one]  (my posts are here, here, here, here, here, here, here). But the short version is that the NY FBI office set up an office to have representatives of the three major telecom companies come in and directly access their data with FBI Agents looking over their back. As such, it’s probably similar to what PRISM accomplishes for internet providers (except that an NSA employee rather than a telecom employee does the search), and presumably akin to whatever NSA does with the Section 215 dragnet information (which, after all, replicates the telecom databases perfectly).

The problems — that we know about from the unclassified report (there are secret and TS/SCI versions which probably have bigger horrors) — include:

  • FBI General Counsel had no apparent knowledge of 17% of the searches
  • Thousands of searches never got recorded
  • FBI lied to the telecoms about how urgent the information was, in order to get the information
  • FBI did an unknown number of sneak peeks into the data to see if there was something worth getting formally

Altogether, the unclassified IG Report described 26 abuses that should have been reported to the then (and once again, since Chuck Hagel became Defense Secretary) inoperable Intelligence Oversight Board.

That includes the tracking of journalist call records in at least three cases (one of which I suspect is James Risen).

In short, it violated many legal principles. And that’s just the stuff that actually got recorded and showed up in an unclassified report.

The Executive spent years trying to clean up the legal mess, with four OLC opinions between November 8, 2008 and January 8, 2010 making one argument after another to justify the mess.

And just as it became clear what a godforsaken mess all this was in March 2006, they started using Section 215 to collect all call records.

They effectively created the same databases that had been abused when the FBI had telecom employees doing the work, to have NSA or FBI do the very same work as well.

In short, the reason we don’t do what Sanchez is absolutely right we should do — ask the telecoms for information as we need it — is it’s not easy enough.

What I look forward to learning, though, is how having government employees do the work that telecom employees — who at least were bound by ECPA — once did avoids the same kind of abusive fishing expeditions.

Update: Here’s a description I wrote to summarize this 3 years ago.

This IG Report was the third DOJ’s Inspector General, Glenn Fine, has done on the FBI’s use of National Security Letters and “exigent letters,” though this is the first to focus almost exclusively on exigent letters. In 2003, the FBI installed representatives of AT&T and (later) Verizon and MCI onsite, with computers hooked up to their respective companies’ databases. Rather than using a subpoena or a National Security Letter to get phone records from them (both of which would have required a higher level of review), the FBI basically gave them boilerplate letters saying it was an emergency (thus the “exigent”) and could they please give the FBI the phone data; the FBI promised grand jury subpoenas to follow. Only, in many cases, these weren’t emergencies, they never sent the grand jury subpoenas, and many weren’t even associated with investigations into international terrorism. In other words, FBI massively abused this system to get phone data without necessary oversight. Fine has been pressing FBI to either establish some legal basis for getting this data or purge it from FBI databases for three years, and they have done that with some, but not all, of the data collected. But the FBI has tried about three different ways to bring this practice into conformity with legal guidelines, all unpersuasive to Fine. The OLC opinion is the most recent of these efforts.

Also, here’s a timeline.

Once Upon a Time the PRISM Companies Fought Retroactive Immunity

Since the disclosure of the PRISM program, I have thought about a letter the industry group for some of the biggest and earliest PRISM participants — Google, Microsoft, and Yahoo — wrote to then House Judiciary Chair John Conyers during the 2008 debate on FISA Amendments Act. (The screen capture reflects a partial list of members from 2009.)

Remarkably, the letter strongly condemned the effort to grant companies that had broken the law under Bush’s illegal wiretap program immunity.

The Computer & Communications Industry Association (CCIA) strongly opposes S. 2248, the “FISA Amendments Act of 2007,” as passed by the Senate on February 12, 2008. CCIA believes that this bill should not provide retroactive immunity to corporations that may have participated in violations of federal law. CCIA represents an industry that is called upon for cooperation and assistance in law enforcement. To act with speed in times of crisis, our industry needs clear rules, not vague promises that the U.S. Government can be relied upon to paper over Constitutional transgressions after the fact.

CCIA dismisses with contempt the manufactured hysteria that industry will not aid the United States Government when the law is clear. As a representative of industry, I find that suggestion insulting. To imply that our industry would refuse assistance under established law is an affront to the civic integrity of businesses that have consistently cooperated unquestioningly with legal requests for information. This also conflates the separate questions of blanket retroactive immunity for violations of law, and prospective immunity, the latter of which we strongly support.

Therefore, CCIA urges you to reject S. 2248. America will be safer if the lines are bright. The perpetual promise of bestowing amnesty for any and all misdeeds committed in the name of security will condemn us to the uncertainty and dubious legalities of the past. Let that not be our future as well. [my emphasis]

Microsoft, Yahoo, and Google all joined PRISM within a year of the date of the February 29, 2008 letter (Microsoft had joined almost six months before, Google would join in January 2009).

Clearly, the demand that the companies that broke the law not receive retroactive immunity suggests none of the members had done so. It further suggests that those companies that did break the law — the telecoms, at a minimum — had done something the email providers wanted them held accountable for. This suggests, though doesn’t prove, that before PRISM, the government may have accessed emails from these providers by taking packets from telecom switches, rather than obtaining the data from the providers themselves.

Google had also fought a DOJ subpoena in 2006 for a million URLs and search terms, purportedly in the name of hunting child pornographers.

And those of us who follow this subject have always speculated (with some support from sources) that the plaintiff in a 2007 FISA Court challenge to a Protect America Act (the precursor to FISA Amendments Act) was an email provider.

All of those details suggest, at the very least, that email providers (unlike telecoms, which we know were voluntarily giving over data shortly after 9/11) fought government efforts to access their data.

But it also suggests that the email providers may have treated PRISM as a less worse alternative than the government accessing their data via other means (which is a threat the government used to get banks to turn over SWIFT data, too).

It seems likely the way the government “negotiates” getting data companies to willingly turn over their data is to steal it first.

Section 215 Order Reveals Secrecy Only Serves to Prevent Court Challenge

Last March, when Hank Johnson asked him a poorly worded question about what NSA was doing with its data center in Utah, NSA head Keith Alexander kept saying the NSA had no power to collect in the US.

Johnson: “NSA’s signals intercepts include eavesdropping on domestic phone calls and inspection of domestic emails.” Is that true?

Alexander: No, not in that context. I think what he’s trying to raise is are we gathering all the information on the United States? No, that is not correct.

Johnson: What judicial consent is required for NSA to intercept communications and information involving American citizens?

Alexander: Within the United States, that would be the FBI lead.  If it was foreign actor in the United States the FBI would still have the lead and could work that with the NSA or other intelligence agencies as authorized. But to conduct that kind of collection in the United States it would have to go through a court order and a court would have to authorize it. We’re not authorized to do it nor do we do it.

As I noted at the time, Alexander didn’t actually deny it happens. He just said the FBI would have that authority in the US.

Alexander never denies that such capabilities exist. Rather, he says that FBI would intercept communications–with a court order–and FBI would search for certain content–with a warrant.

I even pointed to the great deal of circumstantial evidence that the FBI uses Section 215 to do bulk collection.

We know several things about the government’s collection in the US. First, the telecoms own the equipment–they’re the ones that do the intercepts, not FBI or NSA. Second, the FBI can and does get bulk data information from telecoms and other businesses using Section 215 of the PATRIOT Act.

I will have more to say about this later–until then, read this post and this post as background.

There is a great deal of circumstantial information to suggest that after the 2004 hospital confrontation–which was in part a response to Congress prohibiting any DOD use of data mining on Americans–chunks of the illegal wiretap program came to be authorized under Section 215 of the PATRIOT Act, which authorizes FBI data collection.

There’s nothing General Alexander said in this non-denial denial that would conflict with the notion that FBI collects data the telecoms intercept using Section 215 of the PATRIOT Act.

The Guardian’s publication of a 215 Order collecting metadata from all of Verizon Network Business Services customers proves that I was correct. It proves that Alexander’s obviously false non-denial was just that: a dodge of the truth.

Indeed, the order also shows that FBI’s role is simply to provide legal cover by submitting the 215 request, but NSA gets the data.

The (anonymous, of course) Administration response to last night’s disclosure is to claim it is no big deal.

An administration official called the phone data a “critical tool in protecting the nation from terrorist threats to the United States.”

“It allows counter terrorism personnel to discover whether known or suspected terrorists have been in contact with other persons who may be engaged in terrorist activities, particularly people located inside the United States,” the official added.

[snip]

“The order reprinted in the article does not allow the Government to listen in on anyone’s telephone calls,” said the administration official Thursday defending the decision. “The information acquired does not include the content of any communications or the name of any subscriber. It relates exclusively to metadata, such as a telephone number or the length of a call.”

Note: congratulations to The Hill’s Meghashyam Mali, who actually repeated this anonymous person’s claim that 1) the program allows the government to ID terrorists but 2) the 215 Order does not return the ID of any subscriber, as if doing so constituted journalism. (Note: Marc Ambinder just posts the talking points, without noting how internally contradictory they are–I’ll return to them shortly.)

Here’s the question, though: if this program is no big deal, as the Administration and some members of Congress are already claiming in damage control, then why has the Administration been making thin non-denial denials about it for years? If it is so uncontroversial, why is it secret?

Is there anything about the order that tips people off to whom, precisely, is being targeted? Does it explain how good (or bad) NSA’s data analysis tools are?

No. The collection is so broad, it could never provide hints of who is being investigated.

The WaPo suggests this order is just regular, routine collection, that quarterly 215 order sent to Verizon NBS. But even if, as I wondered last night, it’s triggered to a specific investigation, is there anything in there that tells people what or who is being investigated?

No.

There is nothing operational about this Section 215 order that needs to be secret. Nothing. A TS/SCI classification for zero operational reason.

The secrecy has been entirely about preventing American citizens from knowing how their privacy had been violated. It serves the same purpose as Alexander’s obviously dishonest answer.

And the most important reason to keep this secret comes from this claim, from the Administration’s LOL talking points.

As we have publicly stated before, all three branches of government are involved in reviewing and authorizing intelligence collection under the Foreign Intelligence Surveillance Act. Congress passed that act and is regularly and fully briefed on how it is used, and the Foreign Intelligence Surveillance Court authorizes such collection.

The Administration wants you to believe that “all three branches” of government have signed off on this program (never mind that last year FISC did find part of this 215 collection illegal — that’s secret too).

But our court system is set up to be an antagonistic one, with both sides represented before a judge. The government has managed to avoid such antagonistic scrutiny of its data collection and mining programs — even in the al-Haramain case, where the charity had proof they had been the target of illegal, unwarranted surveillance — by ensuring no one could ever get standing to challenge the program in court. Most recently in Clapper v. Amnesty, SCOTUS held that the plaintiffs were just speculating when they argued they had changed their habits out of the assumption that they had been wiretapped.

This order might just provide someone standing. Any of Verizon’s business customers can now prove that their call data is, as we speak, being collected and turned over to the NSA. (Though I expect lots of bogus language about the difference between “collection” and “analysis.”)

That is what all the secrecy has been about. Undercutting separation of powers to ensure that the constitutionality of this program can never be challenged by American citizens.

It’s no big deal, says the Administration. But it’s sufficiently big of a deal that they have to short-circuit the most basic principle of our Constitution.

What an Overbroad Section 215 Order Looks Like

Glenn Greenwald has a tremendous scoop, for the first time I know of publishing a Section 215 warrant — in this case one asking for all US-based traffic metadata from Verizon Business Services from April until July.

Now, I think that this actually affects just a subset of all Verizon traffic: the business-focused traffic rather than Verizon Wireless or similar consumer products most people subscribe to (and if that’s so, the shitstorm that is about to break out will be all the more interesting given that rich businessmen will be concerned about their privacy for once).

Also, this does not ask for call content. It asks only for metadata, independent of any identifying data.

In other words, they’re using this not to wiretap the conversations of Occupy Wall Street activists but to do pattern analysis on the telecom traffic of (I think) larger businesses.

The request does, however, ask for location data (and Verizon does offer bundles that would include both cell and cloud computing). So maybe the FBI is analyzing where all Verizon’s business customers are meeting for lunch.

My extremely wildarsed guess is that this is part of a hacking investigation, possibly even the alleged Iranian hacking of power companies in the US (those stories were first reported in early May).

I say that because cybersecurity is a big part of what Verizon Enterprise (as I believe they now go by) sells to its business customers; the infographic above, warning of data breaches when you least expect it (heh), is part of one they use to fear-monger its customers. Energy consumers are one of its target customer bases. And the case studies it describes involve several Smart Grid projects. Precisely the kind of thing the government is most freaked out about right now.

After all, aside from Medicare fraud, the government simply doesn’t investigate businesses, ever. Certainly not the kind of bankster businesses we’d like them to investigate. One of the few things they investigate business activities for is to see if they’ve been compromised. Moreover, the Section 215 order requires either a counterintelligence or a counterterrorist nexus, and the government has gone to great lengths to protect large businesses, like HSBC or Chiquita, that have materially supported terrorists.

Anyway, that’s all a wildarsed guess, as I said.

Ah well. If the government can use Section 215 orders to investigate all the Muslims in Aurora, CO who were buying haircare products in 2009, I’m sure big business won’t mind if the government collects evidence of their crimes in search of Iran or someone similar.

Update: Note, this order seems to show a really interesting organizational detail. This is clearly an FBI order (I’m not sure who, besides the FBI, uses Section 215 anyway). But the FISA Court orders Verizon to turn the data over to the NSC. This seems to suggest that FBI has NSA store and, presumably, do the data analysis, for at least their big telecom collections in investigations. That also means the FBI, which can operate domestically, is getting this for DOD, which has limits on domestic law enforcement.

Wondering Wednesday: Suicide in Singapore, Drone Over Brooklyn, and Telco Tattlers

Help me get over the hump and clue me in on a few things. I’ve been scratching my head wondering about these topics.

Suicide in Singapore — The recent “suicide” of a U.S. electronics engineer in Singapore looks fishy to me. It looked not-right to Financial Times as well; it appears no other domestic news outlet picked up this case for investigative reporting before FT. The deceased, who’d worked for a government research institute on a project related to Chinese telecom equipment company Huawei, is alleged to have hung himself, but two details about this case set off my hinky meter.

•  Every photo I’ve seen of engineer Shane Todd depicts a happy chap. Sure, depressed folks can hide their emotions, but compare a photo of his family after his death to photos of him and you’ll see the difference. My gut tells me that if he was truly depressed, he should have looked more like his folks–flat, withdrawn, low affect. Perhaps meds could have messed with his head more than depression itself. But I’m not a psychologist or a pharmacologist, what do I know?

•  Among all the details of the case, it’s said the victim’s face postmortem was white when his body was discovered. This doesn’t strike me as consistent with hanging; there should have been lividity above the ligature. Conveniently, Singapore’s law enforcement cleaned everything up so quickly there was no chance to see the crime scene or the body as found. Law enforcement also snagged the victim’s laptop and all other work-related stored content, save for a hard drive that looked like a speaker. Everything he was working on “disappeared” except for the contents of that drive.

The engineer had been very concerned about technology he was working on and its possible transfer, which included gallium nitride transistors with potential for both commercial and military applications. After poking around for some time on gallium compounds used in various computing, communications and other technology, nothing screams at me as highly sensitive technology that might get someone “suicided.” But…as I went through abstracts, it seems odd there are a substantive number of Chinese researchers working on GaN-based technologies.

Though these two points in particular jar my senses, more than just these two points don’t sit well. Read the story at the link above and see for yourself. (Original FT link here.)

What do you make of this case? Suicide or no? Strategic technology or no?

The Sevenfold Increase in Emergencies at AT&T

In its response to Ed Markey’s questions about law enforcement requests for cellphone data, AT&T attributed the growing number of requests it gets to its expanding customer base.

To keep these numbers in perspective, AT&T serves over 103,200,000 wireless customers (in 2007, by contrast AT&T served just over 70,000,000 wireless customers).

But that can’t explain the entire increase: only one category of request–requests like orders and warrants requiring court oversight–has gone up at or below the 47% increase in AT&T’s customer base. All other categories have increased at a faster pace.

What’s particularly striking is how many more non-PSAP (that is, non 911 call) exigent requests AT&T has gotten: a more than sevenfold increase.

Now, AT&T doesn’t explain how it treats such requests legally or practically. By comparison, US Cellular cites the language from 18 USC 2518(7)–including language permitting the release of information for “conspiratorial activities threatening the national security interest”–in its exigent request section (see Exhibit 1, page 1); that law requires requestors to submit paperwork for the order or warrant within 48 hours. Sprint cites 18 USC 2702(c)(4) explicitly, which doesn’t include the time limit; but Sprint imposes one itself, even while emphasizing providing this information is voluntary.

For example, Section 2702(c)(4) of the SCA permits Sprint to comply with law enforcement requests in emergency situations when Sprint believes there is an emergency involving danger of imminent death or serious physical injury. In those circumstances, our processes require law enforcement to fax in a form which we use to authenticate the law enforcement requestor and to help verify that an appropriate emergency exists. After being satisfied that the statutory requirements have been met, the Sprint analyst will comply with the request but only for 48 hours, providing law enforcement with sufficient time to obtain appropriate legal processes. To be clear, in these particular circumstances, providing information to law enforcement is not required and Sprint could decide that it will not comply with these emergency requests. Sprint has determined, though, that on balance it is in the interest of our customers and members of the general public who may be at risk to comply with emergency requests, particularly since they often involve very serious life-threatening situations such as kidnapping, child abduction and carjacking.

AT&T doesn’t cite the law directly, but its description matches 2702(c)(4) and therefore would not legally require a follow-up application. Verizon cites 2702(c)(4) explicitly.

Note that this means AT&T, Verizon, and Sprint are treating cell location as a record, not content. Sprint provides this–sort of–explanation for it.

Nonetheless, there are circumstances, which are outlined in the applicable statutes, where information can be disclosed to law enforcement with the consent of the customer or in certain emergency situations. In those cases, Sprint still requires appropriate documentation, and although it may not be a legal demand, per se, it is legally permissible for Sprint to provide the information under the statute, as discussed herein.

[snip]

Sprint has business records that contain information on the location of a wireless device based on that device’s proximity to nearby cell towers. The information in Sprint’s records is often referred to as “historic” or “stored” location as it is customer information of a historic nature that is stored by Sprint for its own business purposes. For example, Sprint uses this information for certain billing, taxing, network troubleshooting and capacity planning purposes. Sprint also has the capability to determine the location of a cell phone in real time by using GPS technology.

The location information contained in Sprint’s business records is not basic subscriber information as defined by the statute but is information Sprint has relating to its customers’ mobile device usage. Consequently, a court order based on “specific and articulable facts” is required prior to disclosure of that information to law enforcement.

[snip]

There is no statute that directly addresses the provision of location data of a mobile device to the government.

The explanation doesn’t really say whether it treats a GPS reading as a stored record or not–probably because that’s where this interpretation gets dicey.

Sprint goes on to suggest Congress provide some clarity about this cell location data. (It also notes the government interprets the law to require the cell company to provide not just the target caller location, but also the “location of associates on a call with the target.”)

Not so AT&T, which seems to be giving this information out like candy in the name of exigent circumstances. And unlike Sprint, it’s not clear AT&T (or Verizon) imposes any requirements on how long such emergencies can last.

But then, it’s not just AT&T. The government, too, seems to want to declare a permanent state of emergency so it can get all our cell data anytime it wants.

Update: Transcription error fixed per joberly.

Update: Table corrected per Anchard.

The Global Crisis of SOME Institutional Legitimacy

Felix Salmon has a worthwhile (but, IMO, partly mistaken) post on what he deems “the global crisis of institutional legitimacy.” I think he’s right to see this as a significant challenge to our current political economy.

While watching another Arab government get toppled on Sunday evening — this time that of Muammar Gaddafi, in Libya — I was also reading George Magnus’s excellent note for UBS, entitled “The Convulsions of Political Economy”; you can find it chez Zero Hedge.

Convulsions is right — not only in the Arab world, of course, but also in Europe and the US. And the result is arguably the most uncertain outlook, in terms of the global political economy, since World War II ended and the era of the welfare state began.

As Magnus says:

It seems that we are having sometimes esoteric tiffs between Keynesians and Austrians about if and how governments should sustain jobs and growth. But, deep down, we are having a much more significant debate as we are being forced to redefine what we think about the rights and obligations of citizens and the State.

Most fundamentally, what I’m seeing as I look around the world is a massive decrease of trust in the institutions of government.

But I think Salmon makes two mistakes. First, he maintains an unwarranted distinction between the Arab Spring and the UK riots.

Where those institutions are oppressive and totalitarian, the ability of popular uprisings to bring them down is a joyous and welcome sight. But on the other side of the coin, when I look at rioters in England, I see a huge middle finger being waved at basic norms of lawfulness and civilized society, and an enthusiastic embrace of “going on the rob” as some kind of hugely enjoyable participation sport. The glue holding society together is dissolving, whether it’s made of fear or whether it’s made of enlightened self-interest.

From the perspective of the underclass in our society, it has been some time since “enlightened self-interest” counseled compliance. And from most perspectives, it’s clear that the elites, not the underclass, were the first to wave a huge middle finger at basic norms of lawfulness.

A more problematic error, though, is Salmon’s claim that corporations have retained their legitimacy.

Looked at against this backdrop, the recent volatility in the stock market, not to mention the downgrade of the US from triple-A status, makes perfect sense. Global corporations are actually weirdly absent from the list of institutions in which the public has lost its trust, but the way in which they’ve quietly grown their earnings back above pre-crisis levels has definitely not been ratified by broad-based economic recovery, and therefore feels rather unsustainable.

As a recent Pew poll shows, Americans are just as disgusted with banks and other large corporations as they are with their government.

While anti-government sentiment has its own ideological and partisan basis, the public also expresses discontent with many of the country’s other major institutions. Just 25% say the federal government has a positive effect on the way things are going in the country and about as many (24%) say the same about Congress. Yet the ratings are just as low for the impact of large corporations (25% positive) and banks and other financial institutions (22%). And the marks are only slightly more positive for the national news media (31%) labor unions (32%) and the entertainment industry (33%).

Notably, those who say they are frustrated or angry with the federal government are highly critical of a number of other institutions as well. For example, fewer than one-in-five of those who say they are frustrated (18%) or angry (16%) with the federal government say that banks and other financial institutions have a positive effect on the way things are going in the country.

But there are institutions that Americans still trust: colleges, churches, small businesses, and tech companies.

Distinguishing between those institutions (government and big corporations) people distrust and those (churches, small businesses, and tech companies) they do is important for several reasons. First, because it prevents us from assuming (as big corporations might like us to) that Americans will be content with corporatist solutions. People may or may not like the post office, but there’s no reason to believe they like FedEx, Comcast, AT&T, or Verizon any more, particularly the latter three, which all score very badly in customer satisfaction. (Update: as joberly points out, Pew found that the postal service was by one measure the most popular government agency, with 83% of respondents saying they had a favorable view of the postal service.)

Such polling also suggests where Americans might turn during this convulsion. Barring Apple buying out the federal government, it seems likely Americans, at least, will turn to local institutions: to their church, their neighborhood, their local businesses.

That’s got some inherent dangers–particularly if people decide they want to change my governance with their church. But it also provides a nugget of possible stability amid the convulsion, one that might have salutary benefits for our environment and economy.

Apple aside, it’s the big institutions that have lost their institutional legitimacy. But we’re not entirely without institutions with which to rebuild.

Quasi-Governmental Entities AT&T and Verizon Blocking Wikileaks Sites

We know the government is blocking Wikileaks sites: the Air Force, the Library of Congress, the Department of Education, as well as orders from the State Department that its employees should not read the leaked cables.

Which is why I find it so interesting that AT&T and Verizon are blocking Wikileaks sites internally, too. From Greg Mitchell’s liveblog:

Just received email tip from man purporting to be Verizon employee at a headquarters and offering to send screen shots. Here’s an excerpt: “Last week, I was browsing several news sites at work when I noticed something strange: any time I tried to read a story about Wikileaks, the site was blocked. Typically, our intranet blocks the usual ‘time-waster’ sites…. In these cases, the entire domain is blocked and any content offered up by that domain on a separate site (such as videos embedded from YouTube) would be blocked on the other site as well.” In this case, though, only specific URLs were being blocked, while the rest of the site was fine. In the screenshots, you can see I can access, for example, the Guardian front page, as well as another, non-Wikileaks related article. But if I tried to go to any of the cable articles, I received the block message…. It appears there’s a blanket URL block for any URL containing the word “wikileaks” no matter what the context. Also, I’ve confirmed with a friend of mine who works for AT&T that they’re doing similar blocking. I have screen shots available.” He also claims that a friend at AT & T says same thing going on there.

I wonder whether the block has anything to do with the large amount of domestic and international spying these telecoms do for the government, effectively making them high-security quasi-governmental entities. Is it possible that these telecoms are working under governmental orders not to access anything to do with WikiLeaks, in the same way actual governmental agencies have been told that accessing the cables might constitute a security violation?

Maybe we can just find out who is spying for the government based on which companies implement these kinds of blocks on Wikileaks?

[bmaz here – We have received word from a trusted source at AT&T that they are not blocked, at least not consistently or completely; so consider the post so updated]

“Dude, that’s what they want.”

Babak Pasdar’s affidavit on Verizon’s Quantico Circuit reveals something about the government’s back-door access to all of Verizon’s data, one which might be familiar to you from the missing White House emails saga.

When Steven McDevitt tried to reconstruct all the OVP emails from the period when Scooter Libby and Dick Cheney were coordinating their cover story, he discovered that no logs of the emails from that period existed; thus, there’s no way to be sure that the 250 pages of email turned over to Patrick Fitzgerald constitute all the missing emails.

Golly. What a surprise, then, that the government didn’t want any logs taken of its back-door access to (presumably) Verizon’s data.

Pasdar notes that (presumably) Verizon’s log collection system was very primitive.

I specifically remembered being shocked at the primitiveness and inadequacy of their log collection system. After all, this was a major carrier. After a cursory overview I was able to point out to C1 and C2 that their log collection system might not have been collecting all logs. This surprised C1 and C2. A subsequent test showed that the client’s log collection system was missing as many as 75% of the logs being generated, essentially rendering the whole system useless.

Mind you, that covered the whole system, not just the Quantico Circuit the government was using to access the system. But when Pasdar describes learning about the Circuit itself, he explains that there was no logging system for the Circuit. None.

This is a little narrative he tells about learning of the Circuit when testing the firewalls of the new system he was putting in.

At one point I overheard C1 and C2 talking about skipping a location. Not wanting to do a shoddy job I stopped and said "we should migrate all sites."

C1 told me this site is different.

I asked, "Who is it? Carrier owned or affiliate?"

C1 said, "This is the ‘Quantico Circuit.’"

Pasdar goes on to learn that this is a 45 megabit per second circuit that supports data and voice communication. The consultants he was working with made it clear they weren’t supposed to put any access controls on it.

C1 said that this circuit should not have any access control. He actually said it should not be firewalled.

I suggested to migrate it and implement an "Any-Any" rule. ("Any-Any" is a nickname for a completely open policy that does not enforce any restrictions.) That meant we could log any activity making a record of the source, destination and type of communication. It would have also allowed easy implementation of access controls at a future date. "Everything at least SHOULD be logged," I emphasized.

C1 said, "I don’t think that is what they want."
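The test Pasdar describes, comparing the logs devices generate against what the collector actually holds, can be sketched as follows. This is an added example, not code from the affidavit or the original post; it assumes each device stamps a monotonically increasing sequence number on every log record, and the device names, function names and sample data are constructed for illustration.

```python
from collections import defaultdict

def missing_ranges(seqs, first, last):
    """Return inclusive (start, end) gaps in first..last that are absent from seqs."""
    gaps, expected = [], first
    for s in sorted(seqs):
        if s > expected:
            gaps.append((expected, s - 1))
        expected = max(expected, s + 1)
    if expected <= last:
        gaps.append((expected, last))
    return gaps

def audit(emitted, collected):
    """emitted: {device: (first_seq, last_seq)} read from each device's own counter.
    collected: iterable of (device, seq) records found in the collector.
    Returns {device: {"expected", "received", "loss", "gaps"}}."""
    seen = defaultdict(set)
    for device, seq in collected:
        seen[device].add(seq)  # a set drops duplicate deliveries
    report = {}
    for device, (first, last) in emitted.items():
        in_range = {s for s in seen[device] if first <= s <= last}
        expected = last - first + 1
        report[device] = {
            "expected": expected,
            "received": len(in_range),
            "loss": 1 - len(in_range) / expected,
            "gaps": missing_ranges(in_range, first, last),
        }
    return report

def over_threshold(report, max_loss):
    """Devices whose loss fraction exceeds max_loss, worst first."""
    bad = [(d, r["loss"]) for d, r in report.items() if r["loss"] > max_loss]
    return sorted(bad, key=lambda item: item[1], reverse=True)

# Constructed sample data: one lossy device, one healthy, one silent.
EMITTED = {"fw-edge-1": (1, 20), "fw-core-2": (100, 107), "fw-dmz-3": (1, 5)}
COLLECTED = [("fw-edge-1", s) for s in (1, 2, 2, 9, 10, 20)]
COLLECTED += [("fw-core-2", s) for s in range(100, 108)]

if __name__ == "__main__":
    for device, loss in over_threshold(audit(EMITTED, COLLECTED), 0.01):
        print(f"{device}: {loss:.0%} of generated logs never reached the collector")
```

A device that appears in `EMITTED` but never in the collector reports 100% loss, which is the case a circuit with no logging at all would fall into if it were inventoried.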


The Quantico Circuit

Yesterday, Wired’s Threat Level reported on the Quantico Circuit, what appears to be Verizon’s back door to give the government complete access to our telecommunications.

A U.S. government office in Quantico, Virginia, has direct, high-speed access to a major wireless carrier’s systems, exposing customers’ voice calls, data packets and physical movements to uncontrolled surveillance, according to a computer security consultant who says he worked for the carrier in late 2003.

"What I thought was alarming is how this carrier ended up essentially allowing a third party outside their organization to have unfettered access to their environment," Babak Pasdar, now CEO of New York-based Bat Blue told Threat Level. "I wanted to put some access controls around it; they vehemently denied it. And when I wanted to put some logging around it, they denied that."

Pasdar won’t name the wireless carrier in question, but his claims are nearly identical to unsourced allegations made in a federal lawsuit filed in 2006 against four phone companies and the U.S. government for alleged privacy violations. That suit names Verizon Wireless as the culprit. [my emphasis]

To which John Dingell and friends respond, this is another reason not to pass telecom immunity.

Because legislators should not vote before they have sufficient facts, we continue to insist that all House Members be given access to the necessary information, including the relevant documents underlying this matter, to make an informed decision on their vote. After reviewing the documentation and these latest allegations, Members should be given adequate time to properly evaluate the separate question of retroactive immunity.

Yeah, and while we’re at it, let’s figure out why the email providers are actually opposed to retroactive immunity.