February 11, 2014 / by emptywheel

 

Section 215 FISC Orders Specifically Included Mobile Phone IDs Starting in 2008

I’ve been obsessing on when and whether telecoms turn over cell phone data under Section 215 and EO 12333 for the last several days. So I want to point out a change in the FISC orders for the Section 215 phone dragnet starting in 2008.

Here’s how the April 3, 2008 Section 215 FISC order describes the metadata to be turned over to NSA:

Telephony meta data includes comprehensive communications routing information, including but not limited to session identifying information (e.g., originating and terminating telephone number, communications device identifier, etc.), trunk identifier, telephone calling card numbers, and time and duration of call. Telephony meta data does not include the substantive content of any communication, as defined by 18 U.S.C. § 2510(8), or the name, address, or financial information of a subscriber or customer. [my emphasis]

Here’s how the August 19, 2008 order and (I believe) all subsequent orders describe the metadata to be turned over to the NSA.

Telephony meta data includes comprehensive communications routing information, including but not limited to session identifying information (e.g., originating and terminating telephone number, International Mobile Subscriber Identity (IMSI) numbers, International Mobile Station Equipment Identity (IMEI) etc.), trunk identifier, telephone calling card numbers, and time and duration of call. Telephony meta data does not include the substantive content of any communication, as defined by 18 U.S.C. § 2510(8), or the name, address, or financial information of a subscriber or customer. [my emphasis]

In both cases, these paragraphs end with a footnote that starts, “The Court understands that the,” followed by redacted language that would probably be very instructive in explaining where and how the telecoms got their data.

The IMSI is a subscriber’s account number — basically the number tied to the SIM card. The IMEI is a phone handset’s ID number. Drone targeting may track both numbers.

Amid claims the NSA doesn’t collect cell phone data, I find it notable that NSA started asking for cell phone identifiers back in 2008. (I find it equally notable that they started asking for IMSI and IMEI on the second docket after NSA put a copy of  the Section 215 data onto the same server as the EO 12333 data). That was also the year that Tempora — under which GCHQ   accessed huge amounts of Internet and phone data off Transatlantic cables, including from Verizon — was first piloted.

I don’t think that proves definitively that NSA was collecting cell phone data (though the WSJ reported last June that it was collecting cell data directly from AT&T and Sprint, with T-Mobile and Verizon data coming from another source). Depending on where providers got the data (on a daily basis, remember) to provide to NSA, they would have the IMSI and IMEI data on phones in contact with their land lines.

But the NSA has been collecting data about cell phones at least since 2008.

Which raises real questions about claims they don’t know how to integrate cell phone data into their database.

Update: To answer Dr. Pitchfork’s question, 4 national journalists reported on Friday that the NSA only “gets” 20 to 30% of US phone data because they don’t get cell data. Even ignoring details like the explicit mention of cell data in the 215 orders, their story doesn’t make any sense. I think the real problem may arise from a recent FISC order and Verizon’s split from Vodaphone.

Copyright © 2014 emptywheel. All rights reserved.
Originally Posted @ https://www.emptywheel.net/2014/02/11/section-215-fisc-orders-specifically-included-mobile-phone-ids-starting-in-2008/