Regulatory Compliance

NSA and FBI Access to Verizon Phone Records

The Guardian is reporting that the NSA has been collecting phone records on millions of Verizon customers in the United States under an order by the Obama administration.

The FBI was granted the order by the Foreign Intelligence Surveillance Court to collect the data for a 3 month period; this order has been renewed every 3 months for the past 7 years. The information supposedly includes the phone numbers of both parties, location data, call duration and unique identifiers.

The identifiers are IMSI (International Mobile Subscriber Identity) and/or MEID (Mobile Equipment Identifier) and IMEI (International Mobile Equipment Identifier). By location data I assume it refers to the billing address and not accessing GPS on the phone, or utilizing cell tower triangulation.

This is an important differentiator with regard to the level of invasiveness: there is a big difference between tracking the billing address mapped to a specific phone line and tracking a suspect’s location and movements via cell tower positioning or other methods. As the data being collected is “telephony metadata”, the odds are slim that device tracking is utilized; this would require a further court order.

When it comes to domestic surveillance, law enforcement has to follow very strict policies. The first step law enforcement takes is to determine the service provider from the phone number; there are a number of services that allow users to do this for free.

The next step is to determine probable cause or exigent circumstances such as a child abduction, missing person, fugitive, etc. The provider will then send information to the law enforcement agent to complete; that information is then faxed back.

The law enforcement agent can send a preservation letter to the provider to ensure that records regarding the target phone number are not discarded, such as text messages and voice mail, which are sometimes only retained for 72 hours.

The next level is a subpoena. This allows law enforcement access to basic transaction data, limited to account details, billing records and account notes. It is usually sent via fax to a specific number at a provider for this purpose.

In order to get deeper information, a court order or search warrant is filed, such as what the FBI is claimed to have done in this case. When this happens, law enforcement can get detailed records including incoming and outgoing calls, cell tower locations and general location information, text message content, voice mail content and other information.

However, law enforcement needs to provide probable cause to the courts in order to get access to the data. The general hierarchy of protection is as follows:

  1. Transaction records (name, number, billing)
  2. Numbers dialed, incoming and outgoing
  3. Location data, from cell towers
  4. Content of stored communication such as email, voice, text messages
  5. Content of telephone conversations (wiretap)

It is a crime to access electronic communications without the proper authorization, and the process and circumstances under which the data should be accessed are outlined pretty clearly to law enforcement. According to 18 U.S.C. §§ 2701-2711, Section 2703(c), a court order, search warrant or customer consent is required for the release of electronic communications. A subpoena can be used to obtain basic transactional data, but deeper data requires a court order.

It would be interesting to see the justification for such a large blanket order to be approved by the courts. I would also be surprised if the order was only limited to Verizon. I doubt the FBI is using the order to track our calls to grandma and are leveraging big data tools to mine the data looking for patterns and data is collected but can only be accessed and utilized without a further FISA request.

Ken Westin

Your Pundit of Paranoia