The Uses and Possible Abuses of Call Metadata
In a piece published Thursday a former general counsel for the National Security Agency argues that collection of call metadata is necessary to fight terrorism. But his hypothetical case fails to explain why the NSA needs data on local calls made within the United States or offer any assessment of how this information could be misused.
Stewart Baker is a former general counsel for the NSA. Writing at Foreign Policy he argues that the NSA gathering of metadata on calls is not a lawless invasion of privacy but a necessary step in safeguarding the country from foreign attack. Put aside the lawless question since no one is really claiming the law is being violated. The real question is why the NSA is collecting data on every American with a phone. Here Baker offers an answer by way of a hypothetical:
Imagine that the United States is intercepting al
Qaeda communications in Yemen. Its leader there calls his weapons expert and
says, "Our agent in the U.S. needs technical assistance constructing a weapon
for an imminent operation. I've told him to use a throwaway cell phone to call
you tomorrow at 11 a.m. on your throwaway phone. When you answer, he'll give you
nothing other than the number of a second phone. You will buy another phone in
the bazaar and call him back on the second number at 2 p.m."
Now, this is pretty good improvised tradecraft, and it would
leave the government with no idea where or who the U.S.-based operative
was or what
phone numbers to monitor. It doesn't have probable cause to investigate
any particular American. But it surely does have probably cause to
investigate any American who makes a call to Yemen at 11 a.m., Sanaa
hangs up after a few seconds, and then gets a call from a different
number three hours later. Finding that person, however, wouldn't be
easy, because the
government could only identify the suspect by his calling patterns, not
Baker goes on to argue that requesting the needed data from telecoms would require them to store all of this in massive servers in case a request comes in from the government. Therefore it makes more sense for the government to simply collect the metadata and have it on hand in case it is needed.
We clearly do need to monitor calls coming in and going out of the country, especially calls to places with active terrorist organizations. The FISA Act is specifically designed to allow this. What Baker's hypothetical does not address is the specific language of the court order which demands Verizon turn over data on all international and local calls:
all call detail records or "telephony metadata" created by Verizon for communications (i) between the United States and abroad; or (ii) wholly within the United States, including local telephone calls.
If you scroll back up to Baker's hypothetical, you'll notice that it does not involve any local calls. It involves calls to and from a foreign country. Can we simply extend his hypothetical to include two parties inside the US? Perhaps one party makes a local call to the other party and gives them the information on when to make a call back to Yemen.
The problem with this scenario is that the NSA is, according to section 702 of the FISA Act, forbidden to look at "any communication as to which the sender
and all intended recipients are known at the time of the acquisition to
be located in the United States." Now, the word communication means the actual content of the call. The metadata of the call is not considered communication. Perhaps it is still valuable to have the metadata even if you are expressly forbidden to know what was said on the call.
So there is, at least hypothetically, a value to having this data. What about the hypothetical downside to collecting metadata on nearly every American? For instance, what if some of this information is misused by someone within the NSA or FBI. The obvious case would be a leak about a politician or businessman who calls an escort agency. And as Wired pointed out, every call to an AA or suicide hotline or every call to a whistle-blower hotline--it is all being grabbed and stored for potential future misuse.
The response to these concerns are those made by Baker at the end of his piece, i.e. "minimization" procedures are in place to insure the information is not misused. No doubt that is true. If everyone does what they are supposed to do, there is usually no problem. But we have had several scandals recently in which government employees--at the IRS and the EPA--made partisan leaks of information at their disposal. The lesson this should impress on us is that government employees sometimes break the rules.
When I worked for the Social Security Administration many years ago I had access to a database with the home address and earnings information of every US citizen. I never misused it because I did not want to lose my job but word spread that, occasionally, someone in the agency would pull up records on a celebrity they were curious about. They would of course be caught and fired for misusing the system but only after they'd seen the data. Metadata on local calls inside the US may be marginally helpful in stopping foreign terrorists but it is also going to be a temptation to bad actors inside the government itself.