Remember the Snowden disclosures? It may seem like an eternity ago, but it was in 2013 that Edward Snowden revealed to the public the government’s extensive warrantless domestic surveillance program. After he disclosed that the National Security Agency was scooping up millions of phone records showing Americans’ calling patterns, Congress responded appropriately by ending that bulk collection program through the USA Freedom Act in June 2015.
But Congress never actually finished the job. It replaced the bulk program with one that is narrower, yes, but that continues to allow the government to invade our privacy by collecting massive amounts of phone records. Now, it’s time for Congress to finish what it started almost five years ago.
On March 15, 2020, three U.S. surveillance law provisions are set to expire unless Congress reauthorizes them again. One of these is Section 215 of the USA Patriot Act of 2001, which authorizes the U.S. government to collect business records, such as financial or hotel records. The USA Freedom Act added new subsections to Section 215 to permit the collection of call detail records, or CDRs, on an ongoing basis. CDRs, as defined by Section 215, consist of “session identifying information.” They show which phone numbers (or other identifiers, like an international mobile subscriber identity number) are contacting which other numbers, and the time and duration of these connections. Congress created this Section 215 CDR authority in an attempt to replace the earlier bulk program with a more limited version. CDRs are the same kind of records that the NSA was collecting in bulk under the old program. When CDRs are assembled and analyzed at scale, the calling patterns can be highly revealing of very sensitive information; they can show your regular calls to a cancer clinic or a therapist.
As Congress debates reauthorization of the expiring Patriot Act provisions, there are many important reforms it should enact, such as explicitly prohibiting targeting on the basis of race, religion, and other protected classes. But ending the Section 215 CDR program is a necessary and critical first step.
As I have explained in more detail elsewhere, the current Section 215 CDR program is significantly narrower than the earlier bulk program, but the replacement authority still allows the government to collect vast quantities of information on Americans. The most notable post-Snowden improvement is that the government can no longer collect all the CDRs generated by any communications provider in bulk. Rather, providers store the phone records, and the NSA can only acquire CDRs associated with particular targeted numbers. In addition, the government must now get approval from the Foreign Intelligence Surveillance Court for each target.
However, the current program has still enabled the government to collect hundreds of millions of CDRs, and the program’s intrusiveness is compounded by permitting the government to collect calling records out to “two hops” from the person who is actually suspected of being connected to terrorism. The first hop involves collecting all the CDRs on an ongoing basis for a particular terrorism suspect, and the second hop permits collecting records for every person who has been in contact with the terrorism suspect’s number. These CDRs for the second hop show all of the calls to and from the first hop contacts, even though most of them will not have any actual connection to terrorist acts or planning. Thus, although allowing two hops is much narrower than the earlier, pre–USA Freedom Act bulk program that permitted collection out to three hops (since each hop exponentially increases the number of records), that second hop still allows the NSA to acquire calling records for vast numbers of people who are not suspected of any wrongdoing.
Perhaps more importantly, the Section 215 CDR program is not effective in producing valuable intelligence. Scholars who have examined the technical features of the Section 215 CDR program have concluded that not only has the program been ineffective since its inception in 2015, but it is unlikely to be effective in the future. In June 2018, the NSA announced that it had discovered “technical irregularities” in some of the CDRs it had acquired, and that the NSA had received records it was not entitled to collect. As a result, the NSA decided to purge all of the CDRs it had collected since the program began in late 2015. Several months later, the NSA suspended operation of the program altogether. As former Director of National Intelligence Dan Coats explained in an August 2019 letter to Congress, the intelligence community made the decision to suspend the program based on “balancing the program’s relative intelligence value, associated costs, and compliance and data integrity concerns caused by the unique complexities” of operating this program. The Privacy and Civil Liberties Oversight Board, which concluded in its 2014 report that the earlier bulk collection program had been ineffective, has also reviewed the current Section 215 CDR program and agreed with the intelligence community’s assessment that it should be suspended. In short, this highly complex authority simply isn’t worthwhile.
Nonetheless, after internal debates that lasted for many months, the Trump administration decided to seek permanent reauthorization of the CDR program in 2019. In hearings before the House and Senate Judiciary Committees this past fall, U.S. government witnesses asserted in their joint written testimony to the House that the “CDR program may be needed again in the future, should circumstances change,” and stated to the Senate that reauthorization would permit the government to “retain this potentially valuable tool should it prove useful in the future.” When Senate Judiciary Committee Chairman Lindsey Graham asked why Congress should reauthorize a program that the NSA itself had decided to suspend as ineffective, the agency representative responded that “in one year from now, two years from now, three years from now … we could find ourselves in a situation where this particular tool in our toolbox, we would want to have the agility to use it should it be valuable moving forward.”
In other words, the government asserts that Congress should let the intelligence agencies maintain the invasive, ineffective program as another “tool in the toolbox” because you never know when you may want it.
The key problem with the toolbox metaphor is that it leaves the impression that the Section 215 CDR program is something an intelligence analyst could simply grab and use in a hurry when it’s needed, like a hammer or a screwdriver. But the metaphor doesn’t hold. The Section 215 CDR program is a highly complex system that involves collecting electronic data—including the records of numerous Americans—from various communications service providers, analyzing this data, and storing it securely. It is so complex that it took the NSA 2½ years—from late 2015 until the spring of 2018—to discover that it had been collecting numerous CDRs contaminated by “technical irregularities” that were not readily apparent to analysts. And, as noted, “the unique complexities” of operating the program were among the factors that Coats cited to explain the NSA’s decision that the program was not worth restarting. The Section 215 CDR program is not something that could simply and safely be whipped out of the toolbox in response to an unknown future threat. It’s an ineffective, cumbersome system that even some of the nation’s brightest minds haven’t been able to legally wield in nearly five years.
Even if we did accept the administration’s “toolbox” metaphor, its reasoning is deeply flawed. If you discovered that a tool was more dangerous than helpful—say an electric saw that was hard to use without cutting off a finger—you would get rid of it and rely on other, safer alternatives. You wouldn’t store it in your toolbox for some hypothetical future use. And if, one day in the future, you learned that you had a project for which you really could use a mechanical saw, you would go out and procure a newer, safer version that met your new needs.
Finally, as a matter of principle, intelligence agencies should not be given every tool they may want, but only those that they need, and only those that can be implemented in a manner that protects individual rights. Intelligence work is difficult, and foreign intelligence information can come from unexpected sources. But this does not mean that intelligence agencies should be given broad authorities to monitor everyone all the time. If, at some future date, our intelligence agencies conclude that collecting a new type of “session identifying information” on an ongoing basis would provide needed intelligence on terrorists and other valid targets, they can go back to Congress at that time to seek a new authority tailored to the new need, one that incorporates robust safeguards for privacy and human rights.
Fortunately, during the House and Senate Judiciary Committee hearings last fall, many members of Congress seemed aware of these issues, and thus skeptical of the government’s request for reauthorization of the CDR program. And encouragingly, later in November, Sens. Richard Burr and Mark Warner, the chair and ranking member of the Senate Select Committee on Intelligence, respectively, introduced S. 2939, the Protecting Against International Terrorism Act, a bill that would “terminate” the Section 215 CDR program. Sens. Ron Wyden and Steve Daines and Reps. Zoe Lofgren, Warren Davidson, and Pramila Jayapal have also introduced the Safeguarding Americans’ Private Records Act, which would revoke the authority for the CDR program. It is likely that there will soon be additional surveillance reform legislation introduced in the House that would end the CDR program as well. As Congress considers key reforms to U.S. surveillance authorities, it is time to abolish the Section 215 CDR program.
The notion that we can never let a surveillance program expire because we never know when it may be useful may be tempting, but it is also dangerous. From the Church Committee’s comprehensive investigation of domestic spying in the 1970s to the Snowden revelations of the last decade, Americans have seen too many reminders of how surveillance powers can be abused.