Followers

Monday, September 22, 2008

Analysis: new spying lawsuit asks "can computers eavesdrop?"

By Julian Sanchez

A second front



The Electronic Frontier Foundation Thursday opened what attorney Kevin Bankston called the "second front in our battle to stop the NSA's illegal surveillance of millions of ordinary Americans," with a lawsuit targeting top administration officials who approved or implemented the National Security Agency's program of warrantless surveillance. At the heart of the suit is a surprising and complex question that legal experts say remains radically unsettled: Can a computer eavesdrop?

The first front in this fight is EFF's ongoing lawsuit against telecom firms believed to have participated in the NSA program, which the group once thought would be the quickest way to get at the underlying question of whether the NSA program was itself lawful. But that litigation spurred Congress to pass the FISA Amendments Act this summer, granting retroactive immunity to the defendant companies, provided the Attorney General certifies that they received assurances from the government that the surveillance was lawful. While EFF believes the immunity provision to be unconstitutional, Bankston acknowledged in a press teleconference this afternoon that "litigating that question is going to slow us down." They've therefore decided to cut out the middleman and target the government directly.

The new suit, Jewel v. NSA, seeks both injunctive relief—the cessation of the program and the destruction of records obtained through it—and civil damages from the officials most responsible for the program. EFF's complaint alleges that the program violates the Constitution, the Foreign Intelligence Surveillance Act, the Wiretap Act, and the Stored Communications Act. Bankston believes the new suit is likely to be shunted to the docket of California judge Vaughn Walker, who has heard both the consolidated telecom lawsuits and a number of other cases implicating the NSA program.


President Bush is a named defendant

In addition to government agencies—the Department of Justice and National Security Agency—the lawsuit names a number of administration officials as defendants, in both their official capacities and as private individuals: President Bush, Vice President Dick Cheney, Cheney's chief of staff David Addington, as well as the the attorneys general, NSA directors, directors of national intelligence, and an indeterminate number of unknown "John Does" who played some role in authorizing and implementing the warrantless wiretapping. Bankston said that EFF is asking for civil damages from all of these officials—with the exception of the president, who enjoys immunity from civil liability for actions in office—in order to secure "personal accountability from the architects of the program, and to provide a strong incentive against future lawbreaking by these or other government officials."

The plaintiffs are the same as those in the telecom case, Hepting v. AT&T, with one more added for good measure. All are ordinary citizens of a "nationwide class of customers of all AT&T residential phone and internet service providers," and their standing to bring suit relies not on any contention that they were specific targets of NSA surveillance, but on the claim that the government was indiscriminately vacuuming up vast quantities of data, to be filtered by the government according to algorithms known only to them.

This claim rests in large part on evidence provided by AT&T whistleblower Mark Klein, who has provided documentation attesting to the existence of a secret room in AT&T's Folsom Street facility in San Francisco, where fiber optic cables were diverted through a sophisticated Narus traffic analysis machine. As EFF attorney Cindy Cohn notes, this is a hub facility through which both purely domestic and international traffic are routed, whereas a program targeting exclusively international or domestic-to-foreign communications should be situated at the point where "the wire hits the beach." The Folsom Street room is believed to be only one of many similar interception stations. According to a March report in the Wall Street Journal, "current and former intelligence officials confirmed a domestic network of hubs, but didn't know the number."

This is where things get murky.

The case EFF plans to make—and, indeed, their plaintiffs' standing to bring suit—rests on the premise that the wholesale diversion of domestic communications to the government's filtering device in itself constitutes a search or seizure beyond the bounds of both the Fourth Amendment and federal wiretap statutes—including the new FISA Amendments Act, which gave the Attorney General broad discretion to authorize the collection of communications, including domestic-to-international communications, provided the "target" of the investigation is a foreign person or group.

But the government has never accepted that premise. During the 2000 controversy over the FBI's use of (now superseded) packet-sniffing software dubbed "Carnivore," officials argued that the ephemeral copying of data into memory for the purpose of filtering out targeted material did not itself impinge upon privacy interests. Sifting that took place "inside the box" did not amount to a Fourth Amendment "search" until data was actually recorded in a human-readable form.

Judge Richard Posner applied this argument to still more intrusive data mining practices in a much-discussed 2006 article in The New Republic. "A computer search does not invade privacy or violate FISA, because a computer program is not a sentient being," wrote Posner. "But, if the program picked out a conversation that seemed likely to have intelligence value and an intelligence officer wanted to scrutinize it, he would come up against FISA's limitations."

Filtering and search


So when does computer filtering of traffic become a search? To answer that question, Ars turned to one of the foremost experts on national security surveillance law: David Kris, formerly the top foreign intel surveillance lawyer at the Department of Justice, and author of the definitive legal text on the subject.

"There isn't much in the way of case law on this," Kris acknowledged right off the bat. There is, as EFF's Bankston is quick to point out, a fair amount of precedent at the statutory level supporting the contention that—as one of the cases cited in EFF's reply brief to Verizon in the telecom suit puts it—"it is the act of diverting, and not the act of listening, that constitutes an 'interception.'" But the Department of Justice's own internal guidelines have always maintained that a communication is "collected" or "acquired" at the moment it is fixed in a human-readable format—a definition that would exclude the ephemeral copies of data made by NSA's filtering devices, unless they were ultimately flagged and recorded.


David Kris

It is helpful, Kris suggests, to consider two contrasting "easy cases" before wading into the thornier space between them. Suppose, he says, that the NSA takes a snapshot of the whole Internet to search and filter at its leisure—every Web page, every e-mail, every phone conversation. That, argues Kris, would clearly violate the Fourth Amendment, a range of wiretap statutes, and the government's own internal guidelines.

An equally easy call, Kris believes, is the judgment that something like Carnivore, which "may or may not resemble the splitter at Folsom Street, is not a seizure." Carnivore, crucially, was concerned with scanning the traffic stream for header data—the e-mail address of a specific target that the government had probable cause to believe was up to no good. Since the courts have traditionally made a strong distinction between "content" (that is, the "meaning or purport" of a communication) and "non-content" (encompassing information about the communication, such as the two phone numbers connected by a given call), the government should be considered to have "searched" or "seized" only what is copied into some more permanent storage medium, not everything that is filtered "inside the box."

"If EFF wants to say that a packet sniffer 'seizes' or 'acquires' every packet that it sniffs," argues Kris, "that's just not going to fly; nobody's going to believe that, and it just makes life too difficult for everybody. Not that the argument is crazy; I just think it's wrong and that it will not prevail. If all they were doing was splitting a fiber optic pipe, mirroring it, running it through some kind of packet sniffing or filtering device, and then keeping permanently whatever hit the filter, I think they 'seized' or 'acquired' only what met the filters or was copied permanently, not the entire thing."

But Kris thinks the situation changes if, as many have speculated, the NSA is capable of filtering the content of a communication in order to select a target. "It's not normally the case that you could justify a search according to what you find in the search," he said. "There is something I think the judges will find very problematic about justifying a search by what the filters produce, taking the 'dog sniff' principle [that a drug dog's sniff is not a 'search' because it only reveals contraband] to the point where you can literally review, albeit instantaneously, every communication everywhere with no justification."

Does that mean content filtering is ruled out altogether as an investigative technique? Kris thinks the agencies might have a "decent chance of pulling that off constitutionally if a judge approved the search terms." But he also doubts that, under the FISA Amendments Act, "targeting procedures are going to be that granular; they'd have to be going back to the court way too often, and they want speed and agility."

When the Bush administration finally consented to submit its surveillance program to the supervision of the FISA court, it cited recent legal developments that would allow it to craft innovative orders providing just that kind of speed and agility. Some observers, such as George Washington University law professor Orin Kerr, have speculated that the development in question was the Supreme Court ruling in United States v. Grubbs, which gave the Court's imprimatur to "anticipatory warrants"—in other words, warrants sketching out abstract conditions that, if satisfied, would constitute probable cause for a search.

That would dovetail with the pointed omission in the FISA Amendments Act of language requiring that surveillance orders describe a "specific" target—meaning some particular individual implicated in terrorism, whether or not his name is known, as opposed to a series of general traits or properties that would constitute grounds for considering anyone a terrorist suspect. All this suggests an attempt to shift toward a surveillance regime in which huge quantities of data are "filtered" but only those that trip the computer's alarm bells are "acquired."

Bankston, however, argues that the colloquial definition of "acquisition" must prevail. Under a theory that denies a "search" has taken place until a call or e-mail is recorded for human review, Bankston told Ars, the communication's "availability for scrutiny is hinged solely on how the government chooses to configure the device. The government has acquired that communication. There's nothing in the law indicating that how they handle the communication after they've acquired it makes any difference for whether they've violated the Fourth Amendment or the surveillance statutes." Less important than whether the government is able to inspect your message in any particular instance, he says, is that "they've acquired it in such a way that you've lost your control over how to dispose of that communication."

In support of his argument, Bankston invokes a Harvard Law Review article by Paul Ohm on the "right to delete." A target whose data is copied, writes Ohm, "is dispossessed of one of the bundle of rights in his property, and to deny that this is a seizure stretches the plain meaning of the word." The subtle but salient point here is that the moment of copying is the moment at which the individual loses control of his data to the government, and must rely on their scrupulousness to prevent the misuse of that information.

Judge Walker, who is likely to hear the new suit, appears to be sympathetic to this view. He has already ruled that "the alleged dragnet" in the telecom litigation "here encompasses the communications of 'all or substantially all of the communications transmitted through [AT&T’s] key domestic telecommunications facilities,'" and therefore "it cannot reasonably be said that the program as alleged is limited to tracking foreign powers." As a result Walker concluded, participation in the NSA wiretap program violated established constitutional rights, such that "AT&T cannot seriously contend that a reasonable entity in its position could have believed that the alleged domestic dragnet was legal."

Still, many questions remain, and many of them would appear to turn on sensitive operational details of the NSA program—details the government is sure to claim are protected by the state secrets privilege. Where, for example, does the line between "content" and "non-content" lie? What if a computer filter is able to detect, at some level of reliability, the voice of a particular suspected terrorist? What if it is able to detect the signature elements of a particular national accent, then combine that with other suggestive data? Are these and other features of a person's verbal or prose style elements of the communication, or merely facts about it?

While the experts Ars spoke with differed on what they felt was the most reasonable answer to these questions, all conceded that there are, at any rate, no well-established answers. That means EFF's lawsuit is wading into a realm where the NSA program has long resided: the unknown.

Original here

No comments: