Wired's ThreatLevel is carrying an article by Ryan Singel which cites remarks made by Assistant Attorney General for National Security Kenneth Wainstein on Monday:
At the breakfast yesterday, Wainstein highlighted a different problem with the current FISA law than other administration officials have emphasized. Director of National Intelligence Mike McConnell, for example, has repeatedly said FISA should be changed so no warrant is needed to tap a communication that took place entirely outside the United States but happened to pass through the United States.
But in response to a question at the meeting by David Kris, a former federal prosecutor and a FISA expert, Wainstein said FISA's current strictures did not cover strictly foreign wire and radio communications, even if acquired in the United States. The real concern, he said, is primarily e-mail, because "essentially you don't know where the recipient is going to be" and so you would not know in advance whether the communication is entirely outside the United States.
Which means that all the alarmist fear-mongering was...alarmist fear-mongering. It means that phone calls are NOT the major concern.
The Washington Post's story by Ellen Nakashima and Paul Kane, datelined March 4, 2008, is the source of the quoted passage above. Singel's Wired blog entry goes on to note:
But that also means all the hysterical screaming and the dire scenarios constructed by right-wing spying proponents based on very thin evidence of what the secret court actually ruled -- all of it is just wrong.
And more to the point, the Justice Department and the Office of the Director of National Intelligence allowed them to be wrong for months. They allowed and facilitated their supporters to scare freedom loving people with phantoms of lost wiretaps.
One of the important differences between telephone calls and email is that phone calls originate and terminate in locations whose jurisdiction can be determined via knowledge of the telco's network topology and numbering assignments. For example, anything 314-xxx-xxxx is in Missouri. So for purposes of determining whether any particular call originates or terminates outside the US, mapping that topology to national borders should suffice.
But that's not true for email. Email can be submitted from anywhere and retrieved from anywhere: for example, someone in Iowa might send email to someone in Illinois via a server in the UK. Or someone in France might send mail to someone in Germany via the US. And then there are all the ways that mail might be retrieved, either with a mail client using POP or IMAP, or with a web-based email service like Gmail.
Which means that if you really want to be serious about vacuuming up all email that might be passing through US borders, then you're really left with no choice: you have to go after all of it. Everything you can possibly get. Because there's no way to know, a priori, where it's coming from or where it's going.
With that in mind, consider something else Singel says:
DNI Michael McConnell, the serial exaggerator who claims to be a non-political straight shooter, himself kept saying the NSA lost 70 percent of its capabilities after the ruling.
If that's the case, that means that 70 percent of what the NSA does is collect emails inside United States telecom infrastructure and service providers.
Twenty-plus years ago, there were rumors and smartass jokes that the NSA was collecting every Usenet news article and tossing them into their bin for analysis. A contemporary snarky response to this was to include "NSA fodder" in the signature of postings, using keywords imagined likely to match those of interest. Now it appears that they're really doing exactly that -- but likely using far more sophisticated techniques, such as syntactically and semantically aware search engines. I'll skip over the technical details of how all this plumbing might be put together; suffice it to say that data taps in places like Room 641A combined with basic knowledge of SMTP and POP/IMAP would make it easy to grab everything in transit, and national security letters delivered to major email service providers, compelling them to provide access to their servers, would pick up much of the rest.
Kurt Opsahl of the EFF has also commented on this; I recommend reading his comments in full. A brief excerpt:
In short, Wainstein said that the current interpretation of FISA does not impede the interception of foreign-to-foreign telephone calls - even after the secret FISA court ruling that McConnell claims required the change in the law. Indeed, it does not impede the interception of foreign-to-foreign emails, VOIP calls or other communications, so long as you know both ends are foreign.
This is a critical admission because it puts the lie to talking points made all over by supporters of the wiretapping legislation.
It's time -- past time -- to consider encrypting your email, using strong encryption and open-source software like GnuPG. (Closed-source software simply can't be trusted, because it may have weak encryption or back doors.) Even that may not be sufficient: it's possible that the NSA (or someone else) has broken the encryption algorithms and managed to keep that fact from becoming public knowledge. But (a) it's still worth trying and (b) it may still be effective against anyone with fewer resources.
I was going to write "it's also past time for Congress to hold open hearings on this and get some answers", but even with very little sleep last night and not enough coffee yet this morning, I know that's not realistic.