In the post-HR 3361 passage press conference yesterday, Jerry Nadler suggested the only reason civil libertarians oppose the bill is because it does not go far enough.
That is, at least in my case, false.
While I have concerns about unintended consequences of outsourcing holding the call data to the telecoms (see my skepticism that it ends bulk collection here and my concerns about high volume numbers here), there are a number of ways that USA Freedumber is worse than the status quo.
These are:
- The move to telecoms codifies changes in the chaining process that will almost certainly expand the universe of data being analyzed
- In three ways, the bill permits phone chaining for purposes outside of counterterrorism
- The bill weakens minimization procedures on upstream collection imposed by John Bates, making it easier for the government to collect domestic content domestically
- The bill guts the current controls on Pen Register authority, making it likely the government will resume its Internet dragnet
The NSA in your smart phone: Freedumber codifies changes to the chaining process
As I have described, the language in USA Freedumber makes it explicit that the government and its telecom partners can chain on connections as well as actual phone call contacts. While the new automatic search process approved by the FISA Court in 2012 included such chaining, by passing this bill Congress endorses this approach. Moreover, the government has never been able to start running such automatic queries; it appears they have to outsource to the telecoms to be able to do so (probably in part to make legal and technical use of location data). Thus, moving the phone chaining to the telecoms expands on the kinds of chaining that will be done with calls.
We don’t know all that that entails. At a minimum (and, assuming the standard of proof is rigorous, uncontroversially) the move will allow the government to track burner phones, the new cell phones targets adopt after getting rid of an old one.
It also surely involves location mapping. I say that, in part, because if they weren’t going to use location data, they wouldn’t have had to move to the telecoms. In addition, AT&T’s Hemisphere program uses location data, and it would be unrealistic to assume this program wouldn’t include at least all of what Hemisphere already does.
But beyond those two functions, your guess is as good as mine. While the chaining must produce a Call Detail Record at the interim step (which limits how far away from actual phone calls the analysis can get), it is at least conceivable the chaining could include any of a number of kinds of data available to the telecoms from smart phones, including things like calendars, address books, and email.
The fact that the telecoms and subsidiary contractors get immunity and compensation makes it more likely that this new chaining will be expansive, because natural sources of friction on telecom cooperation will have been removed.
Freedumber provides three ways for NSA to use the phone dragnet for purposes besides counterterrorism
As far as we know, the current dragnet may only be used for actual terrorist targets and Iran. But USA Freedumber would permit the government to use the phone dragnet to collect other data by:
- Requiring only that selection terms be associated with a foreign power
- Permitting the retention of data for foreign intelligence, not just counterterrorism, purposes
- Allowing the use of emergency queries for non-terrorism uses
Freedumber permits searches on selection terms associated with foreign powers
On its face, USA Freedumber preserves this counterterrorism focus, requiring any records obtained to be “relevant to” an international terrorist investigation. Unfortunately, we now know that FISC has already blown up the meaning of “relevant to,” making all data effectively relevant.
The judicial approval of the specific selection term, however — the court review that should be an improvement over the status quo — is not that tie to terrorism, but evidence that the selection term is a foreign power or agent thereof.
Thus, the government could cite narcoterrorism, and use the chaining program to investigate Mexican drug cartels. The government could raise concerns that al Qaeda wants to hack our networks, and use chaining to investigate hackers with foreign ties. The government could allege Venezuela supports terrorism and investigate Venezuelan government sympathizers.
There are a whole range of scenarios in which the government could use this chaining program for purposes other than counterterrorism.
Freedumber permits the retention of any data that serves a foreign intelligence purpose
And once it gets that data, the government can keep it, so long as it claims (to itself, with uncertain oversight from the FISC) that the data has a foreign intelligence purpose.
At one level, this is a distinction without a difference from the language that USA Freedumb had used, which required the NSA to destroy the data after five years unless it was relevant to a terrorism investigation (which all data turned over to NSA would be, by definition). But the change in language serves as legislative approval that the use of the data received via this program can be used for other purposes.
That will likely have an impact on minimization procedures. Currently, the NSA needs a foreign intelligence purpose to access the corporate store, but can only disseminate data from it for counterterrorism purposes. I would imagine the changed language of the bill will lead the government to successfully argue that the minimization procedures permit the dissemination of US person data so long as it meets only this flimsy foreign intelligence purpose. In other words, US person data collected in chaining would be circulating around the government more freely.
Freedumber’s emergency queries do not require any tie to terrorism
As I noted, the revisions USA Freedumber made to USA Freedumb explicitly removed a requirement that emergency queries be tied to a terrorism investigation.
(A) reasonably determines that an emergency situation requires the production of tangible things to obtain information for an authorized investigation (other than a threat assessment) conducted in accordance with subsection (a)(2) to protect against international terrorism before an order authorizing such production can with due diligence be obtained;
That’s particularly troublesome, because even if the FISC rules the emergency claim (certified by the Attorney General) was not legally valid after the fact, not only does the government not have to get rid of that data, but the Attorney General (the one who originally authorized its collection) is the one in charge of making sure it doesn’t get used in a trial or similar proceeding.
In short, these three changes together permit the government to use the phone dragnet for a lot more uses than they currently can.
Freedumber invites the expansion of upstream collection
When John Bates declared aspects of upstream collection to be unconstitutional in 2011, he used the threat of referrals under 50 USC 1809(a) to require the government to provide additional protection both to entirely domestic communications that contained a specific selector, and to get rid of domestic communications that did not contain that specific selector at all. The government objected (and considered appealing), claiming that because it hadn’t really intended to collect this data, it should be able to keep it and use it. But ultimately, that threat (especially threats tied to the government’s use of this data for ongoing FISA orders) led the government to capitulate.
The changes in Freedumber basically allow the government to adopt its old “intentional” claim, reversing Bates’ restrictions. Read more →