I’ll be testifying tomorrow afternoon before the Senate Select Committee on Intelligence, talking about the bill that bans NSA’s bulk collection of metadata.  It passed the House after small amendments that privacy groups are now complaining loudly about.

I don’t like the bill for quite different reasons.  My prepared testimony is here: Download Stewart Baker Testimony June 5 2014 to Senate Intelligence Committee

After explaining why bulk collection should not be banned, though it should be carefully regulated, here’s what I say about the privacy groups’ objections:

Everyone recognizes that if bulk collection requests are foreclosed, then the government must make individualized requests for data. And to do that, it has to give the companies specific search terms to use. Before amendment, the House bill said that the government could only ask the companies to use three kinds of search terms. They could only ask the companies to look for a suspicious “person, entity, or account.”

This was foolish. Clues come in many forms. What if the agency doesn’t know the suspect’s name but does know his internet address, or the unique identifier of his tablet? Those are properand specific search terms, and they are likely to be of value to terrorism investigators. So the bill was revised; now it allows the agency use search terms “such as … a person, entity, account, address or device.”

Some opponents have a beef with the addition of “address or device.” They claim that these words are too open-ended and ambiguous. But when asked to identify the ambiguity they fear, the critics offer only strained and unlikely interpretations. Senator Ron Wyden has said that the law as adopted by the House “could be used to collect all of the phone records in a particular area code, or all of the credit card records from a particular state.” This apparently rests on the remarkable view that a state or an area code is the same as an “address.” Wow. I knew Oregon was a big state, but I’m still surprised to hear that they’re using area codes as addresses out there.

Let’s be realistic. If that can be called an ambiguity, then no words will ever satisfy the critics. Why not object to the word “person,” for there are cases treating entire cities or counties as persons?

And dropping those words from the bill creates obvious and dangerous gaps in our ability to investigate terrorism. Take these examples:

  • Suppose that attackers use a VOIP phone as in Mumbai. The phone might have only an IP address. If we drop “address” from the list, the government can’t serve a 215 order asking for information about the online activities of that phone.
  • Or suppose that in a Mumbai-style attack the terrorists keep changing their SIM cards (and thus phone number); we would need to search not for the phone number but for the IMEI number that identifies the actual phone. Drop “device” from the list and the government can’t ask for that information.

Other opponents aim their fire at the words “such as.” They would drop those words, capping the list of search terms at five, or even three. This too is foolish and dangerous. Can the proponents of this change predict with perfect foresight which clues we’ll need to uncover the next conspiracy? I doubt it.

Again, a few examples show why we cannot foreclose the use of other specific search terms:

    • What if we pick up intelligence that tells us that a terrorist is staying in a particular hotel room and we want the hotel to produce his name? Is a hotel room an address? Without “such as” in the list, we’ll still be in court arguing about that when he checks out.
    • What if we face a terror attack like the Washington sniper case? Can we use section 215 to ask the phone companies to give us the numbers of any phones that were active in the vicinity of all five shootings when they occurred? That’s plenty specific, and a good idea too. I fear that even the current language might make it impossible for counterterrorism investigators to make such a request.
    • What if we learn a terror suspect’s license plate number? Can we use section 215 to search DMV records for his name? Not if we’re limited to the five terms listed in the statute.

I suppose that the practical answer to some of these questions is that the government won’t use its counterterrorism or national security authorities. It will rely on criminal subpoenas, which don’t come with any of these restrictions. But if that is so, if the intent is to let our intelligence agencies have all this information as long as they rely on law enforcement authorities, then we’re back to privacy theater.

Or privacy farce, since the result of the legislative changes is to put the United States Congress on record as giving fewer tools to those investigating terrorism and national security threats than to those pursuing muggers and embezzlers.