Telephony Metadata: Is the Contact-Chaining Program Unsalvageable?
An apparent disclosure from a congressional staffer on the Lawfare Podcast has generated considerable buzz regarding the fate of a part of the Foreign Intelligence Surveillance Act (FISA) that currently
Published by The Lawfare Institute
in Cooperation With
An apparent disclosure from a congressional staffer on the Lawfare Podcast has generated considerable buzz regarding the fate of a part of the Foreign Intelligence Surveillance Act (FISA) that currently is scheduled to sunset at the end of this year. Here’s an explainer, as well as a reminder (well, a warning really) that there is much more at stake here than the National Security Agency’s bedeviled telephony metadata contact-chaining program.
First, the historical context.
Nothing revealed by Edward Snowden sparked more controversy than the NSA’s bulk collection of telephone call records.
That program was designed to create a comprehensive historical archive of who had been calling whom, allowing a retrospective inquiry into a terrorism suspect’s contacts (and their contacts, and so on) when the government later came into possession of a phone number associated with a person it believed to be involved in international terrorism. That program had proceeded for years based on voluntary cooperation from companies, and then later gained approval from the Foreign Intelligence Surveillance Court (FISC) thanks to a creative interpretation of 50 U.S.C. §1861—a statute known variously as “Section 215,” the “business records” provision, “FISA BR” or even the “libraries provision” (a rather misleadingly selective moniker but a rhetorically effective one all the same).
Section 1861 was created in 1998 as something of a foreign intelligence analogue to grand jury subpoenas, in that its purpose was to empower the government to compel production of records held by third parties “for an investigation to gather foreign intelligence information or an investigation concerning international terrorism.” But the process was not just for any third parties. The statute was quite narrow at first, in two respects. First, the records had to pertain directly to the agent of a foreign power as defined in FISA, as opposed to spouses, friends or others whose records might well be relevant too. Second, the only types of businesses subject to the authority were telecom companies, public accommodation companies such as hotels and motels, storage facilities, and vehicle-rental companies (all reflecting recent experience with 1990s terrorism-related investigations in the U.S., where each of those scenarios had loomed large at least once).
The USA Patriot Act changed both these constraints in late 2001. Section 215 of that statute removed the restriction that limited this authority to just those certain types of companies, and it also allowed the authority to be used where the materials were sought for an investigation even if the materials did not belong to or pertain to the particular target (and thus the provision might be used to gather records about an associate of the target).
In 2006, Congress tweaked Section 215 further, clarifying that it required that the government’s application to the FISC specify “reasonable grounds to believe” that the records sought “are relevant to an authorized” foreign intelligence, international terrorism or counterintelligence investigation. Soon, the FISC had interpreted the word “relevant” to encompass the government’s comprehensive-archive theory. (That view says that all phone records may be understood as “relevant” in that having a comprehensive database is the key to useful contact-chaining, and we cannot know until later which numbers that contact-chaining might retroactively reveal to be relevant in a more literal sense).
When Snowden’s leaks began, the revelation of this, the Section 215 program, proved particularly surprising and—to the minds of a great many—quite upsetting. Debate followed over whether to end it outright, keep it going or perhaps find a middle ground. Ultimately, Congress and the Obama administration agreed on something that seemed designed to be that middle-ground approach. The 2015 USA Freedom Act is a complicated statute, but for our purposes the important points are these: On one hand, Section 215 (as well as other provisions, including the FISA Pen Register/Trap-and-Trace authority and the FBI’s National Security Letter authorities) was modified to preclude interpretations of “relevance” that would permit bulk collection. On the other hand, telecom companies were obliged to maintain a certain amount of call records within each of their own networks and to cooperate in conducting contact-chaining themselves upon order from the FISC. The FISC, for its part, would grant such an order if and when it found the government had reasonable and articulable suspicion demonstrating that a specific target was involved in international terrorism and that that specific person was linked to a particular selector (a unique phone number). In short, the government would have to get the FISC’s sign-off on its targeting, and then would depend on a series of telecom companies to replicate the contact-chaining inquiry seriatim, with the NSA left to consolidate and analyze the collective fruits from those company efforts. There is much, much more to the USA Freedom Act than that, but that’s the basic idea of the metadata contact-chaining program.
From the outset, the USA Freedom Act arrangement has been criticized from multiple directions, and with a sunset scheduled for December, it has been clear all along that there might be a battle over renewal this year. That prospect grew even more likely in June 2018, when the NSA and the Office of the Director of National Intelligence (ODNI) announced that some of the telecom companies had failed to implement or design their contact-chaining protocols correctly and, as a result, had been giving the NSA at least some substantial amount of metadata that the agency should not have. Worse, the NSA had concluded that they could not separate the wheat from the chaff and thus had decided to err on the side of privacy protection by deleting the whole mass of data that had been produced since the USA Freedom Act took effect. It was a stunning result. Some decried the loss of the archived dataset; others suggested that this development was a costly signal demonstrating that there was little real intelligence value in the project and hence it could safely be abandoned.
So what happened the other day that has everyone so spun up?
Well, when the intelligence community announced the error, the NSA stated that the technical challenge had been overcome; thus, many assumed that collection under the USA Freedom Act had resumed. But then came the unexpected statement of Luke Murry, national security adviser for House Minority Leader Kevin McCarthy, on Saturday’s episode of the Lawfare Podcast that collection under this program has not been taking place for the past six months after all. This in turn yielded a high-profile story by Charlie Savage in the New York Times and follow-on reporting at the Wall Street Journal and the Washington Post, placing the situation in context and emphasizing the possibility, suggested by Murry, that the administration might even decline to seek renewal of the current version of this statutory authority.
There are three things to bear in mind as you ponder all that.
1. Phone metadata ain’t what it used to be.
As Pat Gray, Thomas Rid, and others have observed, the utility of a contact-chaining program based on conventional telephone dialing records undoubtedly has been in steady decline for years, thanks to the massive growth of apps enabling alternative means of communication. Sure, we all still make lots of phone calls, and terrorism suspects likely do too. But as we have seen illustrated in innumerable investigations linked to the Islamic State in recent years, serious terrorism suspects are quick to move to communications channels that are end-to-end encrypted. The sort of comprehensive archive of communications that might once have been possible with phone metadata alone is not at all possible today. This is not to say that there’s no value in having a phone metadata archive, but if that’s all the information the government’s got, its utility for contact-chaining plainly is diminishing all the time.
2. Not using the authority in recent months may reflect nothing more than continuing technical challenges.
The recent round of reporting does not have confirmation that the authority has not been used over the past six months. But assuming that it hasn’t, it still does not follow, as some have suggested, that the NSA no longer thinks the program is worth pursuing. It seems at least as likely that this would instead simply reflect a continuing technical struggle to fix the error-prone protocols that led at least one telecom company to produce the wrong data in the past. It was clear last summer that this was a technical challenge of no small magnitude, and though the NSA stated at the time that the problem appeared to be fixed, it is not too shocking to think that this proved unduly optimistic. The point being: If the government has not been using the program, it may yet prove to be the case that the NSA or the ODNI has made a merits judgment against continuing this program, but it also may simply be an unexpected delay in fixing a flaw in what the companies have come up with in response to the demands that the USA Freedom Act placed upon them in lieu of the NSA itself.
Of course, it could be that this persistent flaw, if it exists, will not be fixed anytime soon. In that respect, the situation to some extent would resemble the technical issues plaguing Upstream “about” collection. Those technical issues ultimately led the NSA to drop that particular approach voluntarily, and that in turn was followed by calls to embed in statute a lasting prohibition on reviving the practice. Wisely, Congress opted instead for a two-part early-warning system should the government ever seek to revive “about” collection: It would first have to obtain FISC approval (upon an adequate showing of having resolved the earlier problem), and it would then have to give substantial advance warning to Congress. This choice reflected Congress’s understanding that the cost-benefit analysis for a program plagued by technical difficulties may seem quite different once such difficulties are overcome, as eventually they might be.
3. Be careful not to throw the baby out with the bathwater when it comes time to renew.
Even if the phone-metadata program should indeed be dropped, it does not follow that the next desired step would be simply to let Section 215 sunset in December. If a sunset occurs, much more than contact-chaining will be lost.
There is a huge distinction between using Section 1861 for telephone-metadata purposes and using that provision for the broad array of other, less controversial record-production purposes that have nothing to do with archives of phone metadata and contact-chaining. Remember: Contact-chaining was never the central point of Section 1861. Its original purpose was to ensure that foreign-intelligence collectors had at least something akin to the subpoena mechanism that law enforcement investigators working with a grand jury, ordinary civil litigants engaged in discovery and various civil regulatory authorities all enjoy—that is, the power to compel third parties to disclose relevant records. The original version of the authority from 1998 achieved this purpose only to a limited extent, with only a narrow set of business record categories subject to its reach and with a strict requirement that the records sought be those of an alleged agent of a foreign power. This restriction unwisely excluded all sorts of other potentially relevant business record categories, and it also precluded use of the provision to seek material records of persons (such as spouses and close associates) close to, but distinct from, the actual target. The USA Patriot Act fixed both those problems, making Section 1861 a far more useful instrument, though still weaker than the subpoena power routinely employed by grand juries, let alone civil litigants and some regulators.
If the sunset occurs this December? The statute will snap back to its quite-narrow 1998 iteration, taking with it much more than just contact-chaining.