23 November 2023

Secretive White House Surveillance Program Gives Cops Access to Trillions of US Phone Records

DELL CAMERON & DHRUV MEHROTRA

A little-known surveillance program tracks more than a trillion domestic phone records within the United States each year, according to a letter WIRED obtained that was sent by US senator Ron Wyden to the Department of Justice (DOJ) on Sunday, challenging the program’s legality.

According to the letter, a surveillance program now known as Data Analytical Services (DAS) has for more than a decade allowed federal, state, and local law enforcement agencies to mine the details of Americans’ calls, analyzing the phone records of countless people who are not suspected of any crime, including victims. Using a technique known as chain analysis, the program targets not only those in direct phone contact with a criminal suspect but anyone with whom those individuals have been in contact as well.

The DAS program, formerly known as Hemisphere, is run in coordination with the telecom giant AT&T, which captures and conducts analysis of US call records for law enforcement agencies, from local police and sheriffs’ departments to US customs offices and postal inspectors across the country, according to a White House memo reviewed by WIRED. Records show that the White House has, for the past decade, provided more than $6 million to the program, which allows the targeting of the records of any calls that use AT&T’s infrastructure—a maze of routers and switches that crisscross the United States.

In a letter to US attorney general Merrick Garland on Sunday, Wyden wrote that he had “serious concerns about the legality” of the DAS program, adding that “troubling information” he’d received “would justifiably outrage many Americans and other members of Congress.” That information, which Wyden says the DOJ confidentially provided to him, is considered “sensitive but unclassified” by the US government, meaning that while it poses no risk to national security, federal officials, like Wyden, are forbidden from disclosing it to the public, according to the senator’s letter.

AT&T spokesperson Kim Hart Jonson declined WIRED’s request to comment on the DAS program, saying only that the company is required by law to comply with a lawful subpoena.

There is no law requiring AT&T to store decades’ worth of Americans’ call records for law enforcement purposes. Documents reviewed by WIRED show that AT&T officials have attended law enforcement conferences in Texas as recently as 2018 to train police officials on how best to utilize AT&T’s voluntary, albeit revenue-generating, assistance.

In 2020, the transparency collective Distributed Denial of Secrets published hundreds of gigabytes of law enforcement data stolen from agencies around the US. A WIRED review of the files unearths extraordinary detail regarding the processes and justifications that agencies use to monitor the call records of not only criminal suspects, but of their spouses, children, parents, and friends. While DAS is managed under a program devoted to drug trafficking, a leaked file from the Northern California Regional Intelligence Center (NCRIC) shows that local police agencies, such as those in Daly City and Oakland, requested DAS data for unsolved cases seemingly unrelated to drugs.

In one instance, an officer with the Oakland Police Department asked for a “Hemisphere analysis” to identify the phone number of a suspect by analyzing the calls of the suspect’s close friends. In another, a San Jose law enforcement officer asked the Northern California Regional Intelligence Center to identify a victim and material witness in an unspecified case. One officer, soliciting information from AT&T under the program, wrote: “We obtained six months of call data for [suspect]'s phone, as well as several close associations (his girlfriend, father, sister, mother).” The records do not indicate how AT&T responds to every request.

Leaked law enforcement files further show that a range of officials—from a US Postal Service inspector to a New York Department of Corrections parole officer—participated in DAS training sessions. Other participants include port authorities and members of US Immigration & Customs Enforcement, National Guard, and California Highway Patrol, alongside scores of smaller agencies.

First disclosed by The New York Times in September 2013 as Hemisphere, the DAS program—renamed in 2013—has since flown largely under the radar. Internal records concerning the program’s secrecy that were obtained by the newspaper at the time show that law enforcement had long been instructed to never “refer to Hemisphere in any official document.”

Following the Times’ story, former US president Barack Obama reportedly suspended funding for the Hemisphere program in 2013. And while discretionary funding was withheld over the following three years, a White House memo obtained by WIRED shows that individual law enforcement organizations across the US were permitted to continue contracting with AT&T directly in order to maintain access to its data-mining service. Funding resumed under former president Donald Trump but was halted again in 2021, according to the White House memo. Last year, under president Joe Biden, the funding resumed once more, the memo says.

The White House acknowledged an inquiry from WIRED but has yet to provide a comment.

THE DAS PROGRAM is maintained under an affiliated program called HIDTA, funded by the White House’s Office of National Drug Control Policy (ONDCP). HIDTA, or “high-intensity drug trafficking area,” is a designation assigned to 33 different regions of the US, according to the White House. The first five regions, mapped out in 1990, included areas around Los Angeles, Houston, Miami, New York, and the entire US-Mexico border, some of the nation’s most active drug trafficking areas.

The collection of call record data under DAS is not wiretapping, which on US soil requires a warrant based on probable cause. Call records stored by AT&T do not include recordings of any conversations. Instead, the records include a range of identifying information, such as the caller and recipient’s names, phone numbers, and the dates and times they placed calls, for six months or more at a time. Documents released under public records laws show the DAS program has been used to produce location information on criminal suspects and their known associates, a practice deemed unconstitutional without a warrant in 2018.

“Requests concerning location information require the highest level of legal demand, which is a court-issued warrant, except in emergency situations,” AT&T’s Hart Jonson says.

Orders targeting a nexus of individuals are sometimes called “community of interest” subpoenas, a phrase that among privacy advocates is synonymous with dragnet surveillance.

“The scale of the data available to and routinely searched for the benefit of law enforcement under the Hemisphere Project is stunning in its scope,” Wyden’s letter to Garland says.

The White House has provided at least $6.1 million in discretionary funding to the DAS program since 2013, according to a two-page memo authored last year by White House officials. An internal HIDTA “participant guide” reviewed by WIRED shows that HIDTA funding exceeded $280 million in 2020 alone. It remains unclear how much HIDTA funding is spent to support AT&T’s vast collection of American call records.

It is not currently known how far back the call records accessible under DAS go. A slide deck released under the Freedom of Information Act in 2014 states that up to 10 years’ worth of records can be queried under the program, a statistic that contrasts with other internal documents that claimed AT&T could reach decades into the past. AT&T’s competitors, meanwhile, typically retain call records for no more than two years. (The necessity for phone companies to track call records for extended periods of time has gradually decreased with the disappearance of long-distance charges.)

THE DAS PROGRAM echoes multiple dragnet surveillance programs dating back decades, including a Drug Enforcement Agency program launched in 1992 that forced phone companies to surrender records of virtually all calls going to and from over 100 other countries; the National Security Agency’s bulk metadata collection program, which the US Second Circuit Court of Appeals deemed illegal in 2014; and the Call Details Records program, which suffered from “technical irregularities” leading the NSA to collect millions of calls it was “not authorized to receive.”

Unlike these past programs, which were subject to congressional oversight, DAS is not. A senior Wyden aide tells WIRED the program takes advantage of numerous “loopholes” in federal privacy law. The fact that it’s effectively run out of the White House, for example, means it is exempt from rules requiring assessments of its privacy impacts. The White House is also exempt from the Freedom of Information Act, reducing the public’s overall ability to shed light on the program.

Because AT&T’s call record collection occurs along a telecommunications “backbone,” protections enshrined under the Electronic Communications Privacy Act may not apply to the program.

Earlier this month, Wyden and other lawmakers in the House and Senate introduced comprehensive privacy legislation known as the Government Surveillance Reform Act. The bill contains numerous provisions that, if enacted, would patch most if not all of these loopholes, effectively rendering the DAS program, in its current form, explicitly illegal.

I write to request that you clear for public release additional information about the Hemisphere Project. This is a long-running dragnet surveillance program in which the White House pays AT&T to provide all federal, state, local, and Tribal law enforcement agencies the ability to request often-warrantless searches of trillions of domestic phone records.

In 2013, the New York Times revealed the existence of a surveillance program in which the White House Office of National Drug Control Policy (ONDCP) pays AT&T to mine its customers’ records for the benefit of federal, state, local, and Tribal law enforcement agencies. According to an ONDCP slide deck, AT&T has kept and queries as part of the Hemisphere Project call records going back to 1987, with 4 billion new records being added every day. That slide deck was apparently disclosed by a local law enforcement agency in response to a public information request and was published by the New York Times in 2013.

The scale of the data available to and routinely searched for the benefit of law enforcement under the Hemisphere Project is stunning in its scope. One law enforcement official described the Hemisphere Project as “AT&T's Super Search Engine” and ... "Google on Steroids,” according to emails released by the Drug Enforcement Administration (DEA) under the Freedom of Information Act. The ONDCP slide deck and an email released by the DEA also reveal that AT&T searches records kept by its wholesale division, which carries communications on behalf of other communications companies and their customers. Another slide deck released by ONDCP and published by the press in 2014 describes the specific capabilities of Hemisphere, including that it can be used to identify alternate numbers used by a target, obtain location data and “two levels of call detail records for one target number” (meaning the phone records of everyone who communicated with the target).

The Hemisphere Project has been supported by regular funding from the White House ONDCP since 2009, according to the attached undated white paper that ONDCP provided to my office on October 27, 2022 (Appendix A). That same document reveals that White House funding for this program was suspended by the Obama Administration in 2013, the same year the program was exposed by the press, but continued with other federal funding under a new generic sounding program name, “Data Analytical Services.” ONDCP funding for this surveillance program was quietly resumed by the Trump Administration in 2017, paused again in 2021, the first year of the Biden Administration, and then quietly restarted again in 2022.

Although the Hemisphere Project is paid for with federal funds, they are delivered to AT&T through an obscure grant program, enabling the program to skip an otherwise mandatory federal privacy review. If the funds came directly from a federal agency, such as the DEA, Hemisphere would have been subjected to a mandatory Privacy Impact Assessment conducted by the Department of Justice (DOJ) Office of Privacy and Civil Liberties, the findings of which would be made public. Instead, ONDCP provides funding for the program through the Houston High Intensity Drug Trafficking Area (HIDTA), one of 33 regional funding organizations as a part of a grant program created by Congress and administered by ONDCP. The HIDTAs distribute federal anti-drug law enforcement grants to state and local agencies, and are governed by a board made up entirely of federal, state and local law enforcement officials.

ONDCP provided my staff with an undated white paper describing the program and its historical funding levels, but ONDCP directed all questions about Hemisphere to the Houston HIDTA. Officials at the Houston HIDTA provided my office with a briefing on November 7, 2022, and spoke again with my staff again by phone on December 1, 2022. The Houston HIDTA officials told my staff that all Hemisphere requests are sent to a single AT&T analyst located in Atlanta, Georgia, and that any law enforcement officer working for one of the federal, state, local and Tribal law enforcement agencies in the U.S. can contact the AT&T Hemisphere analyst directly to request they run a query, with varying authorization requirements. The Houston HIDTA officials confirmed that Federal and state law enforcement agencies can request a Hemisphere search with a subpoena, which is a directive that many law enforcement agencies can issue themselves (except in California and Texas, where a court order is required by state law). They also explained that Hemisphere searches are not required to be in support of drug-related investigations.

For the past year, I have urged the DOJ to release dozens of pages of material related to the Hemisphere Project, which it first provided to my office in 2019. This information has been designated “Law Enforcement Sensitive,” which is meant to restrict its public release. I have serious concerns about the legality of this surveillance program, and the materials provided by the DOJ contain troubling information that would justifiably outrage many Americans and other members of Congress. While I have long defended the government’s need to protect classified sources and methods, this surveillance program is not classified and its existence has already been acknowledged by the DOJ in federal court. The public interest in an informed debate about government surveillance far outweighs the need to keep this information secret. To that end, I urge you to promptly clear for public release the material described in Appendix B.


No comments: