The revelation that the National Security Agency has been indiscriminately collecting Americans’ phone records using sweeping bulk orders issued by a secret court has sparked enormous controversy. Yet we know that at least in the first few years after 9/11, something very similar occurred without any judicial process at all, as first reported by USA Today in 2006. Though that story was dwarfed at the time by the controversy over the Bush administration’s warrantless wiretap program, it was actually the call records program that provoked a dramatic showdown between the White House and Justice Department, nearly triggering a mass resignation when the president threatened to reauthorize it over the objections of the acting attorney general that it was unlawful.
The controversy reemerged earlier this month when the Guardian published a leaked court order to Verizon’s business-focused subsidiary to produce “all call detail records,” including all “routing information,” and specifically requesting communications “wholly within the United States, including local telephone calls.” The order made it clear that the program continued, and was not merely large-scale but sought literally all domestic records. Moreover, it raised concerns about the Foreign Intelligence Surveillance Court’s interpretation of §215 more generally. The court had apparently determined that an authority to demand “any tangible thing” from nearly any person or entity could be exercised in a completely non-particularized way: Give us everything, we may eventually decide some of it is “relevant.” But it’s still not wholly clear when and why the FISC got involved in the metadata program—and how much of it may still bypass judicial supervision.
It’s clear from the original USA Today story that the metadata program in its original incarnation “didn’t need a court order—or approval under FISA—to proceed.” It’s also relatively clear that something changed around 2006. Statements from the program’s defenders in Congress indicate that the current version of the program, involving orders reissued at three-month intervals, has been operating for seven years. Moreover, you can read between the (heavily redacted) lines of a March 2008 Inspector General report on the use of §215 in 2006 and see intimations that “unlike in previous years,” the authority was being used in some programmatic way that would not be included in the IG’s discussion or metrics.
Yet the numbers reported annually for §215 orders, as Amie Stepanovich of the Electronic Privacy Information Center reminded me, are hard to square with a major shift to reliance on the authority for metadata at that time. Only a handful of §215 orders were issued in the subsequent years: six in 2007, 13 in 2008, and 21 in 2009. Even if those metrics only count the “primary order” authorizing acquisition from multiple providers, and not the “secondary orders” issued to each provider, that seems low. You’d still need at least four each year for each type of bulk order, and the Wall Street Journal has reported that the program reaches far beyond telephone data to encompass “records from Internet-service providers and purchase information.”
Instead, we see two enormous jumps in orders starting in 2010. That year, there were 96 orders, of which a surprising 43 were modified. That seemed odd to observers because §215 authority is so broad, requiring only “relevance” to an investigation, that the court would rarely have occasion to intervene—unless what was being demanded was so mindbogglingly expansive that it strained even that flaccid standard. We then see another big jump in 2011, to 205 orders (176 modified), which levels off in 2012 at 212 orders (200 modified). What was going on there? If the NSA bulk metadata program moved over to reliance on §215 in 2006, why is there no sign of anything like it in the numbers until four years later?