NSA says it can collect metadata for encrypted comms
- By Derek B. Johnson
- Nov 06, 2019
The Trump administration is pressing Congress to permanently reauthorize expiring surveillance authorities under the Patriot Act, including the controversial Section 215 powers that gave U.S. spies the greenlight to collect bulk phone call information on Americans.
At a Nov. 6 Senate Judiciary Committee hearing, officials from the National Security Agency and Department of Justice said that the Section 215 authorities, along with the ability to conduct "roving" wiretaps for individuals seeking evade monitoring and an as yet unused provision allowing surveillance of "lone wolf" terrorist suspects were needed.
Noting that communication methods from terrorists have shifted in recent years from telephony to encrypted communications, Sen. Chris Coons (D-Del.) asked if records from encrypted messaging services would fall under the scope of the authorities being discussed for renewal.
"So if there was a specific selection term we got the authority from the [court] and there were metadata records responsive to that… I believe we would be authorized to get that," NSA official Susan Morgan said.
Metadata, including information on when and where a phone call or text was sent and by what account or device does not encompass the contents of a conversation, but authorities have increasingly used metadata as circumstantial evidence in indictments to pinpoint when two suspects have communicated or coordinated during or after a criminal incident.
Brad Wiegmann, representing the Department of Justice, said that because the metadata around such communications is typically not encrypted, the government's collection would be legal under either the Call Detail Records program and the business records provision contained in Section 215 of the Patriot Act.
While government officials have often downplayed the value of such data, researchers have warned it can be used to uncover detailed information about the habits and behaviors of targeted individuals.
Michael Orlando, Deputy Assistant Director at the FBI, described the business records provision as "a building block" authority used during early stages of investigations "to build our case against national security threats" and obtain authorization for more targeted surveillance activities like wiretaps.
Digital rights groups have argued that the statute allows for broader search authority than the government generally claims.
"The statute specifies that it includes only things that can be produced in response to a standard grand jury subpoena, but of course that's an extremely wide range of documents and information," Andrew Crocker, an attorney at the Electronic Frontier Foundation, told FCW last year. "Our FOIA [requests] did provide some insight -- dealing with cell site location information and census data, for example -- but we still don't have a great idea where it stops."
Multiple executive branch officials declined under questioning from lawmakers to discuss examples of how or even whether the government had used the CDR program to uncover a previously unknown terrorist plot, but they characterized their reauthorization "vital" to national security.
Ranking Democrat Sen. Diane Feinstein (D-Calif.), who initially supported the NSA's surveillance program but has since become a critic, called that position "inadequate."
"I've been on the Intelligence Committee for 26 years now, we're in a public arena, I understand that," said Feinstein. "But if you can't give us any indication of specific value of the program, there's no reason for us to reauthorize it."
The primary metric provided by the government on how it uses the Call Detail Record program is the number of orders it issues every year, but that can obfuscate the scope of collection. For example, Sen. Patrick Leahy (D-Vt.) noted that in 2018, the government issued just 14 orders under the program, but that was enough to collect 434 million records related to 19 million individual phone calls.
In 2018, the NSA purged its CDR database after inadvertently collecting hundreds of millions of records outside the scope of the law. More recently, a declassified Foreign Intelligence Surveillance Court ruling last year found the FBI had systemically abused its authorities to search digital data sucked up by an adjacent NSA surveillance program, Section 702.
Despite shuttering the program, NSA is not keen to relinquish the authority that allowed it to exist.
"NSA's decision to suspend the CDR program does not mean that Congress should allow the CDR authority to expire. Rather, that decision shows that the executive branch is a responsible steward of the authority Congress affords it," NSA official Susan Morgan testified.
Concerned lawmakers have sent multiple letters over the past year to the Director of National Intelligence and Attorney General over the past year seeking details on the present state of the CDR policy – missives that Leahy said have yet to result in a "substantive response."
Wiegmann told the committee that DOJ had been unable to respond until the Trump administration finalized a formal position to request reauthorization in August. He said a draft letter was being developed and would be sent out this week – a response that did not satisfy some lawmakers.
"We're not messing around here," Sen. Mike Lee (R-Utah) warned. "These are the privacy rights and the constitutional rights of the American people. We represent them and we don't appreciate a nearly one-year delay...and it adds deeply to my suspicion."
Derek B. Johnson is a senior staff writer at FCW, covering governmentwide IT policy, cybersecurity and a range of other federal technology issues.
Prior to joining FCW, Johnson was a freelance technology journalist. His work has appeared in The Washington Post, GoodCall News, Foreign Policy Journal, Washington Technology, Elevation DC, Connection Newspapers and The Maryland Gazette.
Johnson has a Bachelor's degree in journalism from Hofstra University and a Master's degree in public policy from George Mason University. He can be contacted at firstname.lastname@example.org, or follow him on Twitter @derekdoestech.
Click here for previous articles by Johnson.