"Data handshakes," call records, and the NSA's back door into telecom companies reveal that the Senate's plan to protect Americans' privacy would have done no such thing.
- By Marcy WheelerMarcy Wheeler is an independent journalist who covers civil liberties and national security.
A lot of seemingly nonsensical claims were made during Tuesday night’s debate on the USA Freedom Act, the bill that would have shifted control of Americans’ phone records from the National Security Agency (NSA) to telecom companies.
Sen. Marco Rubio (R-Fla.) claimed that if the government didn’t hold Americans’ phone records, they "may not be there" if and when the FBI needed them, even while noting that cops investigating common crimes routinely obtain those "very same records." Sen. Susan Collins (R-Maine) suggested that Americans’ phone records would be far more exposed to privacy abuses if held by phone companies than by the government — even though under the current scheme, two copies are held, one by the NSA and one by the telecom, whereas under the proposed plan just one copy would be held. Similarly, Sen. Saxby Chambliss (R-Ga.) said the intelligence community needs the dragnet to prevent people from carrying hatchets around the streets of New York — ignoring, of course, that Zale Thompson, the man who did just that last month, didn’t actually call any terrorists before carrying out his attack. He just surfed the web.
Some of these seemingly nonsensical claims — all made by Republicans on the Senate’s Select Committee on Intelligence who are privy to the most secret aspects of this program — might be explained by revealing comments from Dianne Feinstein (D.-Calif.), the committee’s chairperson. The USA Freedom Act failed to advance by a vote of 58 to 42. But a look at some of Feinstein’s comments during the debate over the bill reveal that protecting Americans’ privacy may not have been the only reason she supported the bill.
Under current practice, the NSA obtains some significant portion (the exact amount is unclear) of all the call records of all Americans every day and dumps them into a database along with all previously collected records. The NSA is allowed to do this under the authority of Section 215 of the Patriot Act, which is sometimes referred to as the "business records" provision because it permits the government to obtain any "business records" a company holds if they support a national security investigation.
The Foreign Intelligence Surveillance Court authorized the government to obtain phone records as business records and also permits the NSA to retain those records for up to five years. When the NSA finds someone suspected of having ties to terrorism, it can then go into the database and pull up not just the records of all the people the suspect has called, but also those of all the people those people have called, going back five years in time.
Opponents of reform efforts like the USA Freedom Act complain that the government will lose access to those five years of data. It’s publicly known that the major telecom companies differ in how long they hold call detail records. AT&T keeps records for five years or more, while other telecom companies keep records for a shorter period. The Federal Communications Commission requires telecom companies to keep 18 months of billing records, but given the number of people who no longer pay for each phone call made, that’s very different from detailed records that track each and every communication. At a Senate hearing in June, Verizon’s associate general counsel, Michael Woods, explained that Verizon keeps call detail records for just 12 to 18 months. "We don’t have data five years back," Woods explained in response to a question from Collins. "All collection would be from our ordinary business records."
In June, Woods made clear that Verizon objected to holding call detail records longer. His written testimony insisted that "national security is a fundamental government function that should not be outsourced to private companies." He described that if a telecom company were asked to "retain data for the use of intelligence agencies," it would be serving as "an agent" of the government.
On Tuesday, Nov. 18, Feinstein explained how she had resolved the problem presented by telecoms like Verizon that don’t hold these records as long as the NSA currently does. She and Chambliss had written the country’s four biggest telecom companies a letter — she didn’t say when — asking whether the companies would retain phone records longer than they currently do. Two said yes; two said no. "Since that time, the situation has changed," Feinstein said. "Not in writing, but by personal testament from two of the companies that they will hold the data for at least two years for business reasons." President Barack Obama even vouched for the telecom companies’ willingness to hold the data. "The fact is that the telecoms have agreed to hold the data. The president himself has assured me of this," Feinstein said.
Taken in context, Feinstein’s comments reveal how proponents of the USA Freedom Act solved the intelligence community’s problem with the reform bill — that the period of time that records would be held would shrink dramatically. Rather than a legal mandate requiring that telecoms hold onto the data — which some members of the Senate Intelligence Committee demanded in June — the reform bill would use a "data handshake."
The terms of the data handshake are the most interesting part. This promise is not in writing. According to Feinstein, it is a "personal testament." (And of course it wasn’t in the bill, where privacy advocates might have objected to it.) The telecom companies could say they were retaining the data for business purposes, though, until now, they’ve had no business purpose to keep the records.
The government has repeatedly told courts that under Section 215, the NSA can only ask telecoms for business records they already hold. Yet Feinstein seems to have revealed, perhaps unintentionally, that under the new law the telecom companies would be willing to hold records at least an extra six months just so the government could presumably spy on their customers, if necessary. And to keep the records available under the law, the companies would claim they were keeping the records for business reasons. By doing this orally, no records could be obtained under discovery in a customer lawsuit or could be leaked by an NSA whistleblower like Edward Snowden. The telecoms could claim that they are not agents of the nation’s spies, even after they seem to have agreed to a handshake deal making them into just that.
Feinstein’s data handshake might explain Collins’s and Rubio’s seemingly illogical comments. This debate is largely about how the government will access records that aren’t currently retained long term as business records under a provision directed only at existing business records. Under the data handshake, telecoms like Verizon would hold records at least six months longer than they currently do. While there’s no reason to believe Verizon isn’t better than the NSA at securing these records or keeping them private, the added retention does leave the data available for collection. And telecoms would be holding records that the federal government could obtain but ordinary cops could not, which might explain Rubio’s comments.
Feinstein’s hints about data retention are particularly interesting given stories earlier this year about gaps in the NSA’s phone dragnet program. In February, several journalists covering intelligence, including the Wall Street Journal‘s Siobhan Gorman, reported the claim that the NSA was really only obtaining 20 to 30 percent of call records as opposed to 100 percent, as the Snowden leaks had led many to believe. (The reports didn’t say so, but those are records collected under the Section 215 business records provision; the government obtains tons of — in some cases redundant — records overseas under EO 12333, the 1981 executive order that gives intelligence agencies sweeping powers to collect intelligence overseas, so they’re getting some records involving Americans via a different source.) The reports explained that the gap came from cell-phone companies. And earlier reporting said that neither T-Mobile nor Verizon Wireless provided records directly to the NSA.
Before those reports, neither the Obama administration nor the House Intelligence Committee showed much interest in reforming the Foreign Intelligence Surveillance Act. After them, the House Intelligence Committee rolled out its own bill, bypassing the House Judiciary Committee. That bill would have set up an even more programmatic way to obtain records from the telecoms — yet another way to make telecoms agents of the government. This timing suggests that one real reason for the newly energized reform push was closing the gap in records the government doesn’t currently obtain from some cell-phone companies.
The existing gap in cell-phone coverage and telecoms’ practice of retaining call records for less than the NSA does should be — and may well be — entirely different issues: some technical reason that the NSA has had problems integrating a few providers’ cell-phone data into its dragnet, along with business decisions on the part of cell-phone companies on whether to hold phone records. But both seem to come down to how the NSA can access the records of certain cell providers. Republicans at least claim not to believe that the USA Freedom Act would solve the problem. Feinstein does, largely because of this apparent agreement where the companies would keep the records even without any provision in writing requiring them to do so.
NSA reform advocates, like the Electronic Frontier Foundation, were "disappointed" that the USA Freedom Act did not pass. If it had, it definitely would have, at the very least, improved the dangerous situation of the government holding all of Americans’ phone records going back five years. But in hindsight, the desire to close these various gaps appears to have been as much the focus of Tuesday’s debate as any effort to protect privacy.
And underlying the entire debate is a question of efficacy. Feinstein suggested that the government only needs telecoms to hold Americans’ records for two years, rather than five as it currently does. That’s broadly consistent with what intelligence officials have said in testimony over the last 17 months. And it does seem to confirm that the NSA could make do with keeping records for a much shorter time than it currently keeps them.
The debate over whether telecom companies need to retain records for two years or the NSA retain them for five takes place against the backdrop of even larger questions of efficacy. Sen. Patrick Leahy (D-Vt.), the bill’s sponsor, made a point he has repeatedly made since the Snowden leaks started: For the entire eight-year span of the program, it only ever identified one person with ties to terrorism, a San Diego taxi driver sending Somalia’s al-Shabab less than $10,000 to help it defeat U.S.-funded Ethiopian invaders. So with all these records — the five years of Americans’ call records the government currently retains or the two years Feinstein suggests telecoms should retain — it’s still not clear they serve a necessary intelligence purpose. The phone dragnet program really hasn’t achieved its supposed purpose, which is preventing terrorist attacks.
Those telecoms that entered into this data handshake probably calculated, correctly, that their customers’ privacy would be better served if the companies agreed to retain data they otherwise don’t need as a preferable alternative to having the government hold it. But it says something that they’re being forced to make such a Faustian bargain for a program that has never fulfilled the purpose it purports to serve.