Intelligence Surveillance & Privacy

Time to Resolve the Metadata Fight

Susan Landau
Friday, May 29, 2015, 5:29 PM


Published by The Lawfare Institute in Cooperation With Brookings

Congress is playing brinksmanship again, this time over the national-security metadata collection program. Until the Second Circuit concluded that Section 215 of the USA PATRIOT Act did not authorize bulk metadata collection, it looked as if the law would be renewed before its expiration at midnight on May 31. Because of the court decision, a simple reauthorization of Section 215 is no longer possible. A hard decision has to happen. That has proved highly problematic.

Last week the Senate failed to pass the USA FREEDOM Act, with opposition on various sides of the aisle. Tim has a good analysis of this; the short version is some hope to pass new legislation preserving bulk collection while others feel the USA FREEDOM Act doesn't go far enough. What will happen this weekend remains unclear. USA FREEDOM has been endorsed by many, including the president. The bill enables the IC to do its job while protecting the letter and spirit of the Fourth Amendment, and I believe it is a good solution. It's worth examining the alternatives to see what is going on, and why the USA FREEDOM Act should be passed.

As Jodie and Ben have already described, the USA FREEDOM Act requires that any government collection of metadata be based on a narrowly focused "specific selection term." This precludes the broad collection that Section 215 had been alleged to permit before the Second Circuit ruling. By allowing call records to be obtained two "hops" from the initial data, the bill follows the standard for using the call metadata that has been in place since early 2014. The bill also provides an adversarial process in the Foreign Intelligence Surveillance Court (FISC): amici curiae to be appointed by the FISC. Finally, the bill requires some public exposure: the government must disclose the number of orders and estimates on the number of people targeted and affected by the orders. While significantly more detail is available on Title III wiretaps in the annual Wiretap Reports, it is not unreasonable that information on national-security surveillance should be more limited.

The objections to USA FREEDOM largely lie in whether or not the call metadata the government might seek will actually be obtainable when the government needs it. Under the bill, government access to call records is limited to data that telephone companies store — and by the length of time they happen to store it. Thus instead of USA FREEDOM, some in Congress would prefer a "data retention" bill requiring telephone companies to store call detail records for a period of two to five years. This would change the system from government retention of bulk communications metadata to company retention. That is not a requirement that the telephone companies want, and they will fight hard against such a proposal. So decisions about which approach to pursue all come down to "How necessary is the data?"

The importance of call data records depends on whom you ask. While the FBI values the data collection — have you ever met an investigator who didn't think more information was beneficial? — both the President's Review Group on Intelligence and Communications Technologies, chartered in the aftermath of the Snowden disclosures, and the Privacy and Civil Liberties Oversight Board (PCLOB) recommended the end of Section 215 collection. PCLOB looked carefully at how effective the metadata has been in identifying and preventing terrorist plots and concluded that the data "has not proven useful in identifying unknown terrorists or terrorist plots." This was because the program largely corroborates information already obtained elsewhere. The one case in which the metadata program did help identify a previously unknown terrorist suspect involved a contribution of less than ten thousand dollars to al Shabaab (a terrorist organization in Somalia).

In 2006 the European Union tried the data retention route, passing a Data Retention Directive that required all member states to pass a law mandating retention of call records for six to twenty-four months. But last year, ruling on the basis of lack of "proportionality," the EU Court of Justice declared the directive illegal. Nonetheless the UK, which had already passed a data retention law, continued to require data retention. More recently, the newly re-elected UK Prime Minister David Cameron has promised a data retention bill requiring communications providers to store call data records for several years. Meanwhile in the wake of the attack on Charlie Hebdo, in May the lower house of the French Parliament passed a surveillance law enabling government collection of communications metadata.

Rachel Brand, who serves on PCLOB, expressed concern over whether the USA FREEDOM Act would preserve the capabilities in Section 215. She asked whether private-sector companies storing the data could do so securely and whether the government could obtain the needed information in a timely fashion, especially as data may be spread across several companies. And a recent National Academies study on technical alternatives to bulk collection of signals intelligence concluded, "There is no software technique that will fully substitute for bulk collection where it is relied on to answer queries about the past after new targets become known." (Disclaimer: I served on the committee.) But the committee was responding to a technical question. It was not making a recommendation on a policy choice, which any decision on bulk signals intelligence collection ultimately is.

So what's going on? Despite arguments that the data is not effective, some policy makers keep pushing for retention. Let's examine the various issues in turn.

As the Academies report noted, communications metadata provides crucial information — information impossible to obtain in other ways — by providing the ability to go back in time. When you discover a new party of interest and you want to know with whom he had been consorting in the past — before you knew the party was of interest — bulk collection, whether by the government or the private sector, will give it to you; nothing else will. But that doesn't mean that the information will help. In the case of Charlie Hebdo, the attackers were brothers. All that the communications metadata would have revealed is that the two men were talking with each other, something that would not have raised red flags for investigators. As the New York Times reported, it is unlikely that the new French surveillance law would have helped in that situation.

Brand's concern about the insecurity of metadata if stored at the communications providers is valid. Back when AT&T was a monopoly provider, the Internet was something called the ARPANET and used only by scientists. In that era, communications metadata could be safely stored in filing cabinets in red brick buildings guarded by a single security guard sitting at the front desk. We're not in that world anymore. Instead we're in a world of networked electronic bits connected to the outside — and multiple communications providers who are tightly constrained on finances. Demanding data retention not only creates expenses, it also introduces new security risks. Yes, some companies will see business opportunity in the communications data, and for them, storing the data securely will be quite important (data is an asset) — and they are already doing so. For others, legal requirements on data retention will just introduce added costs and security risks. That's why providers have opposed data retention mandates.

There are two other pieces of context. The first is that telephony is only one form of big data that we litter as we go through our daily lives. It is increasingly difficult to live in modern society without leaving electronic traces of where you've been, with whom you've associated, and what you did. The second is that we need to focus on where the real risks in society are. ISIS and its possible threats to domestic tranquility grab headlines, but our serious national-security concerns include China's efforts in the South China Sea and expansion of naval forces, Russian efforts in Ukraine and threats in eastern Europe, Iran and North Korea's nuclear efforts. Bulk collection of domestic communications metadata is unlikely to provide major value to such investigations.

In theory, bulk collection sounds like a panacea. In practice, it has provided bits of data that are useful in filling out a picture but that have not been crucial. Bulk collection of communications metadata can help an intelligence agency map out who is important, where the real power lies, etc. But its use domestically for combating terrorism, the original argument, is far more limited. In the US, where the threats of domestic terrorism are quite different — and lower — than they are in Britain and France, the data on effectiveness does not support such collection and retention.

So what happens if the USA FREEDOM Act doesn't pass? The Section 215 authorization ends on Sunday night. There will be a press to pass a brief extension. Such an attempt already failed last weekend. Senator Feinstein will introduce her bill. This proposal broadens the definition of "specific selection term" to the point that it returns the metadata collection essentially back to the present bulk collection. This is not a solution.

The USA FREEDOM Act is a compromise approach that the intelligence community accepts and the president endorses. Using brinkmanship to press for greater government surveillance capabilities is not in the nation's national-security interest. Congress should pass the USA FREEDOM Act now.


Susan Landau is Professor of Cyber Security and Policy in Computer Science, Tufts University. Previously, as Bridge Professor of Cyber Security and Policy at The Fletcher School and School of Engineering, Department of Computer Science, Landau established an innovative MS degree in Cybersecurity and Public Policy joint between the schools. She has been a senior staff privacy analyst at Google, distinguished engineer at Sun Microsystems, and faculty at Worcester Polytechnic Institute, University of Massachusetts Amherst, and Wesleyan University. She has served on various boards at the National Academies of Science, Engineering and Medicine and for several government agencies. She is the author or co-author of four books and numerous research papers. She has received the USENIX Lifetime Achievement Award, shared with Steven Bellovin and Matt Blaze, and the American Mathematical Society's Bertrand Russell Prize.
