AT&T

DOJ Inspector General Investigating DEA’s Use of Parallel Construction under Hemisphere

Screen Shot 2014-04-18 at 11.02.49 AMAs I noted in my last post, DOJ’s Inspector General recently created a page showing their ongoing investigations. It shows some things not described in Inspector General Michael Horowitz’ last report to Congress.

Of particular interest is this investigation.

Administrative Subpoenas

The OIG is examining the DEA’s use of administrative subpoenas to obtain broad collections of data or information. The review will address the legal authority for the acquisition or use of these data collections; the existence and effectiveness of any policies and procedural safeguards established with respect to the collection, use, and retention of the data; the creation, dissemination, and usefulness of any products generated from the data; and the use of “parallel construction” or other techniques to protect the confidentiality of these programs.

The description doesn’t say it, but this is Hemisphere, the program under which DEA submits administrative subpoenas to AT&T for phone records from any carrier that uses AT&T’s backbone. DEA gets information matching burner phones as well as the call records. In addition, it gets some geolocation — and continued to increase what it was getting even after US v Jones raised concerns about such tracking.

The presentation on Hemisphere makes it very clear the government uses “parallel construction” to hide Hemisphere.

Protecting the Program: When a complete set of CDRs are subpoenaed from the carrier, then all memorialized references to relevant and pertinent calls can be attributed to the carrier’s records, thus “walling off” the information obtained from Hemisphere. In other words, Hemisphere can easily be protected if it is used as a pointed system to uncover relevant numbers.

Exigent Circumstances — Protecting the Program: In special cases, we realize that it might not be possible to obtain subpoenaed phone records that will “wall off” Hemisphere. In these special circumstances, the Hemisphere analyst should be contacted immediately. The analyst will work with the investigator and request a separate subpoena to AT&T.

Official Reporting — Protecting the Program: All requestors are instructed to never refer to Hemisphere in any official document. If there is no alternative to referencing a Hemisphere request, then the results should be referenced as information obtained from an AT&T subpoena.

And this is not the only area where DEA Is using parallel construction to hide where it gets its investigative leads. Reuters reported in August that DEA also uses parallel construction to hide the leads it gets from purportedly national security-related wiretapping.

A secretive U.S. Drug Enforcement Administration unit is funneling information from intelligence intercepts, wiretaps, informants and a massive database of telephone records to authorities across the nation to help them launch criminal investigations of Americans.

Although these cases rarely involve national security issues, documents reviewed by Reuters show that law enforcement agents have been directed to conceal how such investigations truly begin – not only from defense lawyers but also sometimes from prosecutors and judges.

The undated documents show that federal agents are trained to “recreate” the investigative trail to effectively cover up where the information originated, a practice that some experts say violates a defendant’s Constitutional right to a fair trial. If defendants don’t know how an investigation began, they cannot know to ask to review potential sources of exculpatory evidence – information that could reveal entrapment, mistakes or biased witnesses.

[snip]

The two senior DEA officials, who spoke on behalf of the agency but only on condition of anonymity, said the process is kept secret to protect sources and investigative methods. “Parallel construction is a law enforcement technique we use every day,” one official said. “It’s decades old, a bedrock concept.”

A dozen current or former federal agents interviewed by Reuters confirmed they had used parallel construction during their careers. Most defended the practice; some said they understood why those outside law enforcement might be concerned.

Presuming that Horowitz is investigating whether DEA’s extensive use of parallel construction complies with the Constitution (and not, as is possible, whether the sources of this information are being adequately buried), this is welcome news indeed.

But it’s also one of several reasons why I’m particularly alarmed, in retrospect, that Horowitz is complaining about his ability to get grand jury information without having to get either Attorney General Holder or Deputy Attorney General James Cole to personally approve it.

After all, the only way you can learn what truly happens in prosecutions that have used parallel construction to hide their sources is to work backward from the actual prosecution. Continue reading

A Key Part of RuppRoge’s Fake Dragnet Fix Reform: Pay the Telecoms

Here’s an interesting “reform” in the RuppRoge’s Fake Dragnet Fix. It pays the telecoms.

COMPENSATION AND ASSISTANCE.–The Government shall compensate, at the prevailing rate, an electronic communications service provider for providing records in accordance with directives issued pursuant to [their bill].

Section 215 does not include such a payment provision. And while the first two phone dragnet orders included provision for such payments, that was probably illegal.

Don’t get me wrong. I’m sure the government has found some way to pay the telecoms, either through added payments for AT&T’s Hemisphere program or gifts in kind. (Though given the timing of DOJ’s suit against Sprint for over-billing, I do wonder whether the government is retaliating for something.) Telecoms don’t spy for free, so I’m sure they’ve been getting paid, illegally, for the last 8 years of dragnet spying they’ve been doing.

But the lack of such provision in Section 215 should have limited the scope of the dragnet. It should have required that requests be so narrow no telecom was going to send big bills to the government every month. And it presumably made the telecoms (well, except for AT&T, which never met a spying request it didn’t love) less willing to interpret orders from the government expansively.

The inclusion of such a compensation clause in the RuppRoge “reform” makes it even more likely this dragnet will expand with the now well-oiled willingness of the telecoms to go above and beyond the letter of the request.

Which is presumably just how the NSA wants it to be.

Verizon VP: Company-Based Transparency Reports Don’t Help Consumers

There was a fascinating panel of Telecom execs and bloggers discussing human rights at RightsCon yesterday. Among others, Verizon Executive Vice President and General Counsel Randal Milch spoke.

As I noted in passing, Verizon published an update to their Transparency Report the other day. Particularly as compared to AT&T’s bogus report, the Verizon report was laudable for its explanation of what it couldn’t show, such as when it acknowledged that its report did not include the hundreds of millions of customers whose records got turned over under Section 215.

We note that while we now are able to provide more information about national security orders that directly relate to our customers, reporting on other matters, such as any orders we may have received related to the bulk collection of non-content information, remains prohibited.

It also acknowledged something obvious but that which should be explicit: when the government obtains content from Verizon, it sometimes gets metadata as well.

Some FISA orders that seek content also seek non-content; we counted those as FISA orders for content and to avoid double counting have not also counted them as FISA orders for non-content.

All this is useful information that lends the report itself credibility.

So when I first approached Milch, I thanked him for the quality of his report.

Which is why I was so surprised when he said the government should be in the business of transparency reports, not the providers. I challenged that, noting that an easy comparison of AT&T and Verizon’s reports strongly suggests that Verizon demands more legal process for requests than AT&T. He dismissed that, suggesting any differences arise from the different kind of client base the providers have.

Granted, Milch was talking about your average consumer, not … me.

But it seemed bizarre. Or perhaps it was a testament that Milch and Verizon generally don’t want to have to compete in this front.

Milch answered one other question of mine: I asked whether the Verizon/Vodaphone split affected Verizon’s obligations to the UK (that is, to GCHQ). He claims it didn’t affect it at all, that it was more an investment stake and that none of Verizon’s cell call records were in the UK. (No, I didn’t point out that the records are right where GCHQ wants them, in places accessible under Tempora).

So at least according to Milch’s claims, my theory laid out here is wrong.

Did GCHQ and NSA Lose an Eye Today?

As the business press is crowing, Vodaphone and Verizon are officially divorced.

After pulling off the $130 billion sale, Vodafone will drop from the world’s second-biggest phone company to the fourth, measured by market value, behind China Mobile Ltd., AT&T Inc. and Verizon Communications Inc. (VZ), data compiled by Bloomberg showed. Vodafone’s weighting in share indexes such as the FTSE 100 in London will be cut approximately in half.

Shareholders will get a return of about 102 pence ($1.70) per share. That’s about $23.9 billion in cash and about $58.6 billion in Verizon Communications shares.

Vodafone’s shares rose 2.8 percent to 236.10 pence at 2:45 p.m. in London. Verizon slipped 0.3 percent to $47.97 in New York.

“This is a great day for Verizon,” Verizon CEO Lowell McAdam said in a statement. “The new Verizon now has full ownership of the U.S. wireless industry leader in network performance, profitability and cash flow.”

The deal will help Vodafone pay off debt and help fund 7 billion pounds of additional network investments by March 2016, adding high-speed broadband and wireless coverage across its largest markets.

And rejoicing was heard on both sides of the Atlantic!

Curiously, though, I seem to be the only one asking what seems to be an obvious question: how will this high level British-US breakup affect the Five Eyes dragnet?

Particularly given reports that Verizon is (was?) one of 7 Tempora providers, I wonder whether splitting with Vodaphone has permitted Verizon to withdraw from compliance with GCHQ data requests.

Back in 2006, USA Today’s report that the NSA had a database of all of AT&T, Verizon, and BellSouth’s phone records caused one of the telecoms to refuse to turn over data without being legally obligated (and for a number of reasons, it is unlikely AT&T was the provider that demanded an order).

The publication of the Verizon Secondary Order on June 5, 2013 exposed Verizon far more than that 2006 story. And it exposed Verizon uniquely, in a way AT&T and Sprint hadn’t been exposed. ODNI exacerbated that exposure further when it released another document with Verizon’s name unredacted.

If I were Verizon, I would be doing nothing more than the government(s) legally requred me to do. And as of today, Verizon may have one less government with the ability to make such requirements.

Update: On March 4, Verizon’s General Counsel said the Vodaphone/Verizon split will have no effect on Verizon’s obligations to the US.

AT&T’s “Transparency” Report: Polite Requests Versus Demands

Screen Shot 2014-02-18 at 1.40.24 PMI want to make two more points about AT&T’s “Transparency” Report which, as I mentioned earlier, shows how deceitful “transparency” reports can be.

First, compare the number of subpoenas AT&T shows, total, compared to the rough numbers provided for requests to AT&T under Hemisphere for the prior year.

In 2012, 3 cities — Atlanta, Houston, and  Los Angeles — submitted a total of 2,770 requests to Hemisphere. In 2012 to 2013 (see the following slide), 7 HIDTAs plus two parts of the Southwest Border HIDTA submitted 838 requests to Hemisphere. While I suspect other HIDTAs also have access to Hemisphere, those numbers are still just a tiny fraction of the total subpoenas AT&T got the following year — using the larger number, just slightly more than 1% of the 223,659 criminal subpoenas AT&T received in 2013.

Even assuming the number is 3 times that across all DEA requests, that seems like a miniscule number, probably even a miniscule number of the requests submitted in drug investigations.

We are to believe, then, that AT&T keeps up this database just to feed as what might be less than 4% of its total requests?

Which is one reason I suspect Hemisphere is also serving other purposes.

And that, of course actually assumes (I’m in a generous mood) that AT&T receives a subpoena for all its Hemisphere requests, in spite of references in the Hemisphere presentation to emails and despite the past history of AT&T (or another telecom) providing phone records in response to requests on Post-It notes.

Which makes me really wonder, given another little detail in AT&T’s “Transparency” Report, whether AT&T responds to as data requests, rather than formal demands.

Here are the categories for the data requests it gets:

  • National Security Demands
  • Total U.S. Criminal & Civil Litigation Demands
  • Location Demands
  • Emergency Requests
  • International Demands [my emphasis]

Remarkably, AT&T has just 22 International Demands, counting both law enforcement and URL blocking. Verizon, by contrast, got 2,396 law enforcement demands and 1,663 block requests, though some of that may reflect Vodapone exposure and it also implies there were other requests that it funneled through MLAT processing.

I raise this because, in his paper on the dragnet, David Kris repeatedly suggested the NSA gets some bulk metadata via voluntary production of foreign data.

Alternative methods of collection would include non-bulk FISA orders, or what prior NSA Directors in the past have referred to as “vacuum cleaner” surveillance outside the ambit of FISA, under Executive Order 12333 and its subordinate procedures, such as DOD 5240-1.R, and perhaps voluntary production if not otherwise prohibited by law. See NSA End-to-End Review at 15; August 2013 FISC Order at 10 n.10 (“The Court understands that NSA receives certain call detail records pursuant to other authority, in addition to the call detail records produced in response to this Court’s Orders.”); cf. 18 U.S.C. § 2511(2)(f) otherwise applicable Federal law involving a foreign electronic communications system, utilizing a means other than electronic surveillance as defined in section 101 of the Foreign Intelligence Surveillance Act of 1978”).(“Nothing contained in this chapter or chapter 121 or 206 of this title, or section 705 of the Communications Act of 1934, shall be deemed to affect the acquisition by the United States Government of foreign intelligence information from international or foreign communications, or foreign intelligence activities conducted in accordance with otherwise applicable Federal law involving a foreign electronic communications system, utilizing a means other than electronic surveillance as defined in section 101 of the Foreign Intelligence Surveillance Act of 1978”).

If AT&T is voluntarily providing data in response to requests, without insisting on getting a demand, it might explain some of the numbers (not to mention its far greater skew towards subpoenas rather than warrants, as compared to Verizon — though this “demand” “request” language necessarily appears at Verizon, too).

Don’t get me wrong: if AT&T wants to just give out customer information in response to data requests without asking for a demand, I’ll just assume it’s being polite to those in authority. But if it is, those requests should be in its transparency report too.

AT&T: Anti-Transparency and Trickery

I noted last month that Verizon released its transparency report before the Tech Company transparency deal, which gave it a way to avoid revealing this embarrassing detail:

Had Verizon released a transparency report yesterday, it would have added at least the following two details:

Non-Content FISA orders:

4 orders affecting 107,700,000 customers

Content FISA orders:

? orders affecting ? selectors (probably measuring the number of search terms — maybe something like “250″ — Verizon searches for off its upstream collection affecting millions of people)

It would have painted a very different picture.

AT&T wasn’t as smart as Verizon, only now releasing its so-called transparency report. (h/t Kash Hill)

Here’s how it communicated to its customers that it provides all their call records and sucks up Internet data off its switches using search terms.

Screen shot 2014-02-18 at 9.26.06 AM

 

You see, it’s supposed to reveal all of its FISA Court orders, not just the orders it gets under the Foreign Intelligence Surveillance Act, which is a different thing. While the number of non-content orders might still be quite small: just 4 orders, presumably, plus some exotic ones thrown in. The number of customer accounts affected would be “all.”

Moreover, in the content section, AT&T is supposed to describe “customer selectors.” This is different than accounts, because, in AT&T’s case, it also includes the number of search terms is sucks right off the circuits (which affects millions of accounts).

Congratulations, AT&T, you have demonstrated definitively these transparency guidelines are not about transparency at all.

Keith Alexander Refutes Claims NSA Doesn’t Get Cell Data

Eight days ago, the country’s four major newspapers reported a claim that the NSA collected 33% or less of US phone records (under the Section 215 program, they should have specified, but did not) because it couldn’t collect most cell phone metadata:

  • “[I]t doesn’t cover records for most cellphones,” (WSJ)
  • “[T]he agency has struggled to prepare its database to handle vast amounts of cellphone data,” (WaPo)
  • “[I]t has struggled to take in cellphone data,” (NYT)
  • “[T]he NSA is gathering toll records from most domestic land line calls, but is incapable of collecting those from most cellphone or Internet calls.” (LAT)

Since that time, I have pointed to a number of pieces of evidence that suggest these claims are only narrowly true:

  • A WSJ article from June made it clear the cell gap, such as it existed, existed primarily for Verizon and T-Mobile, but their calls were collected via other means (the WaPo and NYT both noted this in their stories without considering how WSJ’s earlier claim it was still near-comprehensive contradicted the 33% claim)
  • The NSA’s claimed Section 215 dragnet successes — Basaaly Moalin, Najibullah Zazi, Tsarnaev brothers — all involved cell users
  • Identifying Moalin via the dragnet likely would have been impossible if NSA didn’t have access to T-Mobile cell data
  • The phone dragnet orders specifically included cell phone identifiers starting in 2008
  • Also since 2008, phone dragnet orders seem to explicitly allow contact-chaining on cell identifiers, and several of the tools they use with phone dragnet data specifically pertain to cell phones

Now you don’t have to take my word for it. Here’s what Keith Alexander had to say about the claim Friday:

Responding to a question about recent reports that the NSA collects data on only 20% to 30% of calls involving U.S. numbers, Alexander acknowledged that the agency doesn’t have full coverage of those calls. He wouldn’t say what fraction of the calls NSA gets information on, but specifically denied that the agency is completely missing data on calls made with cell phones.

“That part is not true,” he said. “We don’t get it all. We don’t get 100% of the data. It’s not where we want it to be, but it has been sufficient to go after the key targets that we’re going after.” [my emphasis]

Admittedly, Alexander is not always entirely honest, so it’s possible he’s just trying to dissuade terrorists from using cellphones while the NSA isn’t tracking them. But he points to the same evidence I did — that NSA has gotten key targets who use cell phones.

There’s something else Alexander said that might better explain the slew of claims that it can’t collect cell phone data.

The NSA director, who is expected to retire within weeks, indicated that some of the gaps in coverage are due to the fact that the NSA “paused any changes to the program” during the recent controversy and discussions about restructuring the effort.

The NSA has paused changes to the program.

This echoes WaPo and WSJ reports that crises (they cited both the 2009 and current crisis) delayed some work on integrating cell data, but suggests that NSA was already making changes when the Snowden leaks started.

There is evidence the pause — or at least part of it — extends back to before the Snowden leak. As I reported last week, even though the NSA has had authority to conduct a new auto-alert on the phone dragnet since November 2012, they’ve never been able to use it because of technical reasons.

The Court understands that to date NSA has not implemented, and for the duration of this authorization will not as a technical matter be in a position to implement, the automated query process authorized by prior orders of this Court for analytical purposes.

This description actually came from DOJ, not the FISC, and I suspect the issue is rather that NSA has not solved some technical issues that would allow it to perform the auto-alert within the legal limits laid out by the FISC (we don’t know what those limits are because the Administration is withholding the Primary Order Supplement that would describe it, and redacting the description of the search itself in all subsequent orders).

That said, there are plenty of reasons to believe there are new reasons why NSA is having problems collecting cell phone data because it includes cell location, which is far different than claiming (abundant evidence to the contrary) they haven’t been collecting cell data all this time. In addition to whatever reason NSA decided to stop its cell location pilot in 2011 and the evolving understanding of how the US v. Jones decision might affect NSA’s phone dragnet program, 3 more things have happened since the beginning of the Snowden leaks:

  • On July 19, Claire Eagan specifically excluded the collection of cell site location information under the Section 215 authority
  • On September 1, NYT exposed AT&T’s Hemisphere program; not only might this give AT&T reason to stop collating such data, but if Hemisphere is the underlying source for AT&T’s Section 215 response, then it includes cell location data that is now prohibited
  • On September 2, Verizon announced plans to split from Vodaphone, which might affect how much of its data, including phone metadata, is available to NSA via GCHQ under the Tempora program; that change legally takes effect February 21

Remember, too, there’s a February 2013 FISC Section 215 opinion the Administration is also still withholding, which also might explain some of the “technical-meaning-legal” problems they’re having.

Underlying this all (and assuredly underlying the problems with collecting VOIP calls, which are far easier to understand and has been mentioned in some of this reporting, including the LAT story) is a restriction arising from using an ill-suited law like Section 215 to collect a phone dragnet: telecoms can only be obligated to turn over records they actually “already generate,” as described by NSA’s SID Director Theresa Shea.

[P]ursuant to the FISC’s orders, telecommunications service providers turn over to the NSA business records that the companies already generate and maintain for their own pre-existing business purposes (such as billing and fraud prevention).

To the extent telecoms use SS7 data, which includes cell location, to fulfill their Section 215 obligation (after all, what telecoms need billing records on a daily basis?), it probably does introduce problems.

Which, I suspect, will mean that Alexander and the rest of the dragnet defenders will recommend that a third party collate and store all this data, the worst of all solutions. They need to have a comprehensive source (like Hemisphere apparently plays for the DEA), one that will shield the government from necessarily having collected cell location data that is increasingly legally suspect to obtain. And they’ll celebrate it as a great sop to the civil libertarians, too, when in fact, they’ve probably reached the point where it is clear Section 215 can’t legally authorize what it is they want it to do.

The issue, more and more evidence suggests, is that they can’t collect the dragnet data without a law designed to construct the dragnet. Which is another way of saying the dragnet, as intended to function, is illegal.

On the Definition of Dragnet “Identifier”

Last month, I noted that ODNI failed to redact a reference to Verizon in one of the phone dragnet primary orders, which helped to confirm that Verizon was the provider ordered to provide only its domestic or one-end domestic call records to NSA under this order.

I’d like to look at another redaction fail (also, IIRC, pointed out to me Michael) from that document dump.

In the February 25, 2010 order, part of the footnote describing what identifiers NSA can use to contact chain was left unredacted.

Screen Shot 2014-02-15 at 12.42.04 PM

The footnote starts on the previous page; this is the end of the description (the big redaction below it modifies one of the terms in the list of terror groups associations).

Given all the discussion about whether NSA does or does not collect cell phone data, I think it of particular interest that IMSI and IMEI — two ways to identify cell phone users — appear in this footnote. It’s actually not clear whether their inclusions mean they can or cannot be used as identifiers.

But there’s reason to believe the footnote says they can be used as identifiers.

The footnote first appeared in the March 5, 2009 order — the first written after Judge Reggie Walton started trying to clean up the dragnet mess. Screen Shot 2014-02-15 at 1.01.28 PM

By that point, NSA had informed Walton that an additional querying tool had regularly accessed the 215 dragnet to perform analysis of certain identifiers.

If an analyst conducted research supported by [redacted] the analyst would receive a generic notification that NSA’s signals intelligence (“SIGINT”) databases contained one or more references to the telephone identifier in which the analyst was interested; a count of how many times the identifier was present in SIGINT databases; the dates of the first and last call events associated with the identifier; a count of how many other unique telephone identifiers had direct contact with the identifier that was the subject of the analyst’s research; the total number of calls made to or from the telephone identifier that was the subject of the analyst’s research; the ratio of the count of total calls to the count of unique contacts; and the amount of time it took to process the analyst’s query.

But this was before NSA explained it treated all correlated identifiers for a particular RAS-approved person as RAS-approved,

The end-to-end review revealed the fact that NSA’s practice of using correlated selectors to query the BR FISA metadata had not been fully described to the Court. A communications address or selector, is considered correlated with other communications addresses when each additional address is shown to identify the same communicant(s) as the original address.

Though it had provided some kind of description of this practice in an August 18, 2008 filing that almost certainly served as back-up for the August 19, 2008 order that first started specifically ordering IMSI and IMEI data.

A description of how [redacted] is used to correlate [redacted] was included in the government’s 18 August 2008 filing to the FISA Court, While NSA previously described to the FISC the ractice of using correlated selectors as seeds, the FISC never addressed whether [redacted] correlated selectors met the RAS standard when any one of the correlated selectors met the RAS standard. A notice was filed with the FISC can this issue on 15 June 2009.

 

All of which is to say that several of the items discussed during the 2009 review pertained to how NSA tracked identities over time, particularly phone-based identities that spanned multiple cell phones.

Which would explain why it would want to track both phone numbers themselves, but especially the handset and SIM identifiers (though in the case of burner phone “correlation,” those details wouldn’t help to make a match).

None of this should be surprising. As I said, it would be shocking if the nation’s counterterrorism professionals accepted a dragnet with less functionality than the one available to DEA under AT&T’s Hemisphere program, and a key part of that program involves matching cell phone identities (though remember, Hemisphere at least used to permit tracking of geolocation, too).

But assuming that footnote defining “identifier” affirmatively includes IMSI and IMEI as potential identifiers, which would seem logical, it’s yet one more data point showing how central the use of cell phones is to the dragnet.

That still doesn’t mean the NSA collected cell phone data, or collected it from providers besides AT&T and Sprint. But it sure seems to indicate an priority on such data.

Is Hemisphere Creating Problems for the Phone Dragnet?

Screen Shot 2014-02-12 at 4.39.40 PMYou are all probably bored with my repeated posts about why the claim that NSA only collects 30% of US data is probably only narrowly true.

So I won’t discuss how absurd it would be to argue that the terrorist dragnet drawing on the records of at least 3 phone companies was less comprehensive than Hemisphere, the similar AT&T-specific database it makes available to hunt drug crime.

I just want to raise a methodological issue.

In her declaration submitted in support of the suits challenging the Section 215 dragnet, Theresa Shea emphasized something implicit in the Business Records order: the telecoms are only turning over records they already have.

[P]ursuant to the FISC’s orders, telecommunications service providers turn over to the NSA business records that the companies already generate and maintain for their own pre-existing business purposes (such as billing and fraud prevention).

Presumably, AT&T provides precisely this same data to the NSA for its master phone dragnet. That is, to the extent that AT&T compiles this data in particular form, that may well be the form it hands onto NSA.

And that’s interesting for several reasons.

Hemisphere includes not just AT&T call records. It includes records from “CDRs for any telephone carrier that uses an AT&T switch to process a telephone call.” It gets 4 billion call records a day, including international ones and cell ones. As Scott Shane explained,

AT&T operates what are called switches, through which telephone calls travel all around the country. And what AT&T does in this program is it collects all the—what are called the CDRs, the call data records, the so-called metadata from the calls that we’ve heard about in the NSA context. This is the phone number—phone numbers involved in a call, its time, its duration, and in this case it’s also the location. Some are cellphone calls; some are land line calls. Anything that travels through an AT&T switch, even if it’s not made by an AT&T customer—for example, if you’re using your T-Mobile cellphone but your call travels through an AT&T switch somewhere in the country, it will be picked up by this project and dumped into this database.

Which supports the report from last summer that the government can get T-Mobile calls off AT&T’s records. These are the pre-existing records that NSA can come get and they include T-Mobile calls.

There’s another interesting part of that. As I noted the first two phone dragnet orders provided for compensation to the providers, even though the statute doesn’t envision that. That would bring you to November 2006; Hemisphere started in 2007, with funding from ONCDP, the White House Drug Czar. Remember, too, that FBI had the equivalent of Hemisphere onsite until late 2007-2008. That is, one thing Hemisphere does is pay for one provider to store what serves as a good baseline dragnet that can then be handed over to the NSA. That’s significant especially given Geoffrey Stone’s claims that the dragnet is not comprehensive because the cost involved: there should be no cost, but somehow it’s driving decisions.

In any case, as luck would have it, Hemisphere got exposed at the same time as the dragnet.

Hemisphere operates with different legal problems than the NSA phone dragnet. At least with the phone dragnet, after all, AT&T has been compelled to turn over records; with Hemisphere they’re effectively retaining them voluntarily to turn surveillance into a profit center (though they do get compelled on an order-by-order basis). Moreover, AT&T’s far more exposed by the publication on Hemisphere than it is on the NSA dragnet (or perhaps, than even Verizon is under the phone dragnet). The exposure of Hemisphere might make AT&T more hesitant to “voluntarily” retain this data.

Finally, there’as the amicus challenge EFF and ACLU submitted in a criminal case in Northern California notes, Hemisphere includes precisely the data the NSA is struggling with: cell location data.

Hemisphere goes even further than the NSA’s mass call-tracking program, as the CDRs stored in the Hemisphere database contain location information about callers (see Hemisphere Slide Deck at 3, 13), thus implicating the specific concerns raised by five Justices in Jones. See 132 S. Ct. at 955 (Sotomayor, J., concurring) (“wealth of detail about [a person’s] familial, political, professional, religious, and sexual associations” revealed through “trips to the psychiatrist, the plastic surgeon, the abortion clinic,” etc.) (internal quotation marks, citation omitted); id. at 964 (Alito, J., concurring).

The FISC has created all sorts of problems for NSA to store cell location data, most explicitly with Claire Eagan’s order in July specifically prohibiting it.

But here AT&T is, creating the opportunity for the perfect challenge to use Jones to challenge location in a dragnet specifically.

Which is all a way of saying that the tensions with the phone dragnet may not be entirely unrelated from the fact that Hemisphere also got challenged.

Section 215 FISC Orders Specifically Included Mobile Phone IDs Starting in 2008

I’ve been obsessing on when and whether telecoms turn over cell phone data under Section 215 and EO 12333 for the last several days. So I want to point out a change in the FISC orders for the Section 215 phone dragnet starting in 2008.

Here’s how the April 3, 2008 Section 215 FISC order describes the metadata to be turned over to NSA:

Telephony meta data includes comprehensive communications routing information, including but not limited to session identifying information (e.g., originating and terminating telephone number, communications device identifier, etc.), trunk identifier, telephone calling card numbers, and time and duration of call. Telephony meta data does not include the substantive content of any communication, as defined by 18 U.S.C. § 2510(8), or the name, address, or financial information of a subscriber or customer. [my emphasis]

Here’s how the August 19, 2008 order and (I believe) all subsequent orders describe the metadata to be turned over to the NSA.

Telephony meta data includes comprehensive communications routing information, including but not limited to session identifying information (e.g., originating and terminating telephone number, International Mobile Subscriber Identity (IMSI) numbers, International Mobile Station Equipment Identity (IMEI) etc.), trunk identifier, telephone calling card numbers, and time and duration of call. Telephony meta data does not include the substantive content of any communication, as defined by 18 U.S.C. § 2510(8), or the name, address, or financial information of a subscriber or customer. [my emphasis]

In both cases, these paragraphs end with a footnote that starts, “The Court understands that the,” followed by redacted language that would probably be very instructive in explaining where and how the telecoms got their data.

The IMSI is a subscriber’s account number — basically the number tied to the SIM card. The IMEI is a phone handset’s ID number. Drone targeting may track both numbers.

Amid claims the NSA doesn’t collect cell phone data, I find it notable that NSA started asking for cell phone identifiers back in 2008. (I find it equally notable that they started asking for IMSI and IMEI on the second docket after NSA put a copy of  the Section 215 data onto the same server as the EO 12333 data). That was also the year that Tempora — under which GCHQ   accessed huge amounts of Internet and phone data off Transatlantic cables, including from Verizon — was first piloted.

I don’t think that proves definitively that NSA was collecting cell phone data (though the WSJ reported last June that it was collecting cell data directly from AT&T and Sprint, with T-Mobile and Verizon data coming from another source). Depending on where providers got the data (on a daily basis, remember) to provide to NSA, they would have the IMSI and IMEI data on phones in contact with their land lines.

But the NSA has been collecting data about cell phones at least since 2008.

Which raises real questions about claims they don’t know how to integrate cell phone data into their database.

Update: To answer Dr. Pitchfork’s question, 4 national journalists reported on Friday that the NSA only “gets” 20 to 30% of US phone data because they don’t get cell data. Even ignoring details like the explicit mention of cell data in the 215 orders, their story doesn’t make any sense. I think the real problem may arise from a recent FISC order and Verizon’s split from Vodaphone.

Emptywheel Twitterverse
bmaz @runtodaylight Doubt it will go criminal, too many complications.But I do have a client who is a Dr. there from a previous matter.
1hreplyretweetfavorite
bmaz @FalguniSheth @adamsteinbaugh @emptywheel No calves. I have my cows all grazing on Uncle Sam's land up in Nevada. Beer smooth.
1hreplyretweetfavorite
bmaz @adamsteinbaugh @emptywheel @FalguniSheth Never had Founder's beer before. Pale ale is killer.
1hreplyretweetfavorite
bmaz .@emptywheel @FalguniSheth My Founder's beer from our patio bar seat tonight: http://t.co/T9gB3HT7iB
2hreplyretweetfavorite
bmaz @steve_vladeck @ACLU_NCA Yeah, and neither will the FISC and other courts apparently.
4hreplyretweetfavorite
bmaz In the not even close to news dept, breaking or otherwise, The Blue Angels are a bunch of rowdy fighter jocks http://t.co/17tfetOJAh
4hreplyretweetfavorite
bmaz @gideonstrumpet @nancyleong @ntswanson Is that a hospital in CT is it?
4hreplyretweetfavorite
bmaz RT @erinscafe: If you come to the premiere of Follow Friday the Film Friday at 5:45 pm, you can meet @LynsieLee, my fav stripper. http://t.…
4hreplyretweetfavorite
bmaz @yvonnewingett @barrettmarson @JimSmall Hey, I think I made that point already!
4hreplyretweetfavorite
bmaz I'd love to convict this Blackwater fuckstic; but the Stated Dept tanked the case w/Garrity statements at the get go http://t.co/d1zH3nNR2k
4hreplyretweetfavorite
bmaz @barrettmarson @JimSmall "Innocent"??
5hreplyretweetfavorite
bmaz @APribetic @gideonstrumpet @ScottGreenfield @kashhill @adamsteinbaugh My media strategy is "don't talk to the media". Nothing good happens.
5hreplyretweetfavorite
April 2014
S M T W T F S
« Mar    
 12345
6789101112
13141516171819
20212223242526
27282930