Wiretapping emails and phone calls has always been a contentious law enforcement tactic. But now surveillance is becoming more of a legal minefield than ever in the United States, thanks to a clash between European and American eavesdropping regulations—and some telecom firms could be handing over data on suspects without court authorization.
That’s according to a company that plays a significant but little-known role monitoring communications for agencies like the FBI, the DEA, and the Department of Homeland Security. Subsentio, based out of Centennial, Colo., provides telecommunication companies with an outsourced wiretap service—fitting surveillance “probe” equipment into their network infrastructure and then handling spy requests on their behalf. Subsentio won’t say who its customers are, but it claims it deals with major national and international communication firms in the United States and is responsible for “millions of subscribers” across mobile and broadband networks.
When a law enforcement agency like the FBI wants to monitor a person’s communications, it has to get authorization. To obtain metadata showing IP addresses and basic information like “to” and “from” fields in an email, the bureau fills out a form certifying that the requested information is relevant to an ongoing investigation and asks a court to sign off a “pen register” and/or “trap and trace” order. (In 2011, 37,616 of these were approved.) But obtaining communications content—like the body of an email or audio of a call—requires a much higher legal standard, because the authorities in most cases have to show probable cause and obtain a search warrant from a judge.
Subsentio’s surveillance equipment was tailored for U.S. laws, so it provides only the data requested by the applicable court order. But Subsentio President Steve Bock told me in a phone interview last week that some of the surveillance technology used by carriers in the United States to pass communications data to the authorities was built instead to European standards. This means it can’t properly differentiate between pen register metadata requests and so-called “Title III” content surveillance orders. Consequently, “service providers could be delivering content that has not been authorized by the court,” Bock says.
It’s not clear how widespread a problem this is, mainly because the surveillance is shrouded in secrecy. According to Bock, carriers will tend to “deliver too little information instead of too much,” and if the authorities do receive too much data, then they have “minimization procedures” to delete content they were not authorized to receive. But the prospect of telecommunications companies passing on more data than authorized even in a small number of cases will no doubt unsettle privacy and civil liberties groups, who are already up in arms about various government surveillance issues.
Subsentio is trying to cash in on the legal landmines by offering to handle carriers’ surveillance requests and ensure compliance with U.S. law. I contacted 11 of the major wireless and broadband providers to ask whether they had a relationship with Subsentio. Comcast, T-Mobile, and U.S. Cellular said they weren’t customers, Verizon and AT&T wouldn’t comment on the record as a matter of policy, and the others hadn’t responded at the time of publication. Bock declined to comment on his company’s revenue or reveal the number of staff he employs, though he hinted that business is good. “We are busy,” he said, adding that Subsentio has “personnel in virtually every time zone” and runs a “24/7” operation. He also claimed that the company handles “top secret” Foreign Intelligence Surveillance Act requests and, perhaps more notably, told me that wiretaps are on the rise.
“Because of national security issues there is a certain increase in the need for surveillance for terrorist activities,” Bock said.
The question is: How much of that surveillance is being conducted using European-standard equipment—and how often, as a result, are law enforcement agencies receiving more data than a court has authorized?