Will NSA Lose Access to All Verizon Cell Metadata in 12 Days Time?

Last week, NSA selectively leaked a claim it only obtains 20 to 30% of US call data because it doesn’t collect some or all cell provider data. (WSJ, WaPo, LAT, NYT)

I believe the claim itself is true only in a narrow sense and the premises given to journalists underlying it are laughably false as presented (though have grains of truth).

I suspect this leaked propaganda campaign might better be explained by the possibility that NSA will lose some of its existing access to Verizon cell data on February 21, when the Vodaphone/Verizon split becomes legally official.

Some aspect of Verizon’s structure — and a good deal suggests it’s that dual-country ownership — has created problems in the metadata program since 2009. On May 29, 2009, Judge Reggie Walton started breaking out directions to Verizon’s Custodian of Records in its own paragraph of the Primary Order so as to clarify that it should only provide entirely domestic or one-end domestic calls under the Section 215 order, not entirely foreign calls. Then, in a July 9, 2009 Primary Order the government is still withholding, Walton actually shut down production from Verizon, apparently entirely. He restored production with the September 3, 2009 Primary Order, permitting retroactive collection of any records still in existence. We know Verizon was this provider because ODNI failed to redact Verizon’s name in the Verizon-specific paragraph in a recent document dump.

While we don’t know why including foreign production presented such a problem (that 3 month period is the only period I know of during which production of any part of the phone dragnet was shut down), it did.

But we do have hints of why Verizon’s international collection might be so sensitive. In August (a month before Verizon and Vodaphone agreed to split), Suddeutsche newspaper revealed that Verizon was among the 7 providers included in GCHQ’s Tempora program.

BT, Vodafone Cable, and the American firm Verizon Business – together with four other smaller providers – have given GCHQ secret unlimited access to their network of undersea cables. The cables carry much of the world’s phone calls and internet traffic.

In June the Guardian revealed details of GCHQ’s ambitious data-hoovering programmes, Mastering the Internet and Global Telecoms Exploitation, aimed at scooping up as much online and telephone traffic as possible. It emerged GCHQ was able to tap into fibre-optic cables and store huge volumes of data for up to 30 days. That operation, codenamed Tempora, has been running for 20 months.

The Guardian explained that providers were compelled, under licensing requirements, to participate under the UK’s Telecom Act.

Telecoms providers can be compelled to co-operate with requests from the government, relayed through ministers, under the 1984 Telecommunications Act,

[snip]

Vodafone said it complied with the laws of all the countries in which its cables operate. “Media reports on these matters have demonstrated a misunderstanding of the basic facts of European, German and UK legislation and of the legal obligations set out within every telecommunications operator’s licence … Vodafone complies with the law in all of our countries of operation,” said a spokesman.

That would seem to suggest Verizon’s legal presence in the UK made it subject to orders to participate in Tempora. This requirement, which started as early as 2008, involves the massive collection of both phone and Internet metadata which gets stored for 30 days. The kind of metadata that last week’s propaganda campaign claimed NSA didn’t get access to.

Given Verizon’s role in Tempora, I suspect it is one of the corporate partners which accesses data (including, but no way limited to, cell location data) from the telephone links between networks under the FASCIA program.

A sigad known as STORMBREW, for example, relies on two unnamed corporate partners described only as ARTIFICE and WOLFPOINT. According to an NSA site inventory, the companies administer the NSA’s “physical systems,” or interception equipment, and “NSA asks nicely for tasking/updates.”

STORMBREW collects data from 27 telephone links known as OPC/DPC pairs, which refer to originating and destination points and which typically transfer traffic from one provider’s internal network to another’s. That data include cell tower identifiers, which can be used to locate a phone’s location.

The agency’s access to carriers’ networks appears to be vast.

“Many shared databases, such as those used for roaming, are available in their complete form to any carrier who requires access to any part of it,” said Matt Blaze, an associate professor of computer and information science at the University of Pennsylvania. “This ‘flat’ trust model means that a surprisingly large number of entities have access to data about customers that they never actually do business with, and an intelligence agency — hostile or friendly — can get ‘one-stop shopping’ to an expansive range of subscriber data just by compromising a few carriers.”

And as Blaze describes (Mindrayge describes some of why this is so in this comment), accessing data at these points would give Verizon access to everyone’s cell data, not just its own.

I believe that collection — because it was obligated by the UK, not the US, and because it took place offshore — would count as EO 12333 data, not Section 215 data. This is why I believe NSA does get comprehensive coverage of all cell data, just not under Section 215. NSA gets all the data it wants, just via GCHQ’s greater ability to obligate production than NSA’s. And it gets cell location data if it wants it too!

Or it did, so long as the joint corporate structure of Vodaphone and Verizon created the obligation behind that production.

Now, obviously, the hardware linking Verizon and Vodaphone won’t disappear in 12 days time. Verizon will still presumably operate the hardware where this massive data collection takes place. But if I’m understanding the legal leverage of the UK’s licensing law correctly, the UK and US’ collective ability to obligate production will change. As one possibility (there are others I’ll explain in a later post), NSA may have to rely on Section 215 to obligate production, rather than the UK’s more expansive law.

Which, I suspect, is the real logic behind last week’s propaganda campaign on cell data. For the first time, NSA may have to rely on Section 215 rather than UK licensing laws to access Verizon’s (and probably some other providers’) cell phone metadata. And that’s happening at a time when Verizon is the dominant cell provider in the US. But even as it will need to rely on Section 215, the FISC has narrowed the scope of its interpretation of the law, to specifically exclude the cell location data that has been included in this collection for years.

In other words, I believe the confluence of two events — the change in Verizon’s corporate structure and FISC’s effort to prohibit the application of Section 215 to location data — may have created significant new difficulties in maintaining what (I strongly believe) has always been comprehensive dragnet collection.

Update: On March 4, Verizon’s General Counsel said the Vodaphone/Verizon split will have no effect on their legal obligation.

Marcy has been blogging full time since 2007. She’s known for her live-blogging of the Scooter Libby trial, her discovery of the number of times Khalid Sheikh Mohammed was waterboarded, and generally for her weedy analysis of document dumps.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including the Guardian, Salon, and the Progressive, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse and dog in Grand Rapids, MI.

14 replies
  1. emptywheel says:

    Incidentally, this is why I’m so interested in the delayed release of the January 4 dragnet reauthorization.

    They would have had to deal w/a change in Verizon production either in that order or a supplement around now. I wouldn’t be surprised if the govt just asked FISC to approve geolocation data so it could go on collecting what it always has from Verizon. But the FISC said no.

    At least that’s my guess.

  2. Snoopdido says:

    I think it is also important to note that the NSA Upstream collection activities under FAA 702 (with or without the UK’s GCHQ active collaboration) provides a massive volume of cellphone data for ingestion in NSA’s databases. This will continue to be true regardless of the coming Verizon/Vodafone breakup.

    As that Barton Gellman’s Washington Post article states:

    “One senior collection manager, speaking on the condition of anonymity but with permission from the NSA, said “we are getting vast volumes” of location data from around the world by tapping into the cables that connect mobile networks globally and that serve U.S. cellphones as well as foreign ones.”

    My point is that even without falling back on EO 12333 or Section 215 authority, the NSA can and does still hoover up massive volumes of both telephony and Internet data with its Upstream activities.

    The coming Verizon/Vodafone breakup may indeed create issues for the NSA, but it doesn’t seem likely to turn off the NSA’s voluminous cellphone data collection tap.

  3. ess emm says:

    Back in December the Morell-Sunstein Review Group wrote

    As it currently exists, the section 215 program acquires a very large amount of telephony meta-data each day, but what it collects represents only a small percentage of the total telephony meta-data held by service providers.

    What were they trying to say? What was the point?

  4. Snoopdido says:

    @Snoopdido: To further delineate this discussion, it’s probably important to describe a difference between what I’ll call “organized” and “unorganized” data.

    The Section 215 data provided to the NSA, which are euphemistically called “Business Records” is what I would call “organized” data. That is, data about the telephone companies’ customers’ calls. It data that has been massaged and “organized” by the telephone companies into a format that the NSA can easily and quickly ingest into their databases.

    The “unorganized” data is that which flows across the Internet backbone pipes/cables that the NSA siphons off as part of their FAA 702 Upstream collection activities. The data is free-flowing Internet traffic and “unorganized” in comparison to what the NSA gets from the telephone companies under Section 215 in that the data is not massaged by anyone and the NSA itself is responsible for massaging and formatting it into usable information.

    While I would agree that the NSA prefers the “organized” data provided by the telephone companies under Section 215, they would not pass by the “unorganized” data opportunity to “collect it all”.

  5. emptywheel says:

    @Snoopdido: Why do you believe that’s 702?

    Upstream collection of terminal flows in the US is 702. Upstream collection of transit traffic in the US APPEARS to be treated as 12333. And upstream collection just offshore (and that cell data appears to be FAR offshore, and the structure sounds like that of Tempora) is definitely EO 12333.

  6. emptywheel says:

    @ess emm: They were trying to make the same point the propaganda made–that this really wasn’t that much production. But I think they realize (at least Clarke said it during the SJC hearing) that that doesn’t mean that’s all the metadata. I’m NOT sure they know (if I’m right) thta the EO 12333 rounds out the collection. Well, certainly Morell should know.

  7. Jim White says:

    Hmmm. With a lot of this stuff happening in 2009, that makes Dubya’s dedication to the “special relationship” with the UK much more understandable in 2010 when the Binyam Mohamed case was revealing details of US torture. He couldn’t dare walk away from a major conduit to realtime phone data.

    Edit: Duh, it’s late and I’m old. That would be Obama in 2010…

  8. Snoopdido says:

    @emptywheel: I don’t know if there is a single answer to your question. What I do know, is that the NSA under FAA 702 through its Upstream collection, does indeed collect massive volumes of telephone and Internet traffic flowing to and from the terminus points entering the US.

    And on the other side of some of those same transatlantic fiber optic links, the UK’s GCHQ Tempora operation collects massive volumes of telephone and Internet traffic flowing to and from the terminus points entering the UK.

    The US is certainly using FAA 702 to do collection of massive volumes of telephone and Internet traffic flowing to and from the terminus points entering the US by their own admission in the Prism slides (http://www.washingtonpost.com/wp-srv/special/politics/prism-collection-documents/).

    And I do agree with you that sharing of the UK’s GCHQ Tempora operation collection with the NSA probably also falls under EO 12333.

    So it would seem that the collection of massive volumes of telephone and Internet transatlantic traffic flowing between the US and the UK is done both by FAA 702 at our end and EO 12333 at the UK’s end.

    It would be interesting to find out how the NSA treats the collection from both endpoints. Differently I suspect according to their sleight-of-hand reading of the law.

    I suspect the US government’s lawyers use one set of rules for our end of the fiber optic pipes and another set for the UK end of the very same fiber optic pipes.

  9. emptywheel says:

    @Snoopdido: Yes, that’s my point. The collection method and targeted data is the same, but it is called 3 different things based on where it happens, at least within this country (702 upstream, transit, and EO 12333). The Brits are allowed to take more directly and so they don’t have to make those distinctions.

    But the reason they’re important here is because the 702 upstream and the 215 data are subjected BOTH to a far higher (though still inadequate) level of oversight AND Americans are afforded more protection.

    I think what is actually going on here is that the ONLY thing, if the NSA could arrange it, that they’d collect under 215 is stuff that either comes with extra advantages or they can’t get anywhere but domestic collection. The same is true of 702 Internet collection.

    Which means that for things they can readily get offshore — like cell data — they’re going to do that because they have fewer rules to follow. That’s why I harp on the distinction: I think this stuff is about arbitraging laws, but that for a variety of reasons Verizon may have them temporarily screwed.

  10. Mindrayge says:

    A couple of things to note:

    “A sigad known as STORMBREW, for example, relies on two unnamed corporate partners described only as ARTIFICE and WOLFPOINT. According to an NSA site inventory, the companies administer the NSA’s “physical systems,” or interception equipment, and “NSA asks nicely for tasking/updates.”

    Remember that from the Draft IG Report we know that they need telco help for phone tasking and collection but for PR/TT (Internet collection) they could task and collect without company involvement. I suspect that is still the case so any reporting by Yahoo, Google, Facebook, etc. and the whole “we put in a drop box” nonsense with regard to what orders they comply with is just that – nonsense.

    “STORMBREW collects data from 27 telephone links known as OPC/DPC pairs, which refer to originating and destination points and which typically transfer traffic from one provider’s internal network to another’s. That data include cell tower identifiers, which can be used to locate a phone’s location.”

    While that says 27 OPC/DPC pairs for Stormbrew, if you were to load up the GHOSTMACHINE slides and blow up the 4th one you will see that according to JUGGERNAUT they actually have 860 OPC/DPC pairs. FAIRVIEW has 27 pairs so, I wonder if that is a mistake in the reporting. The big hitters are SPINNERET at 2022 pairs, and two US-3167 and US 3237 whose code names are unknown at this point with 1913 and 1816 OPC/DPC pairs respectively. Those would be rather large providers. SPINNERET shows up in the slides discussing of the problem with collecting too many address books (MOONLIGHTPATH US-3145 381 pairs and US-3261 5 pairs also show up) in the reporting on MUSCULAR.

    One other point (related to the “web crawler” story. Those reporters might want to also go back to previous reporting to explain how a FISA Secondary order plus two exhibits for a separate FISA Order would end up on a WIKI in HAWAII when they are supposed to exist on only a handful of servers in tightly controlled areas. They might want to ask their sources if e-mails would be in that WIKI – the e-mail from the MONKEYPUZZLE DEV TEAM person in the reporting on collections from MICROSOFT is but one example. Or the Mukasey Memorandum. Or the Draft NSA IG report for that matter. The information sharing Agreement with Israel, for yet another example of what wouldn’t be floating around “in the wild” within an NSA wiki.

    There are a number of documents that don’t appear to be WIKI like material or useful in the context of a Wiki in the first – not the least of which would be the actual presentations that stand-alone would have little more value to NSA insiders than they have to us outsiders – even with speakers notes.

    Finally, there is one other observation to note with older documents I have been revisiting. In the SID Oversight document from the Washington Post on August 16th on page 12 there is a distinction between what they term NSA Establishment FISA and FBI FISA. Do we know what data collection is considered FBI FISA? As the PCLOB noted the 215 orders were submitted by the FBI for data to be given directly to NSA. One thing I should add though is the one PRISM slide that shows FBI DITU feeding to PRINTAURA and then on through the rest of the system diagram on the one slide. Is PRISM perhaps under FBI FISA? The overcollection mess in the NSA FISA documents may just be UPSTREAM? It isn’t clear to me just what FBI FISA would be (other than a source collection tag) as we havem’t seen such a distinction elsewhere. Any ideas?

  11. emptywheel says:

    @Mindrayge: Don’t know the answer to your establishment/FBI FISA question. The way the NSA MPs describe it is FBI can nominate targets, but a lot of what they get is just unminimized production to FBI. That said, a number of people (incl Ambinder) have suggested FBI is the one that chats up the Internet producers, which would support your PRISM idea.

    One other places this shows up in deptb (though heavily redacted) is the Semiannual compliance report to Congress. It shows there are 3 different ways FBI is involved in 702 production.

  12. Mindrayge says:

    @emptywheel: One other thing related to that WAPO August 16th SID Oversight document that was published. The cause of one of their most frequent issues:

    “The System Limitations root cause category accounted for the largest percentage of System
    Error incidents under FISA authorities for 1QCY12. The largest number of incidents in the System Limitations category account for roamers where there was no previous indications of the planned travel. These incidents are largely unpreventable. Consistent discovery through the Visitor Location Register (VLR) occurs every quarter and provides analysts with timely information to place selectors into candidate status or detask. Analysis identified that these incidents could be reduced if analysts removed/detasked selectors more quickly upon learning that the status of the selector had changed and more regularly monitored target activity. This analysis indicates that continued research on ways to exploit new technologies and researching the various aspects of personal communications systems to include GSM, are an important step for NSA analysts to track the travel of valid foreign targets.”

    Visitor Location Register (VLR) is something you have with GSM as part of the Mobile Application Part (MAP) of SS7. They are telling oversight that they can only reconcile this quarterly while at the same time they have FASCIA receiving 5 billion DNR records a day. Though to be fair there is no mention of FASCIA whatsoever in the oversight report so I wonder whether or not the overseers were even aware of its existence. Since that report purportedly covered FAA and EO12333 I wonder what authority FASCIA is operating under. DISHFIRE which holds SMS records is mentioned in the query incidents so we know it is operating under one of those authorities. Ironically, there is no mention of MAINWAY (DNR metadata) even though there is mention of a BR FISA (215) issue. As well as NUCLEON which is voice content. Maybe it simply is that there were no compliance issues with FASCIA.

  13. emptywheel says:

    @Mindrayge: But remember they claimed those were Chinese phones. As far as we’ve heard, FASCIA is focused east, not west to China.

    I know they presumably can get all those records via SS7. But is it possible they don’t have easy a time doing it for Asian targets?

Comments are closed.