Late Wednesday night, the website of the British broadsheet The Guardian broke the news that the National Security Agency (NSA) has been monitoring the phone activity of millions of Verizon cell-phone customers. Under a warrant approved by a Foreign Intelligence Surveillance Act (FISA) court, Verizon was required to provide “metadata” for all foreign-to-domestic and, critically, domestic-to-domestic calls for a three-month period starting on April 25. This metadata does not include the substance of any message or the personal information of the caller, but it does include numbers dialed, length and duration of calls, routing information, and International Mobile Subscriber Identity numbers (unique 15-digit identifiers assigned to each mobile device). The court order also expressly prohibited Verizon from publicly acknowledging the warrant.
Is the NSA’s program an unnecessary infringement of liberty? Many, including NRO regulars John Yoo and Andy McCarthy, argue that too much is being made of the story. McCarthy points out that the collection of telephone records (the “metadata” in question) is quite different from the monitoring of telephone calls for their content, and that the former is not covered under the Fourth Amendment. He writes:
Unlike the content of your communications, you have no expectation of privacy in your telephone activity records. If you think about it for a second, you know you don’t. If there were a mistake on your phone bill — for example, if you were charged for a long-distance call you didn’t make — you would expect to be able to call your phone company and have the problem addressed. That is because you understand that, when you make a call, that information is not secret: Your phone company keeps records of whom you called and how long the call lasted. A phone record is, by nature, a record of information shared with third parties. It is not like personal papers and other personal items you keep in your home — items the government may not search without a judicial warrant (except in certain circumstances not relevant to this discussion).
I will of course defer to the former federal prosecutor on the matter, but it seems to me two things make the NSA program different from the ordinary collection of phone records by law enforcement for a specific criminal investigation.
First, the sheer scale of the NSA program. As Benjamin Wittes notes at the Lawfare blog, federal law requires the government to submit “a statement of facts showing that there are reasonable grounds to believe that the tangible things sought” by such a warrant “are relevant to an authorized investigation.” When the NSA story first broke, some speculated that the late-April timing of the order suggested it had to do with the investigation into the Boston bombings. But congressional sources have since made statements suggesting the leaked Verizon order is just the most recent in an unbroken chain of such orders that stretches back at least as far as 2006 or 2007, and that presumably is not just limited to one phone carrier.
As Wittes asks, what conceivable “statement of facts” could have produced such an open-ended series of orders? To what “authorized investigation” are seven years of exhaustive and uninterrupted phone records relevant? Some say the NSA is “mining” the data for suspicious patterns using complex proprietary algorithms, and that for such a process to be effective, the data have to be complete. But as Wittes concludes (indirectly touching on Andy’s point that “it would actually be easier for the government to get the information it is collecting by a grand jury subpoena than under the Patriot Act”), “The trouble is that if that constitutes relevance for purposes of [FISA] — or for purposes of grand jury subpoena, for that matter — then isn’t all data relevant to all investigations?”
George Washington University law professor Orin Kerr raises another question about the “relevance” of phone records on such an immense scale:
When dealing with a physical object, we naturally treat relevance on an object-by-object basis. Sets of records are different. If Verizon has a database containing records of billions of phone calls made by millions of customers, is that database a single thing, millions of things, or billions of things? Is relevance measured by each record, each customer, or the relevance of the entire database as a whole? If the entire massive database has a single record that is relevant, does that make the entire database relevant, too? The statute doesn’t directly answer that, it seems to me. But certainly it’s surprising — and troubling — if the . . . relevance standard is being interpreted at the database-by-database level.