By Declan McCullagh, CNET News.com
The FBI appears to have adopted an invasive Internet surveillance technique that collects far more data on innocent Americans than previously has been disclosed.
Instead of recording only what a particular suspect is doing, agents conducting investigations appear to be assembling the activities of thousands of Internet users at a time into massive databases, according to current and former officials. That database can subsequently be queried for names, e-mail addresses or keywords.
Such a technique is broader and potentially more intrusive than the FBIâ€™s Carnivore surveillance system, later renamed DCS1000. It raises concerns similar to those stirred by widespread Internet monitoring that the National Security Agency is said to have done, according to documents that have surfaced in one federal lawsuit, and may stretch the bounds of whatâ€™s legally permissible.
Call it the vacuum-cleaner approach. Itâ€™s employed when police have obtained a court order and an Internet service provider canâ€™t â€œisolate the particular person or IP addressâ€ because of technical constraints, says Paul Ohm, a former trial attorney at the Justice Departmentâ€™s Computer Crime and Intellectual Property Section. (An Internet Protocol address is a series of digits that can identify an individual computer.)
That kind of full-pipe surveillance can record all Internet traffic, including Web browsing–or, optionally, only certain subsets such as all e-mail messages flowing through the network. Interception typically takes place inside an Internet providerâ€™s network at the junction point of a router or network switch.
The technique came to light at the Search & Seizure in the Digital Age symposium held at Stanford Universityâ€™s law school on Friday. Ohm, who is now a law professor at the University of Colorado at Boulder, and Richard Downing, a CCIPS assistant deputy chief, discussed it during the symposium.
In a telephone conversation afterward, Ohm said that full-pipe recording has become federal agentsâ€™ default method for Internet surveillance. â€œYou collect wherever you can on the (network) segment,â€ he said. â€œIf it happens to be the segment that has a lot of IP addresses, you donâ€™t throw away the other IP addresses. You do that after the fact.â€
â€œYou intercept first and you use whatever filtering, data mining to get at the information about the person youâ€™re trying to monitor,â€ he added.
On Monday, a Justice Department representative would not immediately answer questions about this kind of surveillance technique. (Late Tuesday, the Justice Department responded with a statement taking issue with this description of the FBIâ€™s surveillance practices.)
â€œWhat theyâ€™re doing is even worse than Carnivore,â€ said Kevin Bankston, a staff attorney at the Electronic Frontier Foundation who attended the Stanford event. â€œWhat theyâ€™re doing is intercepting everyone and then choosing their targets.â€
When the FBI announced two years ago it had abandoned Carnivore, news reports said that the bureau would increasingly rely on Internet providers to conduct the surveillance and reimburse them for costs. While Carnivore was the subject of congressional scrutiny and outside audits, the FBIâ€™s current Internet eavesdropping techniques have received little attention.
Carnivore apparently did not perform full-pipe recording. A technical report (PDF: â€œIndependent Technical Review of the Carnivore Systemâ€) from December 2000 prepared for the Justice Department said that Carnivore â€œaccumulates no data other than that which passes its filtersâ€ and that it saves packets â€œfor later analysis only after they are positively linked by the filter settings to a target.â€