Square Peg, Round Hole – How the FISC has misapplied FISA to Allow for Bulk Metadata Collection

The recent treasure trove of NSA documents released by the Office of the Director of National Intelligence included an opinion by the Foreign Intelligence Surveillance Court that was the precursor to future opinions authorizing bulk collection of telephony metadata. This Pen Register Opinion, by Judge Colleen Kollar-Kotelly, authorized the bulk collection of Internet metadata under the FISA Pen Register/Trap and Trace (PR/TT). The bulk surveillance of Internet metadata was ultimately discontinued by Congress after it failed to produce useful intelligence.

Upon closer inspection, the Pen Register Opinion, which has been continually relied on to justify other bulk collection programs, does not adequately explain how the PR/TT provision, which has traditionally been used to authorize targeted surveillance orders, could provide for bulk collection.

In fact, none of the current FISA provisions support the NSA’s bulk metadata collection programs.

The government has relied on three separate FISA provisions to justify bulk metadata collection: The PR/TT provision, Section 215 of the USA PATRIOT Act, and the National Security Letter provisions. Each provision requires a (relatively) low evidentiary showing to gather information on individuals, but none expressly authorizes suspicionless collection of nontargeted metadata. Bulk collection is a square peg that the FISC has continually sought to fit into the round-holed surveillance laws enacted by Congress.

Under the FISA PR/TT provision, 50 U.S.C. § 1842, the government can apply for an order authorizing the use of a PR/TT device to obtain “dialing, routing, addressing, or signaling information” about electronic or telephone communications. As described in the Pen Register Opinion, the FBI typically conducts PR/TT surveillance “of a particular communications facility” identified as a phone number, e-mail address, or other designator. This usual practice “conforms to the clear statutory purpose” of the PR/TT provision.

But the Pen Register Opinion authorized collection of Internet metadata, “not directed at facilities used by particular individuals of investigative interest.” Judge Kollar-Kotelly found that this “unusually broad collection,” was acceptable in that case because “the legislative purpose is best effectuated at the querying stage.” In order to find support for an interpretation that Orin Kerr described as a “head scratcher,” Judge Kollar-Kotelly relied on congressional silence to support a broad construction of the PR/TT provision.

The Pen Register Opinion is difficult to square with many of the FISA statutory requirements, which indicate that PR/TT orders were meant to be targeted and individualized. For example, under the FISA a PR/TT order must include “the identity, if known, of the person to whom is leased or in whose name is listed the telephone line or other facility to which the pen register or trap and trace device is to be attached or applied.” 50 U.S.C. § 1842(d)(2)(A)(ii). Judge Kollar-Kotelly acknowledged that this provision could be read “to imply that Congress expected that such facilities would be leased or listed to some particular person, even if the identity of that person were unknown in some cases,” but instead found that “even if Congress had such a general expectation, the language of the statute does not require that there be such a person for every facility.”

This conclusion significantly altered the scope and structure of the statute, which refers repeatedly to the “facility” at issue in each PR/TT order. A facility is a singular identifier associated with an existing communications service account. And Congress made clear since the enactment of the PR/TT provision in 1998 that an order must specify the target telephone number or facility.

When Congress amended the FISA in the USA PATRIOT Act, it expanded the definition of a PR/TT to allow for collection of e-mail and other Internet metadata. Congress also amended the other statutory requirements accordingly, and now the order must specify the “attributes of the communications to which the order applies, such as the number or other identifier.” The order must also specify the identify (if known) of (1) the investigatory target; (2) the owner/lessor; and (3) the location of the “telephone phone number or other facility.”

The PR/TT provision was written to allow for targeted orders to collect metadata about particular, identified communications facilities. The use of a new, technology-neutral description in the amended statute should not be viewed as an authorization of bulk collection. A footnote in the Pen Register Opinion acknowledged that the legislative history “does not suggest that Congress specifically gave thought to whether the new definitions would encompass collection in bulk from communications facilities that are not associated with individual users.” But Judge Kollar-Kotelly ultimately concluded that the “plain meaning” of the statute allowed for bulk collection because Congress did not expressly prohibit it.

This reasoning is problematic because the term “facility” is clearly used to denote a singular, identified communications service. The Pen Register Opinion is further undercut by Congress’ 2006 amendments, which allow the Government to obtain information about “the customer or subscriber using the service covered by the [PR/TT] order.” That authority would be unbelievably broad if a PR/TT order could authorize bulk collection. In fact, if it were read literally in conjunction with the Pen Register Opinion, it would allow the FBI to obtain detailed subscriber information about all users of the service monitored under the Internet metadata program.

The Pen Register Opinion also laid the groundwork for the NSA’s bulk collection of Americans’ telephone records by expanding the definition of “relevance” in the FISA context. The Opinion held that Internet metadata collected in bulk based on proposed “selection criteria” is “relevant” under the PR/TT provision because bulk collection was “necessary for the NSA to employ contact chaining” and other redacted techniques that “are likely to generate useful investigative leads,” the bulk records are “relevant to an ongoing FBI investigation.” Judge Kollar-Kotelly reasoned that “the meaning of ‘relevant’ is broad enough, at least in some contexts, to encompass information that may reasonably lead to the discovery of directly relevant information.”

This relevance analysis ultimately turned on a bizarre application of Fourth Amendment balancing and the “special government needs” doctrine. The Government had suggested that a “balancing methodology used to assess the reasonableness of a Fourth Amendment search or seizure is helpful in applying the relevance standard to this case.” The FISC accepted this even though the Fourth Amendment balancing test had never before been used to establish “relevance” under the statute.

The reasoning of the Pen Register Opinion was recently extended in a FISC Opinion by Judge Claire Egan authorizing bulk telephone metadata collection under Section 215, the “Business Records” provision. Judge Egan similarly held that post-collection minimization procedures, conducted without additional judicial oversight, were enough to make the program lawful. Judge Egan adopted the same “special needs” rationale in order to find that the metadata dragnet was reasonably calculated to meet the statutory relevance standard.

Earlier this year, EPIC filed a Petition for a Writ of Mandamus in the Supreme Court, asking the Court to vacate an earlier FISC order, and prevent future orders from issuing (the Court eventually declined to hear the case). In its petition, EPIC explained why bulk collection could never satisfy the “relevance” requirement of Section 215:

The statute requires that the FBI’s statement of facts show “that there are reasonable grounds to believe that the tangible things sought are relevant to an authorized investigation (other than a threat assessment) “Reasonable grounds” is not defined in the statute, but according to Kris & Wilson it has been treated as equivalent to “reasonable suspicion.” “Reasonable suspicion” requires a showing of “specific and articulable facts, which, taken together with rational inferences from those facts, reasonably warrant” intrusion into a suspect’s privacy. Given that the FISC Order commands disclosure of all domestic telephone records, it is acutely implausible that the FBI alleged specific and articulable facts about each of Verizon’s millions of customers.

What makes a tangible thing “relevant” to an authorized investigation is likewise not clearly delineated in the statute. However, in accordance with the foreign intelligence purposes of FISA, the Act says that tangible things are “presumptively relevant” if they

pertain to − (i) a foreign power or an agent of a foreign power; (ii) the activities of a suspected agent of a foreign power who is the subject of such authorized investigation; or (iii) an individual in contact with, or known to, a suspected agent of a foreign power who is the subject of such authorized investigation[.] Common sense dictates that the vast majority of Verizon’s customers will not fall into any of these three categories. Consequently, the vast majority of the telephone records conveyed to the NSA will not be presumptively relevant. The burden is therefore on the FBI to show, with specific and articulable facts, why those records are in fact relevant and should be included in the production order.

Moreover, the scope of the request cannot simply encompass all call records in the database. To define the scope of the records sought as “everything” nullifies the relevance limitation in the statute. If law enforcement has “everything,” there will always be some subset of “everything” that is relevant to something. At that level of breadth, the relevance requirement becomes meaningless.

EPIC’s Petition noted that the “use of pen registers and trap and trace devices is the classic technique that this Court has recognized for the collection of call detail records, which were originally simply telephone numbers dialed.” Though, for reasons given above, not even Pen Registers would allow for the NSA’s bulk collection programs.

The relevance standard is also used in the National Security Letter statute regarding the collection of telephone and Internet metadata. National Security Letters are administrative subpoenas, which, unlike either Pen Registers or Section 215 Orders, can be issued unilaterally without court supervision.

In 2010, the Inspector General of the Department of Justice released a heavily-redacted review of the FBI’s use of National Security Letters. The IG examined, among other things, the use of so-called “community of interest” NSLs, used to compel the production of information about a group of individuals related to an investigatory target. But even these community of interest NSLs involved small, discrete groups of individual records rather than bulk collection of all metadata.

The IG criticized the FBI for using NSLs to obtain information on non-targets. This was “improper” because the FBI had not met the NSL relevance standard. The report stated, “if the FBI did not establish the relevance of the [redacted] telephone numbers prior to the initial [redacted], reliance on the original NSL to obtain [redacted] telephone records violated the [Electronic Communications Privacy Act], the Attorney General’s NSI Guidelines, and FBI Policy.” The report concluded, “this relevance assessment must be made before issuance of NSLs.”

It is untenable for the FISC to find that all Americans’ call records are relevant under the FISA where the Inspector General found that relevance was not even satisfied when gathering data on a small subset of individuals related to a specific target.

In short, bulk metadata collection is not authorized under any of the stated FISA provisions. All of the legal terms, statutory amendments, and formal reviews only support a view that the NSA cannot continue to fit the square peg of bulk collection into the round FISA provisions drafted by Congress. 

About the Author(s)

Alan Butler

Electronic Privacy Information Center (EPIC) Appellate Advocacy Counsel Follow him on Twitter (@AlanInDC).

Amie Stepanovich

US Policy Manager at Access Follow her on Twitter (@astepanovich).