Last week’s surprisingly rapid approval of the USA FREEDOM Act by two crucial House committees cheered civil libertarians, even if some of the compromises required to move it forward did not. If the new version of USA FREEDOM doesn’t contain some of the key provisions privacy advocates had applauded in its original incarnation, it does at least still require advance judicial approval of specific “selectors” before records can be demanded from phone carriers, and it does limit the government to two “hops” from an initial “seed” number linked by “reasonable articulable suspicion” to a foreign terror group. Or does it? While the current incarnation of USA FREEDOM is clearly intended to impose the two-hop limit that President Obama has agreed is sufficient for intelligence needs, it does so rather differently than the original version—and is worded ambiguously enough that, it seems to me, a clever Justice Department lawyer might be able to construe it as permitting four hops, rather than the two Congress intends.
The original version of USA FREEDOM ended bulk collection—but still allowed the NSA to do “contact chaining” up to two “hops” from an initial suspicious number—using language unanimously approved by the Senate way back in 2005. That language would have allowed the government to demand records that were both “relevant to an authorized investigation” and pertained to a suspected foreign agent, the direct contacts of that suspected agent, or the “activities” of a suspected agent who was the subject of an investigation. (The latter category intended to cover scenarios where the government has a reasonably specific idea of what the suspect is up to, but perhaps not the name under which they’re doing it.) The phone records that pertain to the suspect would have contained identifying numbers for their direct contacts—hop number one—while the records that pertain to those direct contacts would contain the numbers of second-degree contacts, or hop number two.
The current version does things rather differently. First, across an array of different intelligence authorities, the bill attempts to preclude bulk collection by requiring the government to use a “specific selection term” approved by the FISA Court when it requests records. Second, it creates a special new form of §215 order specifically for “call detail records,” requiring phone carriers to provide technical assistance to enable rapid compliance with requests, and establishing a unique two-stage process meant to ensure that the government can get “two hop” information from a single request. These special 215 orders would:
(iii) provide that the Government may require the production of call detail records—
(I) using the specific selection term that satisfies the standard required under subsection (b)(2)(C)(ii) as the basis for production;
(II) using the results of the production under subclause (I) as the basis for production;
That sounds like it should give you the same “two hops” the original version did. But here’s how one could read it to go further than that.
The first stage of production above does not say (as the original version did, and as one might intuitively read it) that the government may obtain call detail records that belong to or pertain to the account associated with the terrorism-linked selection term. It says instead that this selection-term will be used as the “basis for production,” without spelling out precisely what this means. One way a number could be the “basis for production” would be if the carrier coughed up records for the account associated with that number. But another way to use the selection term as the “basis for production” would be to produce every phone bill, or whatever call-log file the carriers use to generate phone bills, in which the number (possibly owned by another provider) appears. This would be the §215 equivalent of “about” searches under §702 of the FISA Amendments Act, in which the government acquires communications that contain a reference to a targeted selector, even if they are not to or from the target.
What’s important to recognize here is that the government clearly needs to be able to do this sort of “about” query for foreign seed numbers, because that’s the only way they’re going to get any response from a domestic carrier like AT&T in response to an order using (say) a Yemeni number as the “seed.” Indeed, this is the whole point of the program—to reveal domestic links to phone numbers owned by overseas carriers that the government can’t directly subpoena. If this sort of “about” search weren’t encompassed by the “basis for production” language, the authority would be useless for most of their seeds. It is inconceivable that the intelligence community would have accepted this language unless they understood it to authorize using a foreign number as the “basis for production” by requiring the carriers to query all their domestic records and return those containing an incoming or outgoing call to or from that number.
If the “record” the carrier returns as a result of this about search is only a record of an individual call to or from the query number, then the bill functions as Congress intends, yielding two hops of information. But if the “record” produced in response to such a query is instead something akin to a monthly phone bill, the government effectively gets a free “hop” at each stage of production. The two stages authorized here would then yield as many as four hops.
Stage one would yield the suspect’s records, in the cases where they have an account with the served carrier, but also the records of first-order contacts in which the suspect’s numbers appear. Again, if those records are something akin to a phone bill—with the queried number included in a longer list of calls placed to or from some other account—then the list of other numbers in the same bill, hop number two, are already part of the results of the first stage of production. Those second hop numbers are then part of the input to stage two, and can be used as the “basis for” another round of production. Now we iterate it again: The government gets all the records belonging to or pertaining to those second-hop numbers from stage one, but also all the records containing those numbers. Again, if those records are phone bill style lists rather than individual calls, the owner of the record containing the second-hop numbers is hop three. The other numbers included in the same phone bill or list are hop four.
This wouldn’t be a complete set of four hops, of course, because presumably at some points you hit a non-U.S, carrier, and some carriers might at least draw the line at the particular bill containing the selection term. Moreover, my understanding is that the way carriers internally use the phrase “call detail record” is more consistent with a narrower construal, where the “record” contains information about a specific call, not the kind of information you’d find in a phone bill. But the definition in the statute is not, at least to my eye, obviously similarly narrow—a clever lawyer could at least plausibly argue that a phone bill appropriately scrubbed of personal information would meet the definition of a “call detail record.” Since history suggests that if NSA could make this argument, they probably will make it, a small tweak along the following lines could preclude any such shenanigans:
Production on the basis of a selection term under this subsection shall be limited to session information pertaining to communications to or from the accounts or facilities associated with that term.
Voila, back to two hops, as Congress intended all along.