In the New York Times, Charlie Savage reports that the administration intends to propose legislation that would end the NSA’s bulk collection of phone records. The legislation would allow the government to obtain phone records in foreign-intelligence investigations only if it first satisfied the Foreign Intelligence Surveillance Court that there was a basis to believe that the records related to a person associated with a terrorist organization. Phone companies would be required to keep their records in a standardized format, but they wouldn’t be required to keep them any longer than they already do.

This is a milestone. The administration’s proposal is an acknowledgement that a program that was endorsed in secret by all three branches of government, and that was in place for about a decade, has not survived public scrutiny. It’s also an acknowledgement that the government’s legitimate intelligence interests can be accommodated without placing the entire country under surveillance.

But the New York Times’ sketch of the administration’s proposal raises many questions. Here are a few:

Does this proposal foreclose bulk collection of phone records under statutes other than Section 215? Foreclosing bulk collection of call records under Section 215 will be meaningless unless bulk collection of phone records is also foreclosed under the pen register and national security letter statutes. Whatever narrower standard is imposed for collection under Section 215 should be imposed for collection under those other statutes as well.

Does this proposal foreclose bulk collection of other kinds of records? What implications does the administration’s acknowledgement that bulk collection of phone records is unnecessary have for the government’s bulk collection of other kinds of records? What implications does it have for the CIA’s bulk collection of financial records, for example?

What’s a phone record? Savage’s report suggests that the administration’s proposal would end the bulk collection of “phone records.” What does the administration mean by “phone records” here? Would its proposal bar the bulk collection of location information?

How much suspicion is enough? Under the administration’s proposal, the NSA will be able to acquire phone records only if the FISC concludes that the records are “linked to phone numbers a judge agrees are likely tied to terrorism.” Is the reference here to a “reasonable articulable suspicion” standard, or to something else? If the reference is to a “reasonable articulable suspicion” standard, what, precisely, is that standard? In documents that have been released by the government over the last few months, part of the standard has been redacted:

FISC standard

What will the NSA do with the phone records it’s already collected? The NSA has been collecting call records in bulk for more than a decade. Will the agency purge that data? Intelligence officials are prepared to acknowledge that phone records older than eighteen months have little value—will the NSA now purge its massive database of Americans’ phone calls from 2012 and before?

In what circumstances will the NSA be permitted to obtain “second hop” data? That is, what conditions will apply when the NSA wants to obtain records of individuals who aren’t themselves suspected terrorists but who have made calls to (or received calls from) suspected terrorists? Is it the FISC that will decide whether the NSA is entitled to second-hop data in any particular instance? Or the NSA itself? In either case, will the NSA’s authority to analyze and disseminate second-hop data be more restricted than its authority to analyze and disseminate first-hop data?

How will the NSA’s new “alert” capability work? Under the administration’s proposal, phone companies will apparently be required to “mak[e] available, on a continuing basis, data about any new calls placed or received” after a FISC order is received. Will the NSA have to make a higher showing to the FISC to justify prospective surveillance (rather than production of historical records)? Will it have the authority to conduct prospective surveillance of second-hop phone numbers—that is, the phone numbers of people who aren’t themselves thought to be associated with terrorist organizations but who are thought to be associated with people who are associated with terrorist organizations?

What will the NSA be permitted to do with the phone records it amasses in the future? Once the NSA has acquired records from the phone companies, what restrictions will apply to its analysis and dissemination of those records? Currently, the records returned from queries of the NSA’s phone-records database are pooled in a database called the “corporate store”—a database that may contain millions of records. As the FISC’s Primary Order makes plain, there are essentially no restrictions on what the NSA can do with the records in this database:

FISC's primary order

The administration’s proposal, at least as described by the New York Times, would do little to shrink the size of the corporate store or add protections to the data amassed there. Will there be new restrictions on how the NSA may datamine the corporate store?

*          *          *

The proposal outlined in the New York Times is promising in many respects. But we don’t know the details, and the details matter.