July 24, 2013 3:14PM

The Talking Points for NSA’s Dragnet Don’t Hold Up

A bipartisan group of legislators in the House—spearheaded by Rep. Justin Amash (R-Mich) and John Conyers (D-Mich)—is bucking both the Obama administration and Republican party leadership to push an appropriations measure defunding the National Security Agency's dragnet phone records programs. The measure would forbid the government from using any resources to execute a Patriot Act §215 "business records" order unless it is limited to the specific targets of specific investigations—effectively barring use of that authority to vacuum up the phone records of millions of innocent Americans. Predictably, the intelligence community and its proxies in Congress are pushing back ferociously, circulating an "Open Letter of Support" for the dragnet program from former intelligence officials. It's worth surveying their main talking points to see just why they aren't persuasive. Note that they begin, as many defenders of the phone dragnet do, by lumping it together with the very different PRISM program, which involves monitoring of international e-mail and Internet traffic:

We are convinced that both programs are vitally important to our national security. The Director of the NSA, Gen. Keith Alexander, has publicly attested that these programs have been instrumental in helping to prevent attacks on the United States and its allies, including the plot to bomb the New York City subway.

The bundling here is important. Alexander did, at a June 18 hearing, assert that PRISM had been "critical" in disrupting a number of "terror events," mostly overseas.  But when pressed specifically by Rep. Jim Himes (D-Conn.) on whether the §215 call records program had been "essential" in any cases, Alexander conspicuously dodged the question. He would not identify even a single case in which the bulk phone records collection had been "essential," or even claim that there was such a case that he couldn't discuss specifically. 

As for the plot to bomb New York's subway system, the Atlantic convincingly marshals evidence from the public record showing that the key initial leads in that case did not come from either PRISM or the §215 program. And with those leads, traditional intelligence authorities would have allowed the investigation to proceed more or less as it did. In particular, there is no indication whatever that the use of phone records to identify associates of plotter Najibullah Zazi required a massive database of all Americans' calls: Ordinary police, after all, do similar detective work all the time, but with targeted orders based on particularized suspicion.

The crucial general point to understand about these claims for the efficacy of these programs is that if you have unlimited authority, then that will be what you end up using even if more limited authority would have sufficed. If we had never passed the Fourth Amendment, and the government could get "general warrants," allowing police to search any home at will, they would never bother getting specific warrants based on probable cause. Then, every time police solved a crime through a search, they could accurately say "You see, we used a general warrant!"  But that would be no argument for general warrants. The question to ask is: "Why couldn't you have done it with a specific warrant instead?"  We haven't heard, at least publicly, any very good answers to that question when it comes to the NSA call dragnet.

Both programs are based on statutes thoroughly debated, enacted by overwhelming majorities, and reauthorized repeatedly by Congress since the attacks of 9/11, and each is supported by court orders periodically approved by the federal judges who sit on the Foreign Intelligence Surveillance Act court.

The claim that these statutes have been "thoroughly debated" is absurd. They have repeatedly been subject to rushed debate in which it was clear that most members of Congress had no idea how the law had been interpreted to grant spying power of extraordinary breadth. Consider a slightly orthogonal example, which I explain in more detail in my paper on the Patriot Act. In 2006, Congress amended §215 to add protections for certain types of sensitive records, such as medical and educational records. What nobody appears to have understood is that the Department of Justice had interpreted existing statutes governing those records to trump §215, which lacks a "notwithstanding any other law" clause. Only after that amendment did DOJ conclude that §215 could be used for such records, since they were now explicitly referenced. Now, one may reasonably think that's an acceptable outcome, but what's important is that nobody who voted on that amendment understood what its effect would be. Majority approval cannot legitimize laws when the people voting don't understand what the laws do.

The telephone metadata program is supported by a business records order under section 215 of the PATRIOT Act. The database includes only the X's and O's of phone calls, not the substance of anyone's communications. These are purely transactional business records that phone companies use for billing purposes, and telephone subscribers do not have a reasonable expectation that this transactional metadata will remain private.

This argument becomes no more convincing through repetition. Metadata is, in fact, incredibly sensitive information—even more so on the Internet, but for phone calls too. The assertion that people "do not have a reasonable expectation of privacy" in business records is a fiction endorsed in a 1979 Supreme Court ruling that has been all but uniformly denounced by Fourth Amendment scholars. As one of its very few academic defenders, Orin Kerr, has put it: "The third-party doctrine is the Fourth Amendment rule scholars love to hate. It is the Lochner of search and seizure law, widely criticized as profoundly misguided." Of course people expect their phone records to be private. Are we to believe people call suicide hotlines, divorce lawyers, and substance abuse counselors expecting that such information would become public? Of course not. It doesn't pass the straight face test. 

Indeed, when they are not trying to excuse warrantless invasions, other government agencies recognize the obvious truth that ordinary people regard this information as sensitive and private, and require companies to take steps to safeguard that information. As a recent statement from the Federal Communications Commission put it, explaining a ruling to that effect:

When mobile carriers use their control of customers’ devices to collect information about customers’ use of the network, including using preinstalled apps ... carriers are required to protect that information. This sensitive information can include phone numbers that a customer has called and received calls from, the durations of calls, and the phone’s location at the beginning and end of each call.

The "third party doctrine" as applied to telecommunications records was wrong when first established, and is positively dangerous in a world of powerful Big Data analytic tools and Internet technology that puts the most intimate facets of our lives in trusted "third party" hands.  Back to the talking points:

The court order circumscribes how and when the database is used. It does not permit random searching through the data to find suspicious patterns. The data can only be accessed when the government has a particular phone number that it reasonably suspects is used by a foreign terrorist organization. Testing the suspicious number against this database is one of the best tools we have to discover new phone numbers that are being used by terrorist agents.

We do not really know how far this is true, since the public has still not seen the "primary" orders used, and I will register a measure of skepticism that the government decided to strain the law and build this massive database to do a handful of targeted queries. But even if they did, once the massive database of records is established, the rules governing its use can be changed at any time by a judge on the secret FISA court. And even under the current rules, the determination of when "reasonable suspicion" exists to query that database is left to executive branch employees, not neutral magistrates. The §215 provision was written to specifically require the Court to make a finding that the records sought were relevant. Instead, they've allowed the NSA to obtain everyone's records, the vast majority of which are obviously not relevant to any particular investigation, and then delegated to NSA staff the determination of which records are relevant. Moreover, we now know that NSA performs "contact chaining," meaning they analyze records up to three "hops" away from a "suspicious" phone number. Thus, information about the private calls of thousands of innocent Americans is drawn into each query. That the numbers pulled up aren't directly associated with names is cold comfort when a Google search—to say nothing of the NSA's vast databases—will often provide that information.

The principal question raised about this program is, “How can such a large collection of data be "relevant" to an authorized counterterrorism investigation, as required by section 215?” In reality, this use of the “relevance” standard is not extraordinary or unprecedented. The same standard supports similar acquisitions of large data collections by other government agencies in regulatory investigations conducted using administrative subpoena authorities―which, unlike section 215, do not typically require court approval.

This claim is truly shameless coming from people with legal training. Mark Eckenwiler—the former DOJ attorney who has been one of the most steadfast defenders of Patriot Act surveillance powers—correctly told the Wall Street Journal that if a prosecutor "served a grand-jury subpoena for such a broad class of records in a criminal investigation, he or she would be laughed out of court." Legislators have repeatedly challenged intelligence officials to cite any specific examples of comparably broad subpoenas, and they have come up blank—because there simply aren't any.  It is true that regulatory agencies sometimes obtain "large data collections" of corporate records under administrative subpoenas when they are investigating the conduct of that corporation to ensure compliance with the law—not to sift through the private activity of ordinary citizens. The situations are comparable only if, absurdly, you count gigabytes but ignore the nature of the data and the purpose of its acquisition.

The talking points close with a predictable assertion that closing down vacuum-cleaner collection of phone data will "leave the Nation at risk." But it is just that: a bald assertion with no basis in any public evidence, predicated on the arrogant assumption that merely uttering the word "risk" will leave us too timid and frightened to ask questions. Every major carrier keeps these records for well over a year, and in many cases much longer. Has there been any case where records that would not have been available from the carrier proved essential to preventing an attack? You would imagine someone would have said so if there were.

It is no surprise that the officials signing this letter believe that the programs they supervised are prudent and crucial. No doubt most employees of every government agency—from EPA to FCC—would say exactly the same thing. In those cases, we understand that the officials in question are well-meaning, but hardly impartial, and we don't take their conclusions about the value of their agency's activity as gospel. We shouldn't do so here either.

Some other critics of the Conyers/Amash amendment do raise somewhat more reasonable points: It is a relatively blunt instrument, and going forward it might be desirable to tweak the rules so that this type of bulk collection remains forbidden, while other potentially legitimate uses of §215 to obtain records that may not directly "pertain to the subject of an investigation" are permitted. That's a conversation that should begin only after it's clear that the indiscriminate mass collection of data about all Americans is off the table.