The Internet Metadata Memo: A Summary
There is much to pore over in last week’s release by the Director National Intelligence. Responding to FOIA litigation, the DNI’s office posted more than thirty legal filings and related documents bearing on NSA’s historical, bulk collection of certain internet metadata---the addressing, routing, and header information in e-mails.
Published by The Lawfare Institute
in Cooperation With
There is much to pore over in last week’s release by the Director National Intelligence. Responding to FOIA litigation, the DNI’s office posted more than thirty legal filings and related documents bearing on NSA’s historical, bulk collection of certain internet metadata---the addressing, routing, and header information in e-mails. Some of this stuff is old, including the well-known fact of the program’s cessation some time back; some of it new.
In the latter category, and likely of interest to anyone seeking to know more about the larger bulk collection story, is this 2004 submission to the Foreign Intelligence Surveillance Court (“FISC”). The brief sought---and evidently, for a time, won---FISC sign-off for the NSA to collect internet metadata in bulk, pursuant to the Foreign Intelligence Surveillance Act’s ("FISA") pen register and trap and trace rules. That’s consequential, considering what had happened earlier. As is well known, that year Department of Justice officials, including then-Deputy Attorney General James Comey and then-Assistant Attorney General Jack Goldsmith (who had no role in editing this post) had protested the legality of highly secret surveillance program that President George W. Bush had authorized pursuant to his independent constitutional powers. The White House relented and agreed to changes---one being, apparently, a bid to bring the surveillance within the FISA framework.
Unsurprisingly, there’s a lot of detail missing here: about sixteen of the filing’s sixty-two pages are mostly or completely blacked out by redactions. Still, there’s more than enough to piece together some of the main arguments set forward in the brief. It bears signatures of then-Attorney General John Ashcroft, Comey, Goldsmith, and Justice Department Attorney James Baker, and consists of two essential parts: an introduction, and a legal analysis. This post broadly overviews both below.
Introduction
The introduction, naturally enough, previews contentions set out in greater detail later in the written submission. It begins with an explanation as to why the executive branch so badly needs to collect internet metadata in bulk, under the auspices of FISA's pen register and trap and trace (PR/TT) provisions, 50 U.S.C. §§ 1841-46. Broadly, the government highlights the practical difficulties associated with combating a non-state actor in the twenty-first century. One obviously is terrorist exploitation of electronic mail, something which makes identifying enemy operatives more complex. To solve the problem, the United States needs a way to identify unknown terrorists, who might be communicating and conspiring with the known ones. One effective option, the government argues, would be to sort through known terrorist communications and identify suspicious contacts in the individual’s broader network.
Having that in mind, the memorandum advances its essential claim: collecting a large pool of internet metadata---defined here as essentially the header, router, and addressing information associated with e-mail messages---is necessary to effectively uncover the sorts of connections the government needs to uncover; individually targeted collection, on the other hand, is “inadequate for tracking the communications of terrorists.” Similarly---and it’s hard to know exactly what’s going on, owing to redactions---the government says it will need a large collection of past communications to analyze in the future, including metadata on persons unconnected to terrorism. Without this cache of archived data, the memorandum claims, valuable information might prove unavailable, come time---and the government won’t be able to uncover critical connections among terrorist when it most badly needs to.
The memorandum broadly claims that at least two “invaluable capabilities” emerge from metadata collection. The first is a retrospective ability to engage in “contact chaining”---as readers well know, the linking of this person to another person, to still other persons, through analysis of metadata. We don’t learn about capability two, again because of redactions. But on the first point, the government makes clear that NSA analysts would be able to find possible contacts based on a “seed” e-mail address. With contact chaining, the government might be able to discern patterns and connections in terrorist communications that it might not otherwise, making the odds of thwarting an attack higher.
The government admits that because of large volumes of traffic, the “vast majority” of collected communications would not be terrorist-related, but nevertheless maintains that this is not an impediment to an application under the FISA. As an initial matter, once the U.S. Government certifies that the “information likely to be obtained” is relevant to an investigation, the Court’s role ends immediately. Thus, in the Justice Department's view, whether to label the data relevant to an investigation seems to be an executive prerogative only. Second, all bulk-collected metadata can be deemed relevant, in that it is necessary to collect data in bulk in order to analyze them. Third, the government asserts that nothing in Title IV of the FISA prohibits the collection of such information. Even if the FISC wanted to scrutinize the government’s relevance determination, and require some level of tailoring in order to reduce the volume of information collected, such tailoring would have to be justified using a balancing test—one pitting privacy interests against the government’s interests in ensuring national security. And here, the government claims that the state’s interest in preventing attacks during wartime outweighs any minimal intrusions into privacy. And, argues the memorandum, there “certainly [is] no constitutionally protected interest in the meta data from e-mails.” The government also points out a subtle limit. Despite the facially broad scope, the collection proposed is not necessarily “indiscriminate, random” data collection.
The government moves from initial collection to procedural safeguards for the collected material. Significant protections will be applied to data searches. For one, says the memorandum, the archived data would only be queried pursuant to a “reasonable, articulable” suspicions standard. Second, a query could only be approved by one of seven individuals. Furthermore, the government predicts that, on average, there will be less than one query per day. The government says several other oversight tools would be in effect too—minimization procedures consistent with USSID 18; admission of US person information only when the Chief of Customer Response determines that such information relates to counterterrorism; electronic records of analyst queries; and periodic review by the General Counsel, Inspector General and SIGINT Directorate Oversight Compliance Office.
The introductory part concludes by highlighting that the data would be accessible electronically only for 18 months, and then transitioned to a “tape system” where it would be inaccessible via software tools and electronic queries. In seeking reauthorization of surveillance under the PR/TT provision, the government would have to provide a report on the number of queries that have been made during the previously authorized cycle.
Legal Analysis
The memorandum now lays out in full the legal theory it overviewed earlier, beginning with the role of the FISC under the circumstances. The “FISA directs that the Court ‘shall’ authorize” a PR/TT device, in the government’s view, if an application meets four statutory requirements. First, the device must qualify as a “pen register” and/or “trap and trace device” within the meaning of FISA. Second, either the Attorney General or a designated government attorney must have approved the application. Third, the application must identify the U.S. government official seeking to use the device. Finally, the “applicant must certify that the information ‘likely to be obtained’ is ‘relevant to an ongoing investigation to protect against international terrorism.’” The remainder of the memo sets forth how the application in question satisfies the statutory requirements.
The government dispenses with the easy questions first, noting that the application clearly meets the second and third requirements. The Attorney General approved the application, and the application identifies the Director of the NSA as the official seeking to use the applied-for device.
But the first and last requirements warrant more careful explication. As to the first requirement, the issue comes down to whether a device that collects Internet meta data can qualify as a “pen register” or “trap and trace device.” Under FISA, a “pen register” is a “device” that “records or decodes dialing, routing, addressing, or signaling information transmitted by an instrument or facility from which a wire or electronic communication is transmitted,” while a “trap and trace device” is one that “captures the incoming electronic or other impulses with identify the originating number or other dialing, routing, addressing, and signaling information reasonably likely to identify the source of a wire or electronic communication.”
Notwithstanding that PR/TT devices commonly collect information from a single source, the government concludes that devices collecting Internet metadata surely fall within the scope of the statutory definitions. For one thing, “nothing in the statutory definition” of either term “requires . . . a narrow focus” on “information associated with a particular telephone number or e-mail account” (emphasis added). What’s more, courts have long eschewed “overly technical readings” of PR/TT provisions. Before the PATRIOT Act amended the definitions of PR/TT devices, FISA expressly required that PR/TT devices be associated with a “telephone line” or an “originating number”---and yet courts routinely approved orders authorizing the collection of information from Internet communications.
With respect to the last requirement, the question boils down to whether the court may evaluate the Attorney General’s certification that the information “likely to be obtained” pursuant to the application is “relevant to an ongoing investigation to protect against international terrorism.” The government concludes the court lacks any such authority. Chief among them is that Congress expressly allowed for judicial review elsewhere in FISA, yet provided no textual basis for such review when it came to government certification of PR/TT applications---and for a good reason, the government notes. Because the Attorney General’s certification has to do with whether the information sought is “relevant to an ongoing investigation to protect against international terrorism or clandestine intelligence activities,” the certification subject matter is tantamount to “foreign intelligence information” and thus “uniquely within the competence of the Executive.” The government also notes that the type of information sought---”dialing, routing, addressing, or signaling”---does not implicate any constitutionally protected interest.
Legislative history also indicates congressional intent to leave out judicial review. Rather, Congress conceived the court’s only role with respect to certification to be “determin[ing] . . . that the certification is complete.” To drive the point home, the government highlights Sen. Patrick Leahy’s (D–VT) concerns, expressed during the debate over the PATRIOT Act’s amendments to FISA, that the statutes would continue to “‘bar[] the exercise of judicial discretion in reviewing the justification for the order’” to collect using a PR/TT device. The federal courts of appeals’ understandings of PR/TT certification bolster this view. The only circuits to have considered the issue---the Second, District of Columbia, Fourth, and Tenth Circuits---have “concluded that . . . the role of the reviewing court is to examine the completeness of the application and not to engage in an independent inquiry into the basis for the certification.”
The memorandum proceeds to argue in the alternative. Even if the court has discretion to review the Attorney General’s certification and assess whether the information sought is truly relevant to an ongoing international terrorism investigation, the government urges that the sought material satisfies the relevance standard. Here, e-mail meta data is relevant, according to the government, because it “provide[s] vital assistance to investigators in tracking down” suspected terrorists. Even though “a substantial portion of the e-mail metadata that is collected would not relate” to an investigation, collecting all of the meta data is “necessary for the success” of meta data analysis.
To the extent that the Court determines “relevance” requires some measure of tailoring to limit overbreadth, the government argues that the collection here is appropriately tailored already. The written filing advances three reasons. First, all the metadata collected is relevant to the FBI’s investigation, within that term's statutory meaning. Second, Title IV of FISA does not impose any requirement to tailor collection so that only strictly relevant communications are collected. And third, even assuming a tailoring requirement, the court must balance the national security interest against the nature of the privacy intrusion. Using the Fourth Amendment reasonableness balancing framework, the government seeks to show the overwhelming national security interest and the relatively minimal intrusion into an individual’s privacy interest.
There is no more compelling an interest than the security of the nation; and here, the government argues that the metadata collection can help locate terrorists and connect disparate dots. In contrast, the government characterizes metadata collection as causing only a slight intrusion into privacy interests. Relying heavily on Smith v. Maryland, the government insists that the privacy interests in email and other electronic metadata are no more protected than the dialed telephone numbers at issue in Smith---which received no protection under the Fourth Amendment in that case. The balancing test thus tips the government’s way: any privacy intrusion occasioned by bulk collection cannot compare to the national security interests which such collection advances.
The government then proceeds to alleviate the court’s potential fears that the government might peer extensively or freely into the collected material. To the contrary, data use will be strictly circumscribed. As a threshold matter, data can only be queried after the government has identified a particular email address that is associated with terrorists, based upon a “reasonable articulable suspicion” standard akin to that described in the Supreme Court’s famed Terry case. Second, and with respect to US person information, the government says analysts will follow minimization procedures approved by the Attorney General. Third, the government pledges to provide to the court reports regarding the searches conducted, when and if the executive branch elects to seek re-authorization of bulk internet metadata collection.
Constitutional avoidance fills the memorandum’s final pages. The government recites the familiar canon: if an otherwise permissible interpretation of a statute would raise significant constitutional concerns, then courts should interpret that statute differently, unless to do so plainly would contravene the intent of Congress. This doctrine is particularly weighty here, too, in the realm of national security---and accordingly, the government urges the FISC not to construe the statute so as to preclude the vital collection activities the Justice Department has proposed. A contrary approach would raise a grave question as to whether FISA impinges upon the President’s Commander-in-Chief power---which in any case has been interpreted to include some authority to conduct foreign intelligence surveillance, without a warrant.
The brief then closes, first with word about the stakes: this is, it says, no “run-of-the-mill” intelligence surveillance request, but instead a plea to conduct vital wartime surveillance needed to protect the country. It also matters that a ruling blocking the surveillance will hamstring the executive branch---which naturally cannot go to Congress to seek a legislative remedy without also compromising the secrecy of the program described in the application.
Wells C. Bennett was Managing Editor of Lawfare and a Fellow in National Security Law at the Brookings Institution. Before coming to Brookings, he was an Associate at Arnold & Porter LLP.
Jodie C. Liu formerly researched national security issues at the Brookings Institution as a Ford Foundation Law School Fellow and has worked at the Open Society Foundations in Budapest, Hungary. She graduated magna cum laude from Harvard Law School in 2015 and summa cum laude from Columbia College in 2012, with honors in economics.
R. Taj Moore is a graduate of Harvard Law School, where he served as an editor of the Harvard Civil Rights-Civil Liberties Law Review and Harvard National Security Journal. He was co-director of the National Security Research Committee at the law school. He has previously interned at the Department of Defense. Before law school, he worked as a Scoville Fellow at the Stimson Center. He graduated from Brown University in 2011 with an A.B. in Political Science.