During the chaos of the Boston Marathon bombing, the Associated Press issued a now-retracted piece in which it alleged that law enforcement shut down cell phone service in the Boston Metro area in order to prevent the remote detonation of any remaining bombs. While this was ultimately denied by Verizon Wireless and Sprint Nextel, the idea that the government could, theoretically, block the cellular network drove privacy advocates to determine if this was — in fact — a possibility.
“Network jamming,” or the intentional blocking of radio signals for the intent of disrupting cellular, Wi-Fi, GPS and/or emergency response communications, is an imprisonable and finable felony. “While people who use jammers may think they are only silencing disruptive conversations or disabling unwanted GPS capabilities, they could also be preventing a scared teenager from calling 9-1-1, an elderly person from placing an urgent call to a doctor, or a rescue team from homing in on the location of a severely injured person,” wrote Michele Ellison, chief of the Federal Communication Commission’s Enforcement Bureau, in a FCC enforcement advisory. “The price for one person’s moment of peace or privacy, could be the safety and well-being of others.”
Jamming has been a commonly-used tactic recently — particularly, in response to Arab Spring demonstrations in the Middle East, in which Libya, Tunisia and Bahrain have all been accused of interfering with cell phone receptions, and where Internet blockages were a common anti-protest mechanism. Due to this, the perception of the United States possibly controlling the flow of cell phone and Internet traffic with a theoretical “kill-switch” plays into the continuing narrative of a federal government that repeatedly and intrusively participates in the monitoring of private citizens’ communications. But until recently, the thought that the federal government could or would block cell phone service was regarded as nothing more than conspiracy.
On Nov. 12, that conspiracy was proven true when the United States District Court for the District of Columbia ruled that the Department of Homeland Security must disclose to the Electronic Privacy Information Center details of the department’s Standard Operating Procedure 303, which permits the DHS to block Internet and cellular traffic regionally or nationally with the expressed intention of preventing the detonation of radio-controlled ordinances. In reality, however, SOP 303 is feared to have the potential to be used to stop free speech and to be abused, and — in at least one case — it is thought to have been used in just that manner.
Standard operating procedures
SOP 303 was established on March 9, 2006 as a nondisclosed protocol of the National Communications System that codifies and allows for a “shutdown and restoration process for use by commercial and private wireless networks during national crisis.” According to the President’s National Security Telecommunications Advisory Committee (NSTAC), SOP 303 would be implemented in coordination of the NSTAC, with DHS personnel or state-based Homeland Security advisers deciding whether communication services should be shut down.
On July 3, 2011, Bay Area Rapid Transit officer James Crowell shot and killed Charles Hill, a San Francisco homeless man, after Hill allegedly threw a knife at Crowell and another officer. Even though the officers were reported as giving “conflicting and confusing commands,” and though the knife missed the officers by “a large margin,” the officers responded as if they perceived Hill as a threat. Before a planned demonstration, BART officials turned off the power to the cell phone towers in four train stations for three hours in order to impair the protest coordinators’ abilities to communicate with each other. The protest failed to form because of this, organizers said.
“A civil disturbance during commute times at busy downtown San Francisco stations could lead to platform overcrowding and unsafe conditions for BART customers, employees and demonstrators,” BART officials said in a statement.
Since the implementation of SOP 303, the Obama administration has worked to strengthen it. A 2011 White House report asserted that the National Security Council and the Office of Science and Technology Policy have the right to assume control of private communication systems in the United States during times of war or national emergencies. This was followed by a July 6, 2012 Executive Order that allowed the DHS to seize private facilities, when necessary, to ensure the continuity of government communications in a national crisis.
Fighting government secrecy
In 2012, the Electronic Privacy Information Center filed a Freedom of Information Act request with the DHS requesting the full text of SOP 303 and the list of questions that must be answered prior to the authorization of shutting down a network. After the DHS heavily redacted the information it shared with EPIC on grounds of violations to Exemption 7(E) of FOIA — that it could “disclose techniques and procedures for law enforcement investigations or prosecutions” or “could reasonably be expected to endanger the life or physical safety of any individual” — EPIC filed suit to gain access to the uncensored information.
The court ruled for EPIC, arguing that disclosure of this legislative procedure does not meet the standards established for the exemptions DHS claimed. “If ‘techniques and procedures for law enforcement investigations or prosecutions’ is given its natural meaning, it cannot encompass the protective measures discussed in SOP 303,” the court ruling reads. “This term refers only to acts by law enforcement after or during the commission of a crime, not crime-prevention techniques. Reading Exemption 7(E) as such, moreover, is in keeping with FOIA’s ‘basic policy that disclosure, not secrecy, is the dominant objective of the Act.’
“In arguing against such an interpretation, DHS relies on a nearly 30-year-old case fromthis district that upheld the Secret Service’s invocation of Exemption 7(E) to shield ‘records pertaining to . . . two armored limousines for the President.’,” the ruling continued. “In that case, the court rejected plaintiff’s argument – similar to the one EPIC makes here – ‘that the information at issue [] would reveal ‘protective’ not ‘investigative’ techniques and procedures’ and concluded that “[i]t is inconceivable . . . that Congress meant to afford these [preventive] activities any less protection from disclosure simply because they do not fit within the traditional notion of investigative law enforcement techniques.’ This case, however, was decided before the 1986 amendments changed the language of the relevant clauses, making it not ‘inconceivable,’ but in fact probable that Congress intended to differentiate between preventive and investigative activities.”
The court has ruled that DHS must turn over SOP 303 to EPIC within 30 days, with redactions only allowed to remove information referring to a living person or information that can directly and immediately be used to compromise national security. However, the court has given DHS thirty days to file an appeal, if the agency wishes, with an automatic stay of the decision being put in place should DHS decides to appeal.
The president has been under increasing pressure from within and outside his party to strengthen cybersecurity. In a letter sent to him in 2012 by then Sen. Joe Lieberman (I – Conn.), the president was urged to use his executive authority to implement protections listed under the defeated Cybersecurity Act of 2012, including the ability to actively monitor and block potentially dangerous Internet traffic.
“I urge you to use your executive authority to the maximum extent possible to defend the nation from cyber attack,” read Lieberman’s letter. “For example, under current law, as set forth in Title II of the Homeland Security Act of 2002, the Department of Homeland Security has clear authority, if directed by you, to conduct risk assessments of critical infrastructure, identify those systems or assets that are most vulnerable to cyber attack, and issue voluntary standards for those critical systems or assets to maintain adequate cybersecurity. Though executive action cannot offer private sector entities liability protections for compliance with these guidelines, I urge you to consider other incentives that you can offer by executive action to companies that own critical cyber infrastructure and decide to comply with the cyber defense standards that result from your Executive Order.”
While it is unclear if the DHS will appeal, this case points out that the demarcation between security and procedural overreach is a fine one and one that is more likely to be overstepped, despite expressed intent.
“Once the document is released, advocates will know exactly when and how the kill switch can be activated, and will be better equipped to mount an appeal if they feel the switch has been activated without sufficient cause,” the Verge reported.