According to an explosive report in the Guardian on Wednesday, the National Security Agency (NSA) has been granted wide-ranging access to the call records of Verizon business customers. Under the arrangement described in court documents obtained by the Guardian, Verizon is required to hand over phone records for all calls made within the United States and calls originating domestically and reaching an international number. The Foreign Intelligence Surveillance Court — better known by its acronym, FISA — also ordered Verizon to hand over extensive metadata for the phone calls.
But what exactly is telephone metadata, and what is it good for?
First, have a look at the relevant section of the court order that describes what Verizon is required to provide the NSA:
IT IS HEREBY ORDERED that, the Custodian of Records shall produce to the National Security Agency (NSA) upon service of this Order, and continue production on an ongoing daily basis thereafter for the duration of this Order, unless otherwise ordered by the Court, an electronic copy of the following tangible things: all call detail records or "telephony metadata" created by Verizon for communications (i) between the United States and abroad; or (ii) wholly within the United States, including local telephone calls. This Order does not require Verizon to produce telephony metadata for communications wholly originating and terminating in foreign countries. Telephony metadata includes comprehensive communications routing information, including but not limited to session identifying information (e.g., originating and terminating telephone number, International Mobile Subscriber Identity(IMSI) number, International Mobile station Equipment Identity (IMEI) number, etc., trunk identifier, telephone calling card numbers, and time and duration of call. Telephone metadata does not include the substantive content of any communication as defined by 18 U.S.C. § 2510(8), or the name, address, or financial information of a subscriber or customer.
Some of what the NSA is receiving is fairly straightforward. "Originating and terminating telephone number" is exactly what it sounds like, as is "time and duration of call." But some of the other information is far more cryptic. Here’s what you need to know about the information the government is empowered to collect, according to this FISA court order.
(Many thanks to Allan A. Friedman, a technology expert at Brookings, for helping make sense of these various categories.)
Comprehensive communications routing information
The phrase "comprehensive communications routing information" is a catch-all term for the kinds of information the court empowered the NSA to collect. The term itself does not describe specific data and is fairly broad in terms of what it can include.
According to Friedman, it might include, for example, data tracking how a cell phone user moves from one cell phone tower to another while traveling — information that would obviously be useful for tracking the whereabouts of an individual. Interestingly, such data is not specifically named in the court order, and it’s unclear if Verizon provided that data to the NSA.
International Mobile Subscriber Identity [IMSI] number
The IMSI number is a system through which an individual user is tied to a phone. According to Friedman, the system was conceived as a way of facilitating billing for mobile users, essentially giving cell phone comapnies the ability to track customers through identifying codes.
Having the number itself does not provide the NSA with the identity of an individual cell phone user — but it would make it easier for the agency to determine a user’s identity. Unless the NSA managed to get its hands on that information through clandestine channels, it would probably have to return to court to obtain the information.
The IMSI number also provides important geographic information on the user. The first part of the typically 15-digit number identifies the network operator of a specific country, providing the NSA a handy shorthand guide to a user’s location.
International Mobile station Equipment Identity [IMEI] number
Whereas the IMSI number ties a user to a phone, the IMEI number is merely used to identify an individual phone. It is typically found in the battery compartment of a phone and, according to Friedman, is a system that was put in place in order to prevent cell phone "spoofing" — or the practice of cloning one phone to imitate another. When one phone begins broadcasting using the same IMEI number as another, a network can detect a spoof.
For the purposes of the NSA, the number is extremely useful in tracking individual pieces of equipment.
The trunk identifier provides additional data on how a call is routed through a telephone system and where it originated. In a landline system, for example, the trunk identifier can be used to identify the regional center through which a call is routed.
It’s a number that provides the NSA with an additional geographic data point on the calls they track.
Telephone calling card numbers
A useful method for preventing calls from being tracked to a specific number, telephone calling cards can be used to mask the origins of a phone call. If for example, I were to call you from Foreign Policy headquarters using a calling card number, my call would not come up as originating from FP but rather from the number associated with the card.
By collecting calling card numbers, Friedman explained, the NSA can at least begin to track the use of such numbers across different phones. This approach is, of course, easily counteracted by using different calling cards, but it allows the NSA to build up a network from which it can mine the information it seeks. If a person, for example, receives 10,000 calls from various calling cards, that would probably result in an automatic red flag in the NSA’s system.
The FISA court order contains a mysterious "etc." in its designation of the type of data Verizon is required to hand over to the NSA. Does that mean that the NSA is empowered to collect additional information not specified by the FISA court? We don’t know. Could the NSA perhaps be empowered to also collect what mobile phone users browse and download on the Internet under the authority of an "etc."?
It sounds unlikely, but, hey, so does the fact that Verizon would be required to hand over comprehensive call records.