The judge in the EFF's surveillance case against AT&T handed out a last-minute homework assignment Tuesday -- a list of 11 written questions (.pdf) that attorneys on all three sides of the case "should be prepared to address" by Friday morning's oral arguments.

This is very suprising, IMHO!

27B Stroke 6 - Judge in AT&T v. EFF case looks critically at State Secrets claim

AT&T has issued an updated privacy policy that takes effect Friday. The changes are significant because they appear to give the telecom giant more latitude when it comes to sharing customers' personal data with government officials.

AT&T rewrites rules: Your data isn't yours

noteworthy wrote:

By: Steven Bellovin, Columbia University; Matt Blaze, University of Pennsylvania; Ernest Brickell, Intel Corporation; Clinton Brooks, NSA (retired); Vinton Cerf, Google; Whitfield Diffie, Sun Microsystems; Susan Landau, Sun Microsystems; Jon Peterson, NeuStar; John Treichler, Applied Signal Technology

June 13, 2006

For many people, Voice over Internet Protocol (VoIP) looks like a nimble way of using a computer to make phone calls. Download the software, pick an identifier and then wherever there is an Internet connection, you can make a phone call. From this perspective, it makes perfect sense that anything that can be done with the telephone system -- such as E9111 and the graceful accommodation of wiretapping -- should be able to be done readily with VoIP as well.

Thanks for posting this. I've been doing a lot of VoIP work @ work and this is both certainly relevent and not something I've seen elsewhere. Having skimmed it, let me make two observations:

1. My interpretation of the FCC's limit of CALEA to "interconnected" and "broadband" VoIP is to say that CALEA compliance is only required if the VoIP provider is interconnected with the PSTN (which eliminiates the problems described in this paper) or the VoIP provider is also providing their customers with physical internet access (which also eliminates the problems described in this paper). My understanding is that the FBI knows tapping p2p VoIP is hard and they can't easily require it.

2. The reality that Internet CALEA compliance is hard isn't stopping people from trying. And, yes, I think that a single snmp message that configures a tap with nothing more then password protection is insanely insecure. With a designated physical tap network, with carefully crafted packet filters, this could be done, but how many times are people going to get that wrong? A lot...

Its worth noting that temporarily, these Cisco routers can't tap IPv6.

RE: Security Implications of Applying the Communications Assistance to Law Enforcement Act to Voice over IP

The story about phone number stations posted to Craigslist has been mentioned here before. This is one of those interesting little mysteries. The hearsay only adds to it..

People have suggested that the messages are pranks, or are some sort of commercial gimmick. But at least one person, who is in the U.S. military, says he sent a copy of one of the messages up the chain of command and was promptly notified that it was classified and he wasn’t cleared to know anything further about it. I don’t know whether this is standard operating procedure for any encrypted message or whether it indicates that there’s something to be found.

Third phone numbers station: 678-248-2352 - Homeland Stupidity

New Scientist has discovered that Pentagon's National Security Agency, which specialises in eavesdropping and code-breaking, is funding research into the mass harvesting of the information that people post about themselves on social networks.

I wonder what their MySpace account is. I wonder if they want to be my friend...

New Scientist Technology - Pentagon sets its sights on social networking websites

There is "a need to double surveillance and investigative capability" domestically, the report said, so that authorities can "find ways of broadening coverage to pick up currently unknown terrorist activity or plots."

"Surveillance is absolutely crucial,"

"You can't not do it,"

Lessons From Canada: Snooping Works

In a 2-1 decision, the U.S. Circuit Court for the District of Columbia found that cable modem providers and other companies are subject to the Communications Assistance for Law Enforcement Act, or CALEA, the 1997 law that requires phone companies to put law enforcement backdoors in their switching networks.

This is total bullshit. The deal that was cut in '94 was very clearly that the Internet was not covered by CALEA. The purpose of the deal was to require a political reconsideration of this at a later date.

"When I use a word," Humpty Dumpty said, in rather a scornful tone, "it means just what I choose it to mean -- neither more nor less."

27B Stroke 6 - CALEA extended to the Internet

finethen wrote:

The Justice Department is asking Internet companies to keep records on the Web-surfing activities of their customers to aid law enforcement, and may propose legislation to force them to do so.

I'm not sure why this would be so useful for them. It sounds like an expensive and complicated way to gather information regarding only a small percentage of crimes. Anyone care to explain?

This is the noxious fog of your worst orwellian nightmares being slowly, ever so slowly, pumped into the country in hopes you won't notice the gradual change in air quality.

In general, this information isn't expensive to retain. Its already collected by ISPs. The computers they have automatically log this information for troubleshooting, security, and billing purposes. Its just that the ISPs usually throw that information away when they don't need it anymore. The Government is asking them to keep it for a long time. (Its worth noting that the reason Google is viewed with suspicion by privacy advocates is because they already retain all of this sort of data forever.)

All kinds of information is involved. ISPs can see who you've emailed, who has emailed you, what websites you've visited or other computers you've accessed, what IP address you've been using, and what times you were online. All of this is kept automatically. Websites (like this one) know which pages have been viewed from particular IP addresses at particular times. The feds have talked about forcing us to retain data too. If you combined the information from a website with the information from the ISP's logs, you could determine who viewed particular pages on a website or who wrote particular posts.

Due to the (tortured, IMHO) reasoning of Smith V. Maryland this kind of information has no Fourth Amendment protection, although some limited statutory protection exists.

The given example of kiddy porn is simply raised here because its one of those issues wherein almost no one is willing to oppose the government lest they be accused of defending kiddy porn. Its a straw man that is used to prevent debate. This kind of information can come in handy in all kinds of civil and criminal cases. The government might want to know who was using an IP address at a particular time if a computer breakin occured from there, RICO or anti-terror prosecutors might want to know who you've been emailing, your spouse might also want to know that in the event you are getting divorced, even a murder trial might be impacted by evidence that you were online during a particular time period. In the past information about internet search terms has been used to butress a case against an accused murderer.

Basically, these computer logs tell me a heck of a lot about what you think about, who you interact with, and what your lifestyle is like. So much information is there that I don't really need the content of your emails if I want to build a case against you, and with no messy Fourth Amendment to worry about, we don't have to trifle with judicial oversight!

Ever do something illegal with your computer? Ever use the Internet for any purpose that you wouldn't want other people to know about? The Internet is Forever.

RE: U.S. Wants Companies to Keep Web Usage Records - New York Times

They'd gathered for the ISS World Conference, a trade show featuring the latest in mass communications intercept gear, held in the Washington, D.C., suburb of Crystal City, Virginia.

More surveillance journalism. Catch it before something else becomes popular.

Wired News: Crashing the Wiretapper's Ball

Apparently some guy at AT&T made the classic mistake of thinking that blacking text out in a PDF actually removes that text from the actual file. Apparently the information they're trying to hide is, in fact, exactly what I've been saying on this blog since information started to come out about this case:

"Although the plaintiffs ominously refer to the equipment as the 'Surveillance Configuration,' the same physical equipment could be utilized exclusively for other surveillance in full compliance with" the Foreign Intelligence Surveillance Act.

The only thing thats troubling is, typically, if you're accused of something you didn't do, you usually say "I wasn't doing that, I was doing this" rather then saying "The information you have indicates that I might have done that, but its also possible based on the same information that I might have been doing this, that, or the other thing... You can't prove that I was doing exactly that." For example, the redacted text also claims that this might have been an IDS system. It most certainly wasn't. They kind of sound guilty. If they just said "its for CALEA" that would be the end of the discussion, probably. CALEA is not a state secret.

AT&T leaks sensitive info in NSA suit | CNET News.com