UNITED24 - Make a charitable donation in support of Ukraine!

Intelligence

Illegal NSA Data Mining Highlights Need for Congressional Oversight

Center For Democracy and Technology

A Briefing On Public Policy Issues Affecting Civil Liberties Online from The Center For Democracy and Technology
Policy Post 12.8, May 11, 2006

(1) Illegal NSA Data Mining Highlights Need for Congressional Oversight

(2) Program Appears Illegal, Regardless of How Database Was Compiled

(3) Relevant Statutes for Access to Stored Records

(1) Illegal NSA Data Mining Highlights Need for Congressional Oversight

USA Today has revealed that the National Security Agency has been compiling telephone information on millions of innocent Americans that includes data about who, when, and where they are calling. Administration officials stressed that the program does not involve listening to the contents of communications, but the detailed calling patterns described by the data provide an extensive picture of an individual's business and personal associations and patterns of daily life.

CDT believes the program described in the article is illegal.

Moreover, this latest disclosure reinforces what CDT and others in the public interest community have been saying for months: Congress needs to conduct a comprehensive, in-depth and public inquiry into the scope of warrantless domestic surveillance.

Congress and the American people can no longer be asked to simply accept the administration's vague assurances that the NSA spying programs are not infringing on the rights of ordinary Americans. Congress has the power and the means to examine the scope and legality of the government's actions without compromising national security. Indeed, national security demands that there be a full understanding of how the government is invading the privacy of Americans and whether that snooping is properly focused.

In recent months, the President, the Attorney General, and other senior officials have stated that the President's program of eavesdropping without court order was narrowly focused on international calls of suspected terrorists. In public comments the Attorney General and others were being careful in their statements to leave open the possibility that the NSA was engaging in other, undisclosed programs to spy on Americans. The USA Today story revealed the details of one of those programs involving the compilation of a massive database of the domestic calling patterns of every American served by the major companies participating in the program.

Coming on the very day that the Senate Judiciary committee was due to consider legislation that would have weakened controls on the President's power to eavesdrop on Americans, the latest disclosure confirms that legislation is pre-mature.

(2) Program Appears Illegal, Regardless of How Database Was Compiled

It is not clear whether the government acquired the massive stream of data involved by tapping into the systems of telephone companies in real-time or whether the information was obtained retrospectively from records logged by the carriers. It does appear that the government intends to keep the data indefinitely.

Telephone companies store detailed transactional information identifying all the calls made by and to their customers for months in order to settle "reciprocal compensation" payments and other charges among carriers.

If the program involved real-time interception, it probably violated both the Foreign Intelligence Surveillance Act (FISA) and the statute on interception of call detail information in criminal cases. Both statutes require a court order for interception of information about calling patterns, even if the content of communications is not collected.

FISA, which makes it a crime to intercept the content of communications without a court order, has a broad definition of "content:" it includes not only information about the substance of communications, but also information about their very existence. Even under that definition, FISA also requires a court order for the interception of non-content information, using a so-called "pen register." 50 USC 1841-46.

The administration has not explained why it did not use FISA pen register authority to get a court order for interception of calling pattern data, especially after the scope of that provision was vastly expanded in the PATRIOT Act.

Congress, the Administration, and the public first have to come to an understanding of what the current surveillance laws mean, what they cover and don't cover, and how they are being interpreted before we can conclude that the controls need to be strengthened or weakened.

(3) Relevant Statutes for Access to Stored Records

If the government acquired the information not in real-time, but from the records of the communications companies, two separate provisions of law seem to prohibit the conduct at issue here.

Section 222 of Title 47 of the United States Code provides: "Every telecommunications carrier has a duty to protect the confidentiality of proprietary information of, and relating to, other telecommunication carriers, equipment manufacturers, and customers, including telecommunication carriers reselling telecommunications services provided by a telecommunications carrier."

None of the exceptions in section 222 cover the conduct at issue in the NSA data mining program:

"Except as required by law or with the approval of the customer, a telecommunications carrier that receives or obtains customer proprietary network information by virtue of its provision of a telecommunications service shall only use, disclose, or permit access to individually identifiable customer proprietary network information in its provision of (A) the telecommunications service from which such information is derived, or (B) services necessary to, or used in, the provision of such telecommunications service, including the publishing of directories."

Also, Section 2702 of Title 18, part of the Electronic Communications Privacy Act, provides that "a provider of ... electronic communication service [including telephone service] to the public shall not knowingly divulge a record or other information pertaining to a subscriber to or customer of such service ... to any governmental entity" without the customer's consent or a subpoena or court order. Under section 2707, carriers face civil liability, including minimum damages of $1,000 per violation, punitive damages, and attorneys fees. Government employees who participated in a violation also may face administrative discipline.


http://www.cdt.org/publications/policyposts/2006/8/



NEWSLETTER
Join the GlobalSecurity.org mailing list