http://blog.foreignpolicy.com
Monday, June 10, 2013

This is, hands down, the scariest part of the NSA revelations
By Shane Harris 

Forget PRISM, the National Security Agency's system to help extract data from Google, Facebook, and the like. The more frightening secret program unearthed by the NSA leaks is the gathering and storing of millions of phone records and phone-location information of U.S. citizens.

According to current and former intelligence agency employees who have used the huge collection of metadata obtained from the country's largest telecom carriers, the information is widely available across the intelligence community from analysts' desktop computers.

The data is used to connect known or suspected terrorists to people in the United States, and to help locate them. It has also been used in foreign criminal investigations and to assist military forces overseas. But the laws that govern the collection of this information and its use are not as clear. Nor are they as strong as those associated with PRISM, the system the NSA is using to collate information from the servers of America's tech giants.

Metadata is not protected by the Fourth Amendment. Content of emails and instant messages -- what PRISM helps gather -- is. An order issued to Verizon by the Foreign Intelligence Surveillance Court instructs the company to supply records of all its telephony metadata "on an ongoing, daily basis." Although legal experts say this kind of broad collection of metadata may be legal, it's also "remarkably overbroad and quite likely unwise," according to Paul Rosenzweig, a Bush administration policy official in the Homeland Security Department. "It is difficult to imagine a set of facts that would justify collecting all telephony meta-data in America. While we do live in a changed world after 9/11, one would hope it has not that much changed."

By comparison, PRISM appears more tightly constrained and operates on a more solid legal foundation. Current and former officials who have experience using huge sets of data available to intelligence analysts said that PRISM is used for precisely the kinds of intelligence gathering that Congress and the administration intended when the Foreign Intelligence Surveillance Act was amended in 2008. Officials wanted to allow intelligence agencies to target and intercept foreigners' communications when they travel across networks inside the United States.

The surveillance law prohibits targeting a U.S. citizen or legal resident without a warrant, which must establish a reasonable basis to suspect the individual of ties to terrorism or being an agent of a foreign power. In defending PRISM, administration officials have said repeatedly in recent days that the FISA Court oversees the collection program to ensure that it's reasonably designed to target foreign entities, and that any incidental collection of Americans' data is expunged. They've also said that press reports describing the system as allowing "direct access" to corporate servers are wrong. Separately, a U.S. intelligence official also said that the system cannot directly query an Internet company's data.

But the administration has not explained why broadly and indiscriminately collecting the metadata records of millions of U.S. citizens and legal residents comports with a law designed to protect innocent people from having their personal information revealed to intelligence analysts. Nor have officials explained why the NSA needs ongoing, daily access to all this information and for so many years, particularly since specific information can be obtained on an as-needed basis from the companies with a subpoena.

Here's why the metadata of phone records could be more invasive and a bigger threat to privacy and civil liberties than the PRISM system:

1.  Metadata is often more revealing than contents of a communication, which is what's being collected with PRISM. A study in the journal Nature found that as few as four "spatio-temporal points," such as the location and time a phone call was placed, are enough to determine the identity of the caller 95 percent of the time.

2.  The Wall Street Journal reports that in addition to phone metadata, the NSA also is collecting metadata on emails, website visits, and credit card transactions (although it's unclear whether those collection efforts are ongoing). If that information were combined with the phone metadata, the collective power could not only reveal someone's identity, but also provide an illustration of his entire social network, his financial transactions, and his movements.

3.  Administration officials have said that intelligence analysts aren't indiscriminately searching this phone metadata. According to two intelligence employees who've used the data in counterterrorism investigations, it contains no names, and when a number that appears to be based in the United States shows up, it is blocked out with an "X" mark. 

But these controls, said a former intelligence employee, are internal agency rules, and it's not clear that the FISA Court has anything to say about them. In this employee's experience, if he wanted to see the phone number associated with that X mark, he had to ask permission from his agency's general counsel. That permission was often obtained, but he wasn't aware of the legal process involved in securing it, or if the request was taken back to the FISA court.

4.  The metadatabase is widely available across the intelligence community on analysts' desktops, increasing the potential for misuse.

5.  The metadata has the potential for mission creep. It's not only used for dissecting potential homegrown terror plots, as some lawmakers have said. The metadata is also used to help military forces overseas target terrorist and insurgent networks. And it is used in foreign criminal investigations, including ones involving suspected weapons traffickers.

For all these reasons, and probably more yet to emerge, it's the metadata that's of bigger concern. By comparison, PRISM is a cool name, a lame PowerPoint presentation -- and business as usual.
