Risk assessments are the underpinning of all effective security programs. It’s quite difficult to best prioritize defensive efforts without a proper valuation of assets to be protected, consideration of threats against those assets, and some means to establish a probable rate at which those threats will result in a particular impact. Because risk assessments describe the priorities of the organization through the perspective of minimizing impact from security events, they must be regularly reviewed to ensure not only that the assets and activities of the organization are current, but also that the current threats are properly accounted for.
Recent research by Christopher Soghoian, a graduate student at Indiana University, Bloomington’s Center for Applied Cybersecurity Research, suggests that underreporting of US law enforcement surveillance could be creating a blind spot in organizational risk assessments. That is, the current legislative reporting requirements exclude certain information and agencies. In the absence of such requirements, it appears that state and local agencies, for example, are responsible for the vast majority of Electronic Communications Privacy Act (ECPA) requests. Unfortunately, the kinds of information excluded from stringent reporting requirements coincides with the current trends in mobile computing and informal electronic communication, namely stored communication (text messages, social networking posts, etc.). At this intersection lies the opportunity for an organization to miss a very real threat to its sensitive communications, as we mentioned in our recent Cyber Risk Report.
Overview of Legal Classifications of Electronic Surveillance
Soghoian begins his report with a brief breakdown of the variety of federally-defined communications intercept types and requirements, and by contrasting the various differences among requirements defined in the respective Acts of Congress. The most complete reporting was established for real-time intercepts, commonly called wiretaps, in the 1968 Omnibus Crime Control and Safe Streets Act (OCCSSA). This act requires annual statistical reporting by the Administrative Office of the US Courts to Congress, which has also made its reports available online, going back to 1998.
A second common method used by law enforcement to collect electronic surveillance is via non-content interception, such as pen registers (which record data on outgoing connections) or trap and trace (which record data on incoming connections). Non-content intercepts provide meta data about electronic communication, and are regulated by the Electronic Communications Privacy Act of 1986. With non-content intercepts, law enforcement can obtain information about communications, such as the source and destination of a phone call or e-mail message, but not the content of the call or message itself.
The ECPA also regulates stored communications and the requirements for warrants and reporting for law enforcement retrieval of stored messages, such as SMS, email, social network, and other similar communications at rest. Under “emergency” conditions, the ECPA also allows companies to voluntarily provide stored content to law enforcement, although they are not required to do so.
However, unlike the 1968 Omnibus Act regulating wiretaps, the ECPA only requires law enforcement entities within the US Department of Justice to report statistics through the US Attorney General’s office. To date, DOJ reporting has been infrequent, though the DOJ has recently reiterated policies that will make future reporting more timely. Still, ECPA’s limited scope of reporting leaves a gap that non-content intercepts and stored communications retrieval is not closely monitored at the federal level.
Differences in the approval requirements also exist between the two acts, with ECPA intercepts being much easier to obtain than OCCSSA wiretaps:
Although the numbers have fluctuated in particular years, over time, the number of requests has skyrocketed. By 2009, the latest year for which statistics exist, 12,444 pen registers and 11,091 trap and trace orders were issued. … This difference might be because each of the 663 Federal intercept orders … obtained in 2009 had to be thoroughly evaluated and then approved by a judge, while the 12,444 pen registers requests only received a cursory review at best.
Trends in Law Enforcement Surveillance
The report lays out trends in wiretaps, comparing state and federal increases:
Over the last decade, the use of electronic surveillance orders has increased nationwide, although this is largely due to a massive increase in use by the states. In 1987, there were 237 wiretap orders obtained by federal law enforcement agencies. One decade later, in 1997, there were 569, and by 2009, this had increased to 663. Over these twenty years, the number of federal wiretaps fluctuated, but generally increased. In contrast, there were 437 state wiretaps in 1987, which increased to 617 by 1997. It was in the decade that followed that states really embraced this surveillance method, as by 2009, the number jumped to 1713.
Lower requirements and limited scope of reporting appear to fuel the states’ use of non-content intercepts. However, this gap in reporting prevents organizations from truly getting a clear picture. In order to fill the gap, Soghoian looks to the voluntary disclosure that some companies have made regarding their participation in voluntary emergency disclosure. Verizon, AOL, Google, Facebook, Sprint, and others have publicly disclosed their voluntary emergency disclosure rates, and they have shared numbers from 10-20 requests per day, up to “thousands” of requests per month. The volume is even reported to have caused Sprint Nextel to develop “a web interface that gives agents direct access to users’ location data,” enabling law enforcement to “ping” Sprint users millions of times in a single year.
Impact on Risk Assessment
In the face of such a rapid increase in surveillance activity, particularly outside of federal or public statistical reporting, a number of new threats appear. First, organizations that regularly use electronic communications outside of their own control may be unaware of the frequent surveillance activities that are taking place. Any stored communications hosted by third parties could be the subject of voluntary disclosures with little, if any, oversight. This creates not only a risk of questionable use by any law enforcement officers, or accidental disclosure to law enforcement, but also a risk that stored communications become replicated onto law enforcement systems, resulting in a secondary storage risk. Such information, for example, could be the subject of a breach or unintentional disclosure by miscreants targeting law enforcement servers, misplaced laptops, and so forth.
Second, the methods by which law enforcement officers request information from companies that store or process it could in itself become an avenue for unauthorized access. In this case, organizations could find that their sensitive information is disclosed via the systems or processes put in place to expedite the processing of the increasing volume of law enforcement requests.
The benefits of social media and the rapid explosion of powerful technology in the hands of employees create wide opportunities for business. However, we continue to see opportunities for risk to creep in alongside this individualized and empowered workforce. Businesses should continue to seek balance between enabling employees to effectively conduct business with the risk of blurring personal and corporate boundaries and exposing sensitive information through improperly controlled communications channels. Soghoian’s research shows that a recent spike in law enforcement collection may be on a collision course with businesses that are adopting more individualized communication methods through third parties.