The Senate held an informative hearing on the NSA metadata collection program this morning. The purpose was to identify problems in the program and possible legislative changes. This article addresses one of those issues - Who should maintain the data.
By way of background here are links to the three documents that were declassified today regarding this program. 1) 2009 Report to Congress 2) FISA Court Primary Order 3) 2011 Report To Congress
Here's the issue. If the intelligence agencies have identified a phone number that they have a reasonable, articulable suspicion belongs to a person who has engaged in terrorism or is otherwise an enemy of the United States they investigate further. Most people believe that the Government should do something with that information, not just sit on it. The logical thing for them to do is see whether that phone number has contacted any phone numbers in the United States or any other country. At this point they do not know if there have been any contacts within the United States let alone who those contacts may be or where they may be located. Therefore they need to do as broad a search as possible to determine whether that phone number shows up in the call data of phone calls in the United States. To do that, intelligence agencies must have access to phone numbers in the United States that could have been contacted by that foreign number.
There are three ways to go about this. The United States can collect the phone call data from all of the phone companies and combine it in a way that enables the Agency to quickly do a search on the entire database. Keep in mind that at this point the only thing the government is trying to do is identify domestic phone numbers that communicated with the foreign phone number and, potentially, numbers that those people may be calling. That is what is currently happening.
There are two other ways to do this. Rather than collecting the data, the United States could require that the phone companies maintain the databases themselves. Then, when the agency wishes to see if a phone number that is linked to a terrorist has been in contact with any phone numbers in the United States it could send its agents to each of the phone companies and do separate searches of the individual databases to see if there are any contacts. Alternatively the United States could request that the phone company employees do the search and provide the information to the government.
For the system to work if the Government doesn't maintain the data, laws would have to be enacted which require the phone companies to keep the records for some period of time beyond what their pure business purpose is. The government generally likes to keep these records for up to five years whereas many phone companies may only keep them for a year or less. There will also be some other requirements. The phone companies will have to comply with government requirements for security. The data will have to be maintained in a way that is searchable for intelligence purposes, separate from the companies business purposes. In addition the phone companies will have to employ persons who have the proper security clearances and laws will have to be enacted similar to those applicable to government employees, which criminalize the unauthorized use of those phone data logs. And since all of these requirements will cost money the Government will have to pay the companies for carrying out these activities.
Also, the United States is going to have to feel good about having to ask China Mobile, Verizon, AT&T, and all of the other phone companies, whether domestic or foreign, that do telecon business in the United States, to carry out our foreign intelligence activities, essentially handing over an essential government function to private companies including foreign companies.
Most people, including me, have concerns about the way the current NSA program is being conducted. There are real concerns about transparency, monitoring and controls. But we need to think carefully before embracing alternatives. Turning each American phone companies let alone foreign companies into privatized NSAs is not a good idea. We need to address the concerns about transparency by addressing those concerns directly, not by privatizing the activity. We need to address the concerns about the FISA court directly, not by thinking they will go away if the databases are maintained and queried by private companies as opposed to the NSA.
One thing is certain. The American people will never accept a situation in which the US government obtains intelligence about potential terrorism in the United States and does nothing about it. It is hard to imagine many Americans, let alone Members of Congress, who would advocate ignoring actionable intelligence. Here is an excerpt from the 2011 memorandum that explains why:
Prior to the attacks of 9/11, the NSA intercepted and transcribed seven calls from hijacker Khalid al-Mihdhar to a facility associated with an al Qa'ida safehouse in Yemen. However, NSA's access point overseas did not provide the technical data indicating the location from where al-Mihdhar was calling. Lacking the originating phone number, NSA concluded that al-Mihdhar was overseas. In fact, al-Mihdhar was calling from San Diego. California. According to the 9/11 Commission Report (pages 269-272):
"Investigations or interrogation of them [Khalid al-Mihdhar, etc], and investigation of their travel andfinancial activities could have yielded evidence of connections to other participants in the 9/1] plot. The simple fact of their detention could have derailed the plan. In any case, the opportunity did not arise."
Today, under FISA Court authorization pursuant to the "business records" authority of the FISA (commonly referred to as "Section 215"), the govemment has developed a program to close the gap that allowed al-Mihdhar to plot undetected within the United States.
When overseas contact information is developed the first action is always to see whether a phone number of a suspected terrorist has been in contact with phone numbers in the United States or elsewhere in the world. That will not stop. The issue before the Congress now is to ensure that it is done in the most effective and efficient manner, that is as protective as possible of the privacy rights of Americans.
There are many good ideas that are being discussed in connection with the administration of the NSA's phone data collection activities. Clearly the issue of transparency is one that needs to be worked on. Also, there may be ways to make people have more confidence in the activities of the FISA court. But turning our private phone companies into arms of the federal government makes no sense at all. It is not only a logistic and operational nightmare but it furthers the process of turning government activities into corporate activities. We have been going down this road for many decades whether in the area of prisons, defense contracting, and virtually anything else you can name. In virtually every instance the result is higher cost, lower quality, and less accountability.
For people who are concerned about accountability of the government, imagine what happens if Verizon and China Mobile are storing the data and conducting searches. One can guess that most people will come to the conclusion that this is not the way we want to go.