Spy Tools In Need Of a Law

By David Ignatius
Wednesday, May 17, 2006

Let's take a hypothetical problem: An al-Qaeda operative decides to switch cellphones to prevent the National Security Agency from monitoring his calls. How does the NSA identify his new cellphone number? How does it winnow down a haystack with several hundred million pieces of straw so that it can find the deadly needle?

The problem may seem hopelessly complex, but if you use common sense, you can see how the NSA has tried to solve it. Suppose you lost your own cellphone and bought a new one, and people really needed to find out that new number. If they could search all calling records, they would soon find a number with the same pattern of traffic as your old one -- calls to your spouse, your kids, your office, your golf buddies. They wouldn't have to listen to the calls themselves to know it was your phone. Simple pattern analysis would be adequate -- so long as they had access to all the records.

This, in simple terms, is what I suspect the NSA has done in tracking potential sleeper cells in the United States. The agency can sift through the haystack, if (and probably only if) it can search all the phone and e-mail records for links to numbers on a terrorist watch list. The computers do the work: They can examine hundreds of millions of calls to find the few red-hot links -- which can then be investigated under existing legal procedures.

There's one overwhelming problem with this pattern-analysis approach: It may be illegal.

When the Bush administration ordered the NSA after Sept. 11, 2001, to use aggressive techniques to find al-Qaeda operatives, this sort of data mining was one obvious response. President Bush's lawyers argued that he had inherent authority as commander in chief to order such surveillance to protect the country. The NSA accepted the administration's position, but the potential privacy problems worried NSA lawyers enough that they also ordered extensive internal controls, including audit trails, restricted access to databases and other oversight. NSA officials feared there might eventually be a problem, and now there is a big one -- after a USA Today story last week disclosed the program.

Gen. Michael Hayden, who ran the NSA when the program began, will be questioned about it tomorrow when the Senate holds a hearing on his nomination to be CIA director. Hayden may not say much in public, but within the intelligence community he has long been an advocate of data mining and link analysis, calling it "the future of SIGINT," as signals intelligence is known. To explain the basic concept of pattern analysis, Hayden has told audiences that if you could monitor, say, the timing and pattern of calls on Super Bowl Sunday, you would know which teams were playing, how the game progressed and perhaps even who won.

The NSA program poses the most difficult questions about privacy, intelligence and the law. The first essential task is to strip away some of the legal misinformation, starting with constitutional issues. The Supreme Court for decades has accorded a lesser privacy right to calling-record data -- which the NSA likes to call "meta-data" -- than to the underlying content. The court held in a 1979 case, Smith v. Maryland , that "it is too much to believe" that telephone users expect the numbers they dial will be secret, when those numbers appear in bills, phone logs and other business records.

Though Congress in the 1980s legislated greater privacy rights for calling data than the court had found in the Constitution, it narrowed those rights in amendments to the Foreign Intelligence Surveillance Act, which allowed FISA warrants for searching call records if the information was "relevant to an ongoing investigation" of terrorism. Details about the numbers being examined had to be provided only "if known."

The breadth for surveillance power that already exists under FISA has led Rep. Jane Harman (D-Calif.) and others to argue that FISA itself can accommodate the NSA program without further amendments. She introduced legislation last week that would provide additional resources for the administration so that it can comply with FISA. There's also an argument that the administration could submit a general blanket request for data-mining authority, which House Democratic leader Nancy Pelosi described in January as "the mother of all FISAs."

These would be easy fixes, but they would duck the basic issue: Is it legal for the NSA to obtain and keep the nation's phone records to identify who is getting calls from terrorists? Do Americans support that trade-off of privacy for security? It should be obvious now, as the temporary anti-terrorist structure created after Sept. 11 begins to crumble, that the only stable framework going forward will be one that brings these programs clearly and firmly under the rule of law.


© 2006 The Washington Post Company