Friday, July 5, 2013

Is it surveillance if only computers are watching?

Robert J. Litt, the NSA General Counsel, participated in a panel discussion last week giving some official details on the NSA surveillance programs. The video is here. Litt acknowledges certain things and makes other categorical denials, consistent with the denials President Obama has made that the government is not listening in on all our telephone calls. Because Litt kept referring to notes, it seems fair to assume he was choosing his words carefully, though his language and presentation style was informal and not robotic.

Litt first addresses the "telephone metadata" collection, which he says is authorized under Section 215 of the PATRIOT Act. Litt points out that the authorizing language is there for everyone to see, and here it is. It is entitled "Access to certain business records for foreign intelligence and international terrorism investigations"and it describes how certain government officials
may make an application for an order requiring the production of any tangible things (including books, records, papers, documents, and other items) for an investigation to obtain foreign intelligence information not concerning a United States person or to protect against international terrorism or clandestine intelligence activities, provided that such investigation of a United States person is not conducted solely upon the basis of activities protected by the first amendment to the Constitution.
Telephone call metadata, numbers calling and called and time of call, are surely business records of the phone companies (how else could they produce monthly bills?) and there is a long history of court affirmation that no wiretap order is needed for law enforcement to acquire such information. What this law provides that is unusual is a prohibition on telling the subjects of search that their records have been turned over to the government.

At about 18:00, Litt says,
Despite what you may have heard about this program, we don not collect the content of any communication under this program. We do not collect the identity of any participant to any communication under this program. And while there seems to have been some confusion about this …, I want to make perfectly clear. We do not collect cell phone location information under this program, either GPS or cell site tower information. Not sure why it has been so hard to get people to understand that because it has been said repeatedly.
I speculated a couple of weeks ago that the content of all telephone calls is being recorded, and cited a couple of odd statements that supported my speculation. Litt flatly denies that telephone calls are routinely being recorded. Or does he? He denies, not once, not twice, but three times in three sentences, that various things, including the capture of the content of telephone calls, are being done under this program. Of course that might just be lawyerly conservatism. He can speak only to what he knows about, or only to what he is authorized to speak about, and on this particular occasion that is the two surveillance programs Snowden disclosed. So we really can't conclude anything about the recording of voice conversations, except that if it is being done, it is not being done under this particular program under the authority of Section 215.

Moreover, Litt makes clear that (as the statute demands) the data is turned over to the authorities only upon execution of a specific request. "Each determination of a reasonable suspicion under this program," Litt says around 21:00, "must be documented and approved. And only a small portion of the data that is collected is ever actually reviewed, because the vast majority of that data is never going to be responsive to one of these terrorism related queries. In 2012 fewer than 300 identifiers were approved for searching this data."

So the government is not entitled to browse willy-nilly across this vast database, and does not do so. And, as Litt states elsewhere in this presentation, it does not do massive data analysis or pattern recognition on the database as a whole. It waits for a specific query to be authorized by the FISA court and then gets just the slice of the metadata-base associated with that identifier.

So here is my question. The Fourth Amendment states:
The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.
It seems that the government's position is that the telephone metadata is neither searched nor seized when it is recorded, only when it is produced in response to a query. Under what authority is the data collected in the first place? Litt explains,
In 2012 fewer than 300 identifiers were approved for searching this data. Nevertheless we collect all the data because if you want to find a needle in the haystack, you need to have the haystack, especially in the case of a terrorism related emergency which is … and remember this data is used only for terrorism related emergencies.
Emphasis mine. The italicized phrase is crucial, because it would justify recording anything, as long as the government doesn't peek at it until it has a specific court order. The mere collection of data raises no constitutional issue, because it is not a search or seizure. It's just the thing that you obviously need to have done to have any prayer of finding what you are looking for, once you are authorized to look for it.

We have recently learned that every piece of postal mail is photographed before it is delivered. Access is granted to law enforcement rather routinely, under much looser conditions than stipulated in the PATRIOT Act section authorizing access to business records. For example, the images of envelopes have been used to harass a political opponent of an Arizona official.

In relation to the PRISM program, the other of the two surveillance program Snowden disclosed, two law professors writing for the New York Times note that there are strict limits on surveillance of US citizens.

How could vacuuming up Americans’ communications conform with this legal limitation? Well, as James R. Clapper Jr., the director of national intelligence, told Andrea Mitchell of NBC, the N.S.A. uses the word “acquire” only when it pulls information out of its gigantic database of communications and not when it first intercepts and stores the information.If there’s a law against torturing the English language, James Clapper is in real trouble.

Once the database exists, it is going to be very hard to resist the temptation to use it. Depending on circumstance, terrorism may not be the worst crime that stored communications could help solve. Derek  Khanna asks in the Atlantic, If PRISM is good policy, why stop with terrorism? Child pornography for example --- how readily might countless horrible crimes against innocent children be solved if law enforcement could only access that database?

I am very troubled by the idea that gathering information requires no special authorization, as long as the gathering is done by some blind, automated process, and nobody peeks until a court authorizes it. The distinctions between "reading" and "searching" are human metaphors; the details of what the computers do are not precisely anthropomorphic. What sort of activity is automated indexing, for example?

Is it really true, either legally or morally, that the potential need someday to find a needle is all the justification that is needed to collect all our hay as it goes blowing by? Will we really be able to resist the temptation to use the data for other purposes? Surely we would want law enforcement to probe the phone records of a latter-day Timothy McVeigh, the Oklahoma City bomber who was a purely domestic terrorist. And once we begin, where will we stop? Why shouldn't law enforcement at every level be able to crack crimes by pulling data from these databases?

We are all guilty of something. Read Harvey Silverglate's Three Felonies a DayAnyone who thinks they have nothing to hide is a fool -- just ask the person whose mail was monitored by that bullying Arizona sheriff, or one of the blacks arrested for marijuana usage at a much higher rate than whites.

The only way to stop is not to begin. Collecting data willy-nilly is a constitutionally unlawful seizure. I hope the developing litigation puts and end to it.


  1. "It seems that the government's position is that the telephone metadata is neither searched nor seized when it is recorded, only when it is produced in response to a query"

    More likely they rely on the Supreme Court holding that telephone call records are not subject to 4th Amendment limits. That's from a 1979 decision called Smith v Maryland.

    1. Maybe, but then why all the fuss over how narrow the targeting is? Just for PR, given that it would not legally be needed? And what about the analogous claim the NYT op-ed quotes Clapper making about PRISM data, which has nothing to do with telephone metadata? I don't have his precise words, but the writers say he claims that NSA does not "acquire" PRISM data when it is recorded, only when NSA probes it. "Acquire" in that context presumably means "seize," except that by making the seizure a two step process it doesn't sound so bad (one step they take it but don't look at it, the other step they acquire it but really only from themselves).

    2. They claim that they collect all the metadata and then narrowly target further investigations - including ones that get content and need warrants and probable cause.

      There is a difference between acquire and inspect. Verizon already collects all call records - for its own purposes. When the government makes copies of that, it's certainly not violating anyone's privacy. Only when that data is searched and correlated does any privacy issue appear.

      I think the real scandal here is that contractors who have been vetted (badly) by other contractors are at great public expense given so much access to so much data.

  2. I agree - the difference between acquire and inspect is key but also a gray zone- if one has acquired information, the presumption is that it will be inspected ad hoc at any given time.

    I thought you might be interested:

  3. This comment has been removed by a blog administrator.