Told Ya So: NSA's Collection Of Metadata Is Screamingly Illegal

Author(s): 
Publication Type: 
Other Writing
Publication Date: 
January 24, 2014

This post is coauthored by Christopher Sprigman.

We told you so.  This week’s report from the independent Privacy and Civil Liberties Oversight Board, or PCLOB, confirms what we said back in June of last year in our New York Times Op Ed “The Criminal NSA”. The NSA’s telephone record metadata program, in which it collects the calling records of almost everyone inside the United States, is illegal. Amend that: it’s screamingly illegal. Flat out. Not even a close call.  The program is also a serious threat to civil liberties, but first things first – the NSA’s massive program of telephone spying is illegal. 

And it’s not illegal just because it violates the Constitution – although it does (the Fourth Amendment, specifically). The illegality of the NSA’s telephone metadata program is much clearer and even more disturbing than that.  The program is illegal because no law authorizes bulk collection of phone record data. To the contrary, several laws forbid it.  Understanding that the program is illegal doesn’t require fancy lawyer arguments about the frustratingly terse and vague provisions of the U.S. Constitution. It requires only that you read section 215 of the Patriot Act, which is the statute identified by the NSA as providing congressional authorization for its programs. We read it. It is surprisingly clear. And it does not authorize the NSA to do what it’s doing.

Specifically, section 215 allows the F.B.I. to obtain court orders demanding that a person or company produce “tangible things,” upon showing reasonable grounds that the things sought are “relevant” to an authorized foreign intelligence investigation. This statute allows the NSA to collect only information it can plausibly argue is “relevant” to a particular investigation.

The pen register statutes which authorize court orders for the collection of telephone and Internet dialing, signaling, routing and addressing information, and the controversial national security letter (NSL) powers, which allow the FBI to demand certain information without even court review, also hinge on “relevance”.  Were we really expected to believe that all these provisions allow the government to collect in bulk the telephone records—as well as Internet records, credit card records and more—of everyone in America?

Obviously, no. Any individual’s telephone records –your records, our records, your grandmother’s records (unless your grandmother is secretly a member of Al Qaeda)—are virtually certain to be not relevant to any particular foreign intelligence investigation. Only a few people’s phone records will ever be relevant, at least if the word “relevant” has any meaning.

And of course the word does have meaning. For hundreds of years, even before America was founded, the common law has understood the concept of “relevance” to require some articulable factual connection between a particular piece of evidence and some wrongdoing. It does not license intelligence agencies to vacuum up information about every person in America, whether or not that person has any suspected connection to an investigation. And yet that is precisely what the NSA has done.

Given how obvious it is, surprisingly few people came forward to say that the NSA telephone spying program lacked any statutory authorization and was therefore illegal. In June, both we and the Center for Democracy and Technology (in separate analyses) were first to say that bulk collection is obviously unsupportable on a relevance standard. And Georgetown Law Professor Laura Donohue made the “first full-throated (and dazzlingly comprehensive) argument” against bulk collection in her October congressional testimony and subsequent law review paper.

But in the days immediately following the disclosure of this practice, Dennis C. Blair, who served as President Obama’s first director of national intelligence, said that the Obama Administration did not debate whether to continue the NSA telephone and Internet surveillance programs that began under President Bush because, “everything was put under a legal basis. That looked pretty good to us, so we continued it.” Within the tightly-knit national security law and policy community, it must be considered impolitic to accuse any Administration of lawbreaking on a large scale. This kind of truth-telling can get you accused of “imbalance,” as well as interfere with future employment prospects.

President Obama’s NSA review panel recently issued a report that made clear that many aspects of the NSA’s phone records collection are bad policy, but did not address the key question of whether the program was legal.

The federal judiciary displayed similar reluctance. District of Columbia Judge Richard Leon held in Klayman v. Obama that the phone records program violates the Fourth Amendment.  But for procedural reasons, Judge Leon did not rule on what, in our view, is the first question – whether the program was authorized at all.  The NSA can’t just spy on American citizens willy-nilly. We do have some rights. To spy legally, NSA requires authorization by Congress. And as we pointed out in the Times back in June, there was none.

But now the PCLOB – a blue-ribbon panel stocked with people appointed by Obama himself– has said what we said.  Specifically, the Board found that section 215 does not provide an adequate legal basis to support the program for four reasons:

First, the telephone records acquired under the program have no connection to any specific FBI investigation at the time of their collection. Second, because the records are collected in bulk — potentially encompassing all telephone calling records across the nation — they cannot be regarded as “relevant” to any FBI investigation as required by the statute without redefining the word relevant in a manner that is circular, unlimited in scope, and out of step with the case law from analogous legal contexts involving the production of records. Third, the program operates by putting telephone companies under an obligation to furnish new calling records on a daily basis as they are generated (instead of turning over records already in their possession) — an approach lacking foundation in the statute and one that is inconsistent with FISA as a whole. Fourth, the statute permits only the FBI to obtain items for use in its investigations; it does not authorize the NSA to collect anything. (Emphasis added).

Again, this is not a close call. Anyone who looks at the matter dispassionately, and not clouded either by fear or ideology, must agree – bulk collection is not authorized by the Patriot Act, or any of the other relevance-based statutes.

This is all very bad, but we’re not done. For not only does the NSA telephone spying program fail to comply with section 215 of the Patriot Act, the PCLOB says it also violates the Electronic Communications Privacy Act, or ECPA.

Sections 2702 and 2703 of ECPA prohibit telephone companies from sharing customer records with the government except in response to specific enumerated circumstances, which do not include section 215 orders.  In late 2008, a judge of the FISA Court – a secret court comprised of judges hand-picked by Supreme Court Chief Justice John Roberts to consider government surveillance requests, which has compiled a stunningly consistent record of approving virtually every request for surveillance authority that the government submits to it — considered for the first time whether its own previous 215 orders were consistent with ECPA. In finding they were, the judge acknowledged that the terms of section 215 and ECPA were in tension but reasoned that because ECPA’s prohibition on disclosures specifically includes an exception for “national security letters” issued pursuant to 18 U.S.C. § 2709, it must also imply an exception for section 215 orders.

This reasoning is obviously suspect – not least because it was approving, retrospectively, orders that the FISA Court had already (and perhaps illegally) granted. Yet the argument was recently adopted by Southern District of New York Judge William H. Pauley’s opinion dismissing an ACLU lawsuit challenging the NSA’s phone records dragnet.

The PCLOB disagrees.  While “the matter is not free from doubt, we believe that these decisions are wrong. ‘[I]t is a commonplace of statutory construction that the specific governs the general,’ the Supreme Court has said.” If Congress said telephone companies can share customer data in specific circumstances, but not in response to Section 215 orders, that’s what the law is.  That conclusion seems, to us if not to Judge Pauley, crystal clear.

So the NSA’s telephone metadata spying program exceeds the agency’s authority under the Patriot Act, and violates ECPA in the process. But we’re still not done – it gets worse yet. For there are good reasons to believe the NSA’s phone records collection is not just illegal, but criminal.

Telephone and Internet metadata are protected by law under the aforementioned “pen register” statute.  That statute says that “no person may install or use a pen register or a trap and trace device without first obtaining a court order under section 3123 of this title or under the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1801 et seq.).” Pen registers and trap and trace devices collect dialing, routing, signaling or addressing information. Violation of the statute is a criminal misdemeanor.

Without a court order based on a showing of relevance, the government cannot compel phone companies to collect this information for it, unless the phone company is using the same process to collect that same data for billing, cost accounting, or similar purposes in the ordinary course of its business. Yet, the section 215 orders deputize Verizon and other telephone companies to collect protected data on a prospective rolling basis on the government’s behalf without a valid pen register order. The information includes “comprehensive communications routing information including but not limited to session identifying information (e.g. originating and terminating telephone number, International Mobile Subscriber Identity (IMSI) number, International Mobile station Equipment Identity (IMEI) number, etc.), trunk identifier, telephone calling card numbers, and time and duration of call.”

Is this information collected in the ordinary course of business, and thus exempt from the pen register statute protections? Well, we have never seen IMSI, IMEI, trunk identifiers or other such information on our phone bills.  We suspect that the phone companies have put in place a process adopted specifically to collect the information that the government demands via its section 215 orders and transmit that information to the government according to technological specifications that the government establishes.  We have seen just this sort of cooperative relationship in another of the NSA’s mass surveillance programs – PRISM – which collects the content of emails, text messages, IMs, and other Internet communications. The government works with telephone and Internet companies to get access to the data it wants in a specific, interoperable format. And this is the problem: If the process for collecting data in response to section 215 orders is in any way different from the process for regular billing, without meeting the statutory requirements for installation of a pen register device, it is a crime.

One very important question remains: If it’s so obvious that collecting all phone records on everyone violates the law, then why has it taken so long for people to understand that fact?  The explanation is simple, and depressing.  As Upton Sinclair said, “It is difficult to get a man to understand something, when his salary depends on his not understanding it.” Still, people now are waking up to what the NSA bulk collection programs obviously are—giant, lawless, and perhaps even criminal, enterprises. Given how clearly illegal these programs are, it is stunning that people charged with upholding the American rule of law, including the FISA court judges, Dennis Blair, NSA Director Kieth Alexander, Director of National Intelligence James Clapper, other top NSA and intelligence officials, and President Obama, chose instead to debauch it.