Section 215 of the USA PATRIOT Act will expire on June 1, 2015, unless Congress extends it. It is important to note that this is NOT the entire USA PATRIOT Act, as many politicians have claimed with their fearmongering. Section 215 needs to expire if we want to protect our privacy rights and support international business growth; our national security will *not* be diminished as a result.

The USA PATRIOT Act is a huge document (“the bill was 342 pages long, and many members of Congress now say they did not even read it before voting in favor”) that was hastily written and signed into law forty-five days after the September 11 terrorist attacks in 2001, despite not being read by most of the lawmakers. This massive bill authorized a wide range of surveillance activities that were meant to be temporary and to serve to investigate and prevent follow-on attacks. The law permits mass surveillance with virtually no effective oversight for privacy rights, including under the 4th Amendment to the United States Constitution, and no accountability for those performing the mass surveillance.

Consider this: The U.S. Department of Justice Office of the Inspector General Report to Congress on Implementation of Section 1001 of the USA PATRIOT Act found numerous problems with how the program was being run, and a significant lack of oversight, which likely applied to all sections. Here are just three excerpts to that effect:
- "poor supervision and ineffective oversight, contributed to the serious abuses"
- "three FBI media leak investigations in which the FBI sought, and in two cases received, telephone toll billing records or calling activity information for telephone numbers assigned to reporters, without first obtaining required approval from the Attorney General"
- "serious lapses in training, supervision, and oversight led to the FBI and the Department issuing these requests for the reporters’ records without following legal requirements and their own policies"
Section 215 allows the bulk (meaning they take all) collection of phone record metadata without a warrant signed by a judge (required by the U.S. Constitution), and with no accountability for the actions taken with all that data, how it is used and shared, or for any misuse or breaches. It is time to stop this unnecessary invasion of privacy and widening collection of bulk data by letting Section 215 expire as originally intended.

Here are nine reasons there should be no bulk phone metadata collection:
- It does not catch terrorists. There is not a single instance where phone record metadata was used to identify, stop or prevent terrorist activities. This is clearly stated within a Privacy and Civil Liberties Oversight Board (PCLOB) report, which recommended doing away with the bulk data collection.
- Terrorists and crooks don’t usually (if ever anymore) communicate using the mainstream telecommunications businesses. Those who plot and plan attacks know that the bulk data of major telecommunications and Internet services are being collected and analyzed. The Dark Web, Deep Web, untraceable pre-paid cell phones and other means are used to communicate without being surveilled. Those wanting to continue the collection always say, “If we had only had that phone metadata in 2001 we may have been able to prevent this tragedy” and similar sentiments. Well, stop for a minute and think.
  - That is speculation that cannot be proven. The phone systems in 2001 were vastly different from today’s phone systems, and analyzing huge amounts of data was not easy, if even possible. So yes, it may have been possible to have accidentally captured some data that would have revealed something, but without the analytics capabilities it is likely that any phone communications that did occur would not have been caught.
  - Technology today has evolved by light years since 2001. In addition to the means mentioned earlier, there are so many other ways that terrorists are known to communicate that they basically avoid traditional cellphone services for their communications.
- It does not protect our safety. Richard Clarke, counterterrorism adviser to presidents Bush and Clinton, called Section 215 “badly drafted,” “unnecessary” and “unproductive”. Other security experts agree.
- Those writing the law say it wasn’t meant for such surveillance practices. Jim Sensenbrenner, who wrote the USA PATRIOT Act, has publicly stated multiple times that the bulk collection of communications records goes far beyond the intent of the law as written.
- A federal court has ruled that it is illegal. The PCLOB has also stated that it is illegal. It is worth repeating: It is illegal!
- Legal scholars and the PCLOB say it is unconstitutional. The Fourth Amendment was established to eliminate the widely used general warrants that officials at the time used to go into people’s homes and do searches whenever they wanted, in the name of security. The unlimited, unchecked collection of phone records is the modern-day, digital form of this past abuse that our founding fathers fought to eliminate three centuries ago.
- There are vast amounts of other, more helpful, data publicly available, and proper legal channels already exist to obtain that data. So much other available data has actually caught criminals and terrorists that there is no justification for bulk collection of private phone records of all U.S. citizens. Many have been caught using information found publicly available online, and on non-protected social media sites. Others have been caught using the surveillance camera image feeds found in an ever-growing number of public places. And others have been caught because of their activities viewed in person, and the types of items they were observed purchasing. If probable cause truly exists to access phone metadata, a warrant can still be obtained in support of the United States Constitution to properly secure any records necessary related to that probable cause.
- Large numbers of people may have access to the data collected. There are an estimated 100,000 NSA employees and contracted workers. I know from my experience, and audits show, that a percentage of workers will take information for inappropriate purposes. We know ex-NSA worker Edward Snowden released reams of sensitive information for public perusal. Think about how many of those other NSA workers with access to the data are doing bad things we don’t know about. Also, think about all those who make mistakes and improperly expose that data, or do bad things with the data because they didn’t know better due to a lack of proper training. This happens all the time, as demonstrated by all the breaches reported almost daily.
- It suppresses business. Bulk collection of private communication records allows pervasive invasion of the privacy of every U.S. citizen and those they communicate with worldwide. Many businesses in other countries do not do business with U.S.-based organizations because of the pervasive surveillance, stifling full growth potential for the U.S. economy.
This is not to say that these other methods that have actually captured terrorists do not have privacy issues as well, or that they do not need to be improved upon (they do). It is to point out the topic of focus for this writing: that Section 215 is not providing any value with regard to improving homeland security, and that it is creating significant privacy problems, along with the associated risks described above, simply by stockpiling the phone metadata of everyone in the U.S. and all those they communicate with.

Politicians pushing for the renewal of Section 215 are using fear-mongering to justify this unnecessary mass data collection. They sidestep the facts and say there are no privacy issues with the metadata collected, then try to scare the public by saying mass surveillance using phone metadata is necessary to prevent widespread violence. Here’s what is truly scary: the former director of the NSA and CIA, Michael Hayden, said "we kill people based on metadata." Hayden’s statements, while flippant, show how much personal insight phone metadata reveals about individuals, insight that results in such lethal actions.

As a business owner who has worked in privacy and security for more than 25 years, I understand the enormous, negative impact Section 215 and other laws that permit unfettered access to personal data have on individuals’ rights and lives when data is used or shared inappropriately. My technically astute privacy colleagues, and information security experts, also understand the impact.

The deadline for expiration of Section 215 is quickly approaching. I encourage readers to engage on this issue to advance efforts to ensure Section 215 expires, strengthening privacy and allowing private businesses to expand beyond U.S. borders without being thwarted by our own government’s unnecessary invasion of privacy and disregard for the 4th Amendment.

About the Author: Rebecca Herold has more than twenty years of experience in matters related to law, infosec, and privacy, and is also an accomplished author and Adjunct Professor for the Norwich University Master of Science in Information Assurance Program. Herold, an attorney with wide-ranging subject matter expertise, has led the NIST Smart Grid privacy group since 2009, where she also spearheaded the Privacy Impact Assessment (PIA) for utilities. She also worked with ENISA to produce their “Obtaining support and funding from senior management” guidelines for businesses, and currently advises healthcare organizations and their business associates on how to meet their HIPAA, HITECH and other information security and privacy compliance and risk mitigation requirements.

Editor’s Note: The opinions expressed in this and other guest author articles are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.