May 15, 2006

How the NSA will analyze millions of phone call records

The revelation last week by USA Today that the NSA has
obtained calling records of millions of Americans has
alarmed many in Congress and a large part of the
population, but I suspect many of these folks would be a
lot less worried if they understood what the NSA is likely
to do with those phone records.

Rather than snoop into the actual contents of any
particular conversation, or examine the calling pattern of
any specific individual -- such as you or me -- the NSA is
more likely to engage in what's called "social network
analysis" or "link analysis." Through this advanced method
of data mining, the NSA can sift through mountains of phone
data in an effort to detect non-obvious relationships and
suspicious patterns.

One developer of such social networking analytic software
is Cogito, Inc., of Draper, UT, which drew its name from
Rene Descartes' famous 17th century utterance, "Cogito Ergo
Sum," ("I think, therefore I am.")

Cogito's vice president of product management and
marketing, William Donahoo, acknowledged to me last Friday
that the NSA has licensed the company's "Cogito Knowledge
Center" software, but said he is unaware if the highly
secret intelligence agency is actually using that software
to sift through phone records.

According to published reports, telephone carriers Verizon,
AT&T and BellSouth have cooperated with the NSA since
shortly after 9/11 and turned over records for millions of
their customers, while a competitor, Qwest, has adamantly
refused to comply with the NSA's requests.

Finding a needle in a haystack

Here's an over-simplified explanation of one way in which
this type of analytic software might be used by the NSA to
identify a terrorist.

Suppose the agency had amassed strong evidence that three
Muslim individuals living in the United States -- let's
call them Abdul, Mohammed and Omar -- were active members
of Al Qaeda. And suppose the NSA wanted to identify
additional terrorists.

In a purely hypothetical example, let's assume the NSA fed
millions and millions of phone call records into its
computers and crunched that data with extremely powerful
analytic software, such as that licensed from Cogito.

Beginning with Abdul's phone calling records, the software
could instantly identify every phone number that Abdul
called in, say, March 2006. Let's estimate that Abdul
called 300 people that month.

The software could then, in the blink of an eye, identify
every phone number that each of those 300 people called
during the same month. And in another blink of the eye,
identify every call made during the same month by all of
the thousands of recipients of all of those phone calls.
And on and on.

Let's imagine that after six layers of such phone calls -
you might think of it as "Six Degrees of Separation" - one
of those thousands of people telephones Mohammed, one of
the three original suspected terrorists. The computer has
now established a "chain" of six separate phone calls that
originated with suspected terrorist Abdul and ended with
suspected terrorist Mohammed.

Simultaneously, the NSA might identify a separate chain
that began with Abdul, weaved its way through a different
group of callers and ended with the third suspected
terrorist, Omar.

Now suppose that the powerful software program compares
both chains of calls and discovers that a previously
unknown individual - Iqbal - appears on both chains. In
fact, as the software continues to compare chains that
connect known terrorists, it keeps turning up the presence
of Iqbal, in almost every chain. That would point a strong
finger of suspicion at Iqbal. Investigators would certainly
want to examine Iqbal's activities and associations much
more closely.

Of course, this example is meant only to illustrate a
process by which a careful examination of millions of phone
records by a computer - well beyond the capability of human
investigators acting manually - could turn up vital
intelligence information.

In this scenario, the NSA computers would not be
"listening" to any specific conversations. Nor would they
be focusing on the calling patterns of specific
individuals. Instead, they would be searching for overall
calling patterns that might flush out relationships that
investigators could never hope to identify otherwise.

"Law enforcement officials know from experience that if you
are dealing with illicit activities, the people involved
usually try to communicate indirectly," explained Cogito's
Donahoo. "So, we do a 'centrality analysis' on a subset of
calls to find the leaders."

Some people serve as a "bridge" or a "gatekeeper" -- such
as our fictitious Iqbal - and help to facilitate those
indirect conversations.

The power of such a social network analysis has all sorts
of potential applications.

Searching for "bad guys" in Iraq

While standing at Cogito's exhibit booth at the recent
GovSec security expo and conference in Washington, DC,
I happened to hear -- and participate informally in - an
introductory conversation between a Cogito representative (not
William Donahoo) and a female business development executive
from Verizon.

The Verizon executive was looking for a software tool that
could help her company sift through mountains of its own
phone records of the phone calls made in Iraq on
Verizon's wireless network by current members of the Iraqi
government. She indicated that Verizon has been asked to
determine which members of the Iraqi government are
covertly communicating - either directly or indirectly -
with members of that nation's bloody insurgency, who are
trying to topple the newly-established government. Social
network analysis software might be the answer.

So, whether it is here in the United States or in distant
Iraq, the ability of high-powered software to make sense of
massive amounts of data will probably be less feared as it
is better understood.

Phone record analysis by Cogito

To demonstrate how phone records can be analyzed with its
Knowledge Center software, Cogito fed mobile phone call
records for four of its employees into a database. By
running a "centrality analysis" on the four sets of phone
calls, the software was able to identify who the
communication "gatekeeper" was between those four
employees.