Newly declassified National Security Agency documents reveal that the agency didn't ask for court approval before collecting the location data of some cellphone users. That's a problem because location data is far more personal and revealing than other forms of "metadata" that the courts have held the government can access without court approval.
An April 1, 2011 memo to a member of the Senate Select Intelligence Committee from an attorney with the NSA's Office of General Counsel states that the Department of Justice advised the agency that collecting cell site location data for testing was fine under the current order. But NSA didn't ask for specific sign-off from the Foreign Surveillance Intelligence Court (FISC), the secret court that oversees the spy agency's programs. Instead, the memo notes that the NSA believes that Justice "orally advised" the court that the NSA was collecting location data sets for test purposes.
Here's the memo's account:
Based on that account, it appears that the FISC did not issue a specific opinion explicitly authorizing the collection of cellphone site location data -- instead, they relied on Justice's legal interpretation of the existing metadata order, likely similar to the Verizon order revealed in June. That's not particularly surprising, because "location information is considered metadata, not content, and therefore the government believes there are lower standards governing its collection," explains Amie Stepanovich, the director of the Domestic Surveillance Project at the Electronic Information Privacy Center. Indeed, as recently as this summer NSA officials told reporters that the NSA is authorized to collect the location information of callers but that it chooses not to.
But Stepanovich believes that bypassing FISC approval for the collection of location data is a troubling practice. "By leaving the FISC out of the decision process," she argues, "the NSA is evincing a wanton disregard for meaningful oversight and for the sensitivity of the information at issue."
The big concern here is that cell site location data can provide a very detailed portrait of how an individual moves through the world -- essentially turning a phone into a tracking device that can help piece together the relationships and activities that are unique to that person. Because there are likely few, if any, people in the world who follow the exact same routine every day, collecting cell site location data is much like tracking a fingerprint. There's an ongoing legal debate over whether location tracking requires Fourth Amendment protections.
Much of the U.S. government's authority to collect metadata without a warrant is derived from a 1979 Supreme Court ruling over the small-scale collection of call records. But that ruling was made long before the widespread use of cellular technology and the surveillance applications that came along with it. The courts haven't set clear precedents on how location data should be handled given those more current applications.
A July ruling from the United States Court of Appeals for the Fifth Circuit held that individuals don't have a reasonable expectation of privacy for location data collected by phone companies, calling the data the equivalent of a "business record." But the U.S. Court of Appeals for the Third Circuit recently held that police need a warrant to attach a GPS tracker to the vehicle of a suspect. And in a ruling on similar GPS case last year, five Supreme Court Justice suggested that even without a physical trespass, ongoing electronic surveillance may be "an unconstitutional invasion of privacy." But the court did not rule specifically on how the government may use private data collected by modern technology.
So it's problematic that the NSA didn't seek judicial approval before embarking on trials with cell site data. The FISC is supposed to be the judicial oversight for legal issues involving sensitive national security concerns. But it never had an opportunity to weigh in on this case.