This week, the Office of the Director of National Intelligence declassified a Foreign Intelligence Surveillance Court of Review (FISCR) opinion that has important broad implications for privacy and warrantless surveillance.
The opinion, issued on April 14 and released pursuant to the USA FREEDOM Act’s disclosure requirements, deals with government collection of the numbers one dials into a phone during a call, such as a credit card number or passcode (called post-cut-through digits), that’s done under the auspices of authorized Pen Register/Trap and Trace (Pen/Trap) surveillance. While this ruling may seem to deal with a very selective matter, I believe the substance of the ruling presents both concerning and promising big-picture issues, which have implications beyond the government’s ability to collect the numbers people dial during phone calls. (Marcy Wheeler has already discussed process risk of consolidating appellate review within the FISC system.)
The Troubling New “Content Information” Pseudo-Category
The FISCR opinion centers on treating post-cut-through digits as a new pseudo-category of “content information,” which does not receive the same Constitutional protection via a probable cause standard, as content at large. The opinion distinguishes “content information” from more fully “substantive” content based on two factors: the limited information collected as “content information,” and the limited technological ability to stop incidental collection of “content information.” However, the exact bounds of the distinction between content and “content information” were never clearly defined, and this in itself is the first major problem. All other exceptions for content collection that bypass the probable cause requirement are clearly defined. By creating a vague new pseudo-category of “content information,” the FISCR muddies legal standards and risks encouraging improper surveillance in the future.
Looking at the bounds of “content information,” to the extent that they exist, also raises concerns. The idea that “content information” is distinguishably different than substantive content is highly problematic. The FISCR dismissed the argument of Special Advocate of Marc Zwillinger that post-cut-through digits are content by maintaining that content is “information concerning the substance, purport, or meaning of [a wire, oral, or electronic] communication,” and therefore distinct from phone numbers dialed. By this rationale, an email whose contents are solely comprised of a 16-digit credit card number is somehow more substantive than a phone call where this same credit card number is entered.
Further, the FISCR errs in viewing post-cut-through digits as limited to things like “a password, a personal identification number …. A credit card number or a Social Security number.” Automated menu prompts to specific numbers can be much more revealing of substance. For example, the post-cut-through digits placed after calling the Substance Abuse and Mental Health Services Administration Hotline will reveal whether the caller is seeking information on local substance abuse treatment centers, information on mental health issues, or insurance information. Any type of distinction of some content as not sufficiently substantive to receive its full protections under the law will inevitably be vague, subjective, and detrimental to privacy rights.
Additionally, the distinction of “content information” based on limited technological ability to stop incidental collection raises serious privacy problems. The FISCR maintains that because post-cut-through digits are collected incidentally in attempt to merely obtain dialing information, the collection does not trigger probable cause requirements. While incidental collection is common, this opinion appears to be unprecedented in approving incidental collection of private information that should be protected at a higher standard than the that authorized by the initial surveillance order. The FISCR opinion itself acknowledges, “It may be that if a pen register interception were directed at the acquisition and use of content information, it would be unlawful in the absence of a court order issued on a showing of probable cause.”
Incidental collection has always been predicated on the notion that a court is authorizing invasion of a certain sphere of privacy, and that invasion may incidentally extend to non-targeted individuals. The idea that incidental collection may instead extend to a more protected sphere of privacy than was authorized is deeply disturbing, and could raise huge issues if applied to other areas.
Creating a looser “content information” category based on inability to limit incidental collection is also problematic in that the FISCR is responding to a technological limit. Whereas some incidental collection is a naturally unavoidable byproduct of surveillance (e.g., any wiretap will monitor conversations not just of the target, but of all individuals they speak to), collection of post-cut-through digits only occurs because of technological inability to limit collection to the initial dial. Taking away the label of content and full probable cause protections due to technological limits creates concerns in other areas, notably collection of multi-communication transactions and “About Collection” pursuant to the FISA Section 702 Upstream program.
Post Collection Limits Show Promise
While the FISCR treatment of post-cut-through digits in terms of Constitutional protection is worrisome, its practical approach to the policy questions raised is much more promising. The opinion required that, as a condition of allowing collection beyond the intended bounds of the Pen/Trap orders to occur, “the government is prohibited from making any investigative or evidentiary use of content information.” This is not a complete solution – even with full restrictions, collection augments the opportunity for unauthorized access and use – but it is a strong step towards addressing privacy concerns. While the creation of the “content information” pseudo-category is a worrisome, preventing all investigative and evidentiary uses of such information largely blocks this collection from being employed for improper police power.
Post collection limits – as applied here – give promise to balance legitimate privacy concerns with ongoing overcollection activities. I’ve previously written about this in the context of The Wall: We can address competing concerns regarding the need for Intelligence Community information sharing and appropriate limits on law enforcement use of intelligence surveillance by restricting investigatory and evidentiary use of information collected through nontraditional means, just as the FISCR did here.
Employing strict post-collection limits in response to overcollection caused by the technological inability to separate the type of information gathered could also impact “About Collection” pursuant to Section 702. Section 702 does not authorize collection About Collection; it is a byproduct of the Upstream program, and is highly problematic as it collects communications content of individuals who are not Section 702 targets without a warrant. Just like of post-cut-through digits collected pursuant to Pen/Trap, these communications are collected at a lower standard purely because of technological limits. A strong case could be made that based on the FISCR holding, communications obtained through About Collection should be barred from any law enforcement investigative or evidentiary use. Perhaps a Special Advocate or a company receiving a Section 702 Directive will use this FISCR opinion to make such a case in the future.
Despite applying to a seemingly minor issue the FISCR opinion should significantly worry privacy advocates, who should be vigilant that this relegation of certain forms of content to a second-class pseudo category does not expand to other areas. However, as we continue to address ongoing problems in areas such as Section 702 and EO 12333 without a guarantee that we can appropriately reduce overcollection, the FISCR’s strong post-collection remedy presents an opportunity that could protect privacy more broadly.