Championing Responsible National Security Policy

It's Time to End the NSA's Metadata Collection Program

(Illustration: CJ Ostrosky/POGO)

This piece originally appeared on Wired.

“If it ain’t broke, don’t fix it,” the adage goes. But for the sunset of Patriot Act authorities later this year—including Section 215, a controversial provision that allows the National Security Agency to collect records, including those about Americans’ phone calls—the more applicable phrase may be “If it keeps breaking, throw it out.”

In 2015, Congress passed the USA Freedom Act to reform Section 215 and prohibit the nationwide bulk collection of communications metadata, like who we make calls to and receive them from, when, and the call duration. The provision was replaced with a significantly slimmed-down call detail record program, known as CDR. Rather than collecting information in bulk, CDR collects communications metadata of surveillance targets as well as those of individuals up to two degrees of separation (commonly called “two hops”) from the surveillance target. But this newer system appears to be no more effective than its predecessor and is highly damaging to constitutional rights. Given this combination, it’s time for Congress to pull the plug and end the authority for the CDR program.

When the issues are taken together—severe costs to privacy, no evidence of security value, technical flaws—they indicate that we are better off without the NSA's metadata collection program.

It’s unsurprising that just last week a bipartisan group in Congress introduced a bill to do so. Last month, the New York Times reported that a highly placed congressional staffer had stated the CDR program has been out of operation for months, and several days later, NSA Director Paul Nakasone issued comments responding to questions about the Times story by saying the NSA was deliberating the future of the program. If accurate, this news is major but not shocking; this large-scale-collection program has been fraught with problems. Last year, the NSA announced that technical problems had caused it to collect information it wasn’t legally authorized to, and that in response, the agency had voluntarily deleted all the call detail records it had previously acquired through the CDR program—without even waiting for a court order or trying to save some of the data—indicating that the system was unwieldy and the data being collected was not important to the agency.

Since its inception, we have not seen a single publicized instance of the program providing any unique security value—and in fact, the program has damaged privacy significantly. In its most recent transparency report, the NSA announced that it collected a staggering 534,396,285 call detail records during the 2017 calendar year; the NSA states the number includes duplicates, but we have no way of knowing if this is a frequent issue. Without knowing scale of duplicates issues or average number of CDRs per person, it’s difficult to say how many Americans this affects—the NSA claims it is unable to determine this, despite statutory requirement to do so and publicly disclose it—but the number is certainly enormous. Our communications metadata can be highly sensitive and can reveal intimate details of our lives. Americans should not be subject to this type of surveillance absent suspicion, particularly if the program conducting it has not yielded any demonstrated value in preventing or investigating terrorism.

When the issues are taken together—severe costs to privacy, no evidence of security value, technical flaws, the NSA’s willingness to broadly discard data it has collected, and a recent media report that the program has been shut down—they indicate that we are better off without this program.

But it’s important that Congress does more than just end the CDR program. Many in the privacy and civil liberties community worry that if the Section 215 metadata collection authority is no longer in use, the CDR program could still be active but justified with a different legal provision, and out of the public’s view. The public can only have confidence that congressional reforms are effective and not a meaningless game of whack-a-mole if lawmakers and the Privacy and Civil Liberties Oversight Board conduct rigorous oversight to find out whether such a shift happened with the CDR program. And if Congress does end the program, it should build in legal restrictions to ensure that the program cannot be restarted under a different authority.

The problems with the CDR program seem to be a continuation of the government’s misplaced faith in the nationwide bulk collection program that the CDR program replaced. After the government’s vehement defense of the need for bulk collection, the President’s Review Group on Surveillance, the Privacy and Civil Liberties Oversight Board, and eventually even the intelligence community’s top-ranking official stated that it had not provided unique value and was not necessary to fulfill counterterrorism goals.

As the December sunset approaches for several PATRIOT Act authorities, including Section 215, it is clear that the failed experiment of large-scale metadata collection needs to end. Prohibiting nationwide bulk collection received strong bipartisan support in 2015 during the USA FREEDOM Act debate. In the House, 196 Republicans and 142 Democrats voted for the bill—and most of those who voted against it did so because they felt the bill’s reforms did not go far enough—while over two-thirds of Senators also supported the bill. Further limiting mass surveillance of communications metadata is likely to receive bipartisan support again, especially given the lack of evidence that it aids security.

Congress should go farther than ending the CDR authority, to take on additional critical reforms. In the wake of the Snowden disclosures, public faith in the intelligence community and the Foreign Intelligence Surveillance Court that rules on data-collection efforts under Section 215 has degraded. And more recent inaccurate and unsubstantiated criticisms of these entities have harmed trust further. The USA FREEDOM Act took important steps toward restoring that faith by requiring that significant FISA court opinions be declassified, and creating a special advocate to represent privacy concerns in the court’s proceedings. But these provisions should be strengthened. For years, The Constitution Project has advocated for creating a more robust special advocate; strengthening provisions for FISA court declassifications would be a critical change as well.

Congress should also consider a range of other reforms during this year’s PATRIOT Act debate, relating to minimizing data retention of non-targets, civil rights, and transparency. But the first problem to address, and the one with the clearest solution, is authority for the CDR. It’s long past time to pull the plug.