Jochai Ben-Avie and Katherine Maher contributed to this post.
Although Amash-Conyers, the first attempt by the U.S. Congress to limit the surveillance power of the NSA, may have been unsuccessful, its narrow loss demonstrates the growing force behind the call to reform the NSA’s surveillance programs. The amendment lost by a much smaller margin than expected, 217-205, suggesting the issue isn’t going away soon — and that future reform efforts have a good chance of success. However, to know where we go from here, its important to look at what the impact of this amendment could have really been.
Section 215 of the USA PATRIOT Act, as currently interpreted, allows for the acquisition of all telephony metadata from U.S. network providers, retroactively imposing limitations on the NSA’s capability to ‘collect,’ or analyze, that data. The Amash-Conyers amendment sought to end this blanket surveillance by placing funding restrictions on investigations related to metadata collected under that statute, by limiting funding for ‘collection’ under Section 215 to only the data of people who are the ‘subject of the investigation’. This would have likely allowed the NSA to keep acquiring data, put an effective end to the use of 215 for conducting ‘multi-hop’ analysis — that is, the analysis and extrapolation of the subject’s contact networks — and compelled the NSA to utilize other authorities for investigations, some of which would provide greater protections against overreach.
Members of congress — arguing both for and against the amendment — suggested that the Amash-Conyers amendment would have prohibited the NSA from acquiring and storing the metadata of millions of innocent individuals. However, the restrictions offered by the Amash-Conyers amendment were on ‘collection’ of data — a term that the NSA has previously interpreted to mean analysis, not aquisition. Under this definition, the NSA would have likely been free to continue acquiring data from all network users, but with meaningful limitations on how the they could utilize that metadata acquired under 215.
Although the mass acquisition and storage of metadata would have been unaffected by the amendment’s restrictions, supporters expected it would have had dramatic impact on the scale of analysis. Current interpretations of Section 215 allow analysts to examine metadata up to three ‘hops’ away from a suspected terrorist. These ‘multi-hop’ analyses allows the analyst to process all of a target’s communications, all of the communications of their first-order network, up until three degrees of remove. Effectively, this means the metadata of a suspect’s landlord’s cousin’s coworker — someone completely unknown to the suspect — could be fair game.
Researcher Zeynep Tufekci has estimated that, with a conservative 300 network contacts per individual, three hops gets you to 27 million people: from one person to nearly 1/10th the population of the United States. The NSA claims they only queried the database of phone records 300 times. If that’s true, the theoretical extrapolation of Tufekci’s estimated data points exceeds 8 billion: more records than the number of people on the planet today. We believe that the Amash-Conyers amendment would have at minimum banned this type of ‘collection,’ preventing any ‘hop’ analysis beyond the subject of the investigation itself — in other words, limiting analysis to the metadata of the actual subject of the investigation.
The White House and NSA response to the Amash-Conyers was swift: they argued that any such limitation would be fundamentally detrimental to their ability to conduct legitimate foreign intelligence investigations with regards to matters of national security and terrorism. The White House issued a statement on the amendment, with bland calls for open debate. The NSA called an emergency meeting for U.S. legislators, inviting them to a closed door, top-secret briefing, hours before the vote.
This was a red herring. The amendment would have preserved the ability of the NSA to access and analyze information explicitly related to an investigation of a specific suspected terrorist. And the elimination of the hop provision would not have fundamentally prevented the collection of information about that individual’s network through other means — means that could, under reasonable legal interpretations, impose limitations on blanket collection while ensuring greater accountability, due process, and oversight.
The NSA would still have been able to open investigations on the contacts of suspects, granting authorities the ability to analyze their metadata based on “facts or circumstances” reasonably indicating a conspiracy to commit terrorism. Through this technique, the NSA could achieve contact chaining by opening investigations into the first, second, and third hop. However, this scenario is far from ideal — it could potentially replace existing blanket analysis with innumerable official counterterrorism investigations at any given time.
The NSA could also continue to acquire and ‘collect’ these data through pen register/trap and trace device orders, under Section 214 of the PATRIOT Act. This is the same provision which authorized the collection of internet metadata — email metadata includes IP addresses, sender, recipient, time sent, time received, mail server — under a program called Stellar Wind, which ran from 2001 until 2011, when it was discontinued following inquiries by Senators Wyden and Udall. The program operated in a similar fashion to current telephony metadata collection program, whereby the FISA Court granted authority for the bulk gathering of data, for analysis under certain criteria.
The language of the proposed Amash-Conyers amendment suggested the intelligence community would be required to operate more like the law enforcement community in its data acquisition and collection: begin its investigation with the actual subject of an investigation and build a case from there, requiring specificity on the target where known.
One of the possible reasons email metadata was collected under pen register/trap and trace authority (Section 214) and telephony metadata was collected under Section 215 is that the internet data was collected using a physical intercept, while telephony metadata is simply handed over to the NSA directly by the telecoms. If this is the reason for the different statutory authority, the NSA might be required to collect telephony data directly from the networks in order to justify surveillance under the pen register/trap and trace provision, rather than through the telecoms. This might not deter the acquisition or analysis of metadata, but it would place the blame squarely on the government.
Another possibility is that the Obama administration realized that their collection of bulk internet interpretation of Section 214 might not hold up under court challenge. The Foreign Intelligence Surveillance Court (FISC) authorized blanket gathering; however, Section 214 requires that a pen register/trap and trace order identify a specific target of an investigation, when known. When there is bulk acquisition of metadata, the likelihood that the government actually identified specific targets is extremely low, even for those individuals they did know. If this is the case, this may in fact preclude the use of the pen register/trap and trace provision for any continued bulk acquisition of telephony metadata.
Moreover, recent revelations have shown that the devil is in the details of the legal interpretations used by the intelligence community to authorize surveillance practices. While the restrictions suggested by the Amash amendment would have been significantly more rights-respecting than the status quo, it’s unclear whether they would be implemented in a way that fully comports with international law and human rights norms. The International Principles on the Application of Human Rights to Communications Surveillance, developed by Privacy International, EFF, and Access, provide a useful framework for evaluating current and future surveillance practices as this global public debate progresses.
The vote failed, but the debate is certain to continue. Congressional leadership and the Obama Administration should be on notice that U.S. citizens have significant concerns about the NSA gathering and analyzing their metadata based on highly tangential relationships to actual targets. The NSA can no longer justify total secrecy and should move to support due process in conducting contact chaining. That means implementing actual oversight, paper trails, time limits, and specificity in authorization orders, amongst others things. While it wouldn’t have ended government spying programs, the Amash-Conyers Amendment, even in losing, was the first step towards reasonable restrictions on surveillance.