FBI Asks for at Least Eight Correlations with a Single NSL

After 11 years and a number of lawsuits, Nicholas Merrill is finally permitted to release the National Security Letter he received from the FBI in 2004. Here’s the list of things the FBI asked for about one of Merrill’s ISP customers.

  • DSL account information
  • Radius log
  • Subscriber name and related subscriber information
  • Account number
  • Date the account opened or closed
  • Addresses associated with the account
  • Subscriber day/evening telephone numbers
  • Screen names or other on-line names associated with the account
  • Order forms
  • Records relating to merchandise orders/shipping information for the last 180 days
  • All billing related to account
  • Internet service provider (ISP)
  • All e-mail addresses associated with account
  • Internet Protocol (IP) address assigned to the account
  • All website information registered to the account
  • Uniform resource locator (URL) address assigned to the account
  • Any other information which you consider to be an electronic communication transactional record

Perhaps the most alarming thing — though it is by no means a surprise — is that they asked for the radius log of IPs accessing the site, which would provide the traffic for a given website.

But because I’m interested in how the FBI and NSA correlate identifiers — match a person’s various IDs together, so as to be able to put together a complete picture of that person — I wanted to highlight the many different kinds of correlations they would get here: 1) subscriber name, 2) addresses, 3) telephone numbers, 4) screen names, 5) billing (which would include credit card or bank information), 6) email addresses, 7) IP addresses, 8) URL. That’s 8 different correlations (most of which can and in some cases would bring up multiple pieces of information) that one NSL obtains. And for most of those (plus the DSL and ISP), there’d be a similar set of identifiers available from another provider.

This is what the government means when it does “connection” chaining: gluing every fragment of your online life together to see it all.
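To make the chaining concrete, here is an added example (not from the NSL or from Merrill's release) that links records from several providers whenever they share any one of the eight identifier kinds listed above. The records, field names and the `chain` function are all constructed for illustration.

```python
from collections import defaultdict

# The eight identifier kinds counted in the post (field names are assumptions).
KINDS = ("name", "address", "phone", "screen_name", "billing", "email", "ip", "url")

# Constructed sample records; every value is made up.
RECORDS = [
    {"source": "isp", "name": "J. Doe", "address": "1 Example St",
     "phone": "555-0100", "email": "jdoe@isp.example", "ip": "192.0.2.10"},
    {"source": "webhost", "email": "jdoe@isp.example", "screen_name": "jd_77",
     "url": "http://jd.example/", "billing": "card-ending-0000"},
    {"source": "forum", "screen_name": "jd_77", "ip": "198.51.100.7"},
    {"source": "shop", "name": "A. Roe", "phone": "555-0199",
     "email": "aroe@mail.example"},
]

def chain(records):
    """Group records into profiles: two records join if they share any identifier."""
    parent = list(range(len(records)))

    def find(i):
        # Union-find root lookup with path halving.
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i

    first_seen = {}  # (kind, value) -> index of the first record carrying it
    for idx, rec in enumerate(records):
        for kind in KINDS:
            if kind in rec:
                key = (kind, rec[kind])
                if key in first_seen:
                    parent[find(idx)] = find(first_seen[key])
                else:
                    first_seen[key] = idx

    profiles = defaultdict(lambda: {"sources": set(), "identifiers": set()})
    for idx, rec in enumerate(records):
        profile = profiles[find(idx)]
        profile["sources"].add(rec["source"])
        profile["identifiers"].update((k, rec[k]) for k in KINDS if k in rec)
    # Largest profile first.
    return sorted(profiles.values(), key=lambda p: -len(p["identifiers"]))

if __name__ == "__main__":
    for p in chain(RECORDS):
        print(sorted(p["sources"]), len(p["identifiers"]), "identifiers")
```

The forum record shares nothing with the ISP record directly, yet it lands in the same profile because the web host record carries both the ISP e-mail address and the forum screen name.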

Update: In a press conference on this release (and in the unredacted court opinion), Merrill revealed the FBI considered cell site location to be included in the radius log. He explained that URL searches would be included in cached traffic under the electronic communication transactional record.

Marcy has been blogging full time since 2007. She’s known for her live-blogging of the Scooter Libby trial, her discovery of the number of times Khalid Sheikh Mohammed was waterboarded, and generally for her weedy analysis of document dumps.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including the Guardian, Salon, and the Progressive, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse and dog in Grand Rapids, MI.

6 replies
  1. orionATL says:

    frightening power.

    especially when used against groups such as

    – war protesters

    – civil rights groups

    – corporate hegemony protesters

    – anti-police brutality groups

    – money in politics

    – gun rights opponents

    – fbi abuse of authority, deceit in courts, lab testing incompetence

    – first amendment violations

    – muslim rights

    – environmental protest

    – systemic government corruption

    – union votes, support

    particularly in conjunction with informers

    https://theintercept.com/2015/11/19/an-fbi-informant-seduced-eric-mcdavid-into-a-bomb-plot-then-the-government-lied-about-it/

    and

    overflights.

    and

    the infiltration of hardcore right wing into the fbi.

  2. bevin says:

    One begins to understand how ordinary people wondered as the camps suddenly began to be built: “What are they doing this for?” “Who is coming here?” “Are these vacation facilities for tired workers from the cities?” “What is the hurry?”
    These are the bones of totalitarianism awaiting only a Trump and a Congress debauched by money and stupidity to clothe them.

  3. haarmeyer says:

    I believe the radius log request is with respect to the ISP customer, and consists of all the IP addresses that were assigned to that customer by the DSL service during whatever period the ISP holds them for. It is not a request for all traffic, rather it gives a record of what IP addresses were used by the specific customer at each access point in time. The investigators would then use that to find out what else the person did during that time by presenting a similar letter to their DSL service, and so forth.

      • haarmeyer says:

        Finding out what a radius log is just requires internet search skills. I’ll admit to more than the average experience with metadata, but I’ve never been a spy.

        • orionATL says:

          @#5

          “i admit to more than average experience with metadata ”

          yeah, me too.

          why i’m so old that –

          i can remember when all emails came with their metadata as the top page of the message.

          printers used daisy wheels and ribbons in those days. paper was in continuously connected reams separated by properly spaced perforations. all was expensive; machinery broke down frequently; metadata printing cost money.

          then printing metadata became an option for emails.

          then it disappeared entirely from the message displayed.

          too bad.

          reading metadata could be as useful as reading JCL.

          i wonder if that option to print metadata should be brought back :)
