Adm. Michael “Mike” Rogers, director of the National Security Agency and commander of U.S. Cyber Command, listens to a question during a cybersecurity conference in Washington in June. (Andrew Harrer/Bloomberg)
Marcy Wheeler is an independent journalist who writes extensively on surveillance and civil liberty issues. She blogs at Emptywheel.
The terms of the debate over NSA reform between Dickinson College professor H.L. Pohlman and the ACLU’s Gabe Rottman are too limited. Pohlman claims the version of the USA Freedom Act sponsored by Sen. Patrick Leahy (D-Vt.) still permits the government to collect call-detail records prospectively (he suggests, but does not specifically say, that it permits the government to do so in bulk). Rottman claims that new language limiting the specific selection terms used in queries and mandating minimization procedures would limit that.
Both men miss the one thing in Leahy’s bill that should limit bulk call-detail records: prohibitions on using the name of an electronic communications service provider as a specific selection term (unless that provider is the target of an investigation). Thus, whereas now the government uses “Verizon” as a selection term, it shouldn’t be able to do this going forward. The government will surely still be able to collect more limited sets of call-detail records — targeting, for example, everyone within 2 degrees of Julian Assange as part of a counterintelligence
But Rottman’s assurances don’t really work for all other kinds of production — the 97 percent of Section 215 orders last year that weren’t for the known phone dragnet. There were 174 Section 215 orders last year issued for “tangible things” other than the phone dragnet program exposed by Edward Snowden. Just four Section 215 orders authorized the collection of some significant part of all the phone records in the United States for the entire year, but we have almost no idea what the other 174 orders authorized.
As mentioned, Rottman suggests the definition of “specific selection term” limits what the government can obtain using a Section 215 order. “USA Freedom Act would require the government to present a phone number, name, account number or other specific search term before getting the records.” But he misstates the definition, which specifically permits “person” to be used, and makes a distinction between “individuals” elsewhere in the bill and “persons” for the existing authority. That suggests that any corporate person — besides the electronic service or cloud providers specifically excluded — might be used as a selector. Under Leahy’s bill, “Verizon” couldn’t be a selector, but “Fedex” or “Western Union” probably could. The Wall Street Journal and New York Times have both reported on an existing bulk collection program for Western Union’s records.
Rottman suggests that the newly mandated minimization procedures in Leahy’s bill will limit such collection. There’s no reason to believe that’s the case. That’s because the FISA Court already imposes minimization procedures for many, and probably most, of its orders.
Back in 2010, the number of Section 215 orders started to balloon: There were 21 in 2009, 96 in 2010, 205 in 2011. As the number of orders grew, the FISC modified more and more of the orders: 43 percent and 45 percent in 2009 and 2010 respectively and 86 percent in 2011. Two documents released to the ACLU under FOIA revealed that the majority of those modifications imposed
Because of the secrecy surrounding all the orders not involving the phone dragnet, we have no idea whether the minimization procedures mandated by Leahy’s bill are even as stringent as the procedures FISC has been imposing for years (some procedures in Leahy’s bill — such as the treatment of improperly collected records under an emergency provision — are arguably more lenient). Unlike FISC’s previous minimization procedures, it is not clear the bill’s language would require an implementation report or would be binding on any agency but the FBI.
Moreover, contrary to Rottman’s claim, the bill’s minimization procedures appear to allow the indefinite retention of records from anyone within two hops of a target, so long as that target is under investigation. It permits the retention of records that “relate to a person [second hop] who is … in contact with or known to … a suspected agent [first hop] of a foreign power who is associated with a subject of an authorized investigation.” If a target received money via Western Union, for example, it would permit the retention of records from the target, anyone sending him money (who would, given the nature of such funds, be a suspect), and anyone known — in any way — to those sending him money.
Thus, it’s not clear anything in the Leahy bill would change the status quo for the 97 percent of Section 215 orders for things other than the phone dragnet, and it’s conceivable the bill would even loosen controls on those programs.
As of June 19 this year, the FISC had approved 93 orders for things other than the phone dragnet and just three primary orders for the phone dragnet. The other orders continue to be the overwhelming majority of the Section 215 orders, if not the production. And yet for those orders, the Leahy bill may not do anything to improve on the status quo.
That’s why we’d do well to take Pohlman’s warnings seriously.
