Six Data Points about the CIA Dragnet
Last week, Ron Wyden and Martin Heinrich released a declassified letter they wrote last April, describing a CIA bulk program that had not been fully briefed to the Intelligence Committees, which violated the spirit and understanding of efforts to shut down bulk collection.
This history demonstrates Congress’s clear intent, expressed over many years and through multiple pieces of legislation, to limit, and in some cases, prohibit the warrantless collection of Americans’ records, as well as the public’s intense interest in and support for these legislative efforts. And yet, throughout this period, the CIA has secretly conducted it own bulk program [redacted]. It has done so entirely outside the statutory framework that Congress and the public believe govern this collection, and without any of the judicial, congressional or even executive branch oversight that comes with FISA collection.
I’ve been hesitating writing about it. That’s true, because it’s not the least little surprise to me. I’ve written a series of pieces describing how the self-congratulatory pieces claiming legislation passed in the wake of Snowden’s leaks won’t do what they say. I pointed out some of what PCLOB was likely to find when they started this review.
Then there’s bullet 4, which suggests CIA and/or NSA are collecting “within the United States or from U.S. companies.”
With regards collection “within the US,” Mayer’s post is helpful here too, pointing to loopholes for wireless and satellite communication.
The law that results is quite counterintuitive. If a communication is carried by radio waves, and it’s one-end foreign, it falls under Executive Order 12333. If that same communication were carried by a wire, though, it would fall under FISA. (Specifically, the Section 702 upstream program.)
As for how this Executive Order 12333 authority might be used beyond satellite surveillance, I could only speculate. Perhaps intercepting cellphone calls to or from foreign embassies?12 Or along the national borders? At any rate, the FISA-free domestic wireless authority appears to be even broader than the Transit Authority.
As far as collection outside the US, this may simply be a reference to providers voluntarily providing data under 18 U.S.C. § 2511(2)(f), as we know at least some of the telecoms do.
I pointed out that a consideration of the risks of surveillance under EO 12333 to US persons had to consider CIA’s use of it (then got yelled at because I pointed out enormous blindspots in “expert” reports). I noted that when cautioning about the dragnet Donald Trump would wield, you had to consider EO 12333.
I mean, there’s been a whole lot of self-congratulation since Snowden. And it has all been just that, something to brag to donors about. Because EO 12333 was always out there, and it was always possible to do virtually all of what Snowden exposed in the Section 215 program via EO 12333.
Add that to the list of unpopular things I have said over the years that leads “experts” to prefer to ignore me.
So I assume this will be ignored like all those other warnings of precisely this moment.
Here’s where I would propose to go find the CIA dragnet.
CIA always wanted to restore its Stellar Wind component
First, remember there was a CIA component to Stellar Wind, the first dragnet set up for counterterrorism (which this program is). CIA had to do its own IG Report on Stellar Wind.
Remember that one of Bill Binney’s gripes about how NSA repurposed his surveillance was that they eliminated the encryption hiding US person identifiers, effectively making it easy to spy on US persons.
Now consider that on July 20, 2004, the CIA took the lead on pushing for the adoption of “supplemental procedures” allowing the analysis of US person metadata under EO 12333. July 20, 2004 was days after Jack Goldsmith, who had shut down parts of Stellar Wind, resigned, and the agencies immediately moved to start turning all the programs he had shut down (including both surveillance and torture) back on.
It took years to restore that access to US person data (I have a theory that Alberto Gonzales was fired because he refused to reauthorize it). But starting in 2007, expanding in 2009 (at a time when the Section 215 program was under threat), and then fully implementing in 2011 (after NSA had to shut down the PRTT program knowing full well it violated John Bates upstream order), SPCMA was rolled out.This meant that, so long as data was collected via whatever means overseas, US person metadata could be included in the analysis.
The government has been preserving its ability to use 18 U.S.C. § 2511(2)(f)
Over a series of IG Reports written by Glenn Fine, I honed in a memo that David Barron (the OLC head who, under Obama, played a similar role as John Yoo did for George Bush) wrote seemingly authorizing using 18 U.S.C. § 2511(2)(f) to get “international” data from telecoms provided voluntarily. In 2013, David Kris confirmed that that had been happening.
In March 2021 — so before he wrote the letter just declassified but after he was briefed by PCLOB on the report on the CIA dragnet — the Congressional Research Service wrote a report on 18 U.S.C. § 2511(2)(f) for Senator Wyden. It describes how it works as an exception to FISA and other criminal laws.
Accordingly, Section 2511(2)(f) identifies two broad categories of government activities that are exempt from Title III, the SCA, the Pen Register statute, and section 705 of the Communications Act of 1934:27 (1) the “acquisition by the United States Government of foreign intelligence information from international or foreign communications”; and (2) “foreign intelligence activities conducted in accordance with otherwise applicable Federal law involving a foreign electronic communications system.” These two categories are further qualified so that the exception only applies if: (3) the acquisition or the foreign intelligence activity is not “electronic surveillance” as defined under FISA; and (4) an “exclusivity” clause states that ECPA, the SCA, and FISA shall be the exclusive means by which electronic surveillance and the interception of domestic wire, oral, and electronic communications may be conducted. Each of these clauses is discussed in more detail below.
It describes that some things don’t count as an “acquisition” under FISA, such as something obtained from a telephone instrument being used in the ordinary course of business.
Therefore, some intelligence activities that qualify as “acquisitions” for purposes of Section 2511(2)(f) may not qualify as “electronic surveillance” under FISA because the acquisition is not accomplished through an electronic, mechanical, or other surveillance device. Although FISA does not define this phrase, ECPA provides a definition of “electronic, mechanical, or other device” to mean “any device or apparatus which can be used to intercept a wire, oral, or electronic communication.”46 However, this definition expressly excludes “any telephone or telegraph instrument, equipment or facility, or any component thereof” that is “being used by a provider of wire or electronic communication service in the ordinary course of its business.”47
This is the kind of language that was used to treat bulk metadata as a mere business record under Section 215 after the government stopped relying exclusively on voluntary production. The bulk telephony data of all Americans was just a business record.
The report written for Ron Wyden during the same period he was writing the now unclassified letter also notes that “exclusivity” only applies to “domestic” communications, not stuff acquired overseas.
The exclusivity clause is first directed at interception of domestic communications, which would not appear to be affected by the previous disclaimers regarding acquisition of foreign and international communications or foreign intelligence activities directed at foreign electronic communications systems.
In other words, if telephone companies want to voluntarily give the records they otherwise keep to the IC for the purpose of foreign intelligence, it fits in this loophole. And given the realities of telecommunication, a huge percentage of “domestic” communications can be obtained overseas.
In 2013, NYT reported that AT&T was providing CIA call records
In 2013, as a bunch of different dragnets were being disclosed while everyone was looking exclusively at Section 215 and right after Kris had confirmed this application of 18 U.S.C. § 2511(2)(f), Charlie Savage described that the CIA had its own dragnet based on telephone records purchased from AT&T.
The C.I.A. is paying AT&T more than $10 million a year to assist with overseas counterterrorism investigations by exploiting the company’s vast database of phone records, which includes Americans’ international calls, according to government officials.
The cooperation is conducted under a voluntary contract, not under subpoenas or court orders compelling the company to participate, according to the officials. The C.I.A. supplies phone numbers of overseas terrorism suspects, and AT&T searches its database and provides records of calls that may help identify foreign associates, the officials said. The company has a huge archive of data on phone calls, both foreign and domestic, that were handled by its network equipment, not just those of its own customers.
Legally, this dragnet would fit solidly in the 18 U.S.C. § 2511(2)(f) loophole.
Obama’s codification of EO 12333 in his final days
Insanely, Obama finished the process of reconstituting the Stellar Wind program in his final days. He did so, I’ve been told, in an effort to put guidelines in place (for example, Loretta Lynch adopted rules that you couldn’t use EO 12333 data for political purposes, as if that would restrain Donald Trump). But I emphasized then precisely what Wyden and Heinrich are emphasizing now. There’s no oversight.
Which brings us to whether the EO sharing procedures, as released, might bind Trump anymore than EO 12333 bound Bush in 2001.
In general, the sharing procedures are not even as stringent as other surveillance documents from the Obama Administration. The utter lack of any reasonable oversight is best embodied, in my opinion, by the oversight built into the procedures. A key cog in that oversight is the Department of National Intelligence’s Privacy and Civil Liberties Officer — long inhabited by a guy, Alex Joel, who had no problem with Stellar Wind. That role will lead reviews of the implementation of this data sharing. In addition to DNI’s PCLO, NSA’s PCLO will have a review role, along with the General Counsels of the agencies in question, and in some limited areas (such as Attorney Client communications), so will DOJ’s National Security Division head.
What the oversight of these new sharing procedures does not include is any statutorily independent position, someone independently confirmed by the Senate who can decide what to investigate on her own. Notably, there is not a single reference to Inspectors General in these procedures, even where other surveillance programs rely heavily on IGs for oversight.
There is abundant reason to believe that the PATRIOT Act phone and Internet dragnets violated the restrictions imposed by the FISA Court for years in part because NSA’s IG’s suggestions were ignored, and it wasn’t until, in 2009, the FISC mandated NSA’s IG review the Internet dragnet that NSA’s GC “discovered” that every single record ingested under the program violated FISC’s rules after having not discovered that fact in 25 previous spot checks. In the past, then, internal oversight of surveillance has primarily come when IGs had the independence to actually review the programs.
Of course, there won’t be any FISC review here, so it’s not even clear whether explicit IG oversight of the sharing would be enough, but it would be far more than what the procedures require.
I’d add that the Privacy and Civil Liberties Oversight Board, which provided key insight into the Section 215 and 702 programs, also has no role — except that PCLOB is for all intents and purposes defunct at this point, and there’s no reason to believe it’ll become operational under Trump.
I guess I was wrong about PCLOB. It did get reconstituted, and seven years after the EO 12333 review started we’re getting dribbles about what it found!
And in fact if this whole discussion didn’t make me crabby, I’d point out details from the PCLOB report that suggest things aren’t as bad as I thought they’d get in 2017, when this dragnet was handed over to Donald Trump.
So I’m not entirely a pessimist!
PCLOB only has authority over counterterrorism programs
The only problem with being proven wrong about PCLOB, however, is even though there were efforts to expand its mandate during the Trump years, those efforts failed.
It can only look at counterterrorism programs.
So there could be a parallel program used for counterintelligence (indeed, the sharing rules make it quite clear there’s a CI purpose for it), and we’d never get oversight over it. So Wyden and Heinrich should be pushing to get a full briefing on the CI version of this, because it’s there, I would bet you a lot of money.
Anyway, if you want to find the CIA dragnet, you can look at my warnings over the last 9 years (or Charlie Savage’s report on it from 2013). Or you can look at the loophole that 18 U.S.C. § 2511(2)(f) creates, Ron Wyden was exploring closely when he was writing this letter. Another place you might look is AT&T’s earnings statements.
Just going to point out that would include SS7 equipment. Based on the design of the SS7 protocol, a telco could make a lot of money entering into a contract with a government agency that would allow that agency to totally hijack anybody’s phone calls. And by totally hijack, I mean route every call, text, or data packet from any phone through a recording device, or alter the call, text, or data in-flight, or send to a completely different destination, etc.
I know that sounds nuts. It’s literally built into the design of SS7. And SS7 is now used to route almost every communication on the global telecom network.
To clarify. You’re saying not just that AT&T’s source **is** SS7, but also that this may involve more than metadata?
Or could?
If they’re really talking historical data, then it’s just metadata (CDRs) generated from SS7. However, the way I read what’s allowed, it could work, in real time, the way “SS7 hacks” work. SS7 is a separate control channel that’s designed to support “spoofing”. If actively grab control when a specific device connects to the network, you can spoof the system so that the caller’s phone thinks that the call is going to a different network that has roaming agreement. At that point, you can then control the voice/data channel, get local data, etc.
This is not making any sense to me. User devices don’t “speak” SS7; they “speak” basically the ISDN protocol designed back in the 1980s. The exchanges “speak” to each other in SS7. That’s assuming they’ve all upgraded to this international standard from CCIS6 designed back in the 1980s.
I can’t imagine any entity grabbing control of a node on the SS7 network.
The CDRs are generated by the originating (calling) exchange and shipped off to the billing computer and that’s not SS7 either; it’s some administrative protocol we first designed back in the 1960s.
The only thing I can think of for spoofing is the user interface for PABXs (private branch exchanges, that is, private switches where you have an office with lots of phones and you can dial into a specific extension) and for which I can’t access any documentation; I imagine there is a way to put in phony information that the exchange doesn’t check for sanity.
Yes, the exchanges use the SS7 protocol to communicate. There’s no authentication in that protocol. If you can get onto the network and have a good idea of which exchanges the device is likely to connect to, you can send commands that will re-route all communications from a particular phone number through your network. Hackers have demonstrated repeatedly over the years that this is possible.
After a career in telecom, including a few years in AT&T’s Bell Laboratories, I hope I can help with some of the technical stuff. Politicians and I suspect legislators are confusing stuff and not using precise terminology.
First, “intercept” to us telecom folks means “capture the conversation (record the voices)” and this has to be set up in advance and done in real time. Every electronic switching system (exchange) is required to have this feature; it’s done using a 3-way conference circuit with the third line being the police. Cell phones or land lines, it works the same. The other way to intercept conversations is to have access to the contents of an entire trunk group and record everything on it, which is what I understood the NSA was doing on some sub cables our of AT&T’s NY gateway (scuttlebutt from the ’70s). Another way to capture conversations is to pick up the downlink of a satellite trunk group, or even the uplink if you can get close enough. You can also capture conversations with the more sophisticated Stingrays, which are a “man in the middle” operation for cell phones: it pretends it is a cell tower. And of course you can capture a radio link carrying trunks. Except that the call setup information is not carried on the same radio link so you’re capturing conversations without knowing who called whom (that’s Signaling System No. 7 that Ockham mentioned).
“Call records” or more precisely “Call Detail Records” are for charging: think of the operator back in the old days writing a “ticket,”
with time the call started and the time it hung up, and who called whom. This is what I think is being called “metadata.” These do NOT capture (intercept) the conversation, only the fact that a conversation happened. In most cases, it’s the calling party getting charged, so if you’re looking for who called a certain terrorist, you’d have to search a zilliion CDRs across several phone companies looking for the terrorist in the “called party” part of the CDR. With cell phones in the US, I believe there are two CDRs because both parties get charged. These records MUST be kept by the phone company so you can contest your bill, typically a couple of months or whatever the Public Utilities Commission requires. In the US, there used to be “local calling areas” where no CDR was made at all because the call was free. Generally not true in other countries. CDRs are part of “ordinary course of doing business” for the phone company but are not a “telephone instrument” (and never have been).
The “pen register” terminology is hilarious: it goes back to telegraph technology, in which a pen jiggles up and down as you dial (that’s dial pulse, folks, if you’re under 40 you’ve probably never seen a dial pulse phone). It would capture the dialed number if you have it hooked to a line but no conversations and no calling line ID on terminating calls.
Please feel free to ask me questions; I’ll do my best to answer.
As I understand it they’re not billing statements. They’re network access records that AT&T and others could hypothetically use for billing statements. So it gets both sides.
“network access records” doesn’t mean anything to me. Call records are used to compile the bill; the CDRs are generated by the originating exchange and then shipped off to another computer that figures out the actual bill. For example, I have 200 free minutes on my cell phone. The network generates CDRs because it doesn’t know or care what my subscription is. Then the billing computer figures out whether I’ve exceeded my limit. If you send me some actual TelCo jargon I’ll try to figure out what it means.
There’s a whole separate network for what is called OA&M: operations, administration, and maintenance. Charging and billing are part of it. Traffic and maintenance data collection is another part. TelCo technicians can access exchanges from a terminal in the same building or from another building to give the exchanges commands to do stuff. That’s not SS7 which is the signaling protocol for making and taking down calls. One OA&M task is to set up intercept on a line.
Thanks for all the info. I worked for a telecom equipment manufacturer for 15 years, but in the scope of node management software. Think of a graphical interface that, under the covers, uses TL1 to discover or configure network nodes.
Anyway, I googled “network access record” and found no precise hits within the first couple of pages. Best I can tell it’s probably internet jargon, but still don’t know if pertains to data connections, voice over IP, or all of it.
DHS report on mobile device security at https://www.dhs.gov/sites/default/files/publications/DHS%20Study%20on%20Mobile%20Device%20Security%20-%20April%202017-FINAL.pdf see p53, cites this brochure from Positive Technologies https://www.ptsecurity.com/upload/ptcom/PT-SS7-AD-Data-Sheet-eng.pdf which states ” Overall roaming connectivity adds to the pressure on mobile carriers to ensure network security and continuity of service. This lack of security enables hackers to send, intercept, and alter SS7 messages attacking cellular networks and subscribers.”
Keyword, intercept. As a technicality, the DHS report indicates that sometimes the control plane is SS7 sometimes it’s Diameter, but both share similar vulnerabilities.
One report of such an interception is here
https://www.securityweek.com/hackers-exploit-ss7-flaws-loot-bank-accounts
“Attackers first obtained bank account information from the victims, which can be done either via phishing or malware, and then launched an SS7 attack to obtain the mobile transaction authentication number (mTAN) sent by the bank via SMS…Jean Gottschalk, SS7 mobile network security consultant at Las Vegas-based Telecom Defense, has confirmed for SecurityWeek that access to the SS7 network can be obtained for roughly €1,000 per month, but the expert pointed out that this is not enough to conduct attacks. Attackers also need an identity on the network, known as a global title (GT), which can be obtained from legitimate mobile operators. Normally, these identities are not handed out to anyone, but attackers could obtain them by bribing individuals working for mobile operators in less developed countries. The only condition is that the company needs to have a roaming agreement with the country whose citizens are targeted by the cybercriminals.”
To emphasize, hackers reportedly intercepted the mTAN payload, not simply the SMS metadata.
Another trail of breadcrumbs involves Ability’s ULIN
https://www.interceptors.com/cellular-interception/ .
In 2016 a Forbes staff reporter asserted “Ability’s service – it is the sole licensee from an unknown third party – exploits a weakness resident in SS7, the Signalling System No. 7”
https://www.forbes.com/sites/thomasbrewster/2016/05/31/ability-unlimited-spy-system-ulin-ss7/?sh=e164fbf63fa5
At one point during 2017 in a longer story I will hold off on for now, Sen Wyden and MoC Lieu mailed Gen Kelly then Secy of Homeland Security stating “Although there have been a few news stories about this topic, we suspect that most Americans simply have no idea how easy it is for a relatively sophisticated adversary to track their movements, tap their calls, and hack their smartphones. We are concerned that the government has not adequately considerred the counterintelligence threat posed by SS7 surveillance”. The lawmakers cite “published media reports” as their source.
Anyway these are just data points. Though I have quite a few more along these lines, I can’t say what is and isn’t truly possible. I myself tend to err on the side of believing that if you have access to the SS7 control plane, including a Global Title (analogous to an IP address but this isn’t IP), interception is one of the many things you can do.
Um, not AT&T’s earnings statements.
Back in the 70s it turned out the Russians were [allegedly] reading telecoms’ SEC filings, earnings reports, yadda yadda in fine detail. From which they were supposedly able to deduce how much and where the USG was spending on wiretapping them and getting their info, stuff in later days called metadata, call information, whatever.
So, about the time FISA was enacted, there was an exemption written into the securities laws (whence came the requirement for the SEC filings), written in for the telecoms. They do not have to (are probably prohibited from) reporting their income from government expenditures for these wiretapping and related activities.
Thus, three things are true: 1. All telecoms’ SEC reports are dishonest, incomplete, and untrue – there’s money running around their coffers they don’t have to tell the accountants, investors or anyone else about – investors beware, 2. looking at earnings statements to find surveillance activity is a waste of time, and 3. this exemption from the securities laws is a two-way deal. When the government wants info, they’re going to get it. The telecoms will have to provide it. Resistance or even reluctance is a bad idea. Ask Joe Nacchio.
Also, what about Facebook selling their info to the government just like AT&T does?
“Also, what about Facebook selling their info to the government just like AT&T does?”
Or the inheritors of Cambridge Analytica and other such firms.
Been answering my phone for years now with a warning that NSA says they are no longer listening but Rupert Murdoch and others probably are.
Wafts of DARPA “Total Information Awareness”…
https://bgladd.com/Total_Information_Awareness
“A conservative is someone who believes in reform. But not now.”
What we really need is more whistleblowers and the Reformation Act of 2022.
“Since its inception in 2010, the SEC whistleblower program has won $5 billion in monetary sanctions, with $1.1 billion awarded to 214 individuals who blew the whistle. In fiscal year 2019, the Justice Department scored $3 billion in judgments and settlements under the False Claims Act; $2.1 billion of that came through cases originating with whistleblowers, who collectively received rewards of $265 million. And yet it is also highly likely that lots of fraud is going undetected. “Despite what we hear, the government does have limited resources. They don’t have the ability to go after fraud at the level that we’d want them to,” says White. “Trillions of dollars have flown out of Congress in the last eighteen months, and not a single dollar was added to the Department of Justice to actually monitor for fraud.” Jeri Zeder, BC Law Magazine