The firestorm created by Edward Snowden's release of classified information earlier this year has forced at least some of the government's "dirty little secrets" about its monitoring of both citizens and foreigners out into the open. This post will briefly examine the legal issues confronting both the National Security Agency (NSA) and FISA (Foreign Intelligence Surveillance Act) Court with respect to the release of telecommunications metadata to federal agencies.
Regardless of one's political perspective, there are few people who don't understand that balance between national security interests and personal privacy is a delicate one. It is also fair to assume that for as many people who are outraged by the recent disclosure of the NSA's metadata capture, there are equally as many opinions about the validity and motives of the government's broad sweeping action.
However, without diving into the very dark swamp that surrounds this matter, I intend to use this space to present the concerns about both what metadata is, and some of the basic issues presented by its capture and manipulation, particularly with respect to the Fourth Amendment.
When word broke in June, 2013 that Verizon and other providers had turned over "metadata" to the National Security Agency (NSA) as the result of a direct order from FISA, all Hell broke loose. The order, which was issued in April of this year, relies on Section 215 of the Patriot Act. Under this section of the U.S. Code, the FISA Court found authority to require Verizon to produce, on a daily basis "all call detail records or 'telephony metadata' created for communications (i) between the United States and abroad or (ii) within the United States, including local telephone calls." (Section 215 of the Patriot Act is titled "Access to Certain Business Records for Foreign Intelligence and International Terrorism Investigations. (The full text can be found here.
* * *
The phrase "telephony metadata," as defined includes "comprehensive communications routing information, including but not limited to session identifying information (e.g., originating and terminating telephone number, International Mobile Subscriber Identity (IMSI) number, International Mobile station Equipment Identity (IMEI) number, etc.), trunk identifier, telephone calling card numbers, and time and duration of call." What it does not include is content. (Specific information about precise definitions of these items, can be found here).
Like the information covered by earlier legislation CALEA (Communications Assistance for Law Enforcement Act enacted in 1994 and amended in 2006, which applies to all carriers and providers of VoIP services, the information that the FISA court has required from Verizon is information about the call itself, but not its content.
Additionally, the FISA order that has been published was directed solely to Verizon. That's not to say that other orders haven't been issued to other providers, but the one that has garnered all of the attention has been directed to Verizon alone. (In fact, a full copy of the order can be found here).
With huge volumes of metadata, what government entities are trying to identify is calling patterns. Who calls whom, and on what days and times calls are made. The process of identifying who calls who is called "contact chaining," and it's used to establish connections between individuals and organizations. This is what's happening technically. Legally, while books will be written about this matter, it's by definition, a different matter.
The Fourth Amendment of the U.S. Constitution
The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.
Perhaps one of the most contentious aspects of this matter is whether the capture of "metadata" constitutes an illegal search and seizure covered by the Fourth Amendment. Case law and commentary require parsing of the words of the Fourth Amendment. Most notably, is the seizure of "metadata" a "search" and is it "unreasonable?" Further, to whom does this metadata belong? Is it the individual who uses the phone/Internet, or is it the provider who uses that information to connect Person A to Person B (or Person A to website C)?
Recent commentary suggests a favorite answer of mine..."it depends." In the 2012 case United States v. Jones, 132 S.Ct. 945 (2012), the concurrence of the court's majority opinion is, although not defining law, where at least some of these issues are confronted.
In Jones, the court opinion, written by Justice Scalia, addressed whether or not the placement of a GPS device on the vehicle of a suspected drug dealer violated his Fourth Amendment rights. The court held that it did. Unquestionably, the definition of property has changed since the Fourth Amendment was written and subsequently interpreted. The concept has expanded from physical trespass to initially include eavesdropping and now has expanded to include other much more sophisticated electronic monitoring capabilities.
Nonetheless, the Jones case is not the final word on the matter. This case, decided in early 2012, involved an individual while the current situation (and filed cases, most notably by the ACLU, with others sure to follow) involves a much larger scale. It also doesn't target a single individual for a specific purpose, but rather thousands, if not millions of people, for very different purposes.
Another critical legal question to be considered is "whose data is it?" Does the metadata belong to the individuals who made the calls, or does it belong to the carriers and other providers who use the information to establish connections between parties? If the data, which does NOT include content, belongs to the providers, then the problem of releasing it shifts to Verizon and away from individuals, since they never owned it in the first place.
Finally, the existence--or non-existence--of a warrant does not, in and of itself, make the collection of data "unreasonable." This too is another argument for another day, but case law exists that relaxes the warrant requirement in order to protect national security interests (see United States v. Brown 484 F.2d 418(5th Cir. 1973), among others.
One final note. In mid-August, the Washington Post published an article by Barton Gellman containing a stunning factoid. As many as 10% of those calls that were "surveilled" by the NSA in 2008, were the result of a programming error. The error confused the area code for Washington, DC (202) with the international dialing code for Egypt (20). Information regarding this colossal booboo was included in a quality assurance review that was not shared with the NSA's oversight staff, so I suspect that when the article appeared in the Post, many who should have known were surprised.
It's not what you know that can hurt you...it's what you don't know....
