February 1, 2007

When the FBI announced two years ago that it no was longer using its controversial Carnivore Internet surveillance software -- in fact, hadn't used it since 2003 -- it seemed like an important victory for privacy advocates. The FBI was instead relying on Internet service providers to provide agents with information on targeted individuals, including e-mail exchanges and Web-browsing activity. To privacy groups, this was a small step up from Carnivore, since Carnivore could, in practice if not in legal right, capture any electronic communication it wanted. The idea was that at least the ISP could stand as a wall between the FBI and the people who used the Internet for purposes other than terrorist activity. It could, in theory, filter out everything except what was explicitly called for in the FBI's court order. (When the ISP refuses to provide the information the FBI wanted, the FBI simply resorts to commercially available surveillance software that is actually much more technically advanced than Carnivore. But still.)

What has come out only recently via CNET is that the information-gathering techniques employed in the ISP-based surveillance approach may actually be more invasive and far-reaching than Carnivore ever was. According to CNET reporter Declan McCullagh, the FBI is now using a "vacuum cleaner" method of surveillance. This means that if you happen to share an ISP with a suspected terrorist, your personal e-mails and your browsing history might be sitting in an FBI database alongside the suspected terrorist's.

What we're talking about here is "full-pipe recording." In this method of surveillance, the information the FBI collects goes far beyond the targets listed in the court order it obtained.

­When the FBI supplies one or more ISPs with all the information it has on a targeted individual, ideally the ISP then gives the FBI all of the information that individual is uploading or downloading via the ISP's network. The ISP programs its networks to flag, for instance, an e-mail message travelling to the IP address associated with the surveillance target. The network then knows to grab this message when it reaches one of the ISP's network hubs. All of these snagged e-mails are then turned over to the FBI. This is all perfectly legal according to digital wiretapping laws.

The problem that has come to light may have already occurred to you if you've been using the Internet for more than five minutes: IP addresses can be disguised, and apparently no one uses his real name (or even his criminal alias) online. Just ask MySpace. Or ask the programmers who build spam-filtering software that catches maybe 1 percent of the spam attempting to slam our inboxes every day. So what's the FBI to do when the ISPs can't identify the IP address associated with a particular suspect? According to CNET and its sources, which include current and former FBI agents and at least one former employee of the Justice Department's Computer Crime and Intellectual Property Section, the agency just takes everything and sorts it out back at home.

In this funneling approach, if the FBI requests everything an ISP has on a surveillance target, and the ISP is unable to identify the IP address associated with that target, the FBI takes entire chunks of data from the ISP's network database and looks through it for the information it needs. This data could include communications and Web-surfing histories on people not named in the court order and not suspected of any crime.

As posted on reporter Declan McCullagh's CNET blog, the Justice Department has responded to CNET's report with a denial that the FBI is collecting information on individuals not listed on a court order. The agency claims that the FBI is adhering to electronic surveillance laws and makes every effort at "minimization," an edict requiring law-enforcement bodies to take the least amount of information possible and get rid of any non-relevant communications immediately when conducting surveillance of a targeted individual. Responding to the "vacuum cleaner" characterization of its surveillance technique, Justice Department spokesman Dean Boyd explained that when an ISP cannot identify a targeted individual, the FBI performs automated "real-time filtering" on mass amounts of information in order to weed out irrelevant information. And since it's automated, no actual person is reading your filtered-out e-mail messages. Once a computer program deems them unrelated to the surveillance target, Boyd says, they are instantly deleted from the FBI's system.

If you are worried about how you are perceived in your emails, then click here to learn more about e-mail etiquette.

For more information on electronic surveillance and related topics, check out the links on the following page.