June 14, 2013 12:09PM

How Much Bulk Records Snooping Bypasses Judges?

The revelation that the National Security Agency has been indiscriminately collecting Americans’ phone records using sweeping bulk orders issued by a secret court has sparked enormous controversy. Yet we know that at least in the first few years after 9/11, something very similar occurred without any judicial process at all, as first reported by USA Today in 2006. Though that story was dwarfed at the time by the controversy over the Bush administration’s warrantless wiretap program, it was actually the call records program that provoked a dramatic showdown between the White House and Justice Department, nearly triggering a mass resignation when the president threatened to reauthorize it over the objections of the acting attorney general that it was unlawful.

The controversy reemerged earlier this month when the Guardian published a leaked court order to Verizon’s business-focused subsidiary to produce “all call detail records,” including all “routing information,” and specifically requesting communications "wholly within the United States, including local telephone calls." The order made it clear that the program continued, and was not merely large-scale but sought literally all domestic records. Moreover, it raised concerns about the Foreign Intelligence Surveillance Court’s interpretation of §215 more generally. The court had apparently determined that an authority to demand “any tangible thing” from nearly any person or entity could be exercised in a completely non-particularized way: Give us everything, we may eventually decide some of it is “relevant.” But it’s still not wholly clear when and why the FISC got involved in the metadata program—and how much of it may still bypass judicial supervision.

It’s clear from the original USA Today story that the metadata program in its original incarnation “didn't need a court order—or approval under FISA—to proceed.” It’s also relatively clear that something changed around 2006. Statements from the program’s defenders in Congress indicate that the current version of the program, involving orders reissued at three-month intervals, has been operating for seven years. Moreover, you can read between the (heavily redacted) lines of a March 2008 Inspector General report on the use of §215 in 2006 and see intimations that “unlike in previous years,” the authority was being used in some programmatic way that would not be included in the IG’s discussion or metrics.

Yet the numbers reported annually for §215 orders, as Amie Stepanovich of the Electronic Privacy Information Center reminded me, are hard to square with a major shift to reliance on the authority for metadata at that time. Only a handful of §215 orders were issued in the subsequent years: six in 2007, 13 in 2008, and 21 in 2009. Even if those metrics only count the “primary order” authorizing acquisition from multiple providers, and not the “secondary orders” issued to each provider, that seems low. You’d still need at least four each year for each type of bulk order, and the Wall Street Journal has reported that the program reaches far beyond telephone data to encompass “records from Internet-service providers and purchase information.”

Instead, we see two enormous jumps in orders starting in 2010. That year, there were 96 orders, of which a surprising 43 were modified. That seemed odd to observers because §215 authority is so broad, requiring only “relevance” to an investigation, that the court would rarely have occasion to intervene—unless what was being demanded was so mindbogglingly expansive that it strained even that flaccid standard. We then see another big jump in 2011, to 205 orders (176 modified), which levels off in 2012 at 212 orders (200 modified). What was going on there? If the NSA bulk metadata program moved over to reliance on §215 in 2006, why is there no sign of anything like it in the numbers until four years later?

A story by Michael Isikoff of NBC News finds the likely answer in a little-noticed set of answers to Congress from FBI Director Robert Mueller:

“Beginning in late 2009, certain electronic communications service providers no longer honored NSLs to obtain” records because of what their lawyers cited as “an ambiguity” in the law. (What Mueller didn’t say was this came at a time when all the major telecommunications companies were still facing lawsuits over their cooperation with the government on surveillance programs.) As a result, Mueller said, the FBI had switched over to demanding the same data under Section 215. “This change accounts for a significant increase in the volume of business records requests,” Mueller wrote.

And what ambiguity in the law would that be? This is almost certainly a reference to the DOJ Office of Legal Counsel's November 2008 opinion concluding that the FBI had seriously misinterpreted the scope of its authority under the National Security Letter statute permitting access to telecommunications records without court approval. Congress, the OLC pointed out, had not given the FBI a blank check to demand any kind of "transactional records," but only "toll billing records" or whatever their equivalent in the Internet context might be. That opinion was only made public several months later, and while the gap between the ruling and the switch to §215 suggests that the FBI was in no hurry to inform providers that they were turning over too much information, it looks as though attorneys at the companies eventually got wind of the problem and began demanding more robust process. The extraordinarily high rate of modifications suggests that the requests must be quite sweeping: The FISC is required to deem "relevant" for §215 purposes any records pertaining to suspected foreign agents or their activities or anyone known to them (like e-mail correspondents). A modification suggests a request beyond both those broad parameters and the incredibly loose general standard of relevance.

The obvious question these numbers provoke is, was the government previously using National Security Letters as well as §215 orders in connection with its bulk metadata collection program? That would be consistent with what the Inspector General has found to be the usual practice: National Security Letters, which can be issued by high-ranking FBI agents without any court approval, are always the preferred method for getting information, while the more cumbersome process of seeking court approval under §215 is a last resort when the information sought is not covered by NSL authorities. The narrowing of NSL power as companies gradually got wind of the 2008 OLC memo would have prompted a big shift to §215.  And yet, in one sense, not big enough. FBI agents issue tens of thousands of NSLs each year, which makes the displacement of a few hundred to §215 seem rather small for the magnitude of the legal change--unless these are bulk orders. In that case, assuming renewal at three-month intervals, a few hundred orders could cover the major ISPs and online platforms.

If this is what happened, though, there are three extremely disturbing inferences:

First, it would imply that the FBI believed that it could gather records in bulk, not just with court approval, but using a tool that involves no real judicial oversight.

Second, it would suggest that the publicly reported annual numbers for NSL requests affecting U.S. persons may be wildly, vastly understated. Because this metadata collection does not involve names, no "persons" need be named in a bulk request for "all records," and the records themselves would not contain any reference to "persons," even though, of course, tying a number to a name is in most cases trivial—especially if you're the NSA.

Third, if the impetus for the shift was the disclosure of the OLC ruling, what about the other National Security Letter authority that permits "financial records" to be collected from a wide variety of businesses, including credit card companies? As far as we know, no similar opinion has limited the FBI's authority with respect to those records. That means that if the government thinks that NSLs can be used not just for requests tied to specific suspects and investigations, but as a routine tool to make bulk requests, there's every reason to expect government agents would still happily be using financial record NSLs in this way.

This is admittedly speculative, but it strikes me as plausible, and fits the public facts reasonably well. I hope reporters and members of Congress will try to confirm whether something along these lines is accurate, as it would entail an even more jaw-dropping scale of potential data gathering than has already been disclosed.