Declassified Opinion Shows The NSA Exploited Pen Register Statutes To Collect Internet Metadata On Millions Of Americans

from the the-box-has-no-edges... dept

The Office of the Director of National Intelligence has just released a very large set of declassified documents, covering a variety of topics. (Just a friendly reminder: these documents are being released because of a court order, not because the ODNI loves transparency, no matter how it’s phrased at I CON THE RECORD.) Of particular interest is one that appears to be the original court opinion that gave the NSA permission to collect bulk internet metadata on Americans, better known as the Stellar Wind program, which ran for a decade before being shut down in 2011.

Orin Kerr, writing for (watch your step) the Lawfare blog, breaks down the questionable arguments the government presented and the leaps the presiding judge (Colleen Kollar-Kotelly) made to grant this request.

To begin with, the government presents this collection as nothing more than a modern-day pen register. As Kerr explains, the privacy bar for pen registers is set incredibly low.

The federal pen register authorities use a mere certification standard. Under the national security version of the pen register statute, the FISC is required to approve an application for pen register surveillance whenever the Attorney General (or an attorney he designates) certifies under oath “that the information likely to be obtained” from the monitoring “is relevant to an ongoing investigation to protect against international terrorism or clandestine intelligence activities,” 50 U.S.C. 1842(c)(2). As long as the government has issued its certification, and the judge concludes that the government’s application falls within the statute, “the judge shall enter an ex parte order.” 50 U.S.C. 1842(d)(1). The government doesn’t have to say why it thinks the standard has been satisfied; it just certifies under oath that it does. And the judge has no authority to look behind the government’s assertion to see if its factual basis is strong, weak, or completely absurd. See generally In re Application of the United States, 846 F.Supp. 1555 (M.D. Fla. 1994). The judge’s only role is making sure the government checked the box and made the required certification under oath.

There’s a reason why the bar is set so low. It’s inherently limited.

The pen register authority permits monitoring of a suspect’s non-content metadata unprotected by the Fourth Amendment for a window of time, investigative steps outside the Fourth Amendment than are akin to tailing a suspect in public or obtaining a mail cover to monitor the outside of their mail.

So, all a judge is looking for is a box ticked by a US Attorney. If that’s present, then the pen register collection can proceed. But this is a surveillance method that is targeted at one particular suspect. It’s not used to collect data on multiple persons at one time. Certainly multiple pen registers can be obtained in order to collect multiple sets of metadata, but each request is singular. Or was, until the NSA decided to extrapolate the singular pen register into a bulk collections program.

[I]t wanted an order forcing a provider to record and disclose Internet metadata in real time on an ongoing basis for potentially tens of millions of customers, all with a single order obtained with no judicial review based on a mere certification by the Attorney General.

The government took this low bar and convinced a judge that there was technically no difference between collecting metadata on ONE person and collecting metadata on millions. It wasn’t just the government doing the rhetorical legwork. Kerr points out that the presiding judge ignored several statutory clues within the pen register law that indicated it was never meant to be used for bulk, untargeted collections.

The statute authorizes the judge to issue an order requiring the installation of “a” pen register to monitor “the person who is the subject of the investigation.” 50 U.S.C. 1842(d)(1)-(2). This is written in the singular, suggesting that each pen register requires a subject.

Furthermore, she buys into the government’s arguments that the ends justify the means.

She then concludes that the bulk collection is reasonable in a Fourth Amendment sense — not that the Fourth Amendment applies, as this is just metadata, but rather in the policy sense that the program represents a sensible balance between security and privacy along the lines of that required under Fourth Amendment reasonableness precedents. The application is thus granted because, all things considered, the program does seem to be a pretty good way to find terrorists. See pages 49-54.

This argument has been used more than once by the government to defend the NSA’s collections. The government extrapolates from the fact that if something isn’t a violation of civil liberties for one person (i.e., bulk records collections) than it’s not a violation when the program collects records on millions. The courts have backed this up: rights do not spring into existence ex nihilo.

The government used this argument to address Basaaly Moalin’s claims that records obtained under the Section 215 program violated his constitutional rights. In the most basic terms, it claimed that if an intelligence (or law enforcement) agency can surveil one person without violating their Fourth Amendment rights (using bulk records, etc.), it can do it to everyone. (Perversely, it then spins around and claims this is why no one has standing to sue the government over these untargeted collections.)

So, the expansion of the previously targeted pen register program into a bulk internet metadata collection relied on the same basic argument. Even if the statute is written in a way that specifies singular targeting, the government would argue that the statute is equally applicable to collecting data on millions of people — all of it needing no more authority than a signature of a United States Attorney.

All things considered, it’s rather surprising the Stellar Wind program was shut down. The NSA certainly has shown no desire to eliminate a program, even if it produces large amounts of nearly-useless data. More than likely, the program was just supplanted by a better dragnet. Right about the time Stellar Wind shut down, a rules change to the Section 702 collections program gave the NSA “permission” (via a new loophole) to target Americans directly.

Also of note: while there’s no date on this document (redacted, of course), the internal citations [Lamie V. United States Trustee, 124 S. Ct. 1023, 1030 (2004), p. 7; Engine Mfrs. Ass’n v. South Coast Air Quality Mqmt. Dist., 124 S. Ct. 1756, 1761 (2004), p. 14] suggest this opinion was the end result of another post facto search for permission by the NSA. The program supposedly began in 2001, but the court doesn’t actually address the collection until 2004, at the earliest. This may be the point that the NSA first sought to collect metadata on Americans, with all previous collections being foreign only — but without further documentation (and factoring in the agency’s tendency to collect first, seek approval later), there’s no way to tell if the NSA was collecting internet metadata without even the barest minimum of legal approval previous to this opinion.

Filed Under: , , , , , ,

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Declassified Opinion Shows The NSA Exploited Pen Register Statutes To Collect Internet Metadata On Millions Of Americans”

Subscribe: RSS Leave a comment
Anonymous Coward says:

Mosaic theory

Yesterday’s article, regarding the FBI’s fears of the FOIA master getting too many puzzle pieces, seems applicable.

Invoking a legal strategy that had its heyday during the Bush administration, the FBI claims that Shapiro’s multitudinous requests, taken together, constitute a “mosaic” of information whose release could “significantly and irreparably damage national security” and would have “significant deleterious effects” on the bureau’s “ongoing efforts to investigate and combat domestic terrorism.” So-called mosaic theory has been used in the past to stop the release of specific documents

In that case, the FBI is saying that it’s right to secrecy springs up ex-nihilo because of the bigger view of the puzzle the information gatherer is getting. I think the same higher scrutiny should apply to these bulk collections. There is more information that the NSA is obtaining by having the ability to connect all the metadata, than what each each individual piece provides. That should result in higher court scrutiny than what is provided for an individual pen register.

Anonymous Coward says:

“The application is thus granted because, all things considered, the program does seem to be a pretty good way to find terrorists.”

This is hwo you know FISC isn’t a court. It’s trying to help the government rather than weighing the risks or means of the implementation.

This isn’t a court, a case, or a decision being made by a judge, it’s a rubber stamp even if the FISC court doesn’t want to admit it is.

“The courts have backed this up: rights do not spring into existence ex nihilo.”

This may have made sense before computers, social media, and the digital age in general, but it probably should be reviewed again. Still the real difference is the “targeting” portion. You can target a person or a (small/limited) group of people, but it becomes a dragnet/surveillance when you’re just gathering data because you can. That’s the difference and where the invasion of rights takes place.

out_of_the_blue says:

And that's why information held by corporations should be strictly regulated.

Including your precious Google.

Lawyers can always argue their way to any conclusion because never include human decency or morality in their “opinion”. Lawyers are as close to sharks and killer robots as is possible for human-shaped flesh and blood to be.

Lawyers created legal fictions called corporations precisely so that criminal acts can be done without personal responsibility, only money fines.

Every bit of info the legal fictions called corporations hold, gov’t will end up with — and it’s actually very little use for any honest purpose of gov’t, but IS of high value to the police state — and rest of time the corporations will only use it to annoy and control people. So why would anyone want to forego controlling corporations from collecting info in the first place? — The world worked just fine before computers made possible such collecting and collating. — And while dolts who wish to could always opt-in for perceived advantages, the problem is that there’s no way for anyone to opt-out: at best one is shut out of ordinary commerce; at worst, won’t be long before gov’t can with one click literally make anyone an “unperson” as in “1984”, cut off from all banking and literally not able to even buy food.

Collection of data on persons is just the first step to actual control, a high-tech police state that doesn’t even need to use machine guns, will just let dissidents starve.

And the mega-corporations are not just going along with the technocracy but driving.

Gwiz (profile) says:

Re: And that's why information held by corporations should be strictly regulated.

…won’t be long before gov’t can with one click literally make anyone an “unperson” as in “1984”, cut off from all banking and literally not able to even buy food.

Well, that’s one vision of the future. While I tend to agree that the gradual replacement of legal tender (ie: folding money) with electronic transactions is problematic in regards to privacy and control issues, I don’t believe it will ever reach such doomsday proportions that you are projecting here. Humans have bartered amongst each other for goods and services since the dawn of time and nothing will ever truly replace that.

Violated (profile) says:

Proof these FISA Judges are morons.

To spy on one person makes them a suspect. To spy on everyone makes the whole population a suspect even if there has been prior indication of wrongdoing.

They seem to have forget the aspect of “targeted” where that range should always be set as very narrow. So indeed a violation of the US Bill of Rights.

John Fenderson (profile) says:

Re: Re: Re:3 Re:

We can agree to disagree on this. In a sense, it makes no difference.

However, I’ve been seeing an increasing number of people saying that the actions of various peoples in power are coming from a place of stupidity. I think this is a dangerous thing to believe, because it can so easily lead you to underestimate those who are trying to oppress you.

The old adage of never attributing to malice what can be explained by stupidity is very, very often wrong.

Anonymous Coward says:

and still Congress doesn’t do anything to stop it from continuing now or in the future. there has been plenty of posturing but only one actual attempt to curtail the practices and that was booted into touch! what the hell is the point of continually moaning about something, having the opportunity of changing things for good and then turning backs to it? typical politician attitude of ‘we’ll keep taking the money but as soon as there is a up front vote needed, we’ll just step back and let things wash over us! nothing short of cowardly really!!

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...