President Obama announced in January his intent to rethink the controversial "bulk collection" program that lets the National Security Agency collect and store Americans' telephone metadata. One option under consideration is to house the data with a third party, most likely a private corporation. The two of us disagree on the proper scope of national security surveillance—one would be content to see the metadata program continue while one would like to see it end—but we agree on this: Third-party retention is the worst of all options and should be taken off the table.

The ostensible advantage of third-party retention is to make it more difficult for the NSA to access the data improperly, thus addressing fears of potential abuse. There is little reason, however, to think a private contractor would view its role as policing the NSA's access. Government contractors see their job as serving the agency that pays them—not engaging in oversight or throwing up barriers to the agency's desired course of action.

Third-party retention would be more likely to create compliance and oversight problems than to solve them. For better or worse, the NSA and executive branch more generally are responsible and accountable for the appropriate handling of the data they collect. Removing data to a corporation would distance the government from its proper role—and obligations—as custodian of information collected for a national-security purpose. It would introduce ambiguity regarding which entity would be responsible for monitoring and ensuring compliance with legal requirements.

Oversight would be a challenge even if the roles were clear. Currently, the program is subject to internal executive branch review by NSA entities such as the Office of Compliance and Inspector General's Office. The Office of the Director of National Intelligence and the Justice Department also oversee the program. Regardless of one's views on the sufficiency of these mechanisms, it is unlikely they could be replicated under the third-party option. If the government were to try to continue existing oversight activities, that would create an odd, and likely unsustainable, government-private relationship. If the third party were to take on the task, that would entrust a core governmental function—ensuring fidelity to the rule of law—to a private entity that lacks the institutional competence or legitimacy to perform it.

From a security standpoint, the data would be a major and obvious target for cyberattack by criminal hackers or foreign nations. Our defense and intelligence agencies have their own challenges protecting their most sensitive information from breaches, so there is reason for concern about transferring the data to a private company that may or may not be equipped to handle the security risk.