 Hello everyone, so is that my audio or is that yours? So my name is Chris Soghoian. I'm a PhD candidate at Indiana University and I'm going to be talking about government surveillance today. My day job, I guess, is two things. So first, I'm a researcher and activist. I work on privacy and security issues. I also work half time at the Federal Trade Commission where I assist a team of lawyers in going after companies that violate your privacy. Unfortunately, in the United States, there's actually no federal agency that's tasked with protecting your privacy from the government. The FTC has no official position on the Department of Justice or NSA's abuse of your civil liberties. And so for those reasons, I'm not speaking on behalf of the FTC here. This is definitely my student research. So my dissertation relates or is focused on the relationship between ISPs and the government. And so this is basically a collection of some of the research I've put together over the last year or two. So you might remember me. A few years ago, I made a website that made fake boarding passes that led to the FBI raiding my house at 2 in the morning. Shortly after that, they finally got around to fixing the ease with which you could manipulate boarding passes. Now there are cryptographic hashes on the boarding passes, whether you consider that a good thing or not. That's up to you. So this talk is going to be focused on a few things. So first, how often do companies provide our cost of the people's data to law enforcement intelligence agencies? What data can they be forced to disclose? How much money do they make by selling your data to the government? And which engineering and legal practices can actually impact the degree to which your information is disclosed? So some companies actually fight both through legal means and through engineering means. And I'm going to be shedding some light on those because for the most part, they're just not really known. All right, so part one. 
How often does the government get our data? So you might remember from the movies, the old days of wiretapping was someone climbing up a telephone pole and listening in on headphones. That's not how wiretaps work anymore. This is how wiretaps work. Someone sitting in an air conditioned data center, typing away at a keyboard, pulling down a trunk full of data. When you store your data in the cloud, Google doesn't get a visit at 2 AM from armed police. They don't seize Google's hard drives. Google just sends them a DVD with your data. There's a reason that this shift from hosting data on our personal computers to hosting them in the cloud is important and impacts the way that the government gets information. So there are bottlenecks with regard to government resources. They only have so many agents and so many officials and so many lawyers. And so consider the marginal increase in work. Five more searches of homes. That means five more teams that have to go out and raid the house and take all your data, versus asking Google for five more accounts. You're just adding a few names to an existing subpoena or existing search warrant. And so it's really, really easy for the government to benefit from the network effect with ISPs. They can ask for 20 more users' information at very little cost. So what do we know about the extent of surveillance today? So there are surveillance statistics that are published according to some federal statutes for certain kinds of surveillance. But a lot of the information that I have and I'm presenting here, I've gotten through the Freedom of Information Act, through friends that I've made in Washington, DC. And a really effective strategy is getting the company's lawyers drunk. They like to talk. And when you promise them that you won't name them, they're actually willing to give up the goods. It's important to note that the stats that I have, by and large, don't cover intelligence. 
And the reason for that is that intelligence requests are shrouded in secrecy. We have some stats regarding the number of FISA orders, which is the Foreign Intelligence Surveillance Court. But they list the number of requests or the number of court orders, not the number of individuals. So one court order can get 10,000 people's information. So we know nothing about the intelligence industry. But we do know plenty about law enforcement. So the first method of surveillance I'll be talking about is wiretaps. This is real-time interception of communications content. This includes voice communications, text, instant messaging, and network traffic dumps, like, I think, tcpdump. To get one, you need what's called a super warrant. This is a really, really high legal standard. It's a pain in the ass to get, and it takes a little bit of time. And the police have to show probable cause. So they have to show there's probable cause to believe that you've broken the law. They also have to show that they've gone through all these other steps to try and get data, and it failed. All right, so let's look into the wiretap stats and see what we can figure out. So the first thing is the use of surveillance intercepts grows every year. So this is 1987 through 2009. You can see a clear increase. The blue is total intercepts, and the red is federal intercepts. So take home lesson here is that the federal usage isn't really going up that much, but states is skyrocketing. Also important to note that look at between 1999 and 2001, 2003, you would assume that after 9/11, there would be a massive increase in the number of wiretaps. It's not there. And the reason is because the massive buildup of surveillance that happened after 9/11 wasn't law enforcement. It was intelligence. All right, next take home lesson. Drugs are bad if you value your privacy. So these are the major offenses specified in intercept orders, narcotics versus other crimes. 
You can see that your chance of getting wiretapped, if you're engaged in drugs, is pretty high, and if you're engaged in anything else, it's pretty low. Take home lesson here is if you're going to break the law and don't want to be wiretapped, stick with something safer, like murder, bribery, or extortion. You can see this from the numbers here. So we have 2,000 intercepts a year for narcotics and nine for robbery. These numbers speak for themselves. So the police are focused on drugs. This is the impact of the war on drugs in this country. And most of the requests are coming from New York and California, which have specialized drug task forces. These are agents who are trained in the process of getting these pain-in-the-ass orders. You're not seeing a police officer in Podunk, Minnesota, who is going to go through all the effort to do a wiretap. These are special units in LA and New York, San Francisco. All right, next trend. Phone surveillance increases each year while other forms decline. And this isn't due to increases from the feds, but this is due to the states. So I don't know if you can see this graph, but the take home lesson here, the blue thing is total phone intercepts those have skyrocketed again due to use of the states. The little things that start on the left and the orange and a few other colors, those are electronic surveillance. So basically, electronic surveillance is zero at this point. So in 2009, so actually one of the things, the 2009, 95% of intercept orders were for portable devices. So this is your cell phone being surveilled. If you are using a phone in your house, the chance of them wiretapping you is also very, very slim. So again, you can see here from the stats, portable devices, which are green, are the lion's share, just massive, massive numbers here. Electronic intercept orders, so that's computers and other things, used to be significant in number. 
So if we look through 1997, in 1999, there were nearly 700 electronic intercepts a year. And if you go to 2009, you can see that you can't even see it on the graph. And they've plunged to less than five a year. All right, so we used to have hundreds of electronic intercepts, and now we have five or 10 a year combined for federal and state. So what happened? This is an electronic intercept. So that category used to include pagers, faxes, and computers. And when people stopped using pagers, the number of electronic intercepts went down. So why are there no network core taps? The reason is, because they're expensive, law enforcement has to maintain a leased line back from the ISP's data center back to theirs. It's expensive, it requires all this fancy gear, they don't have the training to do it. So law enforcement agencies just really are not doing network level wiretaps. Instead, they're going after the fact to your ISP and getting your stored data, that's your stored email, your search queries, and this other stuff. Like, why tap your ISP in real time when you can go after the fact and get it at much, much cheaper prices? So another interesting data point. We used to hear for years that encryption was gonna be the scourge of law enforcement. How can they keep us safe when criminals are gonna be using PGP? And so a few years ago, the Senate initiated a bill that got reporting of encryption added to the stats. So every year, law enforcement have to reveal how many cases of encryption they found when they were doing wiretaps. So the take home lesson here, first is that they're not encountering it. And when they are encountering it, it doesn't stop them from getting what they're after. Now again, I have to clarify that this is not intelligence collection of data, right? So NSA is seeing encryption because they're monitoring Skype. 
But again, your Podunk police officer in the South is not playing with encryption and they're not seeing it because the criminals that they're going after, they don't know how to use encryption. All right, another category of data, pen registers. So this is the real time capture of non-content communications data. We're thinking IP headers, to and from information on emails, the phone numbers dialed, the URLs viewed in some cases, and also geolocation data when combined with another kind of order. The standard for getting these is ridiculously low. It's called relevance to an ongoing investigation. This is so, so easy to get. And as you'll see from the numbers, there are a lot more of them. All right, so we have in 2008, 14,000 pen registers a year at the federal level. This doesn't include states. These reports are not public. I had to FOIA these and then get some other stuff leaked to me. But we're seeing massive, massive numbers, like five or six times the number of wiretaps. And the reason is one, it's really, really easy to get. There's no evidentiary threshold that they really have to surpass. And two, the data is not as difficult to parse, right? They get a list of the phone numbers that are dialed in real time, as opposed to having to deal with gigabytes of network transfers. All right, this is where the mother lode is. Stored communications and other data. Oops, I moved that. All right, well, I'll get to that in a minute. All right, so before that, location. Location requests have become a massive, massive problem or a massive, massive tool if you take the perspective of law enforcement. It is routine now, if there is a murder and the police don't know who did it, that they call up the phone companies and they say, tell us everyone that was within 200 feet of the corner of First and Main Street at 7 p.m. on Friday night. They can get hundreds of people's information with this. The legal threshold to get this historical information is super, super low. 
The historical information is usually cell tower data that is not super accurate, but real time data is based on GPS pings or tower triangulation data, which is really accurate. In some parts of the country, it requires a warrant, but often in other areas, it can be gotten with a far lower legal process. In fact, the standard varies by magistrate in a district. So two judges down at the hall from each other can have different standards. This is a big problem because there's no federal guidance as to what the standard should be. So this is a quote from a House Judiciary hearing a few months ago. This is a lawyer representing T-Mobile and a few other companies. It's common in hybrid location orders for the government to seek the location of the community of interest. That is the location of persons with whom the target communicates. So that means if you're under investigation, not only is the government getting your location information, but they're also getting the location information of everyone that you've called and that everyone who's called you with one order. This is really, really scary. The extent to which they're getting this data and then putting it in a database and keeping it forever. So this is a slide that I acquired that was presented at an intelligence conference a few years ago. This is a British software solutions company that's created a plugin for Google Earth. This shows real-time geographic information, geographic cell information on 60 million Indonesian cell phone users in Google Earth. So an analyst can sit at a desktop and in real-time zoom from the city level down to the street level and see a little dot for every phone. This is really, really scary. And if these companies are sell, these are Western companies that are selling it around the world, you can bet that they're selling it to governments that are slightly closer to our hearts. Right, so this is something I'm particularly proud of. 
Last fall, there was a conference in Washington, DC called ISS World. It's nicknamed the Wiretappers' Ball. It's a closed-door conference where surveillance software vendors get together and show off their products to intelligence and law enforcement officials from around the world. And I snuck in. It was fun. First time I shaved in six years, put on a suit. Anyway, so I went there and collected some information. Rather than explaining it myself, I'll let my friend Steven do it for me. It was recently revealed that Sprint gives the government their customers' GPS coordinates. Sprint's electronic surveillance manager, Paul Taylor, describes the program's success. With our GPS tool, we turned it on for law enforcement about one year ago last month and we just passed a million requests. That conversation was recorded without Mr. Taylor's consent, which is a terrible violation of Sprint's violation of your privacy. All right, so I mean, it's funny, right? But what the fuck are these guys doing? Eight million pings in one year? So what Sprint did is they set up a special website where law enforcement can log in and view real-time coordinates for any individual under surveillance. Now Sprint used to charge per ping $250 per ping. Back in the old days when they had an analyst sit down and type the command themselves, they removed that step and now law enforcement just logs in on their own special web interface. Sprint also has created a system they call L-Site, which is an API that law enforcement agencies can program to and then access the information they want with their own systems. So the DEA, the Drug Enforcement Administration, is the first test pilot user of the system and every DEA office has a terminal in it where an agent can sit down and type up the subpoena or the order or whatever. 
It gets sent electronically, cryptographically signed to Sprint systems, it gets put in a bug tracker, Sprint's people monitor it, put the data back in and then it gets sent back to the analyst. It's cut the response time from days to hours. So Sprint employee, or the DEA folks put it in the evening before the next morning the data's waiting for them. I mean, it's cutting through red tape but I would argue that the red tape is actually a feature, not a bug. But this stuff is really scary. Sprint is not the only company that is providing this GPS information but they are at least right now, as far as I know, the only one that has provided it in such an easy and friendly to use manner. All right, so stored communications, I messed up my slides before. All right, so this includes your email inbox, your Google documents, your spreadsheets, your search queries, your password protected private blogs, your instant messaging communications if saved by a service provider and archived cellular text messages. So this is all the data we store with Google and Yahoo and Microsoft and Flickr and all these other companies. And the legal standard to get this information is ridiculously low and so obscure and weird, right? So if your emails are 180 days old, it requires one threshold but once it's 181 days it's a much lower threshold. The minute you've opened up your emails it's easier for the government to get. They can get your sent mail and your drafts with a simple subpoena. The standards are just really, really weird but the take home message is it's very easy for them to get your information. So most ISPs don't talk about the number of requests they get. Google is actually the first and they released this really handy tool in April this year and they show on a country by country basis how many requests they get. Take home lesson here, a message really is that they're not getting that many requests. 
So 3,500 requests a year in the US but again that doesn't say how many individuals' communications were disclosed just how many requests can be for 10,000 individuals. It also notes that this doesn't include intelligence orders because it's illegal for Google to disclose the existence of those but no other ISP has created anything like this and Google has pledged that every six months they'll be updating this. So this is actually pretty cool even if it isn't actually particularly useful. All right, a few other data points. In May of 2009 an unknown Facebook employee gave an interview with Newsweek saying that they were getting between 10 and 20 requests per day. That was when they had like 200 million users and now they have 500 million so maybe it's twice as much as that. In 2006 AOL was getting 1,000 requests a month but that was when AOL had customers so I don't know how many they're getting now. Time Warner revealed just recently that they get about 560 requests a month. This is because they don't wanna provide people's IP addresses to copyright lawsuits that they revealed this data point. They said that nearly all of those requests they get right now come from law enforcement. Verizon gets a shitload of requests. They get 90,000 requests a year and approximately 35,000 of those are from federal officials and 54,000 are from state and local officials. We don't have any numbers for AT&T or Sprint or T-Mobile but it's reasonable to assume that the vast majority of the requests are going to phone companies right now. This is because they have the longest relationship with the government like all the police know how to submit a request to AT&T whereas they don't know how to submit a request to Twitter. All right, so this awesome document landed in my lap a few weeks back. So this is, you'll see the details in a minute. This is, there's a really nice DOJ agency that can't disclose the identity of them yet that keeps a database of every request they submit to every ISP. 
They list the recipient of the request and the reason for it. So this is information from 2006. You can see that Yahoo and Microsoft Hotmail are the big winners here, the recipient, the major recipients. 2010, oh look, MySpace is now the number one recipient by a huge margin. MySpace is just receiving massive amounts of requests. Well, a few years ago a researcher at Berkman named danah boyd hypothesized that basically poor people use MySpace and rich people use Facebook. That there's been a white flight from MySpace and that the only people who are left behind are those not likely to go to college. Well, you know, unsurprisingly, if there are people who are more poor and more minorities on MySpace, then they're gonna get more requests because they're unfortunately on the receiving end of most government investigations in the real world, so why not in cyberspace too. What these users don't know is that MySpace actually goes out of their way to help the government. MySpace is by far the best friend forever of the government. And I'll get into that later, but MySpace's chief security officer told me at a conference that it's a matter of pride that the company doesn't charge for the tens of thousands of requests they get per year. They see it as a service to their customers, their customers being, of course, the government. All right, so those are the stats that we have. Now let's look into something a little bit more interesting. So in which ways, in which technical ways can companies actually differ on privacy and protect their customers? All right, first, email headers. This is a lovely technical audience, I can speak about these things. We all know that there is interesting information in email headers, what you may not know is that web mail providers voluntarily put in some special headers. So Microsoft and Yahoo put in their customer's current IP address in the headers of outgoing mails. 
What that means is that if you're sitting in an internet cafe at your house and using Microsoft Hotmail or Yahoo, your computer's IP address is going in the outbound email header, not Microsoft or Yahoo's server's IP address. This is not required by technical standard, this is something that they've chosen to do to help the government or to cut down on the number of requests they receive from the government, but Google doesn't do this and several other web mail providers are not doing this. So it's important to note that these two companies are voluntarily providing their customers' information and actually not telling their customers that they're doing this. They're not the only one, though. So between 2006 and 2009, Facebook was adding users' IP addresses to every automated message that was sent. So if you commented on someone's wall or you poked them or did something stupid like that, your IP address would get sent in the notice that was sent to them. I think it's slightly interesting that Zuck Mail, the email server named after Zuckerberg was leaking your personal information. So in 2009, they changed, they started including the information in an encoded form. This is Base64, so it doesn't take rocket science to reverse it. Once people figured out what was going on, the company quickly removed it. But the impact of including this information is that when this information is in a header, these companies are not in the loop when they get a request from law enforcement. So if I send a threatening email to someone with a Yahoo account, they can look in the header and know exactly which dialup or broadband ISP I use. Okay, well, Yahoo or Microsoft, were gonna have to give that information up anyway. But what if the request comes from the government of Burma or Pakistan or Zimbabwe, where those ISPs actually will tell the government to get lost? In those instances, people in those countries would have had more privacy, had that information not been provided. 
All right, so another really interesting data point. Mobile phone and broadband IP addresses. So at that same conference I went to where I was lucky enough to record the executive from Sprint talking, he revealed that Sprint statically assigns all of their broadband customers IP addresses, and they keep the logs of who has which IP address for 24 months. They also have the URL history of every webpage you view using their WAP gateway, and they keep those for two years. But they note that they don't store it for law enforcement purposes, they store it because when they originally launched their service in 2001, they thought they were gonna bill by the megabyte, but then they decided not to do that. But the reason they keep it is because marketing wants to rifle through the data. How nice of Sprint. So if you're using Sprint, they know which IP address you use, which means if you leave a nasty comment in someone's blog and that person tries to unmask you, Sprint is in a position to reveal who you are and which websites you're going to at that time. Contrast this to Cricket, which is a prepaid service aimed at the poor in inner cities. They use Level 3 Communications, which is upstream provider, they use NAT, they have no idea which users are using which connections. Everyone in the same city comes from a single IP address. And so this is Cricket's surveillance manager at the same conference. And they're apologizing, they're saying, look, we're really sorry, we're not able to help you, law enforcement. We'd like to, but our infrastructure just doesn't provide us with that data. So if you're a Cricket user and you leave a nasty comment on someone's blog, that person isn't gonna be able to unmask you. That's a cool feature, but Cricket is apologetic. They are not advertising this as a privacy feature. Also at the same conference, T-Mobile's person said, yeah, we're in the same boat. 
As Cricket, we don't have the ability to determine IP addresses, everyone comes from the same address in the city. So if you're a T-Mobile user, you can have far more confidence in your ability to leave the flaming comments or download BitTorrent files over their network than if you're using Sprint. I'm not advising that you do that, but I would definitely consider that issue when you're deciding who to renew your mobile contract with. All right, this is an issue that's near and dear to my heart. HTTPS for Webmail. So many of you have seen The Wall of Sheep in previous years. I think it's running this year as well. All right, so when we use wireless networks and we're not using encryption, our usernames and passwords go over the network in the clear, which means that anyone running a packet sniffer can hijack your information, get it, break into your account, steal your data. The solution for this is not rocket science, right? Like it's HTTPS, it's been used by banks for the last 15 years. In 2008, Google said HTTPS can make your mail slower. Your computer has to do extra work to decrypt all that data, and encrypted data doesn't travel across the internet as efficiently as unencrypted data. That's why we leave the choice up to you. Now, in all fairness, Google at least offered its customers a choice. Every other Webmail provider at the time didn't even offer HTTPS. So Google was at least ahead of the pack in offering it, but the choice that they were offering was an option in their settings, the last of 13 options after Unicode, keyboard shortcuts, and vacation responders. So it wasn't exactly a high priority setting in their eyes. Well, in 2010, Google said, you know, over the last few months, we've been researching the security and latency trade-offs, and we've decided that turning HTTPS on for everyone is the right thing to do. 
And then just this week, in testimony before Congress, Alma Whitten, Google's lead privacy engineer, said, you know, we hope other companies will join or will soon follow our lead. We're the first and only provider to do this, blah, blah, blah. Well, why did Google do this? What caused them to change their tune? Well, last May or last June, I wrote an open letter to Eric Schmidt, and it was signed by 38 other experts, including some folks who speak at this conference and some folks in the community. And they said, we said, look, this is the responsible thing, turn this shit on, encrypt your user's data. It's totally irresponsible to let this stuff go out and make it over the wire. Google turned around and said, yeah, we're gonna look into this, and then six months later, they did it. All right, so who still doesn't offer HTTPS by default? Twitter, Facebook, Google's other services, so Google Docs, Google Calendar, Google Search. They just started offering encrypted search a month or two ago, but it's not on by default. All right, who doesn't use HTTPS at all, even as a configurable option? So Yahoo, Hotmail, Bing, Search, MySpace, these providers don't offer any encryption at all after your username and password goes out over the wire. All right, well, maybe it's expensive, right? Like, buying all those crypto accelerators, it's really, really expensive. You have to buy this gear, put it in data centers, configure all these servers. How many thousands of servers does it require to support SSL? None. At this point, it's free. So this is Google's SSL engineer, Adam Langley on a blog post just last month, revealing that they had zero new machines deploy, that SSL accounts for less than 1% of the CPU load, less than 10KB of memory per connection, and less than 2% network overhead. So encryption is free for these companies. This means there is no longer any reason not to protect your customer data with SSL, right? SSL is awesome. 
It protects your users from passive network monitoring. It protects them from many hijack attacks, and it protects them from passive network surveillance by folks at NSA who have convinced AT&T to give them access to their backbone. This is a good thing, and many ISPs should be doing it. All right, but network encryption isn't enough. We also need storage encryption. So when you upload your data into the cloud, the file should be encrypted so that no one can get the information. A few companies have been leading the way here, so I don't know how many of you are using the Firefox web browser. They have an add-on that's, I think, gonna become part of the browser at some point called Firefox Sync. It synchronizes your cookies and bookmarks and stuff across multiple computers, across your wireless, or your handheld. And the data is stored on Mozilla servers, but it's encrypted with a key that Mozilla doesn't have. Mozilla cannot be compelled to reveal your bookmarks. This is a really awesome thing, and probably the reason that they've designed it this way is because they're not profiting from it, right? Whereas if your web mail provider pays for their costs by scanning your email and showing you ads, it's unlikely that they're ever gonna be able to offer you encrypted storage of your data, right? They need to be able to access the plain text of your communications to pay their hosting costs. Two other awesome services, SpiderOak is a secure backup service, and Tarsnap is a similar service that has no graphical user interface. Both offer encrypted backups. Really, really cool, really fun, and subpoena-proof. What about data retention? So through collecting some information, I've been able to get the data retention periods for a bunch of service providers. Some of this stuff has been leaked. I've gotten other information other ways. 
Take home lesson is that your IP address connection information is retained across the board at companies, Microsoft keeps it for 60 days, AOL keeps it for 90 days, MySpace for a year, Time Warner for six months. Companies all have these policies. They all have established policies for how long they keep data and when they delete it. But they don't tell their customers about these policies. The one area where they do tell their customers is in the search engine space. So over the last couple of years, European regulators have been beating up the search engines and pushing them to start deleting IP address data. In response, all have moved, right? So Microsoft now deletes the entire IP address from their logs after six months. Yahoo anonymizes some of their logs after three months. They keep a second set for security purposes that only a few engineers have access to but that can still be subpoenaed up until six months. And then Google does a really shitty job of anonymizing their data. They delete the last octet of the IP address at nine months. So like one in 255, Google is not doing a good job in this space but they're all anonymizing their logs after a certain number of months. Well, does this matter? No. So Google's head privacy lawyer spoke to Wired in 2007 and basically said that when law enforcement comes for data, they come a couple of days after the searches were done, right? So deleting the data at six months, at nine months, at one month, it doesn't really matter because when law enforcement is coming, the companies have the full data in their possession. What about Microsoft? Well, they were asked by the New York Times a couple of years ago why they wouldn't adopt zero data retention. And Microsoft said, too much privacy is actually dangerous. Anonymized search can become a haven for child predators. We wanna make sure that users have control and choices but at the same time we wanna provide a security balance. 
Well, I don't really want my service provider to be striking that balance. I want them to be deleting the data on day one or to not keep it in the first place. But you should think about this. When companies say, "We protect your privacy, we care about your privacy, we put your privacy first," then they're making these statements and cutting these deals behind closed doors, right? So when companies talk about putting your privacy first, what they're talking about is putting your commercial privacy first. We want to share your data with third parties. We want to sell your data. None of them consider their relationship with the government to be a part of that aspect of privacy. So one interesting thing is that when companies have these data retention policies and they don't talk about the data retention policies, when they change the number of months after which they keep the data, no one knows, right? So this is, these are screenshots from MySpace's law enforcement handbook which they publish and compile and give to any law enforcement official in the country. You can see that in 2006, they kept 90 days worth of logs and in 2007, they kept one year of logs. So they massively multiplied the length at which they keep data and they never told their customers. The reason is their privacy policy doesn't include this stuff. Their privacy policy says, we will provide your data in certain circumstances, we protect your privacy, we value your privacy, blah, blah, blah, but they don't actually include the important details. The place those details are listed are in the law enforcement handbooks but they don't share with their customers. All right, so there are also these non-technical methods by which companies can protect your privacy and companies do differ in these ways, right? So not every company is the same in the way that they respond to requests. Emergency requests, all right? 
So we have requests that come with court orders, we have requests that come with subpoenas, that come with some legal process and we have these emergency requests. What this means is that the law says that if a provider in good faith believes that an emergency involving danger of death or a serious physical injury to any person requires disclosure or delay of communications related to the emergency. So what this means is that the feds or local police can go to an ISP and say, someone's gonna die, we need this person's data. Sounds reasonable, right? You don't wanna stop the investigation in its tracks. Well, when you have two paths, one with high work and one with low work, everything shifts to the low work track and so suddenly there are lots and lots of emergencies. So how many are there? A huge fucking amount. So of the approximately 90,000 requests that Verizon received from government agencies each year, 25,000 are emergency requests. These are requests that have no court order, no subpoena, no search warrant, no oversight at all. This is a police officer calling them up or writing a fax saying someone's gonna die and the ISPs don't even have to learn about the circumstances. They can take the police on their word. So the important thing is here that the feds are not actually submitting loads of emergency requests to Verizon. They're all from state and local law enforcement. So like missing person in the woods or a murder or something. I don't know what the cases are because unfortunately because there's no court order, there's also no paper trail to follow up so we have no idea what these emergencies are. It's important to note that a voluntary disclosure means a voluntary disclosure, right? So according to the internet service providers association which represents all the big ISPs, there is never an emergency obligation on an ISP to disclose. The ISP has the right to tell the government to get lost and to come back with a warrant. 
They can and in some cases the ISPs do. There is a process by which the police can wake a judge up at two in the morning and get him to sign a court order. I know because they did one and used it to break into my house. They can call up a magistrate over the phone and he'll issue the order by fax. It can take half an hour. So this isn't a serious issue, but very few ISPs actually say no. All right, so a company's policy on emergency requests is one of the most important indicators regarding its overall commitment to privacy because this is an area where they can actually say no. When they get a court order or they get a search warrant, there's nothing they can really do. The warrant is, if it's valid, they have to disclose the data. But when it's a voluntary request, the ISP can put their foot down. But we don't know how many say no because they don't talk about it. This is like an area of uber-uber secrecy. Because the ISPs think that if customers find out that they're doing this, that they will not entrust them with their data. Maybe for a good reason. All right, well, what about the cost? Nothing is free in this world. Companies are legally permitted to pass along the cost of surveillance to the government. This includes labor, capital costs, including associated with hardware and software, the development of the wiretapping systems. As an example, Sprint has a hundred employees doing nothing but wiretapping their customers. I'm providing their customers call records and location and other stuff. That isn't free, right? Those folks all have salaries. What's interesting is that these companies charge, on a regular basis, and actually right now, several big ISPs are under investigation by the Department of Justice for overcharging the government. Again, because we don't know how much they're charging. All right, so this is some information that came out of a report a couple of years ago. This details the prices for different ISPs. 
It's tough to read, but basically, you can see that the average cost of an intercept is between one and a half and two and a half thousand dollars. They're charging big bucks for these intercepts. Not everyone charges though. MySpace, Facebook, and Microsoft don't charge at all. They've decided that they would like to help the government in any way they can. So they just give the information for free. Well, you know, is it good or bad that these companies are charging? Well, so there are actually some benefits to the public when ISPs charge. This is, again, a telecommunications lawyer, Al Gidari, speaking. When records are free, law enforcement overconsumes with abandon. But when service providers charge for extracting data, law enforcement requests are more tailored. Also, when you charge, there's an invoice, there's a check, there's a paper trail. And so over the last couple of years, I've been filing FOIA requests to get the invoices. So you can see here that Google charges $25 for your email account. It's pretty interesting to know. Also, Yahoo charges $20.39, or $20.41. What's the difference between those two numbers? The increase in the cost of a stamp. Yahoo is passing on the cost of a stamp to the government for every time they hand over your data. I think this is pretty cool, actually. All right, so as I said before, all of these ISPs have surveillance manuals in which they detail their policies, their costs, everything else. They provide sample subpoenas so that the police don't have to spend as much time writing up the requests. Many of these surveillance manuals have leaked onto the internet recently. I've got copies and they're really interesting. You can see them all at cryptome.org. That's where they're all hosted. This is my favorite. This is Sprint's surveillance manual. You can check out the awesome clip art. 
Thankfully, folks, other companies are pitching in, like Yahoo, who is currently facing a freedom of information suit that seeks to learn how much money they made selling their customers' private information to the feds. They are fighting this suit because according to their lawyer, the information, if disclosed, would be used to shame Yahoo and other companies and to shock their customers. I, for one, am shocked. Does Yahoo still have customers? So, you know, there's always this talk about bloggers ripping off the mainstream media, and I don't know if Stephen Colbert counts as the mainstream media, but both that Sprint recording and this FOIA request that he's citing are mine and he didn't mention my name on the air, so I think it's totally appropriate that I then use a clip of his without paying for it. All right, so we know that ISPs differ on privacy. We know that some fight more requests than others. We know that some go out of their way to help the government. I think it's interesting to note that, so Yahoo's surveillance manual showed up on Cryptome, which is a website. Yahoo sent a cease and desist. Then a few weeks later, Microsoft's surveillance manual showed up on Cryptome, and Microsoft really went hardcore after Cryptome and had the site shut down. Their upstream ISP pulled the connection for a little while. These companies don't want their surveillance manuals getting out because it makes them look bad, right? They're spilling all the goods and describing all the ways in which the government can get your data and the prices they charge. This is damning stuff, but I really recommend that you look through these because it's really interesting. So from this information though, maybe we can do a little bit of analysis and say, well, which ISPs suck the least? Which ISP is not gonna totally violate your privacy? All right, so let's start with Sprint. 
Sprint retains their IP address logs and the URLs viewed for two years and they provided eight million GPS pings to law enforcement in one year. I don't think these guys are very good, so I wouldn't recommend using Sprint. Verizon, when sued by EFF for assisting in the warrantless wiretapping program, actually went to court and argued that they had a First Amendment right to disclose their customers' communications to the government. They believe they have a free speech right to share your information. So screw Verizon. What about AT&T? One word. All right, so by process of elimination, T-Mobile is the largest reasonable communications carrier. They use NAT, they have no IP logs to keep, they don't retain the URLs that you view and at least I haven't found any public materials that indicate they went along with the NSA warrantless wiretapping program. They very well may have, but they didn't get caught doing it, which is more than I can say for the other two big service providers. Also, it's important to know that prepaid phones are your friend. There's a bill in Congress right now to try and ban the use of prepaid SIM cards. Hasn't gone through yet, so I recommend that you buy several SIM cards and share them with your friends. So, it is important to know that companies do differ on privacy and they don't wanna talk about why they differ. In many cases, they're apologetic for the ways they differ, but you can significantly impact and protect your own privacy by intelligently picking your service provider, your email provider, by using an encrypted cloud service rather than one that data mines your information and serves you ads. I would like that you be able to walk into Best Buy and in addition to comparing who has the sexiest new phone or who has the cheapest prices, that you could actually compare who fights law enforcement requests the most or who keeps the least amount of data. We don't have that yet, but hopefully we will in the near future. Thank you.