
An 'Inadvertent' Loss of Privacy

It doesn't matter how carefully laws are tailored to preserve a balance between the interests of national security and the privacy interests protected by the Fourth Amendment when those laws are ignored (as they have been in the Bush administration) or when those tasked with releasing private information to the government inadvertently go too far. National attention has focused on the former threat to privacy, but the NY Times reminds us that the latter threat is just as real.

A technical glitch gave the F.B.I. access to the e-mail messages from an entire computer network — perhaps hundreds of accounts or more — instead of simply the lone e-mail address that was approved by a secret intelligence court as part of a national security investigation, according to an internal report of the 2006 episode. ...

The episode is an unusual example of what has become a regular if little-noticed occurrence, as American officials have expanded their technological tools: government officials, or the private companies they rely on for surveillance operations, sometimes foul up their instructions about what they can and cannot collect. The problem has received no discussion as part of the fierce debate in Congress about whether to expand the government’s wiretapping authorities and give legal immunity to private telecommunications companies that have helped in those operations.

How often do the distributors of private information screw up?

A report in 2006 by the Justice Department inspector general found more than 100 violations of federal wiretap law in the two prior years by the Federal Bureau of Investigation, many of them considered technical and inadvertent. ...

Past violations by the government have also included continuing a wiretap for days or weeks beyond what was authorized by a court, or seeking records beyond what were authorized. The 2006 case appears to be a particularly egregious example of what intelligence officials refer to as “overproduction” — in which a telecommunications provider gives the government more data than it was ordered to provide.

The problem of overproduction is particularly common, F.B.I. officials said. In testimony before Congress in March 2007 regarding abuses of national security letters, Valerie E. Caproni, the bureau’s general counsel, said that in one small sample, 10 out of 20 violations were a result of “third-party error,” in which a private company “provided the F.B.I. information we did not seek.”

An FBI spokesman assures us that the improperly collected emails were "destroyed through unspecified means." Maybe, but what assurance do we have that they weren't read before they were destroyed by "unspecified means"?

The spokesman also assures us that "The system worked exactly the way it’s designed." Really? The system is designed to foul up, giving the FBI access to hundreds or thousands of private emails that it has no right to view? Maybe it's time to design a system that works.

    Great to see you here TChris (none / 0) (#1)
    by Jeralyn on Sun Feb 17, 2008 at 04:43:53 PM EST
    excellent post too.

    Ditto (5.00 / 1) (#5)
    by Big Tent Democrat on Sun Feb 17, 2008 at 06:04:39 PM EST
    Save us from these political wars. Do issues please. Seriously.

    Jeralyn and I are hooked.

    Parent

    It's just (none / 0) (#2)
    by Firefly4625 on Sun Feb 17, 2008 at 04:46:53 PM EST
    neverending, isn't it? So-called technical glitches,  third-party errors, inadvertent mistakes - never the administration's fault - all specifically designed to ratchet up the spying on us, decrease civil liberties, increase privatization and increase Bush's power - under our very noses.

    And all the while they're laughing their *sses off!

    This sort of thing is my business (none / 0) (#3)
    by Joliphant on Sun Feb 17, 2008 at 05:11:20 PM EST
    So let me ask a question.
    Do your computers work perfectly all of the time ?

    Never dial a wrong number ?

    Open a wrong email and find yourself infected by viruses ?

    Click on a link and find an endless stream of advertisements popping up and your computer slowed to a crawl ?

    Law enforcement has a difficult and often thankless job. It doesn't do anyone any good to make their lives harder.

    As a side note the people that most often complain about surveillance and  loss of privacy usually have lives nobody would want to know about or take the effort to spy on.

    Ummm (none / 0) (#6)
    by badger on Sun Feb 17, 2008 at 06:25:56 PM EST
    If I dial a wrong number, I find out pretty quickly and then hang up. I don't get viruses or endless streams of popups, because I run Linux and Firefox - maybe people who run Windows accept that kind of thing as normal. Those are also intentional, not accidental, events.

    But I could definitely tell if I was getting the email from a single account or hundreds of accounts on a network. Even if the volume wasn't noticeable, I could figure out pretty quickly that the "To" addresses were wrong, just like any other "wrong number".

    So while machine errors and human errors occur, I'd be pretty skeptical that something like this couldn't be instantly recognized and remedied.

    And they sure seem to make a lot of "mistakes".


    Parent

    How would you recognize it instantly ? (none / 0) (#7)
    by Joliphant on Sun Feb 17, 2008 at 06:38:02 PM EST
    You have a system dumping data onto a disk or flash memory just how do you recognize it instantly ?

    Or someone hands you a database or a set of files just how do you divine their content instantly ?

    Making a lot of mistakes ?

    Just where would you place their percentage ? This is the only incident I have heard of in the past year. I can't quantify the rate because I have no idea how many times they undertake this kind of operation or how many times we hear about the result.

    Parent

    For starters (none / 0) (#8)
    by badger on Sun Feb 17, 2008 at 06:56:19 PM EST
    email is in text format - at least the headers are. You can just view it. If you couldn't view it there wouldn't be much point in collecting it.

    To deliver it to an account requires information specified in the RFC for mail - things like a 'To' address as well as a 'Deliver-To' header, so I can either look at a random sample of messages or write a simple script to check every message. Or something like sendmail can be used to validate it too, although it's easily scripted in Python or Perl (having done it a number of times).

    In fact if I don't do something like that, I have no idea if I'm collecting the mail I want to examine at all - mistakes can omit things just as easily as include hundreds of wrong addresses.

    Delivering mail to the correct address is not some unfathomable, error-prone process - how often do you receive email intended for someone else's account?

    So assuming they were smart enough to check that they were receiving the mail they were interested in, they had to know they were receiving lots of other mail they weren't authorized to receive. There's no way around that that I can see.


    Parent

    That makes assumptions (none / 0) (#9)
    by Joliphant on Sun Feb 17, 2008 at 07:08:03 PM EST
    without facts in evidence to support them.

    1. The email is being intercepted as text streams at time of transmission and not being retrieved as extracts from an exchange server or other email server.

    2. If they are being intercepted in real time you assume they have remote monitoring of the device used to do the interception. Simply mistyping a wildcard can throw your intercept filter way off.

    I don't want to drill down into endless detail on this. So let's cut to the chase.

    Your argument rests on two pillars. One, that software and I.T. operations are being conducted with a very low error rate. That people don't make frequent mistakes with very complex equipment and that these mistakes may not persist until subsequent review.

    Experience argues otherwise.

    The second pillar is that this happens often. You haven't presented anything into evidence that supports that argument.

    Parent
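The header check discussed in the comments above, together with the mistyped-wildcard failure, as an added example that is not part of any commenter's post. It audits a collected set of messages against the single authorized address. The addresses, the `corp.example` domain, the header list and all function names are constructed for illustration.

```python
import email
from email.utils import getaddresses
from fnmatch import fnmatch

AUTHORIZED = "target@corp.example"  # constructed: the one address in the order
HEADERS = ("From", "To", "Cc", "Delivered-To")  # assumed set of headers to check

# Constructed capture: four messages seen on one mail domain.
CAPTURE = [
    "From: a@ext.example\nTo: target@corp.example\n\nhello\n",
    "From: b@ext.example\nTo: alice@corp.example\nCc: bob@corp.example\n\nhi\n",
    "From: target@corp.example\nTo: c@ext.example\n\nreply\n",
    "From: d@ext.example\nTo: list@corp.example\n"
    "Delivered-To: target@corp.example\n\nlist post\n",
]

def parties(raw):
    """Lower-cased set of every address named in the checked headers."""
    msg = email.message_from_string(raw)
    values = [v for h in HEADERS for v in msg.get_all(h, [])]
    return {addr.lower() for _, addr in getaddresses(values) if addr}

def collect(capture, pattern):
    """Toy intercept filter: keep a message if any party matches the glob."""
    pattern = pattern.lower()
    return [m for m in capture if any(fnmatch(a, pattern) for a in parties(m))]

def audit(collected, authorized):
    """Split collected mail into in-scope and out-of-scope (overproduced)."""
    ok = [m for m in collected if authorized.lower() in parties(m)]
    extra = [m for m in collected if authorized.lower() not in parties(m)]
    return ok, extra

def report(capture, pattern, authorized=AUTHORIZED):
    """Counts for one filter setting; 'missed' needs the full capture, which
    only this constructed test has."""
    ok, extra = audit(collect(capture, pattern), authorized)
    expected = sum(authorized.lower() in parties(m) for m in capture)
    return {"in_scope": len(ok), "overproduced": len(extra),
            "missed": expected - len(ok)}

if __name__ == "__main__":
    for pattern in ("target@corp.example", "*@corp.example", "targett@corp.example"):
        print(pattern, report(CAPTURE, pattern))
```

The wildcard setting sweeps in a message between two other users on the same domain, while the misspelled address collects nothing at all, so the same audit surfaces both over-collection and omission.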

    The assumption it makes (none / 0) (#10)
    by badger on Sun Feb 17, 2008 at 07:56:00 PM EST
    is that everyone is receiving RFC-compliant email. If that's the case, then once the message leaves the sender, anywhere in the datastream you access the message the RFC-envelope will contain the necessary information to differentiate between the suspect and anyone else.

    It isn't necessary to drill-down any farther than knowing how an email message is structured, routed and processed by mail transfer agents. To screw up the way they did you either have to a) set things up with absolutely no concern for the privacy rights of others on the same network or, b) do it intentionally.

    But to stretch a point, I suppose someone who is incredibly lazy could collect all of that mail by accident, in which case he'd be lucky to collect or find the mail he's actually interested in. I'm not sure which is scarier - the FBI being that invasive or that incompetent, but there is no third choice.

    As to the frequency of 'errors', there is a report from the DOJ itself (I believe) that indicates how many times the FBI and others have violated the limits of the law and legitimate warrants. If you really aren't aware of that, I'll try to look it up for you.


    Parent

    No (none / 0) (#11)
    by Joliphant on Sun Feb 17, 2008 at 08:18:09 PM EST
    You are making assumptions again.

    1. That the mail is RFC compliant
    2. All the data is passing through a central point in text format accessible to the FBI.

    Both are just not so as often as not.

    Remember unless it's an ISP hosted email, you will want to intercept internal mail to the address as well. In which case you may have to deal with anything from GroupWise to Notes. There is also the matter of companies that use secure or otherwise encrypted email systems.

    As I stated earlier your argument rests on the idea that it's possible to provide a very high level of accuracy in collecting this information. Given the arbitrary variance in I.T. environments this will not always be the case. It all boils down to the error rates.


    Parent

    Civics 101.... (none / 0) (#13)
    by kdog on Mon Feb 18, 2008 at 08:35:00 AM EST
    Law enforcement has a difficult and often thankless job. It doesn't do anyone any good to make their lives harder.

    I could not disagree more.  The whole purpose of the Bill of Rights is to make law enforcement's job harder, and for good reason, to prevent tyranny and preserve liberty.  I wouldn't have it any other way.

    Parent

    First that's not the purpose of the bill of rights (none / 0) (#15)
    by Joliphant on Mon Feb 18, 2008 at 09:01:34 AM EST
    The purpose of the bill of rights is to prevent tyrannical rule. To say that its purpose is to make law enforcement more difficult is a complete misinterpretation. It's much like saying that the purpose of roads is to remove farmlands.

    What's funny is that you recognize this and then make the unneeded addition anyway.

    Parent

    To prevent tyrannical rule.... (none / 0) (#16)
    by kdog on Tue Feb 19, 2008 at 03:16:24 PM EST
    limits must be placed on government power, which includes law enforcement power.  These limits make law enforcement's job more difficult, and I am grateful for these limits.

    Do you dispute that the Bill of Rights makes law enforcement's job more difficult?  

    Parent

    Supplying e-mail is (none / 0) (#4)
    by PlayInPeoria on Sun Feb 17, 2008 at 05:20:16 PM EST
    tricky. It depends on the company and if they back up or archive email. Simple terms is...

    If it was a large corp then they normally archive (enables them to pull a single or multiple email)

    If it was a smaller company then they could just backup email. This complicates the restore of email. Sometimes you end up with a complete email server. I had to do this one for a lawsuit... it was not fun.

    joliphant, (none / 0) (#12)
    by cpinva on Mon Feb 18, 2008 at 02:56:01 AM EST
    for an "IT pro" you make a lot of idiotic statements, that any 16 year-old high school geek could blow away.

    • simply put, the best security are the people on the receiving end; if you don't recognize the sender, delete the email. virus problem solved.

    • if you get data, from an unknown source, delete it. if you get data internally, it's presumptively been cleared by the IT dept. virus and pop-up problem solved.

    • restrict admin authority to only those that need it to do their jobs. no admin authority, no d/l of apps off the net, virus and pop-up problem solved.

    these are all basic system security precautions, that even the smallest company can implement.

    please spare us your so-called expertise, these events aren't the result of a glitch in technology, but a glitch in the human operating it; garbage in-garbage out (gigo).

    the only thing unusual about this particular event is that we heard about it. that was a slipup, and i'm sure they'll try to make sure it doesn't happen again.

    LOL (none / 0) (#14)
    by Joliphant on Mon Feb 18, 2008 at 08:52:07 AM EST
    Your statements are insane and betray a serious lack of comprehension of anything that was said. I'll address them after I deal with the central theme.

    "the only thing unusual about this particular event is that we heard about it. that was a slipup, and i'm sure they'll try to make sure it doesn't happen again."

    Is this something you actually know or just a paranoid delusion that has slipped past your meds ?

    Now on to the rest

    " simply put, the best security are the people on the receiving end; if you don't recognize the sender, delete the email. virus problem solved"

    Of course that's why things like

    Storm
    Rbot
    and Bobax happen

    Here's a little background for you
    http://www.darkreading.com/document.asp?doc_id=138610&WT.svl=news1_1

    Your second statement verges on the incomprehensible. This website per example has data from three sources not under its direct control. Just how do you propose rejecting them ?  If you meant email I am sure many people will be happy to know you have solved the problems of forged identities.

    Three, The people you can put in a nice neat box are never the problem.

    Parent