EFF Asks How Big Brother Is Watching The Internet 354
MacDork writes "The EFF filed a FOIA request yesterday with the FBI and other offices of the US DOJ regarding expanded powers granted by the USA PATRIOT Act. The EFF is making the request in an attempt to find out whether or not Section 216 is being used to monitor web browsing without a warrant. The DOJ has already stated they can collect email and IP addresses, but has not been forthcoming on the subject of URL addresses. It seems the EFF is seeking any documentation to confirm such activity is taking place. One can only hope the automated FOIA search doesn't produce any false negatives or cost the EFF $372,999."
Always assume (Score:2, Informative)
Considerations (Score:5, Informative)
The story is that an individual made an FOIA request to the FBI for some specific information.
The FBI claimed that no such information was available.
The claimant found out in the meantime that such information WAS available and had been previously provided by the FBI as the result of another FOIA request, and, as such, requested a court order the FBI to provide it again.
The FBI is arguing that its search was reasonable within department regulations and guidelines, and that it cannot and should not be expected to always undercover every single possible document in response to every request. And documents being indexed electronically doesn't make it as easy as one might think: it's precisely because documents are indexed electronically that is creating the difficulty: the FBI is claiming, essentially, that it can't predict every possibly keyword it should associate with a document for search purposes, and therefore shouldn't be held accountable if it misses documents during a good-faith search.
Whether or not the FBI was intentionally hiding OKBOMB memos, etc., is another story altogether.
Additionally, the article summary is awfully pessimistic: we don't yet know how DOJ will respond to this request. Perhaps it itself hasn't determined whether or not it considers "URLs" to be subject to pen-trap regulations. Additionally, for those who didn't RTFA:
At issue is PATRIOT Section 216, which expanded the government's authority to conduct surveillance in criminal investigations using pen registers or trap and trace devices ( "pen-traps" ). Pen-traps collect information about the numbers dialed on a telephone but do not record the actual content of phone conversations. Because of this limitation, court orders authorizing pen-trap surveillance are easy to get -- instead of having to show probable cause, the government need only certify relevance to its investigation. Also, the government never has to inform people that they are or were the subjects of pen-trap surveillance.
Remember, pen-traps were already allowed before PATRIOT. At issue is what exactly PATRIOT's expansion to these provisions further allows. It clearly has been determined to allow email addresses and IP addresses. However, whose IP addresses? The suspect, or a host the suspect is visiting? It would seem clear to me that, virtual hosting aside, if the a target host's IP may be logged, and since DNS names, embodied here as "URLs" and IP are very obviously interrelated, again, virtual hosts aside, it seems this argument is somewhat of a smokescreen to force debate on whether or not pen-traps in general should be allowed.
And since they were allowed before PATRIOT, the answer seems clear: if PATRIOT's expansions to the existing statues to accommodate new communications technologies were appropriate, all that's left is determining what exactly is included. And if "IP addresses" are included, which would logically include target hosts, it would seem that DNS names used to arrive at said IP addresses are intrinsic to the nature of their usage. So disagree with pen-traps if you want, but don't rant and rave about PATRIOT, because it's not about that (though many would desperately want you to think so).
Re:80% redaction (Score:3, Informative)
Well, if they did the redaction digitally in a PDF, the information could be pretty damned useful after all [securityfocus.com], as long as you render the PDF on a sufficiently slow PC.
Not to nitpick (Score:2, Informative)
Oddly enough, EFF wants to monitor traffic (Score:3, Informative)
It's not paranoia... (Score:1, Informative)
Wanna keep a secret? Create a cheesy one-page website and offer something for sale that nobody wants for more than anyone would willingly spend - nobody will read it, and you're safe.
Seriously, anyone who believes privacy, secrecy or security exist anywhere on a network-connected computer is in for a deep disillusionment.
But, most people already knew *that*.
Re:Quibble... (Score:4, Informative)
And a single IP address can resolve to tens of thousands of hostnames/urls by using virtual hosts.
Re:Quibble... (Score:5, Informative)
1. The protocol.
2. The domain name.
3. Port numbers.
4. Page addresses.
5. Data, such as login names, page parameters, and so on.
The last item, in particular, has far greater scope than an IP address. It's much more like content; it can contain data that you provide for, say, addressing an email, or adjusting an account balance. (Just extemporising here. The actual usage varies enormously.)
So no, URLs are very different to IP numbers.
Re:It seems odd to want privacy on the 'net. (Score:4, Informative)
The Metropipe Tunneler [metropipe.net] is pretty cool. Cross platform client software to encrypt all of your Internet traffic out to a server that keeps no logs. Kind of steep at $99 a year
Also cool is the free Metropipe VPM [metropipe.net] which is a complete linux system that fits on a USB drive, and somehow includes their tunneling service for free...
Re:Quibble... (Score:3, Informative)
Let's not forget dynamic DNS entries. One website, many IPs.
Are the waters muddy enough yet?
Re:Which is more important? (Score:3, Informative)
link [nytimes.com], second source [missouri.edu]
From the NYT article:
Federal authorities made a total of 1,727 applications last year before the Foreign Intelligence Surveillance Court, the secret panel that oversees the country's most delicate terrorism and espionage investigations, according to the new data.
The total represents an increase of about 500 warrant applications over 2002 and a doubling of the applications since 2001, the Justice Department said in its report, which was submitted to the federal courts and to Vice President Dick Cheney as required by law.
All but three of applications for electronic surveillance and physical searches of suspects were approved in whole or part by the court....
The F.B.I. told the commission that "there is now less hesitancy" in seeking the intelligence warrants, the report said. Nonetheless, it added, "requests for such approvals are overwhelming the ability of the system to process them and to conduct the surveillance."
I don't remember exactly what the number of warrants requested were before sept 11th, but I know it was very few. 1,727 is a lot of warrants - more than the number killed in Iraq. To put that in perspective, if you know of somebody killed in Iraq, you are more likely to know somebody whom the FBI is watching.
Re:Doesn't Matter (Score:5, Informative)
Man, that's HARDLY putting it into perspective.
Death Stats [the-eggman.com]
An American is about FIFTEEN TIMES more likely to die of renal failure than terrorism. TEN TIMES more likely to be killed by a gun than die of terrorism. About four times more likely to die from falling (ahem, presumably this doesn't count falling off the WTC). An American is statistically more likely to drownd than die of terrorism, and yes that includes people living in the desert.
If you're going to put it into perspective, use some hard evidence. ;)
Re:Set up a "Honey pot"? (Score:3, Informative)
'False Negative' seems more than likely (Score:3, Informative)
Re:Creepy stuff (Score:2, Informative)
Have you read the Patriot Act ? Actually,the Patriot Act specificly says that you DO need a warrant to view content. In the realm of online security, the Patriot Act does not give the government any new powers. If anything, it further RESTRICTED their powers.
What it did was extend the differences between envelope/routeing information (IE, a phone number log, aka "Pen register" and content (IE, a wiretap, which you need a warrant for) to the Internet. Previously while the government was essentially useing these guidelines, they were not codeified in any way.
They started getting pen register orders because it's what they knew how to do. Most judges signed off on them anyway, but at least one did not, reading the pen register law narrowly as applying to phones only. But if you read it that way, then the government doesn't need ANYTHING to get that type of information. So in this case, the Patriot Act's "pen register" provision put into law what the government has to do to get this information.
Re:Be alert (Score:3, Informative)
Support Tor (Score:2, Informative)
Tor: An anonymous Internet communication system [eff.org]
-silence