Problems with the FISC's Newly-Declassified Opinion on Bulk Collection of Internet Metadata
Yesterday afternoon, the DNI declassified an 87-page FISC opinion authored by Judge Kollar-Kotelly that had allowed a bulk Internet metadata collection under FISA's version of the Pen Register statute, 50 U.S.C. 1842. In plain English, the government published a previously-secret opinion that had allowed for the bulk collection of non-content Internet metadata under a statute that provides very low levels of privacy protection. The program is now defunct, but the opinion gives us another chance to analyze the quality of legal analysis produced by the FISC.
I've read the opinion, and I find its analysis quite strange. In this post, I'll explain why I find the opinion a head-scratcher.
To understand my reaction, you need to understand the very low privacy protection of the pen register surveillance authorities. The federal pen register authorities use a mere certification standard. Under the national security version of the pen register statute, the FISC is required to approve an application for pen register surveillance whenever the Attorney General (or an attorney he designates) certifies under oath "that the information likely to be obtained" from the monitoring "is relevant to an ongoing investigation to protect against international terrorism or clandestine intelligence activities," 50 U.S.C. 1842(c)(2). As long as the government has issued its certification, and the judge concludes that the government's application falls within the statute, "the judge shall enter an ex parte order." 50 U.S.C. 1842(d)(1). The government doesn't have to say why it thinks the standard has been satisfied; it just certifies under oath that it does. And the judge has no authority to look behind the government's assertion to see if its factual basis is strong, weak, or completely absurd. See generally In re Application of the United States, 846 F.Supp. 1555 (M.D. Fla. 1994). The judge's only role is making sure the government checked the box and made the required certification under oath. See id.
If that seems strange to you, that's a fair reaction. I think the standard should require judicial review, too. But the thinking behind use of the certification standard is that pen register surveillance traditionally is not a big deal relative to other surveillance authorities. The pen register authority permits monitoring of a suspect's non-content metadata unprotected by the Fourth Amendment for a window of time, investigative steps outside the Fourth Amendment than are akin to tailing a suspect in public or obtaining a mail cover to monitor the outside of their mail. It was the judgment of Congress that for such a relatively small-scale form of surveillance, a certification under oath by the Attorney General was enough.
That brings me to the recently-declassified opinion. The Government's apparent theory was that it could compel the bulk acquisition and disclosure of Internet metadata to the government under a single pen register order. We don't know the details of what was happening, as the information about what information was collected and how many customers were affected was blacked out. But as far as I can tell, the government wanted to do bulk collection much like it did with its controversial Section 215 telephony metadata bulk collection program. That is, it wanted an order forcing a provider to record and disclose Internet metadata in real time on an ongoing basis for potentially tens of millions of customers, all with a single order obtained with no judicial review based on a mere certification by the Attorney General.
In light of this context, Judge Kollar-Kotelly's decision approving the program and granting the application strikes me as odd for a few reasons.
First, the opinion largely overlooks the statutory clues that the pen register statute was written for the micro scale, not the macro scale. In particular, key words of the pen register statute are written in the singular not the plural. The statute authorizes the judge to issue an order requiring the installation of "a" pen register to monitor "the person who is the subject of the investigation." 50 U.S.C. 1842(d)(1)-(2). This is written in the singular, suggesting that each pen register requires a subject. Judge Kollar-Kotelly hints at this problem around pages 21-24, but as far as I can tell she never dwells on it or addresses the issue squarely. That seems like a surprising oversight for a statute based on mere certification. If the statute allows bulk collection of all Internet metadata, it allows bulk collection of all Internet metadata purely on the AG's say-so with no review by the FISC. And because the criminal law version of the pen register statute uses the same language but allows any AUSA to get a pen register order, the court's reasoning would seem to allow the same bulk collection of all Internet metadata simply on the say-so of any random AUSA.
Is that really what Congress authorized?
But that's only the beginning. Recognizing that the government is asking for permission to conduct a program that Congress presumably did not contemplate, Judge Kollar-Kotelly goes on to ignore the statutory certification standard. She spends most of the opinion conducting her own review of whether she thinks the AG was correct in submitting his certification. Along the way, she adopts the Government's exceedingly strange suggestion that the relevance standard under the pen register statute is analogous to the reasonableness requirement of searches under the Fourth Amendment. (Huh??) She then concludes that the bulk collection is reasonable in a Fourth Amendment sense -- not that the Fourth Amendment applies, as this is just metadata, but rather in the policy sense that the program represents a sensible balance between security and privacy along the lines of that required under Fourth Amendment reasonableness precedents. The application is thus granted because, all things considered, the program does seem to be a pretty good way to find terrorists. See pages 49-54. Judge Kollar-Kotelly then goes on to impose strict limits on how the pen register order is to be implemented, imposing use restrictions on the data, mandating what kinds of queries can be made of the data collected, and the like.
But note how far we are from the actual language of the statute. None of this is contemplated in the pen register statute, which just requires a certification and (as far as I can tell) has no provisions authorizing judges to impose creative rules on what happens to the information obtained.
If you're of a civil libertarian bent, you're probably thinking that it was a good thing that the judge creatively read in all sorts of restrictions and heightened standards that are not actually found in the statute. But from a civil libertarian perspective, that's backwards. The reason is counterintuitive but critical to understand: The bare certification standard and absence of statutory authority to impose use regulations are important statutory clues suggesting that the pen register authority does not extend to bulk programmatic uses. The statute offers such little privacy protection because it was designed to have such limited use. When you start off by realizing just how little privacy protection the statute confers, you quickly confront the remarkable implications of squeezing a program of massive-scale bulk collection into its statutory language. The FISC's opinion didn't do that.
At least that's my initial reaction. It's entirely possible I'm just missing something. If so, I'll post a correction ASAP and apologize to Ben for ruining his fine blog. But at least based on my first read, the FISC's opinion seems to have major problems. By imagining that the statute provides more protection than it does, and by then construing the ambiguity in the statute in the government's favor, the FISC's opinion ends up approving a program that Congress did not contemplate using privacy protections Congress did not contemplate either. The resulting opinion endorses a program that appears to be pretty far from the text of the statute.