Revise the Maryland Wiretap Law?
As I said in this piece in the Baltimore Sun, Maryland police officers are misusing that state’s wiretap law to deter anyone who would film them performing their duties. Maryland officers have asserted that any audio recording of a conversation, even in a public place, is a violation of the state’s wiretapping law and a felony punishable by five years in prison and a $10,000 fine. Officers made this claim to deter filming of an arrest at the Preakness, and when motorcyclist Anthony Graber videotaped his traffic stop.
As Radley Balko points out, the officers’ reading of the law is out of step with the language of the statute itself and Maryland rulings interpreting the scope of the law. Is it time for a revision of this law, or is it just the officers’ interpretation that is the problem? I discussed this on the Kojo Nnamdi Show with the prosecutor pressing charges against Anthony Graber, State’s Attorney Joseph Cassilly, and Graber’s lawyer, David Rocah of the Maryland ACLU.
How Much Government Snooping? Google It Up!
The secrecy surrounding government surveillance is a constant source of frustration to privacy activists and scholars: It’s hard to have a serious discussion about policy when it’s like pulling teeth to get the most elementary statistics about the scope of state information gathering, let alone any more detailed information. Even when reporting is statutorily required, government agencies tend to drag their heels making statistics available to Congress — and it can take even longer to make the information more widely accessible. Phone and Internet companies, even when they join the fight against excessive demands for information, are typically just as reluctant to talk publicly about just how much of their customers’ information they’re required to disclose. That’s why I’m so pleased at the news that Google has launched their Government Requests transparency tool. It shows a global map on which users can see how many governmental demands for user information or content removal have been made to Google’s ever-growing empire of sites — now including Blogger, YouTube, and Gmail — starting with the last six months.
So far, the information up there is both somewhat limited and lacking context. For instance, it might seem odd that Brazil tops the list of governmental information hounds until you bear in mind that Google’s Orkut social network, while little-used by Americans, is the Brazilian equivalent of Facebook.
There are also huge gaps in the data: The United States comes in second with 3,580 requests from law enforcement at all levels, but that doesn’t include intelligence requests, so National Security Letters (tens of thousands of which are issued every year) and FISA warrants or “metadata” orders (which dwarf ordinary federal wiretaps in number) aren’t part of the tally. And since China considers all such government information requests to be state secrets — whether for criminal or intelligence investigations — no data from the People’s Republic is included.
Neither is there any detail about the requests they have counted — how many are demands for basic subscriber information, how many for communications metadata, and how many for actual e-mail or chat contents. The data on censorship is similarly limited: They’re counting governmental but not civil requests, such as takedown notices under the Digital Millennium Copyright Act.
For all those limits — and the company will be striving to provide some more detail, within the limits of the law — this is a great step toward bringing vital transparency to the shadowy world of government surveillance, and some nourishment to the data-starved wretches who seek to study it. We cannot have a meaningful conversation about whether censorship or invasion of privacy in the name of security have gone too far if we do not know, at a minimum, what the government is doing. So, for a bit of perspective, we know that U.S. courts reported a combined total of 1,793 (criminal, not intel) wiretaps sought by both federal and state authorities. Almost none of these (less than 1 percent) were for electronic interception.
This may sound surprising, unless you keep in mind that federal law establishes a very high standard for the “live” interception of communications over a wire, but makes it substantially easier — under some circumstances rather terrifyingly easy — to get stored communications records. So there’s very little reason for police to jump through all the hoops imposed on wiretap orders when they want to read a target’s e-mails.
If and when Google were to break down that information about requests — to show how many were “full content” as opposed to metadata requests — we would begin to have a far more accurate picture of the true scope of governmental spying. Should other major players like Yahoo and Facebook be inspired to follow Google’s admirable lead here, it would be better still. Already, though, that one data point from a single company — showing more than twice as many data requests as the total number of phone wiretaps reported for the entire country — suggests that there is vastly more actual surveillance going on than one might infer from official wiretap numbers.
Surveillance, Security, and the Google Breach
Yesterday’s bombshell announcement that Google is prepared to pull out of China rather than continuing to cooperate with government Web censorship was precipitated by a series of attacks on Google servers seeking information about the accounts of Chinese dissidents. One thing that leaped out at me from the announcement was the claim that the breach “was limited to account information (such as the date the account was created) and subject line, rather than the content of emails themselves.” That piqued my interest because it’s precisely the kind of information that law enforcement is able to obtain via court order, and I was hard-pressed to think of other reasons they’d have segregated access to user account and header information. And as Macworld reports, that’s precisely where the attackers got in:
That’s because they apparently were able to access a system used to help Google comply with search warrants by providing data on Google users, said a source familiar with the situation, who spoke on condition of anonymity because he was not authorized to speak with the press.
This is hardly the first time telecom surveillance architecture designed for law enforcement use has been exploited by hackers. In 2005, it was discovered that Greece’s largest cellular network had been compromised by an outside adversary. Software intended to facilitate legal wiretaps had been switched on and hijacked by an unknown attacker, who used it to spy on the conversations of over 100 Greek VIPs, including the prime minister.
As an eminent group of security experts argued in 2008, the trend toward building surveillance capability into telecommunications architecture amounts to a breach-by-design, and a serious security risk. As the volume of requests from law enforcement at all levels grows, the compliance burdens on telcoms grow also—making it increasingly tempting to create automated portals to permit access to user information with minimal human intervention.
The problem of volume is front and center in a leaked recording released last month, in which Sprint’s head of legal compliance revealed that their automated system had processed 8 million requests for GPS location data in the span of a year, noting that it would have been impossible to manually serve that level of law enforcement traffic. Less remarked on, though, was Taylor’s speculation that someone who downloaded a phony warrant form and submitted it to a random telecom would have a good chance of getting a response—and one assumes he’d know if anyone would.
The irony here is that, while we’re accustomed to talking about the tension between privacy and security—to the point where it sometimes seems like people think greater invasion of privacy ipso facto yields greater security—one of the most serious and least discussed problems with built-in surveillance is the security risk it creates.
A Chance to Fix the PATRIOT Act?
As Tim Lynch noted earlier this week, Barack Obama’s justice department has come out in favor of renewing three controversial PATRIOT Act provisions—on face another in a train of disappointments for anyone who’d hoped some of those broad executive branch surveillance powers might depart with the Bush administration.
But there is a potential silver lining: In the letter to Sen. Patrick Leahy (D-VT) making the case for renewal, the Justice Department also declares its openness to “modifications” of those provisions designed to provide checks and balances, provided they don’t undermine investigations. While the popular press has always framed the fight as being “supporters” and “opponents” of the PATRIOT Act, the problem with many of the law’s provisions is not that the powers they grant are inherently awful, but that they lack necessary constraints and oversight mechanisms.
Consider the much-contested “roving wiretap” provision allowing warrants under the Foreign Intelligence Surveillance Act to cover all the communications devices a target might use without specifying the facilities to be monitored in advance—at least in cases where there are specific facts supporting the belief that a target is likely to take measures to thwart traditional surveillance. The objection to this provision is not that intelligence officers should never be allowed to obtain roving warrants, which also exist in the law governing ordinary law enforcement wiretaps. The issue is that FISA is fairly loosey-goosey about the specification of “targets”—they can be described rather than identified. That flexibility may make some sense in the foreign intel context, but when you combine it with similar flexibility in the specification of the facility to be monitored, you get something that looks a heck of a lot like a general warrant. It’s one thing to say “we have evidence this particular phone line and e-mail account are being used by terrorists, though we don’t know who they are” or “we have evidence this person is a terrorist, but he keeps changing phones.” It’s another—and should not be possible—to mock traditional particularity requirements by obtaining a warrant to tap someone on some line, to be determined. FISA warrants should “rove” over persons or facilities, but never both.
DoJ Fails to Report Electronic Surveillance Activities
Unlike with wiretaps, law enforcement agents are not required by federal statutes to obtain search warrants before employing pen registers or trap and trace devices. These devices record non-content information regarding telephone calls and Internet communications. (Of course, “non-content information” has quite a bit of content – who is talking to whom, how often, and for how long.)
The Electronic Privacy Information Center points out in a letter to Senate Judiciary Committee Chairman Patrick Leahy (D-VT) that the Department of Justice has consistently failed to report on the use of pen registers and trap and trace devices as required by law:
The Electronic Communications Privacy Act requires the Attorney General to “annually report to Congress on the number of pen register orders and orders for trap and trace devices applied for by law enforcement agencies of the Department of Justice.” However, between 1999 and 2003, the Department of Justice failed to comply with this requirement. Instead, 1999-2003 data was provided to Congress in a single “document dump,” which submitted five years of reports in November 2004. In addition, when the 1999-2003 reports were finally provided to Congress, the documents failed to include all of the information that the Pen Register Act requires to be shared with lawmakers. The documents do not detail the offenses for which the pen register and trap and trace orders were obtained, as required by 18 U.S.C. § 3126(2). Furthermore, the documents do not identify the district or branch office of the agencies that submitted the pen register requests, information required by 18 U.S.C. § 3126(8).
EPIC has found no evidence that the Department of Justice provided annual pen register reports to Congress for 2004, 2005, 2006, 2007, or 2008. “This failure would demonstrate ongoing, repeated breaches of the DOJ’s statutory obligations to inform the public and the Congress about the use of electronic surveillance authority,” they say.
It’s a good bet, when government powers are used without oversight, that they will be abused. Kudos to EPIC for pressing this issue. Senator Leahy’s Judiciary Committee should ensure that DoJ completes reporting on past years and that it reports regularly, in full, from here forward.
Cato on Facebook
Cato on Twitter
Cato on Google+
Cato on YouTube
