May 4, 2015 / by emptywheel


Unlike the Existing Phone Dragnet, USA F-ReDux Does Not Include “Telephony” in Its Definition of Call Detail Record

As part of a larger effort to get some people who understand the intersection of telephony and Internet technologies well to review the chaining process that would be introduced under USA F-ReDux, I want to compare the definition of Call Detail Record used under the current dragnet orders with the one that would be adopted under USA F-ReDux (both of which I’ve put below).

Obviously, the definitions are very closely related. Both prohibit the collection of the name, address, or financial information of a subscriber or customer (which makes this definition far narrower than an administrative subpoena for phone records). Both prohibit the collection of “contents” (though using a definition tied to a communication sent, which may not include stored content). Both prohibit the collection of non-trunk identifier location data, though the USA F-ReDux definition explicitly adds GPS data to the definition.

And both include certain things in their definitions of “session identifying information,” including originating and terminating telephone number, IMSI and IMEI numbers, calling card numbers, and time and duration of a call. The existing definition uses the conjunction “and” in its orders that ultimately go to providers, but notes the definition “includes but is not limited to” this session-identifying information. USA F-ReDux uses a non-exclusive “or” for its description of what session-identifying information is, suggesting only one of those things must be included in a CDR. At least as I read it, then, the existing phone dragnet definition of “session identifying information” is expansive, ordering providers to turn over at least this much, though possibly more (cough, AT&T), just so long as that “more” doesn’t include anything from the 3 kinds of prohibited information. The USA F-ReDux definition, by contrast, provides a list of things, one of which must be included, to be considered a CDR that can be returned to the government at the end of the process. As I read it, a CDR might consist of nothing more than an IMEI or an IMSI number.

But by far the most interesting difference between these two definitions is that the existing phone dragnet orders require this be telephony session-identifying information (and also seem to require some communications routing information). Not only does USA F-ReDux not require the session-identifying information to relate to telephony sessions, the word “telephony” doesn’t appear in USA F-ReDux at all.

Thus, while the bill requires that reports back to the government include something that is considered a telephony identifier — a phone number or one of two numbers identifying a device — it doesn’t actually say that the sessions in question must be telephony sessions.

Update 5/6: Actually, I think this paragraph is incorrect. A CDR, as defined, involves one of 5 things: telephone number, IMSI number, IMEI number, calling card number, or time and duration of a call. Given the “or,” only one of those things must be included. So if time and duration of a call is included (perhaps described as tied to Internet identifiers rather than device identifiers), that should fulfill the definition.

That’s important, because people increasingly make their calls using Internet technology, whether via things that feel like phone calls (VOIP), via video conversations, or via messaging (most notably iMessage) that — if sent across wifi — would not hit a telecom network as telephony. Nothing I see in this bill excludes those “calls” from this definition of CDR.

USA F-ReDux Definition of Call Detail Record

(3) CALL DETAIL RECORD.—The term ‘call detail record’—

(A) means session-identifying information (including an originating or terminating telephone number, an International Mobile Subscriber Identity number, or an International Mobile Station Equipment Identity number), a telephone calling card number, or the time or duration of a call; and

(B) does not include—

(i) the contents (as defined in section 2510(8) of title 18, United States Code) of any communication;

(ii) the name, address, or financial information of a subscriber or customer; or

(iii) cell site location or global positioning system information.

Existing Section 215 Definition of Call Detail Records

From the February 26, 2015 order, footnote 1.

For the purposes of this Order, “telephony metadata” includes comprehensive communications routing information, including but not limited to session identifying information (e.g., originating and terminating telephone number, International Mobile Subscriber Identifier (IMSI) number, International Mobile station Equipment Identity (IMEI) number, etc.), trunk identifier, telephone calling card numbers, and time and duration of call. Telephony metadata does not include the substantive content of any communication, as defined by 18 U.S.C. § 2510(8), or the name, address, or financial information of a subscriber or customer. Furthermore, this Order does not authorize the production of cell site location information (CSLI).
