Feb. 13, 2012 at 4:26 PM ET
As technology that enables law enforcement officials to snoop on citizens continues to advance, so too does the system of checks and balances, meant to prevent the abuse of phone and email logging and other tracking activity. At least on paper. A new discovery by a cybersecurity researcher indicates that, for five years, Congress did not ask the Department of Justice for its reports of surveillance, nor did the DOJ submit those findings — even though they're required by law to do so.
Christopher Soghoian, who works for the Center for Applied Cybersecurity Research at Indiana University, filed Freedom of Information Act requests and found an alarming disparity between what is expected of federal law enforcement reporting electronic surveillance to Congress and what actually has come to pass. As he wrote in an abstract for a report called, "The Law Enforcement Surveillance Reporting Gap,":
The existing surveillance statistics might be sufficient if law enforcement agencies' surveillance activities were limited to wiretaps and pen registers. However, over the last decade, law enforcement agencies have enthusiastically embraced many new sources of investigative and surveillance data for which there are no mandatory reporting requirements. As a result, most modern surveillance now takes place entirely off the books and the true scale of such activities, which vastly outnumber traditional wiretaps and pen registers, remains unknown.
Soghoian's research also includes emails from congressional aides asking for the reports, and in the usual bureaucratic fashion, goes back and forth before they finally get them. The researcher sent Wired the emails.
He responded to our inquiries and told us, "No one in Congress noticed that the reports were missing. Although Congress is supposed to perform oversight over these invasive surveillance powers, it seems clear that Congress is not taking its oversight role seriously. Had Senator Feingold's staffer not asked for the reports in 2009, DOJ might never have sent them over to Congress."
The actual reports focus on requests for call and email logs that don't contain any content aside from, perhaps, an email subject line. These requests fall under a much lower threshold for approval than wiretaps, which record the content of conversations.
The 2004 to 2009 reports are now available through the Department of Justice website, which still leaves 2010 and 2011 missing. The brief reports cover original orders, investigations and quantity of people affected by the surveillance. They're broken down by agency (FBI, DEA, USMS and ATF). In his paper, Soghogian says that reports used to be more thorough, but have eroded over the years.
Soghoian's research found that:
[Wiretap order] requests have increased each year: In 1987, there were 637 wiretap orders requested nationwide; ten years later, the number increased to 1186; in 2009, the most recent year for which reports exist, 2376 wiretaps were requested.
While the reports that have finally come in reveal a doubling in numbers of orders for this kind of surveillance, there is still a lot more information needed that could be pivotal in shaping policy.
"This can be a trigger for hearings. To know number of requests doubled doesn't tell you much, you don't know the circumstances. Numbers have to be examined in context. But without numbers, you can't ask questions," said Mark D. Rasch, director of the Virginia-based CyberSecurity and Privacy Consulting firm. Rasch is the former head of Justice Department Computer Crime Unit, and served in the department for 10 years.
Usually, Rasch says, there is a process — and it could be informal — by which these reports are supposed to be submitted to Congress, usually via a committee or sub-committee. In his view, "Congress has effectively granted to the executive branch the authority to invade privacy with limited judicial intervention."
And that's it — at the core of why this could very well outrage many Americans is because of the cost to individual privacy. We've already seen the outcry when consumers found out about the tracking potential of Carrier IQ, as well as the location-based tracking on iPhones and other smartphones.
"A lot of information can get in 'trap and trace' [call and email logging] and reveal a lot about people," Rasch said. "The government still has to certify it as important. People use email for a lot more stuff, so its more relevant to investigation, there's an exponential increase. But it's something Congress has to look at, if people demand it. We need to hold our government accountable."
And, as Soghoian answers, when asked who is being tapped:
We all are. The government routinely obtains "community of interest" information, which means that the government gets information on all the people who have called, or been called by the target of an investigation. If someone sells pot out of a Pizza Hut, this means the government gets detailed information about everyone who called up for a pizza over the previous month.
Likewise, when the government wants to investigate a crime that occurred at a particular physical place, it is extremely common to request information about everyone who was within a mile or two of that place at the time that the crime occurred. Given these investigative methods used by the government, it is impossible for information on innocent Americans to not end up in government databases, where it stays forever.
It is too soon to try and pinpoint any particular reasoning for the neglect. It could be, Rasch said, simply a matter of laziness.