Bulk NSA Internet Program Shows the Complete Incoherence of Surveillance Law

Timothy Edgar
Friday, November 20, 2015, 9:45 AM

Published by The Lawfare Institute
in Cooperation With
Brookings

The NSA ended its program involving bulk collection of Internet metadata inside the United States in 2011. This Internet metadata program was the genesis of the legal theory that authorizes bulk collection under the Foreign Intelligence Surveillance Act. Its demise has always been a bit mysterious, and the government has only ever said that it determined the program was no longer sufficiently valuable to justify it.

As it turns out, the widely held theory that the NSA had figured out another way to obtain the data – with less oversight – is correct. According to a new document obtained under FOIA by New York Times reporter Charlie Savage:

The report explained that there were two other legal ways to get such data. One was the collection of bulk data that had been gathered in other countries, where the N.S.A.’s activities are largely not subject to regulation by the Foreign Intelligence Surveillance Act and oversight by the intelligence court. . . .

The N.S.A. had long barred analysts from using Americans’ data that had been swept up abroad, but in November 2010 it changed that rule, documents leaked by Edward J. Snowden have shown. The inspector general report cited that change to the N.S.A.’s internal procedures.

The other replacement source for the data was collection under the FISA Amendments Act of 2008, which permits warrantless surveillance on domestic soil that targets specific noncitizens abroad, including their new or stored emails to or from Americans.

The document – which verifies some of the outstanding reporting by Savage in his book "Power Wars" – confirms that foreign collection of metadata, along with metadata harvested from PRISM and other collection under FISA section 702, provides the NSA all the data it needs. I am quoted in Savage’s piece and note:

“The document makes it clear that N.S.A. is able to get all the Internet metadata it needs through foreign collection,” [Edgar] said. “The change it made to its procedures in 2010 allowed it to exploit metadata involving Americans. Once that change was made, it was no longer worth the effort to collect Internet metadata inside the United States, in part because doing so requires N.S.A. to deal with” restrictions by the intelligence court.

Bulk collection of Internet metadata raises serious privacy concerns, both because of the difficulty of defining content in the context of Internet communications and because of the particularly intrusive nature of tracking all of a person’s Internet communications.

Civil libertarians, like Christopher Soghoian, say bulk metadata collection is illegal. If only it were that simple! Bulk Internet metadata collection inside the US was approved by the Foreign Intelligence Surveillance Court. NSA programs that operate overseas are reviewed only by executive branch lawyers who – unsurprisingly – determine they are legal.

Under the law, metadata is not protected by the Fourth Amendment. See Smith v. Maryland. Even today, most of the debate focuses on telephone metadata, but the Internet is where the real action is and, in that context, we have virtually no useful guidance on the key questions. The government implausibly maintains that critical elements of its understanding of the Constitution – what categories of data it regards as metadata, and what categories are content – can and should be kept secret. It redacts key sections from documents it releases under FOIA, including this recent example.

One can see why the NSA would decide not to run the legal risks of collecting Internet metadata in bulk inside the United States, when it can collect metadata and content in bulk outside the United States – and do so without judicial oversight. Statutory protections under FISA do not apply to foreign collection that does not intentionally target an American, so the distinction between metadata and content is less relevant when data is collected overseas.

The lawfulness of bulk collection and applicable privacy rules should not depend on the technical details of the NSA’s collection – such as where the data is collected and exactly what fields are obtained – that have nothing to do with the privacy interests involved. But this is exactly how the law works today. Savage’s piece is a further reminder of just how incoherent our surveillance laws have become.


Timothy H. Edgar teaches cybersecurity and digital privacy at Brown University and Harvard Law School. He is the author of Beyond Snowden: Privacy, Mass Surveillance and the Struggle to Reform the NSA. He served as a privacy official in the National Security Staff and in the Office of the Director of National Intelligence, and was a legislative counsel for the American Civil Liberties Union.
