News, Developments, and Insights

high-tech technology background with eyes on computer display


Remember the good old days, when the FBI used tools such as Carnivore, the device that sifted through email traffic at ISPs. The FBI renamed the device DCS-1000 to sound less ominous and mean, but the name Carnivore stuck. Later on, Carnivore no longer became necessary, as ISPs could deliver the goods to the FBI without its help. Attention then shifted to the NSA, the new king of surveillance.

Ryan Singel at Wired News has a very interesting article about the FBI’s new surveillance system. It is based on documents obtained by the Electronic Frontier Foundation via the Freedom of Information Act. According to the article:

The FBI has quietly built a sophisticated, point-and-click surveillance system that performs instant wiretaps on almost any communications device, according to nearly a thousand pages of restricted documents newly released under the Freedom of Information Act.

The surveillance system, called DCSNet, for Digital Collection System Network, connects FBI wiretapping rooms to switches controlled by traditional land-line operators, internet-telephony providers and cellular companies. It is far more intricately woven into the nation’s telecom infrastructure than observers suspected.

It’s a “comprehensive wiretap system that intercepts wire-line phones, cellular phones, SMS and push-to-talk systems,” says Steven Bellovin, a Columbia University computer science professor and longtime surveillance expert.

It seems as though the FBI naming guy has been fired, and the new devices are all in the DCS family. And it appears from the names that the devices are many generations more advanced than Carnivore (DCS-1000):

DCSNet is a suite of software that collects, sifts and stores phone numbers, phone calls and text messages. The system directly connects FBI wiretapping outposts around the country to a far-reaching private communications network.

Many of the details of the system and its full capabilities were redacted from the documents acquired by the Electronic Frontier Foundation, but they show that DCSNet includes at least three collection components, each running on Windows-based computers.

The $10 million DCS-3000 client, also known as Red Hook, handles pen-registers and trap-and-traces, a type of surveillance that collects signaling information — primarily the numbers dialed from a telephone — but no communications content. (Pen registers record outgoing calls; trap-and-traces record incoming calls.)

DCS-6000, known as Digital Storm, captures and collects the content of phone calls and text messages for full wiretap orders.

A third, classified system, called DCS-5000, is used for wiretaps targeting spies or terrorists.

Yippee! We now have “Red Hook” and “Digital Storm.” The new naming guy at the FBI is good, finding names that sound much more innocuous. And we’re up to DCS-6000, many iterations above the philistine DCS-1000!

More about the surveillance system:

Together, the surveillance systems let FBI agents play back recordings even as they are being captured (like TiVo), create master wiretap files, send digital recordings to translators, track the rough location of targets in real time using cell-tower information, and even stream intercepts outward to mobile surveillance vans. . . .

Ah, I knew that the FBI couldn’t let the NSA have all the fun. It now has some nifty new surveillance toys. And we know from its past record how good the FBI is with respecting privacy, following the rules, and so on. According to the article:

But the documents show that an internal 2003 audit uncovered numerous security vulnerabilities in DCSNet — many of which mirror problems unearthed in the bureau’s Carnivore application years earlier.

In particular, the DCS-3000 machines lacked adequate logging, had insufficient password management, were missing antivirus software, allowed unlimited numbers of incorrect passwords without locking the machine, and used shared logins rather than individual accounts.

The system also required that DCS-3000’s user accounts have administrative privileges in Windows, which would allow a hacker who got into the machine to gain complete control.

Columbia’s Bellovin says the flaws are appalling and show that the FBI fails to appreciate the risk from insiders.

“The underlying problem isn’t so much the weaknesses here, as the FBI attitude towards security,” he says. The FBI assumes “the threat is from the outside, not the inside,” he adds, and it believes that “to the extent that inside threats exist, they can be controlled by process rather than technology.”

Originally Posted at Concurring Opinions

* * * *

This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy training, data security training, HIPAA training, and many other forms of awareness training on privacy and security topics. Professor Solove also posts at his blog at LinkedIn. His blog has more than 1 million followers.

Professor Solove is the organizer, along with Paul Schwartz, of the Privacy + Security Forum and International Privacy + Security Forum, annual events designed for seasoned professionals.

If you are interested in privacy and data security issues, there are many great ways Professor Solove can help you stay informed:
LinkedIn Influencer blog

TeachPrivacy Ad Privacy Training Security Training 01