FBI Pushing Real-Time Metadata-Harvesting 'Port Readers' On Service Providers

from the when-will-it-be-'enough'-data? dept

The FBI seems to be of the same mindset as the NSA -- it's better to have it all and not need it than to show any sense of restraint when it comes to harvesting data. Declan McCullagh at CNET has uncovered yet another surveillance program aimed at collecting vast amounts of data simply because the current legal climate allows it.

The U.S. government is quietly pressuring telecommunications providers to install eavesdropping technology deep inside companies' internal networks to facilitate surveillance efforts.

FBI officials have been sparring with carriers, a process that has on occasion included threats of contempt of court, in a bid to deploy government-provided software capable of intercepting and analyzing entire communications streams. The FBI's legal position during these discussions is that the software's real-time interception of metadata is authorized under the Patriot Act.

Attempts by the FBI to install what it internally refers to as "port reader" software, which have not been previously disclosed, were described to CNET in interviews over the last few weeks. One former government official said the software used to be known internally as the "harvesting program."

Isn't that great? Carriers don't know what effects the FBI's new toy will have on their systems and are perhaps even a little concerned that they're violating their customers' last remnants of privacy by allowing this, but turning down this "opportunity" means facing contempt charges. The situation presents only unappealing choices.

The FBI quickly responded with a statement declaring its actions to be "playing by the rules," as well as expressing its pure desire to help telecoms and service providers become better corporate citizens.

"Pen Register and Trap and Trace orders grant law enforcement the authority to collect dialing, routing, addressing, or signaling information associated with a target's communications. This information includes source and destination IP addresses and port numbers. In circumstances where a provider is unable to comply with a court order utilizing its own technical solution(s), law enforcement may offer to provide technical assistance to meet the obligation of the court order."

The FBI statement specifies "pen register" and "trap and trace," but the port readers gather far more information than the limited data available to those processes.

Federal law says law enforcement may acquire only "dialing, routing, addressing, or signaling information" without obtaining a wiretap. That clearly covers, for instance, the Internet Protocol address of a Web site that a targeted user is visiting. The industry-created CALEA standard also permits law enforcement to acquire timestamp information and other data.

But the FBI has configured its port reader to intercept all metadata -- including packet size, port label, and IPv6 flow data -- that exceeds what the law permits, according to one industry source.

Knowing that the FBI is harvesting much more than basic metadata calls into question the recent court decision declaring warrantless cell phone location tracking constitutional. According to the majority's argument, metadata created by phone usage is nothing more than a "business record." something that is freely available to law enforcement and intelligence agencies because it carries with it no reasonable expectation of privacy.

At what point is that "expectation" reestablished? If the court's argument holds for location data, it will likely hold for any sort of metadata created, no matter how specific it is. The same warrantless process is being used by the FBI to capture metadata on internet usage, email and phone information -- all without being challenged for privacy violations.

There's every indication that the FBI has had more metadata than pen registers/trap and trace were ever intended to harvest for quite some time now. Late last year, hackers broke into an FBI laptop which contained a .csv file full of iPhone users' data.

[The csv file contained] a list of 12,367,232 Apple iOS devices including Unique Device Identifiers (UDID), user names, name of device, type of device, Apple Push Notification Service tokens, zipcodes, cellphone numbers, addresses, etc.

Why an agent had the data of 12 million iPhone users stored on his laptop is inexplicable. According to the narrative, any "inadvertent" data gets swept into storage where it can only be "asked questions." This file dump shows the FBI isn't necessarily discarding or segregating "irrelevant" information, a problem that is only worsened by each additional form of "metadata" it scoops up.

At a bare minimum, the outdated laws applying to the limits of pen registers and trap and trace need to be updated, as does the general argument that phone users' interaction with their providers (via calls, internet usage, etc.) create nothing more than "business records." Continuing to ignore the fact that these agencies are abusing outdated laws to scoop up massive amounts of metadata on non-targeted users will only ensure this problem will get worse in the future.

Filed Under: fbi, metadata, port readers, privacy, surveillance, telcos