Posts

Verizon VP: Company-Based Transparency Reports Don’t Help Consumers

There was a fascinating panel of Telecom execs and bloggers discussing human rights at RightsCon yesterday. Among others, Verizon Executive Vice President and General Counsel Randal Milch spoke.

As I noted in passing, Verizon published an update to their Transparency Report the other day. Particularly as compared to AT&T’s bogus report, the Verizon report was laudable for its explanation of what it couldn’t show, such as when it acknowledged that its report did not include the hundreds of millions of customers whose records got turned over under Section 215.

We note that while we now are able to provide more information about national security orders that directly relate to our customers, reporting on other matters, such as any orders we may have received related to the bulk collection of non-content information, remains prohibited.

It also acknowledged something obvious but that which should be explicit: when the government obtains content from Verizon, it sometimes gets metadata as well.

Some FISA orders that seek content also seek non-content; we counted those as FISA orders for content and to avoid double counting have not also counted them as FISA orders for non-content.

All this is useful information that lends the report itself credibility.

So when I first approached Milch, I thanked him for the quality of his report.

Which is why I was so surprised when he said the government should be in the business of transparency reports, not the providers. I challenged that, noting that an easy comparison of AT&T and Verizon’s reports strongly suggests that Verizon demands more legal process for requests than AT&T. He dismissed that, suggesting any differences arise from the different kind of client base the providers have.

Granted, Milch was talking about your average consumer, not … me.

But it seemed bizarre. Or perhaps it was a testament that Milch and Verizon generally don’t want to have to compete in this front.

Milch answered one other question of mine: I asked whether the Verizon/Vodaphone split affected Verizon’s obligations to the UK (that is, to GCHQ). He claims it didn’t affect it at all, that it was more an investment stake and that none of Verizon’s cell call records were in the UK. (No, I didn’t point out that the records are right where GCHQ wants them, in places accessible under Tempora).

So at least according to Milch’s claims, my theory laid out here is wrong.

Did GCHQ and NSA Lose an Eye Today?

As the business press is crowing, Vodaphone and Verizon are officially divorced.

After pulling off the $130 billion sale, Vodafone will drop from the world’s second-biggest phone company to the fourth, measured by market value, behind China Mobile Ltd., AT&T Inc. and Verizon Communications Inc. (VZ), data compiled by Bloomberg showed. Vodafone’s weighting in share indexes such as the FTSE 100 in London will be cut approximately in half.

Shareholders will get a return of about 102 pence ($1.70) per share. That’s about $23.9 billion in cash and about $58.6 billion in Verizon Communications shares.

Vodafone’s shares rose 2.8 percent to 236.10 pence at 2:45 p.m. in London. Verizon slipped 0.3 percent to $47.97 in New York.

“This is a great day for Verizon,” Verizon CEO Lowell McAdam said in a statement. “The new Verizon now has full ownership of the U.S. wireless industry leader in network performance, profitability and cash flow.”

The deal will help Vodafone pay off debt and help fund 7 billion pounds of additional network investments by March 2016, adding high-speed broadband and wireless coverage across its largest markets.

And rejoicing was heard on both sides of the Atlantic!

Curiously, though, I seem to be the only one asking what seems to be an obvious question: how will this high level British-US breakup affect the Five Eyes dragnet?

Particularly given reports that Verizon is (was?) one of 7 Tempora providers, I wonder whether splitting with Vodaphone has permitted Verizon to withdraw from compliance with GCHQ data requests.

Back in 2006, USA Today’s report that the NSA had a database of all of AT&T, Verizon, and BellSouth’s phone records caused one of the telecoms to refuse to turn over data without being legally obligated (and for a number of reasons, it is unlikely AT&T was the provider that demanded an order).

The publication of the Verizon Secondary Order on June 5, 2013 exposed Verizon far more than that 2006 story. And it exposed Verizon uniquely, in a way AT&T and Sprint hadn’t been exposed. ODNI exacerbated that exposure further when it released another document with Verizon’s name unredacted.

If I were Verizon, I would be doing nothing more than the government(s) legally requred me to do. And as of today, Verizon may have one less government with the ability to make such requirements.

Update: On March 4, Verizon’s General Counsel said the Vodaphone/Verizon split will have no effect on Verizon’s obligations to the US.

Keith Alexander Refutes Claims NSA Doesn’t Get Cell Data

Eight days ago, the country’s four major newspapers reported a claim that the NSA collected 33% or less of US phone records (under the Section 215 program, they should have specified, but did not) because it couldn’t collect most cell phone metadata:

  • “[I]t doesn’t cover records for most cellphones,” (WSJ)
  • “[T]he agency has struggled to prepare its database to handle vast amounts of cellphone data,” (WaPo)
  • “[I]t has struggled to take in cellphone data,” (NYT)
  • “[T]he NSA is gathering toll records from most domestic land line calls, but is incapable of collecting those from most cellphone or Internet calls.” (LAT)

Since that time, I have pointed to a number of pieces of evidence that suggest these claims are only narrowly true:

  • A WSJ article from June made it clear the cell gap, such as it existed, existed primarily for Verizon and T-Mobile, but their calls were collected via other means (the WaPo and NYT both noted this in their stories without considering how WSJ’s earlier claim it was still near-comprehensive contradicted the 33% claim)
  • The NSA’s claimed Section 215 dragnet successes — Basaaly Moalin, Najibullah Zazi, Tsarnaev brothers — all involved cell users
  • Identifying Moalin via the dragnet likely would have been impossible if NSA didn’t have access to T-Mobile cell data
  • The phone dragnet orders specifically included cell phone identifiers starting in 2008
  • Also since 2008, phone dragnet orders seem to explicitly allow contact-chaining on cell identifiers, and several of the tools they use with phone dragnet data specifically pertain to cell phones

Now you don’t have to take my word for it. Here’s what Keith Alexander had to say about the claim Friday:

Responding to a question about recent reports that the NSA collects data on only 20% to 30% of calls involving U.S. numbers, Alexander acknowledged that the agency doesn’t have full coverage of those calls. He wouldn’t say what fraction of the calls NSA gets information on, but specifically denied that the agency is completely missing data on calls made with cell phones.

“That part is not true,” he said. “We don’t get it all. We don’t get 100% of the data. It’s not where we want it to be, but it has been sufficient to go after the key targets that we’re going after.” [my emphasis]

Admittedly, Alexander is not always entirely honest, so it’s possible he’s just trying to dissuade terrorists from using cellphones while the NSA isn’t tracking them. But he points to the same evidence I did — that NSA has gotten key targets who use cell phones.

There’s something else Alexander said that might better explain the slew of claims that it can’t collect cell phone data.

The NSA director, who is expected to retire within weeks, indicated that some of the gaps in coverage are due to the fact that the NSA “paused any changes to the program” during the recent controversy and discussions about restructuring the effort.

The NSA has paused changes to the program.

This echoes WaPo and WSJ reports that crises (they cited both the 2009 and current crisis) delayed some work on integrating cell data, but suggests that NSA was already making changes when the Snowden leaks started.

There is evidence the pause — or at least part of it — extends back to before the Snowden leak. As I reported last week, even though the NSA has had authority to conduct a new auto-alert on the phone dragnet since November 2012, they’ve never been able to use it because of technical reasons.

The Court understands that to date NSA has not implemented, and for the duration of this authorization will not as a technical matter be in a position to implement, the automated query process authorized by prior orders of this Court for analytical purposes.

This description actually came from DOJ, not the FISC, and I suspect the issue is rather that NSA has not solved some technical issues that would allow it to perform the auto-alert within the legal limits laid out by the FISC (we don’t know what those limits are because the Administration is withholding the Primary Order Supplement that would describe it, and redacting the description of the search itself in all subsequent orders).

That said, there are plenty of reasons to believe there are new reasons why NSA is having problems collecting cell phone data because it includes cell location, which is far different than claiming (abundant evidence to the contrary) they haven’t been collecting cell data all this time. In addition to whatever reason NSA decided to stop its cell location pilot in 2011 and the evolving understanding of how the US v. Jones decision might affect NSA’s phone dragnet program, 3 more things have happened since the beginning of the Snowden leaks:

  • On July 19, Claire Eagan specifically excluded the collection of cell site location information under the Section 215 authority
  • On September 1, NYT exposed AT&T’s Hemisphere program; not only might this give AT&T reason to stop collating such data, but if Hemisphere is the underlying source for AT&T’s Section 215 response, then it includes cell location data that is now prohibited
  • On September 2, Verizon announced plans to split from Vodaphone, which might affect how much of its data, including phone metadata, is available to NSA via GCHQ under the Tempora program; that change legally takes effect February 21

Remember, too, there’s a February 2013 FISC Section 215 opinion the Administration is also still withholding, which also might explain some of the “technical-meaning-legal” problems they’re having.

Underlying this all (and assuredly underlying the problems with collecting VOIP calls, which are far easier to understand and has been mentioned in some of this reporting, including the LAT story) is a restriction arising from using an ill-suited law like Section 215 to collect a phone dragnet: telecoms can only be obligated to turn over records they actually “already generate,” as described by NSA’s SID Director Theresa Shea.

[P]ursuant to the FISC’s orders, telecommunications service providers turn over to the NSA business records that the companies already generate and maintain for their own pre-existing business purposes (such as billing and fraud prevention).

To the extent telecoms use SS7 data, which includes cell location, to fulfill their Section 215 obligation (after all, what telecoms need billing records on a daily basis?), it probably does introduce problems.

Which, I suspect, will mean that Alexander and the rest of the dragnet defenders will recommend that a third party collate and store all this data, the worst of all solutions. They need to have a comprehensive source (like Hemisphere apparently plays for the DEA), one that will shield the government from necessarily having collected cell location data that is increasingly legally suspect to obtain. And they’ll celebrate it as a great sop to the civil libertarians, too, when in fact, they’ve probably reached the point where it is clear Section 215 can’t legally authorize what it is they want it to do.

The issue, more and more evidence suggests, is that they can’t collect the dragnet data without a law designed to construct the dragnet. Which is another way of saying the dragnet, as intended to function, is illegal.

Section 215 FISC Orders Specifically Included Mobile Phone IDs Starting in 2008

I’ve been obsessing on when and whether telecoms turn over cell phone data under Section 215 and EO 12333 for the last several days. So I want to point out a change in the FISC orders for the Section 215 phone dragnet starting in 2008.

Here’s how the April 3, 2008 Section 215 FISC order describes the metadata to be turned over to NSA:

Telephony meta data includes comprehensive communications routing information, including but not limited to session identifying information (e.g., originating and terminating telephone number, communications device identifier, etc.), trunk identifier, telephone calling card numbers, and time and duration of call. Telephony meta data does not include the substantive content of any communication, as defined by 18 U.S.C. § 2510(8), or the name, address, or financial information of a subscriber or customer. [my emphasis]

Here’s how the August 19, 2008 order and (I believe) all subsequent orders describe the metadata to be turned over to the NSA.

Telephony meta data includes comprehensive communications routing information, including but not limited to session identifying information (e.g., originating and terminating telephone number, International Mobile Subscriber Identity (IMSI) numbers, International Mobile Station Equipment Identity (IMEI) etc.), trunk identifier, telephone calling card numbers, and time and duration of call. Telephony meta data does not include the substantive content of any communication, as defined by 18 U.S.C. § 2510(8), or the name, address, or financial information of a subscriber or customer. [my emphasis]

In both cases, these paragraphs end with a footnote that starts, “The Court understands that the,” followed by redacted language that would probably be very instructive in explaining where and how the telecoms got their data.

The IMSI is a subscriber’s account number — basically the number tied to the SIM card. The IMEI is a phone handset’s ID number. Drone targeting may track both numbers.

Amid claims the NSA doesn’t collect cell phone data, I find it notable that NSA started asking for cell phone identifiers back in 2008. (I find it equally notable that they started asking for IMSI and IMEI on the second docket after NSA put a copy of  the Section 215 data onto the same server as the EO 12333 data). That was also the year that Tempora — under which GCHQ   accessed huge amounts of Internet and phone data off Transatlantic cables, including from Verizon — was first piloted.

I don’t think that proves definitively that NSA was collecting cell phone data (though the WSJ reported last June that it was collecting cell data directly from AT&T and Sprint, with T-Mobile and Verizon data coming from another source). Depending on where providers got the data (on a daily basis, remember) to provide to NSA, they would have the IMSI and IMEI data on phones in contact with their land lines.

But the NSA has been collecting data about cell phones at least since 2008.

Which raises real questions about claims they don’t know how to integrate cell phone data into their database.

Update: To answer Dr. Pitchfork’s question, 4 national journalists reported on Friday that the NSA only “gets” 20 to 30% of US phone data because they don’t get cell data. Even ignoring details like the explicit mention of cell data in the 215 orders, their story doesn’t make any sense. I think the real problem may arise from a recent FISC order and Verizon’s split from Vodaphone.

Will NSA Lose Access to All Verizon Cell Metadata in 12 Days Time?

Last week, NSA selectively leaked a claim it only obtains 20 to 30% of US call data because it doesn’t collect some or all cell provider data. (WSJ, WaPo, LAT, NYT)

I believe the claim itself is true only in a narrow sense and the premises given to journalists underlying it are laughably false as presented (though have grains of truth).

I suspect this leaked propaganda campaign might better be explained by the possibility that NSA will lose some of its existing access to Verizon cell data on February 21, when the Vodaphone/Verizon split becomes legally official.

Some aspect of Verizon’s structure — and a good deal suggests it’s that dual-country ownership — has created problems in the metadata program since 2009. On May 29, 2009, Judge Reggie Walton started breaking out directions to Verizon’s Custodian of Records in its own paragraph of the Primary Order so as to clarify that it should only provide entirely domestic or one-end domestic calls under the Section 215 order, not entirely foreign calls. Then, in a July 9, 2009 Primary Order the government is still withholding, Walton actually shut down production from Verizon, apparently entirely. He restored production with the September 3, 2009 Primary Order, permitting retroactive collection of any records still in existence. We know Verizon was this provider because ODNI failed to redact Verizon’s name in the Verizon-specific paragraph in a recent document dump.

While we don’t know why including foreign production presented such a problem (that 3 month period is the only period I know of during which production of any part of the phone dragnet was shut down), it did.

But we do have hints of why Verizon’s international collection might be so sensitive. In August (a month before Verizon and Vodaphone agreed to split), Suddeutsche newspaper revealed that Verizon was among the 7 providers included in GCHQ’s Tempora program.

BT, Vodafone Cable, and the American firm Verizon Business – together with four other smaller providers – have given GCHQ secret unlimited access to their network of undersea cables. The cables carry much of the world’s phone calls and internet traffic.

In June the Guardian revealed details of GCHQ’s ambitious data-hoovering programmes, Mastering the Internet and Global Telecoms Exploitation, aimed at scooping up as much online and telephone traffic as possible. It emerged GCHQ was able to tap into fibre-optic cables and store huge volumes of data for up to 30 days. That operation, codenamed Tempora, has been running for 20 months.

The Guardian explained that providers were compelled, under licensing requirements, to participate under the UK’s Telecom Act.

Telecoms providers can be compelled to co-operate with requests from the government, relayed through ministers, under the 1984 Telecommunications Act,

[snip]

Vodafone said it complied with the laws of all the countries in which its cables operate. “Media reports on these matters have demonstrated a misunderstanding of the basic facts of European, German and UK legislation and of the legal obligations set out within every telecommunications operator’s licence … Vodafone complies with the law in all of our countries of operation,” said a spokesman.

That would seem to suggest Verizon’s legal presence in the UK made it subject to orders to participate in Tempora. This requirement, which started as early as 2008, involves the massive collection of both phone and Internet metadata which gets stored for 30 days. The kind of metadata that last week’s propaganda campaign claimed NSA didn’t get access to.

Given Verizon’s role in Tempora, I suspect it is one of the corporate partners which accesses data (including, but no way limited to, cell location data) from the telephone links between networks under the FASCIA program.

A sigad known as STORMBREW, for example, relies on two unnamed corporate partners described only as ARTIFICE and WOLFPOINT. According to an NSA site inventory, the companies administer the NSA’s “physical systems,” or interception equipment, and “NSA asks nicely for tasking/updates.”

STORMBREW collects data from 27 telephone links known as OPC/DPC pairs, which refer to originating and destination points and which typically transfer traffic from one provider’s internal network to another’s. That data include cell tower identifiers, which can be used to locate a phone’s location.

The agency’s access to carriers’ networks appears to be vast.

“Many shared databases, such as those used for roaming, are available in their complete form to any carrier who requires access to any part of it,” said Matt Blaze, an associate professor of computer and information science at the University of Pennsylvania. “This ‘flat’ trust model means that a surprisingly large number of entities have access to data about customers that they never actually do business with, and an intelligence agency — hostile or friendly — can get ‘one-stop shopping’ to an expansive range of subscriber data just by compromising a few carriers.”

And as Blaze describes (Mindrayge describes some of why this is so in this comment), accessing data at these points would give Verizon access to everyone’s cell data, not just its own.

I believe that collection — because it was obligated by the UK, not the US, and because it took place offshore — would count as EO 12333 data, not Section 215 data. This is why I believe NSA does get comprehensive coverage of all cell data, just not under Section 215. NSA gets all the data it wants, just via GCHQ’s greater ability to obligate production than NSA’s. And it gets cell location data if it wants it too!

Or it did, so long as the joint corporate structure of Vodaphone and Verizon created the obligation behind that production.

Now, obviously, the hardware linking Verizon and Vodaphone won’t disappear in 12 days time. Verizon will still presumably operate the hardware where this massive data collection takes place. But if I’m understanding the legal leverage of the UK’s licensing law correctly, the UK and US’ collective ability to obligate production will change. As one possibility (there are others I’ll explain in a later post), NSA may have to rely on Section 215 to obligate production, rather than the UK’s more expansive law.

Which, I suspect, is the real logic behind last week’s propaganda campaign on cell data. For the first time, NSA may have to rely on Section 215 rather than UK licensing laws to access Verizon’s (and probably some other providers’) cell phone metadata. And that’s happening at a time when Verizon is the dominant cell provider in the US. But even as it will need to rely on Section 215, the FISC has narrowed the scope of its interpretation of the law, to specifically exclude the cell location data that has been included in this collection for years.

In other words, I believe the confluence of two events — the change in Verizon’s corporate structure and FISC’s effort to prohibit the application of Section 215 to location data — may have created significant new difficulties in maintaining what (I strongly believe) has always been comprehensive dragnet collection.

Update: On March 4, Verizon’s General Counsel said the Vodaphone/Verizon split will have no effect on their legal obligation.