In its 238-page report published on Thursday, the Privacy and Civil Liberties Oversight Board (PCLOB) provided the most robust and comprehensive argument against the government’s interpretation of its ability to collect bulk metadata under Section 215 of the Patriot Act.

The report gives 12 concrete recommendations that Congress and the White House should take. Some of these overlap with what President Barack Obama has said he would like to implement, but many suggestions go even further. For now, though, these proposals are just recommendations—they do nothing unless acted upon.

“The privacy board’s findings closely mirror many of the criticisms made by surveillance reform advocates. The bulk collection program was built on a murky legal foundation that raises many constitutional questions and has been proven to be an ineffective tool for collecting unique intelligence information," wrote Senator Ron Wyden (D-OR) in a statement on the report. "There have now been two in-depth studies of these programs by unimpeachable government entities that have come to the same conclusion: the bulk collection program should be effectively ended. As the president announced last week, the administration and the Congress will decide the fate of this problematic program in the coming weeks, and it is my belief that reports such as those from the PCLOB and the President’s Review Group should play a major role in any reform effort.”

In addition to ending the metadata program entirely over time, the Board recommended making some immediate changes to the program, including submitting the National Security Agency’s "reasonable articulable suspicion" to the Foreign Intelligence Surveillance Court (FISC) for review. In addition, as the president’s own recommendation said, there should be a "special advocate" who could argue the civil liberties perspective before the FISC. (Current hearings before the FISC are ex parte, where only one side—the government’s—is heard.)

Among other advisories, the PCLOB proposed for the first time that Congress specifically enact legislation that would allow appeals from the FISC to be heard by the Foreign Intelligence Surveillance Court of Review (FISCR), which could then be appealed to the Supreme Court.

The Thursday PCLOB report only addresses critiques of the Section 215 program, but it notes that a future report will address problems found in Section 702 of the Foreign Intelligence Surveillance Act Amendments Act (FISA AA). Meanwhile, the report describes the rules for targeting non-Americans outside the United States. The government argues that PRISM and related spying programs targeting non-Americans outside the United States are authorized under Section 702.

The new report comes about a month after President Barack Obama’s own panel recommended, among other things, that the NSA should no longer be in charge of holding its vast collection of telephone metadata. The PCLOB, unlike the president’s Review Group on Intelligence and Communications Technologies, was created by an act of Congress in 2007 as the result of recommendations from the 911/ Commission. It will continue its watchdog authority indefinitely.

It’s relevant because we say so

The report goes into great detail explaining both the mechanics of the bulk metadata collection program and how it began. It also emphasizes that under the Section 215 program, the NSA does not collect cell-site location information (CSLI), which can be used to provide geographic information about a call.

However, the report ominously notes:

In the past, the NSA has collected a limited amount of cell site location information to test the feasibility of incorporating such information into its Section 215 program, but that information has not been used for intelligence analysis, and the government has stated that the agency does not now collect it under this program.

The PCLOB concluded, as Ars has previously, that by allowing analysis of up to "three hops," this could potentially encompass around half the population of the United States:

If the NSA queries around 300 seed numbers a year, as it did in 2012, then based on the estimates provided earlier about the number of records produced in response to a single query, the corporate store would contain records involving over 120 million telephone numbers.

The meat of the PCLOB report concerns its legal and statutory analysis of the Section 215 program. The group opened up by noting its belief that "this program has been operated in good faith":

However, the Board concludes that Section 215 does not provide an adequate legal basis to support this program. Because the program is not statutorily authorized, it must be ended. Section 215 is designed to enable the FBI to acquire records that a business has in its possession, as part of an FBI investigation, when those records are relevant to the investigation. Yet the operation of the NSA’s bulk telephone records program bears almost no resemblance to that description. First, the telephone records acquired under this program have no connection to any specific FBI investigation at the time the government obtains them. Instead, they are collected in advance to be searched later for records that do have such a connection. Second, because the records are collected in bulk—potentially encompassing all telephone calling records across the nation—they cannot be regarded as "relevant" to any FBI investigation without redefining that word in a manner that is circular, unlimited in scope, and out of step with precedent from analogous legal contexts involving the production of records. Third, instead of compelling telephone companies to turn over records already in their possession, the program operates by placing those companies under a continuing obligation to furnish newly generated calling records on a daily basis. This is an approach lacking foundation in the statute and one that is inconsistent with FISA as a whole, because it circumvents another provision that governs (and limits) the prospective collection of the same type of information. Fourth, the statute permits only the FBI to obtain items for use in its own investigations. It does not authorize the NSA to collect anything.

The PCLOB report even digs into great detail, focusing on textual analysis of a single word:

Notably, Section 215 requires that records sought be relevant to "an" authorized investigation.

Elsewhere, the statute similarly describes the records that can be obtained under its auspices as those sought "for an investigation." The use of the singular noun in these passages signals an expectation that the records are being sought for use in a specific, identified investigation. This interpretation is reinforced by the requirement that the FISA court make specific findings about the investigation for which the records are sought—that it is supported by a factual predicate, conducted according to guidelines approved by the Attorney General, and not based solely upon activities protected by the First Amendment when conducted of a U.S. person. . . . At its core, the approach boils down to the proposition that essentially all telephone records are relevant to essentially all international terrorism investigations. The Board does not believe that this approach comports with a fair reading of the statute.

That pesky third-party doctrine

The PCLOB also took issue with the FISC judges’ conclusions, which concurred with the government’s perspective. That viewpoint says that not only is the metadata program legal, it's necessary. The report says:

At its core, the approach boils down to the proposition that essentially all telephone records are relevant to essentially all international terrorism investigations. The Board does not believe that this approach comports with a fair reading of the statute. . . . This rationale also is inconsistent with Section 215’s requirement that the government provide "a statement of facts" showing that there are "reasonable grounds to believe" that items sought are relevant to an investigation. Such language calls upon the government to supply a fact-bound explanation of why the particular group of records it seeks may have some bearing on one of its investigations. But because the NSA’s program depends on collecting virtually all telephone records, only two facts are cited by the government in support of its applications: that terrorists communicate by telephone, and that it is necessary to collect records in bulk to find the connections that can be uncovered by NSA analysis.

Beyond a rejection of the broad interpretation of "relevant" materials, the PCLOB also found that the Section 215 program violates the (much-maligned) 1986-era Electronic Communications Privacy Act (ECPA) as well as the United States Constitution. That law forbids providers from passing along customer data to any government entity, unless a warrant, court order, or other legal instrument requires it. In 2008, the FISC ruled that the Section 215 program was implicitly consistent with the ECPA. The report says:

Inferring an unwritten exception to ECPA based on an "anomaly" is particularly questionable when that exception is then used to permit the NSA’s bulk collection of telephone records. As noted, the FISA court concluded that it would be irrational to prohibit the government from obtaining telephone records through Section 215, which requires a judge to agree that the records are relevant to an investigation, when the FBI can obtain those same records through a national security letter, which requires no prior judicial approval. But the FBI already widely obtains telephone records through national security letters, and the FISA court’s ruling simply permits a second agency, the NSA, to obtain all telephone records. Even if an aggressive reading of Section 215 permits that result—which we believe is not the case—it clearly is not what Congress intended to achieve when it enacted Section 215.

Like many prior privacy-minded legal analyses, the PCLOB's report argues against the government’s claim that Americans do not have a reasonable expectation of privacy in the numbers that they dial (the metadata). The US government has cited the "third-party doctrine," which courts have historically upheld, finding that simply dialing a number requires giving up that number to the phone company in question, and therefore it cannot possibly be private. (The case in question is Smith v. Maryland.) The Supreme Court has not revisited the third-party doctrine since the 1970s, although Justice Sonia Sotomayor has expressed possible interest in hearing newer challenges.

The government has essentially argued that because it used a pen register to access Smith’s metadata over the course of two days, and because he had no privacy interests in that data, the more modern government has the authority to collect all metadata about all Americans all the time. The report says:

In contrast, for each of the millions of telephone numbers covered by the NSA’s Section 215 program, the agency obtains a record of all incoming and outgoing calls, the duration of those calls, and the precise time of day when they occurred. When the agency targets a telephone number for analysis, the same information [is obtained] for every telephone number with which the original number has had contact, and every telephone number in contact with any of those numbers. And, subject to regular program renewal by the FISA court, it collects these records every day, without interruption, and retains them for a five year time period. Sweeping up this vast swath of information, the government has explained, allows the NSA to use "sophisticated analytic tools" to "discover connections between individuals" and reveal "chains of communication"—a broader power than simply learning the telephone numbers dialed by a single targeted individual.

Privacy lawyers have roundly lauded the new PCLOB report and hope that it puts newfound pressure on the Obama Administration.

"In last week’s speech, billed as a major policy address on surveillance, the president ignored the vast majority of his own review committee’s recommendations, especially those on the structure, activities, and mission of the NSA," Fred Cate, a law professor at Indiana University, told Ars in a statement.

"He ignored entirely the fundamental issue provoked by Snowden’s disclosures of not just numerous surveillance programs, but a culture and approach of vacuuming up all available data, often in overlapping programs, without a clear mission or legal authorization or clear understanding of the competing interests. He didn’t even mention the emerging legal debate over the legality of bulk data collection or the dispute between two federal courts that reached opposite conclusions on that question in the past month."

Similarly, the Center for Democracy and Technology believes that Obama and Congress need to do more to rein in the NSA.

"The PCLOB report demonstrates that the president did not go far enough in his reform recommendations last week," said Nuala O’Connor, the group’s director, in a statement sent to Ars. "Rather than shifting bulk collection to another authority or narrowing the number of records accessed with each NSA query, the president should follow the recommendations of his handpicked Review Group and the independent PCLOB, and he should support legislation intended to end the program, like the USA Freedom Act."