Internet Metadata Collection

Challenges Ahead on Telephone Metadata Collection

By Carrie Cordero
Wednesday, April 2, 2014, 12:00 PM

With the White House conceptual framework and the HPSCI bill on the table, there may be a way forward on telephone metadata collection for foreign intelligence purposes. Of the three possible options that existed before March 28: (i) the data continuing to reside with the government in a modified program, (ii) the data residing with the telephone companies, or (iii) the data residing with a third party, it appears that one, if not two of the three options, are out of favor.  Thankfully, the third party option, which might have assembled all the same data in bulk but taken it out of the hands of the government and put it into the hands of a government contractor, appears to be firmly off the list of possible options.

Given that both the approach outlined by the President and the HPSCI bill---which, notably, was developed and introduced in a bipartisan effort---would provide a mechanism for NSA to submit requests to the telephone companies to query their records that already exist, it appears that this approach is carrying the most weight right now. So it is worth identifying some of the unknowns that will need to be addressed and resolved as the discussion and debate continues. To that end, a few questions and observations:

Will the reconstituted program retain equal efficiency in acquiring and analyzing the data as the current program? This is a big question, with a very unclear answer from where we sit today. Currently, it is impossible to tell, but also hard to imagine that it will. What we do know is that communications companies are in the business of providing communications services. And while they will respond to lawful legal process, they are not inherently suited to perform, nor are they interested in dramatically changing their business model to facilitate, intelligence collection and analysis. For example, it is generally understood that the companies do not want to retain the data longer than they need to for business purposes or to comply with existing laws and regulations. A shorter retention period of the telephone metadata, from, say, five years to eighteen months, is a significant decrease in utility. Articulating the view that the companies will only go so far in accommodating government needs, Verizon General Counsel and Executive Vice President Randy Milch wrote on the Verizon Policy Blog on March 27:

This week Congressmen Mike Rogers (R-MI) and Dutch Ruppersberger (D-MD) released the “End Bulk Collection Act of 2014”, which would end bulk collection of data related to electronic communications. The White House also announced that it is proposing an approach to end bulk collection. We applaud these proposals to end Section 215 bulk collection, but feel that it is critical to get the details of this important effort right. So at this early point in the process, we propose this basic principle that should guide the effort: the reformed collection process should not require companies to store data for longer than, or in formats that differ from, what they already do for business purposes. If Verizon receives a valid request for business records, we will respond in a timely way, but companies should not be required to create, analyze or retain records for reasons other than business purposes.

Accordingly, if we care at all about preserving operational utility, it will matter exactly how the data is retained---at each and every company---and how the government will be able to access and analyze it under a new framework. I could be wrong, but this seems a little more complicated from a technical and process standpoint than anyone in government is currently letting on.

Will a new collection framework require pre or post approval by the FISA Court of the query terms? According to the interim changes put in place by the President on January 17, the FISC is currently evaluating whether queries meet the reasonable articulable suspicion (RAS) standard before-the-fact---that is, each query is conditioned on getting court sign-off first.  That setup is reflected in the Administration's legislative proposal:  its March 27 fact sheet states that “absent an emergency situation, the government would obtain the records only pursuant to individual orders from the FISC approving the use of specific numbers for such queries….[,]” presumably, in advance. But the HPSCI proposal takes a quite different tack, opting instead for what Matt and Ben described as a 702-like, "basket" approach---a single judicial order authorizing collection on a programmatic, rather than individualized basis.

On this issue, it is really worth thinking through and articulating what goal would be met by prior Court approval. In conducting that analysis, factors to be considered could include whether prior Court approval would either detract from the Court’s timely consideration of matters more substantially impacting privacy and civil liberties (such as cases involving content collection or U.S. persons); or whether it might also delay intelligence acquisition and analysis that may not meet a statutory emergency standard but is still important enough to be conducted quickly. It is also worth considering what harm is incurred if post-query approval by the Court were implemented. Given that this is, after all, metadata and not the content of phone calls, is there really a harm if the Court disagrees with the government’s query and directes that the data be purged?

How can the new framework for telephone metadata collection restore public confidence? On this point, a modest suggestion: the text of the statutory language should be as clear as is possible. Whatever the merits of the various arguments that have emerged in the public debate, a lesson learned should be that whatever fix is implemented should address the primary thing that actually needs to be addressed: restoring public confidence that laws governing foreign intelligence collection are being implemented as intended.

What is the real timetable here? The Administration has publicly stated that it has asked the FISC to renew the current program for another ninety days. It has also stated that in order to shift the program to a new framework in line with the President’s vision, legislation is needed. While Presidential deadlines can be useful in motivating bureaucracy to move faster than it otherwise would, the stakes seem pretty high to rush getting this transition wrong. It would be remarkable, really, to achieve the trifecta of legislation, technological accommodation at the companies, and revised government process, procedures and oversight structures, that will be needed in order to implement a new program effectively, in ninety days. A more realistic timeframe might be to obtain the legislation by August recess, and before the off-year elections. That would give the companies and Intelligence Community time to get the technological infrastructure, procedures and process in place to be able to actually implement the legislation, if and when it is passed.