Is Section 215 No Longer Worth the Effort?

Susan Landau
Monday, March 11, 2019, 12:45 PM

Published by The Lawfare Institute

Last week, reports surfaced from the New York Times and the Wall Street Journal that the NSA may be shutting down the Section 215 program accessing domestic call detail records (CDRs). Asaf Lubin and I have been researching the program in light of the sunsetting of the USA Freedom Act later this year—and while we hadn't anticipated that the NSA might close down the program entirely, we are not entirely surprised. Controversy about the program was high, making it politically expensive to maintain. As Lubin and I examined the program, we became convinced that due to changes in technology and threats, the program was increasingly less useful. Meanwhile, it had been collecting flak for a number of reasons: the large number of CDRs it was amassing even as the number of people investigated dropped, along with the errors that led in June 2018 to the NSA’s deleting three years' worth of collected data. Lubin and I will have a longer analysis out later this year, but given the recent news, I thought I'd comment briefly now. Bobby Chesney has already given a history of the program here; I'd like to just add some detail before moving on to the recent issues.

Bulk collection of communications metadata had its genesis in the fall of 2001 under the authorization of President George W. Bush. In 2006, the program moved to a Foreign Intelligence Surveillance Court (FISC) process based on interpreting the "business records" provision of Section 215 of the USA Patriot Act to enable bulk collection. The FISC issued quarterly orders requiring communications service providers, both telecommunications companies and internet service providers, to serve up the equivalent of CDRs, namely, which number called which other number, when and for how long.

The email collection had a number of problems, but my focus here is on the CDRs, so I'll ignore the email issues. As Chesney wrote,

"The FISC, for its part, would grant such an order if and when it found the government had reasonable and articulable suspicion demonstrating that a specific target was involved in international terrorism and that that specific person was linked to a particular selector (a unique phone number). In short, the government would have to get the FISC's sign-off on its targeting, and then would depend on a series of telecom companies to replicate the contact-chaining inquiry seriatim, with the NSA left to consolidate and analyze the collective fruits from those company efforts."

Although the NSA could perform a three-hop search from this identifier, almost all searches were confined to two hops.

Despite a May 2006 USA Today story reporting the bulk collection, the program was largely unknown until the Edward Snowden disclosures in 2013. At that point, the secret law—or secret interpretation of a known law—attracted a great deal of attention and concern. While initial statements by the intelligence community brought up 54 incidents in which the bulk collection played a role in thwarting terrorist attacks, a careful examination by the Privacy and Civil Liberties Oversight Board (PCLOB) in 2014 concluded that only a single case was uncovered by the bulk metadata program: that of Basaaly Moalin, who, with three others, arranged support of al-Shabaab, a terrorist organization in Somalia. The PCLOB concurred that the program had other uses, including corroborating other investigations and also "negative reporting" that enabled government investigators to focus attention elsewhere. But the PCLOB recommended that the government end its Section 215 bulk metadata collection. So did the President's Review Group on Intelligence and Communications Technologies, which recommended that third parties hold the data instead. The USA Freedom Act, which implemented that approach, passed 18 months later.

At first all looked good. But there were two flies in the ointment. First, the agency had been receiving large numbers of records. In 2016 and 2017, the total number of orders was 40 in each year and the total numbers of targets were 42 and 40, respectively. But the NSA received 151 million CDRs in 2016 and 534 million in 2017. The second concern became public in June 2018, when the NSA announced that it would be deleting three years’ worth of CDRs because of "technical irregularities in some data received from telecommunications service providers ... result[ing] in the production to NSA of some CDRs that NSA was not authorized to receive."

Lubin and I have spent some time looking at these issues. The large numbers concerned us less. This is how the NSA explained the huge numbers of records:

"The metric provided is over-inclusive because the government counts each record separately even if the government receives the same record multiple times (whether from one provider or multiple providers). Additionally, this metric includes duplicates of unique identifiers—i.e., because the government lacks the technical ability to isolate unique identifiers, the statistic counts the number of records even if unique identifiers are repeated. For example, if one unique identifier is associated with multiple calls to a second unique identifier, it will be counted multiple times. Similarly, if two different providers submit records showing the same two unique identifiers in contact, then those would also be counted."

The situation around the “technical irregularities” resulting in overcollection is confusing. Marcy Wheeler suggested that the purge could be the result of misuse of location data. We think that is not correct—the NSA Transparency Report specifically says that it collects "session identifying information (such as originating or terminating telephone number, an International Mobile Subscriber Identity (IMSI) number, or an International Mobile Station Equipment Identity (IMEI) number), a telephone calling card number, or the time or duration of a call." We believe that, rather, the overcollection resulted from a subtle problem arising from the complexities of Signaling System 7 (the phone signaling protocols that connect and bill for phone calls) and/or mobile switching centers (telephone exchanges that connect mobile users to the public switched telephone network)—and that, as a result, incorrect numbers appeared in the records returned by the service providers. We do not have proof of this—the NSA is quite closemouthed about the specifics of the problem—but this seems the more likely cause. We will explain this issue in greater detail in our paper.

Let’s return to the June 2018 announcement that the NSA deleted three years’ worth of CDRs. In the initial announcement, the NSA did not say it can't fix the problem. Quite the contrary, the agency reported that the "root cause of the problem has since been addressed for future CDR acquisitions." So why is it reportedly considering closing down the program?

Studying which groups constitute the terrorist threat, their organizational structure, their communication methods and the change in communications technologies between 2001 and the present, Lubin and I conclude that Section 215 collection is no longer worth the effort. In 2001, telecommunications around the world were in transition between landline and cellular technology; within a half-decade, the shift to cellular had occurred. What that meant was that old telephone switches were replaced by modern ones. The consequence was that data about who was calling whom were much easier to discover. Among other things, with cell phones, you call a person, not a place.

The second transition was the change in the U.S. focus on terrorist organizations from al-Qaeda to the Islamic State. The issue is not simply that the Islamic State uses the internet to communicate; so does al-Qaeda. Instead, ISIS operates in a very different way than its predecessor did. Al-Qaeda used a top-down management style. No one who hadn't trained in terrorist camps in Pakistan or Afghanistan would be tasked with participating in a major attack. The CDRs are extremely useful for uncovering that type of organizational structure as well as finding its operatives within the United States.

The current threat of international terrorism, as manifested in the United States, operates quite differently. Its operatives are more often radicalized via the internet, at a distance. The group does not provide structured training or recruit operatives to work within an organization that CDRs can help reveal. And the communication techniques members use—encrypted chat, such as Telegram and WhatsApp—do not leave CDRs in their wake.

Section 702 authorities, which enable the intelligence community to target communications of non-U.S. persons who are outside the United States for foreign intelligence purposes, are quite valuable for these investigations. Section 215, not so much. That puts the disposal of three years of CDR records and the possible shutting down of the program in a very different light.

Congress and the civil liberties community have focused a great deal on what is being collected and how it is being collected. To be sure, both these issues are critical; one should never lose sight of the privacy and civil liberties concerns. But in the process, Congress appears to have ceased digging deeply into questions regarding efficacy of the collection, an issue that received a great deal of attention in 2013 following the Snowden disclosures. How has the change in terrorism threats, combined with the change in communications, changed the value of the program?

Some of these answers—unlike the ones about what went wrong in the collection between 2015 and 2018 that led the NSA to delete its records—are, in fact, quite visible. Technology keeps changing how the bad guys operate as well as how U.S. investigations work. The Section 215 case appears to be one in which the technical changes in terrorist communication methods and social changes in the terrorist threat combined to decrease the value of the program. Studying the change in the program’s value was something that could have been conducted largely through public examination. The lesson? In intelligence oversight, studying the trees is really important—but one should never lose sight of the forest while doing so.

Lubin and I expect to have our paper discussing these issues, including the technical aspects, out relatively soon.

Susan Landau is Bridge Professor in The Fletcher School and Tufts School of Engineering, Department of Computer Science, Tufts University, and is founding director of Tufts MS program in Cybersecurity and Public Policy. Landau has testified before Congress and briefed U.S. and European policymakers on encryption, surveillance, and cybersecurity issues.
