NSA Phone Metadata Collection: constitutional or not?

by ,

If you’ve been following the news headlines recently you could be forgiven for being a little confused. A couple of weeks ago: NSA phone surveillance program likely unconstitutional, judge rules. Then a couple of days ago: NSA phone records spying is constitutional, judge says. They are two separate cases although they cover very similar things.

The first is Klayman v. Obama. The plaintiffs are seeking a preliminary injunction preventing the Government from collecting their phone records and to delete past records. Judge Richard Leon did not uphold all aspects of the complaint but has granted this injunction on Fourth Amendment grounds. He has stayed his order pending appeal. I discussed some interesting parts of this ruling in a previous post. (Ruling PDF)

The second is ACLU v. Clapper. The plaintiffs are seeking a preliminary injunction preventing the Government performing future mass collection of phone records or using any queries associated with the plaintiffs. Judge William Pauley has dismissed essentially all arguments supporting this complaint, which were based on statutes and the First and Fourth Amendments. (Ruling PDF)

Obviously the two courts have some disagreements. Here are some of the main ones.

Smith v. Maryland

Both rulings consider Smith v. Maryland closely and this is probably the most important difference as it goes to the heart of whether the NSA’s program violates the Fourth Amendment (hence the dramatic headlines). To recap, without a warrant, police placed a pen register on Smith’s phone line to record what numbers he dialled. Back in 1979 the Supreme Court found that this did not amount to a search as defined by the Fourth Amendment so this surveillance did not impinge on constitutional rights. The argument came down to reasonableness—Smith’s reasonable expectation of privacy did not extend to the numbers that he dialled because he knowingly and voluntarily transmitted them to the phone company.

Leon refused to be bound by this precedent on the grounds that circumstances are substantially different—particularly the enormous quantities and indiscriminate nature of the NSA’s collection, the amount of historical data kept (five years), modern analysis to gain insights into people’s lives using the data, the changed relationships between governments and telecommunications companies, and the changed relationships between people and their phones.

Pauley ruled that Smith applies because the important factors have not changed. He states that “While people may ‘have an entirely different relationship with telephones than they did thirty-four years ago,’ [citing Klayman] this Court observes that their relationship with their telecommunications providers has not changed…” Because the kinds of data being collected now—phone numbers, time of call, duration of call, IMSI, IMEI, etc.—are not substantially different from the data recorded by the pen register, Pauley argues that the collection is much the same thing: “The collection of breathtaking amounts of information unprotected by the Fourth Amendment does not transform that sweep into a Fourth Amendment search.”

Pauley also adds that “the business records created by Verizon are not ‘Plaintiffs’ call records’”. He stands by the Smith conclusion that you forfeit the right to privacy for records that you voluntarily provide to your phone company. In one footnote he describes many examples from case law in which the individual surrenders their reasonable expectation of privacy, such as bank records, information given to an accountant, information given to a confidant, information given to a false friend, subscriber information given to an ISP and information from a home computer that is transmitted over the Internet.

Reasonableness of search

Leon ruled that the “plaintiffs have a significant expectation of privacy in an aggregated collection of their telephony metadata covering the last five years”. He then balanced this against the Government’s need for the data to maintain national security. He was not satisfied by the Government’s evidence that they needed the bulk telephony data to solve any problems that they would have been unable to solve otherwise. Thus he ruled that on balance the reasonableness tipped in favour of the privacy rights of the individual.

Pauley ruled that the plaintiffs had no reasonable expectation of privacy and also upheld the Government’s need for the data. He summarised three cases in which the telephony data explicitly assisted with counterterrorism investigations. He accepts that the Government is collecting virtually all telephone records in the United States and defends this: “without all the data points, the Government cannot be certain it connected the pertinent ones…all telephony data is ‘necessary’ to permit the NSA…to do the algorithmic data analysis to determine ‘connections between known and unknown international terrorist operatives.’”

Pauley rejects the ACLU’s claims that the quantity of data collected, particularly of irrelevant innocent people, reflects poorly on the collection program. He explains that courts routinely subpoena enormous amounts of data, only a small amount of which is relevant for a case and rules that this type of data collection is the same sort of thing as a grand jury subpoena. If there were other bits of metadata being included that were truly unnecessary then this argument might have traction but he is satisfied that all of the metadata currently being collected is relevant.

Compliance and oversight

Leon presented a negative picture of the Government’s compliance with FISC orders to minimise the amount of data they queried. “Judge Reggie Walton of the FISC concluded that the NSA had engaged in ‘systematic noncompliance’ with FISC-ordered minimization procedures… As a consequence, Judge Walton concluded that he had no confidence that the Government was doing its utmost to comply with the court’s orders…”.

Pauley’s view was a much more positive one. He made particular note of the iterative and consultative processes that occurred between the Government and the FISC to ensure that their activities under section 215 of the PATRIOT Act would be approved. “The iterative process Judge Bates describes is routine and demonstrates the FISC does not ‘rubberstamp’ applications for section 215 orders.” He paints a happy picture of the NSA reporting its own noncompliances on several occasions and then working with the FISC to implement remedial measures and ensure future compliance.

Pauley does note that the FISC is inherently less effective because of its ex parte nature (that is, there is no representative of “an American citizen” to argue against the government): “Its ex parte procedures are necessary to retain secrecy but are not ideal for interpreting statutes. This case shows how FISC decisions may affect every American—and perhaps, their interests should have a voice in the FISC.”

Queries and the three hops rule

Leon understands fully the quantities of data that can be received from a single query when you apply the three-hops-from-seed rule—he discusses how a single query could return records for potentially millions of numbers or more, depending on whether a pizza shop is included. This could allow the NSA to retrieve enormous amounts of data from the database even with only 300 authorised search terms in a year. He disregards the claim that the records returned by queries are “a very small percentage of the total volume of metadata records”, simply on the grounds that the total volume is probably extremely large.

Pauley rules that the controls on the NSA’s access to the database are appropriate. He is satisfied that the database is only being accessed lawfully: “First, without additional legal justification…the NSA cannot even query the telephony metadata database.” He views the three hops rule as a useful restriction: “Second, when it makes a query, it only learns the telephony data of the telephone numbers within three ‘hops’ of the ‘seed’.” He also considers the impact of this particular program in isolation: “Third, without resorting to additional techniques, the Government does not know who any of the telephone numbers belong to. In other words, all the Government sees is that telephone number A called telephone number B”.

I would add a couple of points of my own here. Ultimately we would like to reconcile the potentially enormous amounts of data under the three-hop rule with the Government’s claim that only a “small percentage” of the data is returned in queries. It makes a big difference if a “very small percentage” is 0.1% or 10%, and whether this percentage is spread out evenly geographically and demographically. Because of this uncertainty I take this claim with a hefty grain of salt.

Pauley’s claim that the government does not know the names of phone account holders is completely disingenuous. It has already been reported from the Snowden leaks that the NSA is collecting enormous numbers of electronic address books. What else is it going to use these for, other than to match up names, phone numbers and email addresses with superb accuracy?

Conclusion

For those of us hoping the courts would find that the NSA has crossed the line, Judge Pauley’s ruling is sobering. Although I think he relies on some misconceptions, he puts up some convincing arguments that this type of metadata collection may well be constitutional despite its enormous scope.

Perhaps the case will go to the US Supreme Court and it will rule that mass telephony data collection is constitutional. In this case it is important to remember that just because an activity is lawful does not mean that it is the best solution to a problem. It simply means that changes will need to be directed by legislation via Congress rather than the courts.

What’s more, these are lawsuits based on the very first of the Snowden leaks—the order forcing Verizon to hand over phone records on an ongoing daily basis. It’s could well be that other parts of the NSA’s conduct are unconstitutional. They are not being tried in these cases.

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>