While details on the president’s proposal to end NSA bulk collection of telephony records remain sparse, we do now have an actual piece of legislation to look at from the House Permanent Select Committee on Intelligence—one that tracks the broad outlines of the White House plan even as it differs in several critical details. I’ve already done a quick take in broad brushstrokes over at The Daily Beast; here I want to get into the weeds a bit.
The HPSCI bill actually covers quite a bit more than just NSA bulk collection—there are a few transparency measures and a provision for the FISA Court to appoint amici curiae, which mostly seems like an attempt to preempt legislation creating a more robust FISC “advocate”—but in this post I want to focus on the meat: The prohibition (or so it seems) on bulk collection, and the new authority in §503 designed to replace the current bulk telephony program.
(A) The Bulk Prohibition
The first thing to note is that the (apparent) prohibition on bulk collection is structured somewhat oddly, even taking into account the framers apparent desire to limit that prohibition to certain subcategories of records. The USA Freedom Act, for instance, does this by means of a fairly straightforward modification: It limits the scope of §215 (as well as FISA pen/trap orders and National Security letters) to records that are both relevant to an investigation and pertain to a suspected foreign agent or their direct contacts, using language the Senate had unanimously approved back in 2005. The HPSCI bill is rather bit more convoluted.
First, Section 2 of the bill completely excludes “call detail records” from the scope of §215—and only from §215. The bill defines “call detail records” as “communications routing information,” which sounds awfully general, but both the description as “call detail records” and the series of enumerated telephony-specific data types that follow strongly suggest it’s really limited to telephonic communications routing information. There’s some wiggle room here since the general term precedes the more specific enumeration, but especially in light of the subsequent separate prohibition on acquisition of “electronic communications” records, defined to exclude telephonic communications, I’d be surprised if the FISC didn’t read this narrowly. Though the “including” that precedes the enumerated data types indicates that it’s not exhaustive, the omission of location-associated terms like “cell site and sector” is conspicuous. HPSCI staff are apparently assuring reporters that location data is implicitly included, but we do know that law enforcement routinely obtain bulk location data in the form of “tower dumps,” or records of all the phones registered with a specific cell tower at a particular time. Since phones routinely do this even when they’re not placing a call—which is to say, when no particular “communication” is being “routed”—it’s at least an open question whether this provision forbids bulk collection of tower location data.