Lawfare “Breaks” News: NSA Hasn’t Restarted the Section 215 CDR Function
Last week, Lawfare’s podcast had on Luke Murry, National Security Advisor to Republican House Minority Leader Kevin McCarthy, and Daniel Silverberg, National Security Advisor to Democratic House Majority Leader Steny Hoyer.
At 5:10, in response to a question from Margaret Taylor about what kind of oversight Congress will exercise in this Congress, one of them says,
I think my mind goes to the must-pass things. Let’s use that as lowest common denominator. One which may be must-pass, may actually not be must-pass, is Section 215 of USA Freedom Act, where you have this bulk collection of, basically metadata on telephone conversations — not the actual content of the conversations but we’re talking about length of call, time of call, who’s calling — and that expires at the end of this year. But the Administration actually hasn’t been using it for the past six months because of problems with the way in which that information was collected, and possibly collecting on US citizens, in the way it was transferred from private companies to the Administration after they got FISA court approval. So, if the Administration does ask on that, that’s inherently a very sensitive subject. And we’ve seen that sensitivity be true in other areas of USA Freedom Act so I think that’s going to be a real challenge for Congress. But I’m not actually certain that the Administration will want to start that back up given where they’ve been in the last six months.
The staffer seems a bit confused by what he’s talking about.
By description — the description of this being metadata turned over by providers — this must be the Call Detail Record of USA Freedom Act, not all of Section 215. It appears to be public confirmation that the government never resumed the CDR program after it announced that it had destroyed all its records last June (though that works out to be 8 months, not just 6).
That, in turn, suggests that the problem with the records may not be the volume or the content turned over, but some problem created either by the specific language of the law or (more likely) the House Report on it or by the Carpenter decision. Carpenter came out on June 22, so technically after the NSA claims to have started deleting records on May 23. It also may be that the the NSA realized something was non-compliant with its collection just as it was submitting the 6th set of 180-day applications, and didn’t want to admit to the FISC that it had been breaking the law (which is precisely what happened in 2011 when the government deleted all its PRTT records).
Just as an example, I long worried that the government would ask providers to use location data to match phones. Under the law, so long as the government just got the phone number of a new phone that had been geolocated, it might qualify as a CDR under the law, but would absolutely be a violation of the intent of the law. Such an application — which is something that AT&T has long offered law enforcement — might explain what we’ve seen since.
One other thing, though: The NSA almost never gives up a function they like. Instead, they make sure they don’t have any adverse court rulings telling them they’ve broken the law, and move the function some place else. Given that the government withdrew several applications last year after FISC threatened to appoint an amicus, and given that the government now has broadened 12333 sharing, they may have just moved something legally problematic somewhere else.
In any case, there’s no follow-up on the podcast, which might at least clarify the obvious parts of this revelation, to say nothing of asking for the underlying detail. So it will take some work to figure out what really happened.