Last edited Sat Jun 8, 2013, 04:08 PM - Edit history (3)
No need to get the ISP's cooperation. It's usually done without it, except when the ISP or telco needs to get paid (a lot) out of the Justice Dept. fund for a Title III warrant (FBI) connection. Here's how that intercept system works: http://en.wikipedia.org/wiki/Communications_Assistance_for_Law_Enforcement_Act
Technical implementation
USA telecommunications providers must install new hardware or software, as well as modify old equipment, so that it doesn't interfere with the ability of a law enforcement agency (LEA) to perform real-time surveillance of any telephone or Internet traffic. Modern voice switches now have this capability built in, yet Internet equipment almost always requires some kind of intelligent Deep Packet Inspection probe to get the job done. In both cases, the intercept-function must single out a subscriber named in a warrant for intercept and then immediately send some (headers-only) or all (full content) of the intercepted data to an LEA. The LEA will then process this data with analysis software that is specialized towards criminal investigations.
All traditional voice switches on the U.S. market today have the CALEA intercept feature built in. The IP-based "soft switches" typically do not contain a built-in CALEA intercept feature; and other IP-transport elements (routers, switches, access multiplexers) almost always delegate the CALEA function to elements dedicated to inspecting and intercepting traffic. In such cases, hardware taps or switch/router mirror-ports are employed to deliver copies of all of a network's data to dedicated IP probes.
Probes can either send directly to the LEA according to the industry standard delivery formats (c.f. ATIS T1.IAS, T1.678v2, et al.); or they can deliver to an intermediate element called a mediation device, where the mediation device does the formatting and communication of the data to the LEA. A probe that can send the correctly formatted data to the LEA is called a "self-contained" probe.
In order to be compliant, IP-based service providers (Broadband, Cable, VoIP) must choose either a self-contained probe (such as made by IPFabrics), or a "dumb" probe component plus a mediation device (such as made by Verint, or they must implement the delivery of correctly formatted for a named subscriber's data on their own.
Here's some additional information on the role that CALEA-compliant equipment plays in PRISM and some other NSA programs:
http://www.guardian.co.uk/world/2013/jun/07/nsa-prism-records-surveillance-questions
How does it work?
The NSA isn't saying. Sources in the data-processing business point to a couple of methods. First, lots of data bound for those companies passes over what are called "content delivery networks" (CDNs), which are in effect the backbone of the internet. Companies such as Cisco provide "routers" which direct that traffic. And those can be tapped directly, explains Paolo Vecchi of Omnis Systems, based in Falmer, near Brighton.
"The Communications Assistance for Law Enforcement Act (Calea) passed in 1994 forces all US manufacturers to produce equipment compliant with that law," says Vecchi. "And guess what: Cisco is one of the companies that developed and maintains that architecture." Cisco's own documents explain its Calea compliance.
So the NSA would only need to tap the routers?
Not quite. Much of the traffic going to the target companies would be encrypted, so even when captured it would look like a stream of digital gibberish. Decrypting it would require the "master keys" held by the companies.
Did the companies know?
They say not. Those which have been contacted have all denied knowledge of it: Google, for example, said: "Google does not have a 'back door' for the government to access private user data." An Apple spokesman said: "We have never heard of Prism. We do not provide any government agency with direct access to our servers and any agency requesting customer data must get a court order."
The Washington Post retracted part of its story about Prism in which it said that the companies "knowingly" participated. Instead, it quotes a report which says that "collection managers [could send] content tasking instructions directly to equipment installed at company-controlled locations".
It is ambiguous whether "company" refers to the NSA or the internet companies. But the implication seems to be that the NSA has been running a system that can tap into the internet when it wants.
How could the companies not know if they had provided master decryption keys?
They might be required to provide them under US law, but would not be allowed to disclose the fact. That would give the NSA all it needed to monitor communications.
= new reply since forum marked as read
