The November NSA Trove IV: The Internet Metadata Collection Story Develops

Judge Bates grants the application in part and denies in part, authorizing PR/TT collection but subjecting use of the information to strict privacy-protecting minimization procedures and prohibiting the government from accessing data previously accumulated through unauthorized electronic surveillance. The Proposed Collection Involves the Installation and Use of PR/TT Devices Because the government's application sought to "expand considerably the types of information authorized for acquisition," Judge Bates turns first to the authorizing statute to determine whether the data at issue is the type of data that Congress had envisioned for PR/TT collection. 18 U.S.C. §§ 3127(3)-(4)  defines the terms "pen register" and "trap and trace device" to include devices which record "dialing, routing, addressing, or signaling" (DRAS) information, but do not record the contents of a communication. This is a fraught distinction: Judge Bates explains that it is clear in person-to-person email communication that "contents" include the text of the message, attachments, and the subject line, but what constitutes "contents" is a much more complicated inquiry in the context of online interactions between a user and a provider of web services. The government had hoped to frame DRAS and "contents" as mutually exclusive categories of information; by forcing an either/or determination, the approved-for-surveillance DRAS category would presumably expand, and the prohibited-from-surveillance "contents" category would contract. But Judge Bates rejects that construction, and instead formulates a two-part test for PR/TT collection: "(1) is it DRAS information?; and (2) is it contents?" The application of the test to the categories of metadata sought for acquisition---a lengthy exercise in what Judge Bates describes as "difficult line-drawing"---is almost completely redacted. But two things are clear: first, that he approves "most, but not all of the proposed collection," and second, that Judge Bates interprets the PR/TT statute as follows:

PR/TT devices may not obtain any information concerning the substance, purport, or meaning of any communication, including those between account users and providers, and that communications actions that divulge any such information would be impermissible 'contents' for purposes of a PR/TT authorization. (emphasis in original)

The Application Satisfies the Applicable Statutory Requirements In its application, the government sought authority to acquire a greater volume of metadata while simultaneously "modifying---and in some ways relaxing---the rules governing the handling of metadata." NSA projected that the metadata collected during the period of the requested order "compared with the norm under prior orders . . . [would constitute] roughly an 11- to 24- fold increase in volume." A combination of factors gave Judge Bates serious pause: "The government's poor track record with bulk [pen register/trap and trace] acquisition . . . presents threshold concerns about whether implementation will conform with, or exceed, what the government represents and the Court may approve." Nevertheless, Judge Bates finds, "after reviewing the government's submission and engaging in thorough discussions with knowledgable representatives," that he now has a full and accurate description of bulk PR/TT acquisition. He thus approves the government's proposed modifications only insofar as they do not erode privacy protections for U.S. persons. It appears that the most controversial component of the government's application was whether wholly non-targeted bulk production of metadata could ever satisfy FISA's requirement that information collected be "relevant to ongoing investigations to protect against international terrorism." Judge Bates concludes that the relevancy requirement is satisfied because---and here Judge Bates quotes NSA Director Keith Alexander---it "will substantially increase NSA's ability to detect and identify the [terrorist-affiliated] Foreign Powers and those individuals affiliated with them." Because it is impossible to determine what information will be relevant in advance, and because internet information is ephemeral, the court concludes that bulk metadata acquisition---subject, of course, only to queries which meet the RAS requirement---is sufficiently relevant to terrorism-related investigations to satisfy the statute. The Court Approves, Subject to Modifications, Restrictions and Procedures Proposed by the Government Judge Bates notes that unlike other provisions of FISA, the pen register provisions do not contain required minimization procedures. But the government's application---as the government itself acknowledged---was so sweeping and non-targeted that some restrictions on retention, use, and dissemination of the information obtained through PR/TT were necessary to protect the privacy of U.S. persons. Searching for a statutory basis upon which to adjudicate the government's application, Judge Bates compares the government's proposed minimization procedures with requirements found in 50 U.S.C. §1801(h)---the procedures meant to protect the privacy interests of U.S. persons with regard to the contents of communications. Note that Judge Bates is holding the government to a very high standard here; in the absence of statutory mandate for any minimization procedures at all, he imposes the minimization procedures Congress found to be sufficient to protect U.S. persons' privacy with regard to content. By and large, Judge Bates finds that the procedures proposed by the government met these stringent requirements. The court allows some expansions of the authority that Judge Bates sees as essentially "not material," including adding two high-ranking NSA officials to the list of individuals suited to identify whether queries have a "counterterrorism purpose," as well as expanding the metadata retention period from four-and-one-half years to five-years. But the court denies others; specifically, it declines to accept the government's invitation to "review and pre-approve individual disseminations of information based upon the Court's own assessments of foreign intelligence value." As for oversight and reporting, the court includes two orders: (1) NSA's Office of the General Counsel and Office of the Director of Compliance must ensure that all NSA personnel who receive PR/TT query results receive appropriate training for the handling and dissemination of such information, and (2) NSA must submit a report every 30 days describing instances in which "NSA has shared, in any form, information obtained from the PR/TT metadata with anyone outside the NSA" and must certify that such disseminations were related to a counterterrorism mission. The Government May Access and Use Data from Previous Authorized Collections, but May Not Access Data from Unauthorized Collections Judge Bates concludes that the FISC "possesses authority to permit the government to query data collected within the scope of the Court's prior orders," but that it lacks authority to approve querying data that was collected in an unauthorized manner. The court reasons that that data collection constituted unauthorized electronic surveillance, and that the government officials responsible for making disclosures mostly knew that it was unauthorized. So the FISA itself prohibits---and indeed criminalizes in 50 U.S.C. § 1809(a)(2)---the use of erroneously accumulated surveillance. There is one category of unauthorized electronic surveillance not subject to the criminal prohibition: if the relevant government officials did not know, and had no reason to know, that the information was collected in contravention of law, then no provision of law precludes the court from authorizing the government to access and use such information. "The bigger question here," Judge Bates wrote, "is whether the Court should grant such authority." The court cautions that "[g]iven NSA's longstanding and pervasive violations of the prior orders in this matter, the Court would be acting well within its discretion in precluding the government from accessing such information." But given that government officials at the DOJ and NSA have asserted a "strong national security interest" in accessing the information---and that the court has no basis for questioning that interest---Judge Bates concludes that the "Court is prepared---albeit reluctantly---to grant the government's request with respect to information that is not subject to Section 1809(a)(2)'s prohibition."