March 4, 2008
To: Congressional staff on telecom immunity
From: Tom Devine, Government Accountability Project (GAP), 202-408-0034, x. 124
Re: Talking Points for Babak Pasdar Affidavit
GAP represents Babak Pasdar, a computer and computer security technologist for 19 years whose clients have ranged from multinational corporations to small organizations. His field is designing, implementing, troubleshooting and managing computer security systems. These talking points summarize his February 28, 2008 affidavit and whistleblowing disclosure. His statement is a professional’s eyewitness account of a major telecommunications carrier passively giving a third party access to all communications on its network connected with mobile phones, from conversations to emails, internet use, document transmission, videos, text messaging – anything. The telecom also refused to keep track of what was taken, or even have the capacity to know.
In September 2003 Mr. Pasdar led a “Rapid Deployment” team that worked with the telecom’s long term consultants to radically restructure its network and security environment. The work provided an intimate insight into the carrier's network infrastructure and systems. This included its computer network, and business systems such as billing, fraud detection, web applications, sales and customer service, among others. The job directly involved data communications for mobile phones such as text messaging, Internet Access, e-mail, and web access. Indirectly, it allowed him to diagnose the network access of all mobile communications, including mobile-mobile and mobile-landline calls. The team reported directly to the telecom’s Director of Security.
1. The “Quantico Circuit”
Mr. Pasdar stumbled upon a high-speed digital line called the “Quantico Circuit.” He repeatedly asked the long term consultants questions such as where the line went, to whom, and whether it was what it seemed to be. (Quantico, Virginia is the company town for a major national military base.) They repeatedly winked, smiled, asked his question back, and refused to answer or explain.
2. Intentional, extraordinary, uncontrolled access
The long term consultants were adamant that the Quantico Circuit was to be uniquely exempt from all security measures and access control. This violated all standard security protocols, and any legal duty to protect its customers’ privacy. It was highly unusual for any third party to have unfettered access in any form to the inner workings of a major telecom or any similar organization. Even the telecom’s own branch offices were firewalled, with strictly limited and controlled access to specified data center systems. By contrast, the Quantico Circuit had uncontrolled, blanket access to all systems.
3. Illegal “refusal to know” syndrome
The long term consultants were equally adamant that the client wanted the network structured so usage logs could not be created for information transmitted through the Quantico Circuit. There could not be any record of what data or communications were removed. This defied basic professional standards, and created potential liability as broad as the network’s customer base. Standard industry practice is that when an organization recognizes information’s relevance for liability litigation, it is responsible for ensuring that any data deletion practices are suspended and that any and all relevant information is preserved. Failure to do so could be considered destruction of evidence, and create telecom liability for breach of duty to its customers.
4. Secrecy enforced by threats
When Mr. Pasdar persisted in advocating minimal access controls or at least usage logging, the long term consultants called the corporate Director of Security. He immediately traveled to the worksite, chastised Mr. Pasdar and informed Mr. Pasdar that he hadn’t seen anything, that nothing would happen, and that he would drop the issue or be replaced. Mr. Pasdar did not argue, but he has been haunted since by the implications and consequences if the Quantico Circuit went to the government, as it appeared.
5. Scope of information vulnerable to surveillance
The scope of uncontrolled “Quantico Circuit” access allowed the third party to obtain significant information about any mobile phone subscribers, including:
listening in and recording all conversations en masse;
collecting and recording mobile phone data use en masse;
obtaining the data they accessed from their mobile phone (Internet access, e-mail, web);
trending their calling patterns and other call behavior;
identifying inbound and outbound callers;
tracking all in and outbound calls;
tracing the user's physical location.
6. Vulnerability to en masse surveillance
The Quantico Circuit could monitor in real-time and transfer information on over 2200 simultaneous conversations. Through the use of “Network VCRs” all conversations and data / Internet usage for mobile users over days or weeks could be recorded en masse – structuring in vulnerability to an indefinite record of every part of every customer’s life that involves mobile phone communications.
In his affidavit Mr. Pasdar is careful not to draw conclusions beyond what he personally witnessed. Many of the technical conclusions are qualified as what is likely or only a vulnerability, because he does not have direct proof. He is sure the security loopholes were intentional, however, and not only because they deviated from corporate and professional SOP. The telecom was adamant that the system be structured to create the vulnerabilities, and to keep itself ignorant of whether or how they were used, or abused.
Mr. Pasdar refuses to speculate about non-technical conclusions. As a result, his affidavit points to more significant questions. For example, who was at the other end of the Quantico Circuit? How long has the Quantico Circuit been in operation? How much and what type of information was collected, both in gross terms and as a proportion of customer communications? What was it? Whose privacy was betrayed?
Mr. Pasdar believes that for an informed choice about what it means to grant telecom immunity, Congress must obtain definitive answers to these types of questions. He believes the operation’s entire scope must be subjected to public scrutiny before excusing telecoms from legal accountability, whether or not the Quantico Circuit went to the government. If the telecom practices he witnessed are not an aberration, the answers will tell us whether in reality the concept of privacy -- let alone the right -- still exists for any communications involving mobile phones. It would be even more significant if the telecom were giving blanket access to a third party other than U.S. authorities, and if the absence of structural accountability for government transmissions permitted that multi-party access. Mr. Pasdar will cooperate with any congressional or other responsible investigations.