One week after Congress voted to stop the National Security Agency from collecting and storing millions of Americans’ phone records, partisans on both sides are exaggerating the significance of this new reform. NSA supporters lament the loss of a key tool for fighting terrorists, while the agency’s critics hail the new law as (in Edward Snowden’s words) an “historic victory for the rights of every citizen,” with some calling its passage a vindication of Snowden himself as an authentic whistleblower who should be let back home as a hero, not a convict.
Both sides are off the mark.
The NSA’s bulk collection of telephone metadata was the subject of the first news stories based on the trove of highly classified documents that Snowden leaked, and it stirred the biggest commotion. But in fact the metadata program never comprised more than a tiny percentage of the agency’s vast and global surveillance net. The new law’s reform measure—to keep the metadata stored with the telecom companies, allowing NSA access only to specified materials, and then only through the Foreign Intelligence Surveillance Court—was first proposed not by some libertarian critic but by Gen. Keith Alexander, then-director of the NSA.
Under the system that has been in effect, as authorized by Section 215 of the Patriot Act (or, rather, by the FISA court’s now-discredited reading of that section), the NSA routinely collected metadata from some of the biggest cellular companies—not the contents of conversations, but the phone numbers, dates, times, and duration of the calls. If someone inside the United States called a number linked to one of three terrorist organizations (including al-Qaida), an NSA alert system would note that fact. The NSA could then ask the FISA Court for permission to search the database for a list of all the other numbers that the American phone had called, as well as all the numbers that those numbers had called, going back as far as five years. If this search revealed a suspicious pattern, the NSA would turn the materials over to the FBI, which could seek a warrant to listen to conversations.
Under the new reform law, called the USA Freedom Act, the NSA would no longer possess the database, so it would seek a FISA court order to get it from the telecom companies—and the FISA court would now include a privacy advocate who could argue against relinquishing the data. If the court sided with the NSA, what happened next would be exactly the same as before the new law passed.
So, it’s not exactly a giant step in the annals of either national-security risk or civil liberties reform—unless one of two things had been true. First, if the NSA had been abusing the process—if analysts or senior officials had been searching metadata for personal, political, or vindictive purposes—the changes in custody and oversight would have a huge impact. But neither Snowden’s documents nor any subsequent probes have uncovered any such evidence.
Second, if authoritarians or worse—say, modern-day versions of Richard Nixon and J. Edgar Hoover—were to come to power, they could suspend the internal controls at NSA and use the agency’s vast databases to track domestic enemies or any target of their choosing. In that case, the Freedom Act would serve as a powerful brake to oppression: Because the government would no longer possess the data, it couldn’t exploit the data.
That is the real—and the intended—effect of the reform: not so much to change the way surveillance technology is used today, but rather to limit the potential for abuse in the future.
For now, surveillance through telephone metadata is pretty sparse. In 2012, the NSA queried the database for 288 U.S. telephone numbers. As a result of those queries, the agency passed just 12 tips to the FBI. None of those tips led to the capture of a single terrorist or the halting of a terrorist plot. In fact, according to President Obama’s independent commission on NSA reform, the telephone metadata program has never had any impact on countering terrorism.
A separate program called PRISM—authorized under Section 702 of the Foreign Intelligence Surveillance Act—lets the NSA track foreign terrorists and adversaries by intercepting their Internet traffic as it zips through U.S.–based servers. (Because of the nature of the technology, about 80 percent of the world’s Internet traffic passes through U.S. servers at some point.) PRISM was another highly classified NSA program that Snowden uncovered. The Washington Post and the Guardian made it the subject of their Day 2 Snowden stories (right after the revelations about telephone metadata). Yet PRISM isn’t touched at all by the USA Freedom Act, nor does any serious politician propose overhauling it. This is the case, even though PRISM data-mining is a much bigger program than telephone metadata ever was, and it’s potentially more intrusive, since it’s hard to know whether, at first glance, an IP address belongs to an American or a foreigner.
The key difference is that PRISM has been a far more effective intelligence tool. Obama’s independent commission—the same body that refuted official claims about telephone metadata’s usefulness—concluded that PRISM had played an important role in stopping 53 terrorist plots.
Snowden’s documents cited the names of all nine U.S. servers that cooperated (or, in some cases, were compelled to cooperate) with PRISM. His documents also provided details about the interception of Taliban email on the Afghan–Pakistan border, the monitoring of Iran’s nuclear program, the line-item budget of the CIA, and the complete 50-page catalog of tools and techniques used by the elite hackers in the NSA’s Office of Tailored Access Operations. (This last document is so sensitive that no U.S. or British publication wrote about it, though Germany’s Der Spiegel reprinted it.)
This litany of leaks raises doubts about Snowden’s claims as a whistleblower (the vast majority of his documents have nothing to do with domestic surveillance or malfeasance of any sort), and it highlights the fact that the NSA is involved in a lot more than probing the metadata of a few hundred telephone calls a year.
One valid point that Snowden and his defenders make is that the disclosures have sired a public discussion about the balance between privacy and security that otherwise would not have taken place, because everything about the NSA—including, for many years, its very existence—has been shrouded in such extreme secrecy. (The inside joke used to be that NSA stood for “No Such Agency.”)
That said, the public discussion—despite a lot of good, well-informed articles in many publications—has, so far, been alarmingly shallow. Too many of these discussions, in the media and elsewhere, assume that the NSA “monitors” millions of Americans’ phone calls. Too many newspaper articles about telephone metadata have been illustrated by a photo of the NSA’s new 100,000-square-foot data center in Utah—when, in fact, all of its metadata files could probably fit in a camping trailer. And very little of the coverage draws a distinction—or knows that there is a difference—between Section 215 metadata collection (which has had no effect on stopping terrorism) and Section 702 data-interception (which has been remarkably successful).
A debate is certainly worth having on the latest nugget from Snowden’s trove, reported in the June 5 New York Times, about an NSA program—secretly approved by the Justice Department in mid-2012—to monitor Internet servers for the presence of foreign hackers. The Times cites the concern of some legal scholars that the NSA may be crossing a line between intelligence and law-enforcement. In the wake of the Sept. 11 terrorist attacks, many complained that the line had become too thick—so much so that the CIA, NSA, and FBI couldn’t share intelligence information about the plotters in the lead-up to the attack. Some of the subsequent laws, which are now being reformed or called into question, were answers to those critics: Their sponsors spoke of the need to “break down the walls” and “connect the dots.” Did we go too far in that direction, and are we going too far the other way as part of a backlash?
Ironically, right next to the Times’ front-page scoop about the NSA’s effort to track down hackers was a story reporting that China had hacked the personal data—including Social Security numbers—of 4 million U.S. government employees. A debate has been going on for some time—much of it outside public purview—over the extent to which the government should get involved in fighting hackers. One reason for the debate is that the NSA is the only government agency with the talent, technology, and resources to fend off hackers effectively. But letting the NSA loose on their trail discomfits many who contemplate the idea, because stopping hackers means monitoring the networks they’re hacking, which means accessing the communications of ordinary Americans. How, and where, to draw the line? This is very much a conversation worth having. No one is having it just now.
One disturbing tidbit in that Times story: The NSA asked for the legal authority to monitor malicious cyberactivity even if the agency’s analysts didn’t know if the cyberattacker was a foreigner. The Justice Department did not grant that authority. But this is a cautionary tale about the need for government oversight—and a reassuring tale, as far as it goes, that oversight, to some meaningful extent, does exist.
The whole point—really, the only point—of the USA Freedom Act, and the overhaul of Section 215 telephone metadata, was to strengthen that oversight, to erect yet another fence that the intelligence agencies have to hurdle to get access to private information.
But no one should infer from this that we’ve entered into a new era or that government surveillance and cyberespionage have been—for better or worse—dealt a serious setback. The NSA is not in retreat, nor are its counterparts in Russia, China, Israel, France, Iran, North Korea, and other countries. That’s not an excuse for complacency or alarm; it’s cause for vigilance, oversight—and an understanding of what these programs are about.