The law has always recognised a distinction between listening in on the contents of a communication and merely looking at data about the conversation. It is for that reason that postal inspectors are allowed to put a "mail cover" on mail to record the outside information without a warrant.

The US wiretap law, contained in Title III of the Omnibus Crime Control and Safe Streets Act of 1968 (just called Title III for short), makes it illegal to intercept or disclose the contents of intercepted communications without an appropriate warrant, either for law enforcement purposes or under the Foreign Intelligence Surveillance Act. For international telephone calls, the government has asserted that the inherent powers of the executive branch, or the 18 September, 2001 Authorisation for the Use of Military Force against those responsible for the attacks on the World Trade Centre and the Pentagon, provide limited authority (or so they said at the time) to listen in on the contents of international communications if the President suspects (or more accurately, if some NSA employee suspects) that they are relevant to some terrorism investigation. This program was discussed previously.

Other US laws also regulate the improper disclosure of the contents of both telephone communications and electronic communications. These include the Electronic Communications Privacy Act (ECPA) and the Stored Communications Act. However, with the exception of the provisions of the SCA discussed below, these laws (like FISA and Title III) tend to focus on the contents of the communications – what was said or typed or emailed.

Wrapper information

So what if the government wants to know what telephone numbers you called, when you called them, and how long the calls lasted? The US Supreme Court, in a 1979 case called Smith v. Maryland, essentially said that the Fourth Amendment did not protect such data. You see, everybody knows, the Court reasoned, that the phone company keeps these records (unlike recording the contents of the communications). The Supreme Court noted:

"[W]e doubt that people in general entertain any actual expectation of privacy in the numbers they dial. All telephone users realise that they must 'convey' phone numbers to the telephone company, since it is through telephone company switching equipment that their calls are completed. All subscribers realise, moreover, that the phone company has facilities for making permanent records of the numbers they dial, for they see a list of their long-distance (toll) calls on their monthly bills. In fact, pen registers and similar devices are routinely used by telephone companies 'for the purposes of checking billing operations, detecting fraud, and preventing violations of law'...Electronic equipment is used not only to keep billing records of toll calls, but also 'to keep a record of all calls dialed from a telephone which is subject to a special rate structure'."

So, how could you expect this to be private? Even if YOU thought it might be private, the Supreme Court disabused you of this notion, saying that you of course can't expect anything you hand over to third parties (like the phone company) to be private. The court observed:

"When he used his phone, petitioner voluntarily conveyed numerical information to the telephone company and 'exposed' that information to its equipment in the ordinary course of business. In so doing, petitioner assumed the risk that the company would reveal to police the numbers he dialed. The switching equipment that processed those numbers is merely the modern counterpart of the operator who, in an earlier day, personally completed calls for the subscriber."

The problem with this analysis is its application to the contents of, let's say, emails or VoIP calls. You see, the contents of such communications are routinely "exposed" to the ISPs in the ordinary course of business. They are also routinely stored by the ISP – albeit for greater or shorter periods of time. While the laws noted above – mostly the ECPA and the SCA – protect against disclosure of these communications, if the rationale of the Smith case were applied, the Constitution of the United States apparently wouldn't protect even these contents.

So does this mean that the numbers you call have no legal protection at all? Not so fast. Smith just decided that the Fourth Amendment didn't protect the numbers dialed. Congress stepped in and passed the Pen-register statute, which provided that it was illegal to install a "pen register" or "trap and trace" device (a device to record numbers dialed, etc.) without first obtaining a court order after a certification by a federal or state prosecutor, or under FISA.

However, these trap and trace statutes, whether for national security under FISA or for criminal matters under the trap and trace statute, are more akin to a rifle than a shotgun. They are designed to obtain the calling records of a particular individual or small group of individuals, with a showing that the records are relevant to a particular criminal or anti-terrorism investigation. They are not designed to permit access to tens of thousands of such records (or millions) in the hope that they might later be helpful in some terrorism case. Besides, if there was a FISA warrant here, don't you think the government would have said so? It's pretty clear there was no trap and trace order, so turning over the records was illegal, right? Not so fast. I love the law.

You see, there was no "trap and trace" or "pen register" installed at the phone company. In fact, the government did not even ask the phone company to create the massive databases which indicated what telephone numbers were dialed, by whom and when. The phone company routinely does this on its own, for billing, call completion and anti-fraud purposes, and maybe even for load distribution, direct marketing, and other purposes as well. The law doesn't prohibit this. Indeed, the trap and trace law expressly states that it doesn't apply to a phone company's or ISP's actions "relating to the operation, maintenance, and testing of a wire or electronic communication service or to the protection of the rights or property of such provider, or to the protection of users of that service from abuse of service or unlawful use of service; or to record the fact that a wire or electronic communication was initiated or completed in order to protect such provider, another provider furnishing service toward the completion of the wire communication, or a user of that service, from fraudulent, unlawful or abusive use of service". Any lawyer with a subpoena can – and usually does – get copies of your phone bills. They are particularly useful to show things like adultery in divorce cases.
