(I’d like to thank Col Lang for inviting me to be a guest author. One thing I’ve learned the last year or so coming here is that wisdom may be nothing more than recognizing how wrong we all can be sometimes, and accepting it when we are. I cannot count how many times I’ve commented here only to find within hours, days, weeks, or sometimes months that I was completely wrong! So, I’m starting with something safe (chuckle). Cheers…CWZ/Bob Devine)
The "lefty" blogosphere has lit up like a Christmas tree with the latest FISA legislation battle. Many of you have probably read about using prepaid (disposable) cell phones to evade those allegedly illegal wiretaps. When I first read about the supposed “warrantless” wiretaps the first thing that popped into my mind was the prepaid cell phones.
Since this is a topic dear to my heart – telecom Signals Intelligence – I’d like to add my two cents. Most importantly, I’d like to explain what I think is happening inside the SIGINT community in response to the technical challenges facing the government with these cell phones. My guess is that they are the centerpiece of the FISA controversy.
But let me be clear. This is just my speculation based on my experience. I don’t know for sure.
Prepaid cell phones are needles in a haystack. The smart criminal will buy one with cash, activate it from a pay phone, buy a few more minutes with cash at any 7-11, use it a few days, and then toss it in the trash. It’s the volume of telephone numbers that makes them so hard to find, as well as their mobility.
A telephone number in North America has three parts: area
code, central office code, and line number. (ITU E.164 format for the
techno-geeks among us). In telephone jargon, the area code is a
Numbering Plan Area (NPA) and the central office code must follow a
numbering rule called NXX. Telephone people refer to large blocks of
line numbers as an NPA/NXX. There are 10,000 line numbers available for
use in each NPA/NXX block. That doesn’t mean there will be 10,000
active lines, just 10,000 numbers are available for that particular
NPA/NXX. Based on the numbering plan, there are 792 central office
codes (NXX) available per NPA, and there are 792 available NPAs. That’s
a lot of telephone numbers.
The Industry Numbering Committee of the Alliance for
Telecommunications Industry Solutions (ATIS) assigns NPA/NXX blocks of
numbers to telecom carriers: ATIS
The carrier assignments are public knowledge. You can even look them up yourself: NPA/NXX Lookup
So the SIGINT organizations know which prepaid cellular companies own which NPA/NXX blocks.
Active numbers are maintained in huge databases dispersed throughout
North America, and similar numbering plans are implemented overseas.
When you order a land line from a local Bell company like Verizon, your
name and number are recorded in one or more of these databases. These
databases are used for all sorts of services such as caller ID and
E-911. Of course, with a prepaid cell phone, no name is associated with
the cell number in the database.
In the land line network, there are plenty of places where names and
addresses are associated with a specific telephone number. When the government wants to tap it, they go and get a warrant. Cut and dry.
But let’s say Mr. Terrorist is somewhere in
Maryland between Baltimore and Washington DC, and he is using a prepaid
cell phone he bought with cash. His NPA (area code) can be 240, 301,
410, 443, 202, or 703 depending on his carrier. Each one of those NPAs
can have up to 792 NXX codes assigned to it. And each one of those NXX
codes can have up to 10,000 numbers. Now we’re really starting to see a
problem. The government already knows which blocks are owned by
prepaid cellular carriers, but there are still hundreds of thousands
of telephone numbers in one small region to sift through. This guy may
only pop up for a few hours before trashing his phone – I know I would!
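The numbering arithmetic above can be checked directly. The following is an added example, not part of the original post: it assumes the NXX rule means N is a digit 2-9, X is any digit, and N11 service codes are excluded (which yields the post's figure of 792), and the sample number is constructed from the fictional 555-01XX range.

```python
import re

LINES_PER_BLOCK = 10_000  # line numbers 0000-9999 in each NPA/NXX block
# NPAs the post lists for the Baltimore/Washington corridor.
REGION_NPAS = ["240", "301", "410", "443", "202", "703"]


def is_nxx(code: str) -> bool:
    """NXX rule (assumed reading): N is 2-9, X is 0-9, and N11 codes
    such as 411 or 911 are service codes, not assignable."""
    return (len(code) == 3 and code.isdigit()
            and code[0] in "23456789" and code[1:] != "11")


def count_nxx() -> int:
    """Enumerate all three-digit codes and count those passing the rule."""
    return sum(is_nxx(f"{n:03d}") for n in range(1000))


def parse_nanp(raw: str) -> dict:
    """Split a North American number into NPA, NXX and line number."""
    digits = re.sub(r"\D", "", raw)          # drop +, spaces, dashes, parens
    if len(digits) == 11 and digits[0] == "1":
        digits = digits[1:]                  # strip country code 1
    if len(digits) != 10:
        raise ValueError(f"expected 10 digits, got {len(digits)}")
    npa, nxx, line = digits[:3], digits[3:6], digits[6:]
    if not is_nxx(npa):
        raise ValueError(f"invalid NPA {npa}")
    if not is_nxx(nxx):
        raise ValueError(f"invalid central office code {nxx}")
    return {"npa": npa, "nxx": nxx, "line": line, "block": f"{npa}/{nxx}"}


def region_upper_bound(npas) -> int:
    """Ceiling on numbers in a set of NPAs before narrowing to the
    blocks actually assigned to prepaid carriers."""
    return len(npas) * count_nxx() * LINES_PER_BLOCK


if __name__ == "__main__":
    print(count_nxx())                       # valid NXX codes per NPA
    print(parse_nanp("+1 (301) 555-0142"))   # constructed sample number
    print(region_upper_bound(REGION_NPAS))   # ceiling for the six NPAs
```

The ceiling for the six NPAs is far larger than the "hundreds of thousands" the post cites, because that figure applies after filtering to blocks owned by prepaid carriers.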
How does the FBI or NSA tap his phone based on the number? Here’s
what I suspect has been happening behind the scenes with the FISA
It is physically impossible to monitor all the calls traversing the
telephone networks. The tinfoil hat crowd likes to scream about the NSA
“monitoring all our calls” but it just isn’t physically possible. When
I worked for a long distance carrier we were processing around 1
million calls per day, per junction (a junction is a large central
office), and our network had about 7-8 junctions. That was in the late
1990s. Call volume is much higher today. And that was one carrier out
What we can look at, however, are the messages the telephone network
uses to connect, maintain, and disconnect your calls. This process is
known as call signaling, or call processing. In the old days,
intercepting the call signaling of a large portion of the network was
difficult since both the call processing and voice connection used the
same physical circuit. Now, a signaling technology called Signaling
System 7 (SS7) has made that job much easier – the signaling process
has been decoupled from the voice circuit. All the SS7 messages are
carried on a network separate from the network that connects the two
phones together for the conversation. (For the techno-geeks among us, Wiki SS7)
Although the land line telephone network can operate without SS7,
the cellular networks cannot. They all use SS7. Most likely the FBI and
NSA are exploiting this portion of the telephone network. But remember,
the SS7 network is only carrying call signaling messages. Inside those
messages are the telephone numbers of the calling party and the called
party, but no names. These messages containing each telephone number in
a call can be stored in huge databases and mined for anomalies. The
SIGINT folks are probably looking for call patterns – anything that
will make the target stick out. If there is an interesting call
pattern, then resources can be applied to actually monitor the
So, is it really wiretapping if the government is only monitoring
call patterns and no names are associated with numbers? Is it really
wiretapping if no voice conversation is monitored? I don’t know. That’s
for the lawyers to decide. I do know that the amount of data collected
would be incredibly huge – for every telephone call there will be many SS7 messages generated. Multiply that by the hundreds of thousands of calls
processed by the prepaid cellular carriers per day, and you start
seeing the problem our law enforcement and SIGINT folks are tackling.
Sifting through all these millions of call signaling messages is a huge
Most likely the process is becoming more and more automated with
signaling anomalies triggering the automatic monitoring and storage of
conversations. Although this would make life much easier for the
collection folks, this automation would be where the legal points
become shaky since the warrant would have to be applied after the fact.
I do not know for sure, but I suspect that total automation is feasible
to a degree. It would still require a lot of resources. What if the
trigger was in error and you recorded two innocent people, should you
still have to get a warrant even if internal procedures ensured the
recording was deleted? Sometimes innocent Americans get caught up in
SIGINT collections overseas, and there are existing oversight policies to deal with that.
So, here we are so many paragraphs later and we’ve only seen the tip of
the technical iceberg. But my intention was to provide a taste of what
the managers at NSA and FBI are dealing with, and one can only imagine
the pressure that was applied from on high to find solutions starting
in October of 2001. How many of these terrorists were still floating
around out there among millions of telephone numbers back then? How can
we catch the right people while respecting the rights of the innocent?
Personally, if I were in my SIGINT shoes back then, I would have pushed
forward looking for a technical solution to finding these guys while
the lawyers above me figured out the legal issues: “it’s easier to ask
forgiveness than to get permission.”
And we haven’t even touched email, SMS messaging, chat, voice over
IP, video, and the like. To quote Carl Sagan: “billions and billions”
It ain’t 1978 any more.