The FBI Might Do More Domestic Surveillance than the NSA

This is a long article about the FBI's Data Intercept Technology Unit (DITU), which is basically its own internal NSA.

It carries out its own signals intelligence operations and is trying to collect huge amounts of email and Internet data from U.S. companies -- an operation that the NSA once conducted, was reprimanded for, and says it abandoned.

[...]

The unit works closely with the "big three" U.S. telecommunications companies -- AT&T, Verizon, and Sprint -- to ensure its ability to intercept the telephone and Internet communications of its domestic targets, as well as the NSA's ability to intercept electronic communications transiting through the United States on fiber-optic cables.

[...]

After Prism was disclosed in the Washington Post and the Guardian, some technology company executives claimed they knew nothing about a collection program run by the NSA. And that may have been true. The companies would likely have interacted only with officials from the DITU and others in the FBI and the Justice Department, said sources who have worked with the unit to implement surveillance orders.

[...]

Recently, the DITU has helped construct data-filtering software that the FBI wants telecom carriers and Internet service providers to install on their networks so that the government can collect large volumes of data about emails and Internet traffic.

The software, known as a port reader, makes copies of emails as they flow through a network. Then, in practically an instant, the port reader dissects them, removing only the metadata that has been approved by a court.

The FBI has built metadata collection systems before. In the late 1990s, it deployed the Carnivore system, which the DITU helped manage, to pull header information out of emails. But the FBI today is after much more than just traditional metadata -- who sent a message and who received it. The FBI wants as many as 13 individual fields of information, according to the industry representative. The data include the route a message took over a network, Internet protocol addresses, and port numbers, which are used to handle different kinds of incoming and outgoing communications. Those last two pieces of information can reveal where a computer is physically located -- perhaps along with its user -- as well as what types of applications and operating system it's running. That information could be useful for government hackers who want to install spyware on a suspect's computer -- a secret task that the DITU also helps carry out.

[...]

Some federal prosecutors have gone to court to compel port reader adoption, the industry representative said. If a company failed to comply with a court order, it could be held in contempt.

[...]

It's not clear how many companies have installed the port reader, but at least two firms are pushing back, arguing that because it captures an entire email, including content, the government needs a warrant to get the information. The government counters that the emails are only copied for a fraction of a second and that no content is passed along to the government, only metadata. The port reader is designed also to collect information about the size of communications packets and traffic flows, which can help analysts better understand how communications are moving on a network. It's unclear whether this data is considered metadata or content; it appears to fall within a legal gray zone, experts said.

[...]

The Operational Technology Division also specializes in so-called black-bag jobs to install surveillance equipment, as well as computer hacking, referred to on the website as "covert entry/search capability," which is carried out under law enforcement and intelligence warrants.

[...]

But having the DITU act as a conduit provides a useful public relations benefit: Technology companies can claim -- correctly -- that they do not provide any information about their customers directly to the NSA, because they give it to the DITU, which in turn passes it to the NSA.

There is an enormous amount of information in the article, which exposes yet another piece of the vast US government surveillance infrastructure. It's good to read that "at least two" companies are fighting at least a part of this. Any legislation aimed at restoring security and trust in US Internet companies needs to address the whole problem, and not just a piece of it.
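To make the metadata-versus-content split the article describes concrete, here is an added Python example (not code from this post or from the article it quotes) that pulls the route hops out of a message's Received: headers, the same "route a message took" plus IP addresses and, where a relay recorded one, the client port, and keeps the body on the content side. It skips a malformed Received: line rather than failing on it. The sample message, hostnames and addresses are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample message (not from the page): two real hops plus one
# malformed Received: line, so the parser's tolerance of junk headers is visible.
SAMPLE_MESSAGE = """\
Received: from mail.example.net (mail.example.net [192.0.2.10])
\tby mx.example.org with ESMTPS id abc123
\tfor <bob@example.org>; Tue, 26 Nov 2013 06:29:00 -0500
Received: garbage without any recognizable structure
Received: from [198.51.100.7] (client.example.net [198.51.100.7]:51234)
\tby mail.example.net with ESMTP; Tue, 26 Nov 2013 06:28:30 -0500
From: alice@example.net
To: bob@example.org
Subject: lunch
Date: Tue, 26 Nov 2013 06:28:00 -0500

Let's meet at noon. This is the body, i.e. content.
"""

# "from <host> (<reverse-dns> [<ip>](:<port>)) by <host>" is the common shape
# of a Received: clause; the folded continuation lines are just whitespace.
HOP_RE = re.compile(
    r"from\s+(?P<from>\S+)"               # host the relay says it received from
    r"(?:\s+\((?P<reverse>[^)]*)\))?"     # optional "(name [ip]:port)" block
    r"\s+by\s+(?P<by>\S+)",               # relay that added this header
    re.IGNORECASE,
)
IP_RE = re.compile(r"\[(?P<ip>[0-9a-fA-F.:]+)\](?::(?P<port>\d{1,5}))?")


def parse_received(value):
    """Parse one Received: header value into a hop dict, or None if malformed."""
    m = HOP_RE.search(value)
    if not m:
        return None
    hop = {"from": m.group("from"), "by": m.group("by"),
           "ip": None, "port": None, "date": None}
    ipm = IP_RE.search(m.group("reverse") or "")
    if ipm:
        hop["ip"] = ipm.group("ip")
        # The client port is only present if this relay chose to log it.
        hop["port"] = int(ipm.group("port")) if ipm.group("port") else None
    # The timestamp follows the last ';' by convention; tolerate a bad one.
    if ";" in value:
        try:
            hop["date"] = parsedate_to_datetime(value.rsplit(";", 1)[1].strip())
        except (TypeError, ValueError):
            pass
    return hop


def split_metadata_and_content(raw):
    """Return (metadata, content) for a raw RFC 5322 message.

    Received: headers are prepended by each relay, so the list is reversed
    to give the hops in the order the message actually travelled.
    """
    msg = message_from_string(raw)
    hops, malformed = [], 0
    for value in msg.get_all("Received", []):
        hop = parse_received(value)
        if hop is None:
            malformed += 1          # skipped, not fatal: junk headers happen
        else:
            hops.append(hop)
    hops.reverse()
    metadata = {
        "from": msg.get("From"),
        "to": msg.get("To"),
        "date": msg.get("Date"),
        "route": hops,
        "malformed_received": malformed,
    }
    # The subject line is treated here as content (an assumption for this
    # example); the body is content in any reading.
    content = {"subject": msg.get("Subject"), "body": msg.get_payload()}
    return metadata, content


if __name__ == "__main__":
    meta, body = split_metadata_and_content(SAMPLE_MESSAGE)
    for hop in meta["route"]:
        print(f"{hop['from']} -> {hop['by']}  ip={hop['ip']} port={hop['port']}")
    print("malformed Received headers skipped:", meta["malformed_received"])
```

Transport-layer fields such as packet sizes and flow records are not in the message at all; a collector on the wire gets them from the TCP/IP layer, which is why they sit outside what header parsing alone can show.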

Posted on November 26, 2013 at 6:29 AM • 32 Comments

Comments

Biafra • November 26, 2013 7:55 AM

Yep, and one Mr Hector Xavier 'Sabu' Monsegur is still doing black bag jobs for the FBI, much to Ross Ulbricht's chagrin. After the FBI had the CIA director turfed through political blackmail of exposing his mistress I assumed they had become NSA 2.0

Tom T. • November 26, 2013 8:50 AM

FDR was the first to use the FBI for domestic political espionage. After the COINTEL era folks thought it was...over.

No way. Their power as THE secret police has increased immensely.

I am surprised the FBI has had such an easy ride so far. As I recall the new director, Comey, said he would be proud to lead a "domestic intelligence agency".

And of course, let not reality get in the way, for example, the numerous plots thwarted by the FBI that were planned by their own informants, the Boston fumble and don't even ask how the Boston Buddy got killed...that's top secret.

We are all targets, prey, adversaries, the enemy, bad guys, crooks, suckers and sheep in the eyes of our government/corporate masters, now.

Likely there is no way to stop it in the foreseeable future. Indeed most people don't know or care what's happening right in front of them and they don't understand what they are doing so wrong to deserve a massively lowered life style and freedom to do just about anything.

It's for our own good they say.

Is it?

Winter • November 26, 2013 9:08 AM

@Tom T.
"Indeed most people don't know or care what's happening right in front of them and they don't understand what they are doing so wrong to deserve a massively lowered life style and freedom to do just about anything."

It is a sad truism:
Every people get the government they deserve

Whenever I question "foreigners" about it, it is clear to me why they deserve their government, but they themselves never see it.

But I am guilty too. I do not see what I do to deserve my government. But there must be something.

Winter • November 26, 2013 9:11 AM

And here is an update:

UPDATE: Encrypt the Web Report: Who's Doing What
https://www.eff.org/deeplinks/2013/11/encrypt-web-report-whos-doing-what

With that in mind, EFF has asked service providers to implement strong encryption. We would like to see encryption on every step of the way for a communication on its way to, or within, a service provider’s systems.

For starters, we have asked companies to encrypt their websites with Hypertext Transfer Protocol Secure (HTTPS) by default. This means that when a user connects to their website, it will automatically use a channel that encrypts the communications from their computer to the website.

We have also asked them to flag all authentication cookies as secure. This means cookie communications are limited to encrypted transmission, which directs web browsers to use these cookies only through an encrypted connection. That stops network operators from stealing (or even logging) users' identities by sniffing authentication cookies going over insecure connections.

Rolf Weber • November 26, 2013 9:22 AM

As a sidenote, maybe it's helpful for somebody:
To avoid the paywall, you can download the pages with wget and then open the local files.

From reading the published Lavabit court documents, I'm quite sure about two facts:
1. Before a port reader is installed, the government first tries to ask the provider to produce the data with his own means.
2. The port reader is installed for a limited time only (ordered by the court).

What I still ask myself:
We know that the government can force the provider to hand over encryption keys, so that the port reader really can read everything.
But what happens if PFS is enabled? Is the port reader capable of man-in-the-middle attacks? I mean technically and legally.

joe • November 26, 2013 9:42 AM

"The data include the route a message took over a network, Internet protocol addresses, and port numbers, which are used to handle different kinds of incoming and outgoing communications. Those last two pieces of information can reveal where a computer is physically located -- perhaps along with its user -- as well as what types of applications and operating system it's running."

1) Since when do e-mail headers contain port numbers (which one would assume would be 25, most of the time) in addition to IP addresses?
2) How does a port number reveal the physical location of a computer?
3) How do you go from knowing the port that the SMTP client is running on to knowing which ports are open on the client machine?

If they are indeed getting this last piece of information, they must be getting it in some other, more invasive way. They're not going to find it in e-mail headers...

NobodySpecial • November 26, 2013 10:00 AM

At some point 100% of the USA will be busy spying on the rest of the USA - the rest of the world will be safe.

kashmarek • November 26, 2013 10:19 AM

The long article is behind a paywall whose registration window would not close unless you registered or vacated their web site.

Brian M. • November 26, 2013 10:22 AM

With that in mind, EFF has asked service providers to implement strong encryption. We would like to see encryption on every step of the way for a communication on its way to, or within, a service provider’s systems.

Let's see:
service | tee NSA | tee FBI | tee WHOEVERELSE | user

Yes, encryption is always effective...

Anybody else notice the article about Snowden's alleged doomsday file?

The data is protected with sophisticated encryption, and multiple passwords are needed to open it, said two of the sources, who like the others spoke on condition of anonymity to discuss intelligence matters. The passwords are in the possession of at least three different people and are valid for only a brief time window each day, they said. The identities of persons who might have the passwords are unknown.

Somebody needs a better script writer.

Jackson • November 26, 2013 11:06 AM

Encrypt everything will set the stage for something far worse.

Besides, who cares if Dropbox encrypts your stuff - they have the keys. And you will never know if and when they turned them over, and what about insiders? They want to encrypt it for you so they can dedupe and index. Sure, you can encrypt it yourself, but then you have the same endpoint problem to deal with.

When these guys talk about encrypting your stuff, it's all about control and who gets blamed when something goes wrong. When they say "we can't even see your stuff" it's really about, "it's your fault, you had the keys."

Sofakinbd • November 26, 2013 11:16 AM

kashmarek, Safari's Reader button allows you to read it without registering. I imagine using Readability might as well. Hitting escape to stop the load works too. There are many ways around the basic annoyance.

-Sofa

Clive Robinson • November 26, 2013 1:02 PM

@ Brian M.,

    Somebody needs a better script writer.

I also found this unattributed quip funny,

    One former senior U.S. official said that the Chinese and Russians have cryptographers skilled enough to open the cache if they find it.

The British Government has gone to court after in effect plundering by way of piracy (in the old sense) the possessions of Mr Greenwald's partner and claimed by way of hearsay various things about the strength of the encryption used as a reason for not returning the items they have taken.

Are the likes of the NSA and GCHQ really that unskilled at breaking encryption compared to the "skilled" Chinese and Russian cryptographers, and if so how will that play out in court ;-)

Also the idiotic self serving comments of Louise Mensch (Ex British Conservative Party MP for Corby and wife of US rock promoter Peter Mensch) who has a history of making rather inappropriate and ill thought out comment both verbally and on twitter. Although unlike the wife of the house of commons speaker (who has "flapped her fingers" and got found guilty in court and had to pay damages) the delightless and lackluster Mensch appears to prefer to pick on those who can't defend themselves in court...

Skeptical • November 26, 2013 1:11 PM

The FBI has about 35,000 employees to handle investigations ranging from government corruption to kidnapping to counterintelligence to terrorism. They gather evidence of criminal activities for prosecution, and do so according to the law. Any such evidence, when used in a prosecution, can be tossed if it was illegally obtained.

Describing them as though they're some American version of the Stasi, or some enabler of the transformation of the US into a Panopticon, is a bit much isn't it?

I'd expect there to be significant gray area as to what constitutes metadata with respect to electronic communications. Litigation and legislation will draw the lines within the areas; that's how the system works. I'd expect to see the FBI take a more expansive view of metadata, and I'd expect companies (and, more certainly, the defense attorneys of anyone prosecuted using such evidence) to challenge that expansive view. And an independent judiciary will decide, though Congress can choose to draw some lines of its own if it so desires.

Bob Robertson • November 26, 2013 1:35 PM

Obviously, the "government corruption" investigative department isn't working.

This whole thing makes me want BitMessage development to get better.

John F • November 26, 2013 1:57 PM

@skeptical

Any such evidence, when used in a prosecution, can be tossed if it was illegally obtained.

Assuming, of course, that you can afford to pay sufficient legal fees to get to that point.

That's a dangerous assumption. The vast majority of the US Proletariat^Wpopulation don't have sufficient resources available to pay an attorney for the 5-10 years it can take to make its way through the court system.

The reality is, if you pop up on the radar of the US Government and you're not extremely wealthy and/or news worthy with a sympathetic public, you have two options available to you to help you and your family possibly avoid financial ruin: a plea bargain or death.

So yes, in theory, you can get a fair trial and get inadmissible evidence thrown out, clear your name, etc. In reality, the judicial system in the US has completely and utterly failed.

Brian M. • November 26, 2013 2:26 PM

@Clive Robinson
Are the likes of the NSA and GCHQ really that unskilled at breaking encryption compared to the "skilled" Chinese and Russian cryptographers, and if so how will that play out in court ;-)

Well, they did need the password that David Miranda carried on a piece of paper to decrypt some of the files on the USB drive. Maybe the Russian and Chinese spooks would use a binary editor to view the plaintext password in ZIP files.

But of course, it does depend which court would hold a hearing. If Snowden were in a US court, he'd be put in a small cell for life. Since he's sitting in Russia for a while, it won't be a Russian court. A Chinese court would just shuffle him back to the US if it bothered to do anything with him at all.

It will be interesting to see what happens to him next year after his asylum in Russia runs out.

anonymous • November 26, 2013 2:43 PM

> It is a sad truism:
> Every people get the government they deserve

The problem is that I get the government other people deserve.

Snowman • November 26, 2013 3:13 PM

@anonymous quoting someone else here
> It is a sad truism:
> Every people get the government they deserve

That is not even a truism, really. It is just a dumb myth created to justify the fact that rulership is actually unsolvable.

It is like the Hindu answer to the question "why is there suffering?" A Hindu might answer "every person gets the life they deserve".

Thus: no need to change anything. And realistically speaking, how could you even?

Clive Robinson • November 26, 2013 3:39 PM

@ Snowman,

    As if that sort of condemnation now would have any effect...but if it did I would not mind them condemning the government surveillance.

The Holy See made surveillance / spying "the second oldest profession"; remember their roots go back through the Holy Roman Empire through the Roman Empire to times effectively before the written record in Europe. Without "church" surveillance and spying they could not control their flock to profit from them, which is a similar business model to google / facebook etc. They are no more going to vote for it to end than turkeys are going to vote for Xmas.

Matt from CT • November 26, 2013 3:46 PM

>Any such evidence, when used in a prosecution, can be tossed if it
>was illegally obtained.

Oh naive one. You don't tell the court, or even the prosecutor, about illegal evidence. It's called evidence laundering and happens routinely. Just like money laundering, you conceal the source of the original lead with a new source that is clean.

The laundering may be done to protect legitimately obtained information, for instance an undercover officer. I-84 at the CT/MA border routinely has stories about a speeding car, Trooper pulls it over, another Trooper is nearby with a drug sniffing dog, wow, holy smokes...major drug bust! It's a pretty nice road for pulling people over on too -- wide shoulders, traffic is usually modest for the size of the highway, not much of a risk of creating an accident should someone try to flee.

Do you think for a second most of those busts are just coincidence? Or rather word comes down to look for a certain vehicle, perhaps including license plates, and any traffic violation becomes the pretext for the stop.

My immediate area we have a State Police "Quality of Life Task Force" that pinches the minor drug dealers distributing in the area, and the method is the same -- gee, a traffic violation! Hey, we have a drug sniffing canine on duty tonight, let's bring him over...why lookey here a hit! The press releases ooze evidence laundering because you don't just get that lucky.

That same process of evidence laundering, creating a plausible second source of the information other than the original confidential source, can work for anything else you desire.

Dirk Praet • November 26, 2013 6:22 PM

@ Rolf Weber, @ kashmarek, @ Sofakinbd

Firefox: Adblock Plus, Ghostery, NoScript
Opera: Adblock Plus, Ghostery, Scriptweeder

-> No paywall/registration

@ Matt from CT, @ John F, @ Skeptical

Any such evidence, when used in a prosecution, can be tossed if it was illegally obtained.

I believe we have recently heard of similar evidence laundering with the NSA sharing certain information with the Special Operations Division of the DEA and with the IRS. Anybody who wants to stake his/her life/fortune on the prosecution playing nice, please raise your hand. What, no takers?

@ Clive

Recommended reading: "The Entity: Five Centuries of Secret Vatican Espionage" by Eric Frattini.

@ Jackson

Encrypt everything will set the stage for something far worse.

Like what ? Taking matters into your own hands because you know you can't trust your service/cloud provider ?

If you're putting any confidential data into Dropbox, you add a second encryption layer using Truecrypt, Boxcryptor or other solutions. Same goes for Skydrive, Google Drive and the likes.

@ Brian M.

The data is protected with sophisticated encryption, and multiple passwords are needed to open it ...

Which would suggest he's been using Shamir's Secret Sharing Scheme, probably in combination with something like Tomb or Truecrypt. A wise choice, I think.

TF • November 26, 2013 9:58 PM

@Bob Robertson:

This whole thing makes me want BitMessage development to get better.

You should look at I2P-Bote. It has a solid foundation (I2P) and a better design (DHT). The only potential problem is its use of the NIST curves.

Guy_In_A_Diner • November 27, 2013 12:00 AM

"F!@# these guys."

This government has completely fallen apart. Cut their budgets, lay them off, and leave them in rags.

So how do we achieve the goal of shutting down the surveillance machine? There are technical solutions. Why are the political solutions so difficult to attain?

Aspie • November 27, 2013 1:55 AM

Google seems to be determined to help them. Why skulk in the shadows about sharing user data when you can just modify the TOS and share without fear of a backlash.

When I created a pristine gmail account, not so very long ago, I sent no mail to or from it. Within a week I began to get regular requests to upload a profile photo.

After a couple of months the requests mysteriously stopped and the account has gone quiet. Another gmail account (now deleted) was getting regular messages listing the other people I "may know" on Google.

Not content with connecting the dots, they're actually bragging about it. I found it quite sinister. Rather like a shoe salesman turning up on my doorstep and asking me how my friends are.

Michael Moser • November 27, 2013 6:53 AM

Very similar to what Russia is doing:

http://en.wikipedia.org/wiki/SORM

"According to some reports, under SORM-2 Russian Internet service providers (ISPs) must install a special device on their servers to allow the FSB to track all credit card transactions, e-mail messages and web use. The device, which has been estimated to cost $10,000-$30,000, must be installed at the ISP's expense. Other reports note that some ISPs have had to install direct communications lines to the FSB and that costs for implementing the required changes were in excess of $100,000."

Skeptical • November 27, 2013 8:36 AM

Matt, Dirk,

Without getting into the thicket of discovery rules and obligations in criminal cases, the issues touched on by the Reuters story are more complicated than the article describes. The SOD material likely concerns intelligence gathered from persons or things other than the individual arrested, and unless the state used that intelligence as the legal basis for effecting a search of the individual arrested or used that intelligence in trial, or the material is relevant to the defense, it's not necessarily the case that the defendant has a right to that material. Nor is it necessarily improper to seek alternative avenues of inquiry if one does not wish to rely upon that material to obtain warrants or in a prosecution. But it's very important that the prosecutor be aware of the role the material played in the investigation, as the prosecutor determines what is discoverable material and what is not. The instance of the DEA agent lying to the prosecutor is an example of misconduct.

By contrast, if the electronic surveillance is performed on the individual arrested, then the fact of it will almost certainly have to be disclosed, and there are regulations and procedures for doing so where the surveillance is of a classified nature (see the Classified Information Procedures Act and the synopsis of its substance and use in the USDOJ's US Attorneys' Manual). I saw nothing in the Reuters story alleging otherwise. If the surveillance conducted upon the defendant arguably violated the defendant's constitutional rights, and that surveillance led investigators to evidence, then it would be a clear and shocking violation for the fact of it not to be disclosed to the defendant.

There are bad prosecutors and there are bad agents, who will lie and disregard their sworn obligations. Who will commit clear and shocking violations of civil rights, professional duties, and ethical obligations. No question. Is that common practice? No, in my opinion, though the exceptions can readily be found in appellate opinions, journalism, and, yes, in the convictions obtained through investigations conducted by the FBI into government corruption. Even in the Reuters story, note that the prosecutor was outraged by the DEA agent's deception and refused to use the evidence tainted by it.

I think what we're concerned about is the scenario where the government sneaks into your house without a warrant, looks around, stumbles upon the box of cash tips from your bartending job that you never declared on your income tax forms, and then orders the IRS to come up with an alternative justification for conducting an audit and asking very particular questions about your tips.

And to the extent that agents are deliberately hiding investigative activities from prosecutors, I would agree that there's greater risk that gray-area practices resulting in evidence could receive less judicial scrutiny than they otherwise would. So, I'm looking forward to hearing more about this as at least two investigations into this subject move forward and report their findings. I doubt there will be any constitutional violations, but I think it's at least plausible that zeal for protecting sources and methods, and compartmentalizing knowledge about them, may have resulted in incomplete disclosure to prosecutors about the nature of the case they're handling.

But I think the chances are very slim that abuses such as we saw back in the 50s, 60s, and 70s continue to occur on an institutional or widespread level today.

Comrade Misfit • November 27, 2013 10:19 AM

Any such evidence, when used in a prosecution, can be tossed if it was illegally obtained.

Bad assumption. They will "walk the cat back" to the point where they can say that they discovered the trail leading to the evidence by legal means. It is a technique called "parallel construction". You will never know that the evidence they are presenting was generated by illegal means.

65535 • November 28, 2013 1:13 AM

Since I am far down the thread I make my observations to the point.

It’s now clear that CALEA is the ultimate loophole for the NSA. CALEA links to the FBI, DEA, and the NSA’s PRISM database.

I doubt the lawmakers envisioned such expansive domestic surveillance. Further, it appears that CALEA has dramatically expanded. The “Port Reader” software coupled with 13 different information fields is in a very “grey” area.

[Cnet]

'For criminal investigations, police are generally required to obtain a wiretap order from a judge to intercept the contents of real-time communication streams, including e-mail bodies, Facebook messages, or streaming video. Similar procedures exist for intelligence investigations under the Foreign Intelligence Surveillance Act, which has received intense scrutiny after Edward Snowden's disclosures about the National Security Agency's PRISM database.'

‘There's a significant exception to both sets of laws: large quantities of metadata can be intercepted in real time through a so-called pen register and trap and trace order with minimal judicial review or oversight. That metadata includes IP addresses, e-mail addresses, identities of Facebook correspondents, Web sites visited, and possibly Internet search terms as well… Federal law says law enforcement may acquire only "dialing, routing, addressing, or signaling information" without obtaining a wiretap. That clearly covers, for instance, the Internet Protocol address of a Web site that a targeted user is visiting. The industry-created CALEA standard also permits law enforcement to acquire timestamp information and other data.’

‘But the FBI has configured its port reader to intercept all metadata -- including packet size, port label, and IPv6 flow data -- that exceeds what the law permits, according to one industry source…’

‘"The statute hasn't caught up with the realties of electronic communication," says Colleen Boothby, a partner at the Washington, D.C. firm of Levine, Blaszak, Block & Boothby who represents technology companies and industry associations. Judges are not always in a position, Boothby said, to understand how technology has outpaced the law. ‘

I will agree with Colleen Boothby that old crusty “…Judges are not in the position to understand how technology has outpaced the law.” –See Cnet

@ joe

“1) Since when do e-mail headers contain port numbers (which one would assume would be 25, most of the time) in addition to IP addresses?"

"2) How does a port number reveal the physical location of a computer?"

"If they are indeed getting this last piece of information, they must be getting it in some other, more invasive way.”

Good question. What else does this FBI “Port Reader” software do?

I will say that LAMP servers with blog software top-ends in some cases initially listen on port 80 and then move the communication to a dynamic port up the range to allow another client to initiate a new communication link on port 80. This new communication also can be moved to a dynamic port.

The same may hold true for SMTP email servers (and if those dynamic ports are captured and time stamped they could provide a finger print of the client machines - how it's done is a question).

@ Comrade Misfit

“Bad assumption. They will "walk the cat back" to the point where they can say that they discovered the trail leading to the evidence by legal means. It is a technique called "parallel construction". You will never know that the evidence they are presenting was generated by illegal means.”

I agree. The US legal system is very difficult to take on. Parallel construction is hard to detect. Further, it is a sign of how unjust (or corrupted) the system has become.

@ Guy_In_A_Diner

“This government has completely fallen apart. Cut their budgets, lay them off, and leave them in rags.”

I agree. This seems to be the only quick way stop this runaway train.

Until Gen. Alexander and Clapper are removed from their privileged positions there will be no reforms (both have proven to be liars).

It’s unfortunate to note that Diane Feinstein promised to reform the NSA but did the opposite. Feinstein stabbed her voters in the back and cemented mass surveillance practices in place for the foreseeable future.

Moving to encryption, to make the cost of mass surveillance high (in Bruce’s terms), it does appear that Google and YouTube can be accessed via HTTPS.

But, will the encryption be by-passed as Google’s encryption was by the NSA’s tapping of the unencrypted Level 3 lines? Likewise, as the Guardian says:

“The [NSA] agency already had pre-encryption stage access to email on Outlook.com, including Hotmail.” –Guardian

http://www.theguardian.com/world/2013/jul/11/...

How useful is Google’s and YouTube’s encryption? How will CALEA, the FBI’s “Port Reader” and NSA's Prism factor into the equation?

jim • November 28, 2013 11:38 AM

W/r/t the tenuous claim that no warrant is needed b/c the full email is only stored for the fractional second it takes to pull the header, what happens if there is a malformed header? Without knowing whatever exception handling this system has, theoretically could you thwart a system like this by passing junk headers around that the recipient expects but any other system barfs on?
