iMEGA One Year Later...By Hartley Henderson

[Rogthedodger]

Almost one year ago Ed Leyden and Joe Brennan made noise at the GIGSE conference when they announced the formation of iMEGA, a trade group formed to protect freedom of the internet. While their larger goal was to ensure that basic freedoms set out in the constitution were not infringed on just because they took place on the internet, their more immediate concern was to somehow repeal the UIGEA, which Joe Brennan called "an unjust law that was cynically crafted to provide red meat for social conservatives for the 2006 mid term elections". The group saw the UIGEA as the start of a slippery slope that would allow Congress to pass other laws which would curtail internet growth under the guise of national security. The group may have been correct.

Just last month, FBI agent Robert Mueller and Representative Darrell Issa drew up a proposal called the Cyber Initiative which would force ISPs to open all the browsing activities done through their networks without the need of a warrant. The FBI is hoping that a law could be passed which would require all ISPs to amend their terms of service forcing users to allow all their browsing activities to be monitored by the FBI under the guise of protection for the individual and companies against malicious attacks. The eventual hope of those supporting the initiative is that it would allow the FBI to "shut down a crime in process". What entails a crime would be left up to the FBI to determine. No doubt that would include, but would not be limited to, p2p file transfers, bit torrent downloads and internet gambling. Clearly this is part of the slippery slope to curtailing basic freedoms just because the activity occurs on the internet.

iMEGA`s first initiative back in June was to sue the Attorney General's office in an attempt to block the writing of the UIGEA regulations. Officially the motion failed, as the Treasury did release the regulations in October of 2007. However, what was released by the Treasury was clearly done in haste, which in part could have been due to the lawsuit. Ed Leyden spoke for iMEGA at a house subcommittee meeting regarding the UIGEA regulations in April of this year where he stated: "the inalienable rights that each of us holds under the Constitution to freedom of privacy, speech, expression, and conduct should not lessened in any way when we are using the Internet." He, along with many other speakers from banks and various agencies showed the failings of the regulations, which are so severe they could actually lead to the crippling of the U.S. banking industry if the banks are forced to try and implement them. Leyden made one of the most poignant comments at the hearing when he stated: "by imposing unprecedented burdens on the intricate system of financial transactions and payment system instrumentalities - which has up until now been universally recognized as being inherently content-neutral - these proposed regulations run the grave risk of sharply stifling the growth of electronic commerce." It is evident to anyone who witnessed that hearing that the regulations will not and can not be implemented as written, and therefore iMEGA may have indeed blocked meaningful regulations from being drafted. As Ed Leyden stated to me today: "the overreaching rules that the regulations set out will be difficult, if not impossible, to implement. Thus our initial goal of injunctive relief may have happened as a matter of course."

iMEGA also has a strong presence on Capital Hill where they continue to lobby for the industry. The company hired New York lobby group Ogilvy Public Relations Worldwide, which has been building brand awareness of iMEGA and has also been encouraging politicians to support UIGEA repeal and to consider counter bills such as those proposed by Barney Frank, Shelley Berkley and Robert Wexler. The lobbying efforts could prove to be of extreme importance if a Democrat is voted in as President this fall. Most of those opposed to the UIGEA are Democrats, but they have had difficulty being heard while George Bush has been in power. If a Democrat with thoughts similar to iMEGA regarding the UIGEA takes power, the voices of Frank, Berkley, Wexler and others may be considered more seriously. Don't forget, the Attorney General is appointed by the President of the United States, and both the Senate and House of Representatives are now in control of the Democrats. If the American Banking Association can illustrate to the new president how any UIGEA regulations can potentially harm the industry, and if the right lobby groups such as iMEGA or Poker Player's Alliance can illustrate how the UIGEA has the potential to curtail freedom of the internet and also demonstrate how online gambling could reap huge financial benefits for the country, there is no reason to think the new President's views on gambling can't be swayed if he/she isn't already in support of it. While a few politicians have some issues with online gambling, just as many are appalled by the law that was shoved through without a hearing.

Asked whether he has been happy with the progress of iMEGA this last year, Mr. Leyden stated that he has been very pleased with the organization's progress. Certainly he was disappointed that the lawsuit against the AGs office was dismissed by Judge Cooper initially, but he was pleased that the group was given standing to challenge the law. "That was a huge development," Mr. Leyden stated. "It clearly affirms our right to be represented on this issue." Mr. Layden said that the organization has grown steadily and that people are coming forward all the time expressing interest in their movement. As for the future, Mr. Leyden said that they will continue fighting for the defeat of the UIGEA, but more importantly iMEGA will fight against any laws that could result in censorship of the internet. iMEGA issued an appeal to the dismissal of its lawsuit in the 3rd district court of Philadelphia. Also, in an open letter to the gaming industry, iMEGA tried to illustrate that appeals are often upheld citing numerous examples. In the letter the organization stated the following:

The next step for iMEGA is to take this battle to the Third Circuit Court of Appeals in Philadelphia, an appellate court that has been traditionally protective of the fundamental rights of speech and expression. One need only look to that Court's striking down (multiple times) of the Child Online Protection Act (COPA) - another well intentioned but over-reaching Federal law - for an example of how favourable that Court can be to iMEGA's challenge.

A positive result for iMEGA in the Third Circuit, affirming our "digital civil rights", would represent a truly landmark victory with historic consequences.

iMEGA also tries to indicate why freedom of the internet is so important, providing numerous news articles on its website (imega.org) where basic freedoms of Americans are being challenged simply because they occur on the internet. Without question iMEGA has been a strong voice in America for the gambling industry.

05-28-2008
Hartley Henderson
MajorWager.com
henderson@majorwager.com

http://www.majorwager.com/frontline-664.html

[Myron]

The FBI is hoping that a law could be passed which would require all ISPs to amend their terms of service forcing users to allow all their browsing activities to be monitored by the FBI under the guise of protection for the individual and companies against malicious attacks. The eventual hope of those supporting the initiative is that it would allow the FBI to ?shut down a crime in process." What entails a crime would be left up to the FBI to determine. No doubt that would include, but would not be limited to, p2p file transfers, bit torrent downloads and internet gambling. Clearly this is part of the slippery slope to curtailing basic freedoms just because the activity occurs on the internet.


no court would allow that to happen

[Hartley]

I wouldn't put anything past the Bush administration.

[stevo]

I can't imagine them pulling that off.

[Hartley]

It appears even members of Congress are concerned what the real motive behind the cyber initiative is.

http://hsgac.senate.gov - Technical difficulties.

[Hartley]

May 02, 2008

LIEBERMAN AND COLLINS STEP UP SCRUTINY OF CYBER SECURITY INITIATIVE
Secrecy, Overuse of Contractors, Role of Private Sector at Stake

WASHINGTON – Homeland Security and Governmental Affairs Committee Chairman Joe Lieberman, ID-Conn., and Ranking Member Susan Collins, R-Me., are seeking detailed explanations from the Department of Homeland Security regarding a new initiative to secure federal information technology systems.

In a letter to Department of Homeland Security Secretary Michael Chertoff, the Senators reiterate their support for the Administration’s heightened attention to cyber security as evidenced by creation of the Comprehensive National Cybersecurity Initiative (CNCI). The CNCI, formally established in January, is intended to strengthen the federal government’s ability to secure the electronic networks and databases upon which it relies.

But, given the Administration’s request to triple DHS’ cyber security budget over the past year, the Senators are asking for specific information on issues ranging from the secrecy of the project to its heavy reliance on contractors to the lack of involvement by the private sector, which controls the vast majority of the nation’s cyber infrastructure.

“Overall, we are pleased that the Department is taking additional steps to secure federal computer networks and that you have decided to make cyber security one of the Department’s top four priorities for this year,” the Senators write. “At the same time we believe that increased openness and information sharing with Congress, the private sector, and the American public will aid in the eventual success of the initiative.”

DHS has a significant role to play in implementation of CNCI, which is still under development, although other agencies, including the National Security Agency are also involved. HSGAC conducted a classified briefing on the initiative in March, but the Administration has been reluctant to share unclassified portions of the program with Congress and the public.

Following is full text of the letter:


May 1, 2008

The Honorable Michael Chertoff
Secretary
U.S. Department of Homeland Security
Washington DC 20528

Dear Secretary Chertoff:

On March 4th, Robert Jamison, Under Secretary of National Protection and Programs, and other government officials, testified before the Senate Homeland Security and Governmental Affairs Committee in a closed hearing on the role of the Department of Homeland Security (DHS or “the Department”) in the Comprehensive National Cybersecurity Initiative (CNCI). This initiative will fundamentally change, and we hope strengthen, the government’s efforts to secure the critical cyber networks on which our government, indeed our way of life, depend.

When the Department was established five years ago, we were optimistic that it would play a key role in securing cyber networks. Given the extent of the threat, it is clear that there must be a greater emphasis on securing our information technology systems. The CNCI is evidence that the Department, and the Administration, is rethinking its approach to cybersecurity, and we welcome this initiative.

Overall, we are pleased that the Department is taking additional steps to secure federal computer networks and that you have decided to make cybersecurity one of the Department’s top four priorities for this year. Nonetheless, we are writing to ask some additional questions on the Department’s role in the CNCI and its goals for cybersecurity overall. To aid our examination of this program, we also request certain documents relating to the CNCI.

The CNCI – officially established in January when President Bush signed National Security Presidential Directive 54 / Homeland Security Presidential Directive 23 – is a multi-agency, multi-year plan that lays out twelve steps to securing the federal government’s cyber networks. DHS has been tasked to lead or play a major role in many of these tasks. This bold, much-needed approach to cyber security will lead to a fundamental shift in the way the Department approaches the security of U.S. networks.

DHS has requested substantial new resources for cyber security, and it is critical that the funds are spent carefully and appropriately. The Department has requested an additional $83 million dollars for the National Cyber Security Division (NCSD) for fiscal year 2009. Including the $115 million that was awarded for the initiative in the FY 2008
omnibus appropriations bill, this would be a nearly $200 million dollar increase, tripling the amount of money spent on cyber security in DHS since 2007.

The Department’s plan to use contractor personnel to support the initiative merits some scrutiny in light of this Committee’s past work in this area. On January 16, DHS issued an RFP for “Mission Support for NCSD” seeking services to support the Directorate for 10 months, presumably to assist with the additional responsibility given to DHS under the CNCI. However, the request does not appear to incorporate the recommendations made to the Department by the Government Accountability Office (GAO) in a report we requested last year (“Department of Homeland Security: Improved Assessment and Oversight Needed to Manage Risk of Contracting for Selected Services,” GAO-07-990). One of these recommendations, which the Department agreed with, was that contract requirements should be defined to “clearly describe roles, responsibilities, and limitations of selected contractor services as part of the acquisition planning process.” We have several questions to better understand the Department’s intentions with respect to staffing and for the procurement of service to support the NCSD.

We also have concerns about how information has been shared with Congress and other stakeholders concerning this initiative and the potential impact this lack of collaboration may have on the success of the initiative. While certain operational details of the program are necessarily classified, additional efforts, where appropriate, to downgrade the classification or declassify information regarding the initiative would aid congressional oversight and permit broader collaboration with the private sector and outside experts. Given the scope of this initiative and the broad cross section of stakeholders – both in the government, the private sector, and elsewhere – this oversight and collaboration are critical components of a successful program.

We are also concerned that the lack of information about the CNCI being provided to the public, other agencies, and private entities that conduct business with the government might be creating confusion and concern about the initiative. Given the broad nature and goals of this initiative, agencies may be less likely to plan for their future information technology needs, fearing that systems they purchase might not comply with the initiative. Similarly, industry will be less likely to do business with the government given the uncertainty about future technical requirements. Additionally, the public, of course, must be reassured that efforts to secure cyber networks will be appropriately balanced with respect for privacy and civil liberties.

At the same time, there appears to be some confusion within the Executive Branch concerning what information about the CNCI is and is not classified. In some cases, DHS officials have publicly revealed information that had previously been presented to Committee staff as classified. For example, on March 20th, you announced that Rod Beckstrom would be the Director of the new National Cyber Security Center (NCSC) within DHS. Prior to this announcement, committee staff had been instructed that the existence of the NCSC itself was classified. Moreover, the Department has yet to publicly disclose very many details on the role of the NCSC beyond the brief press release. To clarify these matters, we renew our request for an unclassified summary of the CNCI – a request made by Committee staff over five months ago.

Given the confusion over what the NCSC will do and a lack of clarity over what information pertaining to the NCSC is classified, we also request additional information to better understand the role of the NCSC within the Department. Additionally, we have questions about the nature and duration of the position of Director of the National Cyber Security Center.

We are also concerned about of the relative lack of private industry involvement in this initiative to date. The private sector controls the vast majority of our nation’s cyber infrastructure and is an important partner in our efforts to protect government systems. While the CNCI takes immediate steps to secure government systems, identifying the actions necessary to secure private networks must be a long term goal. We are pleased that “Project 12,” a component of the CNCI, will assemble a group of industry leaders to help the Department issue a report on how the government should work to protect the larger cyber infrastructure. However, beyond “Project 12,” we are not aware of any substantial industry involvement with the development or implementation of the CNCI. Given their expertise, and the role that private industry must necessarily play in securing government and private sector networks, we urge you to ensure that they are appropriately involved in this initiative.

We would like to reiterate our support for the Administration’s increased focus on cyber security. At the same time, we believe that increased openness and information sharing with the Congress, the private sector, and the American public will aid in the eventual success of the initiative. To that end, we would appreciate your responses to the following questions:

THE NATIONAL CYBER SECURITY CENTER

1. What is the role of the National Cyber Security Center?

2. Why was the determination made to create the National Cyber Security Center?

3. In Acting Deputy Secretary Schneider’s answers to pre-hearing questions for his nomination, Mr. Schneider stated that the appointment of Mr. Beckstrom as Director of the National Cyber Security Center “is for two years.”

a. Under what authority was Mr. Beckstrom appointed and is he serving? For example, was he given a Schedule C Excepted Appointment, or was he appointed under some other legal authority?

b. Please explain what is meant by a “two-year” appointment. What obligations and/or rights do Mr. Beckstrom and the federal government have under this arrangement?

c. Under what legal authority was Mr. Beckstrom’s appointment made “for two years”?

d. Please provide to the Committee a copy of any document or other record that effectuates Mr. Beckstrom’s appointment or that memorializes any terms or conditions of the appointment.

CONTRACTING

4. For their role with CNCI, the Department intends to increase quickly the number of staff supporting the program. How do you intend to find and recruit people with sufficient qualifications?

5. In the Department’s view, what is the right balance between contract and government staff to carry out the responsibilities of the NCSD at DHS?

6. On January 16, DHS issued an RFP (Solicitation HSHQDC-08-R-00025) for Mission Support for the National Cyber Security Division. This RFP lays out 18 pages of responsibilities under the contract, which include supporting numerous activities under NCSD.

a. Is this RFP designed to extend current services that contractors are providing for NCSD or to expand the services that contractors will provide?

b. Why was the determination made that this contract would be for a 10-month period?

c. Does the Department have a plan for transitioning from contractor support to FTE’s after the 10-month period?

d. What contractor has been performing this work to date, and why is it being recompeted at this time?

7. Several of the tasks requested in the statement of work appear integral to DHS's mission and will closely support certain inherently governmental functions. These tasks include: intelligence analysis, coordinating with law enforcement, coordinating between government offices, and responding to congressional requests.

a. How will DHS provide appropriate oversight to ensure that the contractors support efforts do not intrude on inherently governmental functions?


b. How will DHS ensure enhanced scrutiny of contractor performance as required by federal procurement regulation and guidance?

c. How many Contracting Officer's Technical Representatives (COTRs) does the Department plan to have overseeing this contract?

8. In the response to the recommendations in GAO’s report, DHS stated “Better requirements definition for service contracts will lead to fewer Time and Materials type contracts and more effective use of Performance Based Service Contracts throughout DHS.” Additionally, in a memo written in August of last year, Chief Procurement Officer Elaine Duke wrote, “requirements for services must be clearly defined with appropriate performance standards and, to the maximum extent practicable structured as performance-based.” Despite this statement, this RFP anticipates the award of a Time and Material task order.

a. Why was the determination made to make this a Time and Materials task order?

b. How will DHS ensure that costs are being controlled after this contract is awarded?

CLASSIFICATION

9. Given that this initiative is highly classified, how will you ensure that government officials and members of the private sector have the necessary information to carry out their respective roles in the initiative?

10. Are there plans to issue an unclassified version of HSPD-23, similar to President Clinton’s release of an unclassified version of PDD-63?


ROLE OF THE PUBLIC

11. How does this new policy comport with privacy and public comment requirements in existing statute, such as the E-Government Act (P.L. 107-347) and the Privacy Act (P.L. 93-579)?

12. As this initiative is deployed, how will you ensure that American citizens retain the maximum possible electronic access to government agencies’ websites?

13. How will you ensure that the privacy of Americans who access government websites and provide personally identifiable information through electronic means will be protected?


METRICS

14. On March 1, OMB reported that for FY07 there were 12,986 security incidents, more than doubling the number of incidents reported in FY06. Much of this increase may be attributable to increased reporting, and consequently we might expect that number to rise as the Einstein program is further deployed.

a. Given the likelihood that this number will rise, how will we determine when this initiative is succeeding and Einstein is measuring something tangible?

b. Overall, what metrics will be used to evaluate success?


PRIVATE SECTOR

15. Its our understanding that the private sector was not consulted before the CNCI was drafted and that very few members of the private sector have been briefed on CNCI to date.

a. To what extent were private sector experts involved in the development of the CNCI?

b. Is it possible that important cyber security experts who might have valuable expertise were not consulted?

c. Given that private sector cooperation is crucial to effectively protect federal government networks, how do you plan to work with this sector in the implementation of the CNCI?

d. Will there be a chance for select portions of industry to provide feedback on the CNCI, other than “Project 12,” prior to the finalization of ongoing implementation plans currently being prepared?

e. Will there be a chance for the public to comment on the non-classified portions of CNCI?

PRIVACY IMPACT ASSESSMENTS

16. The new version of Einstein, instead of only looking at information traffic to and from government networks, could be used to look at the content of this traffic as well. Undersecretary Jamison testified before the House Homeland Security Committee that a privacy impact assessment (PIA) is being conducted as the new version of Einstein is developed. The PIA requirement from the E-government Act of 2002 requires PIAs to be conducted and published before the development of new information technology systems that will collect or store personal information electronically.

a. When do you expect the Privacy Impact Assessment to be completed for the new version of Einstein?

b. When do you expect the new version of Einstein to be deployed?

c. How will any identified privacy concerns be addressed in the new version of Einstein?

OTHER RESPONSIBILITIES OF DHS

17. While securing federal government networks is clearly an important goal, the NCSD has a number of other priorities in securing cyberspace outside of government systems.

a. How will the Department ensure that its responsibilities under the CNCI do not divert resources from its other cybersecurity missions?

b. What are the goals for the NCSD for this year, beyond the protection of government networks, to ensure that cyber security is enhanced overall, and not just within government networks?


In addition, please provide the following information to the Committee:

• A classification guide that clarifies which portions of the CNCI are classified and at what level;

• A summary document describing all portions of the CNCI deemed unclassified;

• An unclassified, detailed 5-year breakdown of the DHS budget for the CNCI;

• An unclassified summary of the roles and responsibilities of the NCSC, including the level at which the Center will be funded;

• A detailed implementation plan of DHS’s responsibilities under the CNCI, including how contract staff will be used to support the NCSD; and

• Any plans pertaining to enhancements of the Einstein Program.

Thank you in advance for your attention to this matter. We look forward to reviewing the information that you provide. Please feel free to have your office contact Adam Sedgewick or Deborah Parkinson with Senator Lieberman at (202) 224-2627 or John Grant or Asha Mathew with Senator Collins at (202) 224-4751 if you have any questions.


cc: The Honorable Robert Jamison, Undersecretary, National Protection and Programs Directorate;
Rod Beckstrom, Director, National Cyber Security Center

###

[Hartley]

Transcript: FBI director on surveillance of 'illegal' Internet activity | The Iconoclast - politics, law, and technology - CNET News.com

Transcript: FBI director on surveillance of 'illegal' Internet activity
Posted by Declan McCullagh 4 commentsWhen the FBI suggested that it should be able to perform wide-scale Internet monitoring to detect "illegal activity" on Wednesday, the bureau raised more questions than it answered.

To help clear things up, we're providing the transcript of FBI Director Robert Mueller's exchange at a House of Representatives hearing with Rep. Darrell Issa, a California Republican. Issa made his fortune by founding Directed Electronics, a publicly traded company that sells car alarms and home theater loudspeakers.

Issa also is a member of the House Intelligence Committee, which is holding a closed hearing on Thursday devoted to the Bush administration's so-called Cyber Initiative. In January, President Bush signed a pair of secret orders--National Security Presidential Directive 54/Homeland Security Presidential Directive 23--that apparently deal with detecting and preventing Internet disruptions.

Here's the relevant section of the transcript from the House Judiciary hearing on Wednesday:

Rep. Issa: Director, there isn't enough time in five minutes to open and close the subject of the Cyber Initiative, but this committee, in my opinion, is going to be the lead committee on, ah, the actual effectiveness of that initiative. As we both know it's compartmented, highly classified. But I'd like to concentrate just on what laws or changes that you would need from this committee if you were to do the following, and I'll set out a scenario.

If you go into a place and there's a crime actively being committed, let's say there's a bookie joint, and there's tens of thousands of illegal transactions going on every minute. And you know that. And you have proof of that. You don't question your ability to go in and to harvest the fruit of all the activities in there, is that correct?

Mueller: That's correct.

Mueller: With a search warrant, quite honestly.

Rep. Issa: With a search warrant. Today every ISP is being maliciously attacked--this goes beyond the .mils and .govs--but I think that's the important reason that we approach it today. Every ISP is being attacked, maliciously both from in the United States and outside of the United States, by those who want to invade people's privacy.


FBI director Robert Mueller, shown here at Wednesday's hearing, says 'legislation has to be developed' that would 'identify the illegal activity as it comes through and give us the ability to preempt that illegal activity.'

(Credit: Anne Broache/CNET News.com)But more importantly they want to take control of computers, they want to hack them, they want to steal information. This is also true of the .mils and .govs. Every one of our congressional offices, every day, is under attack.

Every portal leading out of the United States, some of them going in and out of the United States, but talking only about your jurisdiction in the United States. Every portal coming into this country is being attacked by those who would harvest information, both national security secrets and just the common information of private individuals and private individuals.

That crime is going on, every day, on a single entity known as the Internet. What authorities do you need to monitor, looking for those illegal activities, and then act on those, both defensively and, either yourselves or certainly other agencies, offensively in order to shut down a crime in process?

Now, I'm a civil libertarian. I was with Bob Barr arguing some of the elements of the Patriot Act that we still don't agree should have been there. But when I set up the crime scenario, how is it that you're going to get the right to react when today, people would say that if they, if you're addressing an action from an American person, you don't have that right? How are you going to do it, and how can we help you do it appropriately and constitutionally?

Mueller: I think legislation has to be developed that balances on one hand, the privacy rights of the individual who are receiving the information, but on the other hand, given the technology, the necessity of having some omnibus search capability utilizing filters that would identify the illegal activity as it comes through and give us the ability to preempt that illegal activity where it comes through a choke point as opposed to the point where it is diffuse on the Internet.

And it is a question of the legislation catching up to the technology. Understanding that these crimes are being committed every moment. But then identifying our ability to focus on the particular criminal element as it's coming through and preempt that criminal element, whether it be .mil, .gov, .com, whichever network you're talking about.

Rep. Issa: OK, and one follow-up question, or two follow-up questions, because I know we're not going to get it all resolved today. One, can you have someone on your staff designated to work with members of Congress on trying to craft that legislation? I'd appreciate being able to work with that person.

And secondly, and this goes to a legal opinion you may or may not be able to help us with today, but I'd like you to try to work on it. If ISPs or other private entities, a Lockheed Martin on one hand, and my old company, Directed Electronics on the other, if they consented to participation voluntarily in being, in fact, defended in a Cyber Initiative--and that includes ISPs that hypothetically got consent from every single person who signed up to operate under their auspices.

If that consent were granted, do you believe that current laws either can or reasonably easily could be made to protect them? In other words, a voluntary program that would begin allowing federal agencies to counter-attack and to defend on behalf of those who waive current possible restrictions in that sense. And that's probably my most important question to get this committee thinking of.

Mueller: I think that's going to require some thought because an individual company can say "OK, I consent to have somebody protect me." But if the filter is inappropriately placed just protecting that particular company, it may have to be one or two or three institutions or ISPs off, and that's where you would have a problem. whether it would be, i forget what company you mentioned, but Lockheed Martin saying," I'm willing for somebody to protect me," but the protection may be two or three companies off. Lockheed Martin has no mechanism in order to affect the company that's two or three off, if you see what I'm getting at.

Rep. Issa: Thank you, and thank you, Mr. Chairman. Hopefully 163.33.33.0 will be protected if they ask to be, whoever they are. (Editor's note: 163.33.33 seems to be an Internet protocol address near San Jose, Calif.)

Rep. Conyers: As you wish, Mr. Issa.

Rep. Issa: Mr. Chairman, I do hope that when we look at the Cyber Initiative, we view ourselves as the primary committee that has to clear the way for appropriate action on behalf of our government, all branches.

Rep. Conyers: (Nods)

[Hartley]

FBI's Net surveillance proposal raises privacy, legal concerns | The Iconoclast - politics, law, and technology - CNET News.com

FBI's Net surveillance proposal raises privacy, legal concerns
Posted by Declan McCullagh 1 commentThe FBI director and a Republican congressman sketched out a far-reaching plan this week for warrantless surveillance of the Internet.

During a House of Representatives Judiciary Committee hearing, the FBI's Robert Mueller and Rep. Darrell Issa of California talked about what amounts to a two-step approach. Step 1 involves asking Internet service providers to open their networks to the FBI voluntarily; step 2 would be a federal law forcing companies to do just that.

Both have their problems, legal and practical, but let's look at step 1 first. Issa suggested that Internet providers could get "consent from every single person who signed up to operate under their auspices" for federal police to monitor network traffic for attempts to steal personal information and national secrets. Mueller said "legislation has to be developed" for "some omnibus search capability, utilizing filters that would identify the illegal activity as it comes through and give us the ability to pre-empt" it.

These are remarkable statements. The clearest reading of them points to deep packet inspection of network traffic--akin to the measures Comcast took against BitTorrent and to what Phorm in the United Kingdom has done, in terms of advertising--plus additional processing to detect and thwart any "illegal activity." (See the complete transcript here.)

"That's very troubling," said Greg Nojeim, director of the project on freedom, security, and technology at the Center for Democracy and Technology. "It could be an effort to achieve, through unknowing consent, permission to monitor communications in a way that would otherwise be prohibited by law."

Unfortunately, neither Issa nor Mueller recognized that such a plan is probably illegal. California law, for instance, says anyone who "intentionally and without the consent of all parties to a confidential communication" conducts electronic surveillance shall be imprisoned for one year. (I say "probably illegal" because their exchange didn't offer much in the way of details.)

"I think there's a substantial problem with what Mueller's proposing," said Al Gidari, a partner at the Perkins Coie law firm who represents telecommunications providers. "He forgets the states have the power to pass more restrictive rules, and 12 of them have. He also forgets that we live in a global world, and the rest of the world doesn't quite see eye to eye on this issue. That consent would be of dubious validity in Europe, for instance, where many of our customers reside."

For its part, the FBI isn't talking. After we made repeated attempts to get the bureau to explain what Mueller was talking about, FBI spokesman Paul Bresson responded by saying, "At this point, I'm going to let the director's comments, in the context of the exchange with Rep. Issa, speak for themselves."

What step 1 appears to involve is persuading Internet providers to amend their terms of service and insert an FBI-can-monitor-everything clause. Informed consent is one thing. But does anyone actually read the fine print on their contracts with their broadband or wireless provider? If not, is that fine print good enough?

Informed consent is important because of the wording of the Electronic Communications Privacy Act, or ECPA, which says providers may share the contents of customers' communications only "with the lawful consent" of the user. Otherwise, providers are breaking the law and can be sued for damages. And without consent, the FBI would bump up against the Fourth Amendment's prohibition on unreasonable searches.

Originally, Congress seemed to take a liberal view of what constituted "lawful consent." When ECPA was enacted in 1986, a House committee report said "consent may be inferred from a course of dealing," and if "those rules are available to users," consent can be implied.

But that was written way back in the early, pre-Internet days of Compuserve and bulletin board systems. More recently, courts have interpreted ECPA more strictly.

The 2003 In Re Pharmatrak decision from the U.S. Court of Appeals for the 1st Circuit offers one useful measuring stick. The court ruled in a case involving Web tracking "that it makes more sense to place the burden of showing consent on the party seeking the benefit of the exception." The judges approvingly cited a second case, which said "consent can only be implied when the surrounding circumstances convincingly show that the party knew about and consented to the interception."

The Federal Trade Commission, too, has taken a relatively strict view of informed consent. In its lawsuit filed against Odysseus Marketing, the FTC argued that it was unlawful for a company not "to adequately disclose" to customers that it was sharing information with third parties. The case ended in a settlement.

Translation: Obtaining "lawful consent" for FBI monitoring means making sure that your customers actually know what's going on and agree. Hiding it in the terms of service doesn't qualify.

But assume that the FBI can persuade Internet providers to include a prominent notice in every monthly bill, or some other mechanism that would be legally sufficient. Another problem is that even if the person who pays the bills consents to monitoring, other people may use the connection--think homes with open wireless connections. ECPA's legal protections follow individual people, not customer accounts.

Rewriting U.S. surveillance laws
Because the FBI would run into serious problems doing wide-scale Internet surveillance under existing state and federal law, step 2 may be necessary. That means rewriting U.S. surveillance law.

Issa said he wants to "craft" legislation that would give the FBI the power to look "for those illegal activities, and then act on those, both defensively and, either yourselves or certainly other agencies, offensively in order to shut down a crime in process." He worried about "national-security secrets and just the common information of private individuals" being at risk. In his response, Mueller said he wants Congress to "give us the ability to pre-empt that illegal activity."

"Looking for" a crime in process on the Internet can take multiple paths. If it's a denial-of-service attack against eBay or Amazon.com originating from Russian servers, it can be detected by measuring the amount of traffic without inspecting the contents each packet. But to detect fraud and "national-security secrets," as well as personal information being transferred, deep packet inspection would be necessary--roughly on a scale of the Great Firewall of China.

Needless to say, detecting "illegal activity" would soon be extended to copyright infringement and peer-to-peer networks. Under the No Electronic Theft Act, swapping music or video files is a federal crime, if the total value of the files exceeds $1,000. If the value tops $2,500, the penalties jump up to not more than five years in prison. And as Jammie Thomas found out last year, allegedly sharing 24 files can lead to $222,000 in civil penalties.

"I think you bump squarely into the Fourth Amendment when you get into the required waiver of constitutional protections to use a service," said Gidari, the attorney at Perkins Coie. "Why don't we extend it to include not criticizing the government? Which right is next? 'You may use our service, as long as you don't disparage Verizon?' Why not that one?...You've still got to have, at the end of the day, a constitutionally supportable legal process to get access to anyone's communications. This cannot be an end run around that."

The problem of how to "shut down a crime in process" and "pre-empt that illegal activity" is more difficult and, perhaps, more worrisome.

Here's what Kurt Opsahl, a senior staff attorney at the Electronic Frontier Foundation in San Francisco, had to say when I asked him to read the transcript of Wednesday's hearing:

It certainly is Mueller's responsibility to explain what it is that he's looking for. But it seems that he's saying, essentially, that the surveillance society is the best society. A society in which the government has complete information about illegal activities and is able to enforce that. Throughout our country's existence, we've lived in a society where the government doesn't have perfect information.

Is (Mueller) suggesting that there's a search capability using filters that would identify an infringing work and fail to deliver a message containing that work? Is that the choke point? If that is the case, how can that be done well? How about fair uses? How will the government tell whether a copyrighted work is sent pursuant to a license? Will it have a centralized database of licenses? How does he propose to have this work, so it only identifies illegal activities and doesn't overly choke?

The FBI has some obligation to explain: what is it going to focus on here? Once you have the technology in place, will it then be used for more and more?

If you thought the tussles over Net neutrality were heated before, imagine a broadband provider throttling certain applications--and being able to blame that throttling capability on law enforcement. At the very least, it would be a wonderful excuse.

Which is why it's a shame, and somewhat troubling, that the FBI has chosen not to say what its director is proposing (and apparently will be working with Congress to write into law).

Odds of FBI-filtering legislation: Zero?
One possible germ for this Internet-monitoring idea lies in Homeland Security's so-called Einstein program, which is designed to monitor Internet mischief and network disruptions aimed at federal agencies. Not much about Einstein is public, but a privacy impact assessment offers some details.

Homeland Security Spokeswoman Laura Keehner said in a telephone interview that the primary focus of Einstein at the moment is protecting federal-government networks. "Obviously, the FBI could clarify or elaborate on what they said," Keehner said. "I do know that (from Homeland Security's perspective) we now first need to get our .gov in order. We need to concentrate on our federal networks...We're also bringing in the private sector to open those lines of discussion and figure out ways that the private sector can better equip themselves to stop any cyberincursions."

Another possibly related effort is the Bush administration's so-called Cyber Initiative. In January, President Bush signed a pair of secret orders--National Security Presidential Directive 54/Homeland Security Presidential Directive 23--that apparently deal with detecting and preventing Internet disruptions. Issa is a member of the House Intelligence Committee, which held a closed-door hearing on Thursday devoted to the Cyber Initiative--and, during the exchange with Mueller a day earlier, he said his monitoring idea was related.

The House Intelligence committee didn't want to talk. But a representative of the House Homeland Security committee chaired by Rep. Bennie Thompson (D-Miss.) sent us three bullet points in an e-mail message:

1. Chance of a legislative initiative that would allow FBI to place filters to identify illegal activity at choke points on the .com space: 0

2. We still have concerns and questions about the initiative, and we continue to do oversight.

3. Legislation is not being considered for any of the new proposals, outside of the budget requests made by the administration.

Point No. 3 seems to relate to the administration's 2009 budget request, which asks Congress for $293.5 million to expand Einstein to the entire federal government.

The Senate Homeland Security and Governmental Affairs Committee, which is headed by Joe Lieberman of Connecticut, also held a classified hearing last month on the administration's Cyber Initiative.

But a committee aide told us, "The idea of filtering for criminal activity has never been discussed with us. Nor has any new statutory authority been discussed. In fact, the administration explicitly said it didn't need any legislation. Furthermore, the idea of monitoring nongovernment domains has never been proposed in briefings the committee has received."

It's true that, at least in the current political climate, legislation of the sort Issa wants to draft isn't likely to slide through Congress unopposed.

Still, it's worth keeping in mind that the FBI has a recent, and not very flattering, history of trying to expand the scope of surveillance methods. Bureau agents used so-called exigent letters to obtain records from telephone companies, claiming that an emergency situation existed.

In reality, there was often no emergency at all. The Justice Department's inspector general found similar abuses of national-security letters. The FBI also tried to bypass the Foreign Intelligence Surveillance Court when it denied requests to obtain records.

Perhaps Mueller can provide a convincing argument for why laws giving the FBI "omnibus search capability utilizing filters that would identify the illegal activity" would be wise. Perhaps not. But when politicians weigh the idea of trusting the FBI with such broad and unprecedented authority, they should consider the abuses that have already taken place with far less powerful tools.

CNET News.com's Anne Broache contributed to this report.

[Uncle B]

holy shiat....thats a whole butt-load of reading material.