(I'd like to thank Col Lang for inviting me to be a guest author. One thing I've learned the last year or so coming here is that wisdom may be nothing more than recognizing how wrong we all can be sometimes, and accepting it when we are. I cannot count how many times I've commented here only to find within hours, days, weeks, or sometimes months that I was completely wrong! So, I'm starting with something safe (chuckle). Cheers...CWZ/Bob Devine)
The "lefty" blogosphere has lit up like a Christmas tree with the latest FISA legislation battle. Many of you have probably read about using prepaid (disposable) cell phones to evade those allegedly illegal wiretaps. When I first read about the supposed “warrantless” wiretaps, the first thing that popped into my mind was the prepaid cell phones.
Since this is a topic dear to my heart – telecom Signals Intelligence – I’d like to add my two cents. Most importantly, I’d like to explain what I think is happening inside the SIGINT community in response to the technical challenges facing the government with these cell phones. My guess is that they are the centerpiece of the FISA controversy.
But let me be clear. This is just my speculation based on my experience. I don’t know for sure.
Prepaid cell phones are needles in a haystack. The smart criminal will buy one with cash, activate it from a pay phone, buy a few more minutes with cash at any 7-11, use it a few days, and then toss it in the trash. It’s the volume of telephone numbers that makes them so hard to find, as well as their mobility.
A telephone number in North America has three parts: area code, central office code, and line number. (ITU E.164 format for the techno-geeks among us). In telephone jargon, the area code is a Numbering Plan Area (NPA) and the central office code must follow a numbering rule called NXX. Telephone people refer to large blocks of line numbers as an NPA/NXX. There are 10,000 line numbers available for use in each NPA/NXX block. That doesn't mean there will be 10,000 active lines, just 10,000 numbers are available for that particular NPA/NXX. Based on the numbering plan, there are 792 central office codes (NXX) available per NPA, and there are 792 available NPAs. That’s a lot of telephone numbers.
The Industry Numbering Committee of the Alliance for Telecommunications Industry Solutions (ATIS) assigns NPA/NXX blocks of numbers to telecom carriers: ATIS
The carrier assignments are public knowledge. You can even look them up yourself: NPA/NXX Lookup
So the SIGINT organizations know which prepaid cellular companies own which NPA/NXX blocks.
Active numbers are maintained in huge databases dispersed throughout North America, and similar numbering plans are implemented overseas. When you order a land line from a local Bell company like Verizon, your name and number are recorded in one or more of these databases. These databases are used for all sorts of services such as caller ID and E-911. Of course, with a prepaid cell phone, no name is associated with the cell number in the database.
In the land line network, there are plenty of places where names and addresses are associated with a specific telephone number. When the government wants to tap it, they go and get a warrant. Cut and dry.
But let's say Mr. Terrorist is somewhere in Maryland between Baltimore and Washington DC, and he is using a prepaid cell phone he bought with cash. His NPA (area code) can be 240, 301, 410, 443, 202, or 703 depending on his carrier. Each one of those NPAs can have up to 792 NXX codes assigned to it. And each one of those NXX codes can have up to 10,000 numbers. Now we're really starting to see a problem. The government already knows which blocks are owned by prepaid cellular carriers, but there are still hundreds of thousands of telephone numbers in one small region to sift through. This guy may only pop up for a few hours before trashing his phone – I know I would!
How does the FBI or NSA tap his phone based on the number? Here’s what I suspect has been happening behind the scenes with the FISA battle.
It is physically impossible to monitor all the calls traversing the telephone networks. The tinfoil hat crowd likes to scream about the NSA “monitoring all our calls” but it just isn’t physically possible. When I worked for a long distance carrier we were processing around 1 million calls per day, per junction (a junction is a large central office), and our network had about 7-8 junctions. That was in the late 1990s. Call volume is much higher today. And that was one carrier out of many.
What we can look at, however, are the messages the telephone network uses to connect, maintain, and disconnect your calls. This process is known as call signaling, or call processing. In the old days, intercepting the call signaling of a large portion of the network was difficult since both the call processing and voice connection used the same physical circuit. Now, a signaling technology called Signaling System 7 (SS7) has made that job much easier – the signaling process has been decoupled from the voice circuit. All the SS7 messages are carried on a network separate from the network that connects the two phones together for the conversation. (For the techno-geeks among us, Wiki SS7)
Although the land line telephone network can operate without SS7, the cellular networks cannot. They all use SS7. Most likely the FBI and NSA are exploiting this portion of the telephone network. But remember, the SS7 network is only carrying call signaling messages. Inside those messages are the telephone numbers of the calling party and the called party, but no names. These messages containing each telephone number in a call can be stored in huge databases and mined for anomalies. The SIGINT folks are probably looking for call patterns – anything that will make the target stick out. If there is an interesting call pattern, then resources can be applied to actually monitor the conversation.
So, is it really wiretapping if the government is only monitoring call patterns and no names are associated with numbers? Is it really wiretapping if no voice conversation is monitored? I don’t know. That’s for the lawyers to decide. I do know that the amount of data collected would be incredibly huge – for every telephone call there will be many SS7 messages generated. Multiply that by the hundreds of thousands of calls processed by the prepaid cellular carriers per day, and you start seeing the problem our law enforcement and SIGINT folks are tackling. Sifting through all these millions of call signaling messages is a huge undertaking.
Most likely the process is becoming more and more automated with signaling anomalies triggering the automatic monitoring and storage of conversations. Although this would make life much easier for the collection folks, this automation would be where the legal points become shaky since the warrant would have to be applied after the fact. I do not know for sure, but I suspect that total automation is feasible to a degree. It would still require a lot of resources. What if the trigger was in error and you recorded two innocent people, should you still have to get a warrant even if internal procedures ensured the recording was deleted? Sometimes innocent Americans get caught up in SIGINT collections overseas, and there are existing oversight policies to deal with that.
So, here we are so many paragraphs later and we’ve only seen the tip of the technical iceberg. But my intention was to provide a taste of what the managers at NSA and FBI are dealing with, and one can only imagine the pressure that was applied from on high to find solutions starting in October of 2001. How many of these terrorists were still floating around out there among millions of telephone numbers back then? How can we catch the right people while respecting the rights of the innocent? Personally, if I were in my SIGINT shoes back then, I would have pushed forward looking for a technical solution to finding these guys while the lawyers above me figured out the legal issues: “it’s easier to ask forgiveness than to get permission.”
And we haven’t even touched email, SMS messaging, chat, voice over IP, video, and the like. To quote Carl Sagan: “billions and billions” of messages.
It ain’t 1978 any more.
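The numbering rules described in the post, as an added example that is not part of the original post: it validates the NPA/NXX structure, reproduces the 792 figure by excluding the eight N11 service codes, sizes the six-area-code haystack, and groups number-only signaling records by carrier block. The block table, the sample records and all function names are constructed for illustration.

```python
import re
from collections import defaultdict

# N11 service codes (211 ... 911) are not assignable as area or office codes.
N11 = {f"{n}11" for n in range(2, 10)}
LINES_PER_BLOCK = 10_000  # line numbers 0000-9999 in each NPA/NXX block


def valid_code(code):
    """NXX rule: N is 2-9, each X is 0-9, and N11 codes are excluded."""
    return re.fullmatch(r"[2-9]\d\d", code) is not None and code not in N11


def count_codes():
    """Enumerate every three-digit code that satisfies the rule."""
    return sum(valid_code(f"{i:03d}") for i in range(1000))


def parse_nanp(raw):
    """Split a North American number into (NPA, NXX, line number)."""
    digits = re.sub(r"\D", "", raw)
    if len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]  # drop the country code
    if len(digits) != 10:
        raise ValueError(f"expected 10 digits, got {len(digits)}: {raw!r}")
    npa, nxx, line = digits[:3], digits[3:6], digits[6:]
    if not (valid_code(npa) and valid_code(nxx)):
        raise ValueError(f"NPA/NXX breaks the numbering rule: {raw!r}")
    return npa, nxx, line


def upper_bound(npa_count):
    """Most numbers that could exist under the given count of area codes."""
    return npa_count * count_codes() * LINES_PER_BLOCK


def summarize_prepaid(records, prepaid_blocks):
    """Per-number call count and distinct peers for numbers in listed blocks.

    records: iterable of (calling, called) strings, numbers only, no names.
    Records with a number that fails to parse are counted and skipped.
    """
    stats = defaultdict(lambda: {"calls": 0, "peers": set()})
    skipped = 0
    for calling, called in records:
        try:
            parties = [parse_nanp(calling), parse_nanp(called)]
        except ValueError:
            skipped += 1
            continue
        # Look at the record from each side: caller first, then callee.
        for me, peer in (parties, parties[::-1]):
            if me[:2] in prepaid_blocks:
                key = "".join(me)
                stats[key]["calls"] += 1
                stats[key]["peers"].add("".join(peer))
    return dict(stats), skipped


# Constructed inputs: the block table and records are invented for this
# example (555-01xx line numbers are reserved for fictional use).
PREPAID_BLOCKS = {("240", "555"), ("443", "555")}
RECORDS = [
    ("+1 (240) 555-0101", "301-555-0150"),
    ("240-555-0101", "1-703-555-0199"),
    ("410 555 0123", "443.555.0177"),
    ("202-555-0142", "301-555-0150"),  # neither side is in a listed block
    ("240-555-0101", "301-155-0100"),  # malformed: NXX cannot start with 1
]

if __name__ == "__main__":
    print("codes per rule:", count_codes())
    print("upper bound for six area codes:", upper_bound(6))
    stats, skipped = summarize_prepaid(RECORDS, PREPAID_BLOCKS)
    for number, s in sorted(stats.items()):
        print(number, s["calls"], sorted(s["peers"]))
    print("skipped records:", skipped)
```

Six area codes give an upper bound in the tens of millions of possible numbers, and the block table is what cuts that down before any per-number pattern is examined.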
If Bob Devine is right, and he makes a plausible case, one would think that the Bush administration could defuse the situation by explaining it to Feingold, Dodd, etc. These are not stupid people, nor are they going to share the details, which are too complicated for them to readily pass on anyway.
But instead, the Bush administration stonewalls. Given their knee-jerk propensity to lie about everything, the only rational reaction is to assume that they are lying about warrantless wiretapping, too. Given Bush's record of utter disdain for Congress and the Constitution, how can this hapless bunch of bozos called Congressmen and Senators grant Bush authority to do anything? And dare they look at themselves in the mirror without shame the morning after?
Posted by: JohnH | 25 June 2008 at 12:36 AM
While I'm hardly an expert, I spent a brief stint working for a cellphone company, and have some background in computer science, and I'm not actually convinced a disposable cell phone is that reliable a method of avoiding detection. At least detection by the NSA. Probably works quite well if you're the friendly neighborhood dope dealer. If the NSA has a back door into the cellphone companies' databases (as has been alleged) then they have, at minimum, the following information on every phone number: the time the number was activated, the type of account, how the phone is activated and how much it has been used. It wouldn't be too taxing to put together a list of every prepaid cell phone activated in the last week, that's been used for less than, say, an hour. I doubt they're monitoring everything. But if there isn't a metaphorical red light going off in a computer system somewhere when someone's first call on a prepaid cell phone is long distance collect to Pakistan or Yemen, I'd be shocked.
That said, your point that this is a difficult technical problem most likely exacerbated by political and legal concerns is well taken, and I have nothing but sympathy for the technicians who undertake it. My issues with the warrantless wiretapping have more to do with questions of executive privilege and legislative spinelessness than they do with the notion that phone conversations are being recorded. I'll leave it at that.
Posted by: Grimgrin | 25 June 2008 at 01:33 AM
CWZ
Can you help us non-techie geeks understand the following:
1. Why did AbuG and Andy Card go to the hospital bed to try and pressure Ashcroft to sign off on something that he refused? What could that something be?
2. Why did Comey refuse to certify the spying program? What do you think troubled him?
3. Why did Joe Nacchio and Qwest believe what the NSA requested of them was illegal? What could that have been? Why did the government then retaliate against Nacchio and Qwest?
4. Why is the government using "state secrets" as the only defense against all the law suits?
5. The EFF lawsuit with a sworn affidavit by an AT&T technician is that NSA had a "backbone tap"? What could such a tap be and what are the implications?
6. In Congressional testimony there have been references to data mining large volumes of data and concern that innocent Americans maybe unfairly caught up in the dragnet. What data are they mining?
7. Another issue is around "minimization" - meaning if the NSA determines that they picked up information on an innocent American they will destroy any data collected - that's what is in current FISA. Why are the intelligence agencies and this Administration fighting this so hard? Why do they want to retain data collected on innocent Americans?
8. It seems that the telecom companies in complying with the Administration's request have broken the law since they and the Administration are fighting tooth and nail to retroactively change the law to make what was once illegal suddenly legal. Why?
9. The FISA law that was passed in 1978 is the outcome of the Church commission investigation on illegal spying on Americans by our intelligence agencies. We fought the cold war against a serious adversary who was very astute technologically and who had a solid and competent intelligence apparatus with no difficulty with that same FISA law. What is materially different with some cave dwelling non-state actors in the middle of the Hindu Kush that threatens the "existence" of the USA that this Administration felt the need to break this FISA law in secrecy and is now fighting to make all their illegal actions retroactively legal?
Something doesn't add up. And when it comes to this Administration and politicians of both parties and the intelligence agencies considering what transpired in the 50s, 60s and 70s I think it pays to be skeptical. Fundamental constitutional liberties once lost can never be regained, IMHO.
Posted by: zanzibar | 25 June 2008 at 01:50 AM
I'm sorry Pat, but you are seriously behind the times in electronic capability.
A three minute phone call takes up about 1.5 meg of hard disk space.
A million 3 minute phone calls consumes about 1.5 terabytes of hard disk space.
You can buy a terabyte of hdd space for less than $500. (and that gives you instant access, if you go to removable media like DVDs, the cost goes way lower, but the pita factor goes up)
There is absolutely no reason why they can't be recording every long distance call in the USA (and storing them, waiting for something to point them at a particular phone call later)
Posted by: Ael | 25 June 2008 at 01:55 AM
Thanks to CWZ for framing some of the issues so well. Presumably other (non-U.S.) intelligence agencies are interested in similar traffic analysis. At the risk of exposing my tin-foil hat, I'd be interested in hearing a technical discussion regarding the kind of capabilities the Israeli firm Amdocs would have as a result of its role in handling billing for major U.S. carriers, and also the suitability of having the Israeli firm Verint (aka Comverse Infosys) as a major CALEA player. If the internet (and Fox News) chatter in this regard is mere drivel, I'd be happy to learn why that is so. Otherwise, I'd like to hear some discussion of the role of COMSEC in U.S. domestic governance, and more specifically, the actual consequences of such foreign monitoring of U.S. telecommunications. The case of Monica Lewinsky comes to mind, although its COMSEC aspect may be just a red herring. In any case thanks again to CWZ. It was refreshing to read not only the discussion, but also, and especially, the admission of fallibility.
Posted by: Hannah K. O'Luthon | 25 June 2008 at 02:54 AM
With the availability of essentially unbreakable encoding schemes for free (e.g. Pretty Good Privacy) and the knowledge that the bad guys are going to create a ton of chaff to conceal their real messages, is wiretapping me really going to do any good?
Posted by: arbogast | 25 June 2008 at 03:46 AM
The tinfoil hat crowd likes to scream about the NSA “monitoring all our calls” but it just isn’t physically possible.
The tin man being the companion to the straw man. Sheesh.
The objection isn't about Geo. Bush monitoring my calls. It's that 1) Geo. Bush dismantled FISA by executive fiat - part of a broader effort by this administration to dismantle Congress' constitutional role - and 2) the new regime was implemented with zero - zero - oversight.
Posted by: Andy Vance | 25 June 2008 at 06:34 AM
I'm pretty left politically, and agree with your piece and add my own set of doubts.
I've never understood how it would work if the intention was to monitor ALL phone calls and email. It would be physically impossible for any government to have a bank of folks with headsets on listening in on all phone calls. So the calls would have to be harvested and stored on some kind of media and processed later. Not only that, no terrorist worth his salt would say to his correspondent, "hey, we'd better switch over to English since the American Intelligence agencies are so poorly gifted with multi-lingual snoops." So, we'd have to rely on translation software and we've all chuckled over examples of how well that works.
Imagine, calls are logged onto media somewhere, run through translation software, a filter of hot words or phrases run on that, and then someone attempting to determine if this "hit" should be assigned for some level of follow-through. How many agents will that take?
But it does not stop there - the results of the follow-through have to be fed back to the persons developing and refining the filters so as to throw out the bad parts of the algorithm ( I think the quality of follow-through would plummet if most of the things assigned out for field follow-through turned out to be nonsense ), and refine the good. A pretty massive undertaking in itself.
Posted by: Frank | 25 June 2008 at 07:59 AM
it appears that you might want to also 'expound' on for example some missing key item[s] -- 'guidelines'. example ussid18, or dod 5240.1-r, or ag guidelines for foreign intelligence collection and foreign counterintelligence investigations, just for starters. it's the attitude of “it’s easier to ask forgiveness than to get permission” that should be avoided as such can wind up trampling over existing laws on the books and the agency 'offender' winding up behind federal jail cell bars or at the least dismissed/released/fired from their 'air conditioned job'. and that hasn't even begun to approach right versus wrong what most refer to as the 'moral issue', the yin-yang, etc..
Posted by: J | 25 June 2008 at 08:03 AM
Ael-
I wrote this one, not Pat.
You are right, modern storage capacity can handle the recordings. It's getting those recordings in the first place that requires huge amounts of resources.
Posted by: Cold War Zoomie | 25 June 2008 at 08:04 AM
it's the attitude of “it’s easier to ask forgiveness than to get permission” that should be avoided as such can wind up trampling over existing laws on the books and the agency 'offender' winding up behind federal jail cell bars or at the least dismissed/released/fired from their 'air conditioned job'.
Thanks for highlighting this J.
My point here is not that it is right to behave that way, but that the temptation will be so great to do so.
The main gist of my post was to show that there are very complicated technical challenges that the intel folks must balance with the law, and it wouldn't have been easy on 12 Sep 2001 to do that.
And we have to have an honest debate about this reality rather than partisan rhetoric.
Posted by: Cold War Zoomie | 25 June 2008 at 08:18 AM
To add to what Andy said about straw men.
First, your nice little scenario assumes that the government is following sound minimization approaches. Since we know that they've tapped Christiane Amanpour and Lawrence Wright, we know that's not true. Wright, at least, was brought into an actual tap, based on the "six degrees of separation" approach that is no doubt driven by call data analysis, but which demonstrably did not have adequate safeguards for private citizens. The proposed bill does not allow the courts to review the actual minimization (just the procedures), which means you're going to continue to have these errors that violate the privacy of Americans.
But the other problem is that the telecoms, after having received 2.5 years of authorization letters that, in compliance with other law, were signed by the AG, all of a sudden accepted one in March 2004 that was signed by the White House Counsel. And in spite of all the high priced legal support they've got, they apparently didn't even balk; they just kept collecting data. Now, call me crazy, but sending corporations the message that they can do whatever they want to American citizens, in clear violation of American law, so long as the President's own lawyer says it's okay--that's a really scary precedent.
Posted by: emptywheel | 25 June 2008 at 08:24 AM
Andy-
My tinfoil hat comment is something I've been hearing for years and years. This was an opportunity to respond!
Cheers....
Posted by: Cold War Zoomie | 25 June 2008 at 08:28 AM
thanks for the insights and clarifications. More would be appreciated. From, in the context of this blog, one of the "lefties".
Posted by: frank durkee | 25 June 2008 at 08:37 AM
This is typical American paranoia. Will we ever be paranoid enough?
Hard-core professionals won't get caught by any of these means, but then, the hard-core are presumably acting on behalf of sophisticated foreign governments. Israel, for example.
Posted by: Dave of Maryland | 25 June 2008 at 08:53 AM
If the NSA has a back door into the cellphone companies' databases (as has been alleged) then they have, at minimum, the following information on every phone number: the time the number was activated, the type of account, how the phone is activated and how much it has been used. It wouldn't be too taxing to put together a list of every prepaid cell phone activated in the last week, that's been used for less than, say, an hour. I doubt they're monitoring everything. But if there isn't a metaphorical red light going off in a computer system somewhere when someone's first call on a prepaid cell phone is long distance collect to Pakistan or Yemen, I'd be shocked.
Thanks for this tidbit, Grimgrin.
My background is in terrestrial networks, not the cellular. I know just enough about the cellular guys to be dangerous.
Emptywheel-
You are way more up to date on the political and legal issues than I am. That is way out of my comfort zone.
My point here was to just give a snapshot of a different aspect to the argument. That there are going to be good people facing huge technical challenges to catch the "evil bad guy."
Posted by: Cold War Zoomie | 25 June 2008 at 08:59 AM
All-
Here's a disclaimer: I've been out of the SIGINT business for over a decade, and was a technical guy who maintained the systems. I did not work in the higher levels of operations, policy and planning. So...
Zanzibar-
I can't answer the political stuff. But these I can:
5. The EFF lawsuit with a sworn affidavit by an AT&T technician is that NSA had a "backbone tap"? What could such a tap be and what are the implications?
My memory is that NSA had tapped a tier 1 Internet router in San Francisco. That router would be carrying TCP/IP (Internet) traffic, not cellular traffic. Well, most likely not cellular traffic unless a cell call was converted from circuit-switched to IP by some IP "carrier." But that router would have mainly carried traditional IP traffic on the Internet backbone rather than cellular calls.
6. In Congressional testimony there have been references to data mining large volumes of data and concern that innocent Americans maybe unfairly caught up in the dragnet. What data are they mining?
In my scenario, they would be mining call signaling messages. But your question could be about all sorts of TCP/IP traffic on the Internet. I don't know.
Posted by: Cold War Zoomie | 25 June 2008 at 09:10 AM
Zoomie
Great technical info and extremely helpful. Thanks.
From what I can tell, the criticism of FISA is not coming exclusively from the left, as many conservatives do not want to see executive orders eviscerate the 4th Amendment. As John Dean wrote, “Bush and Cheney want to make permanent unchecked Executive powers to electronically eavesdrop on anyone whom any President feels to be of interest.” Here’s the Dean article from Findlaw:
http://writ.news.findlaw.com/dean/20071019.html
Dean relies heavily on the work of G. Washington law Professor Daniel Solove. Here is his website.
http://docs.law.gwu.edu/facweb/dsolove/
Without any possibility of civil liability against the telecoms, then the ability to erode further the 4th Amendment protections becomes that much easier. As Dean makes clear, this is part of the motive for the recent legislation that grants immunity to the telecoms. If a jury popped the telecoms with a judgment -- and Verizon as well as others were sweating bullets -- then political pressure would arise to make sure the individual was protected.
Posted by: Sidney O. Smith III | 25 June 2008 at 09:12 AM
dave,
paranoid, who is 'paranoid'? especially when 'they' have been injected into our nation's telecomm networks, the 'theys' like amdocs, or comverse, jsi, verint, comverse infosys. with these 'israel based companies' watching/surveillance of our u.s. citizenry (to include 'their' surveillance of our fbi, nsa, dea, dod, etc.,) who needs to be 'paranoid', right? and given the big force behind the let's make sure the telecomms get immunity -- aipac. for if in the process of discovery it were discovered the israeli base companies involvement in the illegal surveillance of americans, and our american intel infrastructures, their israeli shredders would be working overtime. the discovery process that foreign storefronts like aipac want to avoid at all costs.
what does 'paranoid' mean anyway? snarf.
Posted by: J | 25 June 2008 at 09:22 AM
Now, call me crazy, but sending corporations the message that they can do whatever they want to American citizens, in clear violation of American law, so long as the President's own lawyer says it's okay--that's a really scary precedent.
Posted by: emptywheel
Hardly a precedent, EW, if you've been paying attention.
Former Atlanta Mayor and UN Ambassador Andrew Young:
"Nothing is illegal if 100 businessmen decide to do it."
I'm not sure when he said it but one can find glaring examples of this type of "precedent" as far back as you'd want to go in American history. But I agree with you. This is a problem that needs to be addressed. Either no one is above the law or some people are above the law. I think it has become the latter, and the poor get prison.
Posted by: JT Davis | 25 June 2008 at 09:30 AM
I have great respect for SIGINT, but petty domestic spying to satisfy political paranoia is not a good use of their time & abilities.
Posted by: Dave of Maryland | 25 June 2008 at 09:31 AM
Zoomie,
SOSIII is correct. This drives civil libertarians from across the political spectrum crazy. There are many on the right who have long been opposed to this infringement on an important right added to the BoR. It is one of those areas that involves the intersection of technology and law and the expanding and contracting concept of privacy as a loose construction of the constitution. The word is never mentioned in the Constitution. Case law has given us the concept of a zone of privacy and there are no rights without a remedy. The federal courts never bothered with the fourth amendment much until 1914 when Weeks v U.S. gave us the doctrine of the Exclusionary Rule. The states largely ignored it until Mapp v Ohio in 1960.
It's like trench warfare. Gain some ground, lose some ground, and technology usually outpaces the development of the law with the law playing catch-up.
I still refer to this. Brandeis in the Harvard Law Review on The Right to Privacy, 1890:
http://www-swiss.ai.mit.edu/6805/articles/privacy/Privacy_brand_warr2.html
http://www.rbs2.com/privacy.htm
Posted by: JT Davis | 25 June 2008 at 09:49 AM
Sorry to post off topic, but for David Habakkuk and others interested in the bush telegraph used to post dodgy intelligence info and smears in the American media by first using British or Israeli publications, Jim Lobe has an interesting article on The Telegraph's role in this and how the post-Rumsfeld Pentagon is using its stories far less frequently:
http://www.ips.org/blog/jimlobe/?p=161
Posted by: johnf | 25 June 2008 at 10:05 AM
Actually, getting the voice recording shouldn't take up a lot of effort either.
Switched voice toddles along at 64 kilo bits per second.
Let us take your example of a single node with a million 3 minute calls per day.
Assume that the busy hour takes 10% of them. So one hour handles 100,000 calls. 3600 seconds in an hour moving 100,000 * 1,500,000 bytes, or about 40 mega bytes per second.
Modern PC's have busses which can do several orders of magnitude better.
So pulling that information off the wire and putting it onto a disk isn't a problem for a single PC.
Note too, that all this stuff is inherently distributed, so you don't have to have it all go to one hard disk (even though you could).
Finally, all telecommunications equipment operates to established standards (to enable multiple vendors, etc). These standards makes for a nice playing field when operating across all the switches in the field.
I see no technical barriers to being able to record every long distance phone call in the USA for a reasonable (to the NSA) amount of money.
Posted by: Ael | 25 June 2008 at 10:08 AM