The debate about the National Security Agency’s bulk collection of phone records is focused too much on one side of the program.
As of Wednesday, when the Obama administration released some documents on the NSA’s activities and a Senate committee held another hearing, Americans already knew that the government has been indiscriminately collecting Americans’ phone records, but only accessing them under specific circumstances. The public already knew that the NSA keeps those records for five years. We already knew that the NSA has to document a “reasonable, articulable suspicion” that a phone number is linked to a worthwhile foreign intelligence target before entering the database to gather information on the contacts connected to it. We already knew that only 22 NSA agents have the authority to open the database. And we already knew that the Foreign Intelligence Surveillance Court reviewed the NSA’s activities, to an extent.
So, a lot of the recent discussion has concerned how much review goes into the decision to target an initial phone number when the NSA opens its database. One of the just-declassified documents, a 2011 white paper explaining the program to Congress, plays that up, too; it seems to have been an important part of selling lawmakers on the system. But all of this attention on the choosing of that initial number neglects the question of what happens after NSA agents go in.
Another document just released, a Foreign Intelligence Surveillance Court order authorizing the metadata program, explains that the NSA can query the database either manually or “through the automated query process.” The details of the automated process were redacted, but the document mentions that the results are “hop-limited.” Presumably that refers to how extensive NSA agents decide the query results should be; they might look not just at the contacts of the number that they initially input, but contacts of those contacts, and perhaps even another “hop” to another degree of separation out — contacts of contacts of contacts.
But in looking through all of that data, how do NSA employees decide when they need to perform more hops? And, once they have all of the resulting information, how do they decide which numbers to scrutinize, and which to discard?
At a Senate Judiciary Committee hearing Wednesday, NSA Deputy Director John Inglis explained that his agents “try to be judicious about when to do a second hop.”
“If on that second hop you see that that’s hopped to a foreign number already known to the intelligence community, because it’s a known terrorist, you’d want to make the third hop to understand what’s beyond that.”
Though that process would still probably rake in innocent Americans’ phone records, and though the automated query process is still a little mysterious, Inglis argued that it is a waste of time for the NSA to look closely at those of the “pizza delivery man” whose phone number gets churned up. He noted that NSA agents last year used 300 suspect numbers to begin queries of the database, and they ultimately passed 500 numbers to the FBI for further investigation based on their querying. The FISA order explains that, when passing on an American’s information, a qualified member of the NSA must claim that it is “related to counterterrorism information and necessary to understand counterterrorism information or to assess its importance,” though these claims don’t appear to receive much outside review.
Maybe that, along with the procedures we don’t know about, are enough. The trouble is that the NSA has, on its own hard drives, a very powerful tool with which its agents can easily and quickly learn a lot about how ordinary Americans live their lives, if the checks on the agency’s behavior are too weak, or if someone with power in the agency decides to bend or break the rules in place. That tends to encourage people outside the intelligence enterprise to want a lot of oversight. It is why assurances that NSA agents “try to be judicious” when they sift through many hops of metadata still make people nervous. And it is why, during and after the 2011 Patriot Act reauthorization, lawmakers whom those Americans trusted to write the law and oversee its implementation should have been asking a lot about the rules governing how the NSA sorts through its database, and how well those rules are followed. If they didn’t then, they certainly should now.