The two being unveiled this week—bipartisan legislation sponsored by leaders of the House Permanent Select Committee on Intelligence (HPSCI) and a plan supported by President Barack Obama—are quite similar in their broad outlines but differ in a few key details. Neither, however, goes quite so far in limiting the NSA as the USA Freedom Act, sponsored by Senate Judiciary Committee Chair Patrick Leahy (D-VT) and born‐again Patriot Act author Rep. Jim Sensenbrenner (R-WI).
Take a victory lap, Edward Snowden. Last summer, the White House and congressional intelligence committee leadership were unified in their insistence that the National Security Agency’s bulk collection of American telephone records was an essential intelligence resource that had prevented scores of terrorist attacks. As spring dawns—with those claims shredded by two expert panels—the only disagreement is over precisely how to end the controversial NSA program, with three main proposals now vying for legislative support.
Before delving into the differences, though, it’s important to note what these proposals have in common. In a major policy speech in January, President Obama committed to ending the NSA program “as it currently exists,” as his handpicked Surveillance Review Group had urged. But Obama left open the possibility that bulk records collection might continue with some third‐party custodian maintaining the database of phone logs, or that phone companies could be compelled to retain their own records for a longer time to ensure NSA access.
Both ideas would now appear to have been firmly rejected. Phone companies will keep their own records for as long as their own business purposes (or preexisting FCC rules) require, and the government will query the specific records it needs with the approval of the secret Foreign Intelligence Surveillance Court (FISC).
The two new proposals, however, envision the creation of a new authority explicitly designed to duplicate the NSA program’s core capabilities without bulk collection. Phone companies would be required to rapidly and continuously provide records for suspicious numbers and their direct contacts (yielding numbers two “hops” from the initial suspect) in a consistent format, presumably to aid quick cross‐referencing of records between different carriers. Under Obama’s plan, the FISC would approve each request before it is sent to the phone companies. The HPSCI proposal, sponsored by Reps. Mike Rogers (R-MI) and Dutch Ruppersberger (D-MD), would instead have the court pre‐approve general procedures and criteria for designating numbers as suspicious, then review each specific request after the fact to confirm that the government has evidence for its suspicions.
Yet neither proposal truly attacks the underlying legal basis for the program: A secret opinion by the FISC, which held that the authority under Section 215 of the Patriot Act, which empowers the government to demand business records “relevant to an authorized investigation,” could be used to seize entire vast databases, concerning millions of innocent people, in order to sift through them for a tiny fraction of truly “relevant” records. The HPSCI bill at least seems to prohibit such bulk collection of all telecommunications records—along with a few other sensitive categories of data, such as medical, library, or educational files. Press reports suggest that the White House plan applies only to phone logs, leaving open the possibility that the government could revive its strained “relevance” theory to seize other private information—such as credit card bills—in bulk.
One other subtle but important difference is that the HPSCI proposal employs a slightly different standard for obtaining phone records, which it’s not clear whether the White House proposal also adopts. Under Section 215, records must be “relevant” to an “authorized” FBI counterterror or counterespionage investigation—with records of suspected terrorists and their contacts deemed automatically relevant. The current NSA program, of course, allowed collection of all records, and allowed analysis of second‐degree contacts logs as well—but the FISC only allowed NSA to search for numbers linked to a handful of specific terror groups under investigation. Rogers and Ruppersberger’s proposal covers records linked to any suspected “agent of a foreign power”—something also allowed in principle by the underlying 215 authority—but eliminates the required link to an “authorized FBI investigation.” That’s significant because FBI investigations require some specific factual basis, which in theory should have acted as an additional constraint on the authority. One safeguard, for instance, bars the government from obtaining records “for an investigation” of an American based exclusively on First Amendment protected activity—but that becomes harder to police when no link to a specific investigation is required.
The far more sweeping reforms of the USA Freedom Act—which extend well beyond changes to records authorities—instead strike directly at the heart of the government’s overbroad relevance theory. That law requires the government to show a specific link to a suspected terrorist or spy for all information requests under all its myriad authorities—including National Security Letters, issued without judicial approval by FBI agents, which appear to be left untouched by the newer proposals.
It may make sense to provide some novel hybrid authority, of the sort contemplated by the two newest proposals, to enable more streamlined and agile acquisition of records from multiple phone carriers. But Americans should not be satisfied with tepid reforms that fix one controversial program while leaving the underlying legal theory that spawned it intact. Otherwise we’ll gain the illusion of increased privacy, even as the door remains open for the surveillance state to launch yet another bulk collection program—with no Snowden left on the inside to warn us about it.