They'd gathered for the ISS World Conference, a trade show featuring the latest in mass communications intercept gear, held in the Washington, D.C., suburb of Crystal City, Virginia. Situated conveniently between Reagan National Airport and the Pentagon, Crystal City is an artificial place dominated by conference centers and hotels, set up to accommodate the endless, and often secret, intercourse between the U.S. military and its myriad itinerant contractors, lobbyists, consultants and trainers. They rotate in and out, civilians using the airport, military personnel taking the subway from the Pentagon, with Crystal City as the intersection in a figure-eight circuit of constant activity.
Back in the narrow hotel corridor, vendors manned their booths, exhibiting the latest gadgets for mass electronic surveillance: machines capable of scouring the data streams of millions of subscribers -- industrial-strength kits for packet interception and analysis, RF interception, and voice and keyword recognition.
These devices are a bonanza for the communications hardware industry, vouchsafed by the U.S. Communications Assistance to Law Enforcement Act of 1994, or CALEA, which mandates that all new telephone company gear must be wiretap-friendly, or "CALEA compliant," according to the popular euphemism. This has led to a seller's market with equipment makers pushing their dual-use kits with exceptional confidence. The sales pitch has evolved beyond the traditional points of reliability, scalability, total cost of ownership and ease of deployment to exploit the hard-sell undercurrents of mass-scale commerce that's mandated by law and funded by taxpayers who are powerless to review the deals and evaluate their various costs and benefits to society.
While U.S. telephone companies are well accustomed to CALEA requirements (designed originally to make mobile phone networks as wiretap-friendly as land-line systems), the Federal Communications Commission has declared itself competent to expand the act to cover voice over internet protocol outfits and internet service providers as well. This expansion has been challenged in federal court, and the conflict has boiled down to a simple phrase in the law, exempting providers of "information services" (as opposed to communications services) from CALEA obligations. The Department of Justice, ever eager for opportunities to plug law enforcement into the internet at the most basic levels, claims that ISPs, like telephone companies, are communications services, on grounds that instant messaging, VOIP and e-mail constitute a significant replacement for traditional telecommunications.
The FCC is in complete agreement with the Justice Department, and has issued its demand for compliance by May 14, 2007. The case, currently on appeal, is pending in a federal appeals court in Washington, D.C., where, comically, one judge characterized the FCC's legal arguments as "gobbledygook." Thus it's possible that only VOIP services that use the public switched telephone network will be covered by the CALEA, leaving peer-to-peer VOIP outfits and ISPs in the clear. A decision should arrive in a few months' time.
Despite this uncertainty, ISPs (and universities) have become new sales targets for the surveillance equipment industry -- fresh leads, so to speak -- and the hustle is uniform and loud: "CALEA is coming, and you'd better be ready."
In the conference rooms, salesmen pitched their solutions for "lawful interception." In attendance were the generally responsible representatives of North American and Western European government and law enforcement, but also numerous representatives of naked state control in the Middle East, Asia and Africa. The phrase "lawful interception" might have meaning in the United States, Canada and Europe, but this was the ISS world conference, after all, with attendees from more than 30 countries.
Narus was there, maker of the kit fingered by Mark Klein and allegedly used with impunity by the National Security Agency at numerous AT&T facilities for mass, domestic internet surveillance, and, the company boasts, used by Shanghai Telecom "to block 'unauthorized' internet calls."
There were European heavyweights like Ericsson and Siemens, American giants like Raytheon and light-heavyweights like VeriSign and Agilent, along with a vast host of leaner, more specialized, surveillance outfits such as Verint, Narus and the like. They offered equipment and services capable of every manner of radio frequency and packet interception, with user interfaces and database structures designed to manage and deliver not just information but "actionable data," properly organized and formatted for easy prosecutions.
Certain conference sessions, according to the schedule, were "open to sworn law enforcement agents only." But there was no discrimination between the more punctilious law enforcement agencies of democratic nations and those hailing from quarters where darker practices are commonplace.
The last thing anyone involved wanted was publicity. Unfortunately, I had a job to do, although it would be difficult; the press had been strenuously dis-invited, and Wired News' efforts to get credentialed for the event firmly rebuffed. I spent my first day lurking in public areas of the hotel. In the lobby, two nattily dressed men with Caribbean accents were being hustled by an American salesman. The Caribbean fellows stiffened upon my approach, and warily lowered their voices. I buried my nose in the paper and listened.
I could hear little of what the two potential customers said, but the salesman, God bless him, was a loudmouth, and I was able to piece together parts of the conversation from his various announcements. It seemed elements of the deal that he was attempting to close were challenging. This may have had to do with his customers' qualifications to take delivery of surveillance equipment, perhaps because they weren't legitimate government representatives, or the government that employed them was subject to U.S. export restrictions. I never learned the exact problem with getting the equipment into the customers' hands, but it was obvious that there was one.
The salesman concluded with a hearty recap. "I'm glad we had the chance to meet in person; this is not a conversation I'd want to have on the phone, for obvious reasons," he roared. Everyone laughed heartily.
Later, at the bar, I sat beside three Americans: two cops and a civilian police employee. They bitched about how difficult RF interception is, how the equipment is complicated and its user interfaces mysterious, and the difficulty of getting adequate funds and properly trained personnel to carry out surveillance effectively.
Grant money is to be avoided, they agreed. It's got strings attached -- strings like performance milestones and complicated reporting demands. And on top of that, there's such an assload of damned frequencies, and it's such a trial just to get the kit dialed in. You can waste hours listening to TV instead of the subject's cell phone. But all the brass understands is hard evidence leading to arrests, they whined.
This was suggestive stuff, but it's not what I came for. On day two, it was time to make a move. I went to the registration booth and requested a pass and a press fee waiver. "The conference isn't open to the press," a receptionist explained with a fluty tone of voice and an android smile. A uniformed security guard took a step closer, for emphasis.
I withdrew, bloodied but unbowed.
In the bar that night, things got interesting. A group of men associated with the Pen-Link and Lincoln electronic surveillance systems came in. I exchanged small talk with them for a bit, then moved to their table. Although I had identified myself as a journalist, an enthusiastic reseller of the equipment decided to hold forth. We drank a great deal, so I won't name him.
"I'm not much concerned about wiretaps in America and Europe," I'd been saying to one of the Pen-Link engineers, "but I wonder if it bothers you to consider what this technology can do in the hands of repressive governments with no judicial oversight, no independent legislature."
Our man interrupted. "You need to educate yourself," he said with a sneer. "I mean, that's a classic journalist's question, but why are you hassling these guys? They're engineers. They make a product. They don't sell it. What the hell is it to them what anyone does with it?"
"Well, it's quite an issue," I said. "This is the equipment of totalitarianism, and the only things that can keep a population safe are decent law and proper oversight. I want to know what they think when they learn that China, or Syria, or Zimbabwe is getting their hands on it."
"You really need to educate yourself," he insisted. "Do you think this stuff doesn't happen in the West? Let me tell you something. I sell this equipment all over the world, especially in the Middle East. I deal with buyers from Qatar, and I get more concern about proper legal procedure from them than I get in the USA."
"Well, perhaps the Qataris are conscientious," I said, "and I'm prepared to take your word on that, but there are seriously oppressive governments out there itching to get hold of this stuff."
He sneered again. "Do you think for a minute that Bush would let legal issues stop him from doing surveillance? He's got to prevent a terrorist attack that everyone knows is coming. He'll do absolutely anything he thinks is going to work. And so would you. So why are you bothering these guys?"
"It's a valid question," I insisted. "This is powerful stuff. In the wrong hands, it could ruin political opponents; it could make the state's power impossible to challenge. The state would know basically everything. People would be getting rounded up for thought crimes."
"You're not listening," he said. "The NSA is using this stuff. The DEA, the Secret Service, the CIA. Are you kidding me? They don't answer to you. They do whatever the hell they want with it. Are you really that naïve? Now leave these guys alone; they make a product, that's all. It's nothing to them what happens afterward. You really need to educate yourself."
On day three, the last day of the conference, I had nothing left to gain from working the periphery, hence nothing to lose from being tossed out, so I strolled past the android and the uniformed guard. No one challenged me. I chatted with vendors. I grabbed brochures from their tables and handouts in the conference rooms. I hung out on the veranda and smoked with fellow tobacco addicts.
The best conversation I had was with Robert van Bosbeek of the Dutch National Police. I asked him if he was tempted to buy anything.
"Not really," he said with a laugh. "But it's always good to see what's on offer. Basically, we're three or four years ahead of all this."
He said that in the Netherlands, communications intercept capabilities are advanced and well established, and yet, in practice, less problematic than in many other countries. "Our legal system is more transparent," he said, "so we can do what we need to do without controversy. Transparency makes law enforcement easier, not more difficult."
By noon on day three, the conference had wound down. The final thing I needed was the forbidden packet, with its CD of the slides from the presentations. I would have it in spite of the android. Indeed, because of the android.
I waited in the lobby. A group of Koreans came down the stairs. I know this because they spoke Korean, and few outsiders speak it. It's not a popular language, like French or English.
As it happens, I can speak it a little. Most Koreans are charmed by foreigners who can mutter even a few words of their mother tongue, so I chatted for a bit, and asked if I might copy the conference CD onto my notebook computer. They were happy to oblige.
Naturally, this forbidden object contained nothing that could justify keeping it from a journalist. There were no stunning revelations about new intercept equipment designs, capabilities or techniques. Making it unavailable was just another expression of the conference director's small-minded attitude of hostility toward the press.
An attendee told me that during one presentation, a discussion arose about whether the press should be invited to future ISS conferences. Some of those present believed that secrecy only leads to speculation, which is usually worse for trade than the facts. Others believed that reporters are too ignorant to write competently about the secret intercourse between big business and law enforcement, and should be told as little as possible in hopes that they'll have nothing to write. Judging by my own experiences, it was clear that the second line of reasoning had prevailed.
But it's foolish to be secretive: A determined reporter can't be thwarted, and it's better that one should have more rather than less information to work with.
It's ironic that spooks so often remind us that we've got nothing to fear from their activities if we've got nothing nasty to hide, while they themselves are rarely comfortable without multiple layers of secrecy, anonymity and plausible deniability. While there was little or nothing at the conference worth keeping secret, the sense of paranoia was constant. The uniformed guard posted to the entrance was there to intimidate, not to protect. The restrictions on civilians attending the law enforcement agency sessions were, I gather, a cheap marketing gesture to justify their $6,500-per-head entrance fee with suggestions of secret information that the average network-savvy geek wouldn't have known.
In the end, all this surveillance gear and attendant hype becomes meaningless with simple precautions like encrypted VOIP, a good implementation of virtual private networks, and proxies and SSH for web surfing, IM, internet relay chat, webmail and the like. Skype's VOIP service is encrypted but closed-source. Still, there's SpeakFreely, a peer-to-peer, open-source VOIP app; Zfone, an open-source VOIP crypto plug-in from PGP honcho Phil Zimmermann; Invisible IRC, an open-source IRC proxy implementation that includes anonymization and encryption features, plus other dodges too numerous to mention.
The popular law enforcement myth is that crooks are getting ever more sophisticated in their use of modern technology, so the police have got to acquire more "sophisticated" point-and-drool equipment to catch them. We find versions of this incantation in virtually every Justice Department press release or speech related to CALEA. But these tools -- especially in the IP realm -- are not so much sophisticated as complicated and very expensive. They're a bad alternative to old-fashioned detective work involving the wearing down of shoes and dull stakeout sessions in uncomfortable quarters such as automobiles. The chief impulse behind this law enforcement gizmo fetish is laziness, and it's a bad trend: The more policemen we have fiddling with computer equipment, the fewer we have doing proper legwork.
The windup is that garden-variety crooks will remain those most susceptible to remote, electronic surveillance, while sophisticated, tech-savvy bad guys will continue operating below the radar. CALEA and its most potent technological offspring are inadequate to catch the people who most need catching. The project of "lawful interception" is huge, grotesquely expensive, controversial, infused with unnecessary secrecy and often useless against the most important suspects it purports to target.
It poses a tremendous threat to human rights and dignity in countries without adequate legal safeguards, and still invites occasional abuses in countries with them. Its costs are paid by citizens who are deliberately kept in the dark about how much they're paying for it, how effective it is in fighting crime and how susceptible it is to abuse. And that's the way the entire cast of characters involved wants to keep it.
Which, of course, is exactly why the public needs to know much more about it, even if it requires rude tactics like crashing the spooks' soirée.