Why Anonymous Phone Cards Aren't
Here is extracted testimony of the FBI, relating to the tracing of a telephone debit card found in the possession of Timothy James McVeigh.
The card had been purchased in the name of Darryl Bridges, an apparently fictitious person, from a right-wing newspaper called The Spotlight.
It was the government's contention that the card was used to call for bomb making materials and transportation in the months prior to the bombing of the Oklahoma City Federal Building on April 19, 1995.
May 7th, 1997 in the UNITED STATES DISTRICT COURT FOR THE DISTRICT OF COLORADO
Criminal Action No. 96-CR-68
(...)
THE WITNESS: My full name is Frederick Raymond Dexter, D-E-X-T-E-R.
(...)
DIRECT EXAMINATION BY MR. MACKEY:
(...)
Q. For whom do you work?
A. I'm employed by the FBI.
Q. And how long have you worked for the FBI?
A. A little over 23 years.
Q. Has that 23 years of experience been largely dedicated to a single area of specialty?
A. Yes. The majority of my work has been working with - stationed in Washington, D.C., but working with field offices on major cases doing all kinds of automation work, always in the data-processing area.
(...)
Q. Are you a special agent?
A. No, I am not (...)
Q. What is your current position?
A. I'm the unit chief of the Investigative Intelligence Support Unit.
Q. And in that position, do you supervise or oversee other computer specialists?
A. Yes, I have 23 - approximately 23, maybe 24, computer specialists that work for me.
Q. Tell the Court and the jury a little bit about your present-day duties.
A. The unit supports automation efforts for the FBI in many program areas. One of our tasks is to support major case investigations throughout the United States. When records are subpoenaed or whatever, we automate those records to support the analysis for agents in the field. That's one of the tasks.
(...)
Q. What sort of positions have you held in that field or in that unit over your 23 years?
A. When I came to the FBI, I was a programmer, wrote software for all kinds of investigations, white-collar crime, investigations in the early 70's through the mid 70's. And I became a computer systems analyst, which I was in charge or the team leader over some computer programmers. Then I became a project manager over that continued group and advanced through the same unit until where I am today to be the unit chief.
Q. In the course of those years prior - prior years, have you had the task of organizing, managing, and understanding large volumes of telephone records?
A. Yes, I have. In some cases, numerous cases, UNABOM investigation, the Judge Vance murder investigation in Alabama, World Trade Center investigation, numerous other investigations. I managed, analyzed, and helped write software to the tune of millions of records in - in numerous cases.
Q. And did such a task, although on a smaller scale, fall to you in this particular investigation?
A. Yes, it did.
Q. Tell the Court exactly what your assignment was as it relates to the present case.
A. My task which I was assigned around June I was to obtain records from WCT in California and take those records - all of the records that were needed and produce what would be an intelligible, easy-to-read summary of calls that were made against the debit card.
(...)
Q. I want to spend a little time now, Mr. Dexter, acquainting the court and the jury with the steps that you took in order to (...) produc(e) that summary.
(...)
A. When I visited with the people from WCT initially, I found out that there were three sets of records from them. (...) I took those records and put them together. In addition, there was other information that was needed. There was a particular area of the country that did not pass the "from number" to the WCT place, so those records had to be subpoenaed and merged in with them. Once the telephone numbers were identified that were either originating numbers or terminating numbers, then the subscriber data had to be subpoenaed and then merged in with those records or matched to those so that we know who the subscriber was of that telephone at the time that the phone calls were made.
Q. Let's turn your attention to a series of computer disks that should be before you marked as 509, 513, and 511.
(...)
A. (...) (l)et's talk about 509 first.
509 is the incoming information into the WCT switch that is referred to a lot of times. You may have heard 3911. That is the information as it comes into the switch. The last set of disks that we obtained from them is the 3910 records, the file that they refer to as 3910, and that is the information of calls that are answered. If a call is not answered, then it would not be on these disks.
(...)
A. When a phone call is made in the left-hand corner there, you will see that the - the information - or when you dial the number, it goes to your local phone company. If you dial an 800 number and the other seven digits, that phone call will then go to NASC, the Number Administration and Service Center, for routing. And at the NASC, every time a call comes in there - there's one of those that's located somewhere in the United States. Every time a local phone company gets an 800 call, they send it to that place. It does a query for that local phone company, and it determines the routing for how it goes to the destination that it needs to go to.
Q. Let me interrupt and ask you, are you familiar with who managed the 800 number for the Spotlight debit calling card system? What company?
A. WCT (...) (m)anaged the - the information for them.
Q. All right. Thanks.
A. The - the routing on this particular chart that we have up here shows that the NASC routed it directly to the switch at - the Los Angeles switch, as the title says. So it would go then to WCT. Within the red box is a switch that is at Los Angeles, WCT's location. The information would come in on the left side into (...) the 3911, the incoming call group. (A)t that point, certain information is captured. (...) It logs, as it comes in, the date, the time, the number of the telephone that sent (...) the call to it. And at that point, it is assigned a particular number to follow its way through here. (...) (I)t then passes the information to OPUS. (...)
There's a message that goes back to the caller and says, "Thank you for calling Spotlight," if that's who it is, or whatever debit card they handle. WCT handles many debit-card systems or debit-card customers, and it welcomes them and it says, "Now would you put in your PIN number and also put in the 'to number.'" If you put in the "to number" right away, it doesn't come back and tell you how much is on your balance.
(...)
A. In fact, (...) when you make the call to the local phone company, they create a record right there of the date and time of that call, and much information is done there. Then as it passes through the 3911, it captures the information there. A computer captures that. Once a person puts in a PIN number and their "to number," it would be then passed down (...) to make sure there's some money in the account that you can make a call. (...) It goes to one of the four computers down on the bottom from the servers in the middle and one of the four computers or processors. The 3911 is hardwired. A lot of wires go down and wires go to each one of those four (computers). And we'll refer to those as Processor 1, 2, 3, and 4 later on. Once the OPUS has those records, it then sends the information up - back to (...) the WCT switch, to the 3910 and the number is dialed to go out to wherever you're calling. And when you do that, the information again is collected at the 3910 (...) Then the information goes to a local phone company and your phone rings. If you pick up the phone and answer it, (...) when you hang up, then a record is completed at the 3910. If you didn't answer the phone, no record is actually written at the 3910. When you hang up the phone, records are written (...) at each one of those locations.
Q. All right. As I understand your testimony, information is gathered in each of those three boxes, 3911, OPUS, and 3910. Is that information always the same?
A. There are certain pieces of information in each one of those files that are collected.
The date is collected in each one of those files. There is a time that is collected in each one of those files. That time obviously isn't the same in each one of those files because it's a progression thing. When you dial the 800 number, the 3911 captures that. It's a little bit later when you put in the PIN number and the "to number," at the time you captured down in the (...) OPUS record, and then it's a little bit later, like a second later, that it would get captured in the 3910.
(Testimony presented out of sequence, for clarity)
Q. Incidentally, Mr. Dexter, in this diagram, there are names associated with the subscriber number. When you were working with the data, did you have any subscriber information?
A. When - when we worked with these three files, I had no subscriber information. And it was not until we had totally completed the process and handed it to the people to do the subpoenas for the particular numbers, which then they came back, that any of these numbers were identified or known to me. I did not know any of those numbers during the matching process.
Q. So as you were identifying choices for matches, you had no idea whether one of those choices was a name associated with the investigation or not?
A. I did not.
Q. You had numbers only?
A. Numbers. Dealt strictly with numbers.
(Second piece of testimony presented out of sequence)
Q. Mr. Dexter, can you tell the jury what tic time is?
A. Two of the files, the 3911 and the 3910, kept track of the time of day in what they call tics. And what that is is every 3 seconds as the clock goes by, starting at midnight, it adds one to a counter on the switch. So after - if you happen to look at a record that had the beginning tic time of 20 in it, you would multiply each one of those tics by three and you would know that it's actually 60 seconds or one minute past midnight.
If you were to look at a record that had 1,200 tics in it as the starting time, then you would multiply 1,200 by 3 and have 3,600 seconds past midnight. In the computer, we put in an algorithm to figure out - to convert that to clock time so everybody could understand it, because looking at tics doesn't mean anything to anybody. It's a very simple algorithm in that once you've multiplied by the 3 seconds and know how many seconds it is past midnight - there's 3,600 seconds in an hour, so you just take that number that you have, divide it by 3,600, and you have how many hours you are past midnight. Whatever the remainder is, you have that many seconds left. You divide that by 60, and you have that's how many minutes you are - that many hours and minutes past midnight. And then whatever the remainder is, that's how many seconds there are. And the clocks in 3911 and 18 kept the beginning and ending time in tics for each one of those. So every record there, when you look at it, you automatically had - you could never get finer than 3 seconds because they didn't capture anything other than 3-second intervals.
Q. And did you use this unit of measure, the tic time, in your preparation of the summary?
A. Yes, we -
Q. Why did you do that? Why did you rely on tic time?
A. We were - we were in - in meetings with WCT while they were explaining their records, they explained that there was a field in their records. You've seen the file layout for the 3910, 3911. There's a field called "Time," but that is not the actual time of the call. That was actually time of the customer, where they wanted to be billed. These computers were on the West Coast, but if you were a company that was in Mountain Time, then you would ask for your billing records to be offset one hour so the time in the record that they have under the field called "Time" was not really the time.
It was always an offset. The tic time was always absolutely the time when a call started and ended according to Pacific either Daylight or Standard Time.
(End of testimony out of sequence)
(...)
Q. How many total records of telephone calls did you have to look at among or from those three disks or three sources?
A. Without looking at the exact numbers, there was over 100,000 in each one of the files. Approximately - I'm sure we have an exhibit that gives us the exact numbers.
(...)
Q. Let's spend a little time, Mr. Dexter, talking about the timing of events. You described three different sets of records, timing of events somewhat close but maybe never always the same moment. Did you find there were different times among the records you were looking at?
A. Yes, we did. And going back to the chart, the one thing that is common is that every - every call that comes in has to go through 3911. If - if every clock was synchronized on every one of these computers, the computer at the local phone company at the top, that would be the earliest time if they were all in synch. The time that is in the 3911 when it starts would be the next time if they were all in synch. When you get down to OPUS, if all four of those computers had the exact same time on it, then whichever one it went to, that would be a little bit later. (...) We're talking milliseconds or a second or two seconds this happens, very quickly after a person puts their PIN number and "to number" in. But there can be or usually is a minute or so from the time you put the 800 number in until you get down to the OPUS record, because a person has to put in the PIN number, the "to number," and the processing, etc. It takes that much time.
Q. And that all assumes that every computer that processes that call has a synchronized clock?
A. That's correct.
Q. And do they?
A. There were none of them that were synchronized.
Q. What did you - what did you do to address that problem of identifying an accurate time of telephone calls?
A. Well, since - since every call had to go through the WCT switch, no matter where it originated or where it went out, we used that as our constant clock. And then everything we worked with was a difference or a deviation from that particular WCT switch. The clock, by the way, in the 3911 and the 3910 is the same clock because it's in the same computer, the same switch.
Q. So the first step was to use the same measure of time in pulling together the various items of telephone calls?
A. You use a constant clock, yes.
Q. In this case, you use the clock on the L.A. switch?
A. Yes.
Q. Faced with some - more than 300,000 records, what was the first step you took to reconstruct the activity on one account in the name of Daryl Bridges?
A. The first thing that we did since we knew that the account number is logged into only one of these files, and that is the file at the bottom called OPUS or where the debit card records are, we ran a program to go in there and pull off all of the records that were - had been stored in the database using that particular account number.
(...)
A. The OPUS file told us how many records there were in the OPUS file by all of the Spotlight customers. This particular exhibit shows us exactly the number of records that were stored in the OPUS file that had the Daryl Bridges account number in each of those records.
Q. So you could design a computer program to say from the 155,000 plus records, find just those with the Daryl Bridges account number?
A. That's correct.
Q. And what you started with then was down to 681 such records?
A. Correct.
(...)
METHOD 1
Q. Now, having focused on the Bridges records and the OPUS file, what was your next step in producing the summary?
A. The next step was to take each one of those records; and by looking at those records, we knew certain information. We knew a lot of information by looking at the OPUS record. We knew the date of the call. We knew the time of the call. We knew the terminating number of the call.
We had the account number because we only pulled one account number. And we had a duration that came with the OPUS records. So we had all of those. The thing that we needed to match it was - was to find the "from number." The only file that carried the "from number" was, in fact, the 3911. So the first step would be to go in and match each one of those OPUS records, each one of those 8 - 681 records with a corresponding 3911, how it came into the L.A. switch.
(...)
A. We started with (...) the OPUS file - and the key to matching that up to the 3911 was the port (...) This port has a corresponding port number. And then the date, of course, would have to match the date down here. And the beginning time would match the beginning time here. To match a 3911 record, that was the key fields that you used to match.
Q. You made reference to associations between ports. What exactly was that relationship?
A. There is a - I call it a matrix, but it was a process that was developed by WCT and their contractor. If you would envision like 132 electric outlets. And each one of those outlets, you would plug a wire into it. And some of those wires in 3911 would go down to Processor 1, some of those wires would go to Processor 2, and some of those would go to 3 and some would go to 4. On the back of each one of those, it looks like electrical outlets, also. So from the 3911, there is a hard wire that goes from the 3911 down to - and I'll just use Processor 1. On the back of there, there's actually a number. Each one of those electric outlets, ports, have a number associated with it. And when you go down to the processor at OPUS, that has a number associated with it, also. So when a call comes in to the 3911, (...) it goes out of a particular port onto that wire and goes into a port into the OPUS processor; and each one of those are numbered so that it follows that constant path, depending on which one of the ports it selected when it came into the 3911.
(...)
A. We would start here with an OPUS record. And in that record, we would look at a date, a begin time, and a port. And we would be trying to match that with a 3911 record that has a corresponding port over here. The date would have to match exactly. And since the clocks were not synchronized, we would look for a record in the 3911 that is within 2 minutes of the - of the time in the OPUS record. Then we would take that pair down here, once we find that record, and we - we'd try to find if, in fact, that call was answered. If the call was answered, a record is created in the 3910 file. (...) The other thing is - is the end time in the 3910 and the 3911 are the same. They are to within one tic because when they hang up the phone, the WCT switch writes the record out, and it writes it at the same time or within 1 second of each other. So when you find a record in the 3910 that the end time matches exactly, you have absolutely locked in on the record.
Q. Mr. Dexter, how many phone calls did you find took place on the Daryl Bridges account after September 14, 1994, and April 19, 1995?
A. There were 604 calls.
Q. And how many of those calls were matched in the process you've just described?
A. Using the L.A. switch as this process?
Q. Yes.
A. There were - of the 604, there was around 500 of them that were matched in that process.
(...)
Q. So of the five fields of information, you relied on the 3911 for start time and called from and for the other three, the OPUS source?
A. That is correct with one exception. The length in the OPUS file, there was always a length of a call. If, in fact, the call was answered, then it was the talk time of the call. If, in fact, the call was not answered, then the duration in the 3910 record was the ring time of the call. So in our summary, if a call was not answered, we wanted to demonstrate that the call was not answered. So therefore, zero was put into the summary.
Q. Now, the method that you have described and illustrated thus far, did that allow you to match all of the data that you have before you?
A. No. That was the first of three different ways that the information had - had to be matched.
Q. And what was the second method?
METHOD 2
(The only difference in the entire process is that original port number is not available in the 3911.)
A. The second method was if - dealt with information that did not come directly into the Los Angeles switch. When the local call was made and it went to the NASC, the NASC routed that call to a switch other than L.A. first. And then it would be routed to L.A. so that was the second set of calls that had to be matched.
Q. And why did the fact that a call might start in the Chicago switch cause any special problems for you in your matching?
A. The - the problem there was - is that in the 3911 record, the information that was captured in each one of the records for a non-L.A. switch carried with it the time that it was and the switch where it came from. So if it was Atlanta, it carried East Coast time. That was stored in the record. Although those 3911 records that came through L.A., the time was always Pacific Time. If a switch was not L.A., then it - the record carried the time of the time zone where that switch was located.
(...)
A. (...) WCT had, I believe, six of those switches around the country to help offload. You can't send everything to one switch. So they had information there that processed the information and then would send it on to Los Angeles. When the record left the non-L.A. switch and came to L.A., it would go to the 3911 side and it would go into a port there and the call would be handled within the record, although those records would be created, the 3911, the OPUS, the 3910, exactly the same way as the other one except that in the 3911 record, it captured information from the non-L.A. switch because they needed it for carrier billing and it didn't capture certain information that was available in the L.A. switch at that time. So the port that was used in the L.A. switch, in fact, was not captured in the 3911 record. (...) In each one of the records, there is a field that is called switch, and there's a number in it. If the number is a 10, then we know that record originated in the L.A. switch. If it was - I'll give two other examples. If it was a 2, it was - it told us it was - originated in the Chicago switch. If it was a 4, it originated in the Dallas switch. There was also switches in Philadelphia, Atlanta, San Francisco, and Seattle - I believe that was the other four places.
Q. So once you knew where that call had started, you knew how many hours to adjust in your calculations?
A. That's correct. (...) Okay. We would - we would in this case - first, you would have looked for - when you have an OPUS record, you would have looked to see if, in fact, the ports matched over to the 3911. In fact, if it did not, then what you did is you looked for a 3911 record with a - the same date and the same time; but the 3911 had to be adjusted for the number of hours, wherever that switch was. So you would be looking for a record that would be either I - there were no switches in Mountain Time so you'd be looking for a switch - a record that was two hours difference, if it was Central, or three hours difference if it was East Coast Time to do the match there. (...) Once you have matched an OPUS with a 3911 record to match a 3910 record, the ports now are available again. So that match guarantees when you go across, you have the OPUS record as it's hard wired up to the 3910. You have that port sequence that follows through. You have the ending tic time, and the 3910 matches the ending time in the 3911. And the "to number" in the OPUS record matches the "to number" in the 3910.
So the only difference in the entire process is that original port number is not available in the 3911.
METHOD 3
A. This - this debit card for Spotlight has a process a lot like a lot of debit cards or calling cards that you can make or call a second number without redialing the 800 number again or without putting your PIN number in again. And how that works is on the original call, you dial the 800 number. Spotlight answers it and says put in your PIN number, put in your "to number." You do all that. The money is available. You connect with that call, talk to the person, or whatever. When they hang up, instead of you hanging up the phone, you can hit the pound sign. And when you hit the pound sign, that then you can dial another "to number," instead of having to go through the whole process of getting into the system again. And you continue to repeat this as many calls as you want as long as you have money in your account that will continue to be subtracted when you're making - calling that particular number.
Q. What's that feature known as?
A. We refer to that as the reorigination feature within the calling card.
(...)
Q. What was the consequence in terms of the records that you had available to match if that person had done a series of reorigination calls?
A. Well, the - the thing we want to remember is when the 800 number is called, a 3911 is created. (...) An OPUS record is created every time that a "to number" is put in, and a 3910 is created every time a call is answered. So if you use the reorigination feature, you end up with one 3911 record created in the file... you will end up with many OPUS records... and you will get a... corresponding 3910 record for each one of those that is, in fact, answered.
Q. So the answer in 3911 will encompass more than one call?
A. Yes, it will.
Q. And then it fell to you to figure out how many steps or how many parts there were to that total sequence?
A. Yes.
Q. Did you develop a methodology for doing that?
A. Yes.
And it - it actually worked in reverse. We didn't go in with known 3911's. We had (681) OPUS records. And we matched up all the ones that would match up through the L.A. switch, because you had a 3911. (...) Then what you had is you had a certain number of records that did not match to a 3911. (...) It was very obvious on reorigination records, because once you were into the 3911 record, that port was selected for all of your calls that you made during that reorigination. So every call that you made used the same port in OPUS and if it was answered, used the port in the 3910, because you had that electrical connection that it just continued to use that same one path through there all the time.
(...)
Q. What steps did you take then to calculate the time of calls that took place in the series of reorigination calls?
A. (...) You always knew the start time of the call because it's (in) the 3911 when it came in. You always knew the ending time of the last call because you have the duration from the OPUS record, whether it's 5 seconds, it's a minute; and you know the ending time of the 3911. So all you have to do is subtract the duration from the end of it. So the last call in the series, you always know what (...) time it was. The one situation where you do not know the start time of the call is if it's in the middle of a series of more than two calls and, in fact, that call was answered. Then you had to come up with and we did come up with a standardized formula to calculate that time, so that it was the same across every reorigination call.
THE COURT. (...) What we have to do is caution the jury that these exhibits are not going to tell us who made the call or who received the call or what was said in the call and that with respect to the subscriber information, again, it's simply based on what these phone companies have in their records with respect to who they sent the bills to.
Commentary on the Extracted Testimony of Frederick Dexter
The first thing which becomes apparent in the FBI's testimony is that the suspect's use of the card was a misinformed attempt at subterfuge. The card was purchased with postal money orders in a fictitious name, and was "refilled" by money order twice. This indicated that the user was attempting to leave no trace of their identity when they used the card to make telephone calls from various locations around the country.
The major failing of this strategy was the continued use of the card for several months and the retention of the card beyond its operational utility. McVeigh apparently used the card too long, and left the card in the possession of a friend to whom he was easily traced. The FBI found the card, and thus was able to reconstruct several months of activity on it with only a single breach in operational security.
A more successful strategy would have involved the use and disposal of several prepaid phone cards purchased anonymously at gas stations. These cards would be used for a few calls each, short of their $10-20 face values, and discarded with the remaining credit intact so that they might be adopted by unsuspecting people. This would be an impediment to successful tracing even if an account number was obtained by a surveillance agency. Anyone following the electronic trail would be led astray as the person who found the card went her separate way.
The second lesson which this teaches us is the relative difficulty the FBI has in tracing these cards for ordinary cases or casual surveillance. The search which produced the card in question and allowed its tracing was conducted by almost 50 agents. The information used in reconstructing the call activity involved the subpoena of several bodies of evidence, including subscriber records, from each local phone company which handled the calls, as well as from the company which handled the 800 number and debit billing. Clearly this is not a real-time capability for the FBI, unless the account number is known in advance and the subject is essentially under close surveillance. From past experience this would only apply to espionage or terrorism cases involving suspects subject to infiltration or agents provocateur.
The third thing which this teaches us is that the records do not actually prove anything. As the court said in this case, these records cannot show who actually used the card, or what was said, or who was spoken to at the terminating end. They are primarily of use in inferring guilt, and are thus less useful the less any single card is used.
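The tic-time conversion and the Method 1 record match described in the testimony, written out as an added example; it is not the FBI's or WCT's software. The record layouts, field names, the shared `path` number standing in for WCT's port matrix, and all sample records are assumptions constructed for illustration.

```python
from dataclasses import dataclass

TIC_SECONDS = 3       # testimony: the switch counter adds one tic every 3 seconds from midnight
WINDOW_SECONDS = 120  # testimony: the 3911 start lies within 2 minutes of the OPUS time
END_TIC_SLACK = 1     # testimony: 3910 and 3911 end times agree to within one tic


def tics_to_clock(tics: int) -> str:
    """Convert a tic count to HH:MM:SS on the switch clock."""
    hours, remainder = divmod(tics * TIC_SECONDS, 3600)
    minutes, seconds = divmod(remainder, 60)
    return f"{hours:02d}:{minutes:02d}:{seconds:02d}"


@dataclass(frozen=True)
class Inbound:        # one 3911 record (hypothetical layout)
    date: str
    path: int         # assumption: ports already translated to a shared path number
    begin_tic: int
    end_tic: int
    from_number: str


@dataclass(frozen=True)
class Debit:          # one OPUS record (hypothetical layout)
    date: str
    path: int
    begin_seconds: int  # seconds past midnight on the unsynchronized OPUS clock
    to_number: str
    duration: int       # talk time if answered, otherwise not meaningful as talk time


@dataclass(frozen=True)
class Answered:       # one 3910 record, written only when the call is answered
    date: str
    path: int
    end_tic: int
    to_number: str


def match_call(debit, inbound_records, answered_records):
    """Method 1: tie an OPUS record to its 3911 record, then look for a 3910 record."""
    candidates = [
        r for r in inbound_records
        if r.date == debit.date and r.path == debit.path
        and abs(r.begin_tic * TIC_SECONDS - debit.begin_seconds) <= WINDOW_SECONDS
    ]
    if len(candidates) != 1:
        # Do not guess: leave zero or multiple candidates for another method or review.
        return {"status": "ambiguous" if candidates else "unmatched"}
    inbound = candidates[0]
    answered = any(
        a.date == inbound.date and a.path == debit.path
        and a.to_number == debit.to_number
        and abs(a.end_tic - inbound.end_tic) <= END_TIC_SLACK
        for a in answered_records
    )
    return {
        "status": "matched",
        "date": inbound.date,
        "start": tics_to_clock(inbound.begin_tic),  # start time comes from the 3911
        "from": inbound.from_number,                # only the 3911 carries the "from number"
        "to": debit.to_number,
        "length": debit.duration if answered else 0,  # unanswered calls are shown as zero
    }


# Constructed sample records (not taken from the case exhibits).
INBOUND = [
    Inbound("1995-01-10", 17, 1200, 1300, "555-0100"),
    Inbound("1995-01-10", 22, 14400, 14420, "555-0101"),
]
DEBITS = [
    Debit("1995-01-10", 17, 3655, "555-0199", 240),   # OPUS clock 55 s after the 3911 start
    Debit("1995-01-10", 22, 43250, "555-0188", 30),   # no 3910 record: never answered
    Debit("1995-01-10", 17, 50000, "555-0177", 60),   # no 3911 record inside the window
]
ANSWERED = [Answered("1995-01-10", 17, 1301, "555-0199")]

SUMMARY = [match_call(d, INBOUND, ANSWERED) for d in DEBITS]

if __name__ == "__main__":
    for row in SUMMARY:
        print(row)
```

Records that come back `unmatched` here correspond to the calls the testimony handles with Methods 2 and 3 (time-zone adjustment for non-L.A. switches, and reorigination), which this block does not implement.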