On November 8, 2007, Yahoo received its first order to comply with the Protect America Act, the original law authorizing PRISM. Yahoo immediately told DOJ it would challenge the order. On May 12, 2008 — even as Yahoo appealed FISC’s order to comply with those PAA orders — Yahoo started complying with its PAA orders.
It took 185 days for Yahoo to set up a content compliance system under PRISM and challenge the underlying orders. And along the way, FBI’s requests expanded, from just a few items to nine, which appear to span the four business units Yahoo had at the time. Yet even in spite of FBI’s moving target and its ongoing legal challenge, Yahoo was able to start complying in about 6 months.
And yet Richard Burr believes — rather, claims to believe — that providers who already have sophisticated compliance systems (either under upstream and daily call records production, in the case of the telecoms, or PRISM production, in the case of other providers, not to mention that AT&T already provides roughly what it will under the new program under a contract with the FBI) will not be able to implement a system that will allow them to turn over phone records within 180 days.
Now, perhaps Burr really believes it will be tougher for providers to set up a metadata compliance system than set up content compliance systems that involve a heavy metadata component.
If so, that ought to raise real questions about what he thinks these providers will be doing, because it won’t just be turning over metadata.
Alternately, he’s wielding his ridiculous concerns about compliance for the same hoped effect as his bill did. He claimed that bill would institute a 2-year transition period for this program, but what it did in fact was to immediately grant the Intelligence Community all the authorities it has wanted, vastly expanding the dragnet. Then, a year after giving the IC everything it wanted, it would conduct a 1-year review (before any transition happened) that would show that it would be cheaper for the government to remain in the dragnet business. Only after 2 years would any “transition” happen, and it would in fact happen, if it did, immediately, with no transition period (though it probably never would happen, given that the IC would have already gotten everything it wanted).
That is, Burr’s claim that providers that have been complying with significant government requests for 7 years would need 2 more years to learn how to do it are probably just a bid to prevent the move to providers in the first place, a bid to have one more chance to argue in 6 months or a year or 2 years that it’s okay for the government to hold onto all our phone and Internet metadata.
But if not — if the new system will require more from providers than it did when they started turning over records under PRISM — than that is itself news.