Photo via Library of Congress
One of the enduring questions about the ongoing NSA privacy scandals is how exactly broad wiretapping and data collections were ever deemed legal in the first place. The answer, it turns out, largely centers around the Foreign Intelligence and Surveillance Act (FISA), a counter-espionage law updated by the Patriot Act to allow broad spying powers for counter-terror efforts.
Six months ago, before the PRISM revelations blew the lid off the NSA's spying, the Supreme Court ruled 5-4 to refuse to hear a challenge that stemmed from the FISA Amendments Act of 2008, which gave even broader spying powers to the government and eliminated legal barriers to warrantless wiretapping by the NSA.
Even then, the revelation that the NSA was collecting millions of phone records from wireless carriers was astounding. An April 25 ruling from the Foreign Intelligence Surveillance Court (FISC), a secret court that rules on all things FISA, compelled Verizon to give up all phone records for all of its subscribers for a three month period that ended July 19th. Only now has the FISC released its ruling of how such broad data collection is legal.
In simple terms, enormously vague wording in the Patriot Act is to blame, namely the hugely controversial Section 215, which has been ruled to grant the NSA the power to collect phone numbers and call data—just no subscriber info or location data, as NSA Director Keith Alexander discussed at the Black Hat conference.
But how is such massive collection legal? The court explains on page 10 that Section 215 was created to guarantee the government access to information it needs for investigations while protecting the privacy of citizens. More importantly, such collection must pass a series of standards ensuring that the investigation is indeed relevant, is aimed at criminal acts instead of protected speech or the like, and that "adequate minimization procedures" are in place governing how much data is collected and retained.
Sounds pretty straightforward, but how are millions of phone records both relevant to an investigation as well as "minimized"? The relevant section concerning the court's opinion starts on page 18 of the linked document. Naturally, because we are talking about the Patriot Act, it involves terrorism:
Because known and unknown international terrorist operatives are using telephone communications, and because it is necessary to obtain the bulk collection of a telephone company's metadata to determine those connections between known and unknown international terrorist operatives as part of authorized investigations, the production of the information sought meets the standard for relevance under Section 215.
In other words, there are terrorists out there, but because their phone call habits can only be identified by collecting everyone's phone records, it's necessary for the investigation of both "known and unknown" (leaving options open is a theme here) terrorists to collect all that data.
Because that is clearly a ridiculous argument—there are bad guys out there we want to investigate, so let's collect everything and sort through it to see what fits—the court quickly shifts the blame to Congress.
As an initial matter and as a point of clarification, the government's burden under Section 215 is not to prove that the records sought are, in fact, relevant to an authorized investigation. The explicit terms of the statute require "a statement of facts showing that there are reasonable grounds to believe that the tangible things sought are relevant...." (emphasis added [by the court]). In establishing this standard, Congress chose to leave the term "relevant" undefined.
The entire reason the NSA can legally justify its massive dragnets of phone data is because Congress didn't explain what "relevant" means when legislating how such collections must be "relevant" to an investigation. Because of that, as well as the hilariously loose wording that the government must only prove that it thinks what it's looking for is relevant to the case, the FISA court says that even though it knows this argument is ridiculously broad, its hands are essentially tied (emphasis mine):
It is axiomatic that when Congress declines to define a term a court must give the term its ordinary meaning. Accompanying the government's first application for the bulk production of telephone company metadata was a Memorandum of Law which argued that "[i]nformation is 'relevant' to an authorized international terrorism investigation if it bears upon, or is pertinent to, that investigation." This Court recognizes that the concept of relevance here is in fact broad and amounts to a relatively low standard. Where there is no requirement for specific and articulable facts or materiality, the government may meet the standard under Section 215 if it can demonstrate reasonable grounds to believe that the information sought to be produced has some bearing on its investigations of the identified international terrorist organizations.
Imagine if cops got court approval—in secret, mind you—to kick in every door on your block if they were looking for weed because, statistically, someone in your neighborhood has probably got some, and thus such searches are relevant to their goal of arresting weed users.
Sure, this ruling only concerns phone call records, which the court claims have no personal data attached. But the fact that the court would acknowledge that a privacy law is poorly written and overly broad, and then sign off on it anyway, is an extremely troubling precedent.
It's clear that the FISC, perhaps due to its secret nature, is only going through the motions with regards to oversight. Already we saw the court admit that it knew the government was lying repeatedly about the scope of its spying activities, and signed off on them anyway. And here we have the admission that the laws are terribly written, but all we get is a shrug and a signature. When the courts allow highly questionable acts simply because admittedly bad laws say so, we've got a serious judicial problem on our hands.