Today on the IC On The Record Tumblr, the United States government published three declassified Foreign Intelligence Surveillance Court (FISA) primary orders regarding the controversial telephony metadata program that collects information about the phone calls placed by Americans. (One, two, three.)
The telephony metadata program, revealed last year in the opening salvos of the Snowden leaks, has been the subject of sustained controversy. Privacy advocates view the program as overly invasive, as it collects information about the daily activities of every American’s domestic communications. The program doesn’t collect content — i.e. the actual communications executed over the phone. Instead it collects information about the calls, such as when they were placed, to whom, and the like.
In 2006, then-Senator Joe Biden, now the United States Vice President, did an admirable job explaining why the collection of metadata is disconcerting:
I don’t have to listen to your phone calls to know what you’re doing. If I know every single phone call that you made, I am able to determine every single person you talked to. I can get a pattern about your life that is very, very intrusive.
And the real question here is: What do they do with this information that they collect that does not have anything to do with Al Qaeda?
And we’re going to trust the president and the vice president of the United States that they’re doing the right thing? Don’t count me in on that.”
Each of the newly released primary orders dates from 2009, stretching from July to December of that year.
That timeframe matters. It’s when the National Security Agency (NSA) made what it refers to as a “technical modification” to its internal policies, limiting its analysts from “going beyond three ‘hops’ from an identifier used to query the [business record] metadata” that it had collected. The three documents are interesting, because they demonstrate a change in policy at the NSA.
An NSA review document from June 2009 indicated the coming policy change, stating the following:
The date that the policy was changed was August 17, 2009. Both latter primary orders contain a footnote noting that date. It appears, therefore, that analysts had freer range before that data to query more than three hops. For clarity, I’ve asked the NSA to confirm the point.
According to IC On The Record, the court decisions detail authorization of the collection of telephony metadata “under Section 501 of the Foreign Intelligence Act [FISA].” It’s worth noting that Section 215 of the Patriot Act widened that FISA provision to allow for broader collection. That interpretation has proved controversial. [Update: The NSA indicated to TechCrunch that the change in place didn’t impact the number of hops allowed, indicating that it was at three before as well.]
President Obama has called for the three-hop rule to be cut down to two. That would dramatically curtail the program.
The documents are worth reading, but here are a few highlights:
- When the NSA wishes to share “any U.S. person identifying information,” a senior official of the agency must “determine that the information identifying the U.S. person is in fact related to counterterrorism and that it is necessary to understand the counterterrorism information or asses its importance.” That protection doesn’t apply in certain cases regarding the Executive and Legislative branches, however.
- The NSA has to check the database “at least twice before the expiration of the authorities granted” to make sure that it is not collecting “the substantive content communications.” This sounds reasonable, but is also troubling. That the NSA could accidentally collect content under a metadata program is unsettling.
- The order commands the following be supplied: “all call detail records or ‘telephony metadata’ created by [redacted] for communications (i) between the United States and abroad; or (ii) wholly within the United States, including local telephone calls.” This mirrors our prior understanding of the program.
- The order refers to data that the NSA supplies to the FBI as part of the telephony metadata program as “passed, or ‘tipped,'” and notes that the FBI must follow “minimization procedures […] set forth in The Attorney General’s Guidelines for Domestic FBI Operations.” Presumably, those standards are less stringent. Thus, data from the telephony metadata program is passed to the FBI in an unminimzed fashion, it appears. I’ve asked the NSA for clarity on that matter. [Update: The NSA informed TechCrunch that the information passed to the FBI would first have to undergo its own “minimization procedures.”]
The documents are at times heavily redacted. The following is a good example:
That section, you might think, would be worth reading.