FBI Pushing Real-Time Metadata-Harvesting 'Port Readers' On Service Providers

from the when-will-it-be-'enough'-data? dept

Tue, Aug 6th 2013 9:57am — Tim Cushing

The FBI seems to be of the same mindset as the NSA -- it's better to have it all and not need it than to show any sense of restraint when it comes to harvesting data. Declan McCullagh at CNET has uncovered yet another surveillance program aimed at collecting vast amounts of data simply because the current legal climate allows it.

The U.S. government is quietly pressuring telecommunications providers to install eavesdropping technology deep inside companies' internal networks to facilitate surveillance efforts.

FBI officials have been sparring with carriers, a process that has on occasion included threats of contempt of court, in a bid to deploy government-provided software capable of intercepting and analyzing entire communications streams. The FBI's legal position during these discussions is that the software's real-time interception of metadata is authorized under the Patriot Act.

Attempts by the FBI to install what it internally refers to as "port reader" software, which have not been previously disclosed, were described to CNET in interviews over the last few weeks. One former government official said the software used to be known internally as the "harvesting program."

Isn't that great? Carriers don't know what effects the FBI's new toy will have on their systems and are perhaps even a little concerned that they're violating their customers' last remnants of privacy by allowing this, but turning down this "opportunity" means facing contempt charges. The situation presents only unappealing choices.

The FBI quickly responded with a statement declaring its actions to be "playing by the rules," as well as expressing its pure desire to help telecoms and service providers become better corporate citizens.

"Pen Register and Trap and Trace orders grant law enforcement the authority to collect dialing, routing, addressing, or signaling information associated with a target's communications. This information includes source and destination IP addresses and port numbers. In circumstances where a provider is unable to comply with a court order utilizing its own technical solution(s), law enforcement may offer to provide technical assistance to meet the obligation of the court order."

The FBI statement specifies "pen register" and "trap and trace," but the port readers gather far more information than the limited data available to those processes.

Federal law says law enforcement may acquire only "dialing, routing, addressing, or signaling information" without obtaining a wiretap. That clearly covers, for instance, the Internet Protocol address of a Web site that a targeted user is visiting. The industry-created CALEA standard also permits law enforcement to acquire timestamp information and other data.

But the FBI has configured its port reader to intercept all metadata -- including packet size, port label, and IPv6 flow data -- that exceeds what the law permits, according to one industry source.

Knowing that the FBI is harvesting much more than basic metadata calls into question the recent court decision declaring warrantless cell phone location tracking constitutional. According to the majority's argument, metadata created by phone usage is nothing more than a "business record." something that is freely available to law enforcement and intelligence agencies because it carries with it no reasonable expectation of privacy.

At what point is that "expectation" reestablished? If the court's argument holds for location data, it will likely hold for any sort of metadata created, no matter how specific it is. The same warrantless process is being used by the FBI to capture metadata on internet usage, email and phone information -- all without being challenged for privacy violations.

There's every indication that the FBI has had more metadata than pen registers/trap and trace were ever intended to harvest for quite some time now. Late last year, hackers broke into an FBI laptop which contained a .csv file full of iPhone users' data.

[The csv file contained] a list of 12,367,232 Apple iOS devices including Unique Device Identifiers (UDID), user names, name of device, type of device, Apple Push Notification Service tokens, zipcodes, cellphone numbers, addresses, etc.

Why an agent had the data of 12 million iPhone users stored on his laptop is inexplicable. According to the narrative, any "inadvertent" data gets swept into storage where it can only be "asked questions." This file dump shows the FBI isn't necessarily discarding or segregating "irrelevant" information, a problem that is only worsened by each additional form of "metadata" it scoops up.

At a bare minimum, the outdated laws applying to the limits of pen registers and trap and trace need to be updated, as does the general argument that phone users' interaction with their providers (via calls, internet usage, etc.) create nothing more than "business records." Continuing to ignore the fact that these agencies are abusing outdated laws to scoop up massive amounts of metadata on non-targeted users will only ensure this problem will get worse in the future.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: fbi, metadata, port readers, privacy, surveillance, telcos

30 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

Anonymous Coward, 6 Aug 2013 @ 10:10am

there needs to be a serious new look at all the ridiculous laws Congress has brought into play in the last 15 years and wherever necessary, remove those laws! trying to change them to cover what they should rather than what they actually do, according to more or less every 'security' agencies, will be an impossible task.
[ link to this | view in thread ]
thane, 6 Aug 2013 @ 10:12am

Wow, the Feds are really pushing harder and faster than ever since the Snowden leaks. It seems something new is being reported daily about programs they are already using to illegally get data or about things they want to get in place before too many people wake up and get really pissed off.
[ link to this | view in thread ]
Anonymous Coward, 6 Aug 2013 @ 10:28am

If they're not playing by the 4th Amendment, they can't say they're "playing by the rules."
[ link to this | view in thread ]
This comment has been flagged by the community. Click here to show it

out_of_the_blue, 6 Aug 2013 @ 10:31am

While Techdirt front page has 200K of javascript, you should talk!
Most of it from Google, of course. Javascript is spyware plus advertising-ware. You and Google are pushing spyware onto every system that visits Techdirt. -- Of course, anyone with the least sense doesn't let it run: Get the Noscript extension for Firefox (and remove Google from the whitelisting it pays for).

Here's part of your oxymoronic "Privacy" page:

When you access Techdirt or open one of our HTML emails, we may automatically record certain information from your system by using different types of tracking technology. This "automatically collected" information may include Internet Protocol address ("IP Address"), a unique device or user ID, version of software installed, system type, the content and pages that you access on Techdirt, and the dates and times that you visit Techdirt.
[ link to this | view in thread ]
TheLastCzarnian (profile), 6 Aug 2013 @ 10:39am

Who is paying for this?
So we have a sequester, fired thousands of government employees, and this is how the remaining money is being spent.

I don't understand how some Republicans can be for "smaller government" and still condone these expenditures.
[ link to this | view in thread ]
Calvin (profile), 6 Aug 2013 @ 10:42am

Contempt of Court
How can non-compliance be 'contempt of court' when there is no court order to request compliance?
[ link to this | view in thread ]
Anonymous Coward, 6 Aug 2013 @ 10:42am

Re: While Techdirt front page has 200K of javascript, you should talk!
NoScript, AdBlock, Flashblock, and Ghostery AT LEAST should be part of every Firefox installation. Only whitelist what you need. It makes the web a saner and safer place.

Of course NoScript might be annoying for non-technical users.

As for the rest...well...It's hard to run a server without collecting IP addresses...Also - in particular - it is hard to run a webserver without collecting some "private and unique" information, starting by your user-agent string, which your browser happily sends away with (almost) every request.

That bit in the privacy page is just boiler-plate that any minimally technically knowledgeable user should already be aware of. If it bothers you, use tor.
[ link to this | view in thread ]
jackn, 6 Aug 2013 @ 10:43am

Re: While Techdirt front page has 200K of javascript, you should talk!
I guess we know how really dumb you are now.
[ link to this | view in thread ]
Anonymous Coward, 6 Aug 2013 @ 10:43am

Re: Who is paying for this?
Because they're not for "smaller government." They're for a government that keeps its hands out of the pockets of big business.
[ link to this | view in thread ]
Anonymous Coward, 6 Aug 2013 @ 10:45am

Re: Re: While Techdirt front page has 200K of javascript, you should talk!
Oh, and if you use tor, don't be a moron. Disable javascript, cookies and every other fancy shit you may have, or else you'll still get tracked.

Also, be aware of this: http://arstechnica.com/security/2013/08/attackers-wield-firefox-exploit-to-uncloak-anonymous-tor-use rs/.
[ link to this | view in thread ]
Anonymous Coward, 6 Aug 2013 @ 10:46am

Re: While Techdirt front page has 200K of javascript, you should talk!
If you don't like it there are plenty of other sites for you to troll.
[ link to this | view in thread ]
Internet Zen Master (profile), 6 Aug 2013 @ 11:00am

Y'know, this isn't all that surprising
Considering that the NSA is very reluctant to share any of the data it collects with the other government agencies, the DEA being the sole exception because drugs are generally considered to be imported from other countries, which (according to NSA logic) makes the suspects involved foreigners by default.

It's true that, I am less than thrilled by the NSA's invasive surveillance programs, I'll give them credit for (mostly) keeping all that data to themselves (*see caveat about sharing with the DEA above*).

Problem with that is now it sounds like the FBI wants to get in on the data-mining game because the NSA won't share data (even though they're not supposed to be collecting info on Americans, but that's beside the point right now).

In the end, I find myself trusting the NSA more than I trust the FBI. It's depressing when you find yourself having more faith in the massive spy agency than you do in the FBI.
[ link to this | view in thread ]
Anonymous Coward, 6 Aug 2013 @ 11:05am

Re: While Techdirt front page has 200K of javascript, you should talk!
one mans tracking is another mans plausible deniability

i also see youre now condoning being a freetard. who ARE you?
[ link to this | view in thread ]
Anonymous Coward, 6 Aug 2013 @ 11:21am

Re: Re: While Techdirt front page has 200K of javascript, you should talk!
Also - in particular - it is hard to run a webserver without collecting some "private and unique" information, starting by your user-agent string, which your browser happily sends away with (almost) every request.

And that is why the Calomel SSL validation extension is useful for more than just doing what it name implies: one of the things it lets you do is anonymize your user-agent. Of course, the User Agent Switcher let's you do that too.

Calomel: https://addons.mozilla.org/en-US/firefox/addon/calomel-ssl-validation/
User Agent Switcher: http://chrispederick.com/work/user-agent-switcher/

Incidentally, the maintainers of this site might be curious to know that Calomel's extension is currently flagging it.
[ link to this | view in thread ]
Anonymous Coward, 6 Aug 2013 @ 11:26am

The CNET article mentions IPv6 flow data
(Curiously, it singles out IPv6 and does not mention IPv4, or just say IP.)

Flow data is incredibly rich in the hands of someone who understands it. It's usually not that hard to re-identify it even if the sender/receiver pair is supposed anonymous -- or at least to partially re-identify it.

Moreover, it yields copious clues as to what operating systems are in use, what services/applications are running on them, even what revision level some of these are.

In the wrong hands (are there are any "right" hands for this?) this data would be devastating. Given that the FBI has already lost all kinds of laptops, some of which contained large data collections (see elsewhere in this discussion) we can reasonably expect that they'll start losing this data too. So much for their role in allegedly helping to "defend" us from cyberattack.
[ link to this | view in thread ]
Kenneth Michaels, 6 Aug 2013 @ 12:04pm

Packet Size is Content of Communication
Even when streaming voice is encrypted, it is possible to determine what is said via a side-channel attack by knowing the *packet size* of the VoIP stream. A variable bit-rate for the encoder/decoder leaks information as to what is said, which is revealed by the packet size. See Bruce Schneier: http://www.schneier.com/blog/archives/2008/06/eavesdropping_o_2.html

Thus, packet size is not metadata, it is content.
[ link to this | view in thread ]
mmrtnt (profile), 6 Aug 2013 @ 12:16pm

Declan McCullagh at CNET has uncovered yet another surveillance program aimed at collecting vast amounts of data...

So when will Declan be leaving for Russia?
[ link to this | view in thread ]
Adirondack, 6 Aug 2013 @ 12:33pm

This extreme violations of rights needs to get to the Supreme Court immediately. The government has no right to track every single person, or record every email, chat, and website a person visits without probable cause, and creating software to violate TOR or any other anon server.
Police cars recording every license plate and keeping data bases of where we go. We all cringed at 1984 , and we now live with government recording our movements, Internet, probably phones. Is there no limit to abuse of rights, freedom, liberty? Innocent until proven guilty have any meaning? Probable cause is gone out the window. Everyone needs to start using encrypted email so some government pervert isn't ogling pictures of our daughters and wives.
[ link to this | view in thread ]
Anonymous Coward, 6 Aug 2013 @ 1:02pm

Re: Re: While Techdirt front page has 200K of javascript, you should talk!
"I guess we know how really dumb you are now."

No we don't. I suspect the dumbness he displays is only the tip of the iceberg.

I sense more stupidity in this one.
[ link to this | view in thread ]
Stubinz, 6 Aug 2013 @ 4:35pm

Re: Re: Re: While Techdirt front page has 200K of javascript, you should talk!
But guess what? Thanks to FireFox CLEARLY bending over and letting the NSA shove the cock of tyranny up it's ass, with version 23 - you can no longer turn javascript off in the tools interface, and off course, it's on by default.
[ link to this | view in thread ]
Spooge, 6 Aug 2013 @ 4:42pm

Re:
Any such case would be rejected without comment. The NSA has dirt on every one of them, according to Mr. Tice.
[ link to this | view in thread ]
Anonymous, 6 Aug 2013 @ 4:47pm

Hey, you FBI guys...
Read THIS port, muthaf****s!
[ link to this | view in thread ]
Anonymous Coward, 6 Aug 2013 @ 6:33pm

So - these port readers basically stream unauthorized data ... and they want to make this a felony.
lol
[ link to this | view in thread ]
jingoi, 6 Aug 2013 @ 6:38pm

Re:
We can't depend on the system to take down this level of corruption. We need to humiliate those who support the NSA and other 1% bullshit in the most painful and disgusting ways.
[ link to this | view in thread ]
Anonymous Coward, 6 Aug 2013 @ 9:52pm

Re: Re: Re: Re: While Techdirt front page has 200K of javascript, you should talk!
And that's what FlashBlock is for. All java is off by default.
[ link to this | view in thread ]
aldestrawk (profile), 6 Aug 2013 @ 10:19pm

Re: Contempt of Court
Sshh..., It's a threat, don't give it away.
[ link to this | view in thread ]
aldestrawk (profile), 6 Aug 2013 @ 10:22pm

Re: Packet Size is Content of Communication
one protocol's metadata is another protocol's content.
[ link to this | view in thread ]
Anonymous Howard (profile), 7 Aug 2013 @ 1:02am

Re: Re: Re: Re: Re: While Techdirt front page has 200K of javascript, you should talk!
I think you confuse java, javascript and flash..

Also, calling a programming language malware is just plain stupid (but that's what we expect from OOTB, right?).
[ link to this | view in thread ]
James, 7 Aug 2013 @ 6:11am

They didn't get into an FBI laptop, they got the list from iOS developer BlueToad.
[ link to this | view in thread ]
John Fenderson (profile), 7 Aug 2013 @ 9:54am

Re: Re: Packet Size is Content of Communication
I fear that the less technical here may fail to recognize how true this is on many levels, including literally. "Metadata" is a relative term. Using it without explaining the context it appears in is meaningless.

This business of lying through using incomplete definitions has been really irritating me lately. It's an ancient rhetorical technique, but I've been seeing it so much more than usual over the last decade or so.
[ link to this | view in thread ]