It's Never Too Late to Think about NSA's CDR Collection Program

I'm pleased to announce the publication of Examining the Anomalies, Explaining the Value: Should the USA FREEDOM Act's Metadata Program be Extended? in the Harvard National Security Journal. The USA FREEDOM Act (UFA) was passed two years after Edward Snowden's disclosure of the NSA's bulk collection of domestic Call Detail Records (CDRs). Much controversy ensued. UFA's passage was intended to improve Americans' privacy by having CDRs remain at the telephone service providers unless the government had an order approved by the Foreign Intelligence Surveillance Court for collection. In that case, the government would be able to receive CDRs within "two hops" of the original request. But the law did not work out as well as was hoped. Collection was high: 151 and 534 million CDRs in 2016 and 2017 respectively. Then in 2018 the NSA abruptly announced that it was purging several years of records due to technical irregularities. The agency indicated it was not interested in continuing the CDR program.

My paper, co-authored with Asaf Lubin, examines three critical issues in the NSA's collection of CDRs:

1. We show how 40 court orders resulted in the collection of 151 and 534 million CDRs in 2016 and 2017 respectively.
2. We show what "technical irregularities" might have caused the problem, providing the only public explanation that fits the known facts.
3. We examine the changes between the type of foreign terrorist threat the US faced in 2001, when the UFA's predecessor program was created, and the current foreign-inspired terrorist threat. We show that collection under section 215 authorities no longer fits the US national-security needs—and that it failed to do so even in 2015.

The last issue—the 2015 passage of a law authorizing NSA to gain access to CDRs within "two hops" of a suspected terrorist number—is one that bears serious examination. How was it that Congress passed controversial surveillance legislation at a time when the authorities were no longer necessary? In our paper we examine what went wrong, and how to get it right in future.

So far UFA's authorities are in a state of limbo. The law was up for renewal in December 2019; the law was instead extended until March 15, 2020 under a continuing appropriations act. The law then lapsed. Last month a bipartisan effort revamping UFA's surveillance authorities was well underway, when efforts rather abruptly collapsed after opposition from President Trump ended Republican support for a revised law.

It is likely that some effort at reform will be again attempted in the not-too-distant future. Read our paper to learn why the CDR collection was so high (there was no overcollection by NSA), how Congress, in passing UFA, got the terrorist threat wrong and what Congress can do to improve its oversight of national-security surveillance, including communications collection involving modern technologies.