Hacking. Disinformation. Surveillance. CYBER is Motherboard’s podcast and reporting on the dark underbelly of the internet.
A newly obtained document written by the FBI lays out in unusually granular detail how it and other law enforcement agencies can obtain location information of phones from telecommunication companies.
Much of the information reiterates what we already knew about law enforcement access to telecommunications data—how officials can request location data from a telecom with a warrant or use court orders to obtain other information on a phone user, for example. But the document does provide insights on what exactly each carrier collects, a more recent run-down of how long each telecom retains certain types of data for, and images of the tool the FBI makes available to law enforcement agencies across the country to analyze cell phone tower data.
Ryan Shapiro, executive director of nonprofit organization Property of the People, shared the document with Motherboard after obtaining it through a public record act request. Property of the People focuses on obtaining and publishing government records.
Do you have access to similar documents? We’d love to hear from you. Using a non-work phone or computer, you can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, or email email@example.com.
The document, a 139 page slide presentation dated 2019, is written by the FBI’s Cellular Analysis Survey Team (CAST).
CAST supports the FBI as well as state, local, and tribal law enforcement investigations through the analysis of call data and tower information, the presentation adds. That can include obtaining the data from telecommunications companies in the first place; analyzing tower dumps that can show which phones were in an approximate location at a given time; providing expert witness testimony; and performing drive tests to verify the actual coverage of a cell tower.
“When necessary, CAST will utilize industry standard survey gear drive test equipment to determine the true geographical coverage breadth of a cell site sector,” the presentation reads. The presentation highlights the legal process required to obtain information from a telecommunications company, such as a court order or search warrant.
The LinkedIn profile of one CAST member Motherboard found says they have a “special emphasis in historical cell site analysis which is typically used for locating phones (and the individuals attached to those phones) for cases such as kidnappings, homicides, missing persons, and robberies.”
CAST provides its own cell phone data visualization tool to law enforcement officials around the country called CASTViz for free.
“CASTViz has the ability to quickly plot call detail records and tower data for lead generation and investigative purposes,” the presentation reads. The document includes images of and instructions for the CASTViz software itself.
Nate Wessler, deputy project director of the Speech, Privacy, and Technology Project at the American Civil Liberties Union (ACLU), said in a phone call that “I’ve never seen a visualization of it” after viewing the document. He added that the document raises questions around what sort of assumptions are built into this tool, and what errors this software might make. (The presentation adds that maps and analysis created by CASTViz should not be taken to court without being validated for accuracy, and that testimony should only be through a qualified expert).
The document also explains how data requests from Mobile Virtual Network Operators (MVNOs) such as Boost Mobile are handled, explains how to obtain location data from what the FBI describes as “burner phones,” and how to obtain information from OnStar, General Motors’ in-vehicle system. The document also provides the cost of some of this data for law enforcement to request.
The presentation provides more recent figures on how long telecoms retain data for. AT&T holds onto data such as call records, cell site, and tower dumps for 7 years. T-Mobile holds similar information for 2 years, and Verizon holds it for 1 year.
“There is no conceivable business reason they need that much,” Wessler said, referring to AT&T’s longer retention periods than other telecoms.
The slide also shows that AT&T retains “cloud storage internet/web browsing” data for 1 year. When asked what this detail entails exactly, such as websites visited by customers on the AT&T network, AT&T spokesperson Margaret Boles said in an email that “Like all companies, we are required by law to comply with mandatory legal demands, such as warrants based on probable cause. Our responses comply with the law.” The document also mentions that law enforcement can request records related to wearable devices from AT&T.
Another section that provides an overview of the different engineering and location datasets held by telecoms and potentially available to law enforcement agencies tells officials to use some AT&T data “cautiously.”
“AT&T does not validate results,” the presentation reads. AT&T did not respond to a request for comment on this point.
“It’s good that there’s a disclaimer. At the same time, concerning that they’re advising law enforcement officers—state and local police—that they can ask for this stuff,” Wessler said on the AT&T data.
That section also mentioned that Verizon has a “new” location tool that law enforcement agencies can use.
Rich Young, a Verizon spokesperson, told Motherboard in an email that “This is a tool that our security team uses in response to lawful warrants and emergency requests. For example, this tool would be used in response to cases involving armed fugitives or missing children. As a common industry practice, the tool uses network-based cell site location information. All other major providers use a similar approach.”
The FBI did not respond to a request for comment.