The FBI's Digital Collection System 3000 collects real-time phone records for authorized spy and criminal pen traps and traces.

Photo Illustration: Wired.comIn poring through the latest round of documents the FBI turned over to the Electronic Frontier Foundation about how the FBI legally plugs into the nation's telephone system, THREAT LEVEL discovered that the nation's secret spy court repeatedly questioned the FBI in 2005 and 2006 about whether the Bureau was exceeding its wiretap authority.

But there were other fine eavesdropping nuggets in those pages, including info on when the FBI learned to wiretap VOIP calls, how number portability messed with FBI taps, and a moment of candor from an FBI technician about how the FBI's wiretapping software could work with the NSA's warrantless wiretapping program.

For instance, the FBI accidentally listened in on one innocent American phone conversations due to a hack a phone company used to let people take port their phone numbers from one cell provider to another. At issue is a workaround used by CDMA providers, where a carrier assigns an alias number to a ported number in order to speed up switching at a user's usual calling area. The workaround has the unfortunate side effect of occasionally reporting the alias – which could actually be a real person's number – instead of the real caller to the FBI's wiretapping software.

In the FBI's own words, "due to misinformation in the call records, the unrelated subscriber was temporarily included in the investigation" and "this error has recently misled a few FBI investigations.

Secondly, in one message thread (.pdf) about moving offices in Manhattan and wiretapping the traditional wireline phone service in March 2006, one FBI employee who works for the FBI's Operational Technology Division asks if the NSA still does warrantless wiretaps and suggests how the FBI's equipment could be configured to deal with the lack of court orders.

Does the [redacted] do intercepts without court orders? I thought we act as a proxy for [redacted – likely FISA]. That is, we serve the company the order for the [FISA] targets. If so there should not be a problem: the DCS-3000 can direct all FISA traffic to the [ redacted - likely DCS-5000 system]. If not, then we can segreagate the [redacted - likely NSA] traffic from our traffic by giving [redacted - likely the carriers] separate telephone numbers for [redacted - likely the NSA] and Bureau to deliver the CDC data. For example, [redacted - likely the NSA's] targets' CDC data can be delivered to 212-[redacted phone number] the FBI's target's CDC data can be delivered to 212[redacted phone number].

In reply, an FBI agent from New York City wrote back:

It is my understanding that we do act as a proxy with delivering their orders. The [redacted] does that. However, they do a lot more surveillance than we do. I will get someone from the [redacted - likely NSA] down here when you guys come to set up the equipment for the DCS_3000 move.

A third message of interest note that in June 2005, the FBI's wiretapping software successfully collected foreign intelligence wiretaps on two separate VOIP subscribers (provider is redacted in the docs). The call records were delivered like any phone switch would, while the phone communication itself was snagged via a CALEA-like feature built-into Cisco CMTS routers, which delivered copies of the conversation to the FBI. That's pretty significant since the Justice Department argued that this capability had to be mandated for VOIP companies, when it seems the feds were able to pull it off without design mandates.

That interception predated the extension of CALEA mandates to the internet and IP traffic generally. That mandate went into effect May 11, 2007, on what THREAT LEVEL dubbed "Wiretap the Internet Day."

See Also: