How do the feds tap phone lines?

Senate hearings in Washington last week focused on whether the NSA needs a warrant before it conducts domestic surveillance, but from a technology perspective, the lawful wiretap process is pretty straightforward.


Warrant or no warrant

Let's say U.S. forces in Iraq or elsewhere capture a laptop or cell phone containing the phone number of someone suspected of having links to Al Qaeda. And let's assume that law enforcement goes to the appropriate court and obtains a warrant to tap that phone number.

Once a warrant is issued, depending on time constraints surrounding the investigation, it is either faxed directly to the service provider or physically presented by law enforcement. In this scenario, it might be the FBI, acting on behalf of the NSA.

Under the federal Communications Assistance for Law Enforcement Act (CALEA) of 1994, carriers are required to have a procedure and technology in place for intercepting calls.

The most common type of tap is a pen register (otherwise known as trap and trace), which produces a log showing what numbers were called, and the dates, times and durations of the calls. The second type intercepts the content of the call.

"There are tens of thousands of trap and trace interceptions vs. thousands of content interceptions each year because they are much easier to do," says John Morris, staff counsel at the Center for Democracy and Technology (CDT) in Washington, D.C.

The way it works is that a carrier taps into a digital switch at its central offices or at an aggregation point and programs in what number will be traced or what calls will be intercepted.

Once the information is gathered, it is sent via a private link paid for by law enforcement to the agency that requested it. That could be the FBI or another federal law enforcement agency, such as the Drug Enforcement Agency or Bureau of Alcohol, Tobacco and Firearms.

"Phone tapping has been going on for more than 20 years, it's nothing new," says David Holtzman, a security expert, former CTO of Network Solutions, and author of the upcoming book Privacy Lost. "It's a very simple thing to get a warrant to intercept communications."

But what has changed significantly, according to experts, is the role that carriers and service providers play.

"In the past, the government or law enforcement didn't need the carrier's help," Morris says. "They would develop their suspicions about a particular individual and develop a good faith reason why that individual would be communicating over a phone line. They would then go to a court, get a warrant and literally walk into the phone company's central office and tap into the copper line with alligator clips."

With fiber replacing copper wires, the deployment of digital switches at the central office, and the burst of cellular and Internet traffic, law enforcement now depends on the expertise of service providers to help carry out interception warrants, Morris says.

It's the law

Three U.S. laws compel carriers and other communications providers to participate in lawful interceptions:

1. Title III of the Omnibus Crime Control and Safe Streets Act of 1968 (also known as Title XVIII).

2. The Foreign Intelligence Surveillance Act (FISA) of 1978.

3. CALEA of 1994.

"Title III covers domestic surveillance, and FISA deals with matters involving foreign powers," says Kevin DiLallo, partner at the Levine, Blaszak & Boothby, LLP law firm in Washington, D.C. He adds that CALEA explains the role of communications providers in helping law enforcement carry out wiretaps.

In addition, the Patriot Act of 2001 widened the scope of lawful interception.

Crimes were added to the list of those that could be investigated with the help of wiretaps, and warrants for wiretaps no longer have to be sought in the jurisdiction where the wiretapping will occur. Today, courts can issue a warrant for a roving wiretap that allows for "blanket authority to wiretap anywhere in the U.S.," he says.

Under these laws, agencies must seek a warrant from a U.S. district court for domestic calls or, for calls involving foreign parties, from the FISA court, a private court whose judges are appointed by the chief justice of the Supreme Court.

Certain ISPs, including Internet access providers and interconnected VoIP service providers, are also required to have procedures in place to carry out warrants, according to an FCC ruling last year. For instance, non-facilities based providers such as Vonage would be covered in this ruling. However, there isn't a universal method for doing this.

One network expert, who requested anonymity, outlined a few possibilities: DSL providers replicating the ATM virtual circuit from a subscriber's DSL modem; cable providers duplicating the Ethernet and IP traffic crossing the cable to the ISP; and dial-up providers capturing Point-to-Point Protocol traffic using the IETF's AAA (authentication, authorization and accounting) standard. Wireless taps often are done like cable taps, at an intercept point.

"With all of these, it's done as close to the subscriber as the ISP can get for the simple reason that if that weren't true, some subscriber traffic would evade the intercept point," he says. He adds that these methods also are the least expensive for ISPs and have the least impact on overall network performance.

In addition, the IETF is working on creating standards for wiretapping of electronic communications outside of the phone system. For example, RFC 3924, published in 2004, provides information about how to build wiretap-ready systems.

Your data or mine?

Once law enforcement receives wiretap data from communications providers, it must do two things: minimize it (parse through the information) and mine it, according to Winn Schwartau, author of Cybershock and Information Warfare.

Before an agency can analyze traffic and content, it must minimize what has been sent by the communications provider. Carriers intentionally send more traffic and content than is necessary because they are not given specific details of what law enforcement is looking for, because that might jeopardize a case, according to the CDT's Morris.

For instance, carriers would intercept all traffic from Mr. Jones even if law enforcement only needs to know how many times Mr. Jones called Mr. Smith.

Therefore, it's up to law enforcement to minimize it, and only keep what it needs for that case, Morris says. He adds that the FBI has two types of agents working on intercepts: those who do the minimization and those who do the analysis, so that agents investigating cases are not exposed to unauthorized information.

Once the minimization is done, the analysis begins. Much of the initial analysis of content and pen registers is automated. Data coming in is run against up-to-the-minute database algorithms that look for patterns in calls or keywords that show relevance to current events and threats.

"With pen registers, they analyze the logs to see who's calling who and how often - this is what is called chatter," Schwartau says. "With content, you look for key words and phrasing. You keep modifying the algorithms so that detection methods become more finely tuned and smarter."

If the algorithms flag a call or identifying call information, then the issue is passed on to a person. For instance, with content, if keywords, or trigger words, are detected, the call could be sent to an Arabic translator for further investigation. This filtering saves on the amount of human resources needed by law enforcement, Schwartau says.
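The minimization step and the pen-register "chatter" analysis described above, as an added example that is not part of the original article: the records are constructed, Mr. Jones and Mr. Smith are stood in for by 555-0100 and 555-0200, and the call-count threshold is an assumption.

```python
from collections import Counter
from datetime import datetime

# Constructed pen-register records (not from the article): one call per line,
# "YYYY-MM-DD HH:MM,calling_number,called_number,duration_seconds".
# The carrier over-delivers: every call involving 555-0100 (Mr. Jones) is here,
# although the warrant only covers his calls with 555-0200 (Mr. Smith).
RAW_PEN_REGISTER = """\
2006-02-01 09:12,555-0100,555-0200,180
2006-02-01 10:05,555-0100,555-0300,45
2006-02-01 11:40,555-0200,555-0100,600
2006-02-02 08:15,555-0100,555-0200,30
2006-02-02 13:22,555-0100,555-0400,900
2006-02-03 17:01,555-0100,555-0200,240
2006-02-03 17:30,555-0300,555-0100,60
"""

def parse_records(text):
    """Parse the constructed CSV lines into dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split(",")
        if len(parts) != 4:
            continue
        when, caller, callee, secs = parts
        records.append({
            "when": datetime.strptime(when, "%Y-%m-%d %H:%M"),
            "caller": caller, "callee": callee, "duration": int(secs),
        })
    return records

def minimize(records, target, authorized_parties):
    """Keep only calls between the warranted target and the parties the warrant
    names; everything else the carrier over-delivered is dropped here, before
    any case agent sees it."""
    allowed = set(authorized_parties)
    kept = []
    for r in records:
        parties = {r["caller"], r["callee"]}
        if target in parties and (parties - {target}) <= allowed:
            kept.append(r)
    return kept

def chatter(records):
    """Count calls per unordered pair of numbers: who is calling whom, how often."""
    return Counter(frozenset((r["caller"], r["callee"])) for r in records)

def flag_frequent(counts, threshold):
    """Pairs whose call count reaches the threshold are handed to a human analyst."""
    return {pair for pair, n in counts.items() if n >= threshold}
```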

In the case of encrypted traffic, communications providers are under no obligation to decrypt it unless they encrypted it in the first place, according to CALEA. Otherwise, it's up to law enforcement to figure out how to decrypt packets.

"If I were law enforcement, I would assume that any piece of encrypted communication is suspicious and examine it," Holtzman says. However, encryption is not much of a deterrent for the government because they have the top cryptographers at their disposal, he adds.

Law enforcement is obligated to toss out after a certain period of time any information that was gathered before the minimization process. However, it is under no obligation to delete information that is relevant to a warrant.

"Storage is pretty cheap and they need it for post-analysis such as historical relevance and pattern spotting," Schwartau says.

Warrantless wiretaps

While communications providers are required by law to assist in warranted wiretapping, some experts speculate they are doing so even in cases where there is no warrant - either actively participating or merely looking the other way.

One security expert says it is in a carrier's best interest to cooperate even in warrantless interceptions because of the damage that could come to their lines from non-experienced personnel trying to tap into the line. "As a practical business matter, they'd want to assist law enforcement to avoid risk to their cables or degradation in performance to the network - they'd want to be involved in anything that has to do with their connections," he says.

Gittlen is a freelance technology editor. She can be reached at sgittlen@charter.net.

Copyright © 2006 IDG Communications, Inc.