Online communications poses law enforcement hurdles
WASHINGTON — Federal law enforcement and intelligence authorities say they are increasingly struggling to conduct court-ordered wiretaps on suspects because of a surge in chat services, instant-messaging and other online communications that lack the technical means to be intercepted.
A “large percentage” of wiretap orders to pick up the communications of suspected spies and foreign agents are not being fulfilled, FBI officials said. Law enforcement agents are citing the same challenge in criminal cases; agents, they say, often decline to even seek orders when they know firms lack the means to tap into a suspect’s communications in real time.
“It’s a significant problem, and it’s continuing to get worse,” Amy Hess, executive assistant director of the FBI’s Science and Technology Branch, said in a recent interview.
One former U.S. official said that each year “hundreds” of individualized wiretap orders for foreign intelligence are not being fully executed because of a growing gap between the government’s legal authority and its practical ability to capture communications — or what bureau officials have called “going dark.”
Officials have expressed alarm for several years about the expansion of online communication services that — unlike traditional landlines and cellphone communications — lack intercept capabilities because they are not required by law to build them in.
But the proliferation of these services and a greater wariness — if not hostility — toward government agencies in the wake of revelations about broad National Security Agency (NSA) surveillance have become a double-whammy for law enforcement and intelligence agencies, according to FBI officials and others.
Today, at least 4,000 companies in the United States provide some form of communication service, and a “significant portion” are not required by law to make sure their platforms are wiretap-ready, Hess said. Among the types of services that were unthinkable not long ago are photo-sharing services, which say they allow users to send photos that are automatically deleted, and peer-to-peer Internet phone calls, for which there are no practical means for interception.
Meantime, the disclosures by former NSA contractor Edward Snowden have fostered a widespread view that the government is excessively sweeping up all manner of Americans’ communications. Founded or not, that impression, FBI officials argue, has unfairly extended to the investigations of law enforcement and intelligence agencies that obtain individual warrants to intercept the calls, chats and instant messages of criminals and spies.
Industry officials, security experts and others counter that the government already has many tools available to get the information it needs, that officials brought the predicament on themselves by failing to protect the secrecy around surveillance programs, and that forcing companies to build wiretap solutions will make systems more insecure.
“I do think that more and more they’ll see less and less,” said Albert Gidari, a partner at Perkins Coie law firm who represents tech firms, referring to the government’s quandary. “But it’s their own fault,” he added. “No one now believes they were ever going dark. It’s just that they had the lights off so you couldn’t see what they were collecting.”
Last year, the Obama administration readied legislation aimed at enhancing the government’s ability to enforce court-issued wiretap orders. But the fallout from the Snowden revelations derailed the effort.
“Politically, it’s plutonium now for a member of Congress in this environment to be supporting something that would enhance the government’s ability to conduct electronic surveillance,” said Jason Weinstein, a former deputy assistant attorney general for the Justice Department’s criminal division and now a partner at Steptoe &Johnson.
Although online communication services are not required to build in intercept capabilities, the law requires them to provide “technical assistance” to an official with a valid intercept order, which requires a judge to find probable cause that the surveillance will yield evidence of a crime. But the phrase “technical assistance” is vague, permitting different interpretations.
Some companies draw out the process of negotiating with the government. Others provide suspects’ Internet-based messages hours after they are sent, or offer minimal forms of compliance — weekly screenshots of a suspect’s communications, for instance — and argue they have fully complied, government officials said.
One industry official, who spoke on condition of anonymity to be candid, acknowledged the trend. “No company wants to be doing more surveillance than its neighbor,” he said.
Last year, judges authorized 3,600 federal and state criminal wiretaps and 1,588 foreign intelligence surveillance orders. In many of them, law enforcement said, the inability to fully execute the orders hampered their investigations.
In one recent case, Las Vegas police were unable to identify and gain evidence against a suspect in a burglary, robbery and kidnapping investigation because he was using an Internet phone service that lacked an intercept capability, according to FBI officials.
More than a dozen Internet-based instant messaging applications commonly used in child-exploitation networks lack a full capability to provide real-time intercepts.
Often a company might be asked to provide several types of communications but furnish only one, said Rich Littlehale, a Tennessee Bureau of Investigation special agent speaking on behalf of the Association of State Criminal Investigative Agencies. “They’ll say, ‘We can give you X, but we can’t give you Y,’ ” he said.
In 1994, Congress mandated that all phone companies make their systems wiretap-ready. In later years, broadband and some Internet phone services also were covered under the law, known as the Communications Assistance for Law Enforcement Act. At issue now is whether companies that provide communications that traverse the Internet ought to be required to build such a wiretap capability.
Security experts — including some former NSA officials — say a wiretap mandate poses security risks. Building a wiretap solution requires a backdoor into a system, one that foreign adversaries and others may be able to exploit.
“When you’re building in a backdoor, you’re building in an ability to give away information that’s supposed to be protected,” said Richard “Dickie” George, former technical director at NSA.
In one notable example in 2004, an unidentified hacker or hackers broke into the phone network of Vodafone Greece and modified the intercept capability to eavesdrop on the conversations of at least 100 high-ranking Greek officials, including the prime minister.
FBI officials said that developing intercept solutions during a product’s design phase allows the designer to minimize risk from the outset.
Industry officials, however, are also wary of government regulation that they say would stifle innovation. “I just don’t think you should go out and tell every technology company that it has to build surveillance capability into whatever it’s doing,” said Michael Sussmann, also a Perkins Coie partner who represents tech firms. “I realize the government prefers that to having companies retrofit their systems, but you know what? Too bad.”