large scale phone location snooping by NSA

Eugen Leitl eugen at
Mon Sep 8 23:45:15 PDT 2008

Exclusive: Widespread cell phone location snooping by NSA?

Posted by Chris Soghoian

If you thought that the National Security Agency's warrantless wiretapping
was limited to AT&T, Verizon and Sprint, think again.

While these household names of the telecom industry almost certainly helped
the government to illegally snoop on their customers, statements by a number
of legal experts suggest that collaboration with the NSA may run far deeper
into the wireless phone industry. With over 3,000 wireless companies
operating in the United States, the majority of industry-aided snooping
likely occurs under the radar, with the dirty-work being handled by companies
that most consumers have never heard of.

A recent article in the London Review of Books revealed that a number of
private companies now sell off-the-shelf data-mining solutions to government
spies interested in analyzing mobile-phone calling records and real-time
location information. These companies include ThorpeGlen, VASTech, Kommlabs,
and Aqsacom--all of which sell "passive probing" data-mining services to
governments around the world.

ThorpeGlen, a U.K.-based firm, offers intelligence analysts a graphical
interface to the company's mobile-phone location and call-record data-mining
software. Want to determine a suspect's "community of interest"? Easy. Want
to learn if a single person is swapping SIM cards or throwing away phones
(yet still hanging out in the same physical location)? No problem.

In a Web demo (PDF) (mirrored here) to potential customers back in May,
ThorpeGlen's vice president of global sales showed off the company's tools by
mining a dataset of a single week's worth of call data from 50 million users
in Indonesia, which it has crunched in order to try and discover small
anti-social groups that only call each other.

Slide from "Identification of Nomadic Targets " ISS Webinar

(Credit: ThorpeGlen)

Clearly, this is creepy, yet highly lucrative, stuff. The fact that
human-rights abusing governments in the Middle East and Asia have deployed
these technologies is not particularly surprising. However, what about our
own human-rights-abusing government here in the U.S.? Could it be using the
same data-mining tools?

To get a few answers, I turned to Albert Gidari, a lawyer and partner at
Perkins Coie in Seattle who frequently represents the wireless industry in
issues related to location information and data privacy.

When asked if there is a market for these kinds of surveillance data-mining
tools in the U.S., Gidari told me: "Of course. It is a global market and
these companies have partners in the U.S. or competitors."

The question is not if the government would like to use these tools--after
all, what spy wouldn't want to have point-and-click real-time access to the
location information on millions of Americans? The real mystery is how the
heck the National Security Agency can legally get access to such large
datasets of real-time location information and calling records. The answer to
that, Gidari said, is the thousands of other, lesser-known companies in the
wireless phone and communications industry.

The massive collection of customer data comes down to the interplay of two
specific issues: First, thousands of companies play small, niche support
roles in the wireless phone industry, and as such these firms learn quite a
bit about the calling habits of millions of U.S. citizens. Second, the laws
relating to information sharing and wiretapping specifically regulate
companies that provide services to the general public (such as AT&T and
Verizon), but they do not cover the firms that provide services to the major
carriers or connect communications companies to one other.

Thus, while it may be impossible for the NSA to legally obtain large-scale,
real-time customer location information from Verizon, the spooks at Fort
Meade can simply go to the company that owns and operates the wireless towers
that Verizon uses for its network and get accurate information on anyone
using those towers--or go to other entities connecting the wireless network
to the landline network. The wiretapping laws, at least in this situation,
simply don't apply.

Giardi explained it as follows:

    Networks are more and more disaggregated and outsourced, from customer
service call centers overseas with full viewing access to data to key
infrastructure components and processing. A single communication is handled
by many more parties than the named provider today. Moreover,
interoperability protocols include network identifiers--send a message from
company A to company B and the acknowledgment of delivery may include
location and other information. That's just the way the system is
designed--location was about billing in the early years and no one bothered
to undo the existing protocols when business models changed and
interoperability became common practice or a myriad of new messaging
companies came into being...So my point is that there are many access
points--albeit less convenient than one-stop shopping at the big carriers--to
get information including real-time data.

ThorpeGlen's product appears to be a mashup of Google Earth + phone location
data (in this case, from 50 million people in Indonesia) (Credit: ThorpeGlen)

For example, if a Sprint Wireless customer in Virginia calls a relative in
Montana--who is a customer of a small, regional landline carrier--information
on the callers will spread far beyond just those two communications

Sprint doesn't own any of its own cellular towers, and so TowerCo, the
company that owns and operates the towers, of course, learns some information
on every mobile phone that communicates with one of its towers. This is just
the tip of the iceberg, though. There are companies that provide "backhaul"
connections between towers and the carriers, providers of sophisticated
billing services, outsourced customer-service centers, as well as
Interexchange Carriers, which help to route calls from one phone company to
another. All of these companies play a role in the wireless industry, have
access to significant amounts of sensitive customer information, which of
course, can be obtained (politely, or with a court order) by the government.

With the passage of laws like the FISA Amendments Act and the USA Patriot
Act, in most cases, requests for customer information come with a gag order,
forbidding the companies from notifying the public, or the end users whose
calling information is being snooped upon. Gidari summed it up this way:

    So any entity--from tower provider, to a third-party spam filter, to WAP
gateway operator to billing to call center customer service--can get legal
process and be compelled to assist in silence. They likely don't volunteer
because of reputation and contractual obligations, but they won't resist

Seeking clarification, I turned to Paul Ohm, a former federal prosecutor
turned cyberlaw professor at the University of Colorado Law School and a
noted expert on surveillance laws.

Before getting into the details of the issue, Ohm first outlined the basic
problem of the various wiretap and surveillance laws; they are extremely
confusing and few people fully understand them. The 9th Circuit Court of
Appeals seemed to share Ohm's view, stating a few years ago that the
Electronic Communications Privacy Act is a "complex, often convoluted area of
the law" (United States v. Smith, 155 F.3d 1051).

Ohm then said that the "one thing I can say with confidence is that you are
correct to note that the [Stored Communication Act's] voluntary disclosure
prohibitions (in 18 USC 2702(a)) apply only to providers to the public."

After describing all the ways that the government could legally collect
real-time data on millions of U.S. citizens, Gidari said that essentially,
the existence of such a program would likely remain a secret (barring a
whistle-blower or leaks to the press by government officials). Summing it up,
he stated that:

    Whether [a] vendor to a carrier to the public cooperates with agencies
(either for a fee or by acquiescence in an order), is something you will not
find out as FISA makes it so, regardless of whether the person is in the U.S.
or communicating with a person abroad. Such means and methods largely are

However, if the existence of such a program were ever confirmed, Ohm said
that Congress would not be too happy:

    If [the sharing of data by niche telecom providers] is seen as allowing
an end-around an otherwise clear prohibition in the SCA, Congress is likely
to throw a fit when it is revealed and try to amend the law. DOJ is sensitive
to this kind of thing (despite what the NSA wiretapping program would lead
you to believe) and would probably try to avoid blatantly bypassing otherwise
clear language in this way.

More information about the cypherpunks-legacy mailing list