BY KIM ZETTER
The Justice Department agreed to grant internet service providers that participated in a new cybersecurity monitoring program legal authorization to monitor and intercept communications traffic, according to documents obtained by the Electronic Privacy Information Center.
The documents show that the Justice Department secretly agreed to provide AT&T and other participating providers with so-called “2511 letters” that granted them immunity for activity that might otherwise have violated federal wiretapping laws.
EPIC obtained more than 1,000 documents last week through a FOIA request and provided them to CNET, which broke the story today.
The immunity would have covered their participation in a program aimed at monitoring internet traffic to spot cyber threats and defend against malicious attacks, but EPIC said it essentially allowed the companies to skirt wiretap laws.
“The Justice Department is helping private companies evade federal wiretap laws,” Marc Rotenberg, executive director of EPIC, told CNET. “Alarm bells should be going off.”
The cybersecurity program, originally known as the Defense Industrial Base Cyber Pilot project when it was announced in 2011, initially covered only participating defense contractors and their ISPs. Under the program, which involved a partnership between the National Security Agency and the Department of Homeland Security, ISPs were provided with malware signatures and other information to help them monitor traffic going to defense contractors, so they could spot malicious threats and safeguard the networks and data. Outgoing traffic that appeared to be headed to malicious sites and servers was blocked so that valuable data couldn’t be siphoned from the defense contractor networks.
An early study of the program doubted its effectiveness, though the government later said the program improved.
Since then, the government has announced that in June the program will expand beyond defense contractors and their network providers to encompass participants in sixteen government-designated critical infrastructure sectors — including the chemical, water and electrical industries, the financial sector, healthcare and critical manufacturing.
The documents obtained by EPIC show that when the program was initiated, the NSA and DoD pressed the Justice Department to grant network providers legal immunity after the latter expressed concerns that the federal Wiretap Act barred them from eavesdropping on network traffic.
The Wiretap Act allows ISPs to monitor traffic only when it is necessary to provide services. But there is an exception that allows providers to get around this prohibition if they can get consent from users. Many standard user agreements provide some authorization for monitoring, such as scanning email attachments for viruses. But the authorization is buried in agreements that few users read.
Under the DIB Cyber Pilot project, employees working for the defense contractors that participated in the program were shown login banners on their computers that notified them of expanded monitoring. There were apparently concerns about the banners when the government proposed them, according to emails obtained by EPIC.
One email noted that “all participating DIB companies would be required to change their banners to reference government monitoring.” But participating companies apparently “expressed serious reservations” about changing the banners, which they said “could take months.”
The expanding DIB program, now renamed the Enhanced Cybersecurity Services program, will use the same model when it’s rolled out to critical infrastructure companies in June. DHS’s privacy office has said that users on the participating company networks will see “an electronic login banner [saying] information and data on the network may be monitored or disclosed to third parties, and/or that the network users’ communications on the network are not private.”
Although the exact wording of the banner is unclear, a December 2011 government PowerPoint presentation that was among the documents EPIC obtained listed eight key elements the government said should be part of the banner.
EPIC staff attorney Amie Stepanovich says the banner the government proposed is so broad and vague that it would allow ISPs not only to monitor the content of all communication, including private correspondence, but also potentially hand over the monitoring activity itself to the government. She also notes that the banner notice would be one-sided since it would be given only to the employees of participating companies. Outsiders who communicated with those employees would not know that their communication was being monitored in this way.
“One of the big issues is the very broad notice and consent that they’re requiring, which far outpaces the description of the program that we’ve been given so far of not only the extent of the DIB pilot program but also the extent of the program that expands this to all critical infrastructure,” she says. “The concern is that information and communications between employees will be sent to the government, and they’re preparing employees to consent to this.”
What’s more, the Cyber Intelligence Sharing and Protection Act (CISPA), which passed in the House last week and will be working its way through the Senate, looks to this DIB model as an example of what supporters of the bill hope will eventually be adopted on other private networks. CISPA opens the way for private companies to share information with the government and would give AT&T, Verizon and other providers immunity for doing so. Documents obtained by EPIC show that the NSA, DoD, and DHS met with members of the House Intelligence Committee who drafted the legislation. Civil liberties groups oppose the legislation because it does not provide adequate privacy safeguards. The White House has also said it would veto the legislation if passed.