
Protection from prying NSA eyes

A (Classified) proposal


Comment From the US Fourth Amendment, the Stored Communications Act and US wiretap laws to the Pen-register statute, Mark Rasch looks at legal protections available to the telecommunications companies and individual Americans in the wake of the NSA's massive spying program.

Imagine being the head of a major telecommunications company in the United States. You and your lawyers have developed a carefully worded privacy policy to conform with the law. In it you tell your customers that you do not share information about your customers' use of your services except for particular business purposes, and to ensure that the calls get through. You also tell your customers that you, of course, give information in response to lawful subpoenas or lawful mandates of law enforcement agencies. And that's about it.

One day, you receive a visit from agents of the National Security Agency (NSA), who make a formal "request" that you, as a patriotic American company, turn over records of telephone calls made by millions of customers in the interests of "national security". If you don't do it, the agent reminds you, you probably won't get those lucrative government contracts, and you certainly won't get any work with any classified government agencies. If you do it, you may open yourself up to class action litigation. What do you do?

Unfortunately, there currently is no way for you to go to any court and get a definitive ruling on what you are allowed – or required – to do. I propose that we open up the super-secret FISA court to allow private citizens or companies that receive requests or demands from the government to demand judicial intervention in a way that would protect national security, and act as a check and balance on any unlimited powers of the Executive Branch.

NSA monitoring millions of Americans

On Thursday, 11 May, USA Today disclosed that several US telephone companies gave over records relating to telephone calls made by millions of Americans to the National Security Agency in the wake of the events of 11 September, 2001.

We do not know the scope of this program. As reported to date, the government requested that various telephone companies turn over calling pattern information on millions of US origin telephone calls – these are reportedly calls that both originated and terminated in the United States.

At least one report has suggested that the program worked as follows: the government would have an al-Qaeda suspect, and would learn of telephone numbers he or she called, or merely possessed. If any of these telephone numbers were located in the United States, the NSA would then attempt to learn what these numbers were, and who these people had called. Thus, if you operate a local Domino's pizza, and received a call from someone who received a call from someone who the government suspected was associated with a terrorist, then Domino's would make it to the list of suspects.

The President has suggested that the program is more narrow than this, stating so in his weekly radio address on 13 May, 2006.

"It is important for Americans to understand that our activities strictly target al Qaeda and its known affiliates...The privacy of all Americans is fiercely protected in all our activities. The government does not listen to domestic phone calls without court approval. We are not trolling through the personal lives of millions of innocent Americans. Our efforts are focused on links to al Qaeda terrorists and its affiliates who want to harm the American people."

Does this mean that the records of telephone calls requested from the telephone companies were only those of al Qaeda and its known affiliates? Does that mean that the NSA neither sought nor received the records of phone calls of "millions of innocent Americans" so it could troll through them? Or does it mean that, while the government didn't listen in on purely domestic calls (where the source and destination were in the United States), the NSA might have obtained records of the calls made by many millions of other callers, but did so in order to "target" al Qaeda or others? Or that the President doesn't believe that reviewing the records of calls made and received constitutes "trolling" into a part of Americans' "personal lives"? Right now, we just don't know, and if the NSA has anything to say about it, we probably will never know.

Other reports indicate that the program may not have even been as narrow as suggested. It is possible that the NSA requested all calling data from the phone companies – that is every telephone number called by every other telephone number. Indeed, this would not be very different from what the government did with the airlines in the wake of 9/11, when it asked for records of every flight taken by every person in America, despite the fact that the airlines had promised they wouldn't give that information out.

In the airline case, at least one federal court held that these records, being records of the airlines themselves, could lawfully be turned over to the government (in that case, NASA, not the NSA), privacy policies notwithstanding. So it is altogether possible that the NSA has requested, and the phone companies have disclosed, records of every call made and received. Assuming this to be the case, is it illegal? The answer is not so clear.

Whose data is it anyway?

The reports to date tend to indicate that the records turned over to the NSA were records of telephone calls from numbers within the United States. This would essentially be "raw data" – for example, that telephone number (202) 555-1213 called telephone number (313) 555-0802 on a particular date, at a particular time, and that the conversation lasted for a particular period of time.

There are various laws that protect the privacy of telephone records in the United States. First and foremost, there is the Fourth Amendment which provides that:

The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.

For some reason, when this Amendment was drafted in 1791, the drafters left out the terms "telephone records" and "intercepted communications" and "Voice Over Internet Protocol". Possibly just an 18th Century oversight. Indeed, the United States Supreme Court initially found in 1928 that you can't "seize" a telephone call, and therefore the Fourth Amendment didn't apply to phone calls. It wasn't until 1967 that the Court finally realised that the Constitution protects the rights of privacy of persons, not just places, and therefore warrants were required if you wanted to listen in on the contents of communications.
