Declassified Opinion Shows The NSA Exploited Pen Register Statutes To Collect Internet Metadata On Millions Of Americans

from the the-box-has-no-edges... dept

The Office of the Director of National Intelligence has just released a very large set of declassified documents, covering a variety of topics. (Just a friendly reminder: these documents are being released because of a court order, not because the ODNI loves transparency, no matter how it's phrased at I CON THE RECORD.) Of particular interest is one that appears to be the original court opinion that gave the NSA permission to collect bulk internet metadata on Americans, better known as the Stellar Wind program, which ran for a decade before being shut down in 2011.



Orin Kerr, writing for (watch your step) the Lawfare blog, breaks down the questionable arguments the government presented and the leaps the presiding judge (Colleen Kollar-Kotelly) made to grant this request.



To begin with, the government presents this collection as nothing more than a modern-day pen register. As Kerr explains, the privacy bar for pen registers is set incredibly low.

The federal pen register authorities use a mere certification standard. Under the national security version of the pen register statute, the FISC is required to approve an application for pen register surveillance whenever the Attorney General (or an attorney he designates) certifies under oath “that the information likely to be obtained” from the monitoring “is relevant to an ongoing investigation to protect against international terrorism or clandestine intelligence activities,” 50 U.S.C. 1842(c)(2). As long as the government has issued its certification, and the judge concludes that the government’s application falls within the statute, “the judge shall enter an ex parte order.” 50 U.S.C. 1842(d)(1). The government doesn’t have to say why it thinks the standard has been satisfied; it just certifies under oath that it does. And the judge has no authority to look behind the government’s assertion to see if its factual basis is strong, weak, or completely absurd. See generally In re Application of the United States, 846 F.Supp. 1555 (M.D. Fla. 1994). The judge’s only role is making sure the government checked the box and made the required certification under oath.

The pen register authority permits monitoring of a suspect’s non-content metadata unprotected by the Fourth Amendment for a window of time, investigative steps outside the Fourth Amendment than are akin to tailing a suspect in public or obtaining a mail cover to monitor the outside of their mail.

[I]t wanted an order forcing a provider to record and disclose Internet metadata in real time on an ongoing basis for potentially tens of millions of customers, all with a single order obtained with no judicial review based on a mere certification by the Attorney General.

The statute authorizes the judge to issue an order requiring the installation of “a” pen register to monitor “the person who is the subject of the investigation.” 50 U.S.C. 1842(d)(1)-(2). This is written in the singular, suggesting that each pen register requires a subject.

She then concludes that the bulk collection is reasonable in a Fourth Amendment sense — not that the Fourth Amendment applies, as this is just metadata, but rather in the policy sense that the program represents a sensible balance between security and privacy along the lines of that required under Fourth Amendment reasonableness precedents. The application is thus granted because, all things considered, the program does seem to be a pretty good way to find terrorists. See pages 49-54.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community. Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis. While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

There's a reason why the bar is set so low. It's inherently limited.So, all a judge is looking for is a box ticked by a US Attorney. If that's present, then the pen register collection can proceed. But this is a surveillance method that isat one particular suspect. It's not used to collect data on multiple persons at one time. Certainly multiple pen registers can be obtained in order to collect multiple sets of metadata, but each request is singular. Or was, until the NSA decided to extrapolate the singular pen register into a bulk collections program.The government took this low bar and convinced a judge that there was technically no difference between collecting metadata on ONE person and collecting metadata on. It wasn't just the government doing the rhetorical legwork. Kerr points out that the presiding judge ignored several statutory clues within the pen register law that indicated it was never meant to be used for bulk, untargeted collections.Furthermore, she buys into the government's arguments that the ends justify the means.This argument has been used more than once by the government to defend the NSA's collections. The government extrapolates from the fact that if something isn't a violation of civil liberties forperson (i.e., bulk records collections) than it's not a violation when the program collects records on. The courts have backed this up: rights do not spring into existence ex nihilo.The government used this argument to address Basaaly Moalin's claims that records obtained under the Section 215 program violated his constitutional rights. In the most basic terms, it claimed that if an intelligence (or law enforcement) agency can surveil one person without violating their Fourth Amendment rights (using bulk records, etc.), it can do it to everyone . (Perversely, it then spins around and claims this is why no one has standing to sue the government over these untargeted collections.)So, the expansion of the previously targeted pen register program into a bulk internet metadata collection relied on the same basic argument. Even if the statute is written in a way that specifies singular targeting, the government would argue that the statute is equally applicable to collecting data on millions of people -- all of it needing no more authority than a signature of a United States Attorney.All things considered, it's rather surprising the Stellar Wind program was shut down . The NSA certainly has shown no desire to eliminate a program, even if it produces large amounts of nearly-useless data. More than likely, the program was just supplanted by a better dragnet. Right about the time Stellar Wind shut down, a rules change to the Section 702 collections program gave the NSA "permission" (via a new loophole) to target Americans directly Also of note: while there's no date on this document (redacted, of course), the internal citations [, p. 7;, p. 14] suggest this opinion was the end result of another post facto search for permission by the NSA. The program supposedly began in 2001, but the court doesn't actually address the collection until 2004,. This may be the point that the NSA first sought to collect metadata on, with all previous collections being— but without further documentation (and factoring in the agency's tendency to collect, seek approval), there's no way to tell if the NSA was collecting internet metadata without even theof legal approval previous to this opinion.

Filed Under: colleen kollar-kotelly, email, fisa court, fisc, internet, metadata, pen register