By Qitong Cao
The National Security Agency (NSA)’s massive telephone metadata collection program was ruled illegal by the United States Court of Appeals for the Second Circuit last Thursday.
The federal appeals court ruling, the first of its kind since the program’s disclosure, refuted the NSA’s interpretation of Section 215 of the U.S.A. Patriot Act, which allows a high-ranking FBI official to order “the production of any tangible things” for terrorist investigations. According to the ruling, the Section “does not authorize the telephone metadata program.”
The telephone metadata program, which involved collecting Americans’ phone records systematically, and its counterpart, PRISM, that surveilled non-U.S. targets have prompted fierce debates on the merits and the legality of the NSA’s practices.
Since last October, Stanford has hosted the Security Conundrum discussion series that featured speakers ranging from General Michael Hayden, former director of the NSA, to Barton Gellman, the Washington Post reporter that broke the story of Snowden’s revelations. On May 15, Snowden, currently residing in Russia under temporary asylum, will hold a Skype session with the general public sponsored by the Symbolic Systems Program.
In an interview with The Daily, Jonathan Mayer J.D. ’13, a Cybersecurity Fellow at Stanford’s Center for International Security and Cooperation (CISAC) and lecturer at the Law School, talked about the impacts of the two NSA surveillance programs on the general public.
The Stanford Daily (TSD): From a legal perspective, what does the Second Circuit’s decision mean?
Mayer: There are, broadly speaking, two kinds of arguments about the legality of the particular surveillance program. The first argument is it’s unconstitutional. Usually the constitutional rights advocates refers to the Fourth Amendment protection against unreasonable searches and seizures. Another way of questioning the legality of a surveillance program is saying, “Hey, Congress didn’t say you could do that.” So, setting aside the constitutional issues, Congress just didn’t give the executive the power to conduct that surveillance program. That’s the specific challenge that came up in Second Circuit’s decision. The Court invalidated the NSA’s program on statutory grounds, but didn’t address whether the program is constitutional.
So what prevents the NSA from pointing to another statute, getting another statute, or doing this with something other than phones? The reason why I think the statutory analysis is such a big deal is that surveillance statutes, for the most part, share a lot of language. The law is frustratingly tangled, but there are some points of clarity. One of the points of clarity is this language about relevance. Over and over again in surveillance laws there has to be relevance in an investigation. By holding that relevance doesn’t support a bulk program of this sort, the Second Circuit hasn’t just narrowly ruled on this particular statute or telephones because that same statute applies to all the technologies and that relevance language shows up in all sorts of other statutes.
Let me give you a very concrete example. Until 2013, the Drug Enforcement Administration operated its own bulk telephone metadata surveillance program, and it did that under a different statute, but if that surveillance program were ongoing today, I think the Second Circuit’s reasoning would unambiguously have invalidated that program too.
TSD: Let’s now focus on the PRISM program. Is it susceptible to a similar statutory check?
Mayer: PRISM, I think, is a good example of a surveillance program that seems to be, for the most part, what Congress had in mind. PRISM is a closer fit to the statutory language, and it’s going to be a lot harder to mount a statutory attack on that program. I don’t think it’s a perfect fit, but the statute is worded very broadly and does seem to allow issuing directives, in essence formal letters, to claw services to hand over data. I think, as a matter of policy, PRISM definitely needs some reform. It already has had some. The President’s Intelligence Review Group recommended a series of important reforms. But there’s a lot more room to go.
TSD: When determining whether a target is within the United States, the NSA typically looks into his or her IP address. But the use of tools such as VPN or tor would make it difficult to determine the exact location of an Internet user. Say, if two Americans are talking online using VPN, will they be therefore regarded by the NSA as foreigners based on their apparent IP address?
Mayer: It depends. A lot will have to do with how they would communicate. Let me take this into two parts. A first issue is [if] the NSA can get its hands on that communication in the first place. There’s been a trend toward increasing use of encryption during online communications. That trend certainly accelerated substantially after the disclosures of 2013. So it’s kind of a first-order issue.
The second-order issue is, if the NSA could get those communications, would they properly distinguish whether they are American or not. If you had traffic getting routed outside the United States, and it wasn’t very clearly just bouncing through some networks outside the U.S. but actually was originating from there, then I think you could potentially have a real problem of Americans getting their data sorted out.
I think it’s a great example of an issue that would be relatively obvious to someone with even modest technical sophistication. Yet it’s the sort of thing that seems, for the most part, like, the NSA’s various overseers have not spent a lot of time thinking about. So it absolutely is a potential problem. The magnitude of the problem is difficult to assess. It doesn’t appear, at least thus far, that the NSA has made any serious effort to try to gauge its magnitude.
TSD: In these circumstances, do you think the NSA could come up with better ways to examine people’s geographical locations exactly? Or would that be a huge technical constraint?
Mayer: I think it is one of many reasons why un-targeted surveillance programs are highly problematic. The Internet doesn’t have clear geographical restrictions built in. That’s great. It’s one of the reasons why the Internet is awesome. But that means that rules that are geographically bound, some of the NSA’s restrictions, don’t clearly map onto the Internet. So I think there are some technical problems that should give the NSA overseers a pause in allowing certain programs to continue.
Outside the United States, the NSA has much broader authority to conduct surveillance. Congress has reined in what the executive branch can do inside the United States. That’s where statutory issues come up, like what happened with the Section 215 program. But outside the United States, for the most part, Congress hasn’t touched NSA operations, or doesn’t even ask a lot of questions about NSA operations. So it appears to be the case that the NSA is collecting a quite substantial amount of telephone and Internet content and so on outside the U.S. that absolutely could implicate Americans traveling abroad or redirecting communications abroad.
TSD: Is the NSA aware of such an issue? If so, why does it still choose to do so?
Mayer: I think the NSA is clearly aware that the issue exists, and there was a little discussion in at least one set of court filings in a court opinion. But there’s sort of a legalism around the NSA, the notion that, if the law is such, or at least could credibly be argued to be such, that circumscribes their permissible conduct. It’s fair to characterize the NSA’s mode of legal argumentation thus far as attempting to preserve the broadest possible range of operational flexibility, attempting to preserve programs that previously weren’t under a clear legal regime. It’s always like, shoot first, ask questions later; surveil first, figure out the law later.
Thankfully, I think that that amount of working outside the legal system no longer is the way the NSA operates. But instead it really stretched to the limits of the law that does clearly apply to it, a very aggressive legal interpretation, but still legal, just out of periphery.
TSD: Do you think that Stanford could do more to contribute to the discussion of cybersecurity issues and privacy issues?
Mayer: Yes. I think Stanford has very clearly positioned itself as a leading forum for government thought leaders on surveillance issues. There’s been the President; there’s been the Secretary of Defense; there’s been the director of the NSA. So, as a speaking venue, Stanford has done a lot. As a venue for building new directions for change, building consensus, producing research output that influences surveillance and cybersecurity debates, I think it’s fair to say Stanford has ways to go. There’s a difference between hosting speakers and contributing to a debate, and at least thus far Stanford has tended toward the hosting speakers side.
Contact Qitong Cao at qitong ‘at’ stanford.edu.