HOW THE NSA WARRANTLESS WIRETAP SYSTEM WORKS
An Educated Guess
7 Feb 2006; revised 1 May 2006; 26 Sept. 2006
Note: this has been modified for formatting. No content has been altered.
MINI-TUTORIAL on our NATIONAL TELECOM INFRASTRUCTURE
If you need a broader background on networks and the Internet, it’s here.
The National Security Agency (NSA) is opening so many phone taps that it is physically impossible to obtain court-reviewed warrants. It is time to forget warrants and move on. This Administration certainly has.
The Foreign Intelligence Surveillance Act (FISA) Court has approved 18,742 requests for search warrants and rejected 4. Furthermore, a search can be started in hot pursuit and permission obtained retroactively up to 72 hrs later. Why is a secret court hidden from public view and biased in the government’s favor not good enough for the Bush administration?
ANSWER TO RIDDLE:
Getting warrants from FISA is impossible because the government runs computer algorithms that expand the spy net electronically to hundreds of people in a few minutes.
THE SOCIAL NETWORK
When an interesting call is found using the National Security Agency’s voice recognition computers, all inbound and outbound contacts to that person are automatically logged and that person’s social network is charted. This is an excellent strategy if you have a target of value to begin with. To find a group of conspirators, chart the group.
There are two technical problems with reconstructing social networks: exponential expansion, and speed.
When charting associates of associates, the circle of surveillance expands exponentially. The freedom to explosively expand the number of wiretaps requires the Administration to drop the practice of obtaining court-reviewed warrants. They have done so.
To gain speed when charting social groups, one would like to know who a target’s friends are without waiting for them to call. We return later to the use of telephone billing records to drive the exponential expansion without delay. First, some background on tapping phones.
COMPUTER-DRIVEN PHONE TAPS
Phone company switches open phone taps under government command.
Governmental ability to demultiplex switch traffic in order to drop a particular call out of the rivers of cross-country traffic has always been required. People who occasionally read a communications industry magazine have heard the big telecommunications companies complain over the past decade about the added cost to their switches from implementing this Federal requirement. The government has always had the ability to remotely command a commercial switch to tap traffic for a particular phone number. The Federal authority to command that a tap be opened comes most recently from the Communications Assistance for Law Enforcement Act (CALEA). CALEA was passed by Congress in 1994. The FBI maintains a public information site for CALEA: http://www.askcalea.net/
CALEA gives the National Security Agency direct command and control over telephone switches around the country.
Technological evolution is an orderly affair. What we can once do for one phone, we can soon do for many. Today, government computers in Fort Meade, Maryland set up and tear down eavesdropping taps by remote control all over the country, thousands per day. The National Security Agency holds the access codes and passwords for issuing the specified phone tap commands to any switch. Cell phone traffic passes through the same kinds of switches. Nobody is climbing a telephone pole here.
Legacy switches are remotely signaled to tap a call. The future evolution of National Security Agency technology as telecom company technology moves from these legacy switches to packet-based Voice Over Internet Protocol methods (VoIP) is in flux, and is discussed later.
CORPORATIONS GIVE PERSONAL PHONE RECORDS TO GOVERNMENT
The government asks, Who are the target’s friends? Some phone companies make calling records available so that the social network of any target can be opened at once without waiting for the target person’s phone to ring or dial out, thus revealing the target’s associates. The calling records that AT&T/SBC gives the government are about 300 terabytes in size (the “Daytona database”). The Electronic Frontier Foundation (the ACLU of the Internet) has filed a lawsuit against what they see as illegal corporate activity in the support of illegal government activity. http://www.eff.org/legal/cases/att/
Calling records can be summarized billing information for each call, or the raw, complete “Call Detail Record (CDR)”, the written record of the reservations made to place your call. The raw CDR is a log of timestamps as the switch in your neighborhood Central Office actually went through the steps of setting up (and eventually tearing down) one of your phone calls. Unfortunately, raw CDRs and their summarized versions intended only for billing purposes are both called “call detail records”. Many more true CDRs are generated than are saved in summary form, and each contains more information. True CDRs give both the called and calling number, sometimes for incoming as well as outgoing calls, and for unsuccessful as well as completed (billable) calls. What has the National Security Agency obtained from AT&T?
The basic CDR is a minimum of about 150 bytes long. Since the AT&T/SBC database contains information on about 2 trillion calls and is about 300 trillion bytes long, I assume the Daytona database consists of complete Call Detail Records (2 x 150 = 300). (Note: AT&T calls the CDR database “Hawkeye”. The Hawkeye installation is constructed and run with Daytona database management technology, which AT&T sells publicly.)
Call Detail Records are boring, and information on them is mercifully scarce, so I have provided this primer on Call Detail Records. Use your browser’s RETURN button when you can’t stand it anymore.
We now have a powerful surveillance program. Given calling record databases, there are no longer any delays when reconstructing any target’s social network. The target’s calling history is available in an instant from a data base dip, and an expanded circle of new phone taps is opened an instant later.
CORPORATIONS FACE FINES
Qwest’s lawyers’ advice to the company to resist the NSA’s pressure for phone records was well-grounded and explains the fervor of denials from the others.
The Telecommunications Act of 1996 Section 222 obligates telephone carriers to protect Customer Proprietary Network Information (CPNI) that includes logs of calls that individuals or businesses initiate and receive. As originally passed in the Telecommunications Act, phone companies were obligated to get an opt-in permission from consumers in order to sell the information, but a court decision in favor of an industry plaintiff overturned that ruling. Carriers now sell customer data to their affiliates, agents and joint venture partners. Some exchange of calling records among companies is of use technically to configure the network, but marketing uses are in dispute.
Federal Communications Commission Chairman Kevin Martin and Federal Trade Commissioner Jon Liebowitz urged lawmakers to ban the sale of consumer telephone information by online brokers and telephone companies. These two top Federal regulators were speaking on 2 February 2006 before a House Energy and Commerce Committee hearing probing the source of black-market telephone data (Call Detail Records) sold over the Internet, and Congressional Representatives from both parties agreed with them at that time to ban such sales.
The issue over “opt-in” vs “opt-out” protection of privacy would appear to be moot if all the records for all years since 2001 have already been sold under contract to the government, as reported on 11 May 2006 by USA Today. Billions of dollars in fines are at stake, since the Telecommunications Act authorizes the FCC to levy fines of up to $130,000 per day per violation, with a cap of $1.325 million per violation. Qwest certainly took the high road.
NSA’S PHONE CALL TECHNOLOGY IN A NUTSHELL
Summarizing, here is the National Security Agency’s scenario for telephony today.
Computers in Fort Meade send access codes and a command string to a telephone switch in a telco central office building in Buffalo or San Diego. Phone numbers are tapped by remote command. For example, we begin by tapping the entire Yemeni immigrant community in Buffalo or the Muslim community in San Diego. Speech recognition computers look for key words (“hijack”), emotion (the timing and cadence of excited speech), and the contextual anomalies of concealment. For example, there have been recorded wiretaps that discussed “the bride and groom” and the “wedding day” in the context of other words having nothing to do with a wedding, because, in the past, terrorists used “bride and groom” and “wedding day” to refer to martyrs and their date of attack.
Some phone callers show interesting speech; many others are dropped.
The calling records of the interesting phone numbers are searched using billing data for the past several years provided to the National Security Agency from leading American phone companies such as AT&T/SBC. Most people receive and make more than one call to about 100 contacts. Therefore, one hundred new phone taps are now opened and computer-screened for emotional speech, trigger words, and contextual oddity indicating concealment.
If we began with 100 interesting phone numbers from the community under inspection, we now have 10,000 active phone taps. Everything is computer-driven so far, and a single workday at Fort Meade is not yet over.
The number of different communities the National Security Agency can tap is large. Phone companies maintain about 22,000 central office buildings in the United States, and there are about 25,000 voice switches in them, each remotely addressable to open a phone tap. Communities which can be tapped include the re-election committees of candidates in all states; networks of donors pledging funds can be reconstructed.
Social nets of people whom the computers think make “interesting phone calls” to one another are defined and stored, presumably forever, as persons of interest. Computers compare these government lists to others (“data mining” for patterns across multiple, individual databases).
The geometrical expansion inherent in these methods is managed by promptly closing many taps not long after they are opened. An example:
A social contact who also makes “interesting calls” to a person of interest will have their calling records pulled up–three social levels. Fortunately, most of the 10,000 active phone taps now opened (100 social contacts of the starter x 100 associates per each of them is a circle of 10,000 people) yield no hits and are quickly closed. Let us suppose that only 600 new calls remain interesting. Therefore, instead of growing to 1,000,000 active taps (100 x 100 x 100), the National Security Agency’s “crawler” now adds only 60,000 calls (100 x 100 taps yields 600 keepers; 600 keepers x 100 new associates is a social net of 60,000, ignoring overlaps). Most of these will quickly be dropped, too. Short-term surveillance is hard to detect.
Establishing social networks within communities and among individuals requires tapping phones without probable cause.
Computers must be free to crawl through their databases and open every phone line along the way. Of necessity, many phone taps are brief and will be discarded.
Finding groups (e.g., everyone in a charity, all active contributors to a cause) is a good way to find conspiracies. Unfortunately and despite attempts to be selective, a system with geometrical expansion will yield many false positives. After all, only four “degrees of separation” will get you to all 100 million households in the United States when each phone has 100 contacts, all of them available in phone bill records.
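The expansion arithmetic above, carried level by level, as an added example (not part of the original paper). It uses the essay's own figures (100 contacts per phone, 600 keepers out of 10,000 taps, 100 million households) and, like the essay, ignores overlaps; the function and variable names are this example's own.

```python
from dataclasses import dataclass
from fractions import Fraction

CONTACTS = 100                    # contacts per phone (essay's figure)
HOUSEHOLDS = 100_000_000          # U.S. households (essay's figure)
KEEP = Fraction(600, 10_000)      # 600 keepers per 10,000 taps (essay's figure)


@dataclass
class Level:
    level: int        # social level: 1 = direct contacts of the starting numbers
    opened: int       # taps newly opened at this level
    kept: int         # taps that screening leaves open ("keepers")
    cumulative: int   # every number tapped so far, starters included


def chain(starters, contacts, keep_rate, levels, population):
    """Level-by-level tap counts, ignoring overlaps as the essay does.

    Only numbers kept by screening have their calling records expanded at
    the next level. The population cap stops the count at "everyone".
    """
    table, frontier, cumulative = [], starters, starters
    for level in range(1, levels + 1):
        opened = min(frontier * contacts, population - cumulative)
        kept = int(opened * keep_rate)
        cumulative += opened
        table.append(Level(level, opened, kept, cumulative))
        frontier = kept
    return table


def levels_to_cover(contacts, keep_rate, population, starters=1):
    """Social levels needed until every number in the population is tapped.

    Returns None if screening prunes the frontier to zero first.
    """
    frontier, cumulative, level = starters, starters, 0
    while cumulative < population:
        if frontier == 0:
            return None
        opened = min(frontier * contacts, population - cumulative)
        cumulative += opened
        frontier = int(opened * keep_rate)
        level += 1
    return level


if __name__ == "__main__":
    for label, rate in (("screened", KEEP), ("unscreened", 1)):
        print(label)
        for row in chain(100, CONTACTS, rate, 3, HOUSEHOLDS):
            print(f"  level {row.level}: opened {row.opened:>11,} "
                  f"kept {row.kept:>11,} total {row.cumulative:>11,}")
    print("levels to reach every household, no screening:",
          levels_to_cover(CONTACTS, 1, HOUSEHOLDS))
```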
At some point, therefore, human analysts inspect the computer harvest we have been discussing. It is possible that a court might be asked for a paper-based search warrant, particularly since any long-term surveillance that is started might be discovered. Also, warrants are still needed for black-bag jobs (breaking and entering secretly). If you have a really high-value target (suspected CIA double-agent Aldrich Ames, for example), the thing you want to do is run a black bag job and bug the house. Why settle for only conversations that occur on a telephone when you can get all the conversations by bugging the house? With a microwave beam for power, you won’t even have to go back in to change the batteries. Database-driven, computerized phone surveillance is technology designed for a fishing expedition, for a secret voyage of discovery.
NSA’s COMPUTING POWER
The National Security Agency (NSA) has the computing power to crawl the national phone system, to perform speech recognition on thousands of calls, and still screen most of the nation’s e-mails.
NSA’s supercomputing power is not measured in the teraflop speed of their fastest machine; rather, NSA computing power is measured in the number of football field-sized rooms they need to hold all their machines. Much of the money we spend on the National Security Agency (1996 estimates, $3.6 billion/yr; 2002 estimates by James Bamford are $4 to $5 billion plus $2 to $3 billion/yr for the satellites) goes towards buying computer power.
Over the past 20 years you may have noticed that most of the best, innovative and financially risky (no big market) projects to build the world’s best supercomputers build two machines, and the National Security Agency gets one. This has been a successful way to provide government support of American innovation and to give the NSA cutting-edge technology, needed primarily to get codes broken before too much time has passed.
The National Security Agency’s technological advantage extends from computers to storage systems. NSA uses the largest solid-state memory systems in the world (Texas Memory Systems; March 2004; over 2.5 terabytes/system) because they are more than 10x faster than the best arrays of disk drives (no moving parts). There is nothing classified here. These solid-state memory systems are “COTS” — Commercial Off-The-Shelf products. For most agencies or corporations, the mission would not justify the expense.
Language translation is currently being added to speech recognition capability. Computers have difficulty with both jobs, but the National Security Agency is a world leader. Its work might more advantageously be commercialized and sold worldwide rather than hidden and narrowly applied.
E-MAIL: EASY & HARD AT THE SAME TIME
“…the Internet and e-mail are the most surveillance-friendly media ever devised.”
M.A. Caloyannides, Mitretek Systems, writing in Institute for Electrical and Electronic Engineers SPECTRUM, May 2000, p. 47.
I turn from telephony to e-mail.
The amount of new phone taps that can be created, and the speed with which they can be opened (and usually closed again) when the system is computerized and algorithmically driven, have exceeded safeguards based on judicially-reviewed warrants. Those safeguards were developed for a phone tap that opened when commands were sent manually by an analyst or investigator to a single remote telephone switch. However, there are still technological limits to phone surveillance that have yet to be surmounted in the areas of speech recognition. This is what limits how many taps are opened in practice. E-mail is a different story. It is within the National Security Agency’s technical grasp to scan most e-mails in the country.
E-mails are easier to sift than phone conversations because a text message is 2000 times shorter than the same message spoken as an audio recording. More important, perhaps a million times greater computational effort is needed to “parse” an audio stream into words and figure out what the words are. So, by the nature of the beast, e-mails are easier to filter than phone calls, two billion times easier. If the NSA is computationally capable of tapping and computer-monitoring a thousand phones, then they are computationally capable of scanning a few trillion e-mails.
How to get e-mails and the computers in Fort Meade together is a problem. The computers can’t be moved, so we must move the e-mails.
Traditional, circuit-switched phone calls are easy to tap. One can ask any switch to open a tap and send you the calls and no one will be the wiser, provided you are a domestic government that has been given the access codes, or a foreign government that has quietly stolen them. (Would Congress be informed? Would the foreign power be named?)
E-mails, like all services on the Internet Protocol (IP) platform that we call the Internet, are forwarded by routers, not switches, and routers are different. Up until now, routers could not be remotely commanded to send a tapped transmission to Fort Meade. The Internet is also a packetized network that breaks long emails into short packets and mixes them with packets for other services (e.g., Web browsing). The issue of sorting all the packets out again (email, not Web, John’s not Mary’s) is a crucial one for social policy makers, because the technology dictates that, to get anything, you must sort out everything. But first, NSA must get the packets, and so we turn first to traffic diversion.
WHISTLE-BLOWER: Without remote-control taps for the Internet, NSA must install its own taps to route the mail to Maryland. Logically, one expects NSA to set up special rooms in the buildings of friendly phone companies to tap Internet traffic. A whistle-blower named Mark Klein recently learned of such a secret room at his place of work in San Francisco, and tipped off the press. http://arstechnica.com/news.ars/post/20060412-6585.html
Shortly after San Francisco was tapped in 2002, industry workers in California ascertained that rooms to tap Internet traffic and send it off to NSA for scanning were created in Seattle, San Jose, Los Angeles and San Diego. See Wired magazine for April 2006.
These crude first steps with “secret rooms” must suffice until better routing technology can be deployed.
EXTENDING SURVEILLANCE TO THE INTERNET
Internet surveillance requires that routers be modified for remote-controlled tapping just as the Communications Assistance for Law Enforcement Act of 1994 (CALEA) required that telephone switches be modified.
In 2005, the FCC issued a ruling (Order and Further Notice of Proposed Rulemaking FCC 05-153) requiring the telecommunications industry to provide the Federal government with the ability to remotely redirect traffic from
- facilities-based broadband Internet providers, and
- Voice Over Internet Protocol (VoIP) providers who place calls to or from the Public Services Telephone Network (PSTN).
All providers that meet the definitions above must comply with the ruling within 18 months of November 14, 2005 (May 2007). Rebuffing requests for exemptions, the FCC insisted in May 2006 that the networks of universities and public libraries be technically equipped for remote tapping in real time by the government. Court battles ensued.
Since the R&D and capital investment needed to give key elements (servers, routers, data centers) of the national data networking infrastructure this new remote-command facility is expensive, arguments arose over who should pay for it (“cost recovery”). Some argued that, if Yahoo or Google provide email servers and service, then they “own the customer” and they, not carriers, should pay to make it feasible and efficient for the government to monitor any email it chooses.
A new surveillance industry has sprung up to facilitate compliance with the now-extended CALEA law. These are companies in communication with the government who will tap, replicate and redirect your traffic (http://www.ss8.com/li.php) for telecommunications companies (e.g., http://www.ss8.com/internet.php). Groups who cannot afford to put privacy taps into their networks that the government can remotely open and shut can pay “trusted third parties” to pry into their customers’ traffic for them, as requested by law enforcement officials.
INTERNET SURVEILLANCE REQUIRES PACKET SORTING
Legislation, judicial oversight and technology for “tapping a phone line” on the legacy infrastructure for voice traffic cannot be extended to the Internet because the Internet has no phone lines.
In another century, we built archaic networks, one just for phone calls, one just for television shows, one for email (and later, looking at Web pages). It was one expensive national infrastructure for each function, one after another, over and over. The nation is now making a transition to a converged network that does everything everyone remembers doing “back then”, and keeps coming up with new things few ever imagined they might do: e-commerce, distributed computation and storage, music downloads, online gaming, blogs, photo sharing, vehicle registration, online stock purchase, online medical advice.
The Internet is a converged network of many services traveling in parallel streams at the same time. The Internet is also a packetized network in which each stream is broken up into chunks, and the chunks are mixed — there are no “channels” for email. Individual chunks are called packets. A packet is one part of one service for one person: part of an email sent, or part of a Website visited. Finally, packets for hundreds to millions of users are gathered and mixed together. The packets travel in swift streams and mighty rivers that converge and cross our continental nation. Packets reach their destination as a succession of routers look at their “to” address and move them closer to their destination, one step at a time. Typically, no paths are created in advance.
Extending last century’s “tap” of a telephone “line” to this century’s national infrastructure that has no lines means sorting the packets out for all the services that today support all the social interactions in our lives. Then from the sorted piles, the surveillance program takes . . . what?
At this juncture, we already have whistle blower reports of email tapping (above). Any technology project leader would advise the National Security Agency to take all the e-mail traffic. It is compact. Scanning it at Fort Meade headquarters is less trouble than sorting it out in the first place.
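The sorting step described above, as an added example (not code from the original paper or from any product it names): a mixed stream of constructed IPv4 packets is sorted by subscriber and service, and pulling out one person's e-mail still means parsing the header of every packet in the stream. The addresses, the names John and Mary, and the port-to-service table are assumptions of the example.

```python
import socket
import struct
from collections import defaultdict

PROTOCOLS = {6: "tcp", 17: "udp"}
# Assumption of this example: a service is recognised by its well-known port.
SERVICES = {("tcp", 25): "email", ("tcp", 80): "web", ("udp", 5060): "voip"}
# Constructed subscriber addresses (private address space).
SUBSCRIBERS = {"10.0.0.5": "John", "10.0.0.6": "Mary"}


def build_packet(src, dst, proto, sport, dport, payload=b""):
    """Build a minimal IPv4 packet for the sample stream (checksums left at 0)."""
    if proto == "tcp":
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
        number = 6
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
        number = 17
    total = 20 + len(l4) + len(payload)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, number, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    return header + l4 + payload


def classify(packet):
    """Return (src, dst, service) read from the IP and TCP/UDP headers."""
    header_len = (packet[0] & 0x0F) * 4          # IHL field, in 32-bit words
    proto = PROTOCOLS.get(packet[9])
    src = socket.inet_ntoa(packet[12:16])
    dst = socket.inet_ntoa(packet[16:20])
    if proto is None or len(packet) < header_len + 4:
        return src, dst, "other"
    sport, dport = struct.unpack("!HH", packet[header_len:header_len + 4])
    service = SERVICES.get((proto, dport)) or SERVICES.get((proto, sport)) or "other"
    return src, dst, service


def sort_stream(stream):
    """Sort every packet into a (subscriber, service) pile; count headers parsed."""
    piles = defaultdict(list)
    inspected = 0
    for packet in stream:
        src, dst, service = classify(packet)     # no pile is known before this
        inspected += 1
        owner = SUBSCRIBERS.get(src) or SUBSCRIBERS.get(dst) or "unknown"
        piles[(owner, service)].append(packet)
    return piles, inspected


# Constructed sample stream: two subscribers, three services, interleaved.
MAIL, WEB, SIP = "192.0.2.25", "192.0.2.80", "192.0.2.60"
STREAM = [
    build_packet("10.0.0.5", MAIL, "tcp", 40001, 25, b"MAIL FROM:<john@example.org>"),
    build_packet("10.0.0.6", WEB, "tcp", 40002, 80, b"GET / HTTP/1.1"),
    build_packet("10.0.0.5", WEB, "tcp", 40003, 80, b"GET /news HTTP/1.1"),
    build_packet("10.0.0.6", MAIL, "tcp", 40004, 25, b"RCPT TO:<bob@example.org>"),
    build_packet("10.0.0.5", SIP, "udp", 5060, 5060, b"INVITE sip:alice@example.org"),
    build_packet(MAIL, "10.0.0.5", "tcp", 25, 40001, b"250 OK"),
    build_packet("10.0.0.6", WEB, "tcp", 40002, 80, b"GET /style.css HTTP/1.1"),
]

if __name__ == "__main__":
    piles, inspected = sort_stream(STREAM)
    for (owner, service), packets in sorted(piles.items()):
        print(f"{owner:5} {service:6} {len(packets)} packet(s)")
    print(f"headers parsed to isolate John's e-mail: {inspected} of {len(STREAM)}")
```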
Where does the Patriot Act fit? If we refrain from tracking the books you borrow at the library, will the computers be programmed to discard packets showing which books you bought at amazon.com? Will Congress check the software every day?
The extension of surveillance to the Internet is occurring without Congressional review or legislation through FCC rule-making. The FCC’s changes are couched as extending CALEA from one kind of phone call to another. No physical science person seems to have explained to a social science person that tapping a voice call on the Internet means tapping the entire Internet.
The National Security Agency must initially place the routers that sort the packets close to every neighborhood Central Office or cable-TV “head end” location. In our communities at the edge of the network, speeds are slow enough to inspect every packet lined up in a buffer before it is shipped out. Furthermore, the entire stream of one subscriber’s mailing, browsing and other activities passes through one point. After packets have routed randomly across the nation, a national system would be needed to recollect them. The packet-sorting routers now used are made by Narus, Inc. Narus asserts that their “Lawful Intercept module is compliant with CALEA . . .[and] enables packet-level, flow-level, and application-level usage information [to be] captured and analyzed as well as [capturing the] raw … packets [themselves], for forensic analysis, surveillance or in satisfying regulatory compliance for lawful intercept.” As technology improves, surveillance can move away from insecure neighborhood locations to more secret central data exchanges.
DEEP PACKET INSPECTION FOR INTERNET SURVEILLANCE
Being able to read messages or at least their identifying headers as they travel (termed “deep-packet inspection & filtering”) provides a foundation for three striking and strikingly different recent developments. There is a common bond between
- e-mail spying technology in the USA,
- technology for Internet censorship by foreign governments, and
- technology for privatization of the Internet
NSA promotes deep packet inspection technology to make traffic surveillance, sorting and forwarding more intelligent. Their concern is finding which packets are carrying e-mail or a Voice over Internet Protocol (VoIP) phone call.
Cisco modified their own routers’ deep-inspection capabilities in order to sell top-of-the-line routers to China in support of Chinese censorship of the Internet. (Cisco denies the claim.) The Chinese are interested in which packets are going to interesting Web sites.
There is also a push by cable TV and incumbent phone companies to privatize the Internet rather than accept the same common carrier status that earlier transportation and communication networks have acquired. http://www.democraticmedia.org/issues/netneutrality.html
Giving wealthy or otherwise privileged customers preferential service also depends on using deep packet inspection to know who owns every packet, not just where it is going. The entrenched telecom operators are interested in which packets originated with preferred customers.
The alternative to privatizing the Internet is common carrier status. A common carrier has publicly published tariffs and anyone who pays them gets the same transportation services. In the early 1800s, we gave common carrier status to the canal system, and to the toll roads and the inns (road houses) where travelers had to rest. Rates are posted behind the door to your hotel room to this day. In the late 1800s, we gave common carrier status to the railroads, and in the 1900s we gave common carrier status to the national phone system. All of these networks created untold wealth. New communities sprang up across the length and breadth of the landscape because these transportation and communication networks were configured to serve the public as a whole. Giving the Internet common carrier status will create similar wealth in our own century.
One wants to know who a target’s interesting associates are so that only the interesting phone calls need be surveilled. Today, calling records define those who phoned one another as “interesting”. Tomorrow your phone may be tapped because you were once geolocated to the same park bench as some other person.
The definition of “transactional information” (billing records) was extended to data about your physical location, something that cell phone records contain. As of a 20 December 2005 ruling, Federal officials do not need “probable cause” to track your physical location. Cell phone companies were required by law to produce this information in the name of aiding the 911 emergency calling system.
It’s hard to imagine the state of surveillance that may be coming, but the American Civil Liberties Union has tried in this well-known video.
Old safeguards do not work with new technologies.
There is no time for warrants. Logic compels the Administration to deny warrants were needed in the first place. It has done so.
Congress legislated in CALEA (1994; 47 U.S.C. §§ 1001-1021) that the telecommunications industry must enable the National Security Agency to tap any phone at will, by remote control. What can be done for one phone line can be done for many. This legislation is now the foundation for an automated system that is concealed from those who made it possible in the first place.
The system run by NSA needs the private call records of all telephone subscribers in the United States, and it needs the Internet e-mail traffic carried by all broadband providers. These needs drive NSA’s current covert behavior.
Corporate complicity of Internet and telephone companies is known. Corporate complicity of cellphone and fiber optic transport corporations may be assumed.
“Probable cause” for violating privacy does not exist in database driven surveillance technology. The next phone is tapped because both numbers appear in the Call Detail Record of a telephone switch. The next email address will be filtered because both people flew to the same city on the same day, or had cellphones geolocated to the same park at lunchtime, or use the same ATM machine or passed under the same electronic toll collector (“EZ-Pass”).
Order and Further Notice of Proposed Rulemaking FCC 05-153 of the Federal Communications Commission (November 14, 2005; effective May 2007) extends the foundation Congress created for surveillance of a phone line to the surveillance of packets traversing the Internet. If a phone call occurs entirely on the Internet, then the only way to find it is to decode all packets for all services to all subscribers. The NSA does so, and currently harvests e-mail streams as well as voice streams. China uses similar technology, but is more interested in HTTP packets (Web browsing).
Clearly, these new technologies can be used to prevent anyone from obtaining and exercising political power, including, perhaps, terrorists.
(This white paper has been sent to a few policy makers with the following reminder that it is speculative.)
The laws of science hold for everyone. Applied science and technology flow from these laws. The applied science and technology that I can understand and in principle access are little different from the applied science and technology available to anyone else at a given moment in history. Thus we can be confident that this assessment of what NSA can do and how they do it is broadly accurate. Indeed, an informal reviewer with 25 years experience in the industry commented, “Nothing in your piece is contrary to my technical knowledge of encryption, telephony, voice recognition or data mining techniques.”
From the science alone, however, I cannot assess how many resources the NSA is throwing at these problems. I do not know whether it is decided to open dozens or thousands of phone taps on a given day. Science does not reveal administrative policies for picking targets. These are matters of political oversight, and political oversight goes well beyond my job description. That is why I have written to you.
Jerry Nelson, Ph.D.
Institute for Electrical and Electronic Engineers
Society for Neuroscience
Optical Society of America
jerry-va removethistext at speakeasy.net
7 May 2006, Rev 9Aug2006, 26Sept2006
Minor Rev 30Jul07
NSA campus, Ft. Meade, MD
You can tap only one phone line, but on the Internet you can only tap everything because there are no lines. In the name of extending phone surveillance to VoIP on the Internet, we extend surveillance to all on-line activities.
I invite you to savor the excitement of the times and treat yourself to a look at the technology inside the telecommunications revolution. If the Mini-tutorial leaves you with an understanding deeper, truer and more powerful than that of many around you, I’m sure you can handle it with style. For information on the Foreign Intelligence Surveillance Act itself, the court that administers it, and many related links, see the Federation of American Scientists:
http://fas.org/irp/agency/doj/fisa/
Originally posted here.