FBI BBS Surveillance

by Marc Rotenberg

FBI BBS Surveillance (CPSR FOIA Request)

On August 18, 1989 CPSR submitted a Freedom of Information Act request to the FBI asking for information about BBS surveillance. After four follow-up letters, a series of phone calls, and Congressional testimony that discussed the CPSR request, the FBI has failed to respond to our request. (The statutory time limit for the FOIA is ten days).

If any one has information about possible FBI surveillance of bulletin boards or networks, please send it to me. Specific dates, locations, BBSs are important. (You can send information to me anonymously by land mail, if you need to protect your identity).

Thanks for your assistance,

Marc Rotenberg, Director CPSR Washington Office 1025 Connecticut Ave., NW, Suite 1015 Washington, DC 20036 202/775-1588 (voice) 202/775-1941 (Data) [email protected] or [email protected]

Contents: 1. CPSR FOIA Request to the FBI Regarding BBS Surveillance 2. CPSR letter to Congressman Don Edwards regarding FOIA request 3. Chronology of events

[CPSR FOIA Request to the FBI Regarding BBS Surveillance]

CPSR Washington Office 1025 Connecticut Avenue, NW Suite 1015 Washington, DC 20036 202 775-1588 202 775-1941 (fax)

Director Marc Rotenberg

August 18, 1989 FOIA Officer FBI 9th St. & Penn. Ave., NW Washington, DC 20535

Dear FOIA Officer, This is a request under the Freedom of Information Act, 5 U.S.C. 552.

Part I:

I write to request a copy of all materials relating to the FBI's collection of information from computer networks and bulletin boards, such as PeaceNet (San Francisco CA) or The Well (Berkeley CA), that are used frequently by political or advocacy organizations.

In particular, I would like any records which would indicate whether the Bureau is intercepting, collecting, reviewing, or "downloading" computer transmissions from any of the following networks and conferences: Action Southern Africa, AIDS Coalition Network, The American Peace Test, Amnesty International, Association for Progressive Communications, Beyond Containment, Center for Innovative Diplomacy, Central America Resource Center, Central America Resource Network (CARNet), The Christic Institute, Citizen Diplomacy, Community Data Processing, EcoNet, Friends of the Earth, Friends Committee on National Legislation, HandsNet, Institute for Peace and International Security, Media Alliance, Meiklejohn Civil Liberties Institute, National Execution Alert Network, Palo Alto Friends Peace and Social Action Committee, PeaceNet. Quaker Electronic Project, Web, The Well.

This request includes public communications that take place through a computer bulletin board. For example, this would include both transmissions that are available for public perusal, a "conference" or "posting," as well as transmissions that are directed from one party to one or more other specific parties and intended as private, "electronic mail."

Part II:

I also request any records that would indicate whether anyone acting at the behest or direction of the FBI, has any computer accounts on any computer bulletin boards operated by an advocacy or political organization, and, if so, the names of the bulletin boards, and whether the Bureau has indicated the actual organizational affiliation of the account holders to the system operators.

Part III:

I also request any records that would indicate whether the Bureau has ever operated, is currently operating, is involved in the operation of, or is planning to operate, a computer bulletin board that is intended for public use.

Part IV:

I would also like any records which would indicate the circumstances under which it would be appropriate for an agent or authorized representative, asset, informant, or source of the Bureau to intercept, collect, review, or "download" the contents of computer bulletin boards.

Part V:

I would like any records relating to the FBI's development, research, or assessment of computer systems for automated review of information stored in an electronic format, obtained from a computer bulletin board or network.

Part VI:

Finally, I request any records that would indicate whether the FBI has developed, or is planning to develop, a system that could automatically review the contents of a computer file, scan the file for key terms or phrases, and then recommend the initiation of an investigation based upon this review.

I ask that you check with your regional offices in San Francisco, San Jose, Austin, Phoenix, Los Angeles, and New York, in addition to the files that are available in Washington, DC. I also ask that you consult with those agents involved in the investigation of computer crime to determine whether they might be aware of the existence of such records. You should also check any documents relating to John Maxfield, who was employed by the Bureau to investigate computer bulletin boards.

Under the Freedom of Information Act, you may withhold all properly exempted materials. However, you must disclose all non-exempt portions that are reasonably segregable. I reserve the right to appeal the withholding or deletion of any information.

Under the Freedom of Information Act, CPSR is entitled to a waiver of all fees for this request because the "disclosure of this information is likely to contribute significantly to the public understanding of the operations or activities of the government and is not primarily in the commercial interest of the requester." CPSR is a non-profit, educational organization of computer scientists. Our work has been cited in scholarly journals, trade publications, and the national media. CPSR has particular expertise on the use of computer technology by the FBI, having prepared an extensive report on the proposed expansion of the NCIC at the request of Congressman Don Edwards. For these reasons, CPSR is entitled to a waiver of all fees.

If you have any questions regarding this request, please telephone me at the above number. I will make all reasonable efforts to narrow the request if you determine that it has been too broadly framed.

As provided in the Freedom of Information Act, I will expect to receive a response within ten working days.

Sincerely yours,

Marc Rotenberg, Director

Washington Office, Computer Professionals for Social Responsibility

[CPSR letter to Congressman Don Edwards regarding FOIA request]

February 27, 1990 Representative Don Edwards Subcommittee on Civil and Constitutional Rights House Judiciary Committee 806 House Annex 1 Washington, DC 20515

Dear Chairman Edwards:

I am writing to you about a particular FOIA request that CPSR has pursued since August of last year. We asked the FBI for information about the monitoring of computer networks and bulletin boards. We initiated this request because of the obvious civil liberties interests -- speech, associational, and privacy -- that would be endangered if the FBI's examination of the contents of computer systems failed to satisfy appropriate procedural safeguards.

After six months of delay, five certified letters to the Bureau's FOIA/Privacy Act office, and many phone calls with the FBI's FOIA officers, we have not received even a partial response to our request.

On September 20, 1989 a FOIA officer at the FBI assured us that information would be forthcoming "in a couple of weeks." A letter from the FBI FOIA/PA office on December 22 indicated that information responsive to our request "has been located and will be assigned for processing soon." But when I spoke with a FBI FOIA Officer on February 15, less than two weeks ago, I was told that they "haven't even started" to process the request and that the FBI couldn't say when we would receive a response. (Please see enclosed chronology and attachments).

The need for this information is truly urgent. Further delay will constitute a denial. Congress is now considering several computer crime bills, such as H.R. 55 and H.R. 287, that could broaden the authority of federal agents to examine the contents of computer systems across the country. There is a good chance that a bill will pass before the end of this session.

Before Congress and the public should have a complete picture of the FBI's current practices. Computer communications are particularly vulnerable to surveillance and routine monitoring. Computer mail unrelated to a particularized investigation could be swept up in the government's electronic dragnet if the law is not carefully tailored to a well defined purpose. Without a clear understanding of the civil liberties problems associated with the investigation of computer crime, Congress may be exacerbating a problem it does not yet fully know about.

CPSR's Freedom of Information Act request could provide answers to these questions. The FOIA establishes a presumption that the activities of government should be open to public review and that agency records should be disclosed upon request. But the Bureau failed to comply with the statutory requirements of the FOIA and frustrated our effort to obtain information that should be disclosed. Without this information computer users, the public, and the Congress, may be unable to assess whether the Bureau's current activities conform to appropriate procedural safeguards.

Computer crime is a serious problem in the United States. One auditing firm places the annual loss between $3 billion and $5 billion. Nonetheless, it is necessary to ensure that new criminal law does not undermine the civil liberties of computer users across the country. We requested information from the FBI under the FOIA to help assess the adequacy of current safeguards. The Bureau failed to respond. The result is that the public is left in the dark at a time when significant legislation is pending.

We would appreciate whatever assistance with this request you might be able to provide.

Sincerely yours,

Marc Rotenberg, Director CPSR Washington Office

Enclosure Chronology of CPSR's FOIA Request regarding FBI Monitoring of Computer Networks with attachments

cc: Representative Charles Schumer Representative Wally Herger

FBI FOIA/PA Office

Chronology of events

CPSR FOIA Request

FBI Monitoring of Computer Networks

CHRONOLOGY

Aug. 18, 1989

CPSR sends FOIA request to FBI seeking agency records regarding the FBI's monitoring of computer networks and computer bulletin boards used by political and advocacy organizations. The FOIA request seeks information about:

a) the FBI's surveillance of computer bulletin boards and networks used by political organizations;

b) the FBI's creation of clandestine accounts on computer bulletin boards and networks operated by political organizations;

c) the FBI's creation of secret accounts on public bulletin boards;

d) the FBI's procedures regarding the downloading of information contained on a computer bulletin board;

e) the FBI's research on the automated review of the contents of information contained on computer bulletin board and networks; and

f) the FBI's research on the automation of the decision to initiate a criminal investigation, based on the contents of a computer communication.

The letter requests a fee waiver based on the public interest standard. The letter indicates that CPSR has particular expertise in the evaluation of the civil liberties implications of law enforcement computer systems, having completed an extensive report for the House Judiciary Committee on the proposed expansion of the FBI's computer system, the NCIC. The letter further states that CPSR would work with the FOIA/PA office to facilitate the processing of the request.

Aug. 31, 1989

FBI response #1. FBI sends a letter to CPSR ackn the FOIA request and designating the request "FBI's Computer Networks and Bulletin Board Collection," request no. 319512.

Sept. 20, 1989

CPSR speaks with FOIA Officer Keith Gehle regarding status of request. Mr. Gehle states that he can not send a response "until he receives responses from various agencies." It is "difficult to go to computing indices." He says that he expects to have information "in a couple of weeks,"and will have a response "by October 5, at the latest."

Oct. 16, 1990

CPSR Follow-up letter #1. CPSR confirms conversation with Mr. Gehle regarding Oct. 5 target date and asks FOIA Officer to call to indicate the status of the FBI's response to the request.

Oct. 26, 1989

CPSR speaks with Mr. Gehle. He says, "we are working on your request." "We should have something soon. Hate to give a specific date, but should have a letter for you within two weeks."

Nov. 22, 1989

CPSR follow-up letter #2. CPSR writes to Mr. Gehle, notes that Mr. Gehle said he was working on the request, and the that response should have been sent by Nov. 9. CPSR requests that FOIA officer call CPSR by Dec. 1 to indicate the status of the request.

Dec. 22, 1989

FBI response #2. FBI sends letter, acknowledging receipt of Oct. 16 and Nov. 22 letters. The letter states that "[i]nformation which may be responsive to your request has been located and will be assigned for processing soon." The letter indicates that the FOIA/PA office receives a large number of requests and that delays are likely.

Jan. 9 , 1990

CPSR follow-up letter #3. CPSR writes to Mr. Moschella, chief of the FOIA/PA office at the FBI, acknowledges Dec. 22 letter and location of responsive information. Requests that records be sent by Feb 18, 1990.

Jan. 19, 1990

FBI response #3. FBI sends letter stating that the Bureau has allocated many agents to FOIA processing, that a large number of requests are received. The letter further states that "a delay of several months or more may be anticipated before your request is handled in turn."

Feb. 2, 1990

CPSR follow-up letter #4. CPSR writes to Mr. Moschella, acknowledges Jan. 19, expresses concern about delay. Letter notes that CPSR was assured by a FOIA officer in the fall that "request would be answered within 'a couple of weeks.'"

Feb. 15, 1990

CPSR receives call from Mr. Boutwell. According to Mr. Boutwell, FBI can't say when request will be processed. "Haven't even started. Backlogs and lay-offs during past year . . ." CPSR: FOIA Officer indicated information had been located. FBI: Too optimistic. "Request not yet assigned to an analyst . . . working now on 1988 requests . . . Litigation is taking up time . . . analyst is taking time away from document review for litigation . . . increased requests, fewer personnel, lots of other factors. Would expedite for life and death or due process, pursuant to agency regulations." CPSR: so when do we receive a response? FBI: "Can't say."

The United States Government is monitoring the message activity on several bulletin boards across the country. This is the claim put forth by Glen L. Roberts, author of "The FBI and Your BBS." The manuscript, published by The FBI Project, covers a wide ground of FBI/BBS related topics, but unfortunately it discusses none of them in depth.

It begins with a general history of the information gathering activities of the FBI. It seems that that the FBI began collecting massive amounts of information on citizens that were involved with "radical political" movements. This not begin during the 1960's as one might expect, but rather during the 1920's! Since then the FBI has amassed a HUGE amount of information on everyday citizens... citizens convicted of no crime other than being active in some regard that the FBI considers potentially dangerous.

After discussing the activities of the FBI Roberts jumps into a discussion of why FBI snooping on BBS systems is illegal. He indicates that such snooping violates the First, Fourth, and Fifth amendments to the Constitution. But he makes his strongest case when discussing the Electronic Communications Privacy Act of 1987. This act was amended to the Federal Wiretapping Law of 1968 and But as with all good laws, it was written in such broad language that it can, and does, apply to privately owned systems such as Bulletin Boards. Roberts (briefly) discusses how this act can be applied in protecting *your* bulletin board from snooping by the Feds.

How to protect your BBS: Do NOT keep messages for more than 180 days. Becaus the way the law is written, messages less then 180 days old are afforded more protection then older messages. Therefore, to best protect your system purge, archive, or reload your message base about every 150 days or so. This seems silly but will make it harder (more red tape) for the government to issue a search warrant and inform the operator/subscriber of the service that a search will take place. Roberts is not clear on this issue, but his message is state emphatically... you will be better protected if you roll over your message bas sooner.

Perhaps the best way to protect your BBS is to make it a private system. This means that you can not give "instant access" to callers (I know of very few underground boards that do this anyway) and you can not allow just anyone to b a member of your system. In other words, even if you make callers wait 24 hours to be validated before having access you need to make some distinctions about who you validate and who you do not. Your BBS needs to be a PRIVATE system and you need to take steps to enforce and proclaim this EXPECTED PRIVACY. One of the ways Roberts suggests doing so is placing a message like this in your welcome screen:

"This BBS is a private system. Only private citizens who are not involved in government or law enforcement activities are authorized gained from this system to any government agency or employee."

Using this message, or one like it, will make it a criminal offense (under the ECPA) for an FBI Agent or other government snoop to use your BBS.

The manuscript concludes with a discussion of how to verify users and what to do when you find an FBI agent using your board. Overall, I found Roberts book to be moderately useful. It really just whetted my appetite for more information instead of answering all my questions. If you would like a copy o the book it sells for $5.00 (including postage etc). Contact:

THE FBI PROJECT Box 8275 Ann Arbor, MI 48107

Visa/MC orders at (313) 747-7027. Personally I would use a pseudonym when dealing with this organization. Ask for a catalog with your order and you will be sure the FBI would be interested in knowing who is doing business with this place. The manuscript, by the way, is about 20 pages long and offers references to other FBI expose' information. The full citation of the EPCA, if you want to look it up, is 18 USC 2701.

Additional Comments: The biggest weakness, and it's very apparent, is that Roberts offers no evidence of the FBI monitoring BBS systems. He claims that they do, but he does not give any known examples. His claims do make sense however. As he states, BBS's offer a type of "publication" that is not read b any editors before it is "published." It offers an instant form of news and one that may make the FBI very nervous. Roberts would do well to include some supportive evidence in his book. To help him out, I will offer some here.

* One of the Ten Commandments of Phreaking (as published in the famous TAP Magazine) is that every third phreaker is an FBI agent. This type of folklore knowledge does not arise without some kind of justification. The FBI is interested in the activities of phreakers and is going to be looking for the BBS systems that cater to them. I your system does not, but it looks like it may, the FBI may monitor it just to be sure.

* On April 26, 1988 the United States Attorney's Office arrested 19 people for using MCI and Sprint credit card numbers illegally. These numbers were, of course, "stolen" by phreakers using computers to hack them out. The Secret Service was able to arrest this people by posing as phone phreaks! In this case the government has admitted to placing there, the success of theis "sting" will only mean that they will try it again. Be wary of people offering you codes.

* In the famous bust of the Inner Circle and the 414s, the FBI monitore electronic mail for several months before moving in for the kill. While it is true that the owners of the systems being hacked (Western Union for one) invited the FBI to snoop through their files, it does establish that the FBI is no stranger to the use of electronic snooping in investigating crimes.

Conclusion: There is no reason to believe that the government is *not* monitoring your bulletin board system. There are many good reasons to believe that they are! Learn how to protect yourself. There are laws and regulations in place that can protect your freedom of speech if you use them. You should take every step to protect your rights whether or not you run an underground system or not. There is no justification for the government to violate your rights, and you should take every step you can to protect yourself.

I have no connections with Roberts, his book, or The FBI Project other then being a mostly-satisfied customer. I'm not a lawyer and neither is Roberts. No warranty is offered with this text file. Read and use it for what you thin it is worth. You suffer the consequences or reap the benefits. The choice is yours, but above all stay free.