by Anthony W. Accurso
A recently obtained document sheds light on how an FBI special team obtains data from cellular providers to provide support for FBI, tribal, and local law enforcement investigations, including what data they can obtain and how long each provider stores that data.
Ryan N. Shapiro of the nonprofit Property of the People—an organization that uses the Freedom of Information Act (“FOIA”) to obtain and publish government records and aid watchdog groups—struck proverbial gold when he obtained a training manual published by the FBI’s Cellular Analysis Survey Team (“CAST”).
CAST’s mission “is to support the FBI, along with state, local, and tribal investigations through the analysis of cellular call detail records (“CDRs”) and their associated tower information.” It accomplishes this mission largely in three ways: (1) maintaining liaison contact with cellular providers to source accurate information about what data can be obtained from each company, (2) participating in priority investigations and supporting prosecutions by providing analysis and expert witnesses, and (3) publishing tools and training materials to assist and educate law enforcement officers (“LEOs”).
The document obtained by Shapiro, which states it is “current as of March 2019,” is entitled “Cellular Analysis & Geo-Location, Field Resource Guide.” It is intended to be a part of LEO partner training about how to conduct cellular analysis. It also introduces CASTViz, a tool created by the CAST team and made available for free to LEOs.
According to the document, “CASTViz has the ability to quickly plot call details records and tower data for lead generation and investigative purposes.”
CASTViz forms the backbone of the process dictated in the CAST training document, though other tools are mentioned, including how each interacts with CASTViz in the analysis workflow.
The training also provides legal guidance outlining statutory authority for obtaining the cellular provider data. These include 18 U.S.C. § 2702(c) (voluntary disclosure of records by a provider), § 2703(d) (search warrants for call and cell site data), and § 3215 (emergency pen register and trap-and-trace installation).
According to the FBI, LEOs can obtain the following information simply by making a request (aka “subpoena”) to the provider: toll records, call to destination search, subscriber information (name and billing address), how a customer pays their bill, device electronic serial number, IP address(es), and how long the customer has had the service/equipment.
To obtain the following, LEOs must first obtain a search warrant: historical tower information to include cell site and sector, text messaging content, data connections, installation of pen trap-and-trace, tracking authorization, subscribers for all numbers contacting target(s), location-based services, ping data (Sprint only), and E-911 data (AT&T and T-Mobile).
CAST also provides templates for language to support subpoenas and warrants, with wording specific to each of the major carriers. Some of the provided language includes “Advice” from FBI Special Agent David Church supporting requests for 60 days or more worth of records because, in his expert opinion, “this range of records will establish a pattern of life and behavior” of the target of the investigation and that “[a] smaller collection of records would make it difficult to determine if it is unusual for the phone(s) to appear in the areas where these crime(s) occurred.”
There is a short description of the various communication protocols in use by each of the major carriers (e.g., GSM, CDMA, LTE), as well as a brief guide to how cell phones and towers interact. After this brief overview, the document transitions to a checklist for the workflow for “basic historical cell site analysis.”
Depending on the type of investigation, a LEO first uses the ELEP Portal provided by numberportability.com to determine the carrier of record for the target’s cell number.
Next, a LEO obtains a CDR from one or more towers in a zone of interest. A CDR contains pertinent information about each call made on the network and includes the following: which number placed and received each call, at which tower the call began and ended, the exact time and duration of each call, and the latitude and longitude of each involved tower.
Separately, LEOs can obtain tower lists from the provider in question, and the CAST document provides training on how to plot tower locations using Google Maps Pro. This allows LEOs to visualize where the scene of a crime is located in relation to nearby towers, enabling a (close enough) determination of the coverage area for each tower. Once towers of interest have been identified, LEOs can obtain the CDR for each tower. The resulting CDRs are then loaded into the CASTViz software and cross-referenced for “investigative leads.”
For example, a homicide occurs at a particular location and officers have no good leads in the case. They can obtain a geo-fence warrant for CDRs of nearby towers, which they can then load into CASTViz. This can provide information on which cellphones were in use at or near the homicide location. If a phone belonging to someone other than the victim was at that location, other related records can be obtained from the provider (who owns the phone, the billing address, etc.).
If the target is a “burner phone,” call records can be obtained for that number. The CAST document advises that the location of the first and last call made each day from the phone may give a lead as to the home or hideout of the suspect, for which a warrant can be obtained.
CASTViz is a versatile tool, able to import many types of records, not just CDRs from cellular providers. It can load and cross-reference ID and user data obtained from app and social media providers (e.g., big tech and digital ad companies), as well as load records from sources like automated license plate readers.
Regarding sources for those non-cellular records, the document also lists companies that can provide these records, the types of records available, and contact details for each company. Given the sheer amount of user data collected and stored (for indeterminate lengths of time) by Google, Facebook, and Apple, it should come as no surprise they are listed here.
What may surprise some people is the list of details that each company can provide. Google and Facebook will track any conceivable data point on their users and then disclose these to law enforcement with proper authorization.
Apple advertises that user data is stored/encrypted in such a way as to respect user privacy, so it is surprising that its list of programs, cited by the FBI for which data is available, includes: Find My Phone, iTunes Gift Cards, Apple retail store surveillance videos, iCloud records and files, customer service records, and “extracting data from passcode locked iOS devices.”
This last item is shocking given how public Apple CEO Tim Cook made the fight against the FBI’s efforts to force Apple to unlock the iPhone belonging to the San Bernardino shooter in December 2015.
OnStar is also on this list, and all basic customer information is available for LEO access (customer name, billing address, vehicle make, model, and year). A pleasant surprise is that OnStar “does not create, receive or maintain vehicle activity such as speed, braking, ignition, cycles, lock status, etc.,” though it may have “airbag data, maximum reported Delta V, direction of impact and roll over status” for some vehicles involved in crashes.
Also, OnStar only has in-car audio when a customer calls the company for emergency service or when the call is automatically initiated by an air-bag deployment sensor. At all other times, including when “actively assisting law enforcement,” in-car audio is not available. It is possible the microphone may only be activated by the vehicle occupant(s) to prevent hackers from remotely activating it.
The CDRs are not the only records available from cellular carriers, and the CAST document contains a table of available data, as well as retention periods for each provider. The table also includes a list of each acquired company, reseller, and mobile virtual network operator (“MVNO”) that use each carrier’s network. Thus, while a company like Boost Mobile may claim to not keep customer usage data, the actual carrier network on which Boost operates (Sprint) may retain it anyway.
Since the CAST document was listed as being “current as of March 2019,” it is unclear if any of the major carriers have altered their retention policies since then. It is possible that at least some of this data is out of date due to the merger of T-Mobile and Sprint (a 26-billion-dollar deal that started in 2018 and closed in 2020, discontinuing the Sprint brand).
AT&T maintains CDRs, texting metadata, and estimated phone location for ALL devices on its network (including wearables) going back for seven years. Similar information is available for the previous two years from T-Mobile and the previous one year from Verizon.
Verizon and US Cellular actually keep records of texting content (7 and “3-5” days, respectively), and AT&T stores “texts” sent through the AT&T messaging app for 90 days.
AT&T, Cricket, and Verizon store “Internet/Web Browsing” data, with retention periods of one year for AT&T and Cricket and 187 days for Verizon.
When asked what web browsing data AT&T retains, spokesperson Margaret Boles told Vice that, “[l]ike all companies, we are required by law to comply with mandatory legal demands, such as warrants based on probable cause. Our responses comply with the law.”
“There is no conceivable business reason they need that much,” said Nate Wessler, deputy project director of the Speech, Privacy, and Technology Project at the ACLU, commenting on the extreme length of time for which AT&T maintains records on its customers when compared to other carriers.
Wessler also raises doubts about the reliability of tools such as CASTViz because, given the vast amount of data being imported into the program, there are likely errors in the data. Further, as CASTViz is only available to law enforcement without review by any third parties, he expressed “questions about what sort of assumptions are built into this tool, and what errors this software can make,” according to Vice.
Rich Young, a Verizon spokesperson, commented on data provided in this manner, stating, “[t]his is a tool that our security team uses in response to lawful warrants and emergency requests. For example, this tool would be used in response to cases involving armed fugitives or missing children. As a common industry practice, the tool uses network-based cell site location information. All other major providers use a similar approach.”
To limit some of the potential damage from such errors—or misuse by LEOs—CAST advertises its willingness to “utilize industry standard survey gear drive test equipment to determine true geographical coverage breadth of a cell site sector.”
While the document does not directly advise against LEOs testifying in court on information obtained using its guidance, it states that “testifying in court regarding cell phone records is difficult and requires significant training.” CAST is also willing to provide “expert witness testimony in support of cellular analysis” and claims its “Agents receive over 500 hours of training.”
The lesson of this document is that the breadth of information available to law enforcement—with or without a warrant—is staggering, and the FBI is using its organizational funding and expertise to make that information available to LEOs at every level. This free-for-all approach lacks transparency and accountability, leaving it open to abuses similar to the documented abuses of Foreign Intelligence Surveillance Act (FISA) warrants by federal agents reported in recent years.
While it’s good to know what information is available to law enforcement, it is imperative that legislators investigate how this information is being used and whether its misuse is violating the privacy of citizens.