NSA Bulk Collection, the “Corporate Store,” and the Forgotten ECPA Loophole

This weekend’s New York Times report on NSA aggregation of large databases to map the social networks of US citizens contains a reminder that the vast bulk phone records cache the agency obtains via §215 is not the only way the government collects large numbers of phone records:

N.S.A. officials declined to identify which phone and e-mail databases are used to create the social network diagrams, and the documents provided by Mr. Snowden do not specify them. The agency did say that the large database of Americans’ domestic phone call records, which was revealed by Mr. Snowden in June and caused bipartisan alarm in Washington, was excluded.

The §215 database may be the most comprehensive, at least with respect to domestic call records, but it also comes saddled with minimization procedures imposed by the FISA court, which may restrict how it can be used in programs of this kind by requiring queries to begin with a link—though perhaps an indirect one—to a number there is “reasonable articulable suspicion” to believe is linked with a particular terror group. The program described by the Times, on the other hand, appears to link phone records with other kinds of records, such as credit card bills, associated with individuals. Other phone databases, then, appear to be used here. David Kris, in a footnote to his excellent and thorough new paper on bulk collection, suggests some of the other ways NSA might have access to phone records freed from those pesky restrictions (with my emphasis):

Alternative methods of collection would include non-bulk FISA orders, or what prior NSA Directors in the past have referred to as “vacuum cleaner” surveillance outside the ambit of FISA, under Executive Order 12333 and its subordinate procedures, such as DOD 5240-1.R, and perhaps voluntary production if not otherwise prohibited by law. See NSA End-to-End Review at 15; August 2013 FISC Order at 10 n.10 (“The Court understands that NSA receives certain call detail records pursuant to other authority, in addition to the call detail records produced in response to this Court’s Orders.”); cf. 18 U.S.C. § 2511(2)(f) (“Nothing contained in this chapter or chapter 121 or 206 of this title, or section 705 of the Communications Act of 1934, shall be deemed to affect the acquisition by the United States Government of foreign intelligence information from international or foreign communications, or foreign intelligence activities conducted in accordance with otherwise applicable Federal law involving a foreign electronic communications system, utilizing a means other than electronic surveillance as defined in section 101 of the Foreign Intelligence Surveillance Act of 1978”). A purported September 2006 letter from the Acting General Counsel of NSA to the Counsel for Intelligence Policy at DOJ, Attachment B to the Wainstein Contact Chaining Memo, notes that “NSA acquires this communications metadata . . . under Executive Order 12333. All of the communications metadata that NSA acquires under this authority should have at least one communicant outside the United States.” For a discussion of “vacuum cleaner” surveillance, see Kris & Wilson, NSIP § 16:5 & nn.14, 31, § 16:12 & nn.16, 18, § 16:17. For a discussion of DOD 5240-1.R, see Kris & Wilson, NSIP §§ 2:7-2:9, Appendix J.
The purported Wainstein Contact Chaining Memo discusses such contact chaining with respect to the “large amount of communications metadata,” including metadata associated with persons in the United States, contained in NSA’s databases. Wainstein Contact Chaining Memo at 3. The 215 Bulk Primary Order states that the FISA “Court understands that NSA may apply the full range of SIGINT analytic tradecraft to the results of intelligence analysis queries of the collected BR metadata.” 215 Bulk Primary Order at 13 n.15

The first thing worth calling attention to here is that some limitations on use of this data appear to apply only to the master database of all records, and not the huge but smaller “corporate store” database of numbers pulled up by contact-chaining queries of the master database. In other words, it may be that the complete §215 database of call records is “excluded” from automated scraping to generate social graphs of US citizens, but the enormous “corporate store” database is not excluded. That’s something, but given that the “corporate store” includes records of persons up to three “hops” from a suspect number, it seems all but certain that the overwhelming majority of those persons, too, are innocent.

The second, however, is that Kris flags a section of the Electronic Communications Privacy Act that played a key role in a largely forgotten story highlighting a major loophole in the statute’s protection for our phone records. As Marcy Wheeler ably summarizes, the Justice Department Inspector General’s report on “exigent letter” abuses called attention to a secret opinion issued by the Office of Legal Counsel in January 2010, which “allows the FBI to ask for and obtain these records on a voluntary basis from the providers, without legal process or a qualifying emergency.” The OIG seemed positively alarmed by this new interpretation, noting that it relied on a legal theory advanced by FBI “only after the OIG found repeated misuses of its statutory authority,” and suggesting that it “creates a significant gap in FBI accountability and oversight that should be examined closely by the FBI, the Department, and Congress.” Several senators did act on the OIG’s plea to scrutinize this further, but it’s not clear whether anything ever came of it.

In February 2011, however, a little-noticed McClatchy story pointed to the probable nature of the loophole. Though ECPA generally prohibits telecommunications providers from handing over customer records to “any government entity,” the section cited by Kris above, 18 U.S.C. § 2511(2)(f), carves out an exception for “the acquisition … of foreign intelligence information from international or foreign communications” by means other than FISA “electronic surveillance.” Since that carve-out specifies both “foreign” and “international” communications, we have to read “international” as meaning something distinct from “foreign” under ordinary rules of statutory construction—and the obvious reading is that it refers to “international” communications to or from the United States. (Just after finishing this post, I noticed—without much surprise—that the tireless Marcy Wheeler had already spotted and written up this very same issue.) This would, incidentally, square with Gen. Keith Alexander’s insistence, at today’s Senate Judiciary Committee hearing, that social graph “chaining” through domestic numbers is strictly for foreign connections—a job for which a separate database of unrestricted “international” call records would be perfectly suited.

Though the OIG report says that the FBI did not (at that time) intend to rely on the loophole identified by OLC, the implication is that the FBI can obtain records pertaining to Americans’ international communications without any formal legal process, since the acquisition of such records is not FISA “electronic surveillance,” and therefore falls entirely outside the protections of ECPA. In theory, then, NSA could obtain those international bulk records from the carriers via voluntary production, free from any of the restrictions and minimization procedures imposed by the FISA Court for wholly domestic records obtained under bulk §215 orders. That would leave a huge cache of Americans’ phone records essentially fair game for unrestricted NSA exploitation, even as the public is being assured of the many strict and robust safeguards in place to protect such records… when they’re obtained via §215. If we think that millions of law-abiding Americans who communicate with family, friends, and business associates overseas also have privacy interests worth protecting, this is a loophole worth revisiting now that NSA’s call records databases are back in the spotlight.

About the Author(s)

Julian Sanchez

Senior Fellow at the Cato Institute, contributing Editor for Reason magazine. Member of the editorial board at Just Security. You can follow him on Twitter (@normative).