CYBER SURVEILLANCE

Nicodemo S. Scarfo, the son of Philadelphia’s former mob boss, was almost paranoid enough. Scarfo, who has been charged with masterminding a mob-linked loan sharking operation in New Jersey, reportedly used the popular PGP encryption software to shield his computer’s secrets from prying eyes or cyber surveillance.

But when the feds learned of Scarfo’s security measures, they decided to do something that would bypass even the best encryption software: FBI agents sneaked into Scarfo’s office in Belleville, New Jersey, on May 10, 1999, and installed a keyboard-sniffing device to record his password when he typed it in.

A seven-page court order authorized the FBI and cooperating local police to break into Scarfo’s first-floor “Merchant Services of Essex County” office as many times as necessary to deploy, maintain, and then remove recovery methods that will capture the necessary key-related information and encrypted files. The case, which is still awaiting trial, appears to be the first in which the U.S. government used such aggressive surveillance techniques during an investigation; some legal observers say the FBI’s breaking-and-entering procedures go too far. This case has the potential to establish some very important precedents on this issue.

Scarfo’s prosecution comes at a time when the FBI’s Carnivore surveillance system (previously discussed) is under increasingly heavy fire from privacy groups, and the use of data-scrambling encryption products appears to be growing.

Recently, for instance, news leaked out about Yahoo’s encrypted Web-based e-mail service it introduced through a deal with Zixit, a Dallas firm.

Scarfo has been charged with supervising “an illegal gambling business” in violation of state and federal law and using extortionate loan shark tactics, according to a three-count indictment filed in federal court in June 2000. He has pleaded not guilty.

The elder Scarfo, who once ran the Philadelphia mob that also dominated the Atlantic City gambling racket, was imprisoned in 1991 on racketeering charges. The spring 1999 investigation of the younger Scarfo, who is 35 years old, may be what prompted the previous Clinton administration to recommend changing federal law to allow police to conduct electronic “black bag” jobs.

The idea first publicly surfaced in mid-1999, when the Justice Department proposed legislation that would let police obtain surreptitious warrants and “postpone” notifying the person whose property they entered for 30 days. After vocal objections from civil liberties groups, the administration backed away from the controversial bill. In the final draft of the Cyberspace Electronic Security Act submitted to Congress, the secret-search portions had disappeared.

In January 2000, the previous Clinton administration seemed to change its mind. When criminals such as drug dealers and terrorists use encryption to conceal their communications, law enforcement must be able to respond in a manner that will not thwart an investigation or tip off a suspect.

The feds didn’t need a new law—and would instead rely on “general authorities” when asking judges to authorize black bag jobs. A related “secret search” proposal resurfaced in May 2000 in a Senate bankruptcy bill.

In the Scarfo case, the FBI in May 1999 asked for authority to search for and seize encryption-key-related pass phrases from his computer as well as install and leave behind software, firmware, and/or hardware equipment that will monitor the inputted data entered on Nicodemo S. Scarfo’s computer by recording the key related information as they are entered. Although the government has refused to release details, this appears to indicate the FBI was using either a hardware device (inserted into the keyboard or attached to the keyboard cable) or a software program that would quietly run in the background and record keystrokes. With the PGP private key and Scarfo’s secret password, the government could then view whatever documents or files he had encrypted and stored on his computer.

Ruling that normal investigative procedures to decrypt the codes and keys necessary to decipher the ‘factors’ encrypted computer file have been tried and have failed, U.S. Magistrate Judge G. Donald Haneke granted the FBI’s request. Haneke did not, under federal law, have the authority to grant such an order. The interesting issue is that they in those (court) documents specifically disclaim any reliance on the wiretap statute. If they’re on record saying this isn’t communications (and it isn’t), then that extraordinary authority they have under the wiretap laws does not apply.

If the government is now talking about expanding (black bag jobs) to every case in which it has an interest, where the subject is using a computer and encryption, the number of break-ins is going to skyrocket. Break-ins are going to become commonplace.

However, the government could successfully argue that break-ins are constitutional. There’s nothing in the Constitution that prohibits this kind of anticipatory search. In many respects, it’s no different from a wiretap.

A lawyer for Scarfo told the Philadelphia Inquirer that he would file a motion challenging the legality of the FBI’s black bag job. The FBI’s got everything that Scarfo typed on that keyboard (a letter to his lawyer, personal or medical records, legitimate business records, etc.).

Finding a mentally impaired relative, a lost child, or a criminal in a sprawling metropolitan area would be simple if the person were equipped with a personal locator device. The next part of the chapter will take a close look at these IW tracking devices.