Intelligence Surveillance & Privacy

Julian Sanchez on the Issue Behind the Hospital Room Scene

Benjamin Wittes
Monday, July 22, 2013, 8:16 AM
Last week, I posted these thoughts on the remaining mystery surrounding what the 2004 dispute that led to the famous hospital room showdown. I offered a couple of theories, based on Snowen-disclosed documents, about the legal issue that precipitated the crisis.

Published by The Lawfare Institute
in Cooperation With
Brookings

Last week, I posted these thoughts on the remaining mystery surrounding what the 2004 dispute that led to the famous hospital room showdown. I offered a couple of theories, based on Snowen-disclosed documents, about the legal issue that precipitated the crisis. Specifically, I tried to think through why the Justice Department would have grown anxious about the bulk collection of internet metadata but not telephony metadata. Julian Sanchez of the Cato Institute has now offered his own set of thoughts on this subject. They are, broadly speaking, consistent with mine, though they differ in some respects too. He writes,
Obtaining the phone company’s own business records, the so-called Call Detail Records the carriers maintain anyway for business purposes, would not count as “electronic surveillance” as defined by FISA, and current (misguided) Supreme Court doctrine held that those types of records were not protected by the Fourth Amendment. There are other laws prohibiting the disclosure of those records to the government, but they can be obtained without judicial approval via a National Security Letter, and government lawyers may have concluded that, in any event, the relevant laws didn’t apply to the president’s inherent authority in the intelligence arena. The FISA statute, let’s recall, says that FISA and the Wiretap Act provide the “exclusive means” for governmental “electronic surveillance”—meaning, no presidential “inherent authority” loophole! But it doesn’t say that about things that don’t qualify as “electronic surveillance, even when FISA has procedures in place to cover those other types of data collection. Internet metadata, however, would have been trickier. To see why, it’s important to understand how the Internet works differently from the phone network. When the phone company connects a call on a traditional circuit-switched phone network, it naturally has to know which two numbers it is connecting, and for how long—which is pretty much the sum of the relevant “metadata.” But that’s not how a packet-switched network like the Internet works. Packets of Internet information actually have several layers of “metadata” at different “layers” of what techies call the OSI stack, and the many computers or programs involved in routing and processing that data may only need to “look” at one or two of those layers to do their job. Especially if it’s just routing traffic from one foreign computer to another—traffic that just happens to be passing through the United States because that’s the cheapest path—the company running an Internet backbone doesn’t need to “see” or make any record of, for example, who is supposed to receive a particular e-mail or what Web page a user is trying to browse. Oversimplifying slightly, the router only needs to know the Internet Protocol address of the computer that’s supposed to get a particular packet of data. If you send an e-mail tojsanchez@cato.org, the router doesn’t really need to know that’s what it’s passing along: It sees that the packet is addressed to a particular port at 72.32.118.3 (that’s Cato’s IP address) and just sends it along. Then it’s up to Cato’s servers to “look” deeper into the next layer of data and determine that, ah yes, it’s an e-mail message that should be delivered to the user named jsanchez. This is the so-called “end to end” architecture of the Internet: The “pipes” carrying data can be relatively dumb, just moving data to the right destination server, and letting the server take things from there. And that IP-level metadata wouldn’t even necessarily tell you whether the underlying communication was domestic or international. A packet of data traveling between Google’s servers and Yahoo!’s, for example, might actually be carrying a message from a Google user in Pakistan to a Yahoo! user in Yemen. What all of that means is that an Internet carrier like AT&T wouldn’t actually have any “business records” that contain the kind of metadata the NSA was interested in. That meant the NSA would have to analyze the entire traffic stream itself and pluck out the metadata (and content) to sift through. It did so, as we know thanks to an AT&T whistleblower, in a series of secret rooms containing powerful “semantic analyzers” that filtered all the traffic flowing through those fiber optic cables. That, however, would pretty clearly be “electronic surveillance” as defined by FISA, meaning it would require either a warrant or (if they just wanted the metadata) a pen register order from the secret FISA court.
It's a very interesting piece---well worth reading.

Benjamin Wittes is editor in chief of Lawfare and a Senior Fellow in Governance Studies at the Brookings Institution. He is the author of several books.

Subscribe to Lawfare