In the first part of this series, The Network Architecture of Treason, alert reader philosophicus outlined the network locations and the hardware required for a large scale Internet surveillance system to be set up, and concluded that such a system would present no significant technical challenges. He also immediately drew two logical conclusions that were not obvious when the Times broke the story of Bush’s illegal warrantless wiretapping. First, such a system would require the collusion of the major carriers; this was subsequently borne out by reporting from The Times. Second, monitoring all email is the real goal of the program, not voice. (This has not yet been borne out by traditional reporting; the analysis is here: “The Internet is Bush’s target, not voice”). Monitoring all email is just as treasonous as breaking the law, but for different reasons, as we shall see.
In this part, philosophicus shows how email is sent across the Internet (in “packets,” using “packet switching”), looks at whether email users have any legal grounds for an expectation of privacy (no), and describes the devices that would be needed by the government to inspect your email and decide to investigate you. We conclude by characterizing such devices as weapons of war, and their use against the civilian population of the United States as treason (q.v. The United States Constitution, Article 3, Section 3, “levying war”).
One piece of terminology before we begin: Anything that hangs off the Internet and connects to this flow of packets we call a device. Your computer is a device, your BlackBerry is a device, your hard disk is a storage device, and the weapon the administration has devised to read your mail is a device.
[The indented portions of what follows are from philosophicus; the unindented framing is from Corrente. We solicit your feedback.]
What do you—or rather the flowing electronic bits and bytes of email/chat/VOIP/browsing/media-playing/blogging/Googling that represent you on the Internet—look like to a device? To a device, all of these activities look the same; they are all composed of packets of data that are routed from your origin in the Internet to a destination on the Internet. (For how the routes look, see the previous article.)
Here is the raw packet of a browse request to Corrente as it looks to any device on the Internet. Portions are highlighted to show the correlation between the raw bits and bytes that the devices see, and how they look, to humans, when the numbers that machines process are translated to the characters that humans can understand:
```
00 0c 41 e1 42 58 00 11 5b d5 de f8 08 00 45 00
01 f7 eb 38 40 00 40 06 82 e6 c0 a8 00 03 46 54
c3 e2 a1 21 00 50 80 6c 7c 84 b9 26 4c f5 50 18
16 d0 52 a9 00 00 47 45 54 20 2f 20 48 54 54 50
2f 31 2e 31 0d 0a 48 6f 73 74 3a 20 77 77 77 2e
63 6f 72 72 65 6e 74 65 77 69 72 65 2e 63 6f 6d
0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f
7a 69 6c 6c 61 2f 35 2e 30 20 28 58 31 31 3b 20
55 3b 20 4c 69 6e 75 78 20 78 38 36 5f 36 34 3b
```
With a well known tool called ethereal, we can translate this raw packet into something we can read:
| Ethernet Source Address | Ethernet Destination Address | Internet Source Address | Internet Destination Address | Protocol | Info |
| 00:11:5b:d5:de:f8 | 00:0c:41:e1:42:58 | 192.168.0.3 | 70.84.195.226 | HTTP | GET / HTTP/1.1 |
This is the header of the packet, which contains the addresses of my computer (192.168.0.3) and the computer where Corrente’s web page resides (70.84.195.226). The rest of the packet, which contains the content of my message, is called the payload. Think of the header as a series of nested envelopes, with my message (GET HTTP: www.correntewire.com) to another computer in the innermost envelope. Each of the envelopes is addressed for the particular route that the packet takes. Notice that anyone can open the envelope and read what’s inside.
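The envelope-peeling just described, run on the raw packet printed above. This is an added example, not code from the original post: the hex is copied from the dump above, and the field offsets are the standard Ethernet II, IPv4 and TCP header layouts, so any device on the path can do exactly this.

```python
import struct

# The raw packet from the dump above (a truncated capture: the IP total
# length field says 503 bytes, but only the first 144 bytes were printed,
# so the HTTP payload is cut off in the middle of the User-Agent header).
RAW_HEX = (
    "00 0c 41 e1 42 58 00 11 5b d5 de f8 08 00 45 00 "
    "01 f7 eb 38 40 00 40 06 82 e6 c0 a8 00 03 46 54 "
    "c3 e2 a1 21 00 50 80 6c 7c 84 b9 26 4c f5 50 18 "
    "16 d0 52 a9 00 00 47 45 54 20 2f 20 48 54 54 50 "
    "2f 31 2e 31 0d 0a 48 6f 73 74 3a 20 77 77 77 2e "
    "63 6f 72 72 65 6e 74 65 77 69 72 65 2e 63 6f 6d "
    "0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f "
    "7a 69 6c 6c 61 2f 35 2e 30 20 28 58 31 31 3b 20 "
    "55 3b 20 4c 69 6e 75 78 20 78 38 36 5f 36 34 3b"
)
RAW = bytes.fromhex(RAW_HEX)


def mac(b):
    return ":".join(f"{x:02x}" for x in b)


def ipv4(b):
    return ".".join(str(x) for x in b)


def peel_envelopes(frame):
    """Open the nested envelopes of an Ethernet / IPv4 / TCP frame.

    Returns the addressing a pen/trap-style monitor would log, plus the
    cleartext payload that the very same device can read if it chooses to.
    """
    # Outer envelope: Ethernet II header, 14 bytes. The destination MAC is
    # first on the wire, which is why it precedes the source in the dump.
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:
        raise ValueError(f"not IPv4: EtherType 0x{ethertype:04x}")
    # Middle envelope: IPv4 header. Low nibble of byte 0 is the header
    # length in 32-bit words; byte 9 is the protocol (6 = TCP).
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    (total_len,) = struct.unpack("!H", ip[2:4])
    if ip[9] != 6:
        raise ValueError(f"not TCP: protocol {ip[9]}")
    # Inner envelope: TCP header. Data offset is the high nibble of byte 12;
    # everything after it is the payload, here an HTTP request in clear.
    tcp = ip[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    payload = tcp[(tcp[12] >> 4) * 4:]
    return {
        "eth_src": mac(eth_src), "eth_dst": mac(eth_dst),
        "ip_src": ipv4(ip[12:16]), "ip_dst": ipv4(ip[16:20]),
        "ttl": ip[8], "sport": sport, "dport": dport,
        "protocol": "HTTP" if 80 in (sport, dport) else f"TCP/{dport}",
        "info": payload.split(b"\r\n", 1)[0].decode("ascii", "replace"),
        "payload": payload.decode("ascii", "replace"),
        "truncated": 14 + total_len > len(frame),
    }


if __name__ == "__main__":
    for key, value in peel_envelopes(RAW).items():
        print(f"{key:>9}: {value!r}")
```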
If we look deeper into the payload below, we can even find information about the computer that made the request, e.g. the request came via the FireFox browser running on the SUSE Linux [Yes!—Lambert] Operating System on a 64-bit processor.
```
GET / HTTP/1.1
Host: www.correntewire.com\r\n
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.8) Gecko/20051128 SUSE/1.5-0.1 Firefox/1.5\r\n
```

What does the packet look like for an email? Here is a test email sent to a test address on the mail system at Corrente. The header remains the same but the payload is a bit different.
```
Simple Mail Transfer Protocol
    Message: Message-ID: <43AFC436.4070902@philo.net>\r\n
    Message: Date: Mon, 26 Dec 2005 05:21:42 -0500\r\n
    Message: From: philosophicus <philosophicus@philo.net>\r\n
    Message: User-Agent: Mozilla Thunderbird 1.0.6 (X11/20050715)\r\n
    Message: X-Accept-Language: en-us, en\r\n
    Message: MIME-Version: 1.0\r\n
    Message: To: postman@correntewire.com\r\n
    Message: Subject: Test\r\n
    Message: Content-Type: text/plain; charset=ISO-8859-1; format=flowed\r\n
    Message: Content-Transfer-Encoding: 7bit\r\n
    Message: \r\n
    Message: This is an email test.\r\n
    Message: \r\n
    Message: .\r\n
```

Here you can see, in clear, the sender, recipient, subject, and body of the message. So can anybody else that happens to stumble upon this packet. They can read the payload (“This is an email test”) and know who sent it, to whom, and how.
Now, this is just one packet out of hundreds that make up any given browsing transaction or email message. Each of these packets would carry the same addressing information in the header, but only fragments of the entire email—or chat, or VOIP, or whatever—in the payload. Why? When an email is sent, the payload is disassembled into individual packets, each with the same address information in the header. Using the header information, each individual packet can find its way to its destination by a different route. (This is the key to the original design of the Internet and its protocols: survivability. Unlike an analog voice call, if the connection is disconnected or degraded, the conversation does not end. The packets just seek another route to their destination.) At the destination, all those disparate packets are reassembled into a coherent message. They can also be reassembled by anybody watching those packets.
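Reassembly as the paragraph above describes it, as an added example that is not part of the original post: the test message shown earlier is cut into TCP-style segments (the sequence numbers and segment size are constructed), delivered out of order with one duplicate, and put back together by nothing more than ordering on sequence numbers. The observer ends up with the same From, To, Subject and body the recipient gets.

```python
import random

# The test message from the dump above, as the bytes of an SMTP DATA
# stream (reconstructed for this example; "." on a line by itself ends DATA).
MESSAGE = (
    b"Message-ID: <43AFC436.4070902@philo.net>\r\n"
    b"Date: Mon, 26 Dec 2005 05:21:42 -0500\r\n"
    b"From: philosophicus <philosophicus@philo.net>\r\n"
    b"To: postman@correntewire.com\r\n"
    b"Subject: Test\r\n"
    b"MIME-Version: 1.0\r\n"
    b"Content-Type: text/plain; charset=ISO-8859-1; format=flowed\r\n"
    b"\r\n"
    b"This is an email test.\r\n"
    b".\r\n"
)


def segment(stream, isn, mss):
    """Cut a byte stream into (sequence number, data) segments, as TCP does.
    Constructed sizes: on a real path the segment size follows the MTU."""
    return [(isn + off, stream[off:off + mss]) for off in range(0, len(stream), mss)]


def reassemble(segments, isn):
    """The observer's job: order by sequence number, discard retransmitted
    bytes, and refuse to guess if a segment was never seen (a gap)."""
    out = bytearray()
    expected = isn
    for seq, data in sorted(set(segments), key=lambda s: s[0]):
        if seq > expected:
            raise ValueError(f"gap: bytes {expected}-{seq - 1} not captured")
        out += data[expected - seq:]          # skip bytes already received
        expected = max(expected, seq + len(data))
    return bytes(out)


def parse_message(data):
    """Split the rebuilt DATA stream into header fields and body text."""
    headers, _, body = data.partition(b"\r\n\r\n")
    fields = {}
    for line in headers.split(b"\r\n"):
        name, _, value = line.partition(b": ")
        fields[name.decode("latin-1")] = value.decode("latin-1")
    if body.endswith(b"\r\n.\r\n"):          # drop the SMTP end-of-data marker
        body = body[:-3]
    return {"headers": fields, "body": body.decode("latin-1").strip()}


def observe(isn=1000, mss=40, seed=1):
    """Segments arrive shuffled, one is retransmitted; the message is
    rebuilt and read anyway. isn, mss and seed are constructed values."""
    segs = segment(MESSAGE, isn, mss)
    random.Random(seed).shuffle(segs)
    segs.append(segs[0])                      # a duplicate, as a retransmission looks
    return parse_message(reassemble(segs, isn))


if __name__ == "__main__":
    seen = observe()
    print(seen["headers"]["From"], "->", seen["headers"]["To"])
    print(seen["headers"]["Subject"], ":", seen["body"])
```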
Now we know how email is transmitted over the Internet, and how easily anyone can read it. But the administration keeps saying, “foreign,” not domestic. (Though they’ve captured purely domestic calls.) Does this distinction have any meaning for email? Let’s see why it doesn’t.
If even a single packet is routed through an international server, is the entire email considered foreign and thus subject to inspection under the rules of engagement as the administration has described them? The law on this is not yet settled, and it would be highly unfortunate if such as Scalito were to settle it, but we can be confident that here, as with torture, we will eventually discover that when Bush says “legal,” he means semi-plausibly justified by a cherrypicked, secret memo from an eager-to-please, ambitious, and amoral administration lawyer with very little real-world experience. (Take a bow, John Yoo.)

The Internet is an interconnected mesh of high speed links as in this diagram.
If my email packet has to get from router A to router E it could be routed directly or it could travel through routers B, C, and/or D.
Routes on the Internet pay no attention to geopolitical boundaries. The route is derived only from the standpoint of efficiency. It is entirely possible that a number of the email packets from my computer in Georgia (A) may find a more efficient path to Corrente (E) via Canada (C) or Bermuda (D), i.e. they may traverse an international route on the way to a local destination. (Do you know where your email server actually resides?)
In other words, Yes. Since it’s semi-plausible that an email with a single internationally routed packet could be “foreign,” and that’s the broadest interpretation, that’s the interpretation the Bush administration will make.
So now we have a number of these packets, jumbled together in a public medium owned by private companies, sometimes traveling together, sometimes not, yet all traveling through switches and routers owned and operated by a very small number of corporate entities, the carriers, who are highly regulated and beholden to the administration for their monopolies, protection for their intellectual property rights, union busting, and much else.
And let’s say we’re the administration, and we’ve built an Internet surveillance network. We have placed our monitoring devices at certain “target rich environments” on the Internet: the major switches and routers controlled by the carriers, the twenty or so hubs through which most of the world’s packets flow, most of which are located on U.S. territory. We have software, let’s say a package very similar to Snort, that can monitor and inspect these packets at around 2Gb/sec. Indeed, as we have seen, many carriers already have such monitors in place and sell monitoring services to their customers (AT&T monitors). (Such tools are generally used to defend against a network attack based on patterns or signatures in the data.)
We have our “device” up and running, monitoring and inspecting as many packets as we like. Is this legal? (Here we’re not talking about the warrantless surveillance of voice communications. That’s definitely illegal under FISA, according to the non-partisan Congressional Research Service, and even Bush’s apologists admit it’s illegal. Rather, we’re talking about monitoring and inspecting data, packets, not voice.)
Let’s begin by reviewing the verbiage used by the administration:
The monitors we describe are not “wiretaps” and are classified by law as “pen/trap” devices. Wiretaps and pen traps are different technologies, and each is governed by a different body of law.
“Wiretaps” are used to intercept and record real-time “aural” communication. They are covered by Title III, 18 USC 2510 et seq. Because they intercept and record the actual contents of the “aural” communication, and because we have an “expectation of privacy” under the 4th Amendment, law enforcement must present probable cause for that wiretap.
“Pen registers” and/or “trap and trace” devices are a different animal, though their ancestry is also from the analog world. A “pen register,” at least in an analog world, does not record the content of an “aural” conversation. It was originally defined as a device that “records or decodes electronic or other impulses which identify the numbers dialed or otherwise transmitted on the telephone line to which such device is.” Since IP addresses in the digital world serve roughly the same purpose as phone numbers in the analog world, our legal system has classified Internet monitoring devices as “pen/trap” devices. The burden on law enforcement for getting approval of a “pen/trap” device is minimal compared to “wiretaps” because the “expectation of privacy” derived from the original analog devices is non-existent.
From the Center for Democracy and Technology
On the other hand, the Supreme Court has held that there is no constitutionally-protected privacy interest in the numbers one dials to initiate a telephone call. Smith v. Maryland, 442 U.S. 735, 742 (1979). Accordingly, the pen register and trap and trace provisions in 18 USC 3121 et seq. establish minimum standards for court-approved law enforcement access to the “electronic or other impulses” that identify “the numbers dialed” for outgoing calls and “the originating number” for incoming calls. 18 USC 3127(3)-(4). To obtain such an order, the government need merely certify that “the information likely to be obtained is relevant to an ongoing criminal investigation.” 18 USC 3122-23. (There is no constitutional or statutory threshold for opening a criminal investigation.)
Thus, in law the packet headers would be like dialled phone numbers; they are electronic impulses that connect two or more parties. And, legally, the government can monitor the headers whenever it wants. What about the payload?
The legal boundaries of how deep law enforcement can look into these packets, i.e. how many envelopes to open, have never been fully qualified. In short, our Internet communications are completely public. Those little disclaimers you put at the bottom of your corporate email saying things like: “the information contained in the email is legally protected from disclosure, etc.” are useless, even laughable.
So, both email header and email payload (unlike voice!) are open to administration surveillance. Returning to technical matters, these monitoring devices, equipped with their software, will now detect patterns within the packets.
Those patterns may be word patterns, usage patterns, directional patterns, any type of rule you can write. Once recognized, those patterns can trigger actions such as: start capturing the whole message transaction, log the pertinent data into searchable storage, determine the other destinations of this computer’s previous messages, determine which of those other past destinations are transacting now, add this recipient to this sender’s social network, add this phrase to the lexicon of proscribed phrases, etc.
For example, we might have our device look into email payloads. If the device detects an email packet, we’ll see if it’s bound for an international route. If so, we’ll look deeper and see if text of interest—“Bin Laden” or, if you’re the FBI, “vegan” or an animal rights activist—appears in the payload of the packet. Suppose “Bin Laden”, “kidney dialysis”, and “Musharraf” all appear in the same payload. We might flag that payload, decide to log the source and destination addresses, and tell all our other monitors to be on the lookout and start capturing all traffic from the source or the destination. We categorize the content of that traffic and “mine” that data for additional names. Now we can start building a social network (“I’m sure government agencies do that”) of relationships between these names which will, in turn, allow us to expand our search to the new names, and develop additional criteria for refining our patterns. The variables and permutations are numerous but well understood and fill entire books of theory.
In other words, the consistent use of “wiretap” by the administration (picked up by the press, as in this WaPo story) is obfuscatory; it conceals both the technical and legal points at issue, because voice and data communications are governed by different bodies of law. Not that the traditional media is helping to clarify matters. Close reading of the coverage of Bush’s warrantless surveillance program shows that surveillance is constantly, and carefully, described as both voice and email; yet all the stories discuss legality and impact in terms of voice only, ignoring email. It’s such curious and consistent behavior it has to be editorially driven. But why? What is the traditional press afraid of?
To the bottom line: It’s both court-legal and John Yoo-legal for the administration to monitor all email, whether domestic or foreign. They have the technical capability to do so. And if they have set up a sort of Friendster for their enemies—call it Foe-ster—the mathematics of social networking are such that the number of those monitored would grow exponentially. If Osama has 100 friends, and each of his friends has 100 friends, and each of those has 100, that’s 100 * 100 * 100, or 1,000,000. One more round—remember “six degrees of separation”?—is, well, almost the number of Bush foes in the last “election.”
Will such a system of email surveillance system work? (Leaving aside, for now, the question of what we mean by “work.” Perhaps, to a Republican, “work” means raking in billions of tax dollars without delivering, and destroying the Constitution into the bargain. I mean, what’s not to like?) The pessimist might say, “All too well.” The realist might say “Not at all.”
The pessimist: Of course, I’m sure the administration wouldn’t, couldn’t monitor so many people. And I’m sure they throw all the email away once they’re done with it. I mean, it’s not like all the email you’ve ever written in your life would go on your permanent record, right? Right? (Isn’t it pretty to think so. See WaPo at “shall retain all records.”) Those who think that government just can’t monitor everybody would be well advised to look at the history of the East German Stasi, who actually did monitor everybody, and without any help from computers, the Inoffizielle Mitarbeiter of the modern day.
The realist: Just like neocon fantasies of missile defense or global empire, this shit really doesn’t accomplish the task of protecting us. Oh yeah, the mechanics work. We can take Baghdad in 30 days, we can shoot shiny pebbles in the sky, we can do neat things with Internet traffic analysis, but these ideas never get much better than their display in PowerPoint presentations. However, they are very seductive. Does this weapon work against terrorism? What metrics of success are applied? What are the chances that it actually has “saved thousands of lives” as one of its sponsors has said? Don’t bet on it. The efficacy of these mechanisms in a defensive role has proven to be iffy at best, especially at prevention, and they are very easy to evade. At most, this apparatus was the source of all those terrorist alerts because of a “heightened amount of chatter”, i.e. more patterns being matched.
The surveillance device that we’ve been discussing here is a weapon of war, and its use to monitor email is a tactic of war. This is just common sense. Information warfare has been a part of war since the days of Sun Tzu (“knowledge of the enemy’s dispositions can only be obtained from other men.”) World War II was fought on the battlefields of information warfare when the British broke the German Enigma code, and the Americans the Japanese equivalent, Purple. To this day, cryptographic systems are classified legally as munitions, devices of war. And the administration takes the common sense position. From the DOJ’s letter to Congress, purportedly justifying Bush’s illegal warrantless surveillance system:
Communications intelligence targeted at the enemy is a fundamental incident of the use of military force.
Because communications intelligence activities constitute, to use the language of Hamdi, a fundamental incident of waging war, the AUMF clearly and unmistakably authorizes such activities directed against the communications of our enemy.
But who is “our enemy” to this administration? Certainly journalists and their source, because they’ve told us so. What about the Kerry campaign? What about members of the opposition party? How about participants in the WHIG disinformation campaign? What about activists in areas where Bush campaign and Social Security rallies were held? (For example, the Denver three were supposedly kicked out of a Bush rally by a Bush operative because they had a “No blood for oil” bumper sticker on their car. And indeed they did. But the story that they were kicked out because of the bumper sticker comes from the Secret Service. Should we trust them? Why? What about the other “eerily similar” events in Arizona and North Dakota? Bumper stickers there, too? And why is Bush fighting so hard to conceal his sources and methods on this one? Why not just sacrifice the “overzealous volunteer” and move on?) What about fishing expeditions against ordinary Democrats, now that the IRS is keeping records of political affiliations?
So, what “enemy” email are they reading? It is—in the words of Reagan hagiographer Peggy Noonan—irresponsible not to speculate. My answer is: A conservative estimate is that they’re reading all email inside the Beltway. After all, everyone inside the Beltway is either a known enemy or a potential one. (Cf. “Asking the unasked question about Bush’s illegal domestic spying.”) This would account for the curious tendency of many players in this drama to consign important information only to paper. Examples include: Jay Rockefeller’s handwritten letter to Cheney, Judy Miller’s notebooks, and Scooter Libby’s three-ring binders. It’s as if all the players assumed that anything electronic would be read. In addition, assuming for a moment that the administration regards the entire Democratic apparatus as an enemy, wiring the entire Beltway would seriously disrupt the “enemy’s” command and control systems.
If this hypothesis is true—and remember, all the stories say “and email” whenever they mention surveillance—that would mean that the administration has turned devices that history, the law, and they themselves consider weapons of war against members of the press, members of Congress, and many citizens.
That means that this massive email surveillance program is “levying war” against the United States. What else is informational warfare but war?
And that, friends, is what the Constitution defines as treason.
As we’ve said: the use of this device, this weapon of war is perfectly legal. “Foreign” or “domestic,” it makes no difference. The administration has the power, and the ability, to read and analyze all the email of its enemies.
Next: Civil Disobedience in the Digital Marketplace.