This 2009 report, which was recently obtained via a Freedom of Information Act request by blogger Christopher Soghoian (which apparently took the DOJ 11 months to get the two-page report to him), highlights the fact that law enforcement agencies within the Department of Justice "sought and obtained communications content for 91 accounts." This number is worthy of note because if denotes a significant increase over previous years: 17 accounts in 2008 (pdf), 9 accounts in 2007 (pdf), and 17 accounts in 2006 (pdf). For those not in the know the agencies that fall under DOJ jurisdiction are:
- United States Marshals Service (USMS)
- Federal Bureau of Investigation (FBI)
- Federal Bureau of Prisons (BOP)
- Bureau of Alcohol, Tobacco, Firearms and Explosives (ATF)
- Drug Enforcement Administration (DEA)
- Office of the Inspector General (OIG)
If You are just tuning in to this, you're going to need a bit of background:
Back when Congress passed the Electronic Communications Privacy Act (link details some history)in 1986, it granted law enforcement agencies the power to obtain stored communications and customer records in emergencies without the need for a court order.
According to DOJ interpretation of this law, in "certain scenarios" (an ambiguously worded phrase), a carrier may (but is not required to) disclose requested information if it:
“in good faith, believes that an emergency involving danger of death or serious physical injury to any person requires disclosure without delay of communications relating to the emergency.”"OK, what's the big deal with that?" you might be saying. Well, "belief" translates to a law enforcement official just stating that he/she an emergency exists is grounds for surveillance. It is similar to how Public Intoxication arrests work here in Texas. A police office doesn't have to prove you are drunk in order to arrest you for P.I., they merely have to "believe" that you are drunk or under the influence. Essentially the use of PI arrests in Texas have been used as a means of getting troublesome people off of the street, and by "troublesome" I mean the citizen who has the gall to ask for an officers name and badge number.
So let's couple the discussion above and add to this equation the passage of the USA PATRIOT Act of 2005. If you'll recall, Congress initiated and instituted "specific statistical reporting requirements for the voluntary disclosure of the contents of subscriber communications in emergency situations." Senator Lungren, whilst describing his angle for introducing the requirement, stated that:
“I felt that some accountability is necessary to ensure that this authority is not being abused… This information [contained in the reports] I believe should be highly beneficial to the Committee, fulfilling our oversight responsibility in the future … this is the best way for us to have a ready manner of looking at this particular section. In the hearings that we had, I found no basis for claiming that there has been abuse of this section. I don’t believe on its face it is an abusive section. But I do believe that it could be subject to abuse in the future and, therefore, this allows us as Members of Congress to have an ability to track this on a regular basis.”So the senator references the reports given above. A cursory read of those reports will show you how and, more importantly why, they are seriously flawed.
This is how it works: The Attorney General compiles and submits the emergency request reports. These reports -and this is key- only apply to disclosures made to law enforcement agencies within the Department of Justice. Because of this, there are "no statistics [emphasis added] for emergency disclosures made to other federal law enforcement agencies, such as the Secret Service, as well as those made to state and local law enforcement agencies."
Compounding this even further, although 18 USC 2702 permits "both the disclosure of the content of communications, as well as non-content records associated with subscribers and their communications [such as geo-location data]," Congress only required that statistics be compiled for the disclosure of communications content. Why would congress limit the reports this way? Plausible denial, maybe?
So here's the rub about the reports and why, specifically, they are faulty. It is precisely because the requirements on reporting, requirements laid out by Congress, do not apply to disclosures made to law enforcement agencies outside the Department of Justice, that they do not include the disclosure of non-content communications data and other subscriber records, that the reports shortchange oversight in that they show a very limited portion of the scale and frequency of voluntary disclosures to law enforcement agencies. In other words the reports are a fog job...
Moreover, Congress at least superficially intended for these reports to shore-up public oversight of the emergency disclosure authority. I say superficially for two reasons. 1) Because of the fog job displayed above, and 2) Because the DoJ has virtually no initiative in making these reports available to the general public. According to Christopher Soghoian, the reports for 2006 and 2007 were leaked to him by "a friend with contacts on the Hill" and that he obtained the 2008 and 2009 reports via FOIA requests. In true stonewalling, bureaucratic style , it took DOJ full 11 months to get him a copy of the 2-page report for 2009.
To hammer this home for you all, consider this:
The reports and their accompanying failures only scratch the surface. This is a letter submitted by communications leviathan Verizon to Congressional committees in 2007. In this letter Verizon revealed that the company had received a full 25,000 emergency requests during the previous year. How many actually came from the feds? According to the letter out of 25,000 emergency requests, a mere 300 requests were from federal law enforcement agencies. Compare that to the reports submitted to Congress by the Attorney General where they reveal less than 20 disclosures for that year. This is a classic shell game!Verizon is one of the only telcoms to submit a report to congress with such high numbers. Indeed, no other service provider has disclosed similar numbers regarding emergency disclosures, at least not out in the open. However, it is clear that the Department of Justice statistics are not accurately reporting the scale of this form of surveillance. Indeed, there seems to be a concerted effort to underreport these disclosures by several orders of magnitude.
The fog job even covers state and local law enforcement agencies, who submit tens of thousands of warrantless requests to ISPs every year. If that doesn't show how the useless nature of the current reporting law, I don't know what else would. Moreover, this law doesn't apply to federal law enforcement agencies outside DOJ, such as the Secret Service. And finally, there is no accountability, provided by the law, regarding emergency disclosures of non-content information, such as geo-location data, subscriber information (such as name and address), or IP addresses used.
As a result, Congress currently has no idea how many warrantless requests are made to ISPs each year, they are able to keep up the appearance of oversight, and, if the shit house come down on them, they have plausible deniability foisting the blame on the DoJ. The DoJ can then employ it's favorite tactic of claiming 'State's secrets' thereby preventing any case from every seeing the light of day in a court of law
No comments:
Post a Comment