Ever since the first Snowden leaks about the way the NSA interpreted Section 215 of the PATRIOT Act to allow it to collect all call records
from various telcos, one of the key arguments that has been made by the program's defenders is that it was necessary to have every single call record to make the important connections between terrorists. Multiple officials have argued that to find the "needle in the haystack" they need to be able to collect the whole haystack
. In fact, that was part of the argument made by the few judges who have reviewed and approved this program. In the very first FISC ruling
that actually analyzed the legality of the program (as opposed to earlier approvals that never bothered with an analysis), the court clearly indicated that it was necessary to collect everything:
The government depends on this bulk collection because if production of the information were to wait until the specific identifier connected to an international terrorist group were determined, most of the historical connections (the entire purpose of this authorization) would be lost. The analysis of past connections is only possible "if the Government has collected and archived a broad set of metadata that contains within it the subset of communications that can later be identified as terrorist-related." Because the subset of terrorist communications is ultimately contained within the whole of the metadata produced, but can only be found after the production is aggregated and then queried using identifiers determined to be associated with identified international terrorist organizations, the whole production is relevant to the ongoing investigation out of necessity.
That legal tapdancing aside, it basically argues that the only way this data makes sense is if the NSA has all of it. Similarly, when Judge William Pauley found the program legal
late last year, he too relied on the argument that the NSA needed all the data.
And yet... it appears that they're actually not getting that much data. A new report from the Washington Post claims that the NSA is actually only getting between 20 to 30% of the data
. The Wall Street Journal rushed out a quick story claiming it's actually less than 20%
Apparently, while the NSA has gotten approvals to get data on landline
calls from Verizon and AT&T, it actually hasn't yet gone after the same data from most mobile
phone calls. For example, even though it gets Verizon landlines, it apparently does not collect the data on Verizon Wireless. Nor does it collect the data from T-Mobile. There are somewhat conflicting reports as to why this is, but the Washington Post piece suggests that the incident in 2009 in which FISC chief judge Reggie Walton nearly shut the whole program down
over compliance failures has basically stopped the NSA from updating the program, because everywhere they look there have been more (you guessed it) compliance failures, and they're simply not set up to handle mobile phone data. Update
: And some are questioning the whole claim here, noting that the orders that have been revealed do appear to request IMEI and IMSI data
-- information that is only associated with mobile phones.
“It’s not simply the ability to go to the court and order some vendor to give you more records, but you have to make sure that the [agency’s collection system] is prepared and ready to take the data and meet all the requirements of the court,” the former official said. “You don’t want to turn it on and get hundreds of millions of records, only to find out that you’ve got the moral equivalent of raw sewage spilling into the Chesapeake Bay.”
The process of preparing the system can take months, said the senior U.S. official, adding that mobile calls have different data elements than land-line calls. “That’s a really detailed set of activities where we get sample data in, and we march it through our systems,” the official said. “We do that again and again and again. We put in auditing procedures to make sure it works. So before we turn on that mobility data, we make sure it works. . . . It’s very complex.”
Compounding the challenge, the agency in 2009 struggled with compliance issues, including what a surveillance court found were “daily violations of the minimization procedures set forth in [court] orders” designed to protect Americans’ call records that “could not otherwise have been legally captured in bulk.”
As a result, the NSA’s director, Gen. Keith Alexander, ordered an “end-to-end” review of the program, during which additional compliance incidents were discovered and reported to the court. The process of uncovering problems and fixing them took months, and the same people working to address the compliance problems were the ones who would have to prepare the database to handle more records.
Basically, there have been so many compliance problems that the NSA has had to work overtime to try to fix their systems and prepare for an influx of mobile phone data. The Wall Street Journal version of the report says that part of the problem is the NSA can't figure out how to strip location data from mobile phone data, and because collecting that information might lead to compliance issues, they haven't been able to figure out how to do it without running into more trouble down the road.
But fear not, surveillance state lovers, the NSA is getting ready and its goal is to get back to collecting nearly every phone record from every phone provider. Once the systems are in place, they appear to fully intend to send over some requests to the FISA court to get all those mobile operators to comply as well. One hopes that, this time, with so much more awareness of what's going on, at least one of those mobile operators will fight back.
Either way, this whole thing actually shows just how ridiculous the NSA's claims are that it absolutely needs all this data to keep us safe. The very fact that this report is coming out in both the Washington Post and the Wall Street Journal at nearly the same time suggests a stupid sort of PR attempt on the part of the NSA, which seems to think that after months of insisting they need it all, they can now placate people by saying "well, we really only collect about 20% of the data (though we're hoping to collect it all)." Not only does this actually highlight the widespread compliance problems with this data, it further shows that the argument that somehow collecting it all is necessary to keep us safe is just completely wrong.