Britain’s Guardian newspaper has broken a story claiming the United States’ National Security Agency is currently collecting every CDR for every call carried by Verizon Business Network Services, where at least one of the parties to the call is in the USA. You can see the Guardian story here.
The Guardian also published the leaked court order. The court order explicitly states that its existence must not be disclosed. Whoever blew the whistle is taking a big risk by revealing the extent to which the US Government is using telecoms companies to engage in widespread surveillance of ordinary US citizens and residents.
The court order has a three-month duration, starting on 25th April 2013, and terminating on July 19th of this year. The order demands the following data from Verizon Business Network Services:
It is hereby ordered that, the Custodian of Records shall produce to the National Security Agency (NSA) upon service of this Order, and continue production on an ongoing daily basis thereafter for the duration of this Order, unless otherwise ordered by the Court, an electronic copy of the following tangible things: all call detail records or “telephony metadata” created by Verizon for communications (i) between the United States and abroad; or (ii) wholly within the United States, including local telephone calls. This Order does not require Verizon to produce telephony metadata for communications wholly originating and terminating in foreign countries. Telephony metadata includes comprehensive communications routing information, including but not limited to session identifying information (e.g. originating and terminating telephone number, International Mobile Subscriber Identity (IMSI) number, International Mobile station Equipment Identity (IMEI) number, etc.), trunk identifier, telephone calling card numbers, and time and duration of call. Telephony metadata does not include the substantive content of any communication… or the name, address, or financial information of a subscriber or customer.
The order was signed by Judge Roger Vinson of the Foreign Intelligence Surveillance Court, which works in secret. Verizon Business Network Services is a subsidiary of Verizon Communications. They are one of the United States’ largest providers of business telecommunications and internet services. Given the blanket nature of the order, it is impossible to determine who, amongst their many customers, are the targets of this order.
I find this form of surveillance to be troubling for a number of reasons. The broad-brush approach means that the US government will inevitably collect data and analyse the behaviour of many innocent individuals. If it were not for brave whistleblowers, they would do so in secret, with citizens having no opportunity to question the laws that enable such acts, how they have been interpreted, and how the government has acted. Whilst the order does not ask for customer names and addresses, it must be a mere formality for government agencies to obtain other kinds of data that will enable them to personally identify who uses which telephone number. At the same time, private sector businesses are increasingly co-opted into providing surveillance to the government, and the cost of that surveillance is borne by their customers. Given the power of government, telcos are put into an invidious position, contrary to the interests of their customers. Telcos will feel unable to challenge occasions when government exceeds its legal powers, for fear that the government will punish their business indirectly, via less favourable government decisions elsewhere. Telcos are also unable to advise their customers or the public of the true scale of surveillance, thus eliminating an important source of information that might justify a democratic decision to impose tighter constraints on government powers. Meanwhile, other government departments intend to force telcos to protect the privacy of their customers, and to punish them if they fail to do so. This leads to a moral contradiction. On one side, business is schooled by government on how to extract data that invades the privacy of their customers. On the other side, business is told to resist the temptation to use data in similar ways, for commercial reward.
I can hear what some of you are saying to yourselves. “This does not concern me. I am a humble RA Consultant/Fraud Analyst/Billing Ops Manager and I do not live in the USA.” But it does concern you. Everyone visiting this website does work, or has done work, that requires the extraction and analysis of CDRs. If governments develop a habit of expecting all the CDRs from telcos within their borders, they can equally well get into the habit of expecting CDRs, both domestic and foreign, from any other business they can exert influence over. That means they can gather CDR data via equipment manufacturers, software vendors, providers of managed services and the like. I can offer no glib solution to the endless push-and-pull between privacy and security. But like the brave whistleblower who revealed this secret court order, any one of us might get caught up in the struggle between freedom and safety.