cole_1-061914.jpg

Larry Downing/Reuters

The NSA’s new director, Admiral Michael Rogers, at a cybersecurity summit in Washington, D.C., May 12, 2014

Supporters of the National Security Agency inevitably defend its sweeping collection of phone and Internet records on the ground that it is only collecting so-called “metadata”—who you call, when you call, how long you talk. Since this does not include the actual content of the communications, the threat to privacy is said to be negligible. That argument is profoundly misleading.

Of course knowing the content of a call can be crucial to establishing a particular threat. But metadata alone can provide an extremely detailed picture of a person’s most intimate associations and interests, and it’s actually much easier as a technological matter to search huge amounts of metadata than to listen to millions of phone calls. As NSA General Counsel Stewart Baker has said, “Metadata absolutely tells you everything about somebody’s life. If you have enough metadata, you don’t really need content.” When I quoted Baker at a recent debate at Johns Hopkins University, my opponent, General Michael Hayden, former director of the NSA and the CIA, called Baker’s comment “absolutely correct,” and raised him one, asserting, “We kill people based on metadata.”1

It is precisely this power to collect our metadata that has prompted one of Congress’s most bipartisan initiatives in recent years. On May 7, the House Judiciary Committee voted 32–0 to adopt an amended form of the USA Freedom Act, a bill to rein in NSA spying on Americans, initially proposed by Democratic Senator Patrick Leahy and Republican Congressman James Sensenbrenner. On May 8, the House Intelligence Committee, which has until now opposed any real reform of the NSA, also unanimously approved the same bill. The Obama administration appeared to welcome the development, although on May 20 it managed to convince the House Rules Committee to water down the bill to such an extent that several important civil liberties groups have now withdrawn their support of the bill—including the Center for Democracy and Technology and the Electronic Frontier Foundation. On May 22, the House passed the bill in its compromised form, 303–121.

For some, no doubt, the very fact that this bill has attracted such broad bipartisan approval will be grounds for suspicion. After all, this is the same Congress that repeatedly reauthorized the 2001 USA Patriot Act, a law that was also proposed by Sensenbrenner and on which the bulk collection of metadata was said to rest—even if many members of Congress were not aware of how the NSA was using (or abusing) it. And this is the same administration that retained the NSA’s data collection program, inherited from its predecessor, as long as it was a secret, and only called for reform when the American people learned from the disclosures of NSA contractor Edward Snowden that the government was routinely collecting phone and Internet records on all of us. So, one might well ask, if Congress and the White House, Republicans and Democrats, liberals and conservatives, all now agree on reform, how meaningful can the reform be?

It’s a reasonable question. This compromise bill addresses only one part of the NSA’s surveillance activities, and does not do nearly enough to address the many other privacy-invasive practices that we now know the NSA has undertaken. And the last-minute revisions pressed by the administration significantly weaken its protection. But it’s nonetheless an important first step and, particularly if strengthened by the Senate, would introduce several crucial reforms affecting all Americans.

First, and most importantly, it could significantly limit the collection of phone metadata and other “business records.” Until now, the NSA and the Foreign Intelligence Surveillance Court have aggressively interpreted a USA Patriot Act provision that authorized collection of business records “relevant” to a counterterrorism investigation. The NSA convinced the court that because it might be useful in the future to search through anyone’s calling history to see if that person had been in contact with a suspected terrorist, the agency should be able to collect everyone’s records and store them for five years.

The NSA has said that it only searched its vast database of our calling records when it had reasonable suspicion that a phone number was connected to terrorism. But it did not have to demonstrate the basis for this suspicion to a judge. Moreover, it was authorized to collect data on all callers one, two, or three steps removed from the suspect number—an authority that can quickly generate more than one million phone numbers of innocent Americans from a single suspect source number. The fact that you may have called someone (say, your aunt) who in turn called someone (say, the Pizza Hut delivery guy) who was in turn once called by a suspected terrorist says nothing about whether you’ve engaged in wrongdoing. But it will land you in the NSA’s database of suspected terrorist contacts.

Advertisement

Under the USA Freedom Act, the NSA would be prohibited from collecting phone data en masse. Instead, such records would remain with the telephone companies, and the NSA would only be authorized to approach those companies on an individual, case-by-case basis, and only when it could first satisfy the Foreign Intelligence Surveillance Court that there was reasonable suspicion that a “specific selection term”—for example, a name, phone number, or address—is linked to an international terrorist or a representative of a foreign government or political organization. At that point, the court could order phone companies to produce calling records of all numbers that communicated with the suspect number (the first “hop”), as well as all numbers with which those numbers in turn communicated (the second “hop”).

In the bill as initially approved by the Intelligence and Judiciary committees, the “specific selection term” had to identify a unique person, entity, or activity associated with terrorism or a foreign agent. However, at the administration’s behest, the Rules Committee expanded that term to include any “discrete term…used by the Government to limit the scope of the information or tangible things sought.”

This vague formulation leaves entirely unspecified just how limited the scope must be. Presumably nationwide collection is no longer permitted, but would a request for all e-mail records of persons with the last name of Mohammed, or with an address in New York City, be sufficiently “limited”? Nothing in the bill precludes such an interpretation, and the executive has already shown its proclivity for reading the language as aggressively as possible.

Further restrictions are necessary. Through these authorized searches the NSA would still be able to collect large amounts of metadata on persons whose only “sin” was that they called or were called by someone who called or was called by a suspected terrorist or foreign agent. At a minimum, “back-end” limits on how the NSA searches its storehouse of phone numbers are still needed. But the bill would at least end the practice of collecting everyone’s calling records.

Second, the new House bill imposes similar limits on other USA Patriot Act provisions that were susceptible to being used, or had been used, to authorize collection of data in bulk. These include a provision empowering the government to obtain information by “national security letters,” a kind of administrative subpoena issued without judicial oversight, and “pen registers,” which intercept Internet and phone trafficking data. All of these powers would now be limited by the same requirement that the government seek case-by-case warrants based on a “specific selection term.” The point is to end bulk collection of data across the board, and return the agency to the more targeted searches and inquiries that US laws have historically deemed reasonable. But as noted above, “specific selection term” has been so expansively defined that the bill as currently drafted may not serve its intended purpose.

Third, the bill would establish a panel of legal experts, appointed by the presiding judges of the Foreign Intelligence Surveillance Court, who would participate in proceedings before the court when it addresses “a novel or significant interpretation of law,” and in any other proceedings at the court’s discretion. They would appear as amicus curiae, or “friends of the court,” but their purpose would be to add an independent assessment of the legal issues involved, ensuring that the court is not hearing only from the government. Such a panel would increase the likelihood that difficult legal issues get a full and fair consideration, and would likely shore up the legitimacy of the secret court, which as of now is dismissed by many, rightly or wrongly, as a “rubber stamp.”

Finally, the bill contains a number of measures designed to increase transparency and oversight. It would require the attorney general to request the declassification of opinions of the FISA court, permit private Internet and telephone companies to report semiannually on the volume of records they were ordered to produce, and compel the inspectors general of the Justice Department and the Intelligence Community to report on the numbers of records requested and the effectiveness of the program. Had Verizon been permitted to report, for example, that it was being forced to turn over hundreds of millions of phone records on its customers to the NSA, and had the inspector general informed us that the program had stopped not a single terrorist act, it is likely that bulk collection would have been cut short long ago.

Even with all these reforms, however, the USA Freedom Act only skims the surface. It does not address, for example, the NSA’s guerrilla-like tactics of inserting vulnerabilities into computer software and drivers, to be exploited later to surreptitiously intercept private communications. It also focuses exclusively on reining in the NSA’s direct spying on Americans. As Snowden’s disclosures have shown, the NSA collects far more private information on foreigners—including the content as well as the metadata of e-mails, online chats, social media, and phone calls—than on US citizens.

Advertisement

The FISA Amendments Act of 2008 permits the NSA to intercept the content of communications when it can demonstrate nothing more than reason to believe that its targets are foreign nationals living abroad, and that the information might relate to “foreign intelligence.” “Foreign intelligence” is in turn defined to include any information that might inform our foreign affairs, which is no restriction at all. Under this authority, the NSA established the PRISM program, which collects both content and metadata from e-mail, Internet, and phone communications by millions of users worldwide. It is probably under this authority that, according to The Washington Post, the NSA is recording “every single” phone call from a particular unnamed country. Documents leaked by Snowden demonstrate that the NSA also collects, again by the millions and billions, foreign nationals’ e-mail contact lists, cell phone location data, and texts.

A set of documents disclosed on May 13, in conjunction with the publication of Glenn Greenwald’s No Place to Hide: Edward Snowden, the NSA, and the US Surveillance State, confirms that the NSA has indeed sought to “collect it all.”2 One document, a PowerPoint slide presented at a 2011 meeting of the “Five Eyes”—the spy agencies of the United States, United Kingdom, Canada, Australia, and New Zealand—boasts that the NSA’s “new collection posture” is to “collect it all,” “process it all,” “exploit it all,” “partner it all,” “sniff it all,” and, ultimately, “know it all.”

Other documents show that the NSA collects billions of records on the world’s electronic communications. One graph shows that in a single month in 2013, the NSA’s Global Access Operations unit collected data on more than 97 billion e-mails and 124 billion phone calls from around the world. Other documents discuss X-KEYSCORE, the NSA’s most powerful tool, which apparently permits it to track every keystroke on a computer. In a single month in 2012, it collected over 41 billion records. One is left with the distinct impression that the only thing that ever limited the agency’s desire to “collect it all” so it could “know it all” were technological limitations—and that those limitations are being erased every single day. The NSA’s omnivorous appetite for data has given “dragnet surveillance” a new meaning.

Most of these programs are directed at foreign populations, and Congress is far less motivated to do anything about the NSA’s abuse of the rights of foreign nationals. They are “them,” not “us.” They don’t vote. But they have human rights, too; the right to privacy, recognized in the International Covenant on Civil and Political Rights, which the US has signed and ratified, does not limit its protections to Americans. Snowden’s revelations have justifiably led to protests from many of our closest allies; they don’t want their privacy invaded by the NSA any more than we do, and they have more to complain about than we do, as they have suffered far greater intrusions.

In the Internet era, it is increasingly common that everyone’s communications cross national boundaries. That makes all of us vulnerable, for when the government collects data in bulk from people it believes are foreign nationals, it is almost certain to sweep up lots of communications in which Americans are involved. The initial version of the USA Freedom Act accordingly sought to limit the NSA’s ability to conduct so-called “back door” searches of content collected from foreigners for communications with Americans citizens. But that provision was stripped in committee, leaving the back door wide open.

Defense hawks will argue that even the USA Freedom Act’s modest reforms go too far, and that we may be risking our security by tying the NSA’s hands. But as the Privacy and Civil Liberties Oversight Board found, there is little evidence that the domestic collection of metadata, the principal target of the new bill, has made us safer. More fundamentally, if we want to preserve the liberties that define us as a democratic society, we must learn to live with risk. It is the insistence on preemptively eliminating all terrorist threats—an unattainable goal—that led the NSA to collect so much information so expansively in the first place.

The fact that the USA Freedom Act has achieved such wide-ranging support may be less an indication of its compromises than of a marked shift in American views. In July 2013, following the Snowden revelations, the Pew Research Center reported that for the first time since it started asking the question in 2004, more Americans expressed concern that counterterrorism measures were infringing their civil liberties than worried that the government was not doing enough to keep them safe.

Congress is responsive to such shifts in popular opinion. The question now is whether that new attitude can be translated into real systemic reform, or whether enactment of this significantly compromised bill will placate enough people that the demand for further reform fizzles. If the Senate can strengthen the USA Freedom Act, as Senator Leahy has said he intends to do, it will be a significant achievement for civil liberties. But the biggest mistake any of us could make would be to conclude that this bill solves the problem. n

—May 22, 2014