BULGARIA’S STATE AGENCY TECHNICAL OPERATIONS WANTS TO SNOOP EVEN THROUGH SMALL INTERNET PROVIDERS Mind the horns!

A copy of the letter sent from the State Agency Technical Operations (DATO) to providers

In the last few days a surprisingly large number of small internet and telecommunication services providers have received a notice from DATO to make available access to their networks to eavesdrop in real time (letter attached).

They are invited to a meeting on June 10, 2014 (next Tuesday) to discuss (and to offer) a technical mechanism with which to provide access to DATO to traffic in their networks with the goal to track and to have direct interception under the Special Surveillance Devices and Electronic Communications Acts.

It is a matter of providing technical capability to access the network in real time; meanwhile such access does not mean that DATO is automatically entitled to tap, as the latter must be activated by the provider only upon presentation of proper authorization, signed by a judge, and only a specific person should be tracked.

Until now DATO (still part of the Interior Ministry, though formally a separate agency – see its address in the letterhead), required such access only from large providers, with which it mostly followed technically the traffic in and out of the country or traffic going in different geographical regions (the backbone of the network).

Actually, the full capture of all traffic is quite difficult and expensive to implement (for example, smaller providers do not have the infrastructure to allow it to be redirected to the equipment used to eavesdrop on traffic that passes through unmanaged devices and even through some manageable ones).

In fact, with the mass mailing of this letter, DATO is voicing its desire to be able to activate eavesdropping devices within many more providers, way more widely, with equipment located in many more points through which traffic passes and to be able to monitor traffic closed in areas inaccessible before – about 10-20 % of the traffic; traffic carried internally in the country.

I suspect that with the extra budget and the concentration of power in DATO in connection with its separation from the Ministry of Interior, they are trying to bolster their possibilities for eavesdropping.

The current legislation allows it, in the presence of multilateral control – activation by the telecom provider, judicial warrant, or in exceptional circumstances, with the permission of the Minister of Interior, which must be confirmed by a judge within a 24-hour deadline and only for crimes that call for over 5 years in prison (i.e. at least 6). Then all parties involved – the requesting organization, the judge, the telecommunications provider are to send statistics to the oversight agency, which thus can establish whether there is a breach – unauthorized eavesdropping (in the absence of one of the three required).

The scandals around former Interior Minister Tsvetan Tsvetanov now officially confirmed (and it was previously informally known) that the control mechanisms are being circumvented like a “gate in the field” – either by permission from a prosecutor (bypassing the judge), which, it emerged, is permitted by law in certain cases (but the exception is becoming the rule); be it only by permit from the Minister (which should happen 1-2 times a year, and once again has become the rule) for the prevention of a serious crime (murder ?); either by lying to judges (if one refuses, they figure out how to change the region and immediately ask another, having the opportunity to try more than 20 times), but mostly by bypassing the mentioned tripartite account.

If the tapping equipment is permanently switched on, and if DATO has permanent access, the following risks appear –

If any and all traffic passes through the equipment, they can overhear someone other than the person for whom they have authorization, as his or her traffic also passes by there, and the telecommunications provider cannot know what exact snooping they are doing at this time.

If they have constant access to the equipment, they can activate it and stop it without informing the providers, and therefore without an authorization from a judge, because if the provider is not going to account before the oversight agency, then there is no need to ask a warrant from a judge since no one will ever know.

There is also the option that some provider could activate the equipment, or pass through it the sought traffic, simply on friendly basis.

After the expiration of the right to eavesdrop, eavesdropping does not cease because the equipment is not switched off. News about rejected forensic evidence, because it was collected outside the allowed time, making it illegal, are popping constantly, but apparently eavesdropping and maintaining records after the expiration of the period authorized by the warrant or of the statutory time limits is (illegally) a rule in our country.

We learned from the cases and the scandals around Tsvetanov that each one of these problems has happened and not occasionally, but they have nearly become the rule. I believe that violations happen more because of laziness in following the procedures, because of lack of understanding of their meaning rather than mean intentions. But we know anyway that when there is a risk, a problem occurs, and particularly in tapping, it is absolutely mandatory for this to happen. There is not even one potential problem that has not occurred in reality.

I find it especially funny when a politician, an agent, or another person defends the secret services and explains how society is afraid of risks that never happen, and after just one month we learn from a scandal that they not only happened, but also occur regularly. Thus, any problem that may put at risk civil rights, should be approached responsibly so that the risk is procedurally, technically, and legally minimized and their defense should not just be left to honor, glory and good faith in erring people.

In this sense, I think that it is possible that whether due to inexperience, fear, lack of knowledge of their rights or the law, false ease, or something else, small providers could be misled, intentionally or unintentionally, by DATO at the meeting to provide such “technical capability” to access networks, where all their traffic, for all users, passes through permanently connected equipment to which DATO has constant access in real and any time.

They will allow DATO to have the cake and eat it all and would, in fact, let the agency carry out uncontrolled breaches of the law.

It must be noted that small providers still hold a significant share of traffic in the country, so this is not a matter of “low risk.”

It is also appropriate to note (for some readers, who may now be shouting that they want to prosecute torrents) that generally copyright infringements (such as torrents), for now, do not fall in the group of serious crimes, with some exceptions. But no one knows if such tracking is not being already carried out (on one side) and for how long, as there are no public accounts and the general approach is like the one of doctors – to conceal errors in order not to frighten people. In addition, infrastructure, mounted today with one intention, can be used with another tomorrow, so civil society should always approach these things with great caution.

In this sense, I wish that telecom providers will protect citizens and minimize the risk by allowing and offering just such technical solution to DATO that will simultaneously satisfy all of these conditions:

Equipment may not be switched on permanently, but only if there is properly documented, authorized tapping under other conditions written in the Special Surveillance Devices and Electronic Communications Acts.

The equipment is not at all included in the way of traffic, but in a separate, fully isolated (and treated as external, in order to prevent “hacking ” from there) network

Only specific traffic is redirected to this equipment, only if it is clearly identified as belonging to the legitimately tapped customer (for example a filter that redirects traffic to the equipment only if it comes from or goes strictly to a specified IP address).

Clear procedure of the provider itself how to accept (and check, because some are fake) DATO’s requests for activation of access, and how and when to stop it (it would be wonderful if the switch off is fully automated – for example, having a filter to redirect traffic; it may be associated with a time profile and stopped automatically by the network).

If the relevant conditions are met, this will minimize the risk to the public (and the provider), allowing to intercept only specific traffic and eliminating common interception of any other traffic beyond that for which a warrant is granted, and then only within the time frame for which the warrant is valid. On the other hand, this is good for the DATO agency itself, because by minimizing their possibility to commit violations, they will learn to work correctly and to comply with their own procedures.

I attach the letter from DATO, which I received on my email address from some anonymous employee of a provider.

The text is republished with the permission of the author Delyan Delchev from his blog. The title has been changed by Bivol.