Monday, June 17, 2013

USA - Big Brother may not be listening, but he's watching: Why metadata snooping is legal

OFF THE WIRE
The debate about the NSA spying program feels like a bad game of charades. Members of Congress and leaders of three-letter agencies keep saying how much they welcome public debate about spying, then immediately regretting that they're unable to talk in public about it. Winks and ear pulls follow. But one phrase has permeated the discussion over and over.
“Nobody is listening to your phone calls.”
It’s a rare statement of clarity in an otherwise murky discussion. President Obama said it in his first comment about the NSA scandal, and it’s been echoed by members of Congress and law enforcement agency officials for days, with good reason. U.S. surveillance law has long drawn a distinction between the content of communication and information about that content, the “metadata.” For example, government agents can read the address on a piece of U.S. mail without much legal wrangling; opening the envelope technically requires a judge-approved warrant.
By drawing a hard line around this distinction — you might call it "watching" vs. "listening" — when it comes to phone calls, email and other digital interactions, NSA defenders think they are on high legal ground. But they also understand what most of the public does not: In the age of Big Data, collecting information about our conversations yields more intelligence than observing the content of the conversations themselves. And it has the added benefit of sounding less intrusive.
As my NBC News colleagues and others have persuasively argued, big data crunchers can play the “six degrees of separation” game with metadata, using, for example, a huge database of email transactions to connect you with potential suspects, something transcripts of emails might never yield. Phone call patterns reveal your whereabouts and life habits in a way that a conversation never could.
This is why some argue the disclosure that Verizon is sending lists of millions of phone call records daily to the NSA (reportedly along with other telecom firms) is the most disturbing revelation of the recent flurry. Some privacy advocates go so far to say that the legal distinction between content and metadata is now meaningless.
But it wasn’t always that way. The distinction evolved logically enough, through legislation and debate, long before anyone could fathom the potential value of 100 million phone call records.
Wiretaps and warrants
The Fourth Amendment stems from a simple idea: Law enforcement officials can observe your home from the street, but in most cases they can't barge in unless they prove to a judge they need to. In the digital world, the line between knocking on your door and barging in is much more complicated. And as the analogy breaks down, so too it seems has Fourth Amendment protection.
Telephone calls were the first technology to attack the notion. Are calls passing through wires inside or outside your home? Back in 1979, the U.S. Supreme Court clarified this issue and ruled that information about telephone calls — such as numbers dialed, or the length of phone calls — was distinct from the content of phone calls, and thus was not protected by the Fourth Amendment. Phone call information has come to be known as "pen register" data, a term that reaches back to the time of the telegraph, when records of transmissions was kept with ink on paper.
When the 1986 Electronic Privacy Information Act essentially codified these findings, Congress clarified that law enforcement officials can obtain data kept by a pen register with a simple subpoena, which doesn’t require a judicial review. Listening in on the content of phone calls — using a wiretap — required a finding of probable cause from a judge.
Fast forward 25 years, and the "pen register" vs. "wiretap" distinction remains a critical element of all surveillance debates. The pen register metaphor has been extended — most specifically by the original Patriot Act in 2001 — to cover a lot of other digital-age "metadata,” including email headers and cellphone location information. Law enforcement has come to expect liberal, easy access to metadata, evidenced by research last year from the American Civil Liberties Union, which revealed that even local cops make thousands of requests for the information every year. Cellphone companies have even set up self-serve Web portals so cops can easily obtain the data.
The Supreme Court explained its pen register vs. wiretap distinction in 1979 by calling on the "third-party doctrine." Americans lose their expectation of privacy, the court reasoned, whenever they voluntarily give information to a third party, such as a phone company. Telling the phone company who you call by dialing a number is enough to surrender your expectation of privacy that you are contacting that person, the court held. It did, however, preserve the letter analogy from law governing U.S. mail. That is, only what's on the envelope's outside is fair game.
But emails sent and stored on services such as Gmail seem to fall in between these two legal categories. Is the email content, like a call conversation or a letter sealed in an envelope? Or it is data freely given to a third party? Congress tried to split that baby with the Stored Communications Act back in 1986. The law’s messy subtleties are still the subject of debate in federal court, but suffice it to say it created some situations under which law enforcement officials can peek at any data given to third parties, including email, without needing to show probable cause.
This means law enforcement officials are sometimes not required to ask before they barge into your virtual home.
Foreign threats, domestic calls
Enter the Foreign Intelligence Surveillance Act, first passed in 1978. Its basic premise is simple: It made clear that U.S. security agencies didn't have to worry about the Fourth Amendment when surveilling foreign nationals overseas.
Over time, as the legislation has been updated, that definition has expanded to mean U.S. spies can monitor any communication, as long as they have good enough reason to believe that one of the parties involved is a foreign national on foreign ground. A 2006 update to FISA, renewed in January,
, explicitly permits warrantless electronic wiretapping of foreigners for up to one year, among other broadened powers.
Depending on circumstance, some FISA monitoring requires prior approval of a special, secret FISA court, and some only requires after-the-fact notification. The distinction appears moot, however. In its annual report to Congress on April 30, the Department of Justice said it made 1,789 requests to conduct electronic surveillance in 2012. None were denied, although 40 were "modified."
The 1986 laws don't apply to requests that come before the FISA court, but politicians often defend the NSA using the pen register vs. wiretap logic. Americans have — like it or not — tolerated the easy release of metadata for some time. Lawyers have always been more concerned with wiretaps, and the public has been conditioned, say privacy advocates, to think that the release of metadata has no impact on our Fourth Amendment rights.
That might be a mistake.
It’s almost certainly true that no one from the federal government is listening to your phone calls, or reading your emails. But this assurance should provide you with only cold comfort. The NSA has millions, and probably billions, of pieces of information about you and your neighbors filed away — that much is clear from the leaked Verizon FISA court order. Technology has long outgrown 50 years of U.S. surveillance law designed to protect you. Who cares if no one is listening? They are most certainly watching.
Follow Bob Sullivan on Twitter or Facebook.