Government data gathering and the PRISM program

There are quite a few sensational stories in the media claiming that the government is gathering large amounts of data from network providers without warrants and/or abusing privacy. Some of the fuss is legitimate, but for the most part it’s being blown out of proportion.

Let’s start with how Amplex handles requests for data by government agencies:

  • Any request for data of a transactional nature made by a governmental agency requires a valid subpoena. The request can specify that no notification be made to the target of the investigation for a certain amount of time. These requests are rare and very specific. There really isn’t anything to object to in these types of requests – it’s local or state law enforcement doing exactly what they are supposed to be doing. Amplex reviews these requests with our legal counsel to verify the authenticity of the request and complies as needed.
  • Requests for stored data (email or other content) or any real-time capture of data require a search warrant signed by a judge. Search warrants may specify that no notice be given to the affected party. Amplex reviews these requests with our legal counsel for authenticity and to narrow the scope of the request if the request is unreasonable, excessively broad, or technically unfeasible.
  • National Security Letters (NSL). This is a special type of request for data from the federal government. This type of request contains a gag order prohibiting the disclosure of the contents of the letter, the requested data, etc. The Electronic Frontier Foundation has a good writeup of NSLs. Amplex has never been presented with a National Security Letter (at least as of 6/8/2013).

On several occasions Amplex has been presented with a request from law enforcement for information outside the above processes when there was imminent danger.  Amplex will cooperate with law enforcement in these situations when we believe the request is legitimate.  Specific examples of this have included a bomb threat to a local school, and a person posting very specific threats online.  Please note that our terms of service allow Amplex to cooperate with law enforcement agencies (LEA) in these situations.  Is there a potential for abuse in this?  Yes, but there are many legal options for Amplex to take if we discover that the process was abused or LEA intentionally deceived us.

So what are all the sensational stories about? What is the real story? We have a few ideas, but first we need to discuss CALEA:

CALEA is a federal regulation that specifies a series of technical, legal, and management procedures by which LEA can gather needed data. The CALEA implementation in a private network is NOT controlled by the government. There are a considerable number of safeguards in the CALEA system to prevent unauthorized use and to limit the data captured to only the records specified in the accompanying search order.

PRISM is the system that hit the news this week. The system reportedly gives the government access to large amounts of data. The story doesn’t really add up. Why?

  • The reported cost of the program is $20 million. The federal government can’t fund a giant data gathering program with that money. $20 million barely pays for the consultant to design the program, much less implement it.
  • The sheer volume of data would be extremely difficult to capture and transport. Capturing all the data from a tiny network like Amplex would consume somewhere around 40TB of data per day. Getting that data transported off the network would be very expensive. There is no central point on the network where all data can be collected in any case.
  • Large networks like Google, MSN, and Facebook are very decentralized. Large-scale monitoring would require a massive investment in additional transport capacity. The networks have a hard enough time keeping up with their own growth, much less building a parallel network for the government.
  • Most data transported on the Internet is asymmetric, meaning that the data path to the end user is not the same as the return path. Capturing data at mid-points in the network usually only gets you half the information. Trying to capture the data from multiple mid-points and putting it back together is very difficult. Capturing data only works well at the source or destination.

So what is PRISM really about? My best guess is that it’s an electronic system where the government can present CALEA requests along with the relevant legal search warrants, national security letters, etc. to the participating companies by electronic means rather than faxing, scanning, and/or using overnight delivery services to move paper around. That is about the only thing that $20M by the federal government will buy you. It also makes sense. Much of the legal system really is 15 years behind the rest of private industry and they still push mountains of paper around the country. The feds did something smart and built a secure communication system to deliver legal documents? Good for them. Perhaps they should have sent out a press release instead of hiding it.

Are the feds overreaching with National Security Letters and the PATRIOT Act? Yes – and the Department of Justice has previously found major problems with the program. Are other government agencies abusing the program as well? I suspect we are about to find out.

Mark