Protection from prying NSA eyes

A (Classified) proposal

Top 5 reasons to deploy VMware with Tegile

The law has always recognised a distinction between listening in on the contents of a communication and just looking at data about the conversation. It is for that reason that the postal inspectors are allowed to put a "mail cover on mail to record the outside information without a warrant.

The US wiretap law, contained in Title III of the Omnibus Crime Control and Safe Streets Act of 1968 (just called Title II for short) makes it illegal to intercept or disclose the contents of intercepted communications without an appropriate warrant, either for law enforcement purposes, or under the Foreign Intelligence Surveillance Act. For international telephone calls, the government has asserted that the inherent powers of the executive branch, or the 18 September, 2001 Authorisation for the Use of Military Force against those responsible for the attacks on the World Trade Centre, and the Pentagon as limited authority (or so they said at the time) to listen in on the contents of international communications if the President suspects (or more accurately, if some NSA employee suspects) that they are relevant to some terrorism investigation. This program was discussed previously.

Other US laws also regulate the improper disclosure of the contents of both telephone communications and electronic communications. These include the Electronic Communications Privacy Act (ECPA) and the Stored Communications Act. However, with the exception of the provisions of the SCA discussed below, these laws (like FISA and Title III) tend to focus on the contents of the communications – what was said or typed or emailed.

Wrapper information

So what if the government wants to know what telephone numbers you called, when you called them, and how long the calls lasted? The US Supreme Court, in a case called Smith v. Maryland in 1979 essentially said that the Fourth Amendment did not protect such data. You see, everybody knows, the Court reasoned, that the phone company keeps these records (unlike recording the contents of the communications). The Supreme Court noted:

"[W]e doubt that people in general entertain any actual expectation of privacy in the numbers they dial. All telephone users realise that they must 'convey' phone numbers to the telephone company, since it is through telephone company switching equipment that their calls are completed. All subscribers realise, moreover, that the phone company has facilities for making permanent records of the numbers they dial, for they see a list of their long-distance (toll) calls on their monthly bills. In fact, pen registers and similar devices are routinely used by telephone companies 'for the purposes of checking billing operations, detecting fraud, and preventing violations of law'...Electronic equipment is used not only to keep billing records of toll calls, but also 'to keep a record of all calls dialed from a telephone which is subject to a special rate structure'."

So, how could you expect this to be private? Even if YOU thought it might be private, the Supreme Court disabused you of this notion saying that you of course can't expect anything you give over to third parties (like the phone company) to be private. The court observed:

"When he used his phone, petitioner voluntarily conveyed numerical information to the telephone company and 'exposed' that information to its equipment in the ordinary course of business. In so doing, petitioner assumed the risk that the company would reveal to police the numbers he dialed. The switching equipment that processed those numbers is merely the modern counterpart of the operator who, in an earlier day, personally completed calls for the subscriber."

The problem with this analysis is its application then to the contents of, lets say emails or VoIP calls. You see, the contents of such communications are routinely "exposed" to the ISPs in the ordinary course of business. They are also routinely stored by the ISP as well – albeit for greater or shorter periods of time. While the laws noted above – mostly the ECPA and the SCA - protect the disclosure of these communications, applying the rationale of the Smith case apparently the Constitution of the United States wouldn't protect even these contents.

So does this mean that the numbers you call have no legal protection at all? Not so fast. Smith just decided that the Fourth Amendment didn't protect the numbers dialed. Congress stepped in and passed the Pen-register statute, which provided that it was illegal to install a "pen register" or "trap and trace" device (a device to record numbers dialed, etc.) without first obtaining a court order after a certification by a federal or state prosecutor, or under FISA.

However, these trap and trace statutes, either for national security under FISA or for criminal matters under the trap and trace statute, are more akin to a rifle than a shotgun. They are designed to obtain the calling records of a particular individual or small group of individuals, with a showing that the records are either relevant to a particular criminal investigation or anti-terrorism investigation. It is not designed to permit access to tens of thousands of such records (or millions) in the hope that they might later be helpful in some terrorism case. Besides, if there was a FISA warrant here, don't you think the government would have said so? It's pretty clear there was no trap and trace order, so the turning over the records was illegal, right? Not so fast. I love the law.

You see, there was no "trap and trace" or "pen register" installed on the phone company. In fact, the government did not even ask the phone company to create the massive databases which indicated what telephone numbers were dialed by whom and when. In fact, the phone company routinely does this on its own, for billing, call completion and anti-fraud purposes, and maybe even for load distribution, direct marketing, and other purposes as well. The law doesn't prohibit this. Indeed, the trap and trace law expressly states that it doesn't apply to a phone company or ISP's actions, "relating to the operation, maintenance, and testing of a wire or electronic communication service or to the protection of the rights or property of such provider, or to the protection of users of that service from abuse of service or unlawful use of service; or to record the fact that a wire or electronic communication was initiated or completed in order to protect such provider, another provider furnishing service toward the completion of the wire communication, or a user of that service, from fraudulent, unlawful or abusive use of service". Any lawyer with a subpoena can - and usually does – get copies of your phone bills. They are particularly useful to show things like adultery in divorce cases.

Choosing a cloud hosting partner with confidence


Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
How to determine if cloud backup is right for your servers
Two key factors, technical feasibility and TCO economics, that backup and IT operations managers should consider when assessing cloud backup.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Protecting against web application threats using SSL
SSL encryption can protect server‐to‐server communications, client devices, cloud resources, and other endpoints in order to help prevent the risk of data loss and losing customer trust.