USA F-ReDux: Chaining on “Session Identifying Information” that Is Not Call Detail Records
The House Judiciary Committee just released the latest incarnation of USA Freedom Act, which for now I’m calling USA F-ReDux.
One thing they’ve changed from the Patrick Leahy version is to reword what, under Leahy’s bill, provided for two hops of “connection chaining,” without defining what “connection chaining” meant.
Now, they provide a first hop that produces call detail records…
(iii) provide that the Government may require the prompt production of a first set of call detail records using the specific selection term that satisfies the standard required under subsection (b)(2)(C)(ii);
Later on in the bill, they define call detail record, which is what it was under the Leahy bill.
‘(3) CALL DETAIL RECORD.—The term ‘call detail record’—
(A) means session-identifying information (including an originating or terminating telephone number, an International Mobile Subscriber Identity number, or an International Mobile Station Equipment Identity number), a telephone calling card number, or the time or duration of a call; and
(B) does not include—
(i) the contents (as defined in section 2510(8) of title 18, United States Code) of any communication;
(ii) the name, address, or financial information of a subscriber or customer; or
(iii) cell site location or global positioning system information.
In other words, that first hop cannot include one definition of content or, most importantly, cell site location.
But the second one can.
The second hop is based off session-identifying information that is not limited by that CDR definition.
(iv) provide that the Government may require the prompt production of a second set of call detail records using session-identifying information or a telephone calling card number identified by the specific selection term used to produce call detail records under clause (iii)
They might as well have said, you can get call detail records, which we’ll define as a limited kind of session-identifying information, and then you can get call detail records (which have to be no more than a SIM card ID) using session-identifying information that doesn’t qualify under our CDR definition.
And that second session-identifying information could easily include cell location, cookies and permacookies, or a slew of other things that count as session-identifying information when you’re talking smart phones.
In other words, this seems to confirm the concerns I have had from day one that by going to the providers, they intend to do chaining off of information that doesn’t qualify under the narrow definition of session-identifying information.
Update: Here’s one more piece of evidence this is about getting smart phone data. USA F-ReDux introduces a new definition of “specific selection term” just for the CDR function. And it specifically permits the chaining on “accounts.”
(B) CALL DETAIL RECORD APPLICATIONS.—For purposes of an application submitted under subsection (b)(2)(C), the term ‘specific selection term’ means a term that specifically identifies an individual, account, or personal device.
Now, it’s possible that they just mean to chain on Friends and Family accounts, as AT&T will gladly do with just an NSL.
Except you get into accounts when you’re dealing with calls and messaging tied to a computer account and not any device. So they could chain on my “emptywheel” account to get Skype calls.
That’s fine, to an extent. They need such accounts to have anything close to full coverage, given how much messaging traffic takes place online. But that also says you’re already broaching any distinction between “calls” and Internet.
“Except you get into accounts when you’re dealing with calls ad messaging tied to a computer account and not any device. So they could chain on my “emptywheel” account to get Skype calls.”
.
Can you please do more “plain English” descriptions and examples, like that, of what all this means? “Session identifying information” is not in my dictionary, for example.
.
Could be something like this: “Now, they can do this – start with phone numbers, Internet, ____, take a phone number, connect it with your IP address, or Skype login, or date of birth, etc. and they can then run with it to do ____. Bad, but not horrible. With the proposed expanded authority, they will ALSO be able to do this _____. which as you can see is even more intrusive.”
.
Thanks!
I’ve been wondering, did you use the famous “buck for a fucked up duck” joke as the inspiration for your “USA F-ReDux” moniker?
Without knowing the details, narrow hop first, broad hop second, seems backwards to me.
The net theoretically expands to the same size, either way. But it seems to me they are being less careful in how they spread it.
quote”That’s fine, to an extent. They need such accounts to have anything close to full coverage, given how much messaging traffic takes place online. But that also says you’re already broaching any distinction between “calls” and Internet.”unquote
Fine? Not in my universe. And what do you mean “They need such accounts to have anything close to full coverage..”? Sounds like you’re advocating for the enemy of privacy.
At least I didn’t have to dig out my 10k item index of emptywheel’s acronyms. Like I did a few posts back. Crap..every other word was an acronym. Although, I’ll have to add CDR, Session identifying information(SII) and USA F-ReDux. Jeezus.. pretty soon I’ll need and index for the index.