Sophos Cloud Optix
Crime-fighting authorities in the United States can snoop upon your email activity, who you are instant messaging, and what you are up to on Facebook, Google Plus and other social networks in real-time, not only without your permission – but without even requiring a warrant.
And, according to the American Civil Liberties Union (ACLU), this real-time access by federal investigators to your online activity is on the rise.
Documents released by the ACLU on Thursday show that law enforcement agencies in the United States have greatly increased surveillance of Americans’ electronic communications, and often the surveillance happens without a warrant or judicial oversight.
The documents were released by the U.S. Department of Justice in response to a February 2012 Freedom of Information Act (FOIA) request (PDF) by the ACLU.
They show a sharp rise in the use of two types of surveillance in the last five years: “trap and trace” and “pen register”.
Orders for pen registers and trap and trace devices used to spy on phones increased by 60% between 2009 and 2011, from 23,535 to 37,616. The number of individuals whose communications were the subject of surveillance more than tripled in the same period, from approximately 15,000 to 45,000, ACLU said.
Requests to eavesdrop on electronic communications such as email and network data jumped during the same period, also. Trap and Trace requests for electronic data, for example, increased from just over 100 in 2009 to 800 in 2011, the ACLU found.
Pen registers capture outgoing data from a subject over telecommunications lines. Trap and trace surveillance tools capture incoming data.
Historically, the tools were physical devices attached to telephone lines in order to covertly record the incoming and outgoing numbers dialed. Today, no special equipment is required to record this information, as interception capabilities are built into the call-routing hardware of telecoms firms.
According to the ACLU, the surveillance requests do not require a warrant, because American courts consider the data in question – phone numbers, the “to” and “from” addresses in an email, records about IM conversations, etc – to be “non-content” information, which is not covered by the Constitution’s 4th Amendment protection against unlawful search and seizure.
To initiate pen register or trap and trace surveillance under the act, therefore, law enforcement can simply request approval from a judge by saying that the information they are likely to obtain is “relevant to an ongoing criminal investigation”.
Judges don’t get to weigh the merits of that claim.
The ACLU took the United States Department of Justice (DOJ) to court in May to force the government to release the data about its electronic surveillance activities. The ACLU said that the DOJ is required to release the surveillance statistics to Congress each year, but rarely does so.
Past FOIA requests by the ACLU also document the sharp increase in surveillance requests. A 2010 request covering 2006 to 2009 showed that original requests for pen register and trap and trace doubled in that period, as well, from 11,000 to 24,000.
Together with the data released this week, the evidence suggests that law enforcement surveillance requests have more than tripled between 2006 and 2012.
The ACLU said that legislation is needed to toughen the requirement for the government to regularly update the public about its surveillance activities.
The civil liberties group also said that courts should reconsider the 1979 ruling (Smith v. Maryland) that set a lower standard for pen register and trap and trace monitoring than for traditional wire taps.
ACLU wrote:
The distinction from which these starkly different legal requirements arise is based on an erroneous factual premise, specifically that individuals’ lack a privacy interest in non-content information... Non-content information can still be extremely invasive, revealing who you communicate with in real time and painting a vivid picture of the private details of your life... The low legal standard currently applied to pen register and trap and trace devices allows the government to use these powerful surveillance tools with very little oversight in place to safeguard Americans’ privacy.
You can view the Pen Register and Trap and Trace documents online here.
Private investigator and man with magnifying glass images courtesy of Shutterstock.
Why anyone would trust communications via the internet or any other form of digital transmission is beyond me. It's no secret that interception of traffic has been going on for a long time. It should be common sense, that if you have something to say that is for certain ears only, to say it off the grid.
I knew I should have long ago, but I'm sure I'm not keeping this iPhone anymore. We're all blinded by this 'gotta have it now' mentality and being 'oohed and ahhed' by these devices. If you try, it's not hard to not have everything right that very second. I have no social accounts.
This article makes it sound as though as law enforcement officers across the US are engaging in this sort of activity on a daily basis. What this article lacks is the context within which these trap & trace and pen registers are being authorized. This activity is authorized without a supporting probable cause affidavit at the federal level. At the state and local level, the rules and requirements vary from state to state. In Pennsylvania, an affidavit of probable cause is required to be included with the application for a trap & trace or pen register authorization.
It has long been an incomprehensible fact of life that the overwhelming majority of people are not even aware of secure (encrypted) communication, much less actually use it.
And it's not just private individuals who are completely blind to the importance of securing their communications. I know of only one company — JUST ONE — that can accommodate a customer's request to communicate with them via encrypted email. The rest of them don't even know what I'm talking about when I request that they send me a message signed with an X.509 certificate so I can securely send them the sensitive information they've requested. It’s always the same response: "Huh…?"
Translation: "Duh…"
The classic mindless argument against encrypted email, of course, is that, "Only people who are doing something wrong would want to hide it behind encryption", an assertion so breathtakingly idiotic that one wonders what its proponents use for sense.
Any credible email client provides encryption capability. It’s easy to find X.509 certs that are free of charge for personal use. Every message I send is signed with one. In my view, communicants who use that capability are more a part of the solution than a part of the problem.