Who is protecting your electronic rights?

Materials provided to the Electronic Frontier Foundation (EFF) indicate that in 2006, the FBI received access to e-mail from an entire computer network instead of the single e-mail address that was approved by a secret intelligence court as a part of a national security investigation.

From the New York Times:

F.B.I. officials blamed an “apparent miscommunication” with the unnamed Internet provider, which mistakenly turned over all the e-mail from a small e-mail domain for which it served as host. The records were ultimately destroyed, officials said.

Bureau officials noticed a “surge” in the e-mail activity they were monitoring and realized that the provider had mistakenly set its filtering equipment to trap far more data than a judge had actually authorized.

The problem has received no discussion as part of the fierce debate in Congress about whether to expand the government’s wiretapping authorities and give legal immunity to private telecommunications companies that have helped in those operations.

But an intelligence official, who spoke on condition of anonymity because surveillance operations are classified, said: “It’s inevitable that these things will happen. It’s not weekly, but it’s common.”

What set of checks and balances should be used to avoid this problem? So far, the response has been that “mistakes happen,” and the blame is often placed on “third-party error” on the part of the private company that “provided the F.B.I. [with] information we did not seek,” according to Valerie E. Caproni, the bureau’s general counsel.

On Feb. 15, President Bush scolded Congress for not extending the government’s authority to spy on foreign phone calls and e-mails that pass through the United States.

From the Associated Press:

A temporary law that makes it easier to carry out that spying expires Saturday night at midnight, and Bush and his top intelligence officials say the consequences are dire. Al-Qaida, Bush says, is "thinking about hurting the American people again," and would be helped if U.S. eavesdropping is hampered.

The Democrats are equally adamant. Bush has all the authority he needs to intercept terrorist communications, even if the law expires, House Speaker Nancy Pelosi said Thursday. The congressional majority is simply trying to balance concerns about civil liberties against the government's spy powers, and needs time to do it, she said.

A quirk in the temporary eavesdropping law adopted by Congress last August complicates the answer. The law allows the government to initiate wiretaps for up to one year against a wide range of targets. It also explicitly compels telecommunications companies to comply with the orders, and protects them from civil lawsuits that may be filed against them for doing so.

But while the wiretap orders can go on for a year from the time they started, the compliance orders and the liability protections go away when the law expires, says Director of National Intelligence Mike McConnell.

"There is no longer a way to compel the private sector to help us," he said Thursday in an Associated Press interview.

That is not exactly true. Even with the expiration of the law, the government can get an order from the secret Foreign Intelligence Surveillance Court to compel their cooperation. That court was created 30 years ago for just such a purpose.

The question is whether there are sufficient protections in place to safeguard the information gleaned and to avoid “over production” of information beyond the scope of the request.

About 40 lawsuits have been filed accusing AT&T, Verizon, and Sprint Nextel of violating Americans’ privacy rights in the surveillance program. As a result of Congress’ refusal to extend the temporary law passed in August past the Feb. 16 deadline, those companies may face additional exposure.

Given the obvious problems with inadvertent over-production by third-party providers, even when the information is legally acquired, is the extension of the “Protect America Act” the right way to go? Democrats in Congress think that the question of automatic retroactive immunity for companies that provided private data without warrants is enough to give the law a second and more considered look.

What do you think? Are you comfortable with the idea that your private information can be handed over to the government without due process? Do you think that FISA is enough to give intelligence agencies what they need? If you were voting on the issue, how would you vote?

More information:

Democrats accuse Bush of fanning terrorism fears (Reuters)

Internet provider gave hundreds of e-mails to FBI (Minnesota Star Tribune)

Electronic Frontier Foundation documents received from the FBI (PDF)

8 comments
Canuckster

The good news is that the Justice Department identified the issue and took the appropriate corrective action (or so it would appear). The bad news is the attitude of many corporate entities that privacy is none of their business. Google being an exception I suppose.

gadgetgirl

I can see how these "accidents" happen. Very easily. Although our laws and statutes differ from yours, they are, in principle, very similar. What I tend to see over here is that if a provider or ISP received a judgement or court order, they automatically panic. They seem intent on providing *more* than the actual order allows. Is this the fault of the law for not stating "... and no more than is considered covered by the request as being needed or useful"? It still amazes me that these people hand over not only email information, but PII (personal identifiable information) at the drop of a hat, without first taking legal advice themselves. Don't they understand that they have retained lawyers precisely for that situation? Sheesh .... And yes, I've seen it happen in here, too. Fortunately, in all the cases, we've been able to stop it before it got away from us. Sadly, though, we've also seen the other route - staff being told to hand over original copies of notes/ not to inform their line manager/ certain "requestors" getting heavy handed/ and a lot of external people (police, solicitors and other legals) being totally unaware of the legal process. Makes me MAD, I tell you! If they have *legitimate* justification for wanting/needing/using my details, I don't have a problem with that. (If they had that need, I probably deserved it) What I do have a problem with is my lack of confidence in the people supplying that information, and also its security when it is in the hands of another third party...... GG

seanferd

The laws are very clear about providing unrequested information. At least they were, prior to gov't ordered mass DPI and tapping.

Tig2

As usual GG, you are spot on. And in this go-round, it appears that the Democrats of Congress are the ones asking the tough questions. What got me irked about this was that we won't get 2008 data until 2010. A two year lapse, in conjunction with the fact that the information is only available because a watch-dog organization requested it under the Freedom of Information Act makes it egregious in my opinion. I think that we all understand that boo-boos happen. What I think that we are growing intolerant of is the perception of secrecy about those mistakes and the sense of Big Brother government deciding that we aren't to know. I know that this has a solution. I just am not sure what that should look like. Edit- missed a decade

gadgetgirl

miss a decade, I mean! :p :D GG Solution: educate both the requestors and providers of information to accredited parameters, preferably legal. But - who pays for that education?

Tig2

In my opinion, if they want to make sweeping laws like this, a provision for education must be an element. Unfortunately, at least in the States, lawmakers rarely consider that an element and write incomplete laws with few if any teeth. The good news is that a bad law was allowed to expire. The bad news is that a good law is not likely to be forwarded. *sigh*

Tig2

And what steps should be taken? When Congress reconvenes, they will take up the question of what the government's scope should be. So far, the place they are balking is the question of automatic immunity to service providers that supply information to the government. They feel that blanket immunity is just too broad. If you had the ability to vote on this issue, what would that vote be?

seanferd

Less immunity should be afforded those who ordered such. Mandatory prosecution for violators and their advisors, as well as the ISPs and telcos.
