Blog No. 24 Whither NSA Metadata: The Judges and the Report to the President (Part II).

Part I of the Blog focused principally on the decisions of Judges Richard J. Leon and William H. Pauley III. This Part will discuss the Report of the advisory panel appointed by President Obama and its recommendations with respect to both the NSA metadata program and the protection of all classified data held by the NSA.

The Analysis and Recommendations of the Report With Respect to the Metadata Program

The Risks to Privacy. The portion of the Report dealing with the NSA telephone metadata program under Section 215 of the FSIA largely paralleled (in a calmer tone) the concerns of Judge Leon. Notably, analysis of the 215 program was preceded by a several-page discussion of various dangers inherent in, or associated with, “mass collections of undigested, non-public personal information.” The Section 215 program administered by NSA, of course, involves no such collection, but the Report expressed a concern that someday it could. Similarly, in the succeeding section, which asks “Is Meta-data Different?” the Report cites unidentified “critics” who “have observed [that] the record of every telephone call an individual makes over the course of several years can reveal an enormous amount about that individual’s private life.” And, like Judge Leon, the Report quotes Justice Sotomayor’s comments in United States v. Jones on information that can be derived from a GPS system. (Seldom, it may be said, has such an effort been made to draw an analogy to a dictum in a concurring opinion of a single justice.) What is missing from the Report is any assessment of how likely or unlikely it is that the metadata program would be converted from its present narrow, closely-regulated use to something infinitely broader and far more intrusive.

The Proposed Remedy. The remedy the Report proposes for the dangers it perceives is legislation that terminates the metadata program in its present form and “transitions as soon as reasonably possible to a system in which such meta-data is held instead either by private providers or by a private third party.” Whatever the position of the Obama Administration turns out to be, it is unlikely that the proposal, or anything like it, will be adopted by Congress.

A recent article in the Washington Post reported in detail a myriad of objections by industry representatives, civil liberties advocates and Congressional leaders to the idea of the data being held by the telephone companies. And the vague suggestion of creating “a private third party” raises a host of questions. How would the management of the private party be chosen? Who would provide security? Who would regulate and monitor the access to the data it stored? Such questions make it unlikely that a private party holder could be designed and gain political support in the foreseeable future.

Nor is it clear that the proposal would resolve the problems it envisions. Since the potential for abuse does not lie with the mere collection of data, but with the mining of it to determine identities or even content of messages, storing of the numbers with telephone companies or some private parties would provide only limited protection. That is, once numbers had been requisitioned by the NSA, they would be vulnerable to the hypothetical abuse. Moreover, there is no guarantee against abuse while the numbers are in the hands of the telephone company. The New York Times, in an editorial criticizing the Pauley Opinion, chided the judge for failing to mention a report of “a dozen instances in which government employees used the databases for personal purposes.” Clearly, that sort of mischief would be equally possible, or perhaps more so, when the numbers are held by a private entity.

Nevertheless, while the risk of actual invasions of privacy seems far less than portrayed by critics of the NSA, it cannot be denied that some risk is inherent in maintaining a vast collection of metadata. While the NSA and the FISA Court have attempted to minimize that risk, it likely cannot be eliminated. No system of management control is infallible.  Indeed, the most important lesson of the Snowden episode was not that the NSA was engaged in activities some would claim to be improper. On the contrary, as pointed out in Blog No. 5, published on June 27, 2013, the far more important lesson lay in exposing the management failure to control classified information–as dramatically demonstrated by the breadth of the information Snowden was able to obtain and disclose.

If, as suggested, the solution proposed by the Report proves impractical, inadequate or politically unacceptable, it is not clear what alternatives might exist. If none appear, and the risk to privacy is deemed too great, the only remaining option would be to discontinue the program altogether. How much of a danger that would pose to national security is uncertain. The Report explicitly down played the importance of the metadata in avoiding terrorist threats thus far: “Our review suggests that the information contributed to terrorist investigations by the use of section 215 telephony meta-data was not essential to preventing attacks and could have been obtained in a timely manner using conventional section 215 orders.” On the other hand, it found the program sufficiently important to recommend that it be preserved in a modified form.

Judge Leon had also questioned the value of the metadata program and in particular the government’s emphasis on the speed with which the data allows the government to investigate leads: “[T]he Government does not cite a single instance in which analysis of the NSA’s bulk metadata collection actually stopped an imminent attack or otherwise aided the Government in achieving any objective that was time-sensitive in nature” (emphasis in original).  Judge Pauley, however, reviewed a similar proffer of evidence by the government and concluded that the metadata was indeed an important weapon against al Qaeda.

At this point, it is the Administration and Congress that must balance the risk to privacy and the risk from al Qaeda or other terrorists. RINOcracy.com lacks sufficient information to feel comfortable in making a definitive judgment as to how the balance should be struck. Our inclination, however, would be to defer to the interests of national security, recalling the wisdom of the 9/11 Commission quoted by Judge Pauley that “nothing is more apt to imperil civil liberties than the success of a terrorist attack on American soil.”

Protecting the NSA Data

It is stunning that several of the most important recommendations of the Report have gone virtually unnoticed by the media. Informed by the Snowden debacle, the Report makes no less than nine specific recommendations (Nos. 37-45) to improve radically the protection of classified information by the NSA. The recommendations are not focused on metadata but more generally on classified information developed by the agency under all of its programs. The recommendations are too numerous and comprehensive to permit a detailed discussion here. It is clear, however, that if adopted, they will require the NSA to make major reforms in its handling of classified information.

Blog No. 5 discussed at some length what Snowden had disclosed and emphasized “two areas that require intense scrutiny and remedial action: vetting of employees and controlling their access to highly classified information.” These issues, however, have been given appallingly little attention by Congress or the media. While the NSA has presumably taken some remedial steps, the Report suggests that much remains to be done. Among the more important recommendations, are several which call for the access to classified information to be strictly limited to a “need to know” basis. Other recommendations relate to the vetting of employees and urge that the use of private business corporations for that purpose be reduced or eliminated.  Whatever view one has of other recommendations in the Report, these deserve careful consideration and prompt action.