Clearly it's time to make a little tinfoil hat for my phone.
posted by BigHeartedGuy at 4:31 PM on July 9, 2012 [1 favorite]

We should give those guys a tax break to compensate them for all of their patriotic service.
posted by feloniousmonk at 4:33 PM on July 9, 2012 [2 favorites]

Seems like a surprisingly low number to me. I had imagined more; in the thousands each given they cover millions of customers.
posted by astrobiophysican at 4:40 PM on July 9, 2012 [1 favorite]

Seems like a surprisingly low number to me.

It's amazing how much more efficiently you can work with good tools.
posted by mhoye at 4:45 PM on July 9, 2012 [2 favorites]

We should give those guys a tax break to compensate them for all of their patriotic service.

And job creation. Not only surveillance jobs but think of all the otherwise-out-of-work torturers who'll get fresh victimsclients because of this work.
posted by DU at 4:46 PM on July 9, 2012 [2 favorites]

In addition, several carriers disclosed that they sometimes provide all the information from a particular cell tower or particular area. Metro PCS for example charges:

$50 for Cell Tower Dump per tower for a 2 hour period
$100 for an Area Dump (if you know the location but do not know the cell towers that affect the area) for a maximum of 2 cell towers for a 2 hour period per cell tower search

Everyone whose phone has been used by a particular cell tower over a particular time period—likely hundreds or thousands of people—could have their data examined by investigators. And these dragnet data requests are on the rise. Verizon estimates that over the last 5 years it has seen an average increase of 15% annually, and T-Mobile reported increases of approximately 12%-16%. This has also led to at least some possible abuse; T-Mobile disclosed that in the last three years it has referred two inappropriate law enforcement requests to the FBI.

Yikes.

Also interesting is the fee structure. I wonder what the margin is.

This is a more detailed look at the results of ACLU's FOIA request on the issue, including info on proposed legislation aimed at reining some of this in.

We can add this collection [PDF] of manuals (and price lists) for law enforcement agencies seeking cell phone data to the banality of evil pile.
posted by notyou at 4:48 PM on July 9, 2012 [1 favorite]

Seems like a surprisingly low number to me. I had imagined more; in the thousands each given they cover millions of customers.

Yup it is low:

Because of incomplete record-keeping, the total number of law enforcement requests last year was almost certainly much higher than the 1.3 million the carriers reported to Mr. Markey. Also, the total number of people whose customer information was turned over could be several times higher than the number of requests because a single request often involves multiple callers. For instance, when a police agency asks for a cell tower “dump” for data on subscribers who were near a tower during a certain period of time, it may get back hundreds or even thousands of names.

Not inexpensive either:

The surging use of cell surveillance was also reflected in the bills the wireless carriers reported sending to law enforcement agencies to cover their costs in some of the tracking operations. AT&T, for one, said it collected $8.3 million last year compared with $2.8 million in 2007, and other carriers reported similar increases in billings.
posted by snaparapans at 4:50 PM on July 9, 2012

It would be trivial to write a software application which, given a list "suspects" and the locations of their homes and jobs, would generate a list which would provide sufficient tower coverage to monitor all traffic in an entire area, effectively limited by budget and the lengths to which the carriers will cooperate. This is definitely not the kind of sci-fi I wanted to come true.
posted by feloniousmonk at 4:53 PM on July 9, 2012 [1 favorite]

This could be cheaper for taxpayers if we sent bills to the subjects for the cost of the surveillance on them.

(rewatching Brazil now for more savings ideas)
posted by el io at 4:54 PM on July 9, 2012 [4 favorites]

T-Mobile disclosed that in the last three years it has referred two inappropriate law enforcement requests to the FBI.

So the vast majority are presumably legitimate requests, with warrants approved by judges, based on a showing of probable cause. On the other hand, this data does not include the unknown number of taps made by the NSA and other Federal agencies who don't bother with those inconvenient warrants.
posted by three blind mice at 4:55 PM on July 9, 2012

For many, many years in the US we had very strong protection against police eavesdropping. Wiretaps were very difficult to get and even a pen register was a significant requirement. But somehow between the switch to computerized phone networks, the rise of wireless, and the spector of terrorists we've now allowed the police to access pretty much all phone calls with little to no barrier. And the phone companies make a profit selling the access. It's outrageous, but hey at least with the cops they have to ask. NSA just plugs right into the main switch and hoovers it all up.
posted by Nelson at 5:18 PM on July 9, 2012 [3 favorites]

That’s a lot of people power devoted solely to surveillance.

That is basically nothing. If those numbers are right it's the best news for the state of civilian surveillance I've heard in many years.

AT&T employs 270,000 people. They have 100 million customers. 100 people for the law enforcement compliance program is ... well, nothing at all.
posted by Tell Me No Lies at 5:33 PM on July 9, 2012

At this point in time you can safely assume that all mobile telephone calls, SMS messages, email and most other cleartext is captured, filtered and analyzed at some level.

You can also safely assume that your modern phone may turn into a voice or or even video eavesdropping device at any moment without any outward symptom of such a function happening unless you happen to keep a third party datalogger or broad spectrum RF scanner/analyzer running whenever your phone is on.

The surveillance panopticon has been building in this direction for decades. Echelon was/is real. So was Carnivore. So was the secret packet-recording room at the AT&T exchange in San Francisco.

It is far too powerful a tool of monitoring and control to be ignored or left on the table. It has been used. It is being used. It will be used, with impunity.

And I don't think it can be legislated or outraged away. You may lop off some public facing pseudopod of the amoeba, but the entire surveillance structure just will just extend another pseudopod that it already prepared, just in case.

The core function of the surveillance culture isn't voyeurism or even control - it's a paranoid sense of privacy and self-protection at all costs. Secrets beget more secrets, and more lies, and more paranoia and more of a need to self-protect, leading to more secrets...

You can't legislate that away. It's a mental (and social) disease. It doesn't listen to Congress, the Senate or the President, or the Supreme Court. It's extralegal. Warrants are simply the formality that permits such surveillance to be officially used in court in the case of a prosecution, post facto.

And it does what it thinks is right and best to preserve itself at great cost like some lurching Dr. Frankenstein clone of Grendel with too many limbs. It doesn't actually care about your security.

This mentally ill, paranoid machine is incapable of respecting your privacy and being polite.

Your privacy is actually a direct treat to it's privacy and security.

This isn't a tinfoil hat issue - it's just common sense given the known course of human history.
posted by loquacious at 5:44 PM on July 9, 2012 [19 favorites]

Seems like a surprisingly low number to me.

It's disturbingly low. Sprint received 500 000 warrantless subpoenas last year, handled by only 226 employees, meaning that each employee is processing about one police request per hour. That strongly implies that Sprint is doing zero work to confirm that any of these police requests for information are legitimate.

Never have so many been spied on so much by so few.
posted by justsomebodythatyouusedtoknow at 6:00 PM on July 9, 2012 [2 favorites]

100 people for the law enforcement compliance program is ... well, nothing at all.

If the machines are doing all the work - logging, collating, recording, sending - why would you think it would take more than that? Every enterprise-class piece of computer hardware in the world offers in-depth logging and traceability, and hard drive space is basically free. All you need is one well-informed person with access to the infrastructure to write a competent shell script, and all of a sudden that $50 for a 24-hour tower dump is pure profit. You want all the information from tower NY-NYC-223521-A in a 24-hour period? Click, click, done. Send.

And, given the numbers involved, hmm: 1.3 million requests divided by approximately four hundred people (as given) is about 3250 per year, or about thirteen or so per person per day; roughly two an hour, all day, every day. Dragnet tactics sound just about right at that point, because it's not really feasible to have people doing fine-grained filtering at that level, so yeah, law enforcement says dump this tower, that's a few clicks, and done. Whoever else made a call through that tower in that window, well, hope you don't have anything to hide, commie.

So the vast majority are presumably legitimate requests, with warrants approved by judges, based on a showing of probable cause.

Haha, that's not how telcos thing at all. You should read that as "the vast majority won't expose us to material liability".
posted by mhoye at 6:03 PM on July 9, 2012 [1 favorite]

At this point in time you can safely assume that all mobile telephone calls, SMS messages, email and most other cleartext is captured, filtered and analyzed at some level.

No, actually you can't.
posted by Tell Me No Lies at 6:48 PM on July 9, 2012 [2 favorites]

Sooooo... are we safe yet??
posted by LordSludge at 6:52 PM on July 9, 2012 [2 favorites]

It may not be safe to assume that all of your web traffic is being stored and analyzed, but I don't think that's necessarily the case for email or IM, particularly if you live in a "sensitive" area. Assuming you have a competent spam filter (and really, as an intelligence agency, information classification is what you do, so you have one) the requirements for reading everyone's email are not nearly as pie in the sky as they are for capturing all traffic on all routers.
posted by feloniousmonk at 7:23 PM on July 9, 2012

$50 for Cell Tower Dump per tower for a 2 hour period. $100 for an Area Dump (if you know the location but do not know the cell towers that affect the area) for a maximum of 2 cell towers for a 2 hour period per cell tower search

But for that you also get unlimited dumps on weekends and we'll throw in a phone at a reduced price, if you sign the two-year contract.
posted by twoleftfeet at 7:23 PM on July 9, 2012 [2 favorites]

No, actually you can't.

It may not be safe to assume that all of your web traffic is being stored and analyzed, but I don't think that's necessarily the case for email or IM, particularly if you live in a "sensitive" area.

I think it's also safe to assume all of your web traffic is being stored, or at least processed. And that's ignoring the giant new datacenter the NSA is building.

Information Science, Information Retrieval, and NLP are fascinating topics, and some of the brightest experts in those fields are at work right now at the NSA.

Here's just a quick solution to the HTML storage problem I came up with, and my pea-brain is nothing compared to those geeks.

First, you realize many HTTP requests are redundant. Like a fucking lot. That's why we have entire teams, companies and budgets in the millions dedicated to HTTP caching technologies.

So, starting with, you don't need to store every full HTTP response to every user. You store a copy of the original page the first time you see it, and a diff every time it changes, along with timestamps on those diffs. Then you just store the request info from the user. With that you can restore the entire browsing history of a single user, or billions of users for a long time. Jim Bob is watching Wall-E on Netflix? Don't store the entire video, just the intermediate requests.

There are obvious details to be worked out there: when do you update the cache, etc. But these are relatively well-studied problems. And it's also introducing a weakness into the system, since you could do a kind of time-dependent steganography. But there are ways around that. Maybe you process the entire response, just don't store it if it matches a hash or whatever.

And that's ignoring the biggest issue being overlooked. Request data, aka "envelope" data contains a LOT more information than many people would think. Associations are important.
posted by formless at 8:01 PM on July 9, 2012

This could be cheaper for taxpayers if we sent bills to the subjects for the cost of the surveillance on them.

What do you think taxes are for?
posted by emjaybee at 8:16 PM on July 9, 2012

I think it's also safe to assume all of your web traffic is being stored, or at least processed. And that's ignoring the giant new datacenter the NSA is building.

Just because they have all the data doesn't mean they can do anything with it. It's pretty easy to story huge amounts of data, so maybe they can soak up terabytes-per-second, but that's a pretty stupid way of handling the national security concerns that the NSA is actually tasked with handling.

At some point, all that data is its own worst enemy.

When you're trying to find the next terrorist bomber, the fact that you have all my receipts from Bob's Tavern starts to slow you down.
posted by twoleftfeet at 8:18 PM on July 9, 2012 [2 favorites]

Wonder why sprint has more people? Must sell a lot of burners.
posted by Ironmouth at 9:00 PM on July 9, 2012

Wonder why sprint has more people? Must sell a lot of burners.


Probably legacy of cell phone industry consolidation more than anything else and the legacy systems at play hosting customer records.
posted by iamabot at 10:41 PM on July 9, 2012

I just can't understand why they would give out cell tower dumps. It takes a bit of expertise and some time to read the reports, and unless you know the number you're looking for, it's just a list of numbers. If you already know the number, why not just pull the records for that phone?
posted by WhackyparseThis at 3:31 AM on July 10, 2012

I didn't see if they mentioned this - were they including defense attorneys as law enforcement? My husband (a defense attorney) requests records sometimes to bolster a claim that his client was nowhere near a crime scene. He says he'd request cell tower dumps because the phone's records would only have the provider's cell towers, not all the cell towers (since his client's provider might not own all the cell towers). And usually the actual phone has been seized, so it's easier to get the records from the provider than from the phone itself, plus getting an expert to pull and interpret the phone's own data is expensive, and often his clients can't afford it, whereas the cell tower dump is cheap and all he has to do is search for the number.

He and I just talked about this, so hopefully I haven't misrepresented what he said to me.
posted by joannemerriam at 5:26 AM on July 10, 2012

You can also safely assume that your modern phone may turn into a voice or or even video eavesdropping device at any moment without any outward symptom of such a function happening unless you happen to keep a third party datalogger or broad spectrum RF scanner/analyzer running whenever your phone is on.

Your desk VOIP phone? Sure. Your cell phone? No way. Unless people are going to just ignore the fact that they are only getting 1 hour of life out of a full charge and that their phone is hot as hell. The feds have better ways of getting audio and video.
posted by gjc at 5:53 AM on July 10, 2012

The government is doing its best to protect you from the phantom terrorist menace. Why can't you appreciate that instead of whining about your rights? Surely you're an upstanding citizen with nothing to hide. Everyone knows that if you have nothing to hide, you have nothing to fear.

Law enforcement having free and easy access to your mobile phone call and location data is good for everyone, except for those who are up to no good. Everyone knows that you're OK with the idea or you wouldn't carry a locator beacon with you everywhere you go.

I'm not in a position to either confrm or deny that the NSA can decrypt your encrypted email in 0.000034 seconds (or less) and prioritize it for review. Everyone knows that only a terrorist with evil secrets would use encrypted email.

We are within measurable distance of winning the war on terror! Don't let your resolve to crush the terrorist threat falter at this critical moment! Everyone knows that we must all do our part!
posted by double block and bleed at 6:29 AM on July 10, 2012

I just can't understand why they would give out cell tower dumps. It takes a bit of expertise and some time to read the reports, and unless you know the number you're looking for, it's just a list of numbers. If you already know the number, why not just pull the records for that phone?

You can do some statistical analysis on them to figure out what your target's "clean" cell number is. If a cell number you don't know about frequently starts a phone call shortly after the one you do know about hangs up, there's a decent chance that number is that person's "clean" phone.

And, presto, it's not a clean phone anymore, and the best part is they don't know that.
posted by mhoye at 7:16 AM on July 10, 2012 [1 favorite]

mhoye, that's a pretty interesting attack. Easily mitigated by using a different cell network (GSM v. CDMA), but to what degree is questionable...
posted by Xoder at 7:44 AM on July 10, 2012

mhoye, that's a pretty interesting attack. Easily mitigated by using a different cell network (GSM v. CDMA), but to what degree is questionable...

Very questionable indeed, since all the carriers are playing ball.
posted by jaduncan at 11:09 AM on July 10, 2012

You can do some statistical analysis on them to figure out what your target's "clean" cell number is.

These clever statistical and machine learning approaches to data mining the vast quantities of information are what makes this data collection truly scary. And they're things most citizens don't even think about, or realize are even possible.

At some point, all that data is its own worst enemy.

When you're trying to find the next terrorist bomber, the fact that you have all my receipts from Bob's Tavern starts to slow you down.

Your receipts at Bob's Tavern show me a lot of very interesting things:

With timestamps on each receipt/charge, they show who you are there with and we can infer relationships and associations based on historical data.

You know those "People who went to X also went to Y" on Foursquare or Amazon? Well, those relationships aren't just limited to similar products or restaurants. The recent article on data-mining by Target and detecting pregnancies based on shopping habits is especially enlightening about the power of machine learning.
posted by formless at 12:43 PM on July 10, 2012

Clearly it's time to make a little tinfoil hat for my phone.

"God, my reception always sucks lately!"
posted by Celsius1414 at 3:09 PM on July 10, 2012

What about voiceprint technology? Couldn't they just follow the same person's voice from one phone to another, including payphones and the like? This could even be done in real time, if their voice pops up on a phone anywhere in the world. Chances are it's either already happening, or in the works.
posted by TreeHugger at 5:51 PM on July 10, 2012

mhoye, that's a pretty interesting attack.

It's not interesting at all; it's one of the dumbest, easiest attacks you can do on that data. It's the bubble-sort of mining that dataset; a drunk sophomore could implement it in an hour.

When people say stuff like ... that's a pretty stupid way of handling the national security concerns that the NSA is actually tasked with handling, I have to wonder which NSA they're talking about, because the one I'm familiar with is at least 15 years ahead of the public domain in terms of cryptanalysis and surveillance technologies, and hiring as many of the smartest mathematicians they can find every year.
posted by mhoye at 6:23 PM on July 10, 2012