In the wake of the publication of the Privacy and Civil Liberties Oversight Board (PCLOB) report into the NSA’s collection of domestic phone metadata, a number of voices in the US have echoed the Board’s findings that collection is neither effective nor legal. In the past 48 hours, both the New York Times and the LA Times have published editorials calling for bulk collection to be ended – and even the Republican National Convention has called for an immediate end to “unconstitutional surveillance” and a full investigation into the NSA’s activities.
The PCLOB report
The five-member PCLOB was set up in 2007, but this report marks the first time its opinion has been called upon. The 23 January report concerns the telephone records collection undertaken by the NSA under Section 215 of the Patriot Act. The board resolved by a 3/2 majority that the domestic metadata programme was neither effective nor authorised in law. A second PCLOB report on the NSA’s foreign intelligence operations is still forthcoming.
While the report carries no legal force, its reception demonstrates that the US debate on domestic metadata collection is rapidly moving beyond the modest provisions in President Obama’s speech of 18 January. The report has also drawn attention to aspects of the NSA’s operations that have only been suspected before now.
How proactive was the FISA court?
It has emerged that the FISA Court did not produce an opinion on the legality of domestic metadata collection until the existence of the programme was brought into the public domain, when the first of the Snowden revelations – the Verizon FISA Court order – was published in June 2013:
On June 5, 2013, the British newspaper The Guardian published an article based on unauthorized disclosures of classified documents by Edward Snowden, a contractor for the NSA, which revealed the telephone records program to the public. On August 29, 2013, FISC Judge Claire Eagan issued an opinion explaining the court’s rationale for approving the Section 215 telephone records program. Although prior authorizations of the program had been accompanied by detailed orders outlining applicable rules and minimization procedures, this was the first judicial opinion explaining the FISA court’s legal reasoning in authorizing the bulk records collection. (page 9, PCLOB report)
The corporate store
The PCLOB report also draws attention to the NSA’s “corporate store,” an overlooked secondary database produced from searches of call records. An initial search of the NSA’s call records database requires an analyst to demonstrate “reasonable articulable suspicion” (RAS) about a potential search term to one of 22 designated officers within the agency. Once RAS has been demonstrated, the analyst can then use “contact chaining” to look at the records of contacts three (after Obama’s speech, two) degrees of separation away from the initial search term.
However, once a record has been touched by one of these searches, even if it is three degrees of separation away from a search term, it is put into a separate database – “the corporate store” – where there are fewer restrictions on its use. In particular, the need for an analyst to show RAS before searching records no longer applies once data has been copied into the corporate store.
The PCLOB report describes the full range of search, matching and analysis that can be applied to records in the corporate store:
In 2012, the FISA court approved a new and automated method of performing queries… The essence of this new process is that, instead of waiting for individual analysts to perform manual queries of particular selection terms that have been RAS approved, the NSA’s database periodically performs queries on all RAS-approved seed terms, up to three hops away from the approved seeds. The database places the results of these queries together in a repository called the “corporate store.”
According to the FISA court’s orders, records that have been moved into the corporate store may be searched by authorized personnel “for valid foreign intelligence purposes, without the requirement that those searches use only RAS-approved selection terms.” Analysts therefore can query the records in the corporate store with terms that are not reasonably suspected of association with terrorism. They also are permitted to analyze records in the corporate store through means other than individual contact-chaining queries that begin with a single selection term: because the records in the corporate store all stem from RAS-approved queries, the agency is allowed to apply other analytic methods and techniques to the query results. For instance, such calling records may be integrated with data acquired under other authorities for further analysis. The FISA court’s orders expressly state that the NSA may apply “the full range” of signals intelligence analytic tradecraft to the calling records that are responsive to a query, which includes every record in the corporate store.
If the NSA queries around 300 seed numbers a year, as it did in 2012, then based on the estimates provided earlier about the number of records produced in response to a single query, the corporate store would contain records involving over 120 million telephone numbers. (page 30-31, PCLOB report)
It is to these 120 million records in the “corporate store” that Edward Snowden directed these comments in the live webchat hosted on this website last Thursday:
When even the federal government says the NSA violated the constitution at least 120 million times under a single program, but failed to discover even a single “plot,” it’s time to end “bulk collection,” which is a euphemism for mass surveillance. There is simply no justification for continuing an unconstitutional policy with a 0% success rate.