![[Photo: National Security Agency, Ft. Meade, MD via Wikimedia]](https://www.emptywheel.net/wp-content/uploads/2017/08/NationalSecurityAgency_HQ-FortMeadeMD_Wikimedia-1030x687.jpg)
Lawfare “Breaks” News: NSA Hasn’t Restarted the Section 215 CDR Function
Last week, Lawfare’s podcast had on Luke Murry, National Security Advisor to Republican House Minority Leader Kevin McCarthy, and Daniel Silverberg, National Security Advisor to Democratic House Majority Leader Steny Hoyer.
At 5:10, in response to a question from Margaret Taylor about what kind of oversight Congress will exercise in this Congress, one of them says,
I think my mind goes to the must-pass things. Let’s use that as lowest common denominator. One which may be must-pass, may actually not be must-pass, is Section 215 of USA Freedom Act, where you have this bulk collection of, basically metadata on telephone conversations — not the actual content of the conversations but we’re talking about length of call, time of call, who’s calling — and that expires at the end of this year. But the Administration actually hasn’t been using it for the past six months because of problems with the way in which that information was collected, and possibly collecting on US citizens, in the way it was transferred from private companies to the Administration after they got FISA court approval. So, if the Administration does ask on that, that’s inherently a very sensitive subject. And we’ve seen that sensitivity be true in other areas of USA Freedom Act so I think that’s going to be a real challenge for Congress. But I’m not actually certain that the Administration will want to start that back up given where they’ve been in the last six months.
The staffer seems a bit confused by what he’s talking about.
By description — the description of this being metadata turned over by providers — this must be the Call Detail Record of USA Freedom Act, not all of Section 215. It appears to be public confirmation that the government never resumed the CDR program after it announced that it had destroyed all its records last June (though that works out to be 8 months, not just 6).
That, in turn, suggests that the problem with the records may not be the volume or the content turned over, but some problem created either by the specific language of the law or (more likely) the House Report on it or by the Carpenter decision. Carpenter came out on June 22, so technically after the NSA claims to have started deleting records on May 23. It also may be that the the NSA realized something was non-compliant with its collection just as it was submitting the 6th set of 180-day applications, and didn’t want to admit to the FISC that it had been breaking the law (which is precisely what happened in 2011 when the government deleted all its PRTT records).
Just as an example, I long worried that the government would ask providers to use location data to match phones. Under the law, so long as the government just got the phone number of a new phone that had been geolocated, it might qualify as a CDR under the law, but would absolutely be a violation of the intent of the law. Such an application — which is something that AT&T has long offered law enforcement — might explain what we’ve seen since.
One other thing, though: The NSA almost never gives up a function they like. Instead, they make sure they don’t have any adverse court rulings telling them they’ve broken the law, and move the function some place else. Given that the government withdrew several applications last year after FISC threatened to appoint an amicus, and given that the government now has broadened 12333 sharing, they may have just moved something legally problematic somewhere else.
In any case, there’s no follow-up on the podcast, which might at least clarify the obvious parts of this revelation, to say nothing of asking for the underlying detail. So it will take some work to figure out what really happened.
You don’t think there is any chance that the collection stopped due to a request by the White House? That some people didn’t like the idea of having this metadata in storage where it might be accessed at a later time in response to a court order?
Another possibility is that the White House is understaffed and has lost a lot of institutional knowledge about what is required to keep the security state running smoothly. Thus, they may be unaware of deadlines that they need to fulfill by law to keep some of the less well-known programs.
@emptywheel Would you mind elaborating on the significance of your remark concerning the “broadening of 123333 sharing” (I think you were probably referring to Executive Order *12333*: https://www .cia .gov/about-cia/ eo12333.html)
[FYI, shared link ‘broken’ with inserted blank spaces to prevent accidental click through by community members. The resource may be governmental but they do not need to cull information from the site’s visitors. /~Rayne]
Anyone seeking Marcy’s perspective to this point on Executive Order 12333 can use the site’s search feature: https://www.emptywheel.net/?s=12333
Excuse me guys, I was in the telecom business for years, including AT&T, and I know what networks can do — especially the new GSM networks. So I am mystified by the terminology in this paragraph:
Just as an example, I long worried that the government would ask providers to use location data to match phones. Under the law, so long as the government just got the phone number of a new phone that had been geolocated, it might qualify as a CDR under the law, but would absolutely be a violation of the intent of the law. Such an application — which is something that AT&T has long offered law enforcement — might explain what we’ve seen since.
I delved into the PRTT reference and was highly amused: PR (pen register) goes back to the beginning of dial pulse dialing and step-by-step switching, late 1890s. T&T (Trap and trace) goes back to Calling Line ID feature, 1980s.
Frankly, this issue goes back to Olmstead in 1928 and Katz in 1967. And rolls all the way into Jones in 2012 and Riley in 2014.
Also, given your background, maybe you can comment on this long ago post: https://www.emptywheel.net/2008/02/18/dont-cry-for-the-telcos-bush-cheney-are-the-only-ones-that-are-dying-for-immunity/
Concur with Marcy’s opinion about how sharp Telco legal departments are. My expertise is technical.
What I’m getting from the discussion is that instead of asking for information on specific telephone numbers, the NSA was asking the Telcos for their entire charging data base. I’ve also heard that they would grab the entire contents of international circuits at the gateways (including conversations) and listen (using supercomputers) to the conversations to filter out interesting ones. This is how they would know that, for example, Cohen’s cell phone was in or near Prague on a certain date. There is also a thing called a Tower dump, where law enforcement can ask for the identities of every cell phone present in a group of cells at any given moment. Call intercept is of course routine and a required feature of switching equipment anywhere in the world.
What baffled me in the preceding paragraph was “using location data to match phones.” Don’t get it.
It may say Marcy, because a lot of posts got scrambled as to author when we transferred them from FDL to our standalone site here, but I wrote that.
Hi all,
I’m a little bit (well, yeah, a yhuhuge bit ) nervous speaking up on this incredible forum. So here is my train of thought, from a grassroots, humble opinion…
When I, a Canadian, saw my nephew’s comment on Facebook, and I quote “Fuck, yeah,eh…I am all for”Arms for All”, I was flabbergasted, and maybe gaslighted…but I have awoken. I have never experienced this in Canada. Ever.
I did some research and went down a bunch of rabbit holes. What I discovered chilled me to the core. I will be truthful; I vacillated between posting and not posting for a day and a half, but I truly believe, the truth must be told.
I happened upon a link to “Big Tech Stole Our Data While Democracy Slept: Shoshana Zuboff on the Age of Surveillance Capitalism”
Hmmmmm, Survellence Capitalism. I then read part two….
https://www.democracynow.org/2019/3/1/age_of_surveillance_capitalism_we_thought
Both links are from Democracy Now..
I shared this info with my husband. He came out As whitefaced as Schumer and Feinstein….and we talked “What if…” all weekend.
Then went deeper, which led me to Cambridge Analytical, AI1, Christopher Wylie, a genius from Victoria, British Columbia, Canada. Check out this report from 2018 in the AVictoria Times Coloninist….
https://www.timescolonist.com/news/local/how-a-victoria-kid-ended-up-at-heart-of-facebook-data-mining-story-1.23206550
Ties to some really scary stuff. Companies buying data collected from many sites/apps/phones /smart t.v.s, etc. etc and actually using AI to predict future behaviour, and target folks via ads, bots, and ??? To change their behaviours, thus controlling the thinking of mankind! Maybe this explains the Trump following, are they just a continuation of a Human social experiment behind a facade of the new term, “Survelience Capitalism “.
Chilling indeed.
Well, yeah. That’s how modern social media works.
Think of it as advertising, but the users are the product and the advertisers are the buyers.
It’s the perfect one-sentence answer that describes our times.
I note that Ghana started taxing social media users a nickel a day, and everybody said the hell with it.
Facebook made no secret that their purpose was collecting users and their data to sell to advertisers. That was long before 2016.
Understood. But there was no commitment that the depth of the data would be used to warp the behaviours of human beings. This is huge.
@PJ’s right. FB didn’t need to keep it secret.
I recall assorted bemusements concerning Facebook’s business model back at the time of the IPO. FB claimed in 2012 its business is “advertising.” Some contemporary observations published in Business Insider on occasion of the 2012 IPO realized something nontraditional may be looming:
[quote] The key question when trying to value Facebook’s stock is: can they find another business model that generates significantly more revenue per user without hurting the user experience? (And can they do that in an increasingly mobile world where display ads have been even less effective.) Perhaps that business model is sponsored feed entries, as Facebook seems to be hoping (along with Twitter and perhaps Tumblr). The jury is still out on that model. Personally, I have trouble seeing how insertions into the feeds aren’t just more prominent display ads. You still have to stoke demand and convert people from non-purchasing to purchasing intents. A more likely outcome is that Facebook uses their assets – a vast number of extremely engaged users, it’s [sic] social graph, Facebook Connect – to monetize through another business model. If they do that, the company is probably worth a lot more than the expected $100B IPO valuation. If they don’t, it’s probably worth a lot less. [end quote] (https://www.businessinsider.com/facebooks-business-model-2012-5 – Note: contains links no longer active)
The money line: “A more likely outcome is that Facebook uses their assets – a vast number of extremely engaged users […] – to monetize through another business model.”
So it was recognized by folks who were paying attention fairly early on. But in all fairness, it’s taking the world-at-large awhile to realize that advertising in the data-driven digital sense is a different animal than traditional advertising that has simply been relocated to digital space.
Also, any discussion of FB wouldn’t be complete without the context offered by Helaine Olen in WaPo from December 2018 (https://www.washingtonpost.com/opinions/2018/12/20/is-facebook-psychopath/)
[quote] CNBC has never been the sort of outlet to ask a CEO and founder if his business model was psychopathic. But it’s certainly a conclusion we can consider now. [end quote]
:-)
I have not been on FB since election day 2016. I knew that they had had an outsize influence on the course of our ‘civil discourse’ that had turned the election. This sentence from the WaPo editorial caught my attention as it so correctly captures so much of what is wrong in our country since Citizens United.
[quote] In the case of Facebook, this could mean everything from privacy legislation with muscle — something the United States happens to lack — to declaring the business a public good and legislating it like a utility of old, with demands it open up its network to outsiders. But there is a bigger picture too, one that applies more broadly: If corporations are people, they need to abide by the standards of decent, civilized behavior or face the consequences.[end quote].
Long-time lurker. Love this blog. Thanks to all for the great intellectual stimulation without trolls.
” I was doing time in the universal mind,
I was feeling fine
I was turning keys
I was setting people free
I was doing all right.”
The inimical Mr. Morrison
New Version
I was on the grid, I was doing as they did,
I was feeling fine.
I was hitting keys, pretending I was free,
I was alt right….
I am amazed how far from farming we have come.
Every last bit of surveillance capitalism presumes we will all be sitting on our fat butts looking at big and little electric boxes. Is there an element of mind control ay play? Undoubtedly.
What are the worse outcomes for me? I get more pings to my conscience to buy shit ?
No biggee . But when I see people slain in churches and schools and see the universal shrug.
Bothers me.
Are they tracking behavior (choice trends) or fomenting it?
“Think of it as advertising, but the users are the product and the advertisers are the buyers.”
Still not sure why it is worth so much. People get bored easily. Might the pendulum swing and people start divorcing from their gadgets? “Here ya’hr, I got your digits and zeros right here. ”
Facebook already knows teens are turning away. Dunno. All this makes me scared for our race(humanity)
The empty wheel turns.
I’ve been presuming that the providers, the carriers in other words, collect and store the metadata. Not because they have been asked to or told to but just because they can. Is that correct?
In any case they have it. it exists. I don’t want to discount some arm of the government getting it but the US government getting it is the tip of the iceberg. How many schmucks at Verizon have access to the data who might think of selling it? What’s to stop Verizon from selling it? Why wouldn’t state actors put spooks right inside Verizon? Why wouldn’t Facebook have their own spook inside Verizon?
Obviously crunching that data is a monumental task. In 10 years your phone along with the cloud and 5G will probably be able to do it.
Give me a few million $$$ and I’ll give you a distributed database system with cloud-based ingest APIs that can crunch the data on every phone on the planet sending pings at 1s resolution!
I would suspect and agree that “they may have just moved something legally problematic somewhere else.” I’m inclined to the likelihood of the prospect that the way that personal information is handled before the usg accesses it is similar to how illicitly acquired wealth is laundered through a series of obfuscating gatekeepers, like at&t, etc.
I remember that rumsfeld’s total information awareness was just repurposed when it was “defunded.”
also, very little appears in the media regarding the Utah data center with its exa-bit storage goal.
I too am skeptical and would like to hear from people that should know like wyden or snow or those tech savvy enough to know what the present day capabilities and limitations actually are.
the us and it’s five eyes allies have invested too much over too long a time to just call it quits when it comes to the global game of big data acquisition and ai-enhanced data mining via voice recognition.
lastly, the ferocious competition in advanced telecommunications would on its face argue that the opposite is true: the combination of geoeconomic and geopolitical advantages to accelerating the capture of user data sounds way more likely, especially with the intensifying interest in scaling up isr capabilities.
call me skeptical.
“But the Administration actually hasn’t been using it for the past six months” yet Arstechnica’s lede is “House aide: NSA has shut down phone call record surveillance, Rep. McCarthy aide says program was halted 6 months ago, and renewal is unlikely.”
“Shut down” not equals “hasn’t been using”.
https://arstechnica.com/tech-policy/2019/03/house-aide-nsa-has-shut-down-phone-call-record-surveillance/
This means that instead of grabbing ALL the charging data from ALL phones, they’re going back to the old rule of intercepting individual phones based on court orders for individual customers, either FISA or any judge anywhere. “Intercepting” means hearing the conversation.
This post caught my eye because…surely the wholesale collection of everyone in the whole country is an abuse of the law and the constitution but…
Surely the collection of information to counter spies, terrorists and organized crime is not.
We have a president who believes all “Democrats” “liberals” and journalists are enemies.
So there is a danger of this power by intel being corrupted for political and criminal purposes by the current administration.
My personal fear is that this power may be bent to the will of organized crime by this administration, creating a tool of the kind of kleptocracy so admired by the current president