Hot Document

The Quantico Circuit Caper

Telecommunications companies gather and log vast quantities of private information about, and generated by, 400 million customers. This information is typically withheld from third parties by internal security firewalls and by federal privacy laws. Until recently, U.S. spy agencies were expressly forbidden by the Foreign Intelligence Surveillance Act to wiretap phone and e-mail communications inside the United States, but in 2002, President Bush authorized the National Security Agency to flout FISA and intercept billions of private Internet and telephone records. After press disclosures about the domestic spying, Congress updated the FISA law (now the Protect America Act) to permit some previously banned surveillance, provided the intelligence agency in question receives a court-approved warrant. U.S. telecommunications companies must cooperate.

Those same companies are defendants in numerous lawsuits brought by privacy advocates against the earlier, warrantless assistance. The corporations have asked Congress for retroactive immunity. Even if the privacy advocates succeed, however, there may not remain much record of precisely what the telecommunications firms passed on to the government. This difficulty has focused attention on an affidavit (see below and the following six pages) by “certified ethical hacker” Babak Pasdar, circulated around Capitol Hill earlier this month. It describes how Pasdar, CEO of Bat Blue Corporation, stumbled across an unmonitored and unlimited third-party access feed to the entire network of an unnamed major wireless telecommunications carrier (psst: If you’re a Verizon customer, pay attention), while working on an emergency “migration” of systems timed to a 2003 Christmas-season product launch (below). The telecom company’s people told Pasdar, whom they’d brought in for the project, that the unusual backdoor conduit was called the “Quantico Circuit” and “should not be firewalled” (Pages 3-4). Pasdar was concerned that the channel, code-named for the FBI academy in Northern Virginia, was an open door to his client’s “core network,” giving unrestricted access to the cellular phone company’s “billing system, text messaging [and] fraud detection” systems (Page 5). The conduit made it possible, for example, “to tap into any conversation on any mobile phone supported by the carrier at any point” (Page 6).

To Pasdar’s mind, “Having a third party with completely open access to their network core” seemed “against organizational policy” (Page 3). He urged his client counterparts to at least log “the source, destination and type” of unfettered data flowing out of their DS3 circuit. His corporate contacts demurred and called in the director of security, who, “wagging his finger in my face,” informed Pasdar he was “treading above my pay grade.” Pasdar, a 19-year veteran of internet security protocols, was told to move on and “forget the circuit” or the telecom company would “get someone who would” (Page 4).

Last week, the House voted 214-195 to deny corporate immunity in the FISA reauthorization bill, but the president promised to veto any bill that withholds immunity.
