[Infowarrior] - Widespread cell phone location snooping by NSA?

[Richard Forno]

Exclusive: Widespread cell phone location snooping by NSA?
Posted by Chris Soghoian 5 comments

http://news.cnet.com/8301-13739_3-10030134-46.html

If you thought that the National Security Agency's warrantless  
wiretapping was limited to AT&T, Verizon and Sprint, think again.

While these household names of the telecom industry almost certainly  
helped the government to illegally snoop on their customers,  
statements by a number of legal experts suggest that collaboration  
with the NSA may run far deeper into the wireless phone industry. With  
over 3,000 wireless companies operating in the United States, the  
majority of industry-aided snooping likely occurs under the radar,  
with the dirty-work being handled by companies that most consumers  
have never heard of.

A recent article in the London Review of Books revealed that a number  
of private companies now sell off-the-shelf data-mining solutions to  
government spies interested in analyzing mobile-phone calling records  
and real-time location information. These companies include  
ThorpeGlen, VASTech, Kommlabs, and Aqsacom--all of which sell "passive  
probing" data-mining services to governments around the world.

ThorpeGlen, a U.K.-based firm, offers intelligence analysts a  
graphical interface to the company's mobile-phone location and call- 
record data-mining software. Want to determine a suspect's "community  
of interest"? Easy. Want to learn if a single person is swapping SIM  
cards or throwing away phones (yet still hanging out in the same  
physical location)? No problem.

In a Web demo (PDF) (mirrored here) to potential customers back in  
May, ThorpeGlen's vice president of global sales showed off the  
company's tools by mining a dataset of a single week's worth of call  
data from 50 million users in Indonesia, which it has crunched in  
order to try and discover small anti-social groups that only call each  
other.

Clearly, this is creepy, yet highly lucrative, stuff. The fact that  
human-rights abusing governments in the Middle East and Asia have  
deployed these technologies is not particularly surprising. However,  
what about our own human-rights-abusing government here in the U.S.?  
Could it be using the same data-mining tools?

To get a few answers, I turned to Albert Gidari, a lawyer and partner  
at Perkins Coie in Seattle who frequently represents the wireless  
industry in issues related to location information and data privacy.

When asked if there is a market for these kinds of surveillance data- 
mining tools in the U.S., Gidari told me: "Of course. It is a global  
market and these companies have partners in the U.S. or competitors."

The question is not if the government would like to use these tools-- 
after all, what spy wouldn't want to have point-and-click real-time  
access to the location information on millions of Americans? The real  
mystery is how the heck the National Security Agency can legally get  
access to such large datasets of real-time location information and  
calling records. The answer to that, Gidari said, is the thousands of  
other, lesser-known companies in the wireless phone and communications  
industry.

The massive collection of customer data comes down to the interplay of  
two specific issues: First, thousands of companies play small, niche  
support roles in the wireless phone industry, and as such these firms  
learn quite a bit about the calling habits of millions of U.S.  
citizens. Second, the laws relating to information sharing and  
wiretapping specifically regulate companies that provide services to  
the general public (such as AT&T and Verizon), but they do not cover  
the firms that provide services to the major carriers or connect  
communications companies to one other.

Thus, while it may be impossible for the NSA to legally obtain large- 
scale, real-time customer location information from Verizon, the  
spooks at Fort Meade can simply go to the company that owns and  
operates the wireless towers that Verizon uses for its network and get  
accurate information on anyone using those towers--or go to other  
entities connecting the wireless network to the landline network. The  
wiretapping laws, at least in this situation, simply don't apply.

Giardi explained it as follows:

     Networks are more and more disaggregated and outsourced, from  
customer service call centers overseas with full viewing access to  
data to key infrastructure components and processing. A single  
communication is handled by many more parties than the named provider  
today. Moreover, interoperability protocols include network  
identifiers--send a message from company A to company B and the  
acknowledgment of delivery may include location and other information.  
That's just the way the system is designed--location was about billing  
in the early years and no one bothered to undo the existing protocols  
when business models changed and interoperability became common  
practice or a myriad of new messaging companies came into being...So  
my point is that there are many access points--albeit less convenient  
than one-stop shopping at the big carriers--to get information  
including real-time data.

ThorpeGlen's product appears to be a mashup of Google Earth + phone  
location data (in this case, from 50 million people in Indonesia)
(Credit: ThorpeGlen)

For example, if a Sprint Wireless customer in Virginia calls a  
relative in Montana--who is a customer of a small, regional landline  
carrier--information on the callers will spread far beyond just those  
two communications companies.

Sprint doesn't own any of its own cellular towers, and so TowerCo, the  
company that owns and operates the towers, of course, learns some  
information on every mobile phone that communicates with one of its  
towers. This is just the tip of the iceberg, though. There are  
companies that provide "backhaul" connections between towers and the  
carriers, providers of sophisticated billing services, outsourced  
customer-service centers, as well as Interexchange Carriers, which  
help to route calls from one phone company to another. All of these  
companies play a role in the wireless industry, have access to  
significant amounts of sensitive customer information, which of  
course, can be obtained (politely, or with a court order) by the  
government.

With the passage of laws like the FISA Amendments Act and the USA  
Patriot Act, in most cases, requests for customer information come  
with a gag order, forbidding the companies from notifying the public,  
or the end users whose calling information is being snooped upon.  
Gidari summed it up this way:

     So any entity--from tower provider, to a third-party spam filter,  
to WAP gateway operator to billing to call center customer service-- 
can get legal process and be compelled to assist in silence. They  
likely don't volunteer because of reputation and contractual  
obligations, but they won't resist either.

Seeking clarification, I turned to Paul Ohm, a former federal  
prosecutor turned cyberlaw professor at the University of Colorado Law  
School and a noted expert on surveillance laws.

Before getting into the details of the issue, Ohm first outlined the  
basic problem of the various wiretap and surveillance laws; they are  
extremely confusing and few people fully understand them. The 9th  
Circuit Court of Appeals seemed to share Ohm's view, stating a few  
years ago that the Electronic Communications Privacy Act is a  
"complex, often convoluted area of the law" (United States v. Smith,  
155 F.3d 1051).

Ohm then said that the "one thing I can say with confidence is that  
you are correct to note that the [Stored Communication Act's]  
voluntary disclosure prohibitions (in 18 USC 2702(a)) apply only to  
providers to the public."

After describing all the ways that the government could legally  
collect real-time data on millions of U.S. citizens, Gidari said that  
essentially, the existence of such a program would likely remain a  
secret (barring a whistle-blower or leaks to the press by government  
officials). Summing it up, he stated that:

     Whether [a] vendor to a carrier to the public cooperates with  
agencies (either for a fee or by acquiescence in an order), is  
something you will not find out as FISA makes it so, regardless of  
whether the person is in the U.S. or communicating with a person  
abroad. Such means and methods largely are hidden.

However, if the existence of such a program were ever confirmed, Ohm  
said that Congress would not be too happy:

     If [the sharing of data by niche telecom providers] is seen as  
allowing an end-around an otherwise clear prohibition in the SCA,  
Congress is likely to throw a fit when it is revealed and try to amend  
the law. DOJ is sensitive to this kind of thing (despite what the NSA  
wiretapping program would lead you to believe) and would probably try  
to avoid blatantly bypassing otherwise clear language in this way.