First Monday

Webtapping: Securing the Internet to save us from transnational terror? by Christopher Bronk

Considerable debate surrounds the issue of wiretapping as a tool for the collection of intelligence in combating trans–national organizations employing terror tactics in pursuit of their political agendas. This paper argues that the language used to frame this debate is outmoded. At root, conventional wisdom on the wiretapping issue in the United States is framed by a general consensus that fails to account for now ubiquitous digital means of communication. In addition, the issue of information security, the protection of computer networks, government and private alike, but often tied in some way to critical infrastructure, is inextricably linked to digital eavesdropping. The author argues that while attempts to understand the totality of network activity may be of great value in protection of critical infrastructure, this webtapping presents potentially grave implications for individual liberties and may produce limited payoffs in defeating terror organizations or cyber–attackers.


Katz’s legacy
Pen registers, trap and trace and wiretaps
From analog to digital
The digital tap
Computer–enabled listening
And the Internet too?
Why listen?
Deaf in plain sight
And defending cyberspace too
The cyber initiative
Can’t we go back to analog?




“The greatest dangers to liberty lurk in insidious encroachment by men of zeal, well–meaning but without understanding.” — Louis Brandeis (Olmstead v. U.S.)

Use of the telephone system by U.S. law enforcement for the collection of evidence is built upon a tradition stretching back to the first quarter of the last century. Federal agents have constructed damning cases against organized crime and other nefarious actors through the use of wiretaps. Concurrently, agencies of the United States’ Intelligence Community (IC) built upon the electronic surveillance and codebreaking capacities so useful during the Second World War to penetrate the Iron Curtain when human agents could not. Both these capabilities, with their attendant histories and cultures are now aimed at contemporary threats to national security: trans–national terrorism and cyber–attacks designed to damage infrastructure or steal information resources not meant for disclosure. This paper attempts to illuminate the similarities and shared issue set in both electronic intelligence gathering and information security, explaining the evolution of law and policy in parallel with the emergence of digital information technologies.

Falling between the boundaries of the information, computer and political sciences, the area of information politics straddles the region in which information policy regarding the availability and use of information meets the political objectives of those serving in government (Jaeger, 2007). We are witnessing the politics of security’s entrance into the field of information technology. What is happening is a securitization of issues, changing the political dynamics of debate through escalatory language. As argued by Buzan, et al. [1]:

“‘Security’ is the move that takes politics beyond the established rules of the game and frames the issue either as a special kind of politics or as above politics. Securitization can thus be seen as a more extreme version of politicization.”

In the wake of the terrorist attacks against the United States in September 2001, the country has passed through a profound period of securitization in information policy, spearheaded by the USA PATRIOT Act’s passage some six weeks after the Al–Qaeda attacks. Creation of policy in the information space has centered around two areas, the collection of intelligence in the digital domain and the protection of critical information infrastructure. These paired roles, it is argued here, hold great similarities.

In order to further the contemporary debate on wiretapping, which is largely viewed as a threat to liberty, and information security, which is not, we must begin by viewing the policy on both fronts and also understanding the technical dimension in both. Because both activities focus on surveillance of data transiting the Internet, they are intertwined. Thus, it makes great sense that the National Security Agency (NSA), the U.S. intelligence agency charged with digital surveillance, should also hold responsibility for digital defense. This role is envisaged for the NSA in a responsibility sharing arrangement with the Department of Homeland Security described within a still classified executive writ of the Bush administration. The politics of such a move are hugely controversial and represent a potentially enormous growth in responsibility for the NSA, although details of the mandate remain largely unknown (Gorman, 2007b).

Wiretapping, outmoded in definition, and information security are both part of a larger strategic domain, labeled the United States’ “information edge” in the 1990s (Nye and Owens, 1996) and National Information Power more recently (Gravell, 2002). Yet the language used to describe monitoring comes from a bygone age. With everything digital, tapping, analyzing and protecting information resources are activities transformed. To understand this, we need to begin with an understanding of how these processes have evolved, and how the law has failed to keep up (Lewis, 2007).



Katz’s legacy

Contemporary discussion of wiretapping is deeply colored by the U.S. Supreme Court’s decision regarding Katz v. United States (1967). Reversing the decision of the Ninth Circuit Court of Appeals, the Warren Court decided in favor of Charles Katz, throwing out his conviction for engaging in illegal gambling across state lines. Convicted in California, Katz used a pay phone to place bets in Miami and Boston, but was unaware that agents of the Federal Bureau of Investigation (FBI) had tapped the pay phone he utilized to communicate with his bookie and was recording his conversations. At issue was the applicability of Katz’s Fourth Amendment protections from illegal search and seizure. Katz’s appeal re–opened for review the constitutionality of wiretapping, an activity largely protected by 1928’s Olmstead v. United States. On the heels of several cases, which hemmed in government wiretapping powers, “the court ruled that eavesdropping was constitutional after all — within certain narrowly defined limits” (Time, 1967). After almost forty years to mull over Louis Brandeis’ eloquent and prescient dissent, the court had reversed itself, perhaps accepting the belief,

“The progress of science in furnishing the government with means of espionage is not likely to stop with wire tapping. Ways may some day be developed by which the government, without removing papers from secret drawers, can reproduce them in court, and by which it will be enabled to expose to a jury the most intimate occurrences of the home.” (Olmstead v. U.S.)

Forty years after Katz, the question again arises regarding the legality of government wiretapping. What has changed however is the scope of what we may interpret as wiretapping. In Olmstead and Katz, we are talking about telephone conversations, but our system of electronic communication has changed incredibly. In the late 1960s the Department of Defense’s Advanced Research Projects Agency (ARPA a.k.a. DARPA), conducted research in what would eventually become the Internet. Building on foundations in telegraphy and telephony, this technology would provide a new means for employing computers to move data from point to point. While the impact of this innovation is far–reaching and still difficult to comprehend, for the area of electronic surveillance, it created vast new terrain, incredible opportunity and a massive task for legislators and the courts in determining the rules for this new activity. To understand contemporary debate in the United States falling under the label wiretapping, it is necessary first to understand the rhetorical base upon which U.S. law is constructed in this area and second, to comprehend how the technologies that complete telephone calls, deliver Web pages, and pass mobile phone text messages actually function. But to understand the law regarding electronic surveillance requires explanation regarding the three forms of legally sanctioned surveillance techniques, and a brief narrative of their evolution.



Pen registers, trap and trace and wiretaps

Legal terminology for eavesdropping still draws on a technological vocabulary created at a time when human operators used switchboards to make telephone connections. Three terms, drawing from a decades old form of the practice of telephone eavesdropping guide much legal thinking on the appropriate surveillance of telecommunication channels for law enforcement and the intelligence community in the United States. Pen registers, trap and trace devices and wiretaps are the three primary subdivisions for codifying electronic eavesdropping of a space now populated by Internet telephony, e–mail, cellular text messaging, instant messaging and additional forms of digitally constructed communications. The three general terms may be described as such:

Pen register referred at one time to the practice of monitoring each number dialed out from a particular telephone number. A list was compiled by hand (pen) of each outgoing number for use in the conduct of a criminal investigation. “In the United States the ability to record called numbers has been an essential component of billing for a long time and thus has been built into telephone equipment for a long time.” [2]

A “‘trap and trace device’ means a device or process which captures the incoming electronic or other impulses which identify the originating number or other dialing, routing, addressing, and signaling information reasonably likely to identify the source of a wire or electronic communication, provided, however, that such information shall not include the contents of any communication.” [3]

Wiretaps are devices emplaced on the line of electronic communication, able to intercept the entirety of the communication. In the analog frame of reference, the wiretap was quite literally a connection to the telephone wire, or the telephone itself. The practice of wiretapping has grown over time and the legality of the practice was debated in the Olmstead and Katz cases and codified in the Omnibus Crime Control and Safe Streets Act of 1968 (Olmstead v. U.S.).



From analog to digital

Contemporary understanding of electronic eavesdropping is largely influenced by terminology borne of efforts to listen in on the analog electronic telephone system, a technology that dates back to the late nineteenth century. The telephone system of Justice Brandeis’ age was a creature of electrical engineering in which pulses of electricity transmitted over copper wire carried voice communications. Voice was translated by the receiver microphone to electrical pulses and converted back into audible sound in a speaker on the other end. Switching was a manual and then electro–mechanical task. In the analog period, tapping wires was literally that, the connection of a device to the telephone wire somewhere between the telephone receiver and the switch used to route calls. Wiretapping was a resource intensive activity generally requiring access to the phone infrastructure in close proximity to the targeted telephone. Computing technology markedly changed this.

In the 1960s, the International Telecommunications Union (ITU), an international oversight body based in Geneva, Switzerland, commissioned its Comité Consultatif International Téléphonique et Télégraphique (CCITT), the Union’s standards making body, to work on bringing computerization to telephony. The concept, in hindsight, was a simple one, to replace the modulated frequencies of electricity representing vocal tones with strings of digital data representing pieces of the conversation (Teralight, 2008). Required was a system to break up the voice information into small pieces, send it to the intended recipient and reassemble it on the receiving end. At roughly the same time, researchers at the U.S. Defense Department’s Advanced Research Projects Agency (ARPA) funded research on university campuses and forged partnerships in industry to develop the highly resilient data communications network that would eventually produce the Internet.

For CCITT and ARPA, realization came that breaking streams of data into small pieces, or packets, could considerably increase the efficiency of communications. Rather than holding open a connection, whether down the street or to the other side of the planet, these packets could be shot across great distances in massive quantities and be reassembled to form text, voice, video or other formats. With the creation of the ARPANet hardware by Bolt, Beranek and Newman (BBN), which linked research computing facilities at UCLA, UC–Santa Barbara, the Stanford Research Institute and the University of Utah in 1969, the template for the packetized transmission of data, largely employing the existing telephone network, came into being. By the mid–1970s, ITU standards for packet–based telephony had developed to a level of maturity, with the agreed interconnecting pieces of technology labeled Signaling System #7.

What Signaling System 7 allowed was the creation of a Public Switched Telephone Network (PSTN) employing digital packets to send pieces of conversations between the local switching operations. The first piece of the PSTN was emplaced in Chicago in 1976 with the installation of a Class 4 Electronic Switching System (4ESS). What the 4ESS did was mate the function of previous automatic electromechanical switching hardware with the power of mainframe computing (AT&T, 2008). The massive trunk lines connecting area code to area code would be filled with call data as hierarchical call routing fell out of use and the computerized switches began choosing the route dynamically. The analog electrical pulses traveling across the telephone wire were translated by computer into a string of ones and zeroes, parsed into packets and fired across the network. No longer did the phone company need to hold open a circuit from St. Louis to Chicago to complete a long distance call. Instead, traditional analog connections would link telephones to switching stations where signals would be converted from analog to digital and vice versa. Once in digital form, the data would travel along the best path across long distance.



The digital tap

Digital switching changed the practice of wiretapping inestimably. The practice of splicing wires would be redundant if listening could be done at the switches. By emplacing equipment at the point of routing from the local network to the national telecommunications grid, any number in the area could be tapped at any time with a minimum of effort. Moving to digital rather than electro–mechanical switching, the regional companies left behind to run the phone system after the breakup of AT&T opened a new avenue for simplifying the business of phone wiretapping. At the local level, phone calls still traveled from phone to the telecommunications switch in the same manner as before. An analog signal (modulated electrical frequencies) traveled over copper wire to the switching office, but when it arrived at the switching office, the analog signal was converted to digital data, routed by computer to the intended telephone number and reconverted back as an analog signal across the copper wire to make a connection.

In the early 1990s, guidelines and rules for electronic surveillance were still very much directed toward an analog telephone network and media (Mueller, 1991). With the advent of packet–based telephony, government eventually realized that if tapping could be undertaken at the computerized switch, federal agents wouldn’t need their alligator clips. Listening could be undertaken at the point of digital conversion. With this realization, the U.S. Department of Justice set to work on proposed legislation to migrate wiretapping to the computerized switch. This would immeasurably simplify the task of establishing and removing wiretaps.

Legal description of electronic eavesdropping would change as well. As an example, the PATRIOT Act revision of the pen register function (the process of collecting dialed telephone numbers) was considerably amended. Replaced was the text, “electronic or other impulses which identify the numbers dialed or otherwise transmitted on the telephone line to which such device is attached,” with the significantly more exhaustive, “dialing, routing, addressing, or signaling information transmitted by an instrument or facility from which a wire or electronic communication is transmitted, provided, however, that such information shall not include the contents of any communication.” In addition, “or process” was tacked onto the term “device” wherever it appeared in the statute (18 U.S.C.).

The key issue was to establish a relatively simple means to connect directly with the phone companies’ computerized switches (Ward, 1996). Desired by the U.S. Department of Justice (DOJ) and Federal Bureau of Investigation (FBI) was a means to tap in to the large–scale computers serving as switches to enable tapping. Unfortunately for the government, the equipment had not been designed with such a feature. DOJ and FBI wanted a means to connect with the switch and monitor specific phone numbers at specific times. If the government could emplace eavesdropping hardware connected to the switch, it could perform a variety of wiretapping assignments from a centralized location.

A new telecommunications feature developed harnessing the computing power of the computerized digital switches would provide an opening to facilitate direct access to the switch itself. Conference calling, in which multiple parties could participate in a single telephone conversation, provided the avenue for simplified telephone wiretapping. “Digital telephone switches, such as AT&T’s ESS series and Northern Telecom’s DMS–100,” offered a conference call capacity which enabled wiretapping, with the wiretapper serving as a silent party to the conversation [4]. Law enforcement seized upon this capability and quickly realized they wanted to monitor many more conversations than the conference calling technology permitted.




Impressed with the power and ease of centralized wiretapping facilitated by digital telephone switches, the FBI began a campaign in the early 1990s to enhance its capacity to engage in electronic surveillance. Sought was a means to set standards for digital telecommunications equipment that would expand upon the teleconferencing capability extant in the new generation of computerized switches.

The FBI initiated, “a massive lobbying effort,” in support of the Digital Telephony Proposal, new wiretapping legislation designed to facilitate wiretapping of digital telecommunications [5]. The Bureau argued that new telecommunications technologies including digital transmission systems and fiber optics, “‘make it increasingly difficult for government agencies to implement lawful orders or authorizations to intercept communications in order to enforce the laws and protect the national security.’” Department of Justice officials were arguing that new technology would ultimately eliminate their capacity to engage in wiretapping. Asked by the AP for comment on the proposal, Justice Department spokesman Paul McNulty refused (Associated Press, 1992) [6].

At the time of the introduction of digital wiretapping legislation, the number of wiretaps undertaken was rather modest. Questioned regarding the number of wiretaps conducted by law enforcement, the FBI admitted, “there were 1,083 court–authorized wiretaps — both new and continuing — by Federal, state, and local law–enforcement authorities in 1990,” the last year from which records were publicly available at the time of the statement (Ramirez, 1992a). The Bureau’s argument was essentially one that emerging technology would diminish its capacity to engage in telephone wiretapping; however, industry was not without reservation on the matter. “‘We have grave concerns about these proposals,’” an AT&T representative stated, adding that those concerns primarily derived from the potential of the proposed initiative to stifle innovation and raise customer costs (Mintz, 1992). As one editorial argued, the initial draft by the FBI and DOJ to adapt wiretapping technology to the digital telecommunications was deeply flawed.

“The department’s proposal is to require the Federal Communications Commission to establish such standards for the industry ‘as may be necessary to maintain the ability of the government to lawfully intercept communications.’ Any technology now in use would have to be modified within 180 days, with the costs passed on to the rate payers. Any new technology must meet the suitable–for–wiretap standard, and violators could be punished by fines of $10,000 a day. As a final insult, commission proceedings concerning these regulations could be ordered closed by the attorney general ... We believe, as the industry suggests, that the kind of informal cooperation between law enforcement agencies and telecommunications companies that has always characterized efforts in the past, is preferable to this stifling legislation.” (Washington Post, 1992)

Some questioned the value of or need for new legislation regarding digital wiretapping. One anonymous source stated, “‘The FBI already has a lot of technology to wiretap digital lines,’” and went on to describe Canadian firm Mitel’s “brief–case” size digital wiretap decoder. With the capacity to convert digital data to audible signal, the Mitel device could listen in on up to 36 lines, while a larger version was envisaged to hold the capacity to monitor up to 1,000 (Ramirez, 1992b). Drawing fire from civil libertarians and the telecommunications industry, the DOJ continued to brief Congress on the subject of new wiretapping capabilities.

With a new administration in the White House, the FBI once again sent forward a draft proposal for the Congress. Under a suggested title of the “Digital Telephony and Communications Privacy Act of 1994,” again the case was made for extended wiretapping legislation. The authors addressed the civil libertarians, stating, “nothing herein is intended to enlarge or reduce the government’s authority to lawfully intercept the content of communications or install or use pen register or trap and trace devices.” However, legal review of the proposed statute argued that one provision “would create an immensely powerful tool for message traffic analysis, which has significance wholly independent of the ability to capture the content of communications” (Godwin, n.d.).

In a seesaw battle to convince Congress of the importance of new telecommunications monitoring legislation, FBI Director Louis Freeh made repeated visits to the Hill to lobby on its behalf. “Mr. Freeh had devoted considerable personal time to lobbying for the bill and made it his agency’s highest legislative priority. He repeatedly argued that the F.B.I. could not fight crimes like terrorism, espionage and international drug dealing if telephone technology continued to outpace eavesdropping abilities” (Chartrand, 1994). After approval by the House and Senate, Bill Clinton signed into law a revised proposal entitled the Communications Assistance for Law Enforcement Act of 1994 (CALEA). Among other things, “CALEA put government right in the middle of the process of designing telephone switches.” [7]

Counsel from the Center for Democracy and Technology summarized the intent of the legislation in remarks before the Federal Communications Commission in 1998.

“CALEA was intended to preserve a minimum law enforcement surveillance capability in the face of technological change. It was not intended to serve as the basis for mandated expansions in that capability. It was enacted by Congress in response to FBI claims that new technologies would soon make it ‘virtually impossible’ to carry out wiretaps. In the words of FBI Director Freeh, CALEA was intended to preserve the electronic surveillance capability ‘as it has existed since 1968’.” (Dempsey, et al., 1998)



Computer–enabled listening

With access to the switches, wiretapping becomes less labor intensive. The problem then becomes one of knowing what to listen for. In intelligence, collectors haul raw intelligence for analysts to sift through. For old–style wiretapping, this translated to the analysts spending massive quantities of time listening to recorded conversations or in cases of considerable time–sensitivity listening to the line in real time. The more listening desired, the more listeners are needed.

To enable massive listening on a broad scale with only a limited pool of listeners begs for a technical solution to take a first pass at the raw intelligence haul and provide some cues for human analysts in getting to valuable pieces of information. The answer to this problem resides in Automatic Speech Recognition (ASR) technology. A field gradually moving toward maturity, speech recognition has enormous presumed utility in identifying keywords in spoken communication. While the discourse on the value of speech recognition in law enforcement is fairly well worn, assessing the efficacy of the technology in this role is largely an unknown. Commercially available products from companies large (IBM) and small (Dragon) indicate many of the pluses and minuses of attempting to interface the computer with the human voice. A simple choice from a customer service menu may be relatively simple for a computer to process, but asking for higher–level thinking, to hear, for instance, nuance or metaphor, is far more complicated.

Looking to the National Security Agency, the secretive electronic surveillance component of the intelligence community, hypothetical capabilities came to light with an article from a former Director of Central Intelligence revealing NSA’s Echelon program. NSA used Echelon, “to search through collected signals intelligence (SIGINT), using key words via a computer,” allowing, “more material to be searched and exploited.” [8] This capability, previously imagined, but never publicly acknowledged, barring Freedom of Information Act (FOIA) releases, gave strong indication that the United States government held the capability to use computers to listen in on phone conversations in an effective manner (Zeller, 2000).

A decade after the Echelon revelation, speech recognition technology has proliferated widely in the global marketplace and continues to approach and possibly surpass human listener comprehension in some parameters (Namarvar, et al., 2001). Commercialization of the technology has touched activity from corporate call centers to instant translation devices, while Silicon Valley’s obsession with software able to link advertising with human behavior has migrated from Web browsing to Voice over Internet Protocol (VoIP) phone calls with the technology created by a software startup with the moniker Pudding Media (Story, 2007) [9]. Interesting is the idea that the company’s product is built on consent to digital monitoring in exchange for no–cost calling.

Although ASR continues to improve, with research producing, “the world’s first machine system that can recognize spoken words better than humans can,” the applicability of ASR to wiretapping may largely be of passing interest (Mankin, 1999). Increasingly, telephone conversations are converted from analog to digital format further from the telecommunications switch and closer to the telephone itself. This renders the task for the eavesdropper as not one of speech recognition, but rather one of digital pattern recognition. Instead of listening to a conversation, the packets making up the conversation must be collected and reassembled. With the Internet as a growing element in the placing of phone calls, eavesdropping changes (Williams, 2006).



And the Internet too?

VoIP, or Voice over Internet Protocol, is a means for transmitting two–way voice communications via the Internet. The FCC offers a plain English definition of the technology:

“VoIP services convert your voice into a digital signal that travels over the Internet. If you are calling a regular phone number, the signal is converted to a regular telephone signal before it reaches the destination. VoIP can allow you to make a call directly from a computer, a special VoIP phone, or a traditional phone connected to a special adapter.” (FCC, 2008)

Over the past decade VoIP services have commercialized the concept of employing the Internet to place phone calls. In fact, “using Internet telephony, almost anyone can be a telecommunications carrier, including Google, Skype, Vonage and Yahoo, to name just four [phone] companies that did not exist in 2004” (Upson, 2007).

Decades before, after the initial ARPANet nodes were linked together, its users began toying with the concept of transmitting voice over their fledgling network. Spearheaded by Danny Cohen, an engineer at the University of Southern California’s Information Sciences Institute, a protocol for voice transmission, Network Voice Protocol (NVP) was designed “to develop and demonstrate the feasibility of secure, high–quality, low–bandwidth, real–time, full–duplex (two–way) digital voice communications over packet–switched computer communications networks” (Cohen, 1976). With the NVP Request For Comment (RFC), the groundwork was put in place on which to build Internet telephony. More than twenty years would pass before it would find a major user base beyond the telecommunications research community.

In the mid–1990s frenzy of Internet–connectedness the concept of Internet–enabled phone calls re–emerged. Two major shifts had occurred in the landscape since Cohen wrote his RFC. The first had to do with the availability of computing power at more affordable costs. Between 1976 and 1996 Moore’s Law had cycled through the doubling of computer processing power at the same price in eighteen months more than six times. Across a twenty–year span, Intel went from producing its 8080–processor performing operations in the vicinity of 2–3 MHz, to the 150 MHz Pentium microprocessor. What had been considered mainframe computer performance in the 1970s was available on the desktop by the mid–nineties.

Another major development occurred in the connectedness of these increasingly powerful computers. By the 1990s, ARPANet had migrated from a Department of Defense research tool to an increasingly utilized scientific collaboration network now under the control of the National Science Foundation following NSF’s development of civilian research computing centers at Princeton, Cornell, the University of Pittsburgh and the University of California — San Diego. What had once been a defense–only research network available only to universities and other research institutions funded by the DoD, became a system connecting an increasingly larger slice of American academia. Spirited forward with the passage of the High Performance Computing Act (HPCA) of 1991, the so–called “Gore Bill” was described by President George H.W. Bush as, “part of an overall strategy, advanced by this administration to enhance our competitiveness” (G.H.W. Bush, 1991).

The HPCA’s mandate for the NSF charged it with creating, “the establishment of a national multi–gigabit–per–second research and education computer network by 1996” (U.S. Senate, 1991). Long before 1996, the National Science Foundation Network (NSFNet) had been set loose and opened for commercial activity. A series of commercial acquisitions stretched over the period in which the fledgling Internet caught on. In 1989, UUNet, a non–profit created to service the ever–growing needs of the nascent Internet only two years before, became a for–profit company as the number of computers connected to the network edged past 100,000. By 1996, when the company was sold for some US$2 billion, the number of Internet–connected computers would jump to more than 12 million. Sold again to Mississippi–based WorldCom for US$12.4 billion only two years later, the number of connected computers, or hosts, had more than tripled. Within the year, WorldCom would merge with MCI in a US$37 billion deal. Almost overnight, the Internet business grew to a size and value competitive with other sectors in telecommunications.

What this flurry of commercial activity rapidly built out was the information infrastructure envisioned in the Clinton–Gore campaign slogan, “the Information Superhighway.” In parallel with digitization of the telephone network overseen by the Regional Bell Operating Companies (RBOCs), the Internet grew up almost overnight, with MCI WorldCom owning the biggest switches designed to route Internet traffic. These super switches, known as Metropolitan Access Exchanges (MAEs), are the key interchange points on the Internet. Like the central switching operations of the RBOCs, the MAEs direct massive amounts of traffic, formatted in packet–sized data rather than phone calls (Gross, 2003).

With widespread adoption of VoIP, wiretapping is no longer the domain of the telephone company. American consumers have flocked to VoIP services in increasing numbers, with the business growing to US$10 billion by 2007. It has been a vehicle for new entrants in the telecommunications market, chiefly cable television companies, competing head–to–head with the RBOCs for home telephone consumers. In return the RBOCs have looked to VoIP as the likely successor to their existing computerized switching infrastructure. “As telephony, both traditional and cable, continue to utilize IP communications technology, the VoIP market as a separate business strategy will continue to disappear” (New Paradigm Resources, 2008). In conducting telephone wiretapping, CALEA’s grab on telecom switches has become irrelevant. VoIP has changed the business of electronic surveillance.

CALEA allowed law enforcement to simplify its task of opening and closing wiretaps. However, the telecommunications marketplace is very dynamic. In the decade following CALEA’s enactment, the number of VoIP users went from zero to millions in the United States alone. With the growth of broadband Internet connections, from roughly 10 broadband subscriptions per one hundred inhabitants in the U.S. in 2003 to more than 20 per one hundred by 2007, the potential user base for VoIP doubled (OECD, 2007; 2003). But this is not the whole picture in the world of digital communications. In the converging world of IT, the phone call is but one avenue for communication. New modes for relaying information continue to proliferate as e–mail begets online chat, which in turn begets Web video conferencing and Web 2.0’s social networking Web sites. Wiretapping is not simply listening to the phone. Effective wiretapping is Web tapping, listening to (and reading and watching) everything transmitted in digital form.



Why listen?

It was no surprise that adversaries of the United States — be they major nation states, transnational terrorist networks or criminal syndicates — would seek to use the same information technologies upon which they could leverage their “information edge.” Indeed, to borrow from one military officer’s assessment, “We can say with some certainty, al–Qaeda loves the Internet.” It offers, at minimal cost, connectivity with a robust, global communication system able to easily handle the message traffic of its distributed organization. “Evidence strongly suggests that terrorists used the Internet to plan their operations for 9/11. Computers seized in Afghanistan reportedly revealed that al–Qaeda was collecting intelligence on targets and sending encrypted messages via the Internet.” Even after 9/11, “al–Qaeda cells operating in America reportedly were using Internet–based phone services to communicate with cells overseas.” [10]

It is worth visiting the organizational structure of terror networks to better understand the incredible value of distributed communications to those networks. Command and control for terror groups functions differently than in the highly hierarchical bureaus of government and military services in the United States or elsewhere. Responsibility, resources and operational authority are all distributed. Prominent leaders may exist, but they lead rhetorically rather than calling the shots as a four–star general or cabinet–level secretary would. The unit of action is the semi–autonomous cell, fueled by the messages of their leadership, but not necessarily managed by them.

“The same way that Americans look at Jessica Simpson or Bruce Springsteen and the young Americans lionize these people and worship them as heroes. There are those in the radical fundamentalist community, youths, who do the same thing with Mohammed Atta, with Osama bin–Laden, with Abu–Musab–al–Zarqawi. These are their heroes.” (Kohlman, 2005)

As the Internet impacts popular culture and challenges broadcast and mass media paradigms in the West — subverting established structures for reporting news and selling music, for example — so too it affects international politics. It is the vehicle of consciousness for the non–governmental organization (NGO) sector and was instrumental in the grassroots global effort to ban anti–personnel land mines (Duran, 1998). Not surprisingly, “The great virtues of the Internet — ease of access, lack of regulation, vast potential audiences, and fast flow of information, among others — have turned to the advantage of groups committed to terrorizing societies to achieve their goals” (Weimann, 2004). Although some Islamist jihadist leaders “condemned the Internet as ‘a Jewish conspiracy,’” the technology caught on quickly due to its enormous reach as “a vehicle for propaganda, proselytizing and indoctrination” (Lia, 2006). Furthermore, “Without the Internet, the extreme fragmentation and decentralization of the jihadi movement into a still functioning global network just would not be possible” (Ariza, 2005).

Understanding how the spread of ideas via the Internet leads to action follows an unusual pathway (Lia, 2006). The terror organization may not necessarily draft grand designs for its campaign of attacks, pass those plans to operatives and then send a clandestine “go” code to sleeper agents lying in wait. Regarding al–Qaeda, “As far as one can make out, our knowledge about who makes the operational decisions and how they are made in choosing Western targets for attack is nonexistent.” [11] More persuasive is this view, characterizing an attack with deep political ramifications for the U.S.–led coalition engaged in military operations in Iraq. Anthropologist Scott Atran makes a persuasive argument on this front:

“I think we can expect more independent attacks by autonomous groups because of the Internet ... Atran cites the Madrid train bombings on March 11, 2004, as a good example: a computer of one of the attackers showed evidence of systematic downloading from the same site that delivered a document entitled “Jihadi Iraq: Hopes and Dangers,” which circulated on the Net some months before the massacre. Among other charges the document called for attacking Spain to force a withdrawal of the nation’s troops from Iraq.” [12]

An invaluable tool for organizing, fund–raising, and communicating, the Internet has served trans–national terrorism well. Thus, it stands to reason that the government agencies covering signals intelligence, the National Security Agency (NSA) in the case of the United States, would seek to better cover the information space, from phone calls to e–mail, Web pages to online videos. For an intelligence establishment created to pull back the veil and peer inside the Iron Curtain when human spy networks were rolled up with surprising ease by Soviet counterintelligence forces, the new tasking is to watch, read and listen for cues emanating from al–Qaeda and its regional franchises, largely on the Internet.



Deaf in plain sight

Assessing the intelligence haul of what has traditionally been the most secretive of the agencies forming the United States Intelligence Community is a task left to a select few inside the United States government. Inside critiques rarely emerge from NSA’s campus at Fort Meade, Maryland, and when they do, they are almost certain to be given to the Fourth Estate on condition of anonymity. Little more than a year after the 9/11 attacks, before the National Commission on Terrorist Attacks was formally established, doubts regarding NSA’s capabilities surfaced. It was unclear then, and it remains unclear how well the agency that had successfully tapped into the Soviet telephone network during the tense years of the early 1980s had adapted to its new targets. One unnamed intelligence official opined on the NSA’s signals intelligence haul after September 11. “‘I have been privileged to listen to this stuff,’ the official said, ‘and a lot of it is crap.’” (Diamond, 2002).

Creator of Echelon, the eavesdropping system of almost mythical power, the NSA apparently has struggled to migrate from its Cold War footing and target. As the inquiry into the 9/11 attacks began, William Safire opined that the agency’s “Big Ear” had gone deaf, thwarted by, “readily available encryption technology and fiber–optic cables.” (Safire, 2002) How had the Agency so adept at peering inside the Soviet Bloc come to such trouble?

During the cold war, eavesdropping on unencrypted Russian communications was a relatively simple task since the Soviet military was easy to locate and they communicated endlessly over known communication channels. But in the post-9/11 world, the N.S.A. is faced with the flip side of the coin. Members of Al–Qaeda and other terrorist groups operate in small cells hidden throughout the world, communicate infrequently and often with untraceable phone cards over random pay phones. E–mail messages are sent using anonymous computers, servers and screen names in libraries, copy shops or other public places. It is little surprise, therefore, that the last time the N.S.A. was able to eavesdrop on Osama bin Laden was in 1998, three years before the [9/11] attacks (Bamford, 2002).

As the developer and builder of the switches, routers, servers and other hardware, along with most of the computer software, which allows the Internet to function, it is somewhat frustrating that the United States’ signals intelligence agency might have trouble in culling actionable intelligence from millions of “phone calls, e–mail messages, faxes and other types of communications every hour” (Bamford, 2002). Beyond pure volume, the convergence of different communications technologies presents new problems as they move toward Internet standards. “‘The Internet presents two main challenges ... One is it’s ubiquitous — you can access it from just about anywhere in the world. The other thing is you can be easily hidden.’” (Stellin, 2002).

Problematic is the enormous growth in potential avenues for communication provided by digital technologies. Whereas CALEA tremendously simplified wiretapping for U.S. law enforcement, the proliferation of communication technologies has largely erased that edge. Although CALEA now applies to VoIP providers, “the U.S. Federal Bureau of Investigation has asked that it eventually be extended to all Internet–based communications” (Upson, 2007). But is listening in on the Internet really legally permissible? Certainly, these issues illuminate the debate on warrant–less wiretaps.

CALEA gave law enforcement access to centralized switching resources; however, in the world of decentralized Internet communications, that high ground shifts away. Internet Protocol (IP) transmissions may scatter packets widely in transmitting an e–mail or completing a VoIP call. The eavesdropper is not connecting the alligator clips to the phone line as he did in the 1920s, or even able to use the phone company’s centralized switch.

“In theory — though less so in practice — each packet of a VoIP call can use a distinct path to reach its destination. This is the first problem that Internet wiretapping poses. On the Internet, routing control is distributed. It’s impossible to determine a priori the routing of packets the communication is broken into — this is determined by the routing tables, which change depending on network traffic. Thus, unless the communication is tapped at the endpoints (at the user, or at the Internet service provider if the user always accesses the same provider), it’s impossible to guarantee 100 percent access to all communications packets.” (Landau, 2005)
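Landau's point about distributed routing can be made concrete with a small simulation. This is an added example, not part of the original paper: the five-node topology, the link costs and the rotation of costs per routing epoch are all constructed assumptions standing in for routing tables that change with traffic. It measures what share of a call's packets each possible monitoring point actually sees.

```python
import heapq

CORES = ["core0", "core1", "core2"]  # constructed backbone routers


def shortest_path(graph, src, dst):
    """Dijkstra over {node: {neighbor: cost}}; returns the node list src..dst."""
    dist, prev = {src: 0}, {}
    heap = [(0, src)]
    while heap:
        d, node = heapq.heappop(heap)
        if node == dst:
            break
        if d > dist.get(node, float("inf")):
            continue  # stale heap entry
        for nxt, cost in graph.get(node, {}).items():
            nd = d + cost
            if nd < dist.get(nxt, float("inf")):
                dist[nxt], prev[nxt] = nd, node
                heapq.heappush(heap, (nd, nxt))
    if dst not in dist:
        raise ValueError("destination unreachable")
    path = [dst]
    while path[-1] != src:
        path.append(prev[path[-1]])
    return path[::-1]


def topology(epoch):
    """Constructed topology: caller -> isp_a -> one of three cores -> isp_b -> callee.

    The cost of each isp_a->core link rotates with the routing epoch, so the
    cheapest core (and therefore the chosen route) changes over time.
    """
    graph = {"caller": {"isp_a": 1}, "isp_a": {}, "isp_b": {"callee": 1}}
    for i, core in enumerate(CORES):
        graph["isp_a"][core] = 1 + (i + epoch) % 3
        graph[core] = {"isp_b": 1}
    return graph


def tap_coverage(num_packets=300, packets_per_epoch=50):
    """Fraction of the call's packets that traverse each candidate tap point."""
    seen = {node: 0 for node in ["isp_a", *CORES, "isp_b"]}
    for n in range(num_packets):
        route = shortest_path(topology(n // packets_per_epoch), "caller", "callee")
        for node in route:
            if node in seen:
                seen[node] += 1
    return {node: count / num_packets for node, count in seen.items()}


if __name__ == "__main__":
    for node, share in tap_coverage().items():
        print(f"{node:6s} sees {share:.0%} of packets")
```

In this constructed network the access providers at either end see every packet, while each backbone router sees only the packets sent during the epochs in which it lay on the cheapest route.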

This theoretical view regarding the impossibility of tapping the Internet does not appear to have daunted the U.S. intelligence community, however (Gorman, 2008b). Although developing CALEA–like surveillance capabilities has been generally dismissed as overwhelming by intelligence watchers and engineers alike, at least one finger squarely points to the NSA’s attempt to get a big picture view of the Internet. Mark Klein, a retired technician with 22 years with AT&T, “alleged that the NSA set up a system that vacuumed up Internet and phone call data from ordinary Americans,” in a “secret room” run out of the company’s San Francisco telecommunications center. Klein alleges that the NSA installed splitters, “glass prisms that split signals from each network into two identical copies. One fed into the secret room, the other proceeded to its destination” (Klein and Nakashima, 2007). Klein claimed that the NSA was copying Internet traffic and running that traffic through a Narus STA 6400, a device reputedly able to conduct semantic traffic analysis, in other words, to understand, to some degree, the contents of the messages it analyzed (Kline, 2005).

Klein’s accusations gave credence to those voicing concern over the NSA’s role in monitoring digital communications. If he is to be believed, the NSA attempted to engage in systematic surveillance of all Internet traffic transiting the United States. “Foul!” cried civil libertarians and legal scholars fearful of unfettered domestic surveillance (American Civil Liberties Union, 2008). The NSA and other agencies of the intelligence community operate under clear rules with regard to domestic operations. Unfortunately, re–interpreting these rules for cyberspace is confounded by the immense difficulty in establishing sovereignty within it. With al–Qaeda affiliate Web pages hopping from country to country with each switch of ISP, tracking the end points of communications is inherently international, while at the same time inherently domestic (Kimmage, 2008). Jurisdiction may change as quickly as the Internet’s routing tables do.

Openly available policy covering the network intelligence role, what the NSA has called Digital Network Intelligence, is, as would be expected, limited. Much may be gleaned as to future intentions from publicly available strategic planning emanating from the agency. Recognized is the need to, “master and operate in the global net of tomorrow.” [13] That was a vision statement drafted for an agency covering signals intelligence portfolios including only foreign targets and protection of the U.S. government’s secure computing systems, but also one that recognized the change afoot in its mission area.

“(C) In the past, NSA operated in a mostly analog world of point–to–point communications carried along discrete, dedicated voice channels. These communications were rarely encrypted, and those that were used mostly indigenous encryption that did not change frequently. Before the arrival of fiber optic technology, most of these communications were in the air and could be accessed using conventional means; the volume was growing but at a rate that could be processed and exploited.

(C) Now, communications are mostly digital, carry billions of bits of data, and contain voice, data and multimedia. They are dynamically routed, globally networked and pass over traditional communications means such as microwave or satellite less and less. Today, there are fiber optic and high–speed wire–line networks and most importantly, an emerging wireless environment that includes cellular phones, Personal Digital Assistants and computers. Encryption is commercially available, growing in sophistication, and packaged in off–the–shelf computer software. The volumes and routing of data make finding processing nuggets of intelligence more difficult. To perform both its offensive and defensive missions, NSA must ‘live on the network.’” [14]

If Mr. Klein’s allegations are to be believed, has the agency successfully met its internal mandate? Perhaps. But what of the NSA’s other major role, that of protecting computer networks?



And defending cyberspace too

If scanning the digital communications of the world’s telecommunications grid for actionable intelligence information isn’t enough work for any government agency, then protecting that telecommunications grid along with every important piece of national infrastructure connected to it fills the plate considerably. Under the provisions of Executive Order 12333, the NSA has been assigned both signals intelligence and communications security. Through the lens of the Reagan administration, whose staffers drafted the order to meet the late Cold War security environment, this covered signals, in the form of phone calls, telegrams, missile telemetry, essentially any microwave, radio or satellite transmission to be had, and the protection of military and diplomatic communications, primarily by cryptographic means. Currently, because of technology and a changed national security environment, the roles are up for re–definition.

Perceived, by some, as a potential Achilles’ heel for the United States, the potential for cyber–attacks to severely disrupt the function of the U.S. economy, its government and even military forces, has drawn the attention of policy–makers, but clear assessment of risk remains elusive (Schell, 1979). Attacks perpetrated via the Internet, conducted by the shadowy cadre of computer hackers, are either a mortal threat to the nation’s security, potentially an “Electronic Pearl Harbor,” or simply “weapons of mass annoyance.” Opinions vary widely on this. Former White House cyber–security czar Richard Clarke sees great potential vulnerability (Clarke, 2004) while the Center for Strategic and International Studies’ expert on the topic argues that, “‘The idea that hackers are going to bring the nation to its knees is too far–fetched a scenario to be taken seriously’” (Schachtman, 2002). Nonetheless, policy moves forward on the drive to protect the Internet from hackers, whether teenage electronic joy–riders or the well–trained, disciplined agents of the national intelligence agencies of foreign powers.

What the cyber–security mission holds in common with the electronic surveillance mission is the need to watch the network. Indeed, in learning if a computer network has been penetrated and is being used for unauthorized purposes, a best practice is employment of an Intrusion Detection System (IDS) designed to watch the flows of packet–ized data for anomalies. At the national policy level, concerns for protection of networks responsible for the function of critical infrastructure appear to hold a dominant position in contemporary policy agenda. In his “reverse Manhattan Project” plan for national cyber–security, Department of Homeland Security Secretary Chertoff observes that “power grids, water treatment facilities, financial institutions, all use computer systems and software to operate, so we have to coordinate closely to ensure the systems that are making our infrastructure assets more efficient do not also expose them to vulnerabilities that a terrorist could exploit” (Chertoff, 2005). He speaks to the Electronic Pearl Harbor constituency, making his case that terrorists could poison the water supply, turn out the lights or crash airliners.

More likely is just what the U.S. intelligence community attempts to do every day: employ the Internet and information technology to collect useful intelligence. For the NSA, this is its Digital Network Intelligence (DNI) mission, but when someone else is doing the spying it usually is labeled cyber–espionage. Given code words like Byzantine Foothold (Grow, et al., 2008) and Titan Rain (Lewis, 2005) by the Pentagon, the typical cyber–attack is not one that shuts off the lights, but rather emplaces clandestine software on the targeted network, which begins copying data off of the network to another location. This “malicious agent” software application, which covertly pulls data from a targeted network, represents much of what the NSA is trying to do on the collection side, while the protection side of the house tries to thwart it. The agency has evolved from code–making and code breaking to network penetration and network protection missions, under the headings of “signals intelligence” and “information assurance.” [15]
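The flow watching described above can be sketched as a detector for the data-copying behaviour this paragraph describes. This is an added example, not from the original paper: the flow records, host names and documentation-range addresses are constructed, and the robust baseline (median and median absolute deviation) is one common choice, not a method the paper specifies.

```python
from collections import defaultdict
from statistics import median


def build_constructed_flows():
    """Constructed sample data: (hour, internal_host, external_dst, bytes_out)."""
    flows = []
    for h in range(24):
        # Two workstations with steady, slightly varying outbound volume.
        flows.append((h, "ws-17", "198.51.100.10", 40_000 + (h * 7919) % 20_000))
        flows.append((h, "ws-22", "203.0.113.5", 200_000 + (h * 4729) % 50_000))
    # Hour 24: ws-17 keeps its usual traffic and also pushes a large volume to
    # a destination it has never contacted; ws-22 behaves normally.
    flows.append((24, "ws-17", "198.51.100.10", 45_000))
    flows.append((24, "ws-17", "192.0.2.77", 250_000_000))
    flows.append((24, "ws-22", "203.0.113.5", 230_000))
    return flows


def robust_score(value, history):
    """Deviation of value from the history's median, in MAD-based sigma units."""
    med = median(history)
    mad = median(abs(x - med) for x in history)
    # 1.4826 scales MAD to a standard deviation for normal data; the floor
    # avoids division by zero when the history is perfectly flat.
    scale = max(1.4826 * mad, 1.0)
    return (value - med) / scale


def detect_outbound_anomalies(flows, min_history=8, threshold=6.0):
    """Flag host-hours whose outbound volume far exceeds that host's baseline."""
    per_hour = defaultdict(lambda: defaultdict(int))  # host -> hour -> bytes
    dsts = defaultdict(lambda: defaultdict(set))      # host -> hour -> {dst}
    for hour, host, dst, nbytes in flows:
        per_hour[host][hour] += nbytes
        dsts[host][hour].add(dst)

    alerts = []
    for host in sorted(per_hour):
        history, seen = [], set()
        for hour in sorted(per_hour[host]):
            total = per_hour[host][hour]
            if len(history) >= min_history:
                score = robust_score(total, history)
                if score > threshold:
                    alerts.append({
                        "host": host,
                        "hour": hour,
                        "bytes_out": total,
                        "score": round(score, 1),
                        # Destinations this host had not used before raise
                        # the priority of a volume alert.
                        "new_destinations": sorted(dsts[host][hour] - seen),
                    })
                    continue  # keep the anomalous hour out of the baseline
            history.append(total)
            seen |= dsts[host][hour]
    return alerts


if __name__ == "__main__":
    for alert in detect_outbound_anomalies(build_constructed_flows()):
        print(alert)
```

Only flow metadata (who sent how much to whom, and when) is used here, not message content, which is the same distinction the paper draws between pen-register style data and the contents of a communication.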

It is no secret that the U.S. government buys the same Microsoft Windows/Intel x86 (Wintel) computers that most Americans, and indeed, most of the world buys (Lohr, 1998). The record of security failings of the Wintel platform has caused Microsoft to dramatically rethink the security of its software including operating systems (Howard and Lipner, 2003). Up for debate now is how the U.S. government can aid in securing the commercially available computer systems used in all sectors of society. But assessing the magnitude of the problem, the debate “Electronic Pearl Harbor” versus “weapons of mass annoyance,” has not produced a consensus point for policy. We can be reasonably sure that a cyber–attack has yet to kill anyone in the United States, so that moves attention to financial costs. Measuring the economic impact of cyber–attacks is also difficult, for reasons falling into two general categories. “First, there are strong incentives that discourage the reporting of breaches of information security. Second, organizations are often unable to quantify the risks of cyber–attacks they face, or even to set a dollar value on the cost of attacks that have already taken place.” [16] All of this uncertainty does, however, present a terrific environment for upward trends in computer security spending as reported by the most exhaustive industry survey regarding organizational information security activities (Richardson, 2007).

In response to its difficulties in developing software able to stand up to cyber–attack, Microsoft went to the NSA to assess the vulnerability of its Vista operating system. The head of the NSA’s vulnerability and analysis group acknowledged aiding the company, adding, “Our intention is to help everyone with security” (Nakashima, 2007). Despite the trouble in discerning a clear picture on the nation’s cyber–vulnerabilities, the NSA acknowledges entering into a broader role in combating a problem, which may, according to the CSI Survey, be gradually improving with greater awareness and technical investment (Richardson, 2007).

Although still classified in its entirety nearly two decades after its enactment, National Security Directive (NSD) 42 built on Executive Order 12333 in further detailing the NSA’s responsibilities with regard to information security. At root, NSD 42 covers the security of national security systems; the information systems used to create, transmit and store information classified at the confidential, secret and top secret levels. At core, it lays out the responsibilities of the director of the NSA. As the National Manager for National Security Telecommunications and Information Systems Security, the NSA director is to (among other things):

“Examine U.S. Government national security systems and evaluate their vulnerability to foreign interception and exploitation. Any such activities, including those involving monitoring of official telecommunications, shall be conducted in strict compliance with law, Executive Order and implementing procedures, and applicable Presidential directive.” (G.H.W. Bush, 1990).

But with the broadening definition of what may, or may not, constitute critical infrastructure, rather than sticking to the task of safeguarding only computer systems used by the United States Government to handle classified information, the NSA is increasingly asked to move beyond its traditional terrain. Much like the case of eavesdropping only in foreign intelligence, the position of only covering security for the classified domain appears to be creeping to other areas.

Since its establishment in November 2002, it was envisaged that the Department of Homeland Security (DHS) would assume responsibility for protecting the greater national information network infrastructure in line with Presidential directive (G.W. Bush, 2003b). Through the next five years, DHS was roundly criticized for its inability to gain traction on the cyber–security front, embarrassingly scoring near the bottom of Representative Tom Davis’ computer security report card for Federal agencies (Davis, 2007), although some critics have questioned if the entire basis for the report card, the 2002 Federal Information Security Management Act (FISMA), provides accurate criteria for measuring performance (Fountain, 2007). With DHS foundering and the best expertise on information security contained in the NSA, the Bush Administration generated new policy to protect the information piece of the nation’s critical infrastructure.



The cyber initiative

For more than a decade, the United States Government has attempted to construct policy capable of protecting its interests in cyberspace. A still undisclosed presidential order, signed into effect on 8 January 2008, issued a directive, “that expands the intelligence community’s role in monitoring Internet traffic to protect against a rising number of attacks on federal agencies’ computer systems” (Nakashima, 2008). National Security Presidential Directive 54/Homeland Security Presidential Directive 23 is reputed to cover the administration’s “cyber initiative,” a policy intended to protect government computer networks from outside penetration. While the contents of NSPD54/HSPD23 remain classified, that has not prevented the press from speculating on its provisions. News reports claimed that the cyber initiative would involve bringing the NSA’s considerable information security capabilities to the defense of a larger set of networks than the national security networks specified under NSD 42. According to one anonymous NSA source, “The NSA’s new domestic role would require a revision of the agency’s charter,” as the new initiative would tap the agency to cover substantially more terrain. Assigned, “to guard the government’s classified networks — not the unclassified networks that now are the responsibility of other federal agencies,” the collaborative information security task with Homeland Security would move far beyond simply classified networks (Gorman, 2007a). Of interest is to know exactly how far.

As stipulated under NSD 42, the NSA’s defensive role prior to the executive directive bringing into effect the cyber initiative was in protecting the classified information systems employed by government to create, store and transmit information at the confidential, secret and top secret levels. Agencies handling classified information worked by rules established and overseen at the NSA (G.H.W. Bush, 1990). For unclassified material, agencies handled security themselves, largely guided by directives from the National Institute of Standards and Technology. Even after enactment of the Federal Information Security Management Act (FISMA) of 2002, information security issues rested with each agency (General Accounting Office, 2004). Speculation regarding NSPD54/HSPD23 would indicate that, in partnership with Homeland Security, the NSA will take a greater role in guarding unclassified government networks.

Providing justification for the plan to ramp up cyber–security, Homeland Security officials noted a rise in attacks on government and private networks, from 4,095 in 2005 to 37,258 in 2007. Cause for concern was also attributed to a monitoring activity for cyber–attacks conducted under the title Byzantine Hades (Gorman, 2008a). Concerns for this area, that, for example, terrorists could attack the computer systems of a nuclear power plant or spies, usually Chinese, would penetrate a sensitive computer network and steal military secrets, have circulated for nearly as long as the Internet has been widely available (Greenberg, 2007; Sevastopulo, 2007). Despite being overshadowed to a degree by the hugely violent techniques of trans–national terror organizations, the cyber–security issue remains prominent.

While this is speculative, a hard line may not even be drawn at unclassified government systems, but may extend also to those who supply government with services and hardware. “Privatization and outsourcing as public–policy initiatives have spread rapidly in the 1990s, locally, nationally and globally.” [17] This is due to the proliferation of contracting engagements in which outside contractors connect, by various means, to U.S. government computer networks. In the provision of IT services, the government has increasingly sought integrators and vendors holding the array of talent necessary to support its missions on a contractual basis rather than standing up development shops of its own (Berteau, 1998). This is an area that continues to grow with great vigor (Wait, 2002). In other areas in which the government picks up the tab, such as scientific research conducted by both corporations and on university campuses, a demand may exist to secure information systems from unauthorized access. The challenge then is in establishing firm boundaries for the cyber initiative, a secret mandate that ostensibly covers potentially immense quantities of unclassified data. Does it cover all government networks? What about those of contractors or subcontractors? How about those of the companies who create computer hardware and software purchased off–the–shelf by government agencies (Greenberg, 2008)? What emerges is a heavy order for the nation’s signals intelligence establishment.

These questions underscore the point that the United States’ cyber–defense policy should be clearly stated, as the cyber area will continue to grow in utility both in the conduct of espionage and conflict. Unfortunately, the national cyber–security initiative is anything but an open book. As the Senate Armed Services Committee states, policy on this initiative is almost entirely absent from public view.

A chief concern is that virtually everything about the initiative is highly classified, and most of the information that is not classified is categorized as “For Official Use Only.” These restrictions preclude public education, awareness, and debate about the policy and legal issues, real or imagined, that the initiative poses in the areas of privacy and civil liberties. Without such debate and awareness in such important and sensitive areas, it is likely that the initiative will make slow or modest progress. The Committee strongly urges the Administration to reconsider the necessity and wisdom of the blanket, indiscriminate classification levels established for the initiative.

The Administration itself is starting a serious effort as part of the initiative to develop an information warfare deterrence strategy and declaratory doctrine, much as the superpowers did during the Cold War for nuclear conflict. It is difficult to conceive how the United States could promulgate a meaningful deterrence doctrine if every aspect of our capabilities and operational concepts is classified. In the era of superpower nuclear competition, while neither side disclosed weapons designs, everyone understood the effects of nuclear weapons, how they would be delivered, and the circumstances under which they would be used. Indeed, deterrence was not possible without letting friends and adversaries alike know what capabilities we possessed and the price that adversaries would pay in a real conflict. Some analogous level of disclosure is necessary in the cyber–domain (SASC, 2008).

With the national security establishment moving deeply into the cyber–defense arena after considerable debate on the issue stretching across more than a decade, the Bush Administration has left those not sharing access to the cyber initiative’s blueprint uncertain as to what exactly it is intended to undertake, although it would likely encompass offensive as well as defensive operations (Buxbaum, 2007). This is a considerable growth in scope from the previous declared roles in the cyber–domain, although in line with the Department of Defense’s doctrine falling under the umbrella of “Information Operations” (U.S. Department of Defense, 2006). While the details remain known only to a chosen few in government and its contractors, the cyber initiative represents a potentially enormous increase in government’s stake in the security and observation of cyberspace. It relegates prior executive direction on information security to the sidelines.

NSD 42 was drafted in a simpler time, one in which most individuals in the United States had never heard of the Internet or employed sophisticated encryption technology to complete a transaction. Much like the collection of intelligence in digital form, protecting computer networks revolves around a single activity, watching the traffic of data. Surveillance or security both come down to establishing patterns, locating anomalies and passing along actionable intelligence for decision–makers. “‘If you’re going to do cybersecurity, you have to spy on Americans to secure Americans,’ said a former government official familiar with NSA operations” (Gorman, 2007a).



Can’t we go back to analog?

Contemporary debate on government surveillance remains centered on the topic of wiretapping. We remain bogged down in descriptive terminology from another time, nearly a century old. When we think of wiretapping, we may want to accept this argument.

The various legal statutes defining wiretapping do not give adequate definitions to distinguish between wiretapping and various other activities at the technical level. For the purposes of this paper, the following definition of wiretapping is used:

“Wiretapping is what occurs when information passed across the Internet from one party to one or more other parties is delivered to a third party.” (Bossert, et al., 1997).

Much debate has swirled around the issue of warrant–less wiretaps, the Foreign Intelligence Surveillance Act and use by trans–national terror organizations of the Internet. Recognized is the reality that the strategic threat has changed in some way, produced not by a monolithic superpower but non–state actors falling at the boundaries of sovereignty (Berkowitz, 2003). Just as officialdom in the United States sought to contain the crafty, subversive agents of global communism, in much the same way it hopes to manage those producing the terror problem, or the cyber–security problem for that matter.

Combating transnational terrorists or foiling cyber–attacks forces us to revisit our capacity to employ a legal system increasingly globalized but still populated by sovereign actors (Kaldor, 2006). While this is no doubt a subject for discussion at great length, it requires attention in assessing the following claim: “In general, wiretaps appear to be of greater value in gathering intelligence than in developing evidence.” [18] Whether in combating terrorism or computer crime, it is desirable to mitigate risk and exposure. When a given computer port is probed by another, the best response is not to seek a warrant or file suit, but rather to close the port to all but trusted traffic. And therein lies the problem, for the intelligence collectors and security experts alike. There is no easy way to establish relationships of trust online. Furthermore, difficulties emerge in adopting technological mechanisms to enable trust. One may choose to understand general knowledge regarding information security in this way. “There are those who overreact and those who under–react, but how many don’t know?” (Maffit, 2008). The same could be said about digital privacy or the argument over wiretapping (Rasmussen Reports, 2008).

Political debate is conducted in a ring with civil libertarians in one corner marked “privacy” and the government in an opposite one labeled “security” (Stanley, 2004; G.W. Bush, 2003a). Blurred is the line where intelligence collection ends and information security begins. This is odd terrain. In the name of protection and security for society and its computer networks, an edifice may also be constructed able to expose the totality of information held in digital form regarding each citizen (Healy, 2003). For those who worry about online profiling, marketers running amok, or the digitization of health records, there are valid reasons for concern. If any piece of information is digitized, it is much more portable and therefore useful. If it traverses the Internet it is vulnerable to interception (Hunter, 2002). These are the very real risks of using digital information technologies, imperfect as they are. There remains a shortage of trust in the online domain (Bronk and Salucci, 2001).

In addressing the trust problem, there is the very real concern over the roles of corporate players facilitating the delivery of technologies, services, and data to the United States government. With the value of digital information so high, the potential for abuse in pursuit of business interests is great. “The key distinction between public and private, or outsourced, provision is whether the provider is acting as a private entity on contract subject to profit–making discipline, or is operating within the public sector and thus subject to direct democratic and civil service accountability systems.” [19] In this area, the record of private industry in protecting the privacy of the individual is not without blemish (Etzioni, 1999).

In the current national security environment, a CNN (2006) sampling of Americans appeared relatively divided — 47 percent for and 50 percent against — in their beliefs regarding whether secret wiretapping was right or wrong. Among those more involved in the politics of the Internet, in a 2004 survey of members of the Internet Society an overwhelming majority — 80 percent — indicated that their organization, “should actively oppose government’s efforts to wiretap the Internet.” A majority of respondents to that same survey — 68 percent — also considered themselves “concerned” or “very concerned” about terrorism (Internet Society, 2004). Surveys regarding the wiretapping, security, and terrorism issues are less than ideal measures of reality, however, as more than a third of respondents to a 2006 Scripps poll “said it is ‘very likely’ or ‘somewhat likely’ that federal officials either participated in the attacks on the World Trade Center and the Pentagon or took no action to stop them” (Hargrove, 2008).

With skepticism of government in the United States clearly part of the political terrain, the wiretapping/information security issue requires greater scrutiny, albeit in a manner that does not compromise the all–important sources and methods of intelligence collection or cyber–defense. It would appear that some in the Senate have connected many of the dots that inextricably link the surveillance and information assurance activities.

“The [Senate Armed Services C]ommittee also concludes that some major elements of the cyber initiative are not solely or even primarily intended to support the cyber security mission. Instead, it would be more accurate to say that some of the projects support foreign intelligence collection and analysis generally rather than the cyber security mission particularly.” (U.S. Senate Armed Services Committee, 2008).

Protecting the networks and collecting the data labeled “chatter” in the forecasting language of terror analysis are very much connected activities. Surveillance and security technologies constitute an enormous potential toolkit for government to defend its data resources, protect the key infrastructure of an information society and thwart the radical elements that seek to employ gross violence in pursuing their political goals. This toolkit includes the capacity to observe “digital activity,” in which, “computers can sort and identify in incredibly short time frames, and that means what numbers are being dialed, how they are being dialed, suddenly could be accessible in the kind of time frame, that you can do warning, preventive attack” (Inman, 2006). There is also an enormous potential for misuse or corruption by those operating even under the best of intentions.




This paper has addressed how communications surveillance, what is generally called wiretapping, and information security are technically interwoven activities, which we may call webtapping. One item deserving at least passing mention in this paper’s concluding remarks is the issue of liability for telecommunications firms. While this will continue to draw attention from scholarship, the thrust of this work is not to assess the grounds for liability for telephone companies that aided the U.S. intelligence community in performing electronic surveillance. Opinion on this, as is imaginable, varies widely, with some demanding strict liability for telecommunications firms (Sims, 2006) and others advocating immunity (Hedlund, 2007). From intermediate terrain, the following argument balances the issues.

Companies will be less willing to cooperate once we set the pattern of a president swearing them to secrecy and then telling them that cooperation is legal, only to yank the rug out from under them later in court. The precedent is that if a citizen helps police officers at their request in an activity that appears legal, the citizen is not liable. We do not want a situation in which the next time there is an emergency people drag their feet out of fear of being used (Lewis, 2007).

Debate on both digital intelligence collection and cyber–defense issues is likely only to continue; however, much of it will take place behind closed doors. One hopes that this debate will eventually address the interests of all parties from law enforcement and intelligence agencies to civil libertarians and industry advocates, as currently it does not. Today, there exists a disconnect between these parties and the political actors who side with each of them, a debate without discussion. Until these groups, the intelligence agencies, privacy advocates, and telecom companies, are able to get back around the table to bargain as they did in the period between the Church Commission and September 11, there will be little accord among them. Desperately needed is this type of interplay on the emergent phenomena surrounding webtapping. Today policy–makers rarely hear more than monologues distorted by incomplete technical knowledge of the topic.


About the author

Christopher Bronk is the Baker Institute Fellow in Technology, Society and Public Policy (TSPP) at Rice University. He previously served as a career diplomat with the United States Department of State on assignments both overseas and in Washington, D.C. His last assignment was in the Office of eDiplomacy, the Department’s internal think tank on information technology, knowledge management, computer security and interagency collaboration. He also has experience in political affairs, counternarcotics, immigration and U.S.–Mexico border issues. Since arriving at Rice, Bronk has divided his attentions among a number of areas including information security, technology for immigration management, broadband policy, Web 2.0 governance and the militarization of cyberspace. He teaches on the intersection of computing and politics in Rice’s George R. Brown School of Engineering. Bronk has provided commentary for a variety of news outlets including ABC, NPR, the BBC and the Houston Chronicle. His latest research is in the political informatics of transnational terror. Holding a Ph.D. from the Maxwell School of Syracuse University, Bronk also studied international relations at Oxford University and received a bachelor’s degree from the University of Wisconsin–Madison.
E–mail: rcbronk [at] rice [dot] edu



1. Buzan, et al., 1997, p. 24.

2. Diffie and Landau, 2007, p. 133.

3. 18 U.S.C..

4. Diffie and Landau, 2007, p. 132.

5. Diffie and Landau, 2007, p. 219.

6. McNulty would go on to supervise the prosecution of John Walker Lindh and Zacharias Moussaoui and rise to the rank of Deputy Attorney General before resigning in July, 2007.

7. Diffie and Landau, 2007, p. 220.

8. Lowenthal, 2006, p. 245.

9. The company, founded by a pair of former Israeli military veterans with experience in intelligence, offers a service in which a computer listens to a telephone conversation and, in real time, places advertisements on the screen of the user’s computer. Characterizing the software’s ability to capture keywords, Pudding Media CEO Ariel Maislos boasted, “The conversation was actually changing based on what was on the screen,” he said. “Our ability to influence the conversation was remarkable.”

10. Thomas, 2003, p. 112.

11. Hitz, 2008, p. 46.

12. Ibid.

13. Kimmage, 2008, p. 3.

14. National Security Agency, 2000, p. 3.

15. Ibid.

16. Cashell, et al., 2004, p. 13.

17. Markusen, 2003, p. 494.

18. Diffie and Landau, 2007, p. 130.

19. Markusen, 2003, p. 477.



18 U.S.C., Part II, Chapter 206, Section 3127, at, accessed 14 November 2008.

American Civil Liberties Union (ACLU), 2008. “FISA: Fear–mongering and what we’ve learned since January” (14 May), at, accessed 16 June 2008.

Associated Press, 1992. “Phone tapping plan proposed” (6 March).

AT&T, 2008. “History of network switching,” at, accessed 16 June 2008.

Luis Miguel Ariza, 2005. “Virtual Jihad: The Internet as the ideal terrorism recruiting tool,” Scientific American (26 December), at, accessed 14 November 2008.

James Bamford, 2002. “War of secrets; Eyes in the sky, ears to the wall, and still wanting,” New York Times (8 September), at, accessed 14 November 2008.

Bruce Berkowitz, 2003. The new face of war: How war will be fought in the 21st century. New York: Free Press.

David Berteau, 1998. “Defense conversion in information technology service industries,” In: Gerald I. Susman and Sean O’Keefe (editors). The defense industry in the post–Cold War era: Corporate strategies and public policy perspectives. New York: Pergamon, pp. 241-250.

G. Bossert, S. Cooper, and W. Drummond, 1997. “Considerations for Web transaction security,” Network Working Group RFC 2084 (January), at, accessed 16 June 2008.

Christopher Bronk and Lapo Salucci, 2001. “Law, trust and the wired world: Privacy, profiling and e–commerce,” Maxwell Review, volume 9, number 1 (Spring).

George H.W. Bush, 1991. “Remarks on signing the High–Performance Computing Act of 1991” (12 December), at, accessed 16 June 2008.

George H.W. Bush, 1990. “National Policy for the Security of National Security Telecommunications and Information Systems” (5 July), at, accessed 16 June 2008.

George W. Bush, 2003a. “National strategy to secure cyberspace” (February). Washington, D.C.: White House, at, accessed 14 November 2008.

George W. Bush, 2003b. “Homeland Security Presidential Directive (HSPD) 7” (17 December), at, accessed 16 June 2008.

Peter A. Buxbaum, 2007. “Air Force explores the next frontier: Cyber Command could establish model for info operations,” Government Computing News (19 February), at, accessed 14 November 2008.

Barry Buzan, Ole Wæver, and Jaap de Wilde, 1998. Security: A new framework for analysis. Boulder, Colo.: Lynne Rienner.

Brian Cashell, W.D. Jackson, Mark Jickling, and Baird Webel, 2004. “The economic impact of cyber–attacks,” Congressional Research Service (1 April), and at, accessed 14 November 2008.

Sabra Chartrand, 1994. “Clinton gets a wiretapping bill that covers new technologies,” New York Times (9 October), at, accessed 14 November 2008.

Michael Chertoff, 2005. “Remarks by Secretary Michael Chertoff U.S. Department of Homeland Security at the Commonwealth Club” (28 July), at, accessed 16 June 2008.

Richard A. Clarke, 2004. Against all enemies: Inside America’s war on terror. New York: Free Press.

CNN, 2006. “Poll: Fifth of Americans think calls have been monitored” (14 February), at, accessed 16 June 2008.

Danny Cohen, 1976. “Specifications for the Network Voice Protocol (NVP),” RFC 741 (29 January), at, accessed 16 June 2008.

Tom Davis, 2007. “Seventh report card on computer security at federal departments and agencies” (12 April), at, accessed 16 June 2008.

James Dempsey, Daniel Wiesner, Martin Stern, and Lisa Leventhal, 1998. “Comments of the Center for Democracy and Technology, In the matter of communications assistance for Law Enforcement Act” (20 April), at, accessed 16 June 2008.

John Diamond, 2002. “Al–Qaeda steers clear of NSA’s ears,” USA Today (17 October), at, accessed 14 November 2008.

Whitfield Diffie and Susan Landau, 2007. Privacy on the line: The politics of wiretapping and encryption. Updated and expanded edition. Cambridge, Mass.: MIT Press.

Henry A. Duran, 1998. “Riding the superhighway to glory: Jody Williams v. U.S., strategy research project,” Carlisle, Pa.: U.S. Army War College, at, accessed 14 November 2008.

Amitai Etzioni, 1999. The limits of privacy. New York: Basic Books.

Federal Communications Commission (FCC), 2008. “Voice Over Internet Protocol (VOIP),” at, accessed 16 June 2008.

Christopher Fountain, 2008. “Last word: Make the FISMA grade meaningful,” SC Magazine (1 January), at, accessed 14 November 2008.

Mike Godwin, n.d. “Section–by–section analysis of the 1994 draft of the digital telephony legislation,” Electronic Frontier Foundation, at, accessed 16 June 2008.

Siobhan Gorman, 2007a. “NSA to defend against hackers: Privacy fears raised as spy agency turns to systems protection,” Baltimore Sun (20 September), and at, accessed 14 November 2008.

Siobhan Gorman, 2007b. “House panel chief demands details of cybersecurity plan,” Baltimore Sun (24 October).

Siobhan Gorman, 2008a. “Bush looks to beef up protection against cyberattacks; Estimated cost could be $6 billion; Democrats are wary,” Wall Street Journal (28 January).

Siobhan Gorman, 2008b. “NSA’s domestic spying grows as agency sweeps up data; Terror fight blurs line over domain; Tracking email,” Wall Street Journal (10 March), at, accessed 14 November 2008.

Government Accounting Office (GAO), 2004. “Information security: Agencies need to implement consistent processes in authorizing systems for operation” (June), and at, accessed 14 November 2008.

William Gravell, 2002. “National security in transformation: Outlining a comprehensive approach to national information power,” In: U.S. Congress. Joint Economic Committee. Security in the information age: New challenges, new strategies (May), at, accessed 14 November 2008.

Andy Greenberg, 2008. “Bush’s double–edged cyber–security plan,” Forbes (26 February), at, accessed 14 November 2008.

Andy Greenberg, 2007. “America’s hackable backbone,” Forbes (22 August), at, accessed 14 November 2008.

Scott W. Gross, 2003. “White paper: MAE services, version 1.0,” (November), MCI at, accessed 14 November 2008.

Brian Grow, Keith Epstein, and Chi–Chu Tschang, 2008. “The new e–spionage threat,” Business Week (10 April), at, accessed 14 November 2008.

Thomas Hargrove, 2008. “Third of Americans suspect 9–11 government conspiracy,” Scripps Howard News Service (1 August), at, accessed 14 November 2008.

Gene Healy, 2003. “Beware total information awareness,” Cato Institute (20 January), at, accessed 16 June 2008.

Julie A. Hedlund, 2007. “Don’t shoot the messenger: Telecommunications carriers deserve immunity,” Information Technology and Innovation Foundation (November), at, accessed 14 November 2008.

Frederick P. Hitz, 2008. Why spy? Espionage in an age of uncertainty. New York: St. Martin’s Press.

Michael Howard and Steve Lipner, 2003. “Inside the Windows security push,” IEEE Security and Privacy, volume 1, number 1 (January), pp. 57–61.

Richard Hunter, 2002. World without secrets: Business, crime, and privacy in the age of ubiquitous computing. New York: Wiley.

Bob Inman, 2006. “Listening in: Eavesdropping and the National Security Agency,” New York Public Library (8 May), at, accessed 14 November 2008.

Internet Society, 2004. “Wiretapping the Internet: Member survey” (March), at, accessed 16 June 2008.

Paul Jaeger, 2007. “Information policy, information access, and democratic participation: The national and international implications of the Bush administration’s information politics,” Government Information Quarterly, volume 24, number 4 (October), pp. 840–859.

Mary Kaldor, 2006. New & old wars. Second edition. Malden, Mass: Polity Press.

Daniel Kimmage, 2008. The Al–Qaeda media nexus: The virtual network behind the global message. Washington, D.C.: Radio Free Europe/Radio Liberty, and at, accessed 14 November 2008.

Alec Klein and Ellen Nakashima, 2007. “For Windows Vista security, Microsoft called in pros,” Washington Post (9 January), p. D01, and at, accessed 14 November 2008.

Mark Kline, 2005. “AT&T’s implementation of NSA spying on American citizens” (31 December), at, accessed 16 June 2008.

Evan Kohlman, 2005. “Interview,” Washington Post, at, accessed 16 June 2008.

Susan Landau, 2005. “Security, wiretapping, and the Internet,” IEEE Security and Privacy, volume 3, number 6 (November/December), pp. 26–33.

James Lewis, 2007. “Domestic surveillance, FISA and terrorism,” Center for Strategic and International Studies (7 November), at, accessed 14 November 2008.

James Lewis, 2005. “Computer espionage, Titan Rain and China,” Center for Strategic and International Studies (14 December), at, accessed 14 November 2008.

Brynjar Lia, 2006. “Al–Qaeda online: Understanding jihadist Internet infrastructure,” Jane’s Intelligence Review (1 January), and at, accessed 14 November 2008.

Steve Lohr, 1998. “As U.S. spars With Microsoft, federal offices use its systems,” New York Times (4 May), at, accessed 14 November 2008.

Mark M. Lowenthal, 2006. Intelligence: From secrets to policy. Third edition. Washington, D.C.: CQ Press.

Peter Maffit, 2008. Conversation with author (8 May).

Eric Mankin, 1999. “USC machine system demonstrates superhuman speech-recognition abilities,” USC Chronicle (18 October), at, accessed 14 November 2008.

Ann R. Markusen, 2003. “The case against privatizing national security,” Governance, volume 16, number 4 (October), pp. 471–501.

John Mintz, 1992. “FBI, phone firms in tiff over turning on the taps,” Washington Post (10 March), p. C1.

Robert S. Mueller, 1991. Electronic surveillance manual. Volume 1: Procedures and forms. Washington, D.C.: U.S. Department of Justice, Criminal Division, Office of Enforcement Operations.

Ellen Nakashima, 2008. “Bush order expands network monitoring,” Washington Post (26 January), p. A.03, and at, accessed 14 November 2008.

Ellen Nakashima, 2007. “A story of surveillance: Former technician ‘turning in’ AT&T over NSA program,” Washington Post (7 November), p. D01, and at, accessed 14 November 2008.

Hassan Heidari Namarvar, Jim–Shih Liaw and Theodore W. Berger, 2001. “A new dynamic synapse neural network for speech recognition,” Neural Networks 2001, Proceedings, International Joint Conference on Neural Networks (Washington, D.C.), volume 4, pp. 2985–2990.

National Security Agency, 2000. Transition 2001 (December), at, accessed 14 November 2008.

Joseph S. Nye, Jr. and William A. Owens, 1996. “America’s information edge,” Foreign Affairs, volume 75, number 2 (March/April), pp. 20–36, and at, accessed 14 November 2008.

New Paradigm Resources, 2007. “VoIP year in review,” at, accessed 16 June 2008.

Olmstead v. United States, at, accessed 14 November 2008.

Organisation for Economic Co–operation and Development (OECD), 2007. “Broadband subscribers per 100 inhabitants in OECD countries and ICCP Committee observers countries” (June), at,3343,en_2649_34449_33987543_1_1_1_1,00.html, accessed 14 November 2008.

Organisation for Economic Co–operation and Development (OECD), 2003. “Broadband subscribers per 100 inhabitants in OECD countries” (December), at,3343,en_2649_34449_33987543_1_1_1_1,00.html, accessed 14 November 2008.

Anthony Ramirez, 1992a. “As technology makes wiretaps more difficult, F.B.I. seeks help,” New York Times (8 March), at, accessed 14 November 2008.

Anthony Ramirez, 1992b. “The FBI’s latest idea: Make wiretapping easier,” New York Times (19 April), Section 4, p. 2.

Rasmussen Reports, 2008. “32% say U.S. legal system worries too much about national security at expense of individual rights” (18 February), at, accessed 16 June 2008.

Robert Richardson, 2007. “CSI computer crime and security survey,” Computer Security Institute, and at, accessed 14 November 2008.

William Safire, 2002. “The ‘big ear’ gone deaf,” New York Times (13 June), at, accessed 14 November 2008.

Noah Schachtman, 2002. “Terrorists on the Net? Who cares?” Wired (2 December), at, accessed 14 November 2008.

Roger R. Schell, 1979. “Computer security: The Achilles heel of the electronic Air Force?” Air University Review (January–February), at, accessed 14 November 2008.

Demetri Sevastopulo, 2007. “Chinese military hacked into Pentagon,” Financial Times (3 September), at, accessed 14 November 2008.

John Cary Sims, 2006. “What the NSA is doing ... and why it’s illegal,” Hastings Constitutional Law Quarterly, volume 33, p. 101.

Jay Stanley, 2004. “The surveillance–industrial complex: How the American government is conscripting businesses and individuals in the construction of a surveillance society,” American Civil Liberties Union, at, accessed 14 November 2008.

Susan Stellin, 2002. “Terror’s confounding online trail,” New York Times (28 March), at, accessed 14 November 2008.

Louise Story, 2007. “ADVERTISING; A company will monitor phone calls and devise ads to suit,” New York Times (24 September), at, accessed 14 November 2008.

Teralight, 2008. “The history of signaling System #7,” at, accessed 16 June 2008.

Timothy L. Thomas, 2003. “Al Qaeda and the Internet: The danger of ‘cyberplanning’,” Parameters, volume 33, number 1, pp. 112–123, and at, accessed 14 November 2008.

Time, 1967. “Unplugging bugging,” Time (29 December), at,9171,844334,00.html, accessed 16 June 2008.

U.S. Department of Defense, 2006. “Information operations” (DOD Directive O–3600.1, 14 August), at, accessed 16 June 2008.

U.S. Senate, 1991. “S. 272, High–Performance Computing Act of 1991,” 102nd Congress, at, accessed 14 November 2008.

U.S. Senate, Armed Services Committee, 2008. “National Defense Authorization Act for fiscal year 2009” (12 May), at, accessed 14 November 2008.

Sandra Upson, 2007. “Wiretapping woes: Trouble ahead for those wanting to monitor Internet–based calls,” IEEE Spectrum, volume 44, number 5 (May), pp. 10–12, and at, accessed 14 November 2008.

Patience Wait, 2002. “Government outsourcing grows fastest of all sectors,” Washington Technology, volume 16, number 23 (4 March), at, accessed 14 November 2008.

David Ward, 1996. “Sisyphean circles: The Communications Assistance for Law Enforcement Act,” Rutgers Computer and Technology Law Journal, volume 22, number 1, pp. 267–299.

Washington Post, 1992. “Back to smoke signals” (editorial), Washington Post (26 March).

Gabriel Weimann, 2004. “How modern terrorism uses the Internet,” United States Institute of Peace, special report 116, at, accessed 14 November 2008.

Mark Williams, 2006. “The total information awareness project lives on,” Technology Review (26 April), at, accessed 14 November 2008.

Tom Zeller, 2000. “Ideas & trends; Cloak, dagger, Echelon,” New York Times (16 July), and at, accessed 14 November 2008.


Editorial history

Paper received 16 June 2008; accepted 5 October 2008.

Creative Commons License
“Webtapping: Securing the Internet to save us from transnational terror?” by Christopher Bronk is licensed under a Creative Commons Attribution–No Derivative Works 3.0 Unported License.

Webtapping: Securing the Internet to save us from transnational terror?
by Christopher Bronk
First Monday, Volume 13, Number 11 - 3 November 2008