Section 215: The “gentlest touch” or “database of ruin”?

On April 20, 2015, the Army Cyber Institute at West Point hosted a debate on the question, Privacy & transparency vs. intelligence collection capabilities: What takes precedence?

The debaters were General Michael Hayden, former Director of the NSA and CIA, and Dr. Christopher Soghoian, Chief Technologist, ACLU. The debate was moderated by Stephanie Pell, Ethics Fellow, Army Cyber Institute. A videotape recording of the debate is available on Youtube. We have excerpted Prof. Pell’s joining of the issues, and the points of view of Gen. Hayden and Dr. Soghoian.

Hayden-Soghoian debate - Army Cyber Institute, West Point - 20150425

Prof. Pell: In about six weeks, on June 1st of 2015, section 215 of The Patriot Act will expire unless Congress re-authorizes it. So the question for our debate today is whether Congress should provide a clean and unqualified re-authorization of this law, which would permit the government to continue its bulk collection of American telephony metadata. Now, what is section 215? It’s an intelligence collection authority, it’s a statute that allows the government to compel any tangible thing from a third part – like a phone company, or a rental agency, or a hotel – where there are reasonable grounds to believe that the information is relevant to an authorized investigation to protect against international terrorism. Sounds reasonable, correct? Government is doing a particular investigation to protect the United States against international terrorism, and it needs a particular set of records -whether they be phone records, whether they be hotel records. So why, then, was section 215 the subject of the very first story published about the Snowden disclosures in June of 2013? Well, here’s the controversy. This authority was actually being used to compel from phone companies on an ongoing basis to give the government records of every phone call that was being made, and when I say every phone call what I mean is numbers that every phone is calling, and numbers that are calling that phone, the time, the date, and the duration of those phone calls. Now we’re not talking about the content of the calls. What we later learned through declassified information – everything we’re talking about here today has been declassified – is that the NSA had created a massive database to collect all these telephony metadata records and here’s in a nutshell essentially what it was doing- again, with the idea of protecting against an international terrorist attack. Let’s say you have a seed identifier – s-e-e-d – usually a phone number, where there is a reasonable, articulable suspicion that that number is associated with a terrorist or a terrorist organization. What the NSA would want to know is if this known terrorist number was communicating with potentially unknown terrorists in the United States. So it would take that seed identifier and it would run it against the phone database and see, are there any connections with that seed identifier number calling any numbers in this domestic telephony database, or any numbers in the database calling that number? Now, when it was disclosed that the statute was being used to authorize this kind of bulk collection on an ongoing basis, there was criticism across the legal community. The question was, how could an entire database of phone records being collected on an ongoing basis be relevant to a particular international terrorist investigation? In fact, the Privacy and Civil Liberties Oversight Board, which is a bi-partisan, independent government agency, which is tasked with looking at the actions the Executive Branch takes to protect us against international terrorism and evaluates whether privacy and liberty considerations are appropriately being taken into consideration in the Executive Branch’s execution of those actions. Here’s one of things that the Privacy and Civil Liberties Oversight Board said:

In the Board’s view, this interpretation of the statute is circular and deprives the word “relevant” of any interpretive value. All records become relevant to an investigation under this reasoning, because the government has developed an investigative tool that functions by collecting all records to enable later searching. The implication of this reasoning is that if the government develops an effective means of searching through everything in order to find something, then everything becomes relevant to its investigation. The word “relevant” becomes limited only by the government’s technological capabilities to ingest information and sift through it efficiently.

So, General Hayden, let me stop here and turn to you. I’ve ended my understandably very brief summary of this program with one …

Gen. Hayden: It was very accurate, thank you.

Prof. Pell: … thank you … with one particular criticism levelled by the legal community and the Board –  the Board we’ll call them to be short – and forgive me, because I’m a lawyer, but this program has rendered the word “relevant” to be irrelevant. But you, perhaps, more eloquently than anyone in the past, have defended this program, please tell us why.

Gen. Hayden: The quotation that Professor Pell just read to you from the Privacy and Civil Liberties Oversight Board was a product about a year ago now of their look at the 215 program. The vote on the Board, a five person Board, the vote on the Board for that product, was three-to-two, and by and large the vote was largely along party lines, depending on who was appointed to the Board and what their background was. Um, it raised very important arguments, but a lot of people, myself included, wonder why the Privacy and Civil Liberties Oversight Board is second-guessing the American court system with regard to what a statute does or does not mean. This statute has been reviewed by judges about three dozen times – thirty-six, thirty-seven – right now, it’s thirty-six-to-one in the view of the court system, which is actually the organ of government that’s designed to make these kinds of decisions, that it was relevant, that is was lawful, and that it was constitutional in terms of what the 215 program did with regard to the records. Now I understand, Stephanie has a great point, that this was a story first pushed out there by Glenn Greenwald and Bart Gellman with the Snowden revelations because it’s a story about you, it’s your record, there is no ambiguity whatsoever about this, that’s a lot of American data sitting in servers at Fort Meade, Maryland – and that naturally, given our political culture and our history, raises a whole host of questions, with regard a concern of that much data being in the hands of the federal government. I think as we go forward what we need to discuss also then is what happens to the data, because it’s the totality of that, which I think gets us to both the relevance and the reasonableness – attributes that make this program both worth doing and legally worth doing. …

With regard to the Why of the program – I was the Director of the National Security Agency on September 11th, 2001. What we saw there, what we saw there was an erosion of some traditional divisions in our way how Americans decided to keep ourselves both safe and free. Over the long term we had decided we could, because of our history, and really because of our geography, put “foreign” over there, and “domestic” over here, we could put “intelligence” over there, and we could put “law enforcement” over here, and because of a lot of things – and we can discuss that if you like – because of a lot of things 9/11 showed us, those old divisions – foreign-domestic, law enforcement and intelligence – just weren’t quite as crisp as they were. And that simple separation of those things may not be the best way going forward for us to keep ourselves both safe and free. There was a committee formed, called the JIC, the Joint Inquiry Commission, it was an unusual thing – almost like the Civil War committee on the conduct of the war, which they combined both House and Senate to look at why did 9/11 happen? They levelled several criticisms at NSA. The core criticism of NSA by the American Congress within a year or so of 9/11 – was NSA was far too cautious, far too cautious, when it came to the kind of terrorist communications most important to defending the United States. And then they went ahead and defined what those communications were: terrorist communications, one end of which was in the United States of America. This program was the gentlest touch we could come up with to respond to that requirement and criticism, and still balance that security need with privacy.

Prof. Pell: So, let me turn to Dr. Soghoian and pick up on General Hayden’s “gentlest touch” language. Dr. Soghoian, it’s only metadata, a bunch of records of telephone calls, phone numbers, dates of calls, times of calls, durations of calls, what’s the big deal?

Dr. Soghoian: … So, to Professor Pell’s point – It’s true, the U. S. government has a database of records from most of the phone companies with a huge amount of information about telephone calls, and it’s true this does not include the names of people, this does not include what is said on the phone. But let’s just think for a second of what you get if you have a database of most of the telephone calls that take place in this country. Within that database are calls to suicide hotlines at 2 in the morning, within that database are calls to abortion clinics, or to gun stores, or to psychiatrists, does it really matter what you say, if the government knows that you were talking to someone at a suicide hotline for an hour? Does it really matter, if you’re calling an alcohol assistance hotline, or a gambling hotline? It doesn’t matter, that information could both be embarrassing to you personally, it could harm your career, it could harm your relations with your loved ones, and with others in your community, if it were to become known at a later date. One of my friends and colleagues, a professor in Washington, D.C., Paul Ohm [Director, Center on Privacy and Technology, Law Faculty, Georgetown University] describes a “database of ruin” – the idea that there is a database out there somewhere that contains information about all of us that, if it were to become public, could destroy our lives. Now, I’m not saying that the NSA is going to make that information public, but the U. S. government doesn’t have a particularly good track record of keeping things secret in the long term, and so I really want to push back on this idea that this is data that isn’t really that sensitive – I also want to quote from something that General Hayden has said in the past which is that the U. S. government kills people based on metadata, this is extremely sensitive and important stuff and that’s why the government wants it, let’s not kid ourselves.

Gen. Hayden: I did add, we didn’t use this metadata for that [laughs].

Dr. Soghoian: Right, yeah, you used data about other people in other countries. But metadata is powerful. In some ways, metadata is more important than content, for the simple reason that metadata can be analyzed at scale with computer software. If you have the content of an email or the content of a telephone call, you have to first somehow transcribe it, either with a computer or a human, you have to maybe translate it into a language that’s useful if it’s not in your native language, and then you just figure out what someone’s saying. If someone says, “The package is coming at midnight” does that mean that “FedEx is coming at midnight” or does that mean” there’s an attack happening at midnight”? With metadata you don’t have to deal with that. Every email, regardless of which country it is sent from, and regardless of which language the person who wrote it speaks, has a subject line, it has a To, it has a From, it has a Time, and that kind of structured data lends itself to large-scale, systematic analysis, the kind of analysis that the intelligence community does so well. That kind of data truly powers the oppressive surveillance that we are now operating under. I’m actually more worried about government collecting metadata than I am about content because I don’t the NSA or any other government could actually make full use of all of the content of our emails, but metadata they can use right now.

Note: Less than a month after this debate, the U.S. Court of Appeals for the Second Circuit in ACLU v. Clapper ruled that the NSA’s telephone records program went far beyond what Congress authorized when it passed Section 215 of the Patriot Act in 2001.