An appeal court has ruled that the National Security Agency (NSA) acted without proper government authorization when collecting data about millions of American phone calls, a surveillance program originally revealed by whistleblower Ed Snowden. The Court of Appeals for the Second Circuit reached its decision yesterday, after reviewing a lawsuit that was brought by the American Civil Liberties Union (ACLU) and defeated in a lower court during December 2013. The ACLU argued that the NSA’s phone surveillance violated the constitutional right to privacy. In a 97-page decision, Circuit Judge Gerard Lynch wrote that Congress had not authorized the NSA program in the way required by the section of the Patriot Act that governs how investigators gather counter-terrorist intelligence.
The decision begins with a straightforward statement of the issue.
This appeal concerns the legality of the bulk telephone metadata collection program (the “telephone metadata program”), under which the National Security Agency (“NSA”) collects in bulk “on an ongoing daily basis” the metadata associated with telephone calls made by and to Americans, and aggregates those metadata into a repository or data bank that can later be queried.
It then summarizes the judges’ finding.
Because we find that the program exceeds the scope of what Congress has authorized, we vacate the decision below dismissing the complaint without reaching appellants’ constitutional arguments.
In other words, the judges reverse the previous court’s decision without considering whether the constitution had been violated. They can do this because the surveillance program had not been authorized in the way required by the relevant statute, so there was no need to refer to the constitution.
For those of you interested in the detailed decision, it begins by putting this case into historical context.
In the early 1970s, in a climate not altogether unlike today’s, the intelligence‐gathering and surveillance activities of the NSA, the FBI, and the CIA came under public scrutiny. The Supreme Court struck down certain warrantless surveillance procedures that the government had argued were lawful as an exercise of the President’s power to protect national security, remarking on “the inherent vagueness of the domestic security concept [and] the necessarily broad and continuing nature of intelligence gathering.”
In response… the Senate established the Select Committee to Study Governmental Operations with Respect to Intelligence Activities (the “Church Committee”) to investigate whether the intelligence agencies had engaged in unlawful behavior and whether legislation was necessary to govern their activities.
The findings of the Church Committee… prompted Congress in 1978 to enact comprehensive legislation aimed at curtailing abuses and delineating the procedures to be employed in conducting surveillance in foreign intelligence investigations… the Foreign Intelligence Surveillance Act of 1978 (“FISA”).
We are faced today with a controversy similar to that which led to the Keith decision and the enactment of FISA. We must confront the question whether a surveillance program that the government has put in place to protect national security is lawful. That program involves the bulk collection by the government of telephone metadata created by telephone companies in the normal course of their business but now explicitly required by the government to be turned over in bulk on an ongoing basis.
Supporters of the intelligence community often emphasize that the bulk collection of call records is different to listening to private conversations. This is sometimes a smokescreen. Whilst listening to a conversation is obviously an invasion of privacy, that does not mean that the collection of call data poses no threat to the private individual. Thankfully, the judges were clear about the risks.
That telephone metadata do not directly reveal the content of telephone calls, however, does not vitiate the privacy concerns arising out of the government’s bulk collection of such data. Appellants and amici take pains to emphasize the startling amount of detailed information metadata can reveal… “information that could traditionally only be obtained by examining the contents of communications” and that is therefore “often a proxy for content.” For example, a call to a single‐purpose telephone number such as a “hotline” might reveal that an individual is: a victim of domestic violence or rape; a veteran; suffering from an addiction of one type or another; contemplating suicide; or reporting a crime. Metadata can reveal civil, political, or religious affiliations; they can also reveal an individual’s social status, or whether and when he or she is involved in intimate relationships.
The judges were also clear that governments and intelligence agencies cannot merely claim they seek the same information they have always sought. Technology allows information to be processed in ways that were not previously possible, changing the parameters for privacy.
…the structured format of telephone and other technology‐related metadata, and the vast new technological capacity for large‐scale and automated review and analysis, distinguish the type of metadata at issue here from more traditional forms. The more metadata the government collects and analyzes, furthermore, the greater the capacity for such metadata to reveal ever more private and previously unascertainable information about individuals. Finally, as appellants and amici point out, in today’s technologically based world, it is virtually impossible for an ordinary citizen to avoid creating metadata about himself on a regular basis simply by conducting his ordinary affairs.
The judges also recognize how they, and we, came to learn about the NSA’s bulk collection of CDRs. I am proud to say that Commsrisk has been covering this story from the very beginning.
Americans first learned about the telephone metadata program that appellants now challenge on June 5, 2013, when the British newspaper The Guardian published a FISC order leaked by former government contractor Edward Snowden. The order directed Verizon Business Network Services, Inc. (“Verizon”), a telephone company, to produce to the NSA “on an ongoing daily basis . . . all call detail records or ‘telephony metadata’ created by Verizon for communications (i) between the United States and abroad; or (ii) wholly within the United States, including local telephone calls.”
The order thus requires Verizon to produce call detail records, every day, on all telephone calls made through its systems or using its services where one or both ends of the call are located in the United States.
The decision reiterates the full scale of surveillance.
After the order was published, the government acknowledged that it was part of a broader program of bulk collection of telephone metadata from other telecommunications providers carried out pursuant to § 215. It is now undisputed that the government has been collecting telephone metadata information in bulk under § 215 since at least May 2006, when the FISC first authorized it to do so in a “Primary Order” describing the “tangible things” to be produced as “all call‐detail records or ‘telephony metadata’ created by [redacted] . . . , includ[ing] comprehensive communications routing information, including but not limited to session identifying information (e.g., originating and terminating telephone number[s], communications device identifier[s], etc.), trunk identifier, and time and duration of call.”
The judges soon found fault with the way the government justified spying.
The government disputes appellants’ characterization of the program as collecting “virtually all telephony metadata” associated with calls made or received in the United States, but declines to elaborate on the scope of the program or specify how the program falls short of that description. It is unclear, however, in what way appellants’ characterization of the program can be faulted. On its face, the Verizon order requires the production of “all call detail records or ‘telephony metadata’” relating to Verizon communications within the United States or between the United States and abroad.
The government does not suggest that Verizon is the only telephone service provider subject to such an order; indeed, it does not seriously dispute appellants’ contention that all significant service providers in the United States are subject to similar orders.
In a lengthy discussion in which the judges review whether the ACLU has the standing necessary to bring its lawsuit, they address a topic recently glossed over by the Intelligence and Security Committee of the British Parliament: whether having personal data reviewed by a machine, as opposed to a human, might still be an infringement of privacy.
…the government admits that, when it queries its database, its computers search all of the material stored in the database in order to identify records that match the search term. In doing so, it necessarily searches appellants’ records electronically, even if such a search does not return appellants’ records for close review by a human agent. There is no question that an equivalent manual review of the records, in search of connections to a suspect person or telephone, would confer standing even on the government’s analysis. That the search is conducted by a machine might lessen the intrusion, but does not deprive appellants of standing to object to the collection and review of their data.
The government argued that the ACLU was not entitled to bring their lawsuit because the Patriot Act bars the relevant surveillance orders from being “reviewable in federal court upon suit by an individual whose metadata are collected”. However, the judges disagreed. Paradoxically, any individual affected can bring a lawsuit, because Ed Snowden’s whistleblowing means far more people know about surveillance than was anticipated by the writers of the Patriot Act.
The government has pointed to no affirmative evidence, whether “clear and convincing” or “fairly discernible,” that suggests that Congress intended to preclude judicial review. Indeed, the government’s argument from secrecy suggests that Congress did not contemplate a situation in which targets of § 215 orders would become aware of those orders on anything resembling the scale that they now have. That revelation, of course, came to pass only because of an unprecedented leak of classified information. That Congress may not have anticipated that individuals like appellants, whose communications were targeted by § 215 orders, would become aware of the orders, and thus be in a position to seek judicial review, is not evidence that Congress affirmatively decided to revoke the right to judicial review otherwise provided by the APA in the event the orders were publicly revealed.
The judges then consider the correct order for reviewing the ACLU’s multiple complaints.
Although appellants vigorously argue that the telephone metadata program violates their rights under the Fourth Amendment to the Constitution, and therefore cannot be authorized by either the Executive or the Legislative Branch of government, or by both acting together, their initial argument is that the program simply has not been authorized by the legislation on which the government relies for the issuance of the orders to service providers to collect and turn over the metadata at issue. We naturally turn first to that argument.
The judges then identified the key requirement for authorizing the collection of call records.
The basic requirements for metadata collection under § 215, then, are simply that the records be relevant to an authorized investigation (other than a threat assessment).
After this, they make their most important observation.
…the parties have not undertaken to debate whether the records required by the orders in question are relevant to any particular inquiry. The records demanded are all‐encompassing; the government does not even suggest that all of the records sought, or even necessarily any of them, are relevant to any specific defined inquiry. Rather, the parties ask the Court to decide whether § 215 authorizes the “creation of a historical repository of information that bulk aggregation of the metadata allows,” because bulk collection to create such a repository is “necessary to the application of certain analytic techniques,”…
Thus, the government takes the position that the metadata collected – a vast amount of which does not contain directly “relevant” information, as the government concedes – are nevertheless “relevant” because they may allow the NSA, at some unknown time in the future, utilizing its ability to sift through the trove of irrelevant data it has collected up to that point, to identify information that is relevant. We agree with appellants that such an expansive concept of “relevance” is unprecedented and unwarranted.
In short, the government was trying to hoodwink everybody when claiming it needed to collect this information for the same reasons that information is collected for ordinary law enforcement.
The sheer volume of information sought is staggering; while search warrants and subpoenas for business records may encompass large volumes of paper documents or electronic data, the most expansive of such evidentiary demands are dwarfed by the volume of records obtained pursuant to the orders in question here.
Moreover, the distinction is not merely one of quantity – however vast the quantitative difference – but also of quality. Search warrants and document subpoenas typically seek the records of a particular individual or corporation under investigation, and cover particular time periods when the events under investigation occurred. The orders at issue here contain no such limits. The metadata concerning every telephone call made or received in the United States using the services of the recipient service provider are demanded, for an indefinite period extending into the future. The records demanded are not those of suspects under investigation, or of people or businesses that have contact with such subjects, or of people or businesses that have contact with others who are in contact with the subjects – they extend to every record that exists, and indeed to records that do not yet exist, as they impose a continuing obligation on the recipient of the subpoena to provide such records on an ongoing basis as they are created. The government can point to no grand jury subpoena that is remotely comparable to the real‐time data collection undertaken under this program.
Furthermore, the judges fault the government for conflating the idea of a specific investigation with the desire to investigate everything, just in case it proves useful to do so.
… § 215 does not permit an investigative demand for any information relevant to fighting the war on terror, or anything relevant to whatever the government might want to know. It permits demands for documents “relevant to an authorized investigation.” The government has not attempted to identify to what particular “authorized investigation” the bulk metadata of virtually all Americans’ phone calls are relevant. Throughout its briefing, the government refers to the records collected under the telephone metadata program as relevant to “counterterrorism investigations,” without identifying any specific investigations to which such bulk collection is relevant.
Put another way, the government effectively argues that there is only one enormous “anti‐terrorism” investigation, and that any records that might ever be of use in developing any aspect of that investigation are relevant to the overall counterterrorism effort.
Really putting the boot in, the judges find that the US government’s argument is not just inconsistent with law – it is inconsistent with the dictionary!
Indeed, the government’s information‐gathering under the telephone metadata program is inconsistent with the very concept of an “investigation.” To “investigate” something, according to the Oxford English Dictionary, is “[t]o search or inquire into; to examine (a matter) systematically or in detail; to make an inquiry or examination into.” Section 215’s language thus contemplates the specificity of a particular investigation – not the general counterterrorism intelligence efforts of the United States government. But the records in question here are not sought, at least in the first instance, because the government plans to examine them in connection with a “systematic examination” of anything at all; the records are simply stored and kept in reserve until such time as some particular investigation, in the sense in which that word is traditionally used in connection with legislative, administrative, or criminal inquiries, is undertaken. Only at that point are any of the stored records examined. The records sought are not even asserted to be relevant to any on‐going “systematic examination” of any particular suspect, incident, or group; they are relevant, in the government’s view, because there might at some future point be a need or desire to search them in connection with a hypothetical future inquiry.
The judges continue to bash the government, pointing out that some seemingly important words in the Patriot Act would make no sense if the judges accepted the government’s interpretation of other words.
The government’s approach also reads out of the statute another important textual limitation on its power under § 215. Section 215 permits an order to produce records to issue when the government shows that the records are “relevant to an authorized investigation (other than a threat assessment).” The legislative history tells us little or nothing about the meaning of “threat assessment.” The Attorney General’s Guidelines for Domestic FBI Operations, however, tell us somewhat more. The Guidelines divide the category of “investigations and intelligence gathering” into three subclasses: assessments, predicated investigations (both preliminary and full), and enterprise investigations.
In limiting the use of § 215 to “investigations” rather than “threat assessments,” then, Congress clearly meant to prevent § 215 orders from being issued where the FBI, without any particular, defined information that would permit the initiation of even a preliminary investigation, sought to conduct an inquiry in order to identify a potential threat in advance. The telephone metadata program, however, and the orders sought in furtherance of it, are even more remote from a concrete investigation than the threat assessments that – however important they undoubtedly are in maintaining an alertness to possible threats to national security – Congress found not to warrant the use of § 215 orders. After all, when conducting a threat assessment, FBI agents must have both a reason to conduct the inquiry and an articulable connection between the particular inquiry being made and the information being sought. The telephone metadata program, by contrast, seeks to compile data in advance of the need to conduct any inquiry (or even to examine the data), and is based on no evidence of any current connection between the data being sought and any existing inquiry.
In a useful footnote, the judges again emphasize how increasing technological possibilities mean the government cannot argue they simply wish to follow precedents that were applied to older methods of enforcing the law.
The government also argues that, aside from their relevance to the subject matter of counterterrorism, the telephone metadata records are relevant to authorized investigations in that they are necessary for the government to apply certain investigative techniques – here, searching based on “selectors” through the government’s metadata repository. That argument proves too much. If information can be deemed relevant solely because of its necessity to a particular process that the government has chosen to employ, regardless of its subject matter, then so long as “the government develops an effective means of searching through everything in order to find something, … everything becomes relevant to its investigations” – and the government’s “technological capacity to ingest information and sift through it efficiently” would be the only limit to what is relevant.
The judges ruminate on the significance of their decision – and the significance of what the NSA did without seeking the consent of the American public.
Such expansive development of government repositories of formerly private records would be an unprecedented contraction of the privacy expectations of all Americans. Perhaps such a contraction is required by national security needs in the face of the dangers of contemporary domestic and international terrorism. But we would expect such a momentous decision to be preceded by substantial debate, and expressed in unmistakable language. There is no evidence of such a debate in the legislative history of § 215…
By this point, the judges have already decided that the NSA’s CDR gathering program was not authorized. They then briefly commented on the constitutional arguments.
Appellants’ argument invokes one of the most difficult issues in Fourth Amendment jurisprudence: the extent to which modern technology alters our traditional expectations of privacy. On the one hand, the very notion of an individual’s expectation of privacy, considered in Katz a key component of the rights protected by the Fourth Amendment, may seem quaint in a world in which technology makes it possible for individuals and businesses (to say nothing of the government) to observe acts of individuals once regarded as protected from public view. On the other hand, rules that permit the government to obtain records and other information that consumers have shared with businesses without a warrant seem much more threatening as the extent of such information grows.
…the bulk collection of data as to essentially the entire population of the United States, something inconceivable before the advent of high‐speed computers, permits the development of a government database with a potential for invasions of privacy unimaginable in the past. Thus, appellants argue, the program cannot simply be sustained on the reasoning that permits the government to obtain, for a limited period of time as applied to persons suspected of wrongdoing, a simple record of the phone numbers contained in their service providers’ billing records.
Because we conclude that the challenged program was not authorized by the statute on which the government bases its claim of legal authority, we need not and do not reach these weighty constitutional issues. The seriousness of the constitutional concerns, however, has some bearing on what we hold today, and on the consequences of that holding.
…The constitutional issues, however, are sufficiently daunting to remind us of the primary role that should be played by our elected representatives in deciding, explicitly and after full debate, whether such programs are appropriate and necessary. Ideally, such issues should be resolved by the courts only after such debate, with due respect for any conclusions reached by the coordinate branches of government.
The judges’ final conclusion is brief, and worth reading in full.
This case serves as an example of the increasing complexity of balancing the paramount interest in protecting the security of our nation – a job in which, as the President has stated, “actions are second‐guessed, success is unreported, and failure can be catastrophic,” – with the privacy interests of its citizens in a world where surveillance capabilities are vast and where it is difficult if not impossible to avoid exposing a wealth of information about oneself to those surveillance mechanisms. Reconciling the clash of these values requires productive contribution from all three branches of government, each of which is uniquely suited to the task in its own way.
For the foregoing reasons, we conclude that the district court erred in ruling that § 215 authorizes the telephone metadata collection program, and instead hold that the telephone metadata program exceeds the scope of what Congress has authorized and therefore violates § 215.
The US government, and the NSA, took one hell of a beating in that legal decision. Whilst some politicians prefer to stick their heads in the sand, and imply there has been no change to the government’s legal powers, the truth is that changes in technology also change the real balance of power, and hence the correct legal interpretation of the government’s actions.
This particular legal fight is not over. The lawsuit has been sent back to the lower court, which is now expected to decide what harm has been done to the plaintiff. However, the USA may have a new government, and new laws, before this lawsuit reaches its end.
For the moment, the ACLU and the privacy campaigners have won, arguing that the government overreached when pretending the mass collection of CDR data does not infringe the individual’s right to privacy. Whilst the judges noted that telcos want to stand clear of such conflicts – not least because they do not want to antagonize governments – the wider ethical and business implications are clear. CDR data is not something to be bought and sold, searched through and collated on a whim – or even when there is a genuine and serious desire to protect the public – without regard for the danger of an unacceptable intrusion into private life. Safety is not a single goal but multiform; we want safety from terrorists and from overbearing government. However, this court did a good job of balancing the safety issues created by vast amounts of data and the increasing power to process it.