FBI turns to broad new wiretap method

By Declan McCullagh, CNET News.com

The FBI appears to have adopted an invasive Internet surveillance technique that collects far more data on innocent Americans than previously has been disclosed.

Instead of recording only what a particular suspect is doing, agents conducting investigations appear to be assembling the activities of thousands of Internet users at a time into massive databases, according to current and former officials. That database can subsequently be queried for names, e-mail addresses or keywords.

Such a technique is broader and potentially more intrusive than the FBI’s Carnivore surveillance system, later renamed DCS1000. It raises concerns similar to those stirred by widespread Internet monitoring that the National Security Agency is said to have done, according to documents that have surfaced in one federal lawsuit, and may stretch the bounds of what’s legally permissible.

Call it the vacuum-cleaner approach. It’s employed when police have obtained a court order and an Internet service provider can’t “isolate the particular person or IP address” because of technical constraints, says Paul Ohm, a former trial attorney at the Justice Department’s Computer Crime and Intellectual Property Section. (An Internet Protocol address is a series of digits that can identify an individual computer.)

That kind of full-pipe surveillance can record all Internet traffic, including Web browsing–or, optionally, only certain subsets such as all e-mail messages flowing through the network. Interception typically takes place inside an Internet provider’s network at the junction point of a router or network switch.

The technique came to light at the Search & Seizure in the Digital Age symposium held at Stanford University’s law school on Friday. Ohm, who is now a law professor at the University of Colorado at Boulder, and Richard Downing, a CCIPS assistant deputy chief, discussed it during the symposium.

In a telephone conversation afterward, Ohm said that full-pipe recording has become federal agents’ default method for Internet surveillance. “You collect wherever you can on the (network) segment,” he said. “If it happens to be the segment that has a lot of IP addresses, you don’t throw away the other IP addresses. You do that after the fact.”

“You intercept first and you use whatever filtering, data mining to get at the information about the person you’re trying to monitor,” he added.

On Monday, a Justice Department representative would not immediately answer questions about this kind of surveillance technique. (Late Tuesday, the Justice Department responded with a statement taking issue with this description of the FBI’s surveillance practices.)

“What they’re doing is even worse than Carnivore,” said Kevin Bankston, a staff attorney at the Electronic Frontier Foundation who attended the Stanford event. “What they’re doing is intercepting everyone and then choosing their targets.”

When the FBI announced two years ago it had abandoned Carnivore, news reports said that the bureau would increasingly rely on Internet providers to conduct the surveillance and reimburse them for costs. While Carnivore was the subject of congressional scrutiny and outside audits, the FBI’s current Internet eavesdropping techniques have received little attention.

Carnivore apparently did not perform full-pipe recording. A technical report (PDF: “Independent Technical Review of the Carnivore System”) from December 2000 prepared for the Justice Department said that Carnivore “accumulates no data other than that which passes its filters” and that it saves packets “for later analysis only after they are positively linked by the filter settings to a target.”

9-7