>From: Eugen Leitl <[email protected]>
>To: [email protected]; [email protected]; [email protected] >Sent: Friday, September 20, 2013 5:10 AM >Subject: [Cryptography] FISA court releases its "Primary Order" re telephone >metadata >----- Forwarded message from John Gilmore <[email protected]> ----- >Date: Tue, 17 Sep 2013 18:02:27 -0700 >From: John Gilmore <[email protected]> >To: [email protected], [email protected] >Subject: [Cryptography] FISA court releases its "Primary Order" re telephone >metadata >The FISA court has a web site (newly, this year): > http://www.uscourts.gov/uscourts/courts/fisc/index.html >Today they released a "Memorandum Opinion and Primary Order" in >case BR 13-109 ("Business Records, 2013, case 109"), which lays >out the legal reasoning behind ordering several telephone companies >to prospectively give NSA the calling records of every subscriber. >That document is here: > http://www.uscourts.gov/uscourts/courts/fisc/br13-09-primary-order.pdf >I am still reading it... > John Armed with my nearly 12 years of daily visits to prison law libraries, I can report that this "Memorandum Opinion and Primary Order" contains many legal errors and false representations and assumptions, and indeed the facts have changed mightily since the issuance of the 1979 "Smith v. Maryland" Supreme Court decision that supported the use of 'pen registers', which provided (only) the phone number called by a given telephone line. One is that in 1979, there was only one phone company, or at least one per geographic area, that fact having been changed by the 1983 breakup of the telephone monopoly by Judge Green. The assumption can no longer be made that modern telephone companies WANT to share metadata with the government; prior to 1979 it would have been virtually assumed that they were willing to so share. The Smith case, above, merely supported the practice of a phone company voluntarily giving information to the government, without the government obtaining a warrant: It didn't require that these phone companies share that information without a warrant. Today, a company may simply be unwilling to share that data, or can be convinced to declare that unwillingness now (after the Snowden/NSA revelations) and the public can be expected to want its chosen phone companies to refuse. Another difference (or reality) is that these warrants refer repeatedly to 'business records': Ostensibly, because this metadata is a 'business record', somehow the phone co. can be expected to provide it. While there may not have been any reason for phone companies to keep telephone calling records ('metadata') in 1979, there is certainly no need for such records today. In 1979, long-distance telephone calls were billed by time, and by distance to the called party, and they generally kept the full phone number as part of the record.. Today, it is common to have unlimited LD contracts, which disregard the distance of the call or its duration, or both, at least within the US, making it entirely unnecessary for the phone company to keep records on calls. (Or, simply the duration of a phone call could be recorded, if the total time is billed.) In principle, therefore, a phone company could announce that it was ceasing keeping such metadata, as a matter of business records. Or, it could keep metadata, and X-out the last four digits of all called-telephone numbers, making those records virtually useless for any large-scale investigational use. Yet another way for a phone co. to fight back would be to provide that metadata to the government, printed out on paper, in tiny "captcha"-type font, or perhaps in some kind of pseudo-randomized cursive font, so that it would be readable, yet it would also be virtually impossible for the government to return that information to an electronically-accessible font. Sure, that tactic might result in yet another court-order, but that will amount to a further reason to challenge that court: "The government is getting the information it requested, it may simply not be getting it in the form it wants." Another attack is suggested by both the Smith case and this primary order url'ed above: The assertion that there is no 'expectation of privacy' in phone numbers given by the user to the phone company(ies). This could be challenged simply if the phone co's declared to its customers, "We will keep your telephone metadata secret except if given a warrant providing individualized suspicion against you: A general warrant asking for all telephone metadata will not be honored and in fact will be publicized by means of leak or otherwise. Further, we will no longer retain the last four digits of numbers you call, in your records, or the last four digits of your telephone number, in records of calls to you." At that point, the 'expectation of privacy' declared non-existent by the 1979 Smith decision will return. Jim Bell
