End urged for NSA’s data culling

3 of 5 on panel say project illicit

Thursday, January 23, 2014

WASHINGTON - An independent federal privacy watchdog has concluded that the National Security Agency’s program to collect bulk phone records has provided only “minimal” benefits in counter terrorism efforts, is illegal and should be shut down.

The findings are laid out in a 238-page report, scheduled for release by today and obtained by The New York Times, that represents the first major public statement by the Privacy and Civil Liberties Oversight Board, which Congress made an independent agency in 2007 and which only recently became fully operational.

The report is likely to inject a significant new voice as the debate over surveillance continues despite a high-profile speech on the matter last week by President Barack Obama.

Obama consulted with the board, along with a separate review group that last month delivered its own report about surveillance policies. But while he said in his speech that he was tightening access to the data and declared his intention to find a way to end government collection of the bulk records, he said the program’s capabilities should be preserved.

The Obama administration has portrayed the bulk-collection program as useful and lawful while at the same time acknowledging concerns about privacy and potential abuse. But in its report, the board disagrees with the government’s legal theory behind the program. That theory holds that a law known as Section 215 of the Patriot Act, which allows the FBI to obtain business records deemed “relevant” to an investigation, can be legitimately interpreted as authorizing the National Security Agency to collect all calling records in the country.

The program “lacks a viable legal foundation under Section215, implicates constitutional concerns under the First and Fourth Amendments, raises serious threats to privacy and civil liberties as a policy matter, and has shown only limited value,” the report said. “As a result, the board recommends that the government end the program.”

While a majority of the five-member board embraced that conclusion, two members dissented from the view that the program was illegal. But the panel was united in 10 other recommendations, including deleting raw phone records after three years instead of five and tightening access to search results.

The report also sheds light on the history of the once-secret bulk-collection program. It contains the first official acknowledgment that the Foreign Intelligence Surveillance Court produced no judicial opinion detailing its legal rationale for the program until August, even though it had been issuing orders to phone companies for the records and to the National Security Agency for how it could handle them since May 2006.

The privacy board’s legal critique of the program was approved by David Medine, the board’s chairman and a former Federal Trade Commission official in President Bill Clinton’s administration; Patricia Wald, a retired federal appeals court judge named to the bench by President Jimmy Carter; and James Dempsey, a civil-liberties advocate who specializes in technology issues.

But the other two members - Rachel Brand and Elisebeth Collins Cook, both Justice Department lawyers in President George W. Bush’s administration - rejected the finding that the program was illegal.

They wrote in separate dissents that the board should have focused exclusively on policy and left legal analysis to the courts. Last month, two U.S. district judges reached opposite legal conclusions in separate lawsuits challenging the program.

Brand wrote that while the legal question was “difficult,” the government’s legal theory was “at least a reasonable reading, made in good faith by numerous officials in two administrations of different parties.” She also worried that declaring that counter terrorism officials “have been operating this program unlawfully for years” could damage morale and make agencies overly cautious in taking steps to protect the country.

But the privacy board was unanimous in recommending a series of immediate changes to the program. The three in the majority wanted those changes as part of a brief wind down period, while the two in dissent wanted them to be structural for a program that would continue.

Some of those recommendations dovetailed with the steps Obama announced last week, including limiting analysts’ access to the call records of people no further than two links removed from a suspect, instead of three, and creating a panel of outside lawyers to serve as public advocates in major cases involving secret surveillance programs.

Others - like deleting the data more quickly - were not mentioned in the president’s speech. And all members of the board expressed privacy concerns about requiring phone companies to retain call records longer than they normally would, which might be necessary to meet Obama’s stated goal of finding a way to preserve the program’s ability without having the government collect the bulk data.

The program began in late 2001 based on wartime authority claimed by Bush. In 2006, the Bush administration persuaded the surveillance court to begin authorizing the program based on the Patriot Act under a theory the Obama administration would later embrace.

But the privacy board’s report criticized that rationale, saying the legal theory was a “subversion” of the law’s intent and that the program also violated the Electronic Communications Privacy Act.

“It may have been a laudable goal for the executive branch to bring this program under the supervision” of the court, the report says. “Ultimately, however, that effort represents an unsustainable attempt to shoehorn a pre-existing surveillance program into the text of a statute with which it is not compatible.”

Defenders of the program have argued that Congress acquiesced to that secret interpretation of the law by twice extending its expiration without changes. But the report rejects that idea as “both unsupported by legal precedent and unacceptable as a matter of democratic accountability.”

The report also scrutinizes in detail a handful of investigations in which the program was used, finding “no instance in which the program directly contributed to the discovery of a previously unknown terrorist plot or the disruption of a terrorist attack.”

But in her dissent, Cook criticized judging the program’s worth based only on whether it had stopped an attack to date.

Also on Wednesday, Microsoft General Counsel Brad Smith announced that the company will allow overseas customers to have their personal data stored outside the U.S. in response to concerns about surveillance.

Smith said that while other technology companies oppose the idea, it’s become necessary since the U.S. data-collection programs were revealed. A spokesman for Microsoft Corp. confirmed his comments.

Technology companies from Microsoft to Google Inc. have been grappling with customer concerns after revelations about the programs were leaked by former National Security Agency contractor Edward Snowden.

In a panel discussion earlier Wednesday at the World Economic Forum in Davos, Switzerland, Smith said Microsoft doesn’t turn over information stored in its data centers and requires requests made by governments to go through the due process of law.

“It is not our right, no one elected us, to simply decide to turn over someone’s information,” Smith said.

Information for this article was contributed by Charlie Savage of The New York Times and by Dina Bass and Ian King of Bloomberg News.

Front Section, Pages 1 on 01/23/2014