Benjamin Wittes and Robert Chesney, who know a great deal about national security law, have an article urging people to keep the two revelations of government spying last week distinct from one another. There’s the Verizon metadata seizures and there’s the PRISM program, which are different in very important ways. First, we simply are not clear on what the PRISM program is and how it operates. Some have cast doubt, with seemingly reasonable arguments, on the PRISM revelations. But the Verizon leak we know is accurate because the actual order from the FISA court was leaked. And that might actually be the more significant problem:
At a high-level of abstraction, it does make some sense to lump these stories together. They both concern the tension between privacy and the need to collect intelligence in the context of evolving technologies—and the leaks, of course, came from the same source.
But at another level, conflating these two stories is a big mistake. They are by no means of equal weight and importance when it comes to informing the public about the government’s data-collection and monitoring powers. The Post story actually tells us little we did not already know—other than operational details that may prove of considerable use to those seeking to avoid NSA surveillance. By contrast, the Guardian story reveals a genuinely surprising and significant government legal position—albeit one apparently accepted by the FISA Court and congressional oversight leaders for a number of years—with important implications for the future of big data in government collection, surveillance, and intelligence authorities…
More importantly, the story, and the leak of the FISA Court order that underlies it, do reflect something significantly new concerning a claimed authority about which the public was not previously informed. Specifically, it reveals that the government was using a particular section of FISA—known as Section 215—as a way of accessing not just specific items about specific persons on a case-by-case basis, but also as a means to create giant datasets of telephony metadata that might later be queried on a case-by-case basis. As we move into the age of Big Data, it may not be surprising that the government would want to have authority to generate such a database; we all recall the Total Information Awareness initiative, after all. But it is surprising to learn both that the government thinks it already has this authority under Section 215, and still more so that the FISA Court agrees and that members of Congress know this as well.
Section 215 allows the government to seek and receive an order from the FISA court requiring third parties (like Verizon) to produce “tangible things” like business records, so long as the government can certify that the information sought is “relevant” to a national security investigation. It is the analog in the context of national security investigations to the grand jury subpoena in a criminal probe—the instrument by which the government can compel people to turn over material germane to the investigation. Most people assumed, prior to the Guardian story, that this provision was being used on discrete occasions to obtain individual collections of records about known counterintelligence or terrorist suspects—for records showing, say, that a certain person made certain purchases from a certain vendor or used a particular telephone to make specific calls. The government has, to some extent, encouraged this understanding, suggesting that Section 215 orders are comparatively rare and focused on specific business records.
There have been hints for some time that the government might be using Section 215 more aggressively. Senators Mark Udall and Ron Wyden, both members of the intelligence committee, have been warning for a while that the public would be shocked to know how government and the FISA Court had interpreted the provision. And Todd Hinnen, then acting head of the Justice Department’s National Security Division, testified in 2011 that “Section 215 has been used to obtain driver’s license records, hotel records, car rental records, apartment leasing records, credit card records, and the like. . . . Some orders have also been used to support important and highly sensitive intelligence collection operations, on which this committee and others have been separately briefed. On average, we seek and obtain section 215 orders less than 40 times per year” (emphasis added).
That said, until the Guardian story, it was not clear to the public that the government and the court had read the words “tangible things” and “relevant” so broadly as to permit the bulk pre-collection of records—including in particular “telephony metadata,” which includes all the non-content information pertaining to phone calls, such as the numbers involved and the physical location of the phones as indicated by the cell towers—much less that the government had been collecting such data for all calls within the United States and doing so for the past seven years, according to the leaders of the Senate intelligence committee.
That use of the business records provision for such a massive data-mining operation is, according to Wittes and Chesney, “different and grander in scope and scale from anything we had thought the law meant.” And unlike the PRISM program, there is no genuine dispute over what is happening.