The November NSA Trove II: Judge Kollar-Kotelly's Opinion on Internet Metadata
The NSA had come knocking. It sought judicial permission to obtain, by means of pen registers and trap and trace devices, vast swaths of internet metadata within the United States. That request’s staggering scope wasn’t at all lost on the Foreign Intelligence Surveillance Court (“FISC”) judge who, in 2004, heard the application and eventually granted it.
This much is clear from the introductory pages of the judge’s ruling---the first and arguably most significant of the November NSA Trove.
Published by The Lawfare Institute
in Cooperation With
The NSA had come knocking. It sought judicial permission to obtain, by means of pen registers and trap and trace devices, vast swaths of internet metadata within the United States. That request’s staggering scope wasn’t at all lost on the Foreign Intelligence Surveillance Court (“FISC”) judge who, in 2004, heard the application and eventually granted it.
This much is clear from the introductory pages of the judge’s ruling---the first and arguably most significant of the November NSA Trove. “This application,” writes Judge Colleen Kollar-Kotelly in an 87-page, redact-o-rific opinion and order, “seeks authority for a much broader type of collection than other pen register/trap and trace applications and therefore presents issues of first impression.”
Given that, the FISC’s then-presiding judge proceeds to explain the reasoning underlying her “findings” that (among other things) bulk internet metadata collection can proceed through the installation and use of pen register and trap and trace device surveillance, pursuant to 50 U.SC. §§ 1841-146 of the Foreign Intelligence Surveillance Act (“FISA”); and that such collection satisfies the First and Fourth Amendments. Necessity seems to matter here: the opinion notes the judge’s reliance, in reaching her decision, on the government’s representations about certain “current and near-term” threats, and about the “expected analytical value” of metadata that will be collected.
With that introduction out of the way, the Kollar-Kotelly opinion proceeds in four essential steps.
***
First is the court’s conclusion that the “proposed collection”---sweeping in email and related internet metadata, on a mass scale---counts as a “form of pen register and trap and trace surveillance” under the relevant provisions of FISA. Application of these key terms, in Judge Kollar-Kotelly’s view, boils down to two related questions. First, “[d]oes the information to be obtained constitute ‘dialing, routing, addressing, or signaling information’ that does not include the ‘contents’ of any communication?” Second, [d]oes the means by which such information would be obtained come within the definition of ‘pen register’ or ‘trap and trace device?’” The answer to question one is yes, according to the opinion, though it is tough to know precisely why that’s the answer---there’s a good bit of material blacked out here. We can see, however, language making clear that email addressing information---which would certainly be collected---does not amount to “content.” Kollar Kotelly likewise affirmatively answers the second question, regarding the proposed use of “pen register” and “trap and trace device[s].” Again, redactions frustrate clarity, but we can discern that the NSA aimed to collect different categories of metadata information---and, further, that the court finds that each category satisfies the statutory definitions. Notably, she surmises that all the collection proposed by the government could be accomplished by means of a pen register, Judge Kollar-Kotelly finds further that such collection could also be accomplished, at least in part, by means of a “trap and trace device,” as defined by statute. (Such a device, notes the court, “captures incoming electronic impulses which identify the originating number or other [non-content]” information.) Thus far, the court’s analysis has hewed closely to the plain meaning of statutory terms. Still, the opinion nevertheless finds that “any ambiguity on this point should be resolved in favor of including this proposed collection within [the statutory] definitions, since such an interpretation would promote the purpose of Congress in enacting and amending FISA regarding the acquisition of non-content addressing information.” Non-content metadata lacks Fourth Amendment protection; moreover, reasons Judge Kollar-Kotelly, a narrower reading of “pen register” and “trap and trace device”---that is, one excluding, internet metadata---“would remove this particular type of non-content addressing information from the statutory framework that Congress specifically created for it.” So the law isn’t ambiguous, in the court’s view. But even if it were, then Judge Kollar-Kotelly would read it so as to bring bulk metadata collection within the purview of FISA’s “pen register” and “trap and trace” provisions. A final point here: the proposed collection, according to Judge Kollar-Kotelly, is “consistent with other provisions of FISA.” She has in mind 50 U.S.C. 1842(d)(2)(A)(iii), which says, among other things, that any order authorizing a pen register or trap and trace device must set forth “the identity, if known, of the person to whom is leased or in whose name is listed the telephone line or other facility to which [device is to be attached].” No problem there, argues Kollar-Kotelly, despite the bulk nature of the surveillance at issue: “there is no requirement to state the identity of such a person if it is not known,” as it presumably isn’t, when the idea is to collect internet metadata a mass scale. And even if Congress generally expected that lines or facilities would be listed for or leased to a particular individual, “the language of the statute does not require that there be such a person for every facility to which a pen register or trap and trace device is to be attached or applied.” To conclude otherwise “would make the applicability of the statute depend on the commercial or administrative practices of particular communications service providers---a result that here would serve no apparent purpose of Congress.” The court suggests that her interpretation might have been different under prior versions of FISA, but says that the current version supports the reading adopted in the opinion. Next up is Judge Kollar-Kotelly’s explanation of why the statutory requirements for issuing an order authorizing pen register and trap and trace surveillance have been met. Naturally, the text is front and center in this portion of the ruling. The court ticks off the relevant statutory language: 50 U.S.C. § 1842(a)(1) authorizes the Attorney General to apply for the use of pen register and trap and trace devices, to obtain foreign intelligence information not concerning a United States person or to protect against international terrorism; § 1842(c)(2) in turn requires such applications to contain “a certification … that the information likely to be obtained is foreign intelligence information not concerning a United States person or is relevant to an ongoing investigation to protect against international terrorism”---though investigation of a United States person cannot be conducted solely on the basis of First Amendment-protected activity. So has the government checked all of these boxes, to the judge’s satisfaction? As Judge Kollar-Kotelly notes, the government in fact has made the required application, which in turn contains the required “certification.” FISA, moreover, says that upon an application made pursuant to this particular provision, the judge shall enter an order as requested or as modified. This raises the question: having confirmed that the formalities have been observed, does the FISC’s review simply stop? No. Judge Kollar-Kotelly says she does not find “persuasive” the government’s claim that, under FISA, she is barred from any substantive review of the grounds underlying the certification put before the court. But she does not conclude that FISA requires a searching inquiry, either. Instead, she finds that the government has set forth, in some detail, the threat posed by the person or group at issue; how the sought information will contribute to FBI counterterrorism investigations; and the safeguards that will be observed so as to ensure proper access to and use of collected material. Having all this in hand, the FISC opts to “assume for purposes of this case that it may and should consider the basis of the certification under § 1842(c)(2). “ (An aside: the court makes clear that the assumed-but-not-mandated analysis is unrigorous at best. The pen register provision was designed so as not to impose significant burdens on the government, according to Judge Kollar-Kotelly; the USA PATRIOT ACT had lowered the pen register provision’s legal standard from “reasonable suspicion” to “relevance.” At the same time, the judge recognizes the need to defer to the executive branch’s judgment about how best to counter threats to the national security. The inquiry, such as it is, sure doesn’t seem tough.) So what to make of the grounds for the government’s request? It is true that the latter has provided “information in support of the certification of relevance,” writes the FISC. Unfortunately, owing once more to extensive redactions, it is awfully hard to tell what that information is. It is possible to get some sense, nevertheless. Reading the half-sentences along with unredacted stuff, it is obvious that the government had described the relevant national security threat, and how FBI uses collected information to track bad guys, to the judge. We also learn from the opinion that “the raw volume of the proposed collection is enormous;” that once populated, the metadata archive will furnish “a relatively rich environment for finding [REDACTED] communications through later analysis;” and that, if armed with a metadata trove, the NSA would enhance its ability to detect and identify terrorist threats. Next comes a discussion of what a certification of “relevance” really requires where---as here—a truckload of concededly irrelevant metadata will be swept up by the NSA. On that score, the court opens by accepting the utility, and even necessity, of bulk internet metadata collection, so far as concerns the agency’s analytic capabilities. (The more data it has, the more the NSA can figure out.) Still, the “question remains whether these circumstances adequately support” the government’s claim of relevance. Judge Kollar-Kotelly concludes that they do, chiefly because therelevance standard does not require a statistical ‘tight fit’ between the volume of proposed collection and the much smaller proportion of information that will be directly relevant to [REDACTED] FBI investigations. In reaching this conclusion, the Court finds instructive Supreme Court precedents on when a search that is not predicated on individualized suspicion may nonetheless be reasonable under the Fourth Amendment.A footnote attributes this somewhat eccentric move---linking the meaning of relevance, a statutory term, to the Supreme Court’s decisions on the reasonableness of certain searches and seizures---to arguments advanced by the United States in its briefing. At any rate, the FISC now marches through a particular line of Fourth Amendment authority, in which the Supreme Court has endorsed warrantless searches and seizures, conducted in the absence of individualized suspicion and in service of so-called “special governmental needs.” Such situations, writes Judge Kollar-Kotelly, call for balancing of public and private interests. And here, the public interest (national security, and the prevention of a then-predicted terrorist attack) is weighty, while the private interest (shielding of electronic metadata foisted upon third parties) isn’t really. Consequently, in the judge’s view, bulk collection by means of pen register or trap and trace devices can be legitimately analogized to other kinds of intrusive, large-scale, suspicionless but concededly lawful searches---drug testing high school students, breathalyzing drivers at highway checkpoints, and so forth. The FISC adds that, in the “special governmental needs” analysis, the government does not have to opt for the least intrusive means, only for reasonable ones; it also matters to her that senior government personnel “have articulated why they believe that bulk collection and archiving of meta data are necessary[.]” It is thus, in the FISC’s opinion, a reasonable approach the government has proposed. And that says it all, given Judge Kollar Kotelly’s equation of Fourth Amendment reasonableness with relevance under FISA’s pen register and trap and trace rules. She accordingly finds, for whatever it is worth, that “the certification of relevance is consistent with the fact that only a small proportion of the huge volume of information collected will be directly relevant to the FBI’s [REDACTED] investigations.” Additionally, the court then finds, over the course of three pages, that any FBI investigations of “U.S. Persons,” are not conducted solely on the basis of First Amendment-protected activities---as they must not be, under FISA. The government made a certification to that effect, though the document’s filing is not the end of the matter for Kollar-Kotelly. Obviously this is not the usual case, in which “the FBI conducts pen register and trap and trace surveillance of a particular communications facility (e.g. a phone number or e-mail address) because it carries communications of a person who is the subject of an investigation.” To the contrary, the initial collection “is not directed at facilities used by particular individuals of investigative interest, but meta data concerning the communications of such individuals’ [REDACTED].” Judge Kollar-Kotelly addresses the program’s breadth by tacking on further, First Amendment-protective restrictions to the program’s “querying” (that is, post-collection) stage. Which is to say: She orders NSA analysts not to query an identifier thought to be associated with a U.S. person, solely because that person has engaged in protected activities---like espousing jihadist rhetoric short of incitement, or posting on jihadist websites. The opinion then turns to its third part, in which Judge Kollar-Kotelly concludes that the “proposed collection and handling of meta data does not violate the First or Fourth Amendments.” That much was not required, evidently, by FISA’s rules for pen registers and trap and trace devices. And yet, the judge writes, “because this case presents a novel use of statutory authorities” regarding such things, some further explanation is in order. So far as concerns the Fourth Amendment, the court reiterates that the Amendment “does not apply to the proposed collection of meta data.” This is so chiefly because there is no reasonable expectation of privacy in metadata, under the Supreme Court’s ruling in Smith v. Maryland and longstanding third-party doctrines. And though bulk collection poses special circumstances, these “do not alter [the court’s] conclusion that no Fourth Amendment search or seizure is involved.” The (wildly broad) scope of collection, for one, doesn’t matter; what does matter is a reasonable expectation of privacy---which individuals simply do not have vis a vis internet metadata. Moreover, the investigative activity in question---querying of a metadata trove---raises no threat of any downstream Fourth Amendment violation. That leaves the First Amendment. The FISC had asked the government to brief the First Amendment implications, if any, rising from bulk collection; the United States responded by denying or minimizing the “First Amendment implications of surveillance that only acquires non-content addressing information.” The case law, writes Kollar-Kotelly, supports the government’s view, at least in the context of a criminal investigation conducted in good faith. At the same time, the government’s proposed controls for accessing, using and retaining the metadata will help to guard against any possible abridgments of First Amendment freedoms. In a fourth and final section, the opinion orders NSA to “comply with the proposed restrictions and procedures, as modified by the court.” “The proposed collection involves an extraordinarily broad implementation of a type of surveillance,” according to the FISC. Thus, Judge Kollar-Kotelly, in her opinion’s concluding portion, orders the NSA to abide by a battery of restrictions and controls on collected internet metadata: minimization, separation of collected stuff from other data, limitation of access to ten NSA administrators, querying through contact chaining analysis only, after a finding of “reasonable articulable suspicion” and with approval of select NSA officials, and so on. These protocols are described in detail, in an order which accompanies the opinion and grants the government’s application.
Wells C. Bennett was Managing Editor of Lawfare and a Fellow in National Security Law at the Brookings Institution. Before coming to Brookings, he was an Associate at Arnold & Porter LLP.