Internet Surveillance (e.g. AT&T’s NSA Rooms)

The issues concerning internet surveillance

Most of us are aware of government surveillance as it pertains to wiretapping to listen in on phone conversations. This type of government surveillance has had many laws developed around it and how and when it may be done. With the growth of internet traffic, similar surveillance has appeared in the realms of email, voice over IP (VOIP), and general internet traffic. The same problems that occurred years ago for the telephone communications networks have been approached for internet communications.

The first issue that surrounds internet surveillance is how to make it possible. In order to conform to Communications Assistance for Law Enforcement Act (CALEA), phone networks had to be designed so that wiretapping was an easy thing to do if an appropriate government organization requested it. However, much internet traffic is optical instead of electrical. When electricity travels through a wire, it emits a small magnetic field. Something very close to the wire could intercept the electrical communication without affected it. Optical communication doesn't "leak" any of the light, so the communication has to be disturbed in order to intercept it. This is usually done with a splitter which diverts a percentage of the light down another path.

The second issue is authority. Mainly, who decides whether and how much internet surveillance can take place. Should there be a different authority or amount of evidence in order to intercept foreign communications as opposed to domestic? Does the person whose information is being gathered have to be notified? Does the court have to issue a warrant for a government agency to investigate internet traffic? If so, how much information can be gathered without a warrant?

Links

• Basics of internet surveillance
• Conforming to CALEA

Ethical issues with CALEA

Making it possible to intercept internet communications has several privacy issues surrounding it. A large amount of information passing through the internet is encrypted making it difficult to intercept. "Wiretapping" optical lines involves splitting which degrades the signal strength unlike typical phone line wiretapping. Because the information is essentially anonymous once it leaves the local network and enters the world wide web, is it even possible to filter out a single person's communication? If there is a backdoor for government internet surveillance capabilities, how can the typical American be assured that this backdoor is only used by the government?

Encryption

Especially when talking about VOIP, much communication is encrypted. Even the networks serving such content cannot decrypt the content without the decryption key. The United States government has requested a backdoor to such communication in the past, but it could not be provided by the VOIP networks that supported such encryption. If these networks can allow for criminal communication without a method for the government to intercept the communication, should they be allowed to exist? Or should citizens be allowed to have a form of communication that they can be reasonably assured is completely private?

Splitting optical communication

With electrical communications, government organizations could easily start intercepting information without affecting that communication in any way. This can not be done with optical communications. Therefore, in order to allow surveillance effectively, the intercepting of information must have already been started before it was requested. This means that average citizens of the United States will have the information intercepted (even if not recorded) regardless of whether the citizen is under suspicion. Shouldn't unsuspected people be allowed privacy of their communications?

Difficulty of filtering

Most legal surveillance depends upon the governments right to intercept communication from or to a particular person or organization. However, in many circumstances, this is impossible without intercepting a large amount of communication between other people. Since this information is intercepted, a government agent could stumble upon private communications. The only method preventing this accidental invasion of privacy is programs that attempt to filter out only certain types of data. Since it cannot be proven that such filters will actually prevent invasion of privacy, should the government be allowed to intercept communications when they can't intercept only the suspected persons' data? What if the program could filter out all unsuspected individuals? Would it not still be an invasion of privacy for those communications to be intercepted and stored even if they are later filtered out?

Backdoor security

Having a backdoor for internet surveillance must be extremely secure. If a government agency can use the backdoor to intercept communications when given the appropriate authority, how can we be sure that such a backdoor can't be used without appropriate authority? Especially when dealing with the NSA, citizens fear that given an inch, they will take a mile. Allowing the backdoor to exist gives them the opportunity to use it at their own discretion no matter what the legal authority says. Just as well, building a backdoor into a system that doesn't intrinsically have such a backdoor lowers the security of the entire system. It may be possible for criminals to use the backdoor created in order to combat them for their own cybercrime.

Links

• Recent bill passed against NSA surveillance
• Conforming to CALEA
• Full information on AT&T secret rooms

Ethical issues with the limits of internet surveillance

Internet surveillance is a very touchy issue for many people. There is a wide range of thought and laws regarding the limits to which such surveillance can go. Especially recently and due to the Patriot Act, their is an increasing difference between how much surveillance can be done on foreign communications versus domestic communications. There is a question, especially due to the NSA's recent actions to make it easier for them to intercept data, about how much data can be acquired before a warrant or other such authority is given. Along with how much data, is what type of data. Can government agencies freely collect information about where you send emails as long as they don't collect the content?

Foreign and domestic communications

There is a general idea that foreign communications should be closely monitored in order to prevent terrorism. However, most Americans also value their personal privacy and think that unsuspected citizens shouldn't have their everyday communications recorded and scrutinized by government officials. Therefore, there exists the Foreign Intelligence Surveillance Act (FISA) which allows a great deal of intelligence gathering for foreign communications that are not allowed for domestic law enforcement. In recent times, many citizens believe that the NSA is gathered information on internet traffic that is unrelated to international matters. Another interesting international surveillance issue deals with the Council of Europe Cybercrime Convention. This would have allowed foreign governments to request the NSA to intercept Americans. Should foreign governments be allowed to intercept internet data of Americans? Should domestic government agencies be allowed to investigate crimes through internet communications? Should the United States have different policies regarding international communications and domestic communications?

Requiring a warrant

Naturally, requiring a warrant to intercept internet communication is desired by most Americans. However, much surveillance or alledged surveillance has occurred specifically by the NSA without such a warrant being given. Some people have pursued a lawsuit against the NSA for such information gathering. However, the lawsuit was thrown out because the people could not show that the NSA's gathering of information damaged them in any way regardless to whether the NSA had gathered the data. The EFF also sued AT&T for allowing the NSA to illegally gather data through the use of secret rooms. Should a warrant be required for putting the technology in place for surveillance? Or should a warrant simply be required for using such surveillance technology? If the NSA is brought to court for gathering data, shouldn't the proof needed to find the NSA guilty simply be the gathering of data without warrant rather than whether the data gathered caused any harm to the individual?

What types of data can be collected?

During police investigations, what types of information can be gathered about an individual's internet communication before a warrant is issued? This is an especially important question because the data that can be collected without getting a warrant is the data that can be used as evidence to request a warrant. The typical idea is that meta-data about the communications can be collected whereas the content of the communication can not. This meta-data typically consists of who sent the communication, to whom the communication was sent, the time and date of the communication, and (where applicable) the length of communication. This is all information that can be gathered about email and VOIP communication without the ability to intercept the actual content of the message. Are these types of data invasion of privacy? Should such data require a warrant as well? Should such data require at least suspicion of one of communicators in a currently investigated crime?

Links

• ACLU against 'wiretapping' of VOIP
• Allowing email surveillance without warrant
• International law enforcement agreements
• Whistle-blowing about NSA rooms
• Full information on AT&T secret rooms
• Recent dismissal of case against NSA
• Recent bill passed against NSA surveillance
• EFF sues AT&T for helping NSA

Prompt

During the mid 1990s, one would consider himself/herself lucky to find what one was looking for though an internet search. As internet usage has grown, better search technologies has emerged displacing many human created directory-based search engines with ones providing a vast array of dynamically-created and helpful results. Technologies such as Google Alerts allows the tracking of yourself and others content on the internet based on keyword identifiers. Voluntary technologies such as blogs, online photo albums, and social networking have added a wealth of information available about us online.

AT&T has come under scrutiny by members of the public for allegedly constructing “NSA rooms” containing equipment that has the capability to monitor large amounts of internet traffic and are only accessible special US Government-affiliated staff members.

Examine a variety of ethical concerns related to tracking of both voluntarily and non-voluntarily provided information on the internet by members of the public, employers, government, and schools. Cite relevant laws, policies, and/or actions taken that are related to these concerns.

Public and Government Surveillance

With the convenience of electronic communication via the Internet, it has become very apparent more and more services are moved over to the Internet. For instance, it is fairly common to pay one's bills online instead of waiting for the bill and mailing a check. The ethical issues of Internet surveillance, as with most technologies, is determined by how it is used and by whom.

When discussing the issues of Internet surveillance, there are times when the boundaries between public and government are indistinguishable. For instance, how does one determine the ethical "rightness/wrongness" when the issue in question is pertinent to both sides? Some of these issues are addressed at SourceWatch (a subset of the Center for Media and Democracy). Three such cross boundary issues are the Echelon Project, Carnivore System, and DPI.

Echelon

The Echelon Project first became prominent during the 1990's as the "freaking" and other underground communities became aware of such surveillance systems. It was speculated that the Echelon system was essentially an array of supercomputers designed to sniff out and analyze all forms of electronic communications with primary interest in telephone systems. The belief was partly fueled by huge increases in government spending on buying supercomputers during the 1990s. Due to the conflict with civilian rights, some believe the U.S. government was able to bypass the law by moving the monitoring offshore (thus no longer under U.S. privacy laws). It should be noted that the U.S. is believed to be one of the contributers to the system. The main Echelon installation is believed to reside in Australia.

One of the issues is not the technology itself but how it is used. From the standpoint of national security, it could be argued that it may intrude on some "rights," but the benefits outweigh the costs and infringments on personal liberties. From the individual point of view, it could be argued that it is in fact an invasion, and with that invasion, the information obtained may be used with malice.

Some useful links:

• Echelon - SourceWatch
• Wiki of Echelon
• 60minute transcript 60-Minutes Transcript discussing Echelon
• Google Search for Echelon

Carnivore

The Carnivore system (aka DCS1000) also became prominent during the 1990's when the FBI and other government agencies began to install the devices at major ISP locations. Carnivore is another analysis tool that allowed the system to sniff out and analyze network traffic. The commotion became apparent at the time primarily because of the scope of the abilities of the device in question. At the time, there were available network sniffers and analysis tools that served the same functions as Carnivore, but not at the same scale. Additionally, at the time most emails were sent over the network in plaintext.

The primary issue here is again the same as Echelon; the technology by itself has no ethical value, it is the use of it. The same argument was used for or against Carnivore.

Some useful links:

• Carnivore - SourceWatch
• The actual program itself.
• Google Search for Carnivore
• Google Search for DCS1000

DPI

DPI (Deep Packet Inspection) is essentially an examination of the IP packets as it traversed the OSI layers. DPI spawned from the same technology as SPI (Stateful Packet Inspection), first made prominent by Check Point Software's Firewall-1. Again, the technology of DPI is not something new. With the speed of computers increasing at such a rapid pace, it has allowed DPI to dig down from Layer 7 to Layer 2 and reconstruct whole transmissions; compared to the static packet inspection, which primarily inspected the packet headers. Network tools and analysis have had these types of capabilities for many years. The only difference now is how deep the inspection is going and scale of the inspection. What makes DPI implementations dangerous is the fact that current technology allows these inspections to be done in real time on hundreds of thousands of simultaneous connections. What makes the potential for abuse even more dangerous is that it applies to all network traffic, everything from application specific to services such as VOIP. Along with the potential abuse of civil rights, the issue of Net Neutrality comes into play.

Resources

Relevant External Links:

• EFF suing AT&T for helping NSA

Relevant Class Website Links:

• http://ethics.csc.ncsu.edu/privacy/web/
• http://ethics.csc.ncsu.edu/privacy/mining/
• http://ethics.csc.ncsu.edu/privacy/surveillance/
• http://ethics.csc.ncsu.edu/privacy/financial/