Along with the rest of the USA Freedom Act, the Call Detail Records (CDR) program is set to expire on 12/15/2019. This is the infamous NSA program that gathered hundreds of millions of American citizens’ phone call metadata records. A commission formed after 9/11, the Privacy and Civil Liberties Oversight Board (PCLOB), is studying the phone program to determine whether it should be renewed, despite the fact NSA reportedly asked to shut the program down voluntarily last year.
As I explained in my comment letter to the PCLOB, I believe CDR is becoming ineffective as a counter-terrorism tool. The threat landscape has shifted from the command-and-control model of Al Qaeda to the more decentralized model of ISIS and the domestic accomplices it inspires (often indirectly). As a result, traffic analysis of known targets is less likely to surface actionable intelligence. The technology landscape has also shifted dramatically, with encrypted messaging apps replacing phone calls and texts. The NSA program has blind spots that allow terrorists to fly under its radar.
Should you care? Call metadata may seem harmless from a privacy perspective, but traffic analysis can reveal a surprising amount of your personal information -- relationships, location, politics, religion, travel, purchases, health, etc. – which is why NSA used it to study terrorist networks.
The USA Freedom Act compounded the privacy risk by mandating a so-called “second hop”. Say NSA requests call records for a terrorist suspect Alice. If Alice calls Bob, NSA gets all of Bob’s call records too. But it doesn’t stop there. If Bob calls Charlie, then NSA gets Charlie’s call records as well. This leads to a “Six Degrees of Kevin Bacon” problem whereby a NSA single query can retrieve tens of thousands of records. Yet any terrorist familiar with the 2-hop process (thanks to Edward Snowden) can evade detection simply by stretching communication chains to 3 hops.
Massive CDR databases also make an attractive cybersecurity target for foreign adversaries. In fact it was just reported that China may have breached US telecom carriers to steal call metadata. A big CDR breach could have grave consequences for national security as well as citizen privacy. NSA and CIA are not invincible; news reports indicate both have fallen victim to Chinese breaches in the past.
The NSA phone snooping program is losing effectiveness while increasingly posing privacy and security risks. For these reasons, I believe the CDR authority should be stripped away when the USA Freedom Act is renewed for 2020.
Michael McCormick is an information security consultant, researcher, and founder of Taproot Security.