Schrodinger’s Catnip Revisited – Part I – The Lawful NSA Metadata Program


January 16, 2014

By Mark Rasch 

In 1935, Austrian physicist Edwin Schrodinger posited a thought experiment illustrating the duality of quantum entanglement.  In his thought experiment, illustrating nuclear decay, a cat placed in a box would be simultaneously dead and alive, and the only way to determine the current state of the cat was to open the box. 

The NSA’s metadata collection program is much like Schrodinger’s cat – simultaneously lawful and unlawful, and the only real way for the public to determine its state is to open the box – not just to look at the legal authorities, but also the technical details of how and why the program was implemented. That is unlikely to happen.  And that is unfortunate, because it fosters mistrust in the NSA and other governmental operations.

Right now there are two federal district court opinions, one ruling that the NSA’s telephony metadata collection program is a restrained use of statutorily created, judicially approved and restrained response to an existential national security threat. Then there is the other ruling that the program is an out of control, massive infringement on the civil rights of ordinary citizens, which not only violates their constitutional rights, but has never been proven to be either necessary or effective.

This is a three part series – Part I (here) will discuss why the metadata program is perfectly legal and responsible.  Part II will discuss why the program is an unconstitutional exercise of unrestrained government power.  Part III will discuss how the law has been twisted and manipulated to make the dead cat live – and encourage more dead cats in the future.

The Bulk Collection Program

A brief introduction is necessary.  In a nutshell, after 9/11, the NSA was charged with doing everything “possible” to prevent another attack.  The NSA’s statutory authority was to intercept and analyze communications with a few legal restrains.  First and foremost, it could not “deliberately target” U.S. persons.  Second, to intercept the contents of communications within the United States, they needed a court order from a super-secret court called the FISC.  Third, of course, don’t get caught.  In other words, operate in secret.

Following the events of 9/11, Congress passed Section 215 of the Foreign Intelligence Surveillance Act to permit the NSA, like the FBI or grand jury, not only to intercept communications, but also to get a court order for documents or tangible things – business records, files, etc. A minor change with significant consequences.

The problem, from the NSA’s perspective, was that they would obtain a telephone number from a potential terrorist overseas.  This might be from a “throw away” phone that might be used only once, or only a few times before being discarded.  It might be from a seized computer in an Afghan cave.  

To the NSA (and CIA, and DoD) this was clearly related to foreign intelligence and counterterrorism.  The most important thing for the NSA to find out was whether that suspected terrorist was planning any attacks particularly within the United States.  A smoking gun.  They wanted the ability to quickly and secretly find out the telephone activity associated with the seized or intercepted phone and to be able to do so across all telephone providers, landline, cell, VoIP, and all carriers.  An eminently reasonable thing to do.

If the NSA found that a phone in Afghanistan called a telephone number in Delaware, they could go to the phone carrier in the U.S. and get a court order for production of records to see what that number was, and who the owner of that specific number called.  They could then compile a matrix of associations to determine the relationship between the Delaware person and their conversants and the persons in Afghanistan.  A useful endeavor for counterterrorism in general, and to thwart a potential domestic attack.

But the subpoena itself would alert the U.S. carrier that the NSA was following a particular suspect in Afghanistan and Delaware – perhaps the most secret of secret things.  That information had to be kept secure and classified.  And it takes time for the phone company to collect, compile and turn over the records (how much time is in dispute) and even more time when you have to collect data from multiple providers and coordinate the responses. 

This was too much time for the NSA.  What the NSA (and other intelligence agencies) wanted was the ability to query a relational database of phone calls in “real time” – perhaps from the field itself and get every call made or received from every carrier.  That, plus a sophisticated computer program to do the kind of data analytics on the database to spit out which phone numbers were likely “important” and which were just a call to the deli for baba ganoush. 

Moreover, the NSA needed the ability to obtain and analyze records not just from one phone company, but from all of them.  It’s not like the NSA could issue a subpoena to AT&T for the records related to (202) 867-5309 and find out that that number called (212) 687-7500 on Verizon, and then get those records from Verizon  - at least not in real time.  And that’s what they needed (or thought they needed) data in real time.

The Bulk Data Collection Program is Legal, Narrow and Reasonable

The NSA came up with the “bulk data” collection program.  Armed with the statutory authority of Section 215 to obtain “documents and physical objects,” they would get a court order from the super-secret court every day for a “data dump” from all of the telcos.  All phone carriers would provide the NSA with a record of every single call made or received, the numbers used, the location of the calls (maybe), their duration and sequence, and possibly other data. 

The FCC calls this information “CPNI” or Consumer Proprietary Network Information, and makes it clear that, while these are records created by the phone company, there are strict restrictions on how the phone companies can collect, store and use this data.  However, a court order (by the FISA court) trumps the FCC privacy laws, if the Court order is lawful and constitutional   It has been reported that a few telcos (including Sprint) opposed the bulk data collection orders, but the authority of the NSA to compel production was affirmed by the FISC.

The idea behind the bulk CPNI data collection program was that the NSA would replicate the databases of all telcos, and have a massive, searchable relational database of every call made.  Thus, if they got the phone number in Afghanistan, they could then ping the database (subject to strict restrictions imposed by the FISC) to find out more information about the phone number, who they called, and who the people they called.  Up to “three hops” from the original phone call. 

The Bulk Data Collection Program Was Authorized by Congress

So, to the NSA, the FISC, and at least one federal district court, the program was authorized by Congress which passed section 215 and had at least the opportunity to know about the program and how the FISC was interpreting NSA’s Section 215 authority. 

The NSA briefed at least the intelligence committees about how it was interpreting its Section 215 authority.  Other Members of Congress may have had the opportunity to be in on some of the briefings and know how the NSA was interpreting its statutory authority.  If Congress didn’t like how the NSA and the FISC were interpreting the Section 215 authority, Congress certainly could have (but didn’t) repealed Section 215. 

The fact that Congress did not repeal the authority of the NSA to subpoena documents and tangible objects is clear evidence that, when they passed Section 215 as part of the USA PATRIOT Act it was their intention to create a massive database of every phone call every person makes or receives. 

Thus, Congress clearly intended the NSA to engage in the bulk CPNI collection process.  Moreover, Congress never had any hearings on repealing Section 215.  Although a few Members of Congress had some vague and unsubstantiated gripes about the NSA generally, Congress as a body never took any serious efforts to rein the NSA in, so they must have intended the NSA to do what it did.

The Bulk Data Collection Program Was Authorized by the Courts

The Fourth Amendment provides:

"The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized."

Putting aside momentarily whether telephone records maintained by the phone company are individuals “persons, houses, papers and effects” the Fourth Amendment only prohibits “unreasonable” searches and seizures, and expresses a preference for a warrant.    In the case of the bulk data collection program, there was a warrant – or its functional equivalent – a court order.

The bulk CPNI program had the approval of the FISC itself.  The Court repeatedly affirmed the NSA’s authority to engage in the bulk subpoena and analysis of CPNI, and in fact issued all of the Court orders to the telcos. 

Since the Fourth Amendment prohibits unreasonable searches and seizures without a warrant, the FISC order satisfies the “warrant” requirement of the Fourth Amendment, rendering the bulk CPNI program lawful.  Besides, even if the program is ultimately unlawful, the NSA was, under the law, legally entitled to rely in good faith on the existence of and scope of the FISC Court order.

The Bulk data Collection Program Was Narrow and Targeted

Whether the program was “reasonable” is a function of the purpose of the program (to prevent terrorism), the scope of the program (telephone toll records), and the controls placed on the program. 

The bulk CPNI program was reasonable and Constitutional because it was severely restrained in terms of how the database could be accessed and pinged.  Indeed, the NSA has reported fewer than 300 pings (that is 300 seed numbers) with only a few thousand hits (using the three hops rule) over the life of the program.  Each class of “pings” had to be approved either by a NSA lawyer or a supervisor, and had to be within strict guidelines approved by the Court.

This was no “out of control” data collection.  Each “ping” had to be approved by NSA lawyers, who had strict controls in place to ensure that the ping was part of a terrorism investigation, that it would not target U.S. persons, and that it was likely to reveal information necessary to protect the national security. 

These procedures for pinging, like the bulk data collection program itself, were repeatedly approved by the FISC, and were subject to audit, inspection and review within and outside the NSA.  The data was collected in bulk because it had to be collected that way to be meaningful.  The pinging of the data was a restrained use of authority granted by Congress and the Court.  The NSA has also pointed to dozens of terrorist plots foiled by this and other related programs.

A reasonable response to an existential threat, which is restrained, court approved, statutorily authorized, and narrowly interpreted. 

The Bulk Data Collection Program Did Not Impinge on Any Legitimate Privacy Interests

The documents and records subpoenaed by the NSA infringed on no one’s privacy interests because they are ordinary business records of the phone companies, about which consumers have no “reasonable expectation of privacy.”  They are the phone company’s records, not those of consumers.  Consumers have voluntarily provided this data to a third party (the phone company), and assumed the risk that the phone company will turn this over to someone else (like the NSA).  They know the data is being collected by the phone company, and consent to its collection and later use. 

This is no different than the government subpoenaing bank records, or airline travel records or any other records of third parties.  In fact, in the wake of 9/11, the government obtained all of the records of all of the major airlines and analyzed them to see if they could detect travel patterns of terrorists or suspected terrorists.  That program obtained the travel records of U.S. and foreign travelers alike.  This program is no different – it gets third party records for later retrieval.

Moreover, if the FBI can subpoena the phone records of a single individual without probable cause or a warrant and that is “reasonable” under the Fourth Amendment, then certainly the NSA – charged with protecting national security -- can get a Court order (a higher standard than a subpoena) for a database of records. Putting it simply, there is no expectation of privacy in these records.  The Supreme Court has clearly and repeatedly said so.  Once the NSA has this database, then “pinging” the database of telco business records infringes no privacy interest any more than a cop looking up a license plate in a database. 

Did I mention that the program thwarted dozens of terrorist plots?

The program was designed to be secret.  So if you, as a U.S. person had your records obtained by the NSA, and even “pinged” in a search, how were you “harmed?”  If you have done nothing wrong, you have suffered no damages.  In fact, you don’t even have “standing” – or legal authority – to sue under the program.  These aren’t your records.  They are the phone company’s.  The fact that the NSA (or any other agency) can search them doesn’t harm you in any legal way.  In fact, you should never have known it happened.  “These aren’t the droids you’re looking for… move along.”

And the program thwarted dozens of terrorist plots.

So from the NSA’s perspective, they have collected records for which there is no expectation of privacy, under a program that was approved by Congress, authorized by the Courts and severely limited by the executive branch, which was rarely used, and only then to thwart terrorist plots, which it did in dozens of cases.

The Fourth Amendment prohibits “unreasonable searches and seizures” or unreasonable intrusions into a legally recognized privacy interest.  Since telco users have no expectation of privacy in the numbers they have dialed (or at least none the court is willing to recognize as reasonable) the program is both legal and constitutional.

And it thwarted dozens of terrorist plots.

The NSA bulk data collection program is a narrowly tailored, strictly controlled, necessary and effective program designed to prevent terrorist attacks.  It is both legal and constitutional. 

Next.. the dead cat.

 

 

comments powered by Disqus

Trend Micro | Switch to Complete User Protection: Proven by Customers​​

Trend Micro | Switch to Complete User Protection: Simplify Management​​

About securitycurrent | Privacy Policy | Subscribe to our newsletter