Earlier this week, The Guardian broke a story revealing that Verizon, acting pursuant to an order from the U.S. Foreign Intelligence Surveillance Court (FISC), has been handing over call metadata on millions of individuals to officials at the National Security Agency for a three month period of time.
Such metadata would include phone numbers called, the locations of cell phones at the time the calls were placed, the time of the call, and the duration of the call. Moreover, the order applied to both international and wholly domestic calls, and required Verizon to update the information “on a daily basis.”
As Paul Rosenzweig points out, the basis for this order could easily support requests for similar orders to other telecommunications carriers, which implies an even broader gathering of metadata. At least two U.S. Senators appear to have confirmed that supposition..
Subsequently, The Guardian and The Washington Post reported that nine U.S.-based Internet service providers (Microsoft, Yahoo, Google, Facebook, PalTalk, YouTube, Skype, AOL, and Apple) have provided NSA officials with communications data—which may well include the actual content of communications—for at least six years. At this point, though, most of the identified ISPs deny knowing about the program.
Moreover, The Washington Post obtained and disclosed a series of slides (4 out of 41) used to train NSA analysts. These slides suggest that, through a surveillance program named PRISM, the NSA and the FBI have tapped directly into these providers’ servers to obtain information including “audio and video chats, photographs, e-mails, documents, and connection logs that enable analysts to track foreign targets.”
In response to these stories, Director of National Intelligence James Clapper issued an official statement asserting that such information “is among the most important and valuable foreign intelligence” collected. He further stressed: “The collection is broad in scope because more narrow collection would limit our ability to screen for and identify terrorism-related communications. Acquiring this information allows us to make connections related to terrorist activities over time.”
Clapper also listed a series of restrictions about who, how, and under what circumstances the collected data can be accessed and analyzed. He noted that only specially-cleared and highly-trained personnel can query this data and, even then, only “when there is a reasonable suspicion, based on specific facts, that the particular basis for the query is associated with a foreign terrorist organization.”
Much of the media coverage has failed to distinguish the type of information collected: whether it merely documented that a communication had occurred or actually captured the content of a communication. Some portion of the collected data is simply metadata, which is not covered by the Fourth Amendment. As the Supreme Court of the United States held in Smith v. Maryland, phone record information (such as the fact that one phone dialed another and placed a 10-minute call) does not have the same constitutional protections as the content of such communication (i.e., what was actually said during that call).
I wrote in support of Congress passing the Foreign Intelligence Surveillance Act Amendments Act Reauthorization Act of 2012, extending the FISA system until December 31, 2017. Section 215 of the PATRIOT Act, 18 U.S.C. § 1861, allows for collection of business records, such as the “telephony metadata” at issue here. Additionally, 18 U.S.C. § 1861(b)(2)(A) provides that the government must offer “a statement of facts showing that there are reasonable grounds to believe that the tangible things sought are relevant to an authorized investigation” to gather foreign intelligence.
With respect to information provided to authorities that reveals the content of communications, Prof. Orin Kerr points out that, in all likelihood, the orders justifying such collection were designed to acquire foreign intelligence information against targeted “persons reasonably believed to be located outside the United States,” which is permissible under Foreign Intelligence Surveillance Act of 1978, specifically, at 50 U.S.C. § 1881a(a).
As Stewart Baker has noted, the government’s modus operandi here appears to be “collect first” and query later, if needed, under the conditions set out by the FISC order. This collection-first model (as opposed to the traditional law enforcement model of establishing relevance and then collecting the data) allows the government to blindly gather large amounts of data initially but limits the ability of the government to run inquiries and view the data. However, as Baker notes, “If you trust the government to follow the rules, both models end up in much the same place.” Additionally, this model makes some sense when you consider that, otherwise, the service providers might destroy the data as part of their standard document retention procedures, and that critical terrorist-related information might be irretrievably lost.
The government is currently collecting potentially relevant information on a scope so broad as to preclude any reasonable understanding of its limitation. Ben Wittes has also expressed confusion at what sort of factual basis would justify the gathering metadata from so many individuals. After all, the program seems to allow for the collection of live communications and stored information of both foreign and domestic customers.
While likely legal, that does not mean that it was or is wise to collect all this information. One possible, if not likely, reaction will be for Congress to rein in some of the legal tools that the government has and continues to use to thwart terrorist attacks on our soil. When the pendulum swings too far in one direction, there is often a correlative overreaction in the other direction. That would indeed be unfortunate.