I noted this yesterday in a quick post, but I wanted to post the video and my transcription of Mark Warner’s efforts to lay out some of the privacy problems with HR 3361, which I call USA Freedumber.
Warner, who made his fortune as a telecom mogul, points out that USA Freedumber will be able to access calls from smaller cell companies that are currently not included as primary providers to NSA (he doesn’t mention it, but USA Freedumber will also be able to access VOIP).
Warner: It was reported when we think about 215 in the previous program that that collected metadata that was with those entities — those companies — that entered into some relationship with the IC, and I believe there was a February WSJ article that reported — and I don’t want to get into percentages here — that while the large entities, large companies were involved, that in many cases, the fastest growing set of telephone calls, wireless calls, were actually a relatively small percentage. Is that an accurate description of how the press has presented the 215 program prior — previously?
Ledgett: Yes, that’s how the press represented it.
Warner: And if that was an accurate presentation, wouldn’t the universe of calls that are now potentially exposed to these kind of inquiries be actually dramatically larger since any telco, regardless of whether they had a relationship with the IC or not, and any type of call, whether it is wire or wireless, be subject to the inquiries that could be now made through this new process.
Ledgett: Uh Yes, Senator, that’s accurate.
Warner: So, again, with the notion here that under the guise of further protecting privacy, I think on a factual basis, of the number of calls potentially scrutinized, the universe will be exponentially larger than what the prior system was. Is that an accurate statement.
Ledgett: No, Senator, I don’t believe so, because the only calls that the government will see are those that are directly responsive to the predicate information that we have.
Warner: No, in terms of actual inquiries, correct, but the universe of potential calls that you could query, when prior to the calls were only queried out of the 215 database that was held at the NSA, which as press reports said did not include — in many cases — the fastest growing number of new calls, wireless calls, now the universe of — even though the number of queries may be the same, because the protections are still the same, the actual universe of potential calls that could be queried against is dramatically larger than what 215 has right now.
Ledgett: Potentially yes, that’s right Senator.
From there, Warner focuses on a more troubling issue: the likelihood that NSA could get cell location data and call detail records with the same request. Ultimately James Cole (who steps in for DDIRNSA Richard Ledgett) does not deny that under this program NSA will be able to get call records at the same time as getting phone location information.
Warner: That’s a fairly big additional yes. Let me just go to one other additional item. One of the things, again I check with staff to make sure this is all appropriate to be asked here, is that one of the things that 215 did not include was location information. The nature of wireless telephony is, having had some background in that field, you can identify where a cell phone call originates. What kind of privacy protections do we have in this legislation to ensure that location data will not be queried [Ledgett starts looking around for help] on a going forward basis, since the telcos who hold this data hold not only the billing data but hold the location data as well.
Cole: I think that would be up to the specific request in specific court orders. I mean, right now, in law enforcement contexts, when we have a good basis for it, we can go and get location information. Sometimes it’s very valuable, I can think of one instance where it saved somebody’s life, who had been taken hostage, being able to get location information quickly. It won’t be collected in bulk, it’ll be collected in each individual circumstances that warrants it by showing the court that in fact this is information that is relevant–
Warner: But in the previous 215 Section where the data was held, the megadata was held at NSA, the location data was not–
Cole: That’s correct, we didn’t get the location data with what was held in the database at NSA and then could be queried within NSA’s protection, but we could always have the ability to go back to the telephone company providers in an appropriate circumstance and ask them for individual location information that we thought was warranted.
Warner: But that would require an exceptional step, I’m talking now not so much on the law enforcement side. I’m talking more on the IC side.
Cole: Right. And that’s what’ll happen now. Under this bill–
Warner: Would they be combined into a single step or a dual step.
Cole: It could be I think it would require the court to look at whether or not it thought it was appropriate under the facts and circumstances of the request to provide location information as well as the call data records. Or whether or not only the call data records were appropriate. Just depends on the circumstances.
Warner: Again, my time is expired and I appreciate I think that it is essential to the public, that while we’re trying to get this balance right, and you know understandably public great deal of concern about the government holding the data, I think as a number of us have outlined, there lies a number of concerns that privacy advocates should also be concerned about in terms of both the scope of the amount of data, potentially even greater access if we’re able to go at this at the telcos, and again, re-emphasizing what a couple of my colleagues have said, my hope is there will be an additional higher level of security standard and a higher level of training and a higher level of commitment from the telcos of these individuals who are going to have access to the data–I don’t think they’ll ever get to the standard of the folks at the NSA. But this is an issue that needs to be thoroughly vetted.
Warner still seems to be missing one part of this (he ended his operational involvement in cell phones before the explosion of smart phone use). NSA is chaining, here, not exclusively on chains of calls made, but on connections. And whether or not NSA makes a dual request to receive cell location, the analytical process seems to permit the use of cell location to chain cell phones in regular proximity, even if they never call each other (again, DEA is already doing this under the Hemisphere program, so it would be crazy to imagine that NSA wouldn’t demand at least what DEA has in place).
But now that Warner has gotten Cole to admit they seem to have envisioned dual requests — including both call detail records and cell location — it opens up the possibility that they’ll issue triple requests, obtaining call detail records and cell location as well as Internet content or other smart phone functions (like calendar data or photographs). Zoe Lofgren has already gotten Cole to admit that Section 215 could be used for far broader uses like that (including URL search terms and credit card records). If Section 215 can be used to access all the functions of a cell phone, and if NSA can issue hybrid requests like this, then the privacy implications of USA Freedumber really do amount to putting the NSA right into your smart phone.