November 30, 2015 / by emptywheel


FBI Asks for at Least Eight Correlations with a Single NSL

After 11 years and a number of lawsuits, Nicholas Merrill is finally permitted to release the National Security Letter he received from the FBI in 2004. Here’s the list of things the FBI asked for about one of Merrill’s ISP customers.

  • DSL account information
  • Radius log
  • Subscriber name and related subscriber information
  • Account number
  • Date the account opened or closed
  • Addresses associated with the account
  • Subscriber day/evening telephone numbers
  • Screen names or other on-line names associated with the account
  • Order forms
  • Records relating to merchandise orders/shipping information for the last 180 days
  • All billing related to account
  • Internet service provider (ISP)
  • All e-mail addresses associated with account
  • Internet Protocol (IP) address assigned to the account
  • All website information registered to the account
  • Uniform resource locator (URL) address assigned to the account
  • Any other information which you consider to be an electronic communication transactional record

Perhaps the most alarming thing — though it is by no means a surprise — is that they asked for the RADIUS log of IPs accessing the site, which would provide the traffic for a given website.

But because I’m interested in how the FBI and NSA correlate identifiers — match a person’s various IDs together, so as to be able to put together a complete picture of that person — I wanted to highlight the many different kinds of correlations they would get here: 1) subscriber name, 2) addresses, 3) telephone numbers, 4) screen names, 5) billing (which would include credit card or bank information), 6) email addresses, 7) IP addresses, 8) URL. That’s 8 different correlations (most of which can and in some cases would bring up multiple pieces of information) that one NSL obtains. And for most of those (plus the DSL and ISP), there’d be a similar set of identifiers available from another provider.

This is what the government means when it does “connection” chaining: gluing every fragment of your online life together to see it all.

Update: In a press conference on this release (and in the unredacted court opinion), Merrill revealed the FBI considered cell site location to be included in the RADIUS log. He explained that URL searches would be included in cached traffic under the electronic communication transactional record.

Copyright © 2015 emptywheel. All rights reserved.