The NSA report, dated May 5, 2017, details what I would assume is only a small part of a more comprehensive investigation into Russian intelligence services' "cyber operations" to influence the US presidential race. The report analyzes several relatively small-scale targeted email operations that occurred in August and October of last year. One campaign used "spearphishing" techniques against employees of third-party election support vendors (which manage voter registration databases for county election offices). Another -- our focus here -- targeted 112 unidentified county election officials with "trojan horse" malware disguised inside plausibly innocuous-looking Microsoft Word attachments. The NSA report does not say whether these attacks succeeded in compromising any county voting offices, or even what the malware actually tried to do.
Targeted phishing attacks and malware hidden in email attachments might not seem like the kind of high-tech spy tools we associate with sophisticated intelligence agencies like Russia's GRU. They're familiar annoyances to almost anyone with an email account. And yet they can serve as devastatingly effective entry points into even very sensitive systems and networks.
So what might an attacker -- particularly a state actor looking to disrupt an election -- accomplish with such low-tech attacks, should they have succeeded? Unfortunately, the possibilities are not comforting.
Encryption, it seems, at long last is winning. End-to-end encrypted communication systems are protecting more of our private communication than ever, making interception of sensitive content as it travels over (insecure) networks like the Internet less of a threat than it once was. All this is good news, unless you're in the business of intercepting sensitive content over networks. Denied access to network traffic, criminals and spies (whether on our side or theirs) will resort to other approaches to get access to data they seek. In practice, that often means exploiting security vulnerabilities in their targets' phones and computers to install surreptitious "spyware" that records conversations and text messages before they can be encrypted. In other words, wiretapping today increasingly involves hacking.
This, as you might imagine, is not without controversy.
Recent news stories, notably this story in USA Today and this story in the Washington Post, have brought to light extensive use of "Stingray" devices and "tower dumps" by federal -- and local -- law enforcement agencies to track cellular telephones.
Just how does all this tracking and interception technology work? There are actually a surprising number of different ways law enforcement agencies can track and get information about phones, each of which exposes different information in different ways. And it's all steeped in arcane surveillance jargon that has evolved over decades of changes in the law and the technology. So now seems like a good time to summarize what the various phone tapping methods actually are, how they work, and how they differ from one another.
Note that this post is concerned specifically with phone tracking as done by US domestic law enforcement agencies. Intelligence agencies engaged in bulk surveillance, such as the NSA, have different requirements, constraints, and resources, and generally use different techniques. For example, it was recently revealed that the NSA has access to the international phone "roaming" databases that phone companies use to route calls. The NSA apparently collects vast amounts of telephone "metadata" to discover hidden communications patterns, relationships, and behaviors across the world. There's also evidence of some data sharing from the intelligence side to law enforcement (see, for example, the DEA's "Hemisphere" program). But, as interesting and important as that is, it has little to do with the "retail" phone tracking techniques used by local law enforcement, and it's not our focus here.
Phone tracking by law enforcement agencies, in contrast to intelligence agencies, is intended to support investigations of specific crimes and to gather evidence for use in prosecutions. And so their interception technology -- and the underlying law -- is supposed to be focused on obtaining information about the communications of particular targets rather than of the population at large.
In all, there are six major distinct phone tracking and tapping methods used by investigators in the US: "call detail records requests", "pen register/trap and trace", "content wiretaps", "E911 pings", "tower dumps", and "Stingray/IMSI Catchers". Each reveals somewhat different information at different times, and each has its own legal implications. An agency might use any or all of them over the course of a given investigation. Let's take them one by one.