AT&T Pulled Cell Location for Its “Mobility Cell Data”
ProPublica and NYT have an important story that confirms what we’ve long known — that AT&T, operating under the Fairview program — is all too happy to do business with the NSA. As part of the story, they note that in 2011, AT&T started providing cell data to NSA under the BR FISA program.
In 2011, AT&T began handing over 1.1 billion domestic cellphone calling records a day to the NSA after “a push to get this flow operational prior to the tenth anniversary of 9/11,” according to an internal agency newsletter. This revelation is striking because after Snowden disclosed the program of collecting the records of Americans’ phone calls, intelligence officials told reporters that, for technical reasons, it consisted mostly of landline phone records.
They base the claim on this document, which reads,
On 29 August, FAIRVIEW started delivering Mobility Business Records traffic into MAINWAY under the existing Business Record (BR) FISA authorization. The intent of the Business Records FISA program is to detect previously unknown terrorist threats in the United States through the cell chaining of metadata. This new metadata flow is associated with a cell phone provider and will generate an estimated 1.1 billion cellular records a day in addition to the 700M records delivered currently under the BR FISA. After extensive dialogue with the consumers of the BR data, repeated testing, a push to get this flow operational prior to the tenth anniversary of 9/11, and extensive coordination with external entities via our OGC (to include: FBI, DOJ, ODNI, and FISC) NSA received approval to initiate this dataflow on August 29, 2011. Analysts have already reported seeing BR Cellular records in the Counter Terrorism call-chaining database queries.
Though it provides important new context, that NSA started receiving mobile data on August 29, 2011 is not new news (though that it was getting it from AT&T is). The government released the notice it gave to the House Judiciary Committee that it was receiving that data in October 2013 under FOIA (indeed, this document is one I have pointed to to refute claims that the program didn’t collect cell data).
All that said, the notice, taken together with the context of the internal announcement, does explain more about why the NSA wasn’t getting as much cell data as they wanted.
In the case of Fairview and the collection started on August 29, 2011, the provider “remove[d] the cell [redacted] location information [redacted] before providing the CDRs to NSA.”
Before initiating the acquisition of mobility data, NSA undertook extensive testing to ensure strict compliance with the terms of the FISC Orders. The Court’s Orders are designed to protect the civil liberties and privacy interests of Americans. Following completion of testing, on 29 August 2011, NSA began to receive approximately [redacted] CDRs per day and enter these records into our BR FISA bulk metadata architecture.
[redacted] NSA requested that the [redacted] remove the cell [redacted] location information [redacted] before providing the CDRs to NSA. Consequently, NSA is not currently receiving this field as part of the data being acquired. [redacted]
As the NYT reported earlier this week, NSA had given Verizon Wireless a separate order for phone dragnet order in 2010. But the redaction in the notice to Congress on obtaining mobility data from a year later seems to address the problem with obtaining location information.
We know from the Congressional notice AT&T was willing to strip it. For a lot of reasons, it’s likely Verizon was unwilling to strip it.
This is one of the possible explanations I’ve posited for why NSA wasn’t getting cell data from Verizon, because any provider is only obliged to give business records they already have on hand, and it would be fairly easy to claim stripping the cell location data made it a new business record.
Which is another important piece of evidence for the case made against AT&T in the story. They were willing to play with records they were handing over to the government in ways not required by the law.
Though who knows if that remain(ed) the case? To get to the 30% figure quoted in all the pieces claiming NSA wasn’t getting cell data, you’d probably have to have AT&T excluded as well. So maybe after the Snowden releases, they, too, refused to do things they weren’t required to do by law (though because it had the Hemisphere database which could easily select records, that may have been harder to do).
Update: Adding that FISC took judicial notice of some magistrates’ rulings you needed more than a subpoena for location data in 2006, after Congress said you could only get what you could get with a subpoena in the 2006 PATRIOT Reauthorization. So it’s possible any squeamishness about location collection dates to that point, though we know FISC did still permit the government to get location data with 215 orders.