Senior Obama administration officials have secretly authorized the interception of communications carried on portions of networks operated by AT&T and other Internet service providers, a practice that might otherwise be illegal under federal wiretapping laws.
The secret legal authorization from the Justice Department originally applied to a cybersecurity pilot project in which the military monitored defense contractors’ Internet links. Since then, however, the program has been expanded by President Obama to cover all critical infrastructure sectors, including energy, healthcare, and finance, starting June 12.
“The Justice Department is helping private companies evade federal wiretap laws,” said Marc Rotenberg, executive director of the Electronic Privacy Information Center, which obtained over 1,000 pages of internal government documents and provided them to CNET this week. “Alarm bells should be going off.”
Those documents show the National Security Agency and the Defense Department were deeply involved in pressing for the secret legal authorization, with NSA director Keith Alexander participating in some of the discussions personally. Despite initial reservations, including from industry participants, Justice Department attorneys eventually signed off on the project.
The Justice Department agreed to grant legal immunity to the participating network providers in the form of what participants in the confidential discussions refer to as “2511 letters,” a reference to the Wiretap Act codified at 18 USC 2511 in the federal statute books.
The Wiretap Act limits the ability of Internet providers to eavesdrop on network traffic except when monitoring is a “necessary incident” to providing the service or it takes place with a user’s “lawful consent.” An industry representative told CNET the 2511 letters provided legal immunity to the providers by agreeing not to prosecute for criminal violations of the Wiretap Act. It’s not clear how many 2511 letters were issued by the Justice Department.
In 2011, Deputy Secretary of Defense William Lynn publicly disclosed the existence of the original project, called the DIB Cyber Pilot, which used login banners to inform network users that monitoring was taking place. In May 2012, the pilot was turned into an ongoing program — broader but still voluntary — by the name of Joint Cybersecurity Services Pilot, with the Department of Homeland Security becoming involved for the first time. It was renamed again, to the Enhanced Cybersecurity Services program, in January, and is currently being expanded to all types of companies operating critical infrastructure.
The NSA and DOJ declined to comment. Homeland Security spokesman Sy Lee sent CNET a statement saying:
“DHS is committed to supporting the public’s privacy, civil rights, and civil liberties. Accordingly, the department has implemented strong privacy and civil rights and civil liberties standards into all its cybersecurity programs and initiatives from the outset, including the Enhanced Cybersecurity Services program. In order to protect privacy while safeguarding and securing cyberspace, DHS institutes layered privacy responsibilities throughout the department, embeds fair practice principles into cybersecurity programs and privacy compliance efforts, and fosters collaboration with cybersecurity partners.”