There have been many critics of the Obama Administration's aggressive pursuit of leakers. But today's news offers a new line of attack on the Administration's tactics: they're apparently not working. The UK paper The Guardian was the beneficiary of a huge new leak, this one about a secret court order to a Verizon subsidiary ordering the company to turn over to the National Security Agency (NSA) "all call detail records or "telephony metadata" created by Verizon for communications (i) between the United States and abroad; or (ii) wholly within the United States, including local telephone calls." In other words, the NSA likely now has records pertaining to you, me and Grandma Marie. Officials suggest that other communications companies have received similar orders, as part of a program going back seven years. Banks, credit card companies, travel firms and many other businesses may have received similar directives. The order is actually not at all surprising to observers of intelligence matters. So far, the White House and some Members of Congress have staunchly defended the program. This stands in marked contrast to the scorn heaped a decade ago on Adm. John Poindexter and his proposed "Total Information Awareness" program, which would have done pretty much the same thing. So who's calling the Admiral to apologize?
The order was issued under Section 215 of the USA Patriot Act (codified at 50 U.S.C. § 1861), which allows the Foreign Intelligence Surveillance Court (FISC) to issue "an order requiring the production of any tangible things (including books, records, papers, documents, and other items) for an investigation to obtain foreign intelligence information not concerning a United States person or to protect against international terrorism or clandestine intelligence activities." To obtain such an order, the government must show only "that there are reasonable grounds to believe that the tangible things sought are relevant to an authorized investigation."
Opponents of the USA Patriot Act originally dubbed Section 215 "the library provision," because they feared it would be used to obtain records of the books people took out from the library. Silly them. That was always a laughable concern. The reading habits of terrorists and spies were never the government's focus. Bank, credit card, travel, email and phone records were more like it. And because of Section 215's broad scope, and the low bar for getting one (mere "relevance" to an investigation), it was clear all along that the government could use a 215 order to obtain records related to innocent people so it could sift through them to find intelligence; it was distinctly not limited to obtaining the records of suspected terrorist and spies.
The government tried to quell fears that Section 215 would be used in such a sweeping way by pointing out that it was really just an intelligence version of a criminal subpoena for business records. And, indeed, Section 215 was amended to make this limitation clear; it now stipulates that an order "may only require the production of a tangible thing if such thing can be obtained with a [grand jury] subpoena...or with any other order issued by a court of the United States directing the production of records or tangible things." That's never satisfied some critics, since a "tangible" thing can still mean pretty much anything other than the thoughts in your head. And, in the communications context, at least, the Electronic Communications Privacy Act (ECPA) allows the government to obtain electronic communications records of subscribers or customers pursuant to a subpoena or court order. Moreover, it allows the government to obtain the contents of some communications with a subpoena or court order, and of any communications with a search warrant (though the Administration has recently endorsed the view that the Fourth Amendment requires that a search warrant be obtained before the government can get a hold of all communications content). So, at least arguably, the government could get the same information it has gotten from Verizon using a subpoena or a so-called "2703(d)" court order under ECPA, though perhaps not as easily.
Notably, the Section 215 order does not require disclosure of the content of communications "or the name, address, or financial information of a subscriber or customer." The metadata the government seeks includes "comprehensive communications routing information, including but not limited to session identifying information (e.g., originating and terminating telephone number, International Mobile Subscriber Identity (IMSI) number, International Mobile station Equipment Identity (IMEI) number, etc.), trunk identifier, telephone calling card numbers, and time and duration of call." The limitation to metadata may reflect a concern about having the FISC reject an application for content on statutory or constitutional grounds. Or it may reflect the Administration's own evolving view of the Fourth Amendment.
The White House is not denying the authenticity of the order published by The Guardian, but calling it a lawful and necessary part of its efforts to prevent terrorist acts. Some congressional Democrats and Republicans are defending it, too, and saying it is part of a routine reauthorization of a program they have long known about. Rep. Mike Rogers (R-MI), Chairman of the House Intelligence Committee, even said the program helped prevent a significant terrorist attack in the US in the last few years. So far, the most critical lawmaker has been Sen. Ron Wyden (D-OR), who confirmed that the order is part of the program that he and Sen. Mark Udall (D-CO) have been warning about, in a cryptic way, each time Section 215 has come up for renewal.
So what is the government doing with the information? It is likely trying to draw connections between known suspects and other unknown affiliates. It may also be looking for patterns (e.g., calls to Yemen or Pakistan, combined with calls to certain financial institutions known for laundering terrorists' money, etc.) to try to identify new suspects for further investigation. If the government is combining the communications data with other databases—such as bank, travel, educational, or purchase records—then it really would amount to the same thing as Poindexter's much-criticized Total Information Awareness program.
The big question is what the government is doing to "minimize" the innocent information about you, me and Grandma Marie that it does not need (or use). Section 215 requires that the government show the FISC the specific procedures designed "to minimize the retention, and prohibit the dissemination, of nonpublicly available information concerning unconsenting United States persons consistent with the need of the United States to obtain, produce, and disseminate foreign intelligence information." Note that the government is not required to destroy data about US persons that have nothing to do with foreign intelligence; it just has to "minimize the retention of it." Its minimization procedures thus may well allow the government to retain innocent communications for a period of time in case they may be useful in the future.
Now that the public is attuned to the problem, and civil liberties groups are apoplectic, we are likely to learn more about exactly how the program is used, and how information is minimized. There will be congressional hearings, in which embarrassed Members of Congress, who never bothered to attend briefings on the program, will grill Executive Branch officials for details. And there will be leaks. Oh yes, lots of leaks. Which means there will be leak investigations. Gee, I wonder who placed a call to Glenn Greenwald of The Guardian recently...
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
