Treasonous Devices: Weapons of Mass Surveillance
In the first part of this series, Network Architecture of Treason, alert reader philosophicus outlined the network locations and the hardware required to set up a large-scale Internet surveillance system, and concluded that such a system would present no significant technical challenges. He also drew two conclusions that were not obvious when the Times broke the story of Bush's illegal warrantless wiretapping (http://www.opencrs.com/document/M20060105). First, such a system would require the collusion of the major carriers; this was subsequently borne out by reporting from The Times (http://www.heraldtribune.com/apps/pbcs.dll/article?AID=/20051225/ZNYT02/512251019). Second, monitoring all email, not voice, is the real goal of the program. (This has not yet been borne out by traditional reporting; the analysis is in "The Internet is Bush's target, not voice", http://www.correntewire.com/the_network_architecture_of_treason.) Monitoring all email is just as treasonous as breaking the law, but for different reasons, as we shall see.
In this part, philosophicus shows how email is sent across the Internet (in "packets," using "packet switching"), looks at whether email users have any legal grounds for an expectation of privacy (no), and describes the devices the government would need to inspect your email and decide to investigate you. We conclude by characterizing such devices as weapons of war, and their use against the civilian population of the United States as treason (q.v. The United States Constitution, Article 3, Section 3, "levying War against them"; http://caselaw.lp.findlaw.com/data/constitution/articles.html).
One piece of terminology before we begin: Anything that hangs
off the Internet and connects to this flow of packets we call a device.
Your computer is a device, your BlackBerry is a device, your hard disk
is a storage device, and the weapon the administration has devised to
read your mail is a device.
What do you, or rather the flowing electronic bits and bytes of email/chat/VOIP/browsing/media-playing/blogging/Googling that represent you on the Internet, look like to a device? To a device, all of these activities look the same; they are all composed of packets of data that are routed from your origin on the Internet to a destination on the Internet. (We look at how the routes themselves look further on.) Here is the raw packet of a browse request to Corrente (http://www.correntewire.com) as it looks to any device on the Internet. In the original, portions were highlighted to show the correlation between the raw bits and bytes that the devices see and how they look to humans once the numbers that machines process are translated into characters; the fields are identified beneath the dump:
    00 0c 41 e1 42 58 00 11 5b d5 de f8 08 00 45 00
    01 f7 eb 38 40 00 40 06 82 e6 c0 a8 00 03 46 c3
    e2 a1 21 00 50 80 6c 7c 84 b9 26 4c f5 50 18 16
    d0 52 a9 00 00 47 45 54 20 2f 20 48 54 54 50 2f
    31 2e 31 0d 0a 48 6f 73 74 3a 20 77 77 77 2e 63
    6f 72 72 65 6e 74 65 77 69 72 65 2e 63 6f 6d 0d
    0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a
    69 6c 6c 61 2f 35 2e 30 20 28 58 31 31 3b 20 55
    3b 20 4c 69 6e 75 78 20 78 38 36 5f 36 34 3b

Reading the fields: 00 0c 41 e1 42 58 is the destination hardware (MAC) address and 00 11 5b d5 de f8 the source hardware address; 08 00 says the frame carries IPv4. 45 00 01 f7 ... 82 e6 is the IP header (version 4, 503 bytes in total, TTL 64, protocol 6 = TCP); c0 a8 00 03 is the source address 192.168.0.3 and 46 c3 e2 a1 the destination address, 70.195.226.161. Next comes the TCP header, ending in 50 18 16 d0 52 a9 00 00 (destination port 00 50 = 80, the web server; flags PSH and ACK). As reproduced here the source-port field is one byte short, so the TCP header runs to 19 bytes instead of 20. From 47 45 54 20 onwards is the payload: "GET / HTTP/1.1", "Host: www.correntewire.com", "User-Agent: Mozilla/5.0 (X11; U; Linux x86_64;" and so on.
The first part of the packet is the header, which contains the addresses of my computer (192.168.0.3) and of the computer where Corrente's web page resides (the bytes 46 c3 e2 a1, that is, 70.195.226.161). The rest of the packet, which contains the content of my message, is called the payload. Think of the packet as a series of nested envelopes: the outermost is addressed to the next machine on the wire, the next to the destination computer, the next to the particular program on that computer (port 80, the web server), and my message to that computer (GET / HTTP/1.1 ...) sits in the inside-most envelope. Each envelope is addressed for the particular hop that the packet takes. Notice that anyone along the path can open every envelope and read what's inside. (That is so because this request, like the email below, is sent in the clear. An encrypted session such as HTTPS, or PGP/S-MIME applied to the message itself, leaves the addressing envelopes readable but scrambles the innermost one.)
If we look deeper into the payload, we can even find information about the computer that made the request, e.g. that the request came via the Firefox browser running on the SUSE Linux [Yes!—Lambert] operating system on a 64-bit processor:

    GET / HTTP/1.1\r\n
    Host: www.correntewire.com\r\n
    User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.8) Gecko/20051128 SUSE/1.5-0.1 Firefox/1.5\r\n
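As an added example (written for this edit, not part of the original post), here is a small Python dissector that opens the three envelopes of the frame shown above and pulls out exactly what the text describes: the hardware addresses, the IP addresses, the port, and the request inside. The bytes are the ones reproduced above; because the excerpt is one byte short in the TCP source port, the script fills that byte with an assumed value (labelled as such in the code), so the source port it reports is not from the capture.

```python
"""Dissect the Ethernet/IPv4/TCP frame shown above, envelope by envelope."""
import struct
from dataclasses import dataclass

# Constructed sample: the bytes of the browse request reproduced above. The
# excerpt on the page is one byte short in the TCP source-port field, so the
# byte marked ASSUMED is filler chosen for this example, not from the capture.
ASSUMED_SRC_PORT_HIGH = "80"
FRAME_HEX = (
    "00 0c 41 e1 42 58 00 11 5b d5 de f8 08 00"         # Ethernet: dst MAC, src MAC, type IPv4
    " 45 00 01 f7 eb 38 40 00 40 06 82 e6"               # IPv4 header up to the checksum
    " c0 a8 00 03 46 c3 e2 a1"                           # IPv4 source and destination
    f" {ASSUMED_SRC_PORT_HIGH} 21 00 50"                 # TCP ports (source ASSUMED, destination 80)
    " 80 6c 7c 84 b9 26 4c f5 50 18 16 d0 52 a9 00 00"   # seq, ack, offset/flags, window, csum, urg
    " 47 45 54 20 2f 20 48 54 54 50 2f 31 2e 31 0d 0a"   # "GET / HTTP/1.1\r\n"
    " 48 6f 73 74 3a 20 77 77 77 2e 63 6f 72 72 65 6e"
    " 74 65 77 69 72 65 2e 63 6f 6d 0d 0a"               # "Host: www.correntewire.com\r\n"
    " 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69"
    " 6c 6c 61 2f 35 2e 30 20 28 58 31 31 3b 20 55 3b"
    " 20 4c 69 6e 75 78 20 78 38 36 5f 36 34 3b"         # "User-Agent: Mozilla/5.0 (X11; U; Linux x86_64;"
)

TCP_FLAG_NAMES = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH", 0x10: "ACK", 0x20: "URG"}


@dataclass
class Packet:
    dst_mac: str
    src_mac: str
    src_ip: str
    dst_ip: str
    ttl: int
    src_port: int
    dst_port: int
    seq: int
    flags: list
    payload: bytes


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def _ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def parse_frame(raw: bytes) -> Packet:
    """Open the three envelopes: Ethernet (next hop), IPv4 (host), TCP (program)."""
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", raw[:14])
    if ethertype != 0x0800:
        raise ValueError(f"not IPv4: ethertype 0x{ethertype:04x}")
    ip = raw[14:]
    version, ihl = ip[0] >> 4, (ip[0] & 0x0F) * 4
    if version != 4 or ihl < 20:
        raise ValueError("malformed IPv4 header")
    total_len, ttl, proto = struct.unpack("!H", ip[2:4])[0], ip[8], ip[9]
    if proto != 6:
        raise ValueError(f"not TCP: protocol {proto}")
    tcp = ip[ihl:total_len]          # never read past the length the IP header declares
    src_port, dst_port, seq, _ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    data_off = (off_flags >> 12) * 4  # TCP header length, in bytes
    flags = [name for bit, name in TCP_FLAG_NAMES.items() if off_flags & bit]
    return Packet(_mac(dst_mac), _mac(src_mac), _ip(ip[12:16]), _ip(ip[16:20]), ttl,
                  src_port, dst_port, seq, flags, tcp[data_off:])


def http_request(payload: bytes) -> dict:
    """Split the innermost envelope into request line and headers (a truncated payload is fine)."""
    lines = payload.decode("latin-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip()] = value.strip()
    return {"method": method, "target": target, "version": version, "headers": headers}


def describe(raw: bytes) -> dict:
    """What a device on the path learns from this one packet, header and payload alike."""
    pkt = parse_frame(raw)
    req = http_request(pkt.payload)
    return {
        "hop": f"{pkt.src_mac} -> {pkt.dst_mac}",
        "hosts": f"{pkt.src_ip}:{pkt.src_port} -> {pkt.dst_ip}:{pkt.dst_port}",
        "flags": pkt.flags,
        "request": f"{req['method']} {req['target']}",
        "site": req["headers"].get("Host"),
        "browser": req["headers"].get("User-Agent"),
    }


if __name__ == "__main__":
    for key, value in describe(bytes.fromhex(FRAME_HEX)).items():
        print(f"{key:8} {value}")
```

Every field the script reports, including the operating system string, is visible to any router or tap between the two machines; only the assumed source-port byte is not literally from the page.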
What does the packet look like for an email? Here is a test email sent to a test address on the mail system at Corrente. The header is the same kind of thing, but the payload is different: it is an SMTP conversation rather than an HTTP request.

    Simple Mail Transfer Protocol
    Message: Date: Mon, 26 Dec 2005 05:21:42 -0500\r\n
    Message: From: philosophicus
    Message: User-Agent: Mozilla Thunderbird 1.0.6 (X11/20050715)\r\n
    Message: MIME-Version: 1.0\r\n
    Message: To: firstname.lastname@example.org\r\n
    Message: Subject: Test\r\n
    Message: Content-Type: text/plain; charset=ISO-8859-1; format=flowed\r\n
    Message: This is an email test
Here you can see, in the clear, the sender, recipient, subject, and body of the message. So can anybody else who happens to stumble upon this packet. They can read the payload ("This is an email test") and know who sent it, to whom, and how.
Now, this is just one packet out of the many (for a large page or message, hundreds) that make up any given browsing transaction or email message. Each of these packets carries the same addressing information in its header, but only a fragment of the entire email, or chat, or VOIP call, or whatever, in its payload. Why? When an email is sent, the message is cut into pieces and each piece is wrapped in its own packet, with the same address information in the header. Using that header information, each individual packet can find its way to its destination, possibly by a different route. (This is the key to the original design of the Internet and its protocols: survivability. Unlike an analog voice call, if a link is cut or degraded the conversation does not end; the routers along the way work out another route, and any packets lost in the meantime are sent again.) At the destination, all those disparate packets are put back in order by their sequence numbers and reassembled into a coherent message. They can also be reassembled by anybody watching those packets, with one practical caveat: the watcher has to see all of them. Packets of one message that take different routes may pass different taps, which is one reason a monitor is placed where most routes converge, as we discuss below.
Now we know how email is transmitted over the Internet, and
how easily anyone can read it. But the administration keeps saying,
"foreign," not domestic. (Though they've captured purely domestic calls.) Does this distinction have any meaning for
email? Let's see why it doesn't.
The Internet is an interconnected mesh of high speed links, as in this diagram.

[Figure: routing_1]

If my email packet has to get from router A to router E, it could be routed directly, or it could travel through routers B, C, or D.

[Figure: mesh]
Routes on the Internet pay no attention to geopolitical boundaries. A route is derived from the carriers' routing policies and path metrics (which links are up, which are cheapest or least loaded, which networks have agreed to carry each other's traffic), not from geography. It is entirely possible that a number of the email packets from my computer in Georgia (A) may find a preferred path to Corrente (E) via Canada (C) or Bermuda (D), i.e. they may traverse an international route on the way to a domestic destination. (Do you know where your email server actually resides?)
If even a single packet is routed through an international server, is the entire email considered foreign and thus subject to inspection under the rules of engagement as the administration has described them? The law on this is not yet settled (http://volokh.com/archives/archive_2006_01_01-2006_01_07.shtml#1136400573), and it would be highly unfortunate if such as Scalito were to settle it, but we can be confident that here, as with torture, we will eventually discover that when Bush says "legal," he means semi-plausibly justified by a cherrypicked, secret memo (http://www.nybooks.com/articles/18431?email) from an eager-to-please, ambitious, and amoral administration lawyer with very little real-world experience. (Take a bow, John Yoo.)
In other words, yes. Since it's semi-plausible that an email with a single internationally routed packet could be "foreign," and that's the broadest interpretation, that's the interpretation the Bush administration will make.
So now we have a number of these packets, jumbled together
in a public medium owned by private companies, sometimes traveling
together, sometimes not, yet all traveling through switches and routers
owned and operated by a very small number of corporate entities, the
carriers, who are highly regulated and beholden to the administration
for their monopolies, protection for their intellectual property
rights, union busting, and much else.
And let's say we're the administration, and we've built an Internet surveillance network. We have placed our monitoring devices at certain "target rich environments" on the Internet: the major switches and routers controlled by the carriers, the twenty or so hubs through which most of the world's packets flow, most of which are located on U.S. territory. We have software, let's say a package very similar to Snort (http://www.snort.org/), that can monitor and inspect these packets at around 2 Gbit/s. Indeed, as we have seen, many carriers already have such monitors in place and sell monitoring services to their customers (AT&T monitors: http://www.business.att.com/service_fam_overview.jsp?repoid=ProductSub-Category&repoitem=eb_internet_protect&serv_port=eb_security&serv_fam=eb_internet_protect). (Such tools are generally used to defend against network attacks, by matching patterns or signatures in the data.)
We have our "device" up and running, monitoring and inspecting as many packets as we like. Is this legal? (Here we're not talking about the warrantless surveillance of voice communications. That's definitely illegal under FISA, according to the non-partisan Congressional Research Service, and even Bush's apologists admit it's illegal. Rather, we're talking about monitoring and inspecting data, packets, not voice.)
Let's begin by reviewing the verbiage used by the law. The monitors we describe are not "wiretaps" and are classified by law as "pen/trap" devices. Wiretaps and pen/traps are different technologies, and each is governed by a different body of law.
"Wiretaps" are used to intercept and record real-time "aural" communication. They are covered by Title III, 18 USC 2510 et seq. Because they intercept and record the actual contents of the "aural" communication, and because we have an "expectation of privacy" under the 4th Amendment, law enforcement must present probable cause for that wiretap.
"Pen registers" and/or "trap and trace" devices are a different animal, though their ancestry is also in the analog world. A "pen register," at least in an analog world, does not record the content of an "aural" conversation. It was originally defined as a device that "records or decodes electronic or other impulses which identify the numbers dialed or otherwise transmitted on the telephone line to which such device is attached." Since IP addresses in the digital world serve roughly the same purpose as phone numbers in the analog world, our legal system has classified Internet monitoring devices as "pen/trap" devices (the 2001 USA PATRIOT Act rewrote the definition in 18 USC 3127 to cover "dialing, routing, addressing, or signaling information" generally, which is the language that sweeps in packet headers). The burden on law enforcement for getting approval of a "pen/trap" device is minimal compared to "wiretaps" because the "expectation of privacy" derived from the original analog devices is non-existent.
Indeed, the Supreme Court has held that there is no constitutionally-protected privacy interest in the numbers one dials to initiate a telephone call. Smith v. Maryland, 442 U.S. 735, 742 (1979). Accordingly, the pen register and trap and trace
provisions in 18 USC 3121 et seq. establish minimum standards for
court-approved law enforcement access to the "electronic or other
impulses" that identify "the numbers dialed" for outgoing calls and
"the originating number" for incoming calls. 18 USC 3127(3)-(4). To
obtain such an order, the government need merely certify that "the
information likely to be obtained is relevant to an ongoing criminal
investigation." 18 USC 3122-23. (There is no constitutional or
statutory threshold for opening a criminal investigation.)
Thus, in law, the packet headers would be like dialled phone numbers; they are electronic impulses that connect two or more parties. And, legally, the government can monitor the headers whenever it wants.
What about the payload? The boundaries of how deep law enforcement can look into these packets, i.e. how many envelopes to open, have never been fully qualified. (Two caveats a careful reader should hold onto: the pen/trap statute itself says such a device "shall not include the contents of any communication," 18 USC 3127(3), and since the Electronic Communications Privacy Act of 1986 the Wiretap Act has covered the contents of "electronic communications" as well as voice. What the courts have not settled is where addressing ends and content begins for a packet: a subject line, a URL, or a packet that happened to take a "foreign" route.) In practice, then, our Internet communications are completely public. Those little disclaimers you put at the bottom of your corporate email saying things like "the information contained in the email is legally protected from disclosure, etc." are useless.
So, both email header and email payload (unlike voice!) are open to administration surveillance. Returning to technical matters, the devices, equipped with their software, will now detect patterns within that flow of packets. Those patterns may be word patterns, usage patterns, directional patterns, any type of rule you can write. Once recognized, those patterns can trigger actions such as: start capturing the whole message transaction, log the pertinent data into searchable storage, determine the other destinations of this computer's previous messages, determine which of those other past destinations are transacting now, add this recipient to this sender's social network, add this phrase to the lexicon of proscribed phrases, etc.
For example, we might have our device look into email payloads. If the device detects an email packet, we'll see if it's on an international route. If so, we'll look deeper and see if text of interest ("Bin Laden" or, if you're the FBI, "vegan" or an animal rights activist, http://www.theledger.com/apps/pbcs.dll/article?AID=/20060103/NEWS/601030301/1036) appears in the payload. Suppose "Bin Laden", "kidney dialysis", and "Musharraf" all appear in the same message (which, as we saw, may mean matching across several packets). We might flag that message, decide to log the source and destination addresses, and tell all our other monitors to be on the lookout and start capturing all traffic from the source or the destination. We categorize the content of that traffic and "mine" that data for additional names. Now we can start building a social network ("I'm sure government agencies do that", http://www.infoshop.org/inews/article.php?story=20051230114118982) of relationships between these names, which will, in turn, allow us to expand our search to the new names, and develop additional criteria for refining our patterns. The variables and permutations are numerous but well understood, and fill entire books.
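To make the mechanics concrete, the following is an added example, written for this edit rather than taken from the post or from Snort: a toy monitor that reassembles SMTP sessions from their TCP segments, matches a Snort-style "all of these terms" rule on the whole message, and performs the follow-on actions the paragraph lists (log the endpoints, put them on a watchlist so their later traffic is captured whether or not it matches, and link the From and To mailboxes into a social graph). The traffic, hosts and mailboxes are constructed for the example. It also shows why the monitor must reassemble first: a term split across two packets is invisible to per-packet matching.

```python
"""Snort-style content rules run over reassembled SMTP sessions, with the follow-on actions."""
import re
from collections import defaultdict


def split_session(src, dst, base_seq, message, chunk):
    """Chop one message into TCP segments with consecutive sequence numbers."""
    return [(src, dst, base_seq + i, message[i:i + chunk]) for i in range(0, len(message), chunk)]


# Constructed sample traffic: three SMTP sessions as a tap at a carrier hub would
# see them. Addresses, names and text are invented for this example.
SESSION_A = (b"From: alice@example.org\r\nTo: bob@example.net\r\nSubject: Tuesday\r\n\r\n"
             b"Bin Laden was mentioned at the kidney dialysis clinic, and Musharraf too.\r\n")
SESSION_B = (b"From: alice@example.org\r\nTo: carol@example.com\r\nSubject: lunch\r\n\r\n"
             b"Noon at the usual place?\r\n")
SESSION_C = (b"From: dave@example.com\r\nTo: erin@example.org\r\nSubject: hi\r\n\r\n"
             b"Nothing of interest here.\r\n")
# Session A arrives out of order, and "Bin Laden" straddles two of its 24-byte segments.
SEGMENTS_A = list(reversed(split_session("10.1.1.5", "10.9.9.9", 5000, SESSION_A, 24)))
SEGMENTS_B = split_session("10.1.1.5", "10.7.7.7", 9000, SESSION_B, 40)
SEGMENTS_C = split_session("10.2.2.2", "10.8.8.8", 3000, SESSION_C, 40)
TRAFFIC = SEGMENTS_A + SEGMENTS_B + SEGMENTS_C

RULES = {"three-term": ["bin laden", "kidney dialysis", "musharraf"]}   # all terms must appear
MAILBOX_RE = re.compile(rb"^(?:From|To): *([^\r\n]+)", re.M)


def per_packet_hits(terms, segments):
    """The naive monitor: look for every term inside each packet on its own."""
    return sum(1 for _, _, _, data in segments if all(t.encode() in data.lower() for t in terms))


class Monitor:
    def __init__(self, rules):
        self.rules = rules
        self.streams = defaultdict(dict)   # (src, dst) -> {seq: segment bytes}
        self.watchlist = set()             # hosts whose traffic is captured wholesale
        self.captured = {}                 # (src, dst) -> reassembled message
        self.alerts = []                   # (rule, src, dst)
        self.graph = defaultdict(set)      # mailbox -> correspondents

    def observe(self, src, dst, seq, data):
        self.streams[(src, dst)][seq] = data   # a retransmission simply overwrites

    def reassemble(self, key):
        """Put the segments back in sequence order; None if the tap missed one."""
        segs = self.streams[key]
        seq, out = min(segs), b""
        while seq in segs:
            out += segs[seq]
            seq += len(segs[seq])
        return out if len(out) == sum(map(len, segs.values())) else None

    def session_closed(self, key):
        """Evaluate the rules on the whole message and carry out the follow-on actions."""
        src, dst = key
        msg = self.reassemble(key)
        if msg is None:
            return []
        text = msg.lower()
        fired = [n for n, terms in self.rules.items() if all(t.encode() in text for t in terms)]
        for name in fired:
            self.alerts.append((name, src, dst))
            self.watchlist |= {src, dst}      # tell the other monitors to be on the lookout
        if fired or src in self.watchlist or dst in self.watchlist:
            self.captured[key] = msg          # capture all traffic of a watched source or destination
            boxes = {m.group(1).decode().strip() for m in MAILBOX_RE.finditer(msg)}
            for box in boxes:                 # add the recipient to the sender's social network
                self.graph[box] |= boxes - {box}
        return fired


def run(traffic):
    mon = Monitor(RULES)
    for src, dst, seq, data in traffic:
        mon.observe(src, dst, seq, data)
    for key in list(mon.streams):             # sessions end in the order they began
        mon.session_closed(key)
    return mon


if __name__ == "__main__":
    mon = run(TRAFFIC)
    print("per-packet hits for 'bin laden' in session A:", per_packet_hits(["bin laden"], SEGMENTS_A))
    print("alerts:", mon.alerts)
    print("captured sessions:", sorted(mon.captured))
    print("social graph:", {k: sorted(v) for k, v in mon.graph.items()})
```

Session B never matches a rule, yet it is captured because its sender was put on the watchlist by session A, and the graph now links alice to both bob and carol; that is the expansion the paragraph describes. The same property cuts the other way: a tap that misses one segment cannot reassemble, and a term broken up by a misspelling or encrypted in transit never matches at all.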
In other words, the consistent use of "wiretap" by the administration (picked up by the press, as in this WaPo story: http://www.washingtonpost.com/wp-dyn/content/article/2006/01/04/AR2006010401864.html) is obfuscatory; it conceals both the technical and the legal points at issue, because voice and data communications are governed by different bodies of law. Not that the traditional media is helping to clarify matters. Close reading of the coverage of Bush's warrantless surveillance program shows that the surveillance is constantly, and carefully, described as both voice and email (http://news.google.com/news?hl=en&ned=us&ie=UTF-8&q=surveillance+%22and+email%22&btnG=Search+News); yet all the stories discuss legality and impact in terms of voice only, ignoring email. It's such curious and consistent behavior it has to be editorially driven. But why? What is the traditional press afraid of?
To the bottom line: It's both court-legal and John Yoo-legal for the administration to monitor all email, whether domestic or foreign. They have the technical capability to do so. And if they have set up a sort of Friendster for their enemies (call it Foe-ster), the mathematics of social networking are such that the number of those monitored would grow exponentially. If Osama has 100 friends, and each of his friends has 100 friends, and each of those has 100, that's 100 * 100 * 100, or 1,000,000. One more round (remember "six degrees of separation"?) is, well, almost the number of Bush foes in the Miss (?) ...
Will such a system of email surveillance work? (Leaving aside, for now, the question of what we mean by "work." Perhaps, to a Republican, "work" means raking in billions of tax dollars without delivering, and destroying the Constitution into the bargain. I mean, what's not to like?) The pessimist might say, "All too well." The realist might say, "Not at all."
The pessimist: Of course, I'm sure the administration wouldn't, couldn't monitor so many people. And I'm sure they throw all the email away once they're done with it. I mean, it's not like all the email you've ever written in your life would go on your permanent record, right? Right? (Isn't it pretty to think so. Look at "shall retain all records.") Those who think that government just can't monitor everybody would be well advised to look at the history of the East German Stasi, who actually did monitor everybody, and without any help from computers, the Mitarbeiter of the modern day.
The realist: Just like neocon fantasies of missile defense or global empire, this shit really doesn't accomplish the task of protecting us. Oh yeah, the mechanics work. We can take Baghdad in 30 days, we can shoot shiny pebbles in the sky, we can do neat things with Internet traffic analysis, but these ideas never get much better than their display in PowerPoint presentations. However, they are very seductive. Does this weapon work against terrorism? What metrics of success are applied? What are the chances that it actually has "saved thousands of lives" (http://www.correntewire.com/bush_surveillance_lawbreaking_critical_to_saving_american_lives) as one of its sponsors has said? Don't bet on it. The efficacy of these mechanisms in a defensive role has proven to be iffy at best, especially at prevention, and they are very easy to evade: a keyword rule is defeated by a misspelling, a code word, or encryption. At most, this apparatus was the source of all those terrorist alerts because of a "heightened amount of chatter", i.e. more patterns being matched.
If it doesn't work, why worry?
The surveillance device that we've discussed here is a weapon of war, and its use to monitor email is a tactic of war.
This is just common sense. Information warfare has been a part of war since the days of Sun Tzu (http://classics.mit.edu/Tzu/artwar.html): "knowledge of the enemy's dispositions can only be obtained from other men." World War II was fought on the battlefields of information warfare when the British broke the German Enigma code, and the Americans the Japanese equivalent, Purple. Cryptographic systems were for decades classified under U.S. export law as munitions, devices of war, and although they moved from the Munitions List to the Commerce Control List in 1996, their export remains controlled to this day.
And the administration takes the common sense position. From the DOJ's letter to Congress (http://www.nationalreview.com/pdf/12%2022%2005%20NSA%20letter.pdf), purportedly justifying Bush's illegal warrantless surveillance system:

    Communications intelligence targeted at the enemy is a fundamental incident of the use of military force. Because communications intelligence activities constitute, to use the language of Hamdi, a fundamental incident of waging war, the AUMF clearly and unmistakably authorizes such activities directed against the communications of our enemy.
But who is "our enemy" to this administration? ... and their source, because they've told us so. What about the Kerry campaign (http://www.salon.com/politics/war_room/index.html)? What about members of the opposition party (http://rawstory.com/news/2005/Congressmembers_write_White_House_ask_if_0105.html)? How about participants in the WHIG disinformation campaign (http://www.correntewire.com/the_grey_lady_that_did_not_bark_in_the_night)? What about activists in areas where Bush campaign and Social Security rallies were held? (For example, the Denver three were supposedly kicked out of a Bush rally by a Bush operative because they had a "No blood for oil" bumper sticker on their car. And indeed they did. But the story that they were kicked out because of the bumper sticker comes from the Secret Service (http://www.buzzflash.com/analysis/05/04/ana05010.html). Should we trust them? Why? What about the other "eerily similar" events in Arizona and North Dakota? Bumper stickers there, too? And why is Bush fighting so hard to conceal his sources and methods on this one? Why not just sacrifice the "overzealous volunteer" and move on?) What about fishing expeditions against ordinary Democrats, now that the IRS is keeping records of political affiliations (http://www.thenewstribune.com/news/local/story/5440902p-4912739c.html)?
So, what "enemy" email are they reading? It is, in the words of Reagan hagiographer Peggy Noonan (http://www.opinionjournal.com/columnists/pnoonan/?id=95000429), not to speculate. My answer is: A conservative estimate is that they're reading all email inside the Beltway. After all, everyone inside the Beltway is either a known enemy or a potential one. (Cf. "Asking the unasked question about Bush's illegal domestic spying," http://www.correntewire.com/asking_the_unasked_question_about_bushs_illegal_domestic_spying.)
This would account for the curious tendency of many players in this drama to consign important information only to paper. Examples include Jay Rockefeller's handwritten letter to Cheney (http://www.talkingpointsmemo.com/docs/rock-cheney1.html), Judy Miller's notebooks (http://www.thenation.com/blogs/capitalgames?bid=3&pid=29143), and Scooter Libby's three-ring binders (http://iht.com/articles/2005/10/30/news/libby.php). It's as if all the players assumed that anything electronic would be read. In addition, assuming for a moment that the administration regards the entire Democratic apparatus as an enemy, wiring the entire Beltway would seriously disrupt the "enemy's" command and control.
If this hypothesis is true (and remember, all the stories say "voice and email" whenever they mention surveillance), that would mean that the administration has turned devices that history, the law, and they themselves consider weapons of war against members of the press, members of Congress, and others.
That means that this massive email surveillance program is "levying war" against the United States. What else is informational warfare but war?
And that, friends, is what the Constitution defines as treason.
As we've said: the use of this device, this weapon of war is
perfectly legal. "Foreign" or "domestic," it makes no difference. The
administration has the power, and the ability, to read and analyze all
the email of its enemies.
Next: Civil Disobedience in the Digital