Bruce Schneier
Schneier on Security
A blog covering security and security technology.
« Computer Problems at the NSA | Main | Major Vulnerability Found in Diebold Election Machines »
May 11, 2006
NSA Creating Massive Phone-Call Database
There's other NSA news today: USA Today is reporting that the NSA is collecting a massive traffic-analysis database on Americans' phone calls. This looks like yet another piece of Echelon technology turned against Americans.
The NSA's domestic program, as described by sources, is far more expansive than what the White House has acknowledged. Last year, Bush said he had authorized the NSA to eavesdrop — without warrants — on international calls and international e-mails of people suspected of having links to terrorists when one party to the communication is in the USA. Warrants have also not been used in the NSA's efforts to create a national call database.[...]
The government is collecting "external" data on domestic phone calls but is not intercepting "internals," a term for the actual content of the communication, according to a U.S. intelligence official familiar with the program. This kind of data collection from phone companies is not uncommon; it's been done before, though never on this large a scale, the official said. The data are used for "social network analysis," the official said, meaning to study how terrorist networks contact each other and how they are tied together.
Note that this database does not just contain phone calls that either originate or terminate outside the U.S. This database is mostly domestic calls: calls we all make everyday.
AT&T, Verizon, and BellSouth are all providing this information to the NSA. Only Quest has refused.
According to sources familiar with the events, Qwest's CEO at the time, Joe Nacchio, was deeply troubled by the NSA's assertion that Qwest didn't need a court order — or approval under FISA — to proceed. Adding to the tension, Qwest was unclear about who, exactly, would have access to its customers' information and how that information might be used.Financial implications were also a concern, the sources said. Carriers that illegally divulge calling information can be subjected to heavy fines. The NSA was asking Qwest to turn over millions of records. The fines, in the aggregate, could have been substantial.
The NSA told Qwest that other government agencies, including the FBI, CIA and DEA, also might have access to the database, the sources said. As a matter of practice, the NSA regularly shares its information — known as "product" in intelligence circles — with other intelligence groups. Even so, Qwest's lawyers were troubled by the expansiveness of the NSA request, the sources said.
The NSA, which needed Qwest's participation to completely cover the country, pushed back hard.
Trying to put pressure on Qwest, NSA representatives pointedly told Qwest that it was the lone holdout among the big telecommunications companies. It also tried appealing to Qwest's patriotic side: In one meeting, an NSA representative suggested that Qwest's refusal to contribute to the database could compromise national security, one person recalled.
In addition, the agency suggested that Qwest's foot-dragging might affect its ability to get future classified work with the government. Like other big telecommunications companies, Qwest already had classified contracts and hoped to get more.
Unable to get comfortable with what NSA was proposing, Qwest's lawyers asked NSA to take its proposal to the FISA court. According to the sources, the agency refused.
We should also assume that the cellphone companies received the same pressure, and probably caved.
This is important to every American, not just those with something to hide. Matthew Yglesias explains why:
It's important to link this up to the broader chain. One thing the Bush administration says it can do with this meta-data is to start tapping your calls and listening in, without getting a warrant from anyone. Having listened in on your calls, the administration asserts that if it doesn't like what it hears, it has the authority to detain you indefinitely without trial or charges, torture you until you confess or implicate others, extradite you to a Third World country to be tortured, ship you to a secret prison facility in Eastern Europe, or all of the above. If, having kidnapped and tortured you, the administration determines you were innocent after all, you'll be dumped without papers somewhere in Albania left to fend for yourself.
Judicial oversight is a security system, and unchecked military and police power is a security threat.
EDITED TO ADD (5/11): Orin Kerr on the legality of the program. Updated here.
Posted on May 11, 2006 at 10:40 AM • 79 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
Qwest should at least ask NSA to shoulder the burden of the fines they fear. That doesn't alleviate the concerns, but it give us yet another avenue to bash NSA and the current administration over the head, regardless of the answer.
another_bruce • May 11, 2006 11:08 AM
in order to assess the ease and availability of truly anonymous calling, my current cellphone was purchased for cash from wal-mart along with a one year prepaid plan. the question was, could i activate it from a computer in the local library without supplying any personal information. the answer was yes, but it wasn't easy, the girl at the eastern european call center needs to work on her english. a year later i blew my cover when i supplied them my cc number for more airtime. i wonder if it can still be done, and i anticipate that at some point the answer will be no.
Carlo Graziani • May 11, 2006 11:20 AM
> Note that this database does not just contain phone calls that either
> originate or terminate outside the U.S. This database is mostly domestic
> calls: calls we all make everyday.
I had assumed this was clear from the EFF class-action suit against AT&T --
nowhere in that matter does any restriction on provenance or destination of
the call appear, and my understanding of the AT&T's Daytona database is
that it comprises all long-distance communications, not just International
ones.
What is new here is Qwest's stand on principle. I had not realized that
this sort of ethical barrier still existed in the corporate world. Make no
mistake, this is a seriously risky position for a corporate officer to take
-- quite aside from the courage required to stare down the 9/11 patriotic
stampede, the threat of loss of government contracts is a matter of concern
with regards to the fiduciary obligation of corporate officers to safeguard
shareholder value. Pissed off hyperpatriot shareholders could conceivably
sue over this. Nacchio appears to be a civil rights hero, whatever other
trouble he may be in.
David W. • May 11, 2006 11:32 AM
The not-so-subtle shakedown by the NSA of Qwest regarding the getting of future security contracts is just business as usual for this administration.
Michael • May 11, 2006 11:33 AM
"It's important to link this up to the broader chain...."
But we wouldn't want to get freaked out by movie plot threats. Even if all of the pieces of this little "chain" are true (just as radio-controlled planes, tactical nukes, and terrorists are all real) it doesn't mean that the combination of them all is commonplace.
Don't get me wrong. I agree with the major points made here, but if we're going to denounce motivation by fear-mongering, then we need to do it on both sides.
Stine • May 11, 2006 11:38 AM
@ Carlo
If I read the article correctly, Qwest didn't bow in because they were afraid of customer lawsuits, not because they were taking the moral high ground.
Pat Cahalan • May 11, 2006 11:47 AM
re: Qwest
Financial motivations were certainly an issue, but it could very well be a simple stand on principle. It has been known to happen :)
DragonHunter • May 11, 2006 11:50 AM
Damn. This is unconstitutional, period. Should I call my congressman? E-mail? Dang, we are screwed...Does he have PGP? Does it matter?
Alun Jones • May 11, 2006 12:00 PM
Nice of Qwest to take such a principled stand. Why didn't they publish that this information was being asked of them, if they felt it was inappropriate to provide it, so that other providers' users could ask the question of their providers?
Andre LePlume • May 11, 2006 12:18 PM
Not just a lawsuit issue. Being potentially in violation of the law and at risk of millions in fines might have been something the SEC would require them to disclose. Investors might react badly to that, and failure to disclose would put the officers of the firms in personal jeopardy, incarceration-wise.
@DragonHunter: What constitution? 15 years ago, I tried to talk to my Congresscritter to ask him to oppose the Clipper Chip. Guess how far I got? A minor functionary in the front office that would not give me their fax number because they reserved it for "important issues". Things haven't improved since then, either. So yeah, we *are* screwed.
RvnPhnx • May 11, 2006 12:41 PM
If it weren't for the constitutional protections that keep us from voting out an entire government all at once over here.......damn.......
Misc • May 11, 2006 1:14 PM
The difference, Michael, is that this sort of thing actually happens in countries all over the world, every day. Typical "movie plot threats" don't.
"Movie plot threats" are called that because they sound sexy and yet are impractical. By contrast, history is littered with examples of power corrupting, and unchecked power leading to exactly what Bruce described, above. That's the whole reason we have checks and balances in our government, as well as a Bill of Rights.
And yes, in contrast to "movie plot threats", the chain of holding American citizens without trial indefinitely, and even mistreating them, has already been used.
Tim • May 11, 2006 1:18 PM
I have done quite a bit of telecom consulting in Switzerland and know for a fact, that here call records are very well protected by privacy laws. Within a few years they even have to be destroyed.
Switzerland has very strong banking secrecy laws which are diligently being upheld, so the banking industry is a kind of voluntary watchdog to ensure that call records do not get into the wrong hands.
So all you guys in America. Just send all your money to Switzerland like everyone else, that's if you want to be sure that Internal Revenue does not get a whiff of who is calling whom over which transaction.
With all due respect to my much loved Americans and their like-minded friends, we in Europe think that Americans are going well and truly crazy.
Ale • May 11, 2006 1:25 PM
@Jungsonn: 'IMHO: Welcome to the land of the "free" '
Indeed. And the most worrisome issue is that, in general, the USA tends to "export" its outlooks and inclinations to other countries in the world. I would not be surprised to learn that this same disregard for privacy starts getting foothold elsewhere... which means this is cause of concern for everybody, even if not an american citizen.
Josh • May 11, 2006 1:38 PM
There are reports that Justice department officials are being denied security clearances to stonewall the investigation into illegal NSA operations inside the US.
I just called my congressman and senators to remind them that members of Congress have absolute immunity from prosecution should they need to reveal classified information on the floors of Congress. I think the issue has to be forced.
Andre LePlume • May 11, 2006 1:41 PM
Meanwhile, the NSA refuses to provide clearances to the DoJ, so there can be no investigation:
geoff lane • May 11, 2006 1:48 PM
First glance estimates imply a minimum of 100Tb of storage is required a year but I would not be surprised if the requirement reached 10 to 100 times that amount.
No real problems buying that storage but making any kind of search through that data is going to need Google sized search farms.
The cost/benefit doesn't look good.
Anonymous • May 11, 2006 1:51 PM
You mean America is adopting European practices??? http://news.bbc.co.uk/2/hi/europe/4527840.stm
Anonymous • May 11, 2006 1:54 PM
Tim, oh really!
http://news.bbc.co.uk/2/hi/europe/4527840.stm
Explain this!
NotThatMo • May 11, 2006 2:38 PM
Americablog points out that the USA Today article quotes someone saying this is the biggest database in the world, and asks if a list of all the phone calls in the US would, in fact, be the biggest database in the world.
quincunx • May 11, 2006 2:45 PM
"I hate to say this, but... it looks like the terrorists have won"
Not a keen insight if you know history.
I knew it on 9/11 - I sat their glued to the TV feeling "shit, there goes our freedoms". I suspected mass wire-tapping, sedition acts, espionage acts, incompetency in catching the perpetrators, deficit finance, high inflation, etc. The last one will come due by 2008.
Ronald Pottol • May 11, 2006 2:46 PM
I just called T-Mobile's customer service, they have been briefed on this story, and say they did not provide info, and will only provide info with a valid warrant or subpoena.
Every other cell phone company is owned by a company that rolled over, with the possible exception of Sprint/Nextel, correct?
Yet another reason I'm glad I avoid baby bells.
Aargh! • May 11, 2006 3:04 PM
"Yet another reason I'm glad I avoid baby bells."
Huh? Qwest is a baby bell.
Durable Alloy • May 11, 2006 3:46 PM
>>Carriers that illegally divulge calling information can be subjected to heavy fines.
Does anybody know how big these fines could be?
Josh • May 11, 2006 4:16 PM
@Durable Alloy
>>Carriers that illegally divulge calling information can be subjected to heavy fines.
>Does anybody know how big these fines could be?
The trouble is that laws about data privacy have an "out" that removes legal liability when the request comes from law enforcement or the government.
For example, one of the telecommunications acts that the EFF is invoking in its lawsuit against ATT companies have no criminal liability if they receive a letter from the Attorney General requesting cooperation. (I don't know if they get shielded from civil liability too.) In this case, it is the government that is behaving illegally, and trying to punish the telecommunications company probably won't work.
I still admire the EFF for trying, because it is one of the few ways available to get the attention of the courts.
derf • May 11, 2006 4:35 PM
Your level of wariness at this should depends on your view of terrorism. If you think terrorists should be tried in a court of law after the fact (even though they are likely already dead), the NSA wiretapping and call database is a bad thing because no warrants were obtained in response to a specific crime. If you think terrorists should be hunted without mercy and killed before they can attack like "enemies of the state", then the NSA has every right to do this, as long as the information isn't shared with other federal agencies.
I'd be more worried that this would get shared with other agencies. Can you imagine the TSA's "no call" list after all the success they've had with their "no fly" list?
Anjan Bacchu • May 11, 2006 5:51 PM
hi there,
TODAY : one valid use case for such interception might be to intercept VOIP calls that might be going out of the country. Since you can make calls from a POTS telephone to a "LOCAL" VOIP telephone (located anywhere), local calls aren't really local anymore.
BR,
~A
Jac • May 11, 2006 6:03 PM
Could someone tell me how this is different from the allowances that are in CALEA?
I think this is the relevant sections.
quote------
(2) expeditiously isolating and enabling the government, pursuant to a court order or other lawful authorization, to access call-identifying information that is reasonably available to the carrier
unquote-----
Stefan Wagner • May 11, 2006 6:56 PM
@geof:
"First glance estimates imply a minimum of 100Tb of storage is required a year ..."
My estimation:
300x mio americans
365 days
---
10x billion
10 calls /day
---
100 billion
8+ bytes call start date/time
8+ bytes caller -id
8+ bytes receiver-id
8+ bytes call end date/time
8 bytes serial
--
40x bytes / row
100 billion
---
4 terrabytes per year.
The data of one year would fit on 10 consumer-harddrives.
Not very impressing.
Indexing and searching should be very easy - of course increasing the size of the database a little.
A small video-database containing the videos as content will be bigger.
Roxanne • May 11, 2006 7:11 PM
I had thought for a while that AT&T was being allowed to reconstitute itself as a monopoly in exchange for letting the government get records and listen in without a warrant, but also thought that was my normal cynical attitude. Now it turns out, maybe I wasn't cynical enough.
It's time to go find out if I can switch my phone service to Qwest, even though the phone does mostly just allow TiVO to phone home. :-)
Josh • May 11, 2006 7:34 PM
@Jac
> Could someone tell me how this is different from the allowances that are in CALEA?
Calea requires a warrant; no court has approved this surveillance, and the administration denies it has any obligation to get permission from the courts.
Congress passed a law enabling CALEA, but the administration denies that it has any obligation to brief congress about this stuff.
What's different is that the executive branch is asserting absolute power, without accountability.
Jungsonn • May 11, 2006 8:45 PM
@Ale
i live in the Netherlands, and the U.S. already tryed to obtain all data from telcos, Airline data, And Internet providers are being asked to cooporate with the demands. Most of them resist, and here we have a foundation called: "bits of freedom" which fights back and takes position for the individual and the right on privacy. And i personally think that this madness needs to stop, there should be limits on infringement in privacy.
Carlo Graziani • May 11, 2006 9:56 PM
@Jac:
Note also the main difference between this program and normal CALEA-enabled surveillance: there is no suspect. *Everybody* is being monitored, every time they make a long-distance call.
The really worrisome thing here is the false-positive rate.
The false-positive problem is familiar to anyone who has received a call
from their credit card company after an unusual purchase has triggered an
alarm from software that monitors card activity for patterns indicating
fraud. In the case of NSA traffic-monitoring software, false positives
manifest themselves as innocent people falsely tagged as possible
terrorists, and selected for follow-up investigation.
That's why the size of the database being mined is such a problem. The more
calls in the database, the more people wrongly scrutinized for terrorist
ties. Sooner or later, one of these people is going to be unluckily
attended by other suspicious circumstances (an unexplained bank transfer, a
name coincidence, travel to a Muslim nation...). God may have mercy on
such a person, but the Bush Administration will certainly have none. Due
process is not so much of a barrier to wrongful long-term detention these
days.
If the Administration seems untroubled by the implications of the
false-positive problem, perhaps the reason is that this is familiar
territory. After all, the U.S. security bureaucracy makes enthusiastic use
of polygraph lie-detector examinations to screen employees for signs of
disloyalty, despite a 2002 review by the National Academy of Science that
concluded that the high false-positive rate of polygraph exams wrongly
casts suspicion on an unacceptably high number of loyal employees.
It appears, then, that the Executive is merely extending its irresponsible
attitude concerning justifiable suspicion of its own employees to the
population at large. In a sense, we are all being subjected to
surreptitious polygraph examinations, every time we make a long-distance
call.
egeltje • May 12, 2006 3:10 AM
@anonymous:
Yes, the EU (or actually, one of its less democratically chosen bodies) has approved this data retention. However, the data stays with the Telco's. Police and such can only get info after a detailed request on a (single) customer's data, so undirected correlation of phonecalls will require a tremendous amount of paperwork.
Yes, the combination of this data gives a huge database, but it is stored somewhat distributed (different Telco's/ISP's). This will make a full correlation also less easy than with one huge database.
I am absolutely not in favour of this retention (majority of Europe isn't), but I believe there are some effective checks in place to prevent a broad misuse of the data.
aikimark • May 12, 2006 4:36 AM
@Stefan Wagner,
I'm not sure of your Serial data requirements, but my calculations for storage are even less than yours:
4 bytes call start date/time
6 bytes caller -id
6 bytes receiver-id
2 bytes call duration
===
18 bytes/call
x100 billion calls/day
===
1.8 TB/year
Ale • May 12, 2006 6:16 AM
@ Jungsonn:
" that this madness needs to stop, there should be limits on infringement in privacy"
Of course there should be. The problem is that it is no longer reasonable to assume that countries work in isolation, and that the "internal" policies of a country will have no international effects - specially of a country with such a large economic leverage as the USA. The state decisions of the US government are shaking the world, and I agree with quincunx (and all the others with similar opinion) that the aftershocks will continue to be felt for a long time. I currently live in the UK (I previously lived in Mexico) and I can assure you that the USA government will use every trick in the book to impose its security agenda in as many countries as possible.
I also think "that this madness needs to stop". I however feel that this is much easier said than done.
Steve Willis • May 12, 2006 8:51 AM
Maybe this is obvious but consider the following scenario: I call my local gas station (owned by an naturalized Iranian). He calls his relatives in Iran (Happy Birthday!). Maybe a relative in Iran calls someone that the US "thinks" is a threat. Does this connect me with the possible threat? The government has phone numbers (and conversions which need to be listened to) which can be linked domestically using our patriotic carriers and internationally by the NSA (hey, could that be the same database?).
Folks might think I'm paranoid but I suggest reading up on large scale commercial data mining and correlation efforts (i.e. Oracle). I wonder if the NSA knows about data mining.
Jungsonn • May 12, 2006 8:58 AM
Well the main thing on the agenda besides being not too political here, is "fear". that's the main thing to controle people. And i think: if it happens it happens, just live your life. If someone really wants to do harm, they will do it. one can try to stop it, but not on the cost of ohters. How more protected a system will become, to more it attracts. mainly due to its complexity and the reward one gets while broken the complex system.
Benjamin Franklin • May 12, 2006 9:23 AM
OK...I'll say it again...
"Those who would give up liberty for a little temporary safety deserve neither liberty nor safety, and will lose both."
And, to quote an old friend:
"But when a long train of abuses and usurpations, pursuing invariably the same object evinces a design to reduce them under absolute Despotism, it is their right, it is their duty, to throw off such Government, and to provide new Guards for their future security."
--From the Declaration of American Independance.
kashmarek • May 12, 2006 9:40 AM
Following the pattern of the "almost" sale of American ports to an Arab country, where economic interests almost trumped security concerns, chances are this domestic phone data will eventually find its way into some sort of marketing scheme. I would guess that "patterns of usage" is the key, where they might want to "predict" what you are or are not doing, and try to change your ways.
Benny • May 12, 2006 9:46 AM
@ "Benjamin Franklin"
I like Wikiquote's version better:
"Those who would give up Essential Liberty to purchase a little Temporary Safety, deserve neither Liberty nor Safety."
Jungsonn • May 12, 2006 9:47 AM
@Benjamin Franklin ;)
That might be the right qoute in his time. It is more nuanced when you talk about safety or freedom. Who are more free? americans or europeans? Terrorist threads we had here in my country are mainly due to U.S. policies. and all over the world the U.S. did not managed to make todays world a better place IMHO it is getting worse. And it is not a fight about freedom, its a fight about power. And that would be the mindset of a mere dictatorship.
another_bruce • May 12, 2006 9:55 AM
"our records show that four months ago, a call was placed from your number to the local abortion clinic. your teenage daughter didn't kill her baby did she? care to tell us what that was about?"
Shift Register • May 12, 2006 12:18 PM
Is this latest NSA bombshell a ploy at hindering Michael Hayden's chances for the CIA's top spook position ? Only time will tell.
"...collecting millions of Americans' everyday telephone records" is not the same as actively monitoring a call.
If we're talking about lawful interception, and the CALEA act, then even though most Americans know nothing about it, it is legal. Infosys/Verint's RELIANT and STARGATE products are installed on nearly every Class 5 Telco switch in the world since 2000.
Pat Cahalan • May 12, 2006 1:12 PM
Every citizen should fill out a FOIA request to the NSA to recieve the call records of all of their local, state, and federal officials. Keep submitting them every year until the "this information needs to be kept secret for national security purposes" argument is unsustainable.
If they haven't been engaging in back door deals or consorting with terrorists, they have nothing to hide, right? We, their constituents, certainly have a justifiable interest in knowing who our elected officials are talking to, right?
Anonymous • May 12, 2006 1:23 PM
@ Shift Register
> If we're talking about lawful interception, and the CALEA act, then
> even though most Americans know nothing about it, it is legal.
This class of definition (IMO) is little more than logical ledgermain. This is why spokespeople for these intelligence programs keep insisting that these programs are "legal".
There is an understood implication amongst the American public that "legal" = "Constitutional".
The definition that the Administration is using is "the President has the authority to establish what is 'legal' during times of war" (this is Gonzales talking, not me).
Using this definition, the Administration is attempting to "sell" these programs to the American public by presenting them using the terminology "legal". Many Americans are falling for this, interpreting "legal" as "Constitutional".
Mike • May 12, 2006 1:34 PM
I don't hear anyone bashing Clinton in here? I believe this program started under slick Willie.
Also, this story is MONTHS old - why the uproar now? What about all the congresscritters (I loved that term and am stealing it now :D ) who are "shocked" and "outraged" when the same stupid story was in the NY Times like 3 or 4 months ago?
I understand that this includes domestic-to-domestic calls, but the contents are not recorded, just the "transaction" information (numbers involved). The media is politically twisting this to make it sound like the conversations, etc. are being monitored & recorded a la the FISA-related surveillance when it's nothing like it.
The courts have already decided that there should be no expectation of privacy when it comes to phone record information. This has already been declared legal. What's the new story here?
It seems like a re-hashing of an old story about legal data collection to me.
Benny • May 12, 2006 2:24 PM
Mike said:
"The courts have already decided that there should be no expectation of privacy when it comes to phone record information. This has already been declared legal."
Pardon me for being uninformed, but when did the courts decide this?
Pat Cahalan • May 12, 2006 2:36 PM
@ Mike
> I believe this program started under slick Willie.
Reference, please?
In fact, it doesn't matter if it started under Carter, or Roosevelt for that matter. It still deserves criticism and analysis, non-partisan.
Let's say it did start under Clinton (which I don't believe is supported currently)... does this mean we should recuse the current Administration for continuing such a program?
> Also, this story is MONTHS old - why the uproar now?
These details aren't months old. In fact, if you have been following the NSA story since December, this is the first instance of discussion of domestic phone calls (which of course anyone with a brain suspected, but wasn't discussed) and also the first instance of details regarding databases of information about call history being maintained, as opposed to "we're only looking at phone calls where one end is a terrorist".
> What about all the congresscritters who are "shocked" and "outraged" when
> the same stupid story was in the NY Times like 3 or 4 months ago.
They've continued to be shocked and outraged, but have been unable to get any details in their investigation because all of the investigators have been refused security clearance. So the only time they can have a response to new information is when it gets leaked to the media.
Senator Spector (a Republican) in particular has been critical of the Administration's response to this investigation, so you can hardly claim partisanship on this issue.
> The media is politically twisting this to make it sound like the conversations,
> etc. are being monitored & recorded a la the FISA-related surveillance when
> it's nothing like it.
I have not heard one story that implied that conversations are being recorded. Could you link a story that shows "the media "politically twisting this"?
If the USA today story is true, then the President is blatantly lying when questioned about this new information by responding that the program does not involve "trolling". Maintaining a call database as described in the story and doing traffic analysis on it is most definitely "trolling".
Unless of course he doesn't understand what he authorized, they're doing something other than what he authorized, or the reports about the caller information database are incorrect. In the first two cases, there's a huge story about this Administration, and in the third there's another story about a media outlet putting out a false story. In any case, this is A BIG DEAL.
> The courts have already decided that there should be no expectation of
> privacy when it comes to phone record information.
I would like to see a reference for this as well, please. Especially given the hubbub over the story about services that will sell you people's phone records, and the FCC and Congressional response to that story.
Carlo Graziani • May 12, 2006 3:06 PM
@Mike:
The "Months Old" story had to do with International calls. As you claim to understand, this uproar has to do with domestic call monitoring. The media should undoubtedly have cottoned on to what was up sooner --- it seemed to me to be implicit in the class action suit brought against AT&T by the EFF --- but better late than never.
What the "courts" have decided is subject to an expectation of privacy is not even of the slightest relevance here. There is a statute, called "FISA", which governs both full-up surveillance and pen-register/trap-and-trace monitoring (what you refer to as "transaction" information). You may read the statute here:
http://www4.law.cornell.edu/uscode/html/uscode50/...
You will find that while the statute provides for emergency and even wartime exceptions (after a Congressional declaration of war), no possible reading of that statute allows the Executive to scrutinize any traffic without clearing the matter with the FISA court, if only belatedly. The NSA itself acnowledged this to Qwest, when Qwest requested a warrant from the court. To say, as you do, that "this has been declared legal" is simply confused.
And, if you are somehow under the illusion that the fact that no conversations are recorded makes this a benign (or at least harmless) program, I hope you will consider the implications more carefully.
NSA software is scanning hundreds of millions of calls for patterns deemed "characteristic" of terrorist communication. This is similar to the activity carried out (for example) by credit card companies, which scan hundreds of millions of transactions for patterns "characteristic" of fraud, and is similarly error-prone. Whenever you get a call from your credit card company inquiring whether you made a particular set of purchases, it is because a pattern of transactions triggered their software alarms. Often, these are false alarms -- what are referred to as "false positives". Generally speaking, such alarms are resolved quickly by a phone call, leaving consumers with a warm fuzzy feeling that the credit card company is looking after their interest.
Now imagine that scenario, except instead of a CC company it's the FBI, and instead of being a customer, you're a potential suspect, and instead of trying to clear things up, the government is digging for further incriminating information. Does your whole life stand up to scrutiny? Do you have any troublesome friends? Did you happen to handle a lot of cash recently? Did you browse any websites hosted in a dodgy country, not just yesterday, but any time in the last several years?
Even if you feel you might survive this kind of scrutiny (I imagine most people would), the size of the database means that eventually some innocent person won't.
That's the problem.
Mike • May 12, 2006 3:18 PM
- Media twist: http://www.usatoday.com/news/washington/... "In defending the previously disclosed program, Bush insisted that the NSA was focused exclusively on international calls. "In other words," Bush explained, "one end of the communication must be outside the United States."
As a result, domestic call records — those of calls that originate and terminate within U.S. borders — were believed to be private.
Sources, however, say that is not the case."
This is clearly implicating that the domestic-only calls are being recorded, which is untrue.
- Project Echelon was started in 1999, under Clinton's watch: http://www.nytimes.com/library/tech/99/05/cyber/...
Also, great article on Bill Clinton's warrentless-wiretapping: http://www.nationalreview.com/york/...
You and I have different points. My point is the hypocracy of the politicians and partisans out there NOT "condemning" Clinton and only slamming Bush. Your point is who cares who started, it if the new guy keeps it up, he's just as dirty. I see both points... so, since both are "dirty" guys, I just wonder why the Libs are ignoring Clinton's part in this? Oh yeah, hypocracy.
-Bush is lying when he says "trolling" -- Since when does semantics matter to libs? I guess it depends on what the definition of "IS" is, er, I mean "Trolling" is. Then again, Bill was under oath at the time...
- "you can hardly claim partisanship on this issue" -- I'm not claiming partisanship, I'm claiming political posturing and hypocracy... both sides are guilty unfortunately (how sad, their ability to spin for reelection is more important than Nat'l Security WAY too often).
- "continued to be shocked & outraged....getting info via leaks..." -- This "story" was leaked months ago. Being outraged now is just more political posturing.
I believe that this is all political posturing by both parties in Congress. Nothing more than chest-thumping and getting their face on TV to help bolster reelection campaigns. I personally don't see anything wrong with a big-@ss database of phone calls (there's no names, SSN, etc. in the DB - though it doesn't take a genius to see it can be cross-referenced - which is what makes it legal). I don't see it being all that helpful either. They're just all play-acting to garner money and power.
Pat Cahalan • May 12, 2006 4:52 PM
>> As a result, domestic call records
> This is clearly implicating that the domestic-only calls are being recorded
I think that pretty clearly states "domestic call records", not "domestic call recordings". If someone is misinterpreting that quotation, they clearly can't read plain English.
> You and I have different points. My point is the hypocracy of the politicians
> and partisans out there NOT "condemning" Clinton and only slamming
> Bush. Your point is who cares who started, it if the new guy keeps it up,
> he's just as dirty.
Actually (this being a security blog and not a political blog), my point of view on this particular topic is apolitical -> the only reason this Administration is a topic of my posts is because this Administration is currently in charge. If *this* story had been broken to the press in 1996, my position would be the same.
I'm not really sure what your position is. Do you agree with the various NSA programs that have been in the news since December, or not? This is, after all, *the security question*. If you do, it doesn't make sense for you to "condemn" Clinton, if you're supporting Bush for the same activity.
> -Bush is lying when he says "trolling" -- Since when does semantics matter
> to libs? I guess it depends on what the definition of "IS" is, er, I mean
> "Trolling" is. Then again, Bill was under oath at the time...
Definitions matter to me. Attempting to manipulate the public by misrepresenting your actions matters to me. It disgusted me when Clinton did it. It is disgusting me more in this particular incident, for *blatantly obvious security reasons*. Clinton was talking about something that had nothing to do with national security or invading my privacy.
> I personally don't see anything wrong with a big-@ss database of phone calls
Excellent. Can you post your cell, home, and business phone call records here, please? Since you obviously don't care...
OpenEyed • May 12, 2006 5:37 PM
Let's see, this is a privacy issue? You can purchase other people's call records on line. Here's a report on that topic:
http://www.suntimes.com/output/news/...
In fact the SCOTUS has stated twice that phone call records are not covered by any expectancy of privacy.
CALEA doesn't always require warrants, that's why there is that bit about "other lawful authorization." In fact the Bells have been providing this information to the government and private purchasers for many years. Typically these records are used with relationship to some form of investigation and they also assist in the "floating" wire tap.
If you don't want the government looking at these records, get the law changed. And while you're at it, you may want to push for legislation to stop private citizens being able to purchase those same records. There are a lot of people getting all stirred up over something that has been around for a long time, yet if the NSA under Bush decides to use them is some new manner it's evil.
Pat Cahalan • May 12, 2006 6:11 PM
> Let's see, this is a privacy issue?
Amongst other things, yes.
> Your can purchase other people's call records on line.
Yes, I know. There are numerous news updates concerning this, you can Google it. Currently some of these companies are under criminal investigation. Most of the articles I've read concerning this story don't mention the practice is legal.
> In fact the SCOTUS has stated twice that phone call records are not
> covered by any expectancy of privacy.
You're the second person to state this, I would like a case reference please. Usually reading the court decision reveals that this is true in very narrow or specific cases, not in general terms.
> CALEA doesn't always require warrants
http://www.askcalea.net/calea.html
It requires warrants, or authorized access. Obviously "authorized access" was intended by CALEA's authors to allow "pre-warrant" access by those authorized by the Attorney General in accordance with FISA.
It does not anywhere say, "authorized access"="whenever someone with a badge says so".
> If you don't want the government looking at these records, get
> the law changed.
The point is, according to the law already existing, the government can't look at these records. There is already established law saying "you can't do this without a warrant or authorization from the AG persuant to the acquistion of a FISA warrant".
If the government wanted access to these records, it was incumbant upon them to get the law changed, not the other way around.
> There are a lot of people getting all stirred up over something that has been
> around for a long time, yet if the NSA under Bush decides to use them is
> some new manner it's evil.
Regardless of the fact that this is a "if Timmy jumped off a bridge you'd want to too" argument, there is another element to the NSA process that is different from the ability for a common citizen to accomplish this (legally or illegally). That is, this is wholesale activity and not targeted. Even assuming that it was decided that someone should be able to find out a specific other person's phone records (which is patently absurd), that does not scale automatically into "the governement should be doing this to all of its citizens all the time".
Carlo Graziani • May 12, 2006 6:27 PM
@OpenEyed:
That is just confused.
First of all, this is in no sense a "privacy issue". This is a Civil Liberties issue.
The Supreme Court's attitude towards the presumption of privacy inherent in phone records is of no bearing here. That is simply a red herring. To conflate terrorism investigations with commercial data mining is a muddying of the waters.
There is no such thing as a CALEA warrant, or even a CALEA demand for records. CALEA regulates what equipment telcos must have, and what records they must retain. It is completely silent about procedure for turning those records over.
There are two possible legal avenues for the government to seek these kind of records: A FISA warrant and Patriot Act National Security Letter. If you like reading statutes, here you go:
FISA:
http://www4.law.cornell.edu/uscode/html/uscode50/...
NSL:
http://www4.law.cornell.edu/uscode/html/uscode18/...
These are the *only* legal basis for the government to use communication records in a criminal investigation. Neither of them appears to have been used in this case --- we know the NSA didn't want to bother the FISA court, and if an NSL had been served it would have by law come from the FBI, not the NSA, and it would be illegal for Qwest (and AT&T, and Verizon) corporate officers to talk to USA Today about it. This news story would be about a court case to quash the NSL, not about a refusal to honor an informal request to share data with the NSA.
This is not about changing laws. It's about whether the Executive is bound by them.
Brian • May 12, 2006 8:30 PM
A question on data mining. Back in March, Bruce put together what I thought was a coherent argument that data mining for terrorists was not going to be effective.
http://www.schneier.com/blog/archives/2006/03/...
"...Data mining works best when there's a well-defined profile you're searching for, a reasonable number of attacks per year, and a low cost of false alarms..."
The NSA surveillance program definitely doesn't meet the first two criteria, and probably doesn't meet the third either. So either the NSA is stupid and is wasting a ton of money on an ineffective program, or they are somehow analyzing this data effectively. It's not unheard of for bureaucracies to burn cash on bad ideas. Is it possible that this program is flat-out useless to the NSA?
What are they doing with this data?
Durable Alloy • May 12, 2006 8:48 PM
From AP (via Yahoo! News):
"Two New Jersey public interest lawyers sued Verizon on Friday for $5 billion, claiming the phone carrier violated privacy laws by turning over customers' records. The lawsuit asks the court to stop Verizon from supplying the information without a warrant or the subscriber's consent."
Po Boy • May 12, 2006 11:53 PM
@ Durable Alloy:
I'm a Verizon customer. Is there a way I could get a piece of this $5 billion pie if those lawyers won their case?
Tank • May 13, 2006 3:43 AM
"Back in March, Bruce put together what I thought was a coherent argument that data mining for terrorists was not going to be effective."
Back in March I told you this was what they were doing with it.
http://www.schneier.com/blog/archives/2006/03/...
Since then nobody has questioned the usefulness of mapping human networks for uncovering terrorist cells.
You can certainly argue it is a poorly implemented, illegal and wasteful program. You could do better just by issuing warrants for billing records of targets.
Don't suggest it has no use to those investigating terrorism though.
Alex G • May 13, 2006 5:33 AM
After thinking about this issue for a bit I came to a realization that call metadata (source, destination, time, etc.) is, in at least one respect, more sensitive than actual phone content. Think about the value, "privacy value" if you will, of that information deminishing over time. The content of an odd conversation I had 10 years ago typically has very little value to me today. On the other hand, most of the social ties that can be deduced from analyzing my call records from 10 years ago still exist today, making that 10-year-old meta-data still very valuable. One outcome of this is that if the courts rule both of these practices illegal tomorrow and order the NSA to stop collecting any more data (lets assume they comply), the damage from universal meta-data will take a lot longer to "decay" than damage from actual content. I guess we can say that the half-life of call meta-data is significantly longer than that of call content.
One other note. I think that this database is much more compact than people believe. If we go with the figure provided in other comments here that put the size of the database in terabytes, that would mean that an average US monthly phone bill contains between 500KB and 1MB worth of call history data. That just seems way to high. I bet an average monthly phone bill has on the order of a few KB of data in it, making the annual total for US be 10s of gigabytes not terabytes. Furthermore, this data has a lot of structure to it, making it highly compressible.
aikimark • May 13, 2006 1:13 PM
Here's a solution that should make everyone feel good. The phone company places all the phone numbers through a good one-way hash before turning the records over to the NSA. The NSA can establish social networks of interest and then go back through the FISA courts to ask for the original phone numbers and possible wire taps.
Our identities are protected while giving the NSA what they seek.
Carlo Graziani • May 13, 2006 10:31 PM
You know, this non-sequitur about that 1979 Supreme Court decision keeps cropping up, despite it's evident irrelevance to the current scandal. It's like someone went and issued it as a talking point to a squad of blog crawlers, to arm them for their drive-by inanities.
Look, go and actually read that decision. At least the first few paragraphs, OK?
Alright. Now, the first thing to note is, neither the plaintiff nor the defendant was the Federal Government. This was a case about whether Maryland police procedure concerning pen registers violated the Fourth Amendment to the U.S. Constitution.
Here's the thing: It turns out that the U.S. government is -- are you ready? -- a *totally separate legal entity* from the State of Maryland! That's right! You could look it up! And it even has it's own laws, that are different from Maryland's!
Some of those laws concern limitations on what the Feds may do with regards to electronic surveillance. Many were put in place in the '70s, when people became uncomfortable with the FBI's enthusiastic use of telephone surveillance, and the White House's very pragmatic views of the political uses to which that surveillance could be put.
As a result of that discomfort, those laws were larded with inconvenient terms, like "probable cause", and "reasonable suspicion", and a deplorable layer of court supervision was added to the process.
Not to worry, though. In recognition of the burdens placed by due process on overworked agents, Congress provided for a highly streamlined procedure, in a law called "FISA". The FISA law set out an accelerated procedure with very low evidentiary burden, to deal with the cases having to do with presumed espionage or terrorism. There are still judges involved, and warrants to be produced --- even for pen registers --- but they can even be procured retroactively, if a busy agent jumps the gun by a couple of days.
After 9/11, stampeding Congressmen concluded that there might be cases in which even FISA was just too burdensome. Accordingly, they threw into the Patriot Act a provision for something called a "National Security Letter". This is a document signed by the Director of the FBI, or by another functionary of the FBI designated by the Director for this purpose, which certifies that certain telco records concerning communications by certain persons are necessary to a terrorism investigation, and should be turned over to the Bureau Post-Haste. No judicial review is provided, no warrant is required, and it is illegal for the persons served with an NSL to mention that fact to anyone.
You might think that the Administration could have found a way to drive its surveillance truck through these loopholes. But you would be wrong.
The NSA apparently refused point-blank to bother the FISA court. And the NSA may not issue NSLs -- only the FBI may do so. And apparently they didn't, because if they had, the Qwest, Verizon and AT&T executives who talked to USA Today would be going to prison for violating the Gag Rule that attends NSLs in the Patriot Act.
So the bottom line is, the U.S. Code sets out very clear and explicit procedures regulating how the Government may access this data, and what it may do with it. The Administration evaded every one of those procedures. They didn't feel like following them, so they ignored them.
Think about that: Our government is not bound by our law.
shoobe01 • May 14, 2006 8:39 AM
> Yes, I know. There are numerous news updates concerning this, you can Google it. Currently some of these companies are under criminal investigation. Most of the articles I've read concerning this story don't mention the practice is legal.
Its not. Some people I know are semi-furiously working to close the (atrocious) loopholes thru security that allow you into the system at [a large US cellular company]. Lawsuits, government investigations, etc. It will probably never stop, but it should be harder to get CDR data.
And, I'll note, plenty of people are mad about this data being shared.
aikimark • May 14, 2006 11:15 AM
@andy,
There's a HUGE difference between a law enforcement agency obtaining such records pursuant to their investigation of crimes or criminal activities. In this case, every US citizen's call logs have been obtained, except for Qwest customers. That includes your cell phone calls as well as land line calls (and faxes too).
The obtaining party in this situation is NOT a law enforcement agency, it is an intelligence agency. The judicial court meant to oversee our protections was bypassed.
Do I think unchecked power and lack of transparency are dangerous? Yes.
Do I trust this administration? No. You are certainly welcome to trust whomever you want, but don't expect the rest of us to follow your lead without some evidence of their integrity, honesty, competence, and concern for the well-being of all humans. (not just the 'corporate-humans')
===========================
In 1999, I formed an opinion that Dubya was an international incident just waiting to happen. After more than 5 years of 'compasionate conservatism', 'visionary leadership' and 'uniting-not-dividing', I have not changed my mind. With the same political party controlling two branches of the US government, there have been no checks and balances save the occasional Supreme Court or UN push-back. Only recently has the press been able or willing to shine a light on activities that are detrimental to the country -- its people and constitution. After so much public complacency and media spin, I'm not sure that our voices will be enough to raise the consciousness of the populace before we become another police state.
isildur • May 14, 2006 2:16 PM
Ok, I know that FUD is a great propaganda tool used by many media agents, but when the government repeatedly flouts the very foundations of our nation's laws, I must admit that I am getting more and more alarmed at the fear, uncertainty, and doubt being created by the very organization which should be protecting us from it.
The best security is in prevention. Prevention needs us to understand why someone would actively do something that hurts us. That understanding may need us to face some painful truths. Applying double standards is a good example of a something that would inflame others to attack us.
The closer you get to the root cause, the better and more efficient your security.
Jake • May 15, 2006 1:18 AM
Think about that: Our government is not bound by our law.
Not only that, with this move they are announcing that they are not bound by the law.
Joshua • May 15, 2006 5:03 AM
Yehaa ! They continue in Europe:
US could access EU data retention information
12.05.2006 - 09:50 CET | By Helena Spongenberg
US authorities can get access to EU citizens' data on phone calls, sms' and emails, giving a recent EU data-retention law much wider-reaching consequences than first expected, reports Swedish daily Sydsvenskan.
RANDY • June 6, 2006 10:33 AM
I WILL BUY HIGH QUANTITIES IF YOU CAN SECURE MY PAYMENT.I REFUSE TO USE WESTERN UNION OR BANK TRANSFER.
Paul • June 15, 2006 3:40 PM
Hola; M e gustaria saber si alguien esta interesado en enviar productos a PERU. me gustaria se contacten conmigo lo antes posible para hacer negocios.
Especifiquen la forma en que trabajan con que Banco y de que forma o con que compañia envian los productos y cual es el limite de estos.
Atentamente
Paul.
Trujillo - PERU
+51449358793
slylurk@hotmail.com
g0dkr4fty@yahoo.es
Subscribe to comments on this entry
Post a comment
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.
|
| Subscribe |
Subscribe via Kindle |
| Blog Menu |
SearchPowered by DuckDuckGoBlog Home Page
Archives by Date2013 J F M A M
Tags  |
| Latest Book |
more books by Bruce Schneier |
Comments