Courtesy of Sen. Ron Wyden (D-Ore.), we now have a glimpse at what may be the next set of National Security Agency documents to drop from the Guardian and Washington Post. At a Senate hearing today, Wyden asked NSA Director Keith Alexander about the agency's collection of American cellphone geolocation data.
Under the formerly secret interpretations of Section 215 of the PATRIOT Act, the NSA had the legal authority to collect "telephony metadata" without an individualized order or warrant on everyone. (It now needs a certification of purpose, basically, from the FISA Court.) Whether that metadata included cellphone location information has been unclear. Currently, the NSA does not. But apparently, for a period of several years, the scope of the metadata collection included some type of location information.
To the tape!
Wyden: About two dozen other senators have asked in the past whether NSA ever collected or made any plans to collect Americans' cell site information in bulk. What would be your response to that?
Alexander: Under Section 215, NSA is not receiving cell site location data and has no current plans to do so. As you know, I indicated to this committee on October 20, 2011, that I would notify Congress of NSA's intent to obtain cell site location data prior to any such plans being put in place. As you may also be aware, I expressed...
Wyden: I think we're all familiar with it. That's not the question I'm asking, respectfully. I'm asking: Has the NSA ever collected or ever made any plans to collect cell site information? That was the question we still respectfully have not gotten an answer to. Could you give me an answer to that?
Alexander: We did.... As you're aware I expressly affirmed this commitment on June 25, 2013.... Additional details were also provided in the classified supplement to Director Clapper's July 25 response to this question. What I don't want to do, Senator, is put out in an unclassified forum anything that's classified here.... I saw what Director Clapper sent and I agree with it.
Wyden: General, if you're responding to my question by not answering it because you think that's a classified matter, that is your right. We will continue to explore that. I believe this is something the American people have a right to know: Whether NSA collected or made plans to collect cell site information.
Which means: At some point in the past, NSA "made plans" to collect this data in bulk, or did so, for a period of time. Apparently, such collection ended before October 20... a point "prior to such plans being put into place."
Not surprising: NSA would not self-limit what it could collect legally. No need to be opaque about it: Geolocation information is produced by the interaction of the cell device you own or rent with the wireless towers and transmission infrastructure that phone companies own. The companies must collect the data in order to make your call get to where it needs to go. It is a "business record." There is no reason why NSA would not think itself entitled to this data. The police can get it, often without a warrant, albeit from individuals. The government apparently wanted it in bulk, and I assume made this request to the phone companies at some point. Geolocation data, collected in bulk, does not enjoy any special protections, although it probably should.
The second revelation: We know that a bulk domestic internet metadata collection program was terminated by NSA in 2011 because it was not useful. This could mean that the aperture was too big, especially if the NSA was somehow trying to collect every bit of metadata collected by businesses involving email communication to or from the United States.
Since the original story, there has been little follow-up and no new leaked documents. We don't know whether NSA retains that data now, or what it did with it when it had access to it. We don't know whether parts of it have been folded into other collection programs. It is almost certainly the case that under the "transit" authorities granted to NSA by the FISA Amendments Act, quite a lot of U.S. persons' internet metadata goes through NSA filters.
In fact, in some ways, because phone calls, emails, and internet sessions are essentially the same thing, it would not make sense to assume that NSA was collecting only telephony metadata. Clearly, under Section 702 of FISA, it is analyzing all sorts of digital information that does not qualify directly as "content." It has had problems figuring out how to separate clean internet metadata from dirty internet metadata, which meant that it also had problems figuring out how to target only people it was supposed to target for content collection.
Under FISA 702, NSA could not and cannot collect internet metadata from or to U.S. persons just because. If it wanted to, another legal authority would be required, and, yes, Section 215 comes to the rescue again. NSA is not using Section 215 of the PATRIOT Act to collect such data directly from internet companies NOW. In the past, apparently, it did. We will find out soon enough, I hope, how, why, and when.