Wednesday, July 24, 2013

More Misleading Information from ODNI on NSA Telephone Metadata Collection

In its ongoing publicity offensive, the administration has put forward more detailed public arguments to justify the NSA obtaining and storing vast quantities of telephone metadata of U.S. persons in purported reliance on § 215, the "business records" provision, of the Patriot Act. A central pillar of the NSA/DOJ/ODNI argument is that government storage of this metadata is necessary because the telecommunications companies otherwise would not retain it. This argument is, at best, disingenuous and misleading.

In one of the most detailed defenses of the telephone metadata program, for example, ODNI General Counsel Robert Litt asserted last week in a prepared speech (see text or video clip) that "telephone companies have no legal obligation to keep this kind of information" ("information" he defines as "the number calling, the number being called, and the date, time and duration of the call") and that telephone companies destroy this data "after a period of time determined solely by their own business purposes" (emphasis added).  This is demonstrably inaccurate.  See, for example, the "legal obligation" found at 47 C.F.R. § 42.6, a regulation which requires that telephone companies:
retain for a period of 18 months such records as are necessary to provide the following billing information about telephone toll calls: the name, address, and telephone number of the caller, telephone number called, date, time and length of the call.  

Not only does this federal regulation provide a legal retention obligation, but it is also unrelated to the "business purposes" of the telephone companies and in fact was promulgated by the FCC at the specific request of the DOJ in order to aid in terrorism investigations.  The retention period had previously been six months, but the DOJ petitioned the FCC to extend it precisely because such telephone records "are often essential to the successful investigation and prosecution of today's sophisticated criminal conspiracies relating, for example, to terrorism . . . and espionage." The FCC therefore extended the legal retention period for as long as the DOJ said was necessary.

DOJ/NSA/ODNI may believe that this regulation, which became effective in 1986, is outdated or no longer adequate, but pretending that it (and many similar state regulations) doesn't exist or that those agencies couldn't have done more to update or expand this regulation to suit the Executive branch's current "needs" undermines their argument.

In fact, in early 2006, the FCC itself proactively solicited comments on the 18-month retention regulation and the DOJ submitted these comments which -- in light of what we know now and the government's current arguments -- is rather remarkable.

First, the DOJ's comments are dated April 28, 2006, which was reportedly just a month before the DOJ/FBI secured the first Foreign Intelligence Surveillance Court order for bulk collection of U.S. telephone metadata for the NSA under the "business records" provision.

Second, while the DOJ noted problems with the regulation (including that "some" phone companies read it narrowly and argued it would not apply if certain billing methods were used) the DOJ nevertheless stressed the regulation's continuing importance for counterterrorism, stating that telephone records were a "critical tool in the fight against global terrorism" that had "enabled . . . national security agencies to prevent terrorist acts and acts of espionage." Moreover, the DOJ stressed its role in setting the legal retention period at 18 months.

Third, the DOJ in fact suggested -- in a footnote, near the end -- that the FCC "should explore" whether "the existing 18-month rule should be extended," yet surprisingly the DOJ did not forcefully argue for such an extension.  You can decide for yourself, but the DOJ's comments don't read to me like they were written by the same DOJ that was simultaneously arguing to a secret court that the need to retain the telephone data longer than 18 months was so crucial and exigent that it necessitated the extraordinary remedy of ordering telecommunications companies to provide all telephone metadata in the United States to the NSA in reliance on a breathtakingly broad reading of "relevant" in a statutory text.

And of course, members of Congress have questioned whether the extended retention is really as important as the NSA claims, as Senators Udall and Wyden have stated, "the NSA still has not provided us with any examples of instances where it relied on its bulk collection authority to review records that the relevant phone company no longer possessed."

Lastly, the FCC's regulatory power over such records highlights sharply conflicting views within the government about the nature and value of such data that have been largely ignored.  DOJ/NSA/ODNI have gone to great lengths to downplay the importance of "telephony metadata" -- "it's just metadata, it's not content, it's like the information on the front of an envelope, it's not Constitutionally protected, there's no expectation of privacy," they say. Yet, Congress and the FCC have been working for years to protect the "confidentiality" of such information under the name "Customer Proprietary Network Information" (CPNI). The statutory definition is at 47 U.S.C. § 222(h), but in the plain language of the FCC: "Practically speaking, CPNI includes information such as the phone numbers called by a consumer; the frequency, duration, and timing of such calls; and any services purchased by the consumer, such as call waiting. CPNI therefore includes some highly-sensitive personal information" (emphasis added).

The issue of bulk telephone metadata collection is undoubtedly complex and difficult to simplify, but the DOJ/NSA/ODNI efforts to "explain" and justify the program and to lay out the "facts" (which repeatedly seem to be half-truths) is not creating trust, it's undermining it.

No comments:

Post a Comment

Note: Only a member of this blog may post a comment.