Kevin Poulsen at Wired's Threat Level has this piece up: Whistle-Blower: Feds Have a High-Speed Backdoor Into Wireless Carrier. He writes:
A U.S. government office in Quantico, Virginia, has direct, high-speed access to a major wireless carrier's systems, exposing customers' voice calls, data packets and physical movements to uncontrolled surveillance, according to a computer security consultant who says he worked for the carrier in late 2003. (emphasis mine)
Meanwhile, the New York Times is running this story: More FBI Privacy Violations Confirmed which reads in part:
The FBI acknowledged it improperly accessed Americans' telephone records, credit reports and Internet traffic in 2006, the fourth straight year of privacy abuses resulting from investigations aimed at tracking terrorists and spies.
I recommend reading both those articles and then returning to this; I thought about quoting the relevant passages, but honestly the entire articles are very relevant (and they're not terribly long).
The suspected wireless carrier involved is Verizon; one reason for this is the overlap in facts with those discussed in this lawsuit [PDF]. Of course, Verizon's spokesdroids won't confirm or deny, citing possible national security concerns. The Government Accountability Project is circulating a copy of the seven-page affidavit [PDF] written by the whistleblower, and it makes for fascinating reading. (They also have a series of Talking Points which are regrettably in Word format.)
Among the details in the affidavit is this narrative:
At one point I overheard C1 [consultant 1] and C2 [consultant 2] talking about skipping a location. Not wanting to do a shoddy job I stopped and said "we should migrate all sites"
C1 told me this site is different.
I asked "Who is it? Carrier owned or affiliate?"
C1 said "This is Quantico Circuit."
I remember that he paused and looked at me as did C2. I inquired "Quantico, Virginia? Is this a store location?"
C1 responded, "No".
"Is it what I think it is?", I asked.
C1 did not reply but just smiled. It was a very telling smile and I knew we were discussing something unusual.
This becomes much more interesting a page or so later:
C1 and C2 did not want to comply. Instead they got on the phone with DS [Directory of Security] who asked me to stop what I was doing and move on. To my surprise, he then drove the one hour or so to do the data center.
The tentative, uncertain DS I had known was transformed into a man wagging his finger in my face telling me to "forget about the circuit" and "move on" with the migration, and if I couldn't do that then he would get someone who would.
The affidavit (which is very much worth your time to read) comes to a number of conclusions, grouped by probability. Among those at the top of the list are:
- A third party had access to one or more systems within the organization.
- The third party could connect to one or more of the client's systems. This would include the billing system, fraud detection system, text messaging, web applications. Moreover, Internet communications between a mobile phone and other Internet systems may be accessed.
If this is all true, then what it means is that the feds are plugged into the heart of this wireless carrier's network and can see everything. Worse, nobody's monitoring that. But it gets still worse when we combine this with the other article I referenced in the intro, which tells us that private data acquired by the FBI is being misused. We've seen this before, for example: Federal Agent Indicted for Cyber-Stalking. We also know that their data security is, shall we charitably say, less than optimal: DHS acknowledges own computer break-ins. (And keep in mind as you read these the 1:10:100 rule: for every breach an organization discloses, there are 10 more that they know about; for every one of those, there are 10 more they don't know about.)
I'm somewhat at a loss for superlatives here. As bad as the threats to our privacy and civil liberties implied by this backdoor are, what's worse are the threats to individuals made possible via the use of this data by rogue federal employees (and likely, contractors). And still worse than that are the threats posed by anyone out there with the requisite computer skills to tap into this goldmine of data.
Isaac Asimov, in his science fiction novel "Foundation", wrote "It's a poor atom blaster that won't point both ways.". It seems to me that this lesson has been lost on those building these ever-more-sophisticated and intrusive data-mining operations. They have yet to grasp that it's not how much data they're bringing in that should be the major concern: it's how much data is getting out.