Susan Landau & Asaf Lubin[*]
[Full text of this Article in PDF is available at this link]
Introduction
The first of Edward Snowden’s disclosures was a Foreign Intelligence Surveillance Court (“FISC”) order requiring that Verizon provide the National Security Agency (“NSA”) with daily Call Detail Records (“CDRs”) for all communications to, from, or within the United States.[1] The order, based on a FISC interpretation of Section 215 of the USA PATRIOT Act of 2001, required Verizon to release all call routing information, including session identifying information (e.g., originating and terminating telephone number, International Mobile Subscriber Identity (“IMSI”) number, International Mobile station Equipment Identity (“IMEI) number”), trunk identifiers, telephone calling card numbers, and time and duration of calls.[2] The Snowden disclosures and the public controversy that followed led Congress in 2015 to end bulk collection and amend the CDR authorities with the adoption of the USA FREEDOM Act.[3]
The bulk collection program was introduced in 2001 after a failure to recognize that an intercepted call occurred between an Al-Qaeda safe house in Sana, Yemen and a U.S. number.[4] But since then the terrorist threat had changed from a highly centralized, almost corporate structure to a more diffuse recruitment effort exemplified by ISIS. Communication technologies also changed. Both in the United States and around the world, there was a shift from wireline phones to mobiles to smartphones, and phone calls to Internet Protocol (“IP”)-based applications. When terrorists use mobile phones for communication, it is for IP-based communications, not for phone calls or short message service (“SMS”) texts.
These changes transformed the value of investigative tools provided under the Foreign Intelligence Surveillance Act (“FISA”). Collection of IP-based communications is conducted not under Section 215, but under FISA Section 702, which enables the Intelligence Community (“IC”) to target communications of non-U.S. persons reasonably believed to be located outside the United States.[5] Section 702 has become pivotal in tracking and preventing terrorist plots against the United States while the value of Section 215 collection has waned.
While controversy surrounded the USA FREEDOM Act’s passage in 2015, all appeared fine afterwards. Then in June 2018, NSA announced that it had found “technical irregularities” in the CDRs being provided by the telecommunications providers under USA FREEDOM Act[6] and deleted three years’ worth of records collected under the program.[7] More was to come. In March 2019, the Washington Post disclosed that the NSA had halted collection since at least September 2018;[8] the Wall Street Journal reported that the NSA recommended not seeking the program’s renewal.[9]
This Article explains why. This Article also explains the high number of CDRs collected under USA FREEDOM Act in 2016, 2017, and 2018, and possible reasons for the purge. This Article also shows how changes in technology and communication methods and the foreign-terrorist threat have sharply lessened the value of the CDR program and made its use largely unnecessary.
Section I begins this Article with a brief history of NSA’s telephony metadata and Section 702 programs and the foreign-terrorist threat. Section II examines the few orders for collection of CDRs, but seemingly disproportionately large number of CDRs collected, and the June 2018 purge of three years of collected CDRs. The analysis in this Article, based on the technical aspects of collection, goes a good way towards explaining the reasons behind these. This should move the discussion from concerns regarding overcollection to questions over the program’s efficacy—which is where the focus properly belongs. Section III demonstrates how terrorists’ utilization of IP-based communications has made the metadata program far less beneficial. Section IV probes Congress’s failure to carefully examine the efficacy of the CDR program prior to USA FREEDOM Act’s adoption in 2015 and examines what Congress should do. Section V provides a brief conclusion.
The value of investigative tools changes with time and circumstances. While almost all investigative tools can, on occasion, uncover some unknown information, it makes little sense to deploy surveillance tools when they cease to be efficacious. Focusing on Section 215 collection, this Article shows how the program lost usefulness, illuminating the need to carry out efficacy analyses on a continuing basis. Collection costs time and resources; increasing the size of the haystack may make it more difficult to find the needle.[10] Collecting all possible data does not necessarily make us safer.
[*] Susan Landau, Bridge Professor in Cyber Security and Policy, Fletcher School of Law & Diplomacy and School of Engineering, Department of Computer Science, Tufts University. Asaf Lubin, Affiliate at the Berkman Klein Center for Internet and Society and a Visiting Fellow at the Information Society Project at Yale Law School; the work was done while Lubin was a Cybersecurity Policy Postdoctoral Research Fellow, Fletcher School of Law and Diplomacy, Tufts University. This research was supported in part by funding from the William and Flora Hewlett Foundation under grant 2018-7277. We greatly appreciate the help provided by Steven M. Bellovin, Matt Blaze, Fred Cate, George Croner, David Crowe, Yves-Alexandre de Montjoye, Tom La Porta, Caroline Lynch, Rebecca “Becky” Richards, and Patrick Traynor. We also thank Anne Boustead, Bryan Cunningham, Jim Dempsey, Sharon Bradford Franklin, Amy Gaudion, Jennifer Grannick, Riana Pffeferkorn, Stuart Shapiro, Robert Sloan, and other participants of the 2019 Annual Privacy Law Scholars Conference for useful comments on an earlier draft.
[1] Glenn Greenwald, NSA Collecting Phone Records of Millions of Verizon Customers Daily, The Guardian (June 6, 2013), https://www.theguardian.com/world/2013/jun/06/nsa-phone-records-verizon-court-order [https://perma.cc/F7BT-SQSZ].
[2] Order at 2, In re Application of the Fed. Bureau of Investigation for an Order Requiring the Production of Tangible Things from Verizon Business Network Services Inc. on Behalf of MCI Communication Services, Inc. D/B/A Verizon Business Services, No. BR 13-80 (FISA Ct. Apr. 25, 2013).
[3] Uniting and Strengthening America by Fulfilling Rights and Ending Eavesdropping, Dragnet-collection and Online Monitoring (USA FREEDOM) Act, Pub. L. No. 114-23, 129 Stat. 268 (2015).
[4] See Does State Spying Make Us Safer?: The Munk Debate on Mass Surveillance 25 (Rudyard Griffiths ed., 2014).
[5] Laura K. Donohue, Section 702 and the Collection of International Telephone and Internet Content, 38 Harv. J.L. & Pub. Pol’y 117, 120–21 (2015).
[6] NSA Reports Data Deletion, IC on the Record (June 28, 2018), http://icontherecord.tumblr.com/post/175347073998/nsa-reports-data-deletion-june-28-2018 [https://perma.cc/X3DT-F68T].
[7] Charlie Savage, N.S.A. Purges Hundreds of Millions of Call and Text Records, N.Y. Times (June 29, 2018), https://www.nytimes.com/2018/06/29/us/politics/nsa-call-records-purged.html [https://perma.cc/X9KZ-RHQN].
[8] See Ellen Nakashima, NSA Has Halted a Counterterrorism Program Relying on Phone Records Amid Doubts About its Utility, Wash. Post (Mar. 5, 2019), https://www.washingtonpost.com/world/national-security/nsa-has-halted-a-counterterrorism-program-relying-on-phone-records-amid-doubts-about-its-utility/2019/03/05/f2d2793e-3f80-11e9-922c-64d6b7840b82_story.html [https://perma.cc/LZP2-L8ZJ].
[9] See Dustin Volz & Warren P. Strobel, NSA Recommends Dropping Phone Surveillance Program, Wall St. J. (Apr. 24, 2019), https://www.wsj.com/articles/nsa-recommends-dropping-phone-surveillance-program-11556138247 [https://perma.cc/538R-SRSK].
[10] See Nat’l Research Council, Bulk Collection of Signals Intelligence: Technical Options 54 (2015) [hereinafter National Research Council’s Bulk SIGINT Collection Report].