This month two judges issued two different opinions about the NSA’s controversial bulk metadata collection program. Judge Richard Leon ruled in Washington, D.C., that the program likely violated the law. Judge William Pauley ruled in New York that the program did not violate the law. Judge Pauley’s opinion is both correct legally and more sensible than Judge Leon’s, but it’s not hard to imagine that even our conservative Supreme Court could go the other way.
Under the metadata program, the NSA vacuums up certain data associated with telephone calls—including the number called from, the number called to, and the time of the call—and stores them on its servers. Under the loose supervision of the secret Foreign Intelligence Surveillance Court, the NSA can search the data for evidence of terrorist connections. For example, if the NSA learns the cellphone number of a suspected terrorist, it can query the metadata for the phone numbers dialed on the terrorist’s phone, the phone numbers of the phones that called that phone, and other phone numbers associated with those phone numbers. The NSA turns over suspicious phone numbers to the FBI for further investigation.
Judge Pauley argued that under the Supreme Court case of Smith v. Maryland, which was decided in 1979, the metadata program does not violate the Fourth Amendment because the NSA collects the metadata from the telephone companies of the targets; the NSA does not monitor the phone itself. In Smith, the court held that the defendant did not have a “reasonable expectation of privacy” (the standard for a Fourth Amendment claim) in the phone numbers he had dialed, because by dialing them he communicated them to the phone company. So the police could install a device called a pen register at the telephone company’s premises to record those phone numbers.
The court reasoned that when people voluntarily divulge personal information to third parties, they “assume the risk” that those third parties will turn over the information to the police, and thus can’t complain when that happens, even if at the government’s request. Many commentators object that people do expect phone companies, banks, hospitals, and other trusted institutions to keep personal information secret. But the reason for the rule is that we do not expect many of our communications with other people to be kept secret, a simple rule is better than a case-by-case inquiry into how strong your privacy interest is every time you speak to a colleague or stranger, and law enforcement would be too difficult if police could not gather such information before obtaining a warrant. After all, police can’t obtain a warrant unless they already have reason to believe that someone has committed a crime, and that reason to believe has to come from somewhere.
Judge Leon argues that Smith v. Maryland is an analog case and we live in a digital age. At the time Smith was decided, there was no bulk metadata collection. The court’s bright-line rule distinguishing information we retain and information we turn over to third parties is no longer sustainable, Leon argues, because nowadays no one can go about one’s everyday business and personal life without turning over to third parties a Borges library of personal information that, thanks to search algorithms, can disclose far more about a person than in 1979. Leon cites a recent Supreme Court case, U.S. v. Jones, where a number of justices expressed skepticism about the continuing validity of Smith. That case involved the placement of a GPS device on a car, and the justices worried that even though tailing a car does not violate the Fourth Amendment because the car operates in plain view, digital monitoring of the location of a car might give the government too much power over our lives.
However, until the Supreme Court overrules Smith v. Maryland, Judge Pauley has the better legal argument. Judge Leon correctly notes that the government can more easily learn information about you from third parties today than in the past. But it can’t learn much more about you using the metadata program than it could learn using the pen register in Smith. The difference between then and now lies in the number of people whose data can be searched at reasonable cost to the government, not the amount of information obtained about any individual.
Moreover, the risk to privacy is only one side of the ledger. The other side is that criminals can use technology today in a way they could not in the past. There were no jihadi websites in 1979. It was harder for criminals to transfer money or communicate instructions across borders. Bomb-making directions were not available on the Web.
There are also major differences in public attitudes about privacy. People can more easily find out things about each other today than in 1979, thanks to the Web, and so people now expect strangers—including potential friends, mates, and bosses—to know more about them today than they did in the past. People can also more easily share personal information about themselves, and rather than refrain from doing so in order to protect their privacy, they enthusiastically post photos and videos of themselves on Facebook and other social media sites. Thus, it is possible that people’s sense of privacy is also greatly altered, as if the whole country moved from a big city to a small town, trading in the benefits of anonymity and independence for the advantages of community and security. If we’re going to update Smith to take into account technological change, we also need to update it to take account of changes in social altitudes flowing from that technological change, including the possibility that people’s sense of privacy has shrunk. According to a recent Pew poll, while most people wish they could use the Internet anonymously, most people do not expect anonymity ever to be possible and yet use the Web nonetheless.
Now consider how the metadata program actually invades your privacy. The phone numbers you call and receive used to sit on one third-party server—the phone company’s—but now sit on the government’s servers as well. Most people’s metadata linger there unexamined until the system purges itself within five years. There is a small probability that a suspected terrorist has ordered pizza from the same place you have, and if so, your phone number (but not your name) might be one of thousands that an NSA agent eventually sees. It is most unlikely that he will pursue the pizza connection, but if he does, the FBI takes over and must conduct the investigation in conformity with the Fourth Amendment. From a legal standpoint, then, the invasion of privacy is minimal.
Critics of the metadata program rightly worry about the risk of government abuse. The recent report on the NSA by the President’s Review Group on Intelligence and Communications Technologies points out that an NSA employee with a grudge against someone can look up that person’s phone number, plumb the metadata for evidence that he dials up Alcoholics Anonymous or a suicide hotline, and then blackmail or harass him. But the same point can be made about any government depository of information—your financial records (on file with the IRS) or your medical records (on file with Medicare or Medicaid)—and thousands of government employees can access those records, whereas only 22 NSA employees can access the metadata, according to the President’s Review Group. We should demand safeguards, but the metadata program has safeguards aplenty. If we accepted the theoretical risk of government abuse as a reason for shutting down government programs, we wouldn’t have many such programs.
According to that same President’s Review Group, there is no evidence that the government has abused the metadata program in the Nineteen Eighty-Four-ish sense of suppressing dissent or harassing innocent citizens. The risk of abuse must, for now, be considered remote. If the NSA ever does start blackmailing people, the information will come out because you can’t blackmail someone without talking to him. Until that happens, the Supreme Court should stay its hand. Judge Pauley got it right: The NSA’s metadata program is constitutional.