Saturday, August 4, 2007

Ghosts in the Machine


So asking the reasonable question - "Who can monitor my computer and phone activity without bothering to do something unkind to the system I am using to communicate with?" - ends up with more answers than most people might find comfortable. While wiretapping and network monitoring (nearly one and the same now) are time-honored techniques in television and written fiction, what is really out there? This is based on publicly available data and court information. It seems reasonable to assume that there exists a great deal of illegal activity as well, but really the stuff that is out there in the open is bad enough. Because of this, I will mainly focus on the lawful interception of data. There will be some interesting information on the more suspicious NSA activity which will end up in the unlawful pile.

A real problem has been exactly how to tackle this topic. There is so much data, some of which is quite complex (both from a technical and legal perspective), that I have been at a loss for how to best convey an overall message. To begin with, I will just try to answer a few questions that I have accumulated over the years. Hopefully there will then be time enough to go back and fill in the more useful generalizations. There are a number of sites with excellent technical overviews (and details), so they will probably be referenced with alarming regularity. In general, details will be left to the links, except in the unlikely event that I have something relevant to add. And for the record, this is just relevant to data communications that are in or pass through US carriers.

Here goes ...

Ghost in the Machine

Index:
Legal Aspects
  • Laws
  • CALEA
  • FISA
  • USA Patriot Act
  • Recent FISA Changes
Players:
  • FBI
  • NSA
  • DOD
  • CIA
  • Others



Legal Aspects
This first section is lifted verbatim from Wikipedia:
Laws

In the United States, two laws cover most of the governance of lawful interception. The 1968 Omnibus Crime Control and Safe Streets Act, Title III pertains mainly to lawful interception criminal investigations. The second law, the 1978 Foreign Intelligence Surveillance Act, or FISA, governs wiretapping for intelligence purposes where the subject of the investigation must be a foreign (non-US) national or a person working as an agent on behalf of a foreign country. Most of the congressionally mandated wiretap records indicate that the cases are related to illegal drug distribution, with cell phones as the dominant form of intercepted communication.

During the 1990s, to help law enforcement and the FBI more effectively carry out wiretap operations, especially in view of the emerging digital voice and wireless networks at the time, the US Congress passed the Communications Assistance for Law Enforcement Agencies Act (CALEA) of 1994.[1] This act provides broad guidelines to network operators on how to assist the LEAs in setting up interceptions and the types of data to be delivered. CALEA does not, as many believe, provide specific implementation directives on interception. More recently, the US Federal Communications Commission (FCC) mandated that CALEA be extended to include interception of publicly-available broadband networks and Voice over IP services that are interconnected to the Public Switched Telephone Network (PSTN).

As a response to the terrorist events of 9/11, the US Congress incorporated various provisions related to enhanced electronic surveillance in the “Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism” Act (USA Patriot Act). These wiretap provisions are mainly updates to those expressed under the FISA law.

(end of wikipedia)

CALEA
From my perspective, things really started getting interesting with the integration of the FCC decision on extending CALEA to non-PSTN networks. This is really not a surprising decision given the increasing use of IP networking in traditional phone communication networks.

CALEA is quite interesting in that it is a significant interface for one part of law enforcement to intercept data communications. It is currently in place and operational on the entire telco infrastructure. This is just to maintain perspective - as of right now a system is in place that allows for the collection of network communications under the monitoring and control of the Judiciary. Exactly how successful this monitoring and control has been is a matter of (strong) opinion.

An exceptionally useful document for finding out about CALEA is the March 2006 audit report from the DOJ Inspector General named "The Implementation of the Communications Assistance for Law Enforcement Act". Good clean fun. Equally illuminating are the shots fired back from the telco industry found in the "Comments to the Report" report. Within these long reads we find a clear illustration of the voracious hostility that exists between the two factions (FCC/DOJ and the telco industry). These issues are not over such things as civil liberties, but rather over who has to pay for all these shiny new gizmos...

For a person such as myself, the most illuminating parts of a report come with the technical descriptions of the various components. As this is an audit-type report, this will be in the form of equipment costs. Needless to say, I think that I am on the wrong side of the business... Looking at the report we see:

Equipment Costs
In order to conduct CALEA wiretaps, law enforcement agencies must maintain or have access to a wireroom. A wireroom consists of a computerized system that intercepts, decodes, records, and plays back telephone communications. The installation of these facilities is both time-consuming if not already in place (it must be ordered weeks or months in advance) and expensive. [CHOP] Although law enforcement officials noted that their wirerooms are also available for use by other law enforcement agencies in their general vicinity, the smaller law enforcement agencies are limited in conducting electronic surveillance due to the fees charged by carriers.

Of the 82 responses to our survey from law enforcement officials indicating that their agency conducts electronic surveillance, 48 agencies (59 percent) maintain their own wireroom. Law enforcement officials representing the 82 agencies indicated that the number of intercepts conducted by their agencies is hindered by the cost to purchase equipment (16 of 82 responses) and the cost of equipment maintenance (11 of 82 responses).

According to law enforcement officials we interviewed and those who responded to our survey, law enforcement agencies have spent between hundreds of thousands to several million dollars to equip their wirerooms. The equipment costs depend upon the desired capacity of simultaneous wiretaps and the need to accommodate the carriers’ various delivery methods (as discussed in the following section). A typical wireroom, as pictured below, consists of the following equipment:

As an example, the equipment listed below was located in one of the wirerooms that we visited. This particular wireroom has the capacity to conduct eight regular wiretaps or four [LAW ENFORCEMENT SENSITIVE INFORMATION REDACTED] wiretaps simultaneously.
• 8 computer workstations;
• 3 servers (one to conduct regular cell phone intercepts, one to conduct [LAW ENFORCEMENT SENSITIVE INFORMATION REDACTED] intercepts, and one to conduct pager and Internet intercepts);
• 1 jukebox, which saves the data on a magnetic drive;
• 1 separate router for [LAW ENFORCEMENT SENSITIVE INFORMATION REDACTED] intercepts (all other carriers are on a Virtual Private Network (VPN)); and
• 1 computer monitor to switch between the 3 servers.

In addition to the initial purchase of equipment, law enforcement agencies also pay approximately $30,000 per year in maintenance fees to their equipment vendor. Law enforcement agencies said they spend additional funds for hardware and software upgrades to keep up with improvements and emerging technology.
When reading the report alongside its other table, which lists current and foreseen threats to data monitoring as perceived by law enforcement, many of the redacted sections in the above listing become somewhat more guessable. This will be left as an exercise for the gentle reader to help ensure class participation.

The report also revealed the answer to a question that I have had for a while - CALEA defines an interface for law enforcement, but how does the FBI feed its Carnivore-like (now DCS-1000-like) systems? Indirectly it also revealed that I am a Big Fucking Dork for thinking about these things. For the record, the agreement lists the following four options for data transport between the CALEA capture system and the law enforcement systems (described above):

The four delivery methods are dial-out, virtual private network (VPN), frame relay, and T-1 lines. While dial-out and VPN are increasingly popular and favored among law enforcement agencies, some carriers only deliver data via a T-1 line which we found to be the most expensive delivery method. Using a T-1 line costs law enforcement agencies approximately $1,300 for each switch, and can take up to two months to install. One law enforcement official told us that his agency pays approximately $20,000 per month to carriers to maintain T-1 line connections.
Like I said, there is a hostile relationship between law enforcement and the telcos. In this day and age, that is a lot of money to be put into a set of T-1 connections, probably within a telco building.

Where am I going with this? Really I am just trying to understand how this stuff all works together and am using this writing assignment as a tool for said cause. There is a huge amount of technical detail that is hard to get around without writing a book. I do not want to write a book. What have I tried to say so far? There is this legal requirement for telecommunications providers to give law enforcement a way to access an individual's data stream via court order. It has required both groups to pony up a great deal of money to do so. Some groups in DOJ seemed to think that this was a Right Fine Idea. Perhaps the report might give us some indication as to who is using this mighty instrument of justice?

Indeed it can. As part of the report, there was a user survey. In this survey a number of respondents (82 agencies, ~1200 individuals) described their use of the system. Responses were grouped into 5 major groups: FBI, DEA, Attorneys, sheriff / co police, and police dept. From the information in the report, the significant majority of all wiretap instances were non-CALEA related. This seems more or less consistent with a summary in wired.com, "Why the U.S. News is Wrong About Internet Taps", which summarizes a series of annual reports from the Administrative Office of the US Courts:

But according to annual reports on incidents of wiretapping issued by the Administrative Office of the U.S. Courts, the hype from this particular law may be overplayed. The vast majority of wiretaps granted through this avenue, known as a "Title III" surveillance, are issued for phones. In 2006, only 13 of the 1,714 intercept orders were for electronic communication, down from 23 out of a total of 1,694 in 2005.
While I find the conclusions drawn in the article interesting, the real importance of the small number of official warrants lies in the relationship of the DOJ with other means of gathering the data that they are interested in.

The CALEA legislation and rules are enormously interesting and complex. In light of the large cross section of information that needs to be covered, it will be left here for now. The importance of CALEA in this case can be seen as a first major step in the monitoring of user activity in a contemporary telco environment.

FISA



[TO BE CONTINUED...]
