War Stories

Metadata Isn’t Going Away. Here’s How to Control It.

What we can learn from Judge Leon’s opinion and the recommendations of a presidential commission.

The National Security Agency in Fort Meade, Md.

Photo by Paul J. Richards/AFP/Getty Images

It’s a good bet that, in the next few weeks, President Obama will impose some serious reforms—and ask Congress to enact a few more—on how the National Security Agency scoops up and stores data from the phone and Internet records of American citizens.

The case for reform received two massive boosts this week: first, from a federal judge’s opinion that the NSA’s massive metadata program is probably unconstitutional; then, from a presidential commission’s report concluding that the program is not only dangerous but unnecessary on policy grounds.

In this one-two punch, the crucial blow will be dealt not by the dramatic (really, stunning) court ruling, but rather by the more prosaic—and, for all that, more potent—commission report.

Obama created the commission in August, soon after Edward Snowden’s first leaks about NSA domestic surveillance, and many predicted it would churn out the usual blue-ribbon slush, allowing the president to slap on a few cosmetic patches that let the gigantic machine at Fort Meade continue running unhindered.

But that’s not what happened here. This five-man panel produced a 300-plus-page report, containing 46 recommendations, which, if carried out, could make a genuine difference.

The report’s authors make no judgment on the surveillance program’s legality, though they do note its harsh dissonances with the Fourth Amendment, which guarantees the “right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures.” More to the point, they state that the NSA’s most indiscriminately intrusive program—the one that the federal judge denounced as “almost Orwellian” and probably unconstitutional—isn’t necessary.

This program—the one that the initial Snowden leaks uncovered—allows the NSA, conceivably, to sweep the phone calls of every American citizen—not their contents but where the calls are going and how long they last. It also allows the NSA to store this data and if necessary retrieve it, for many years.

In the course of their work, the panelists asked top NSA officials if they’ve ever gone back to look at data two, three, or five years after it’s been gathered. The answer: no, never.

One particularly contentious aspect of the NSA program is that it allows analysts to make three “hops” in tracing communications. Let’s say that an American suspected of terrorist activities has phoned 100 people in the last five years. The NSA can track not only the suspicious American’s calls but also the calls of those other 100 people. That’s just the first hop. Let’s say each of those 100 people also called 100 people in the last five years. The NSA can track all of their calls, too. That’s the second hop—and it puts (100 times 100) 10,000 people on the agency’s radar screen. In the third hop, the NSA can trace all the calls of those 10,000 people, and the calls of all the people that those 10,000 people call—for a total of (10,000 times 100) 1 million people.

In other words, tracking the calls of just one person allows the NSA to track the calls of as many as 1 million people.

The panelists asked how often they’ve actually made a third hop. The answer: an infinitesimally small number of times. How often have they made so much as a second hop? A very small number.

So, this wildly expansive program is almost entirely unused and almost certainly unnecessary. The report makes the latter point explicitly, in an all-too-low-key passage in the middle of Page 104:

Our review suggests that the information contributed to terrorist investigations by the use of Section 215 telephony meta-data was not essential to preventing attacks and could readily have been obtained in a timely manner using conventional Section 215 orders.

(Section 215 is the provision of the Patriot Act that allows bulk collection of data—though, as the Snowden documents have revealed, the collection has been quite a lot bulkier than all but a few outsiders had previously known.)

If that’s all there was to it, we could all rest easily: The metadata sweeps have resulted in almost nothing, and the NSA doesn’t really sweep as deeply as it allowed itself to sweep anyway. But just because the agency doesn’t sweep so deeply today doesn’t mean it won’t go very deep tomorrow. As the report’s authors put it:

[W]e cannot discount the risk, in light of the lessons of our own history, that at some point in the future, high-level government officials will decide that this massive database of extraordinarily sensitive private information is there for the plucking. Americans must never make the mistake of wholly “trusting” our public officials.

In other words, the same algorithms that enable NSA technicians to track suspected terrorists would also enable them, if so ordered, to track political opponents, street protesters, malcontents of all stripes—whomever and whatever sorts of targets a rogue NSA director, or more to the point an authoritarian president, might want to track.

To put it another way: Imagine if this technology had been around when Richard Nixon was president and J. Edgar Hoover was FBI director. Now assume that Nixon and Hoover were not the last of their kind. Our political system is not immune to the ascension of authoritarian leaders, especially if we were to come under another 9/11-type terrorist attack.

The commission report’s 46 proposals consist mainly of safeguards—speed bumps, hurdles, barriers—to prevent, or at least slow down, the erosion of civil liberties, whatever the political climate. (The report’s title is “Liberty and Security in a Changing World.”)

One of its main proposals is to store all metadata with a separate, possibly private, organization. (For example, data gathered by phone companies and ISPs would stay within the phone companies and ISPs.) If the NSA wanted to retrieve and search through these databanks, it would need to file a request for specific information with the Foreign Intelligence Surveillance Court.

Under current arrangements, the NSA can search the banks on its own. The internal requirements for doing so are much stiffer than they used to be. Not long ago, a clever analyst could dip into the data and check up on his girlfriend; there are a few cases in which someone actually did this. Now, according to one insider, any probes require two high levels of review and the approval of the agency’s general counsel. But of course, this isn’t enough. First, who’s going to believe that? Second, just as those compliance standards were put in place internally, they can be repealed internally (and without outsiders knowing it).

The report also proposes major changes in the FISA court, which rules on—and usually rubber-stamps—requests for surveillance. The authors recommend inserting a “public Interest Advocate” in the court’s hearings, installing tech-savvy advisers on the court’s staff, declassifying court rulings after a certain period of time, and drastically changing the way the FISA court judges are appointed. Currently, they’re all named by the Supreme Court’s chief justice; i.e., all the judges ruling on these beyond-top-secret matters today are Roberts-appointed Republicans. The report recommends spreading out the appointments among several justices. These ideas have been proposed by a number of outsiders, the last two by … well, me. It’s good to see them get some official imprimatur. (Any changes to the FISA court would have to be approved by Congress.)

In a surprise, little-noted chapter, the report also proposes reforms in the rules governing National Security Letters. These letters require people or institutions to turn over information to the government, usually to the FBI, and they are so secret that the recipients are forbidden from telling anyone that they received one. Many, perhaps most, of these letters are addressed to phone companies or ISPs and seek metadata to help agencies as part of criminal or terrorist investigations. Yet, unlike similar NSA requests for metadata sweeps, they require not even the fig leaf of FISA court approval. The report recommends that the National Security Letters go through the same oversight.

Of course, the commission’s recommendations amount to small stuff compared with the Dec. 16 opinion by U.S. District Court Judge Richard Leon that the NSA’s metadata program is probably unconstitutional. In an impassioned 68-page memorandum, Judge Leon argued that Smith vs. Maryland, the Supreme Court decision often cited to support the program’s legality, “simply does not apply” to the scope of surveillance revealed in the Snowden documents. If this opinion became law, metadata collection would simply be outlawed.

However, it’s very doubtful that Judge Leon’s opinion will survive an appeals court or, if it goes higher, the Supreme Court. First, district court judges don’t have the authority to reject the appropriateness of precedents cited by higher courts. (Judge Leon doesn’t quite go that far, but he skates right up to the edge.) Second, some constitutional lawyers, including those who sympathize with him politically, doubt the opinion’s legal validity. Third, higher courts tend to give even the slightest benefit of doubt to the executive branch in cases involving prerogatives of “national security.”

There’s no question, though, that metadata collection, as it exists, at the very least rubs up against Fourth Amendment guarantees, and someone—in the courts, the Congress, or the executive branch—is going to have to untangle the dilemmas at some point.

Meanwhile, the report by the President’s Review Group on Intelligence and Communications Technologies—as the commission is officially called—strikes a realistic and, as these things go, far-reaching set of checks and balances. Very likely, metadata collection is here to stay. It is simply too powerful a tool for any nation to abandon (and the United States is far from the only nation to have it). This being the case, the question is how to control the beast, how to keep it from becoming a truly dangerous weapon. The commission’s report does that, for now. If President Obama doesn’t adopt its key proposals, that will be a major failing.

Also in Slate, read more about the recommendations from the President’s Review Group.