April 28, 2015 / by emptywheel


USA F-ReDux: Chaining on “Session Identifying Information” that Is Not Call Detail Records

The House Judiciary Committee just released the latest incarnation of USA Freedom Act, which for now I’m calling USA F-ReDux.

One thing they’ve changed from the Patrick Leahy version is to reword what, under Leahy’s bill, provided for two hops of “connection chaining,” without defining what “connection chaining” meant.

Now, they provide a first hop that produces call detail records…

(iii) provide that the Government may require the prompt production of a first set of call detail records using the specific selection term that satisfies the standard required under subsection (b)(2)(C)(ii);

Later on in the bill, they define call detail record, which is what it was under the Leahy bill.

‘(3) CALL DETAIL RECORD.—The term ‘call detail record’—

(A) means session-identifying information (including an originating or terminating telephone number, an International Mobile Subscriber Identity number, or an International Mobile Station Equipment Identity number), a telephone calling card number, or the time or duration of a call; and

(B) does not include—

(i) the contents (as defined in section 2510(8) of title 18, United States Code) of any communication;

(ii) the name, address, or financial information of a subscriber or customer; or

(iii) cell site location or global positioning system information.

In other words, that first hop cannot include one definition of content or, most importantly, cell site location.

But the second one can.

The second hop is based off session-identifying information that is not limited by that CDR definition.

(iv) provide that the Government may require the prompt production of a second set of call detail records using session-identifying information or a telephone calling card number identified by the specific selection term used to produce call detail records under clause (iii)

They might as well have said, you can get call detail records, which we’ll define as a limited kind of session-identifying information, and then you can get call detail records (which have to be no more than a SIM card ID) using session-identifying information that doesn’t qualify under our CDR definition.

And that second session-identifying information could easily include cell location, cookies and permacookies, or a slew of other things that count as session-identifying information when you’re talking smart phones.

In other words, this seems to confirm the concerns I have had from day one that by going to the providers, they intend to do chaining off of information that doesn’t qualify under the narrow definition of session-identifying information.

Update: Here’s one more piece of evidence this is about getting smart phone data. USA F-ReDux introduces a new definition of “specific selection term” just for the CDR function. And it specifically permits the chaining on “accounts.”

(B) CALL DETAIL RECORD APPLICATIONS.—For purposes of an application submitted under subsection (b)(2)(C), the term ‘specific selection term’ means a term that specifically identifies an individual, account, or personal device.

Now, it’s possible that they just mean to chain on Friends and Family accounts, as AT&T will gladly do with just an NSL.

Except you get into accounts when you’re dealing with calls and messaging tied to a computer account and not any device. So they could chain on my “emptywheel” account to get Skype calls.

That’s fine, to an extent. They need such accounts to have anything close to full coverage, given how much messaging traffic takes place online. But that also says you’re already broaching any distinction between “calls” and Internet.

Copyright © 2015 emptywheel. All rights reserved.
Originally Posted @ https://www.emptywheel.net/2015/04/28/usa-f-redux-session-identifying-information-that-is-not-call-detail-records/