Fact Sheet: Metadata
February 27, 2014
Issue: Under present legal authority, NSA is permitted to collect “telephony metadata” in bulk from citizens and foreigners alike.
Background: Metadata, also referred to as “telephony metadata” or “business records metadata” is defined by the Foreign Intelligence Surveillance Court (FISC) as “comprehensive communications routing information, including session identifying information (e.g. originating and terminating telephone number, telephone calling card numbers, and time and duration of call…” The FISC explicitly excludes the “substantive content of any communication” as well as “the production of cell site location information.” In practical terms, “metadata” is the digital equivalent of a telephone bill, absent the name and address of the subscriber or any other personally identifiable information beyond the phone number. Authority for the collection of metadata comes from a series of court cases over the past 30 years, which have determined that telephone records cease to be private due to their public transmission to telephone companies. The authority for the bulk domestic collection of metadata is derived from Section 215 of the USA PATRIOT Act. Metadata of non-U.S. persons is collected under Section 702 of FISA and Executive Order 12333 authorities.
The IC analyzes Metadata with “contact-chaining,” or the mapping of the contacts of a phone number suspected of having a connection to a foreign terrorist organization. “‘Contact chaining’ lets analysts to retrieve not only the numbers directly in contact with [the suspect phone number] (the ‘first hop’), but also numbers in contact with all first hop numbers (the ‘second hop’), as well as all numbers in contact with all second hop numbers (the ‘third hop’).”
Controversy: The collection of metadata has been criticized for its potential to reveal private aspects of an individual’s life. The Electronic Frontier Foundation, for example, has stated “[c]alling patterns can reveal all about your life: when you sleep, when you work, your friends and family, your civic and political participation and affiliation.” The ACLU argues “[t]he “who,” “when” and “how frequently” of communications are often more revealing than what is said or written. Calls between a reporter and a government whistleblower, for example, may reveal a relationship that can be incriminating all on its own.”
Assessment: These criticisms are wildly exaggerated. Press accounts make it sound like NSA has looked at millions of records. In practice, NSA queried only 288 primary “seed” phone numbers in 2012, and its ultimate contact chain analysis only touched 6,000 numbers connected to foreign intelligence activity. To search all records would be time-consuming and hinder analysis of relevant intelligence information.
Metadata collected under Section 215 is limited to the call-log records of a particular phone number. The metadata does not include the “content” of a call, nor does it include the names, addresses or any other personally identifying information; it only shows the links between phone numbers. Contrary to the ACLU claims, it cannot be used by the NSA to ascertain intimate personal information.
An analyst can look at metadata only after he or she has demonstrates a “reasonable, articulable suspicion” that a phone number is associated with a foreign terrorist organization, and only 22 NSA officials can authorize a query selector. Metadata queries are closely monitored through a series of minimization procedures, which limit the retention of and access to U.S. person data. Other procedural safeguards include limiting data access, creating auditable records of all searches, requiring monthly reports on activities, time limitations on the retention of data, as well as quarterly reviews by the Foreign Intelligence Surveillance Court.
Despite the care taken by the NSA to prevent the abuse of data, there is an expectation that a federal agency should not have the authority to approve its own search requests. The legitimacy of metadata program oversight may be improved if the NSA was required to get court approval for database queries.
Scott F. Mann is a research associate with the Strategic Technologies Program at the Center for Strategic and International Studies (CSIS) in Washington, D.C.
Commentary is produced by the Center for Strategic and International Studies (CSIS), a private, tax-exempt institution focusing on international public policy issues. Its research is nonpartisan and nonproprietary. CSIS does not take specific policy positions. Accordingly, all views, positions, and conclusions expressed in this publication should be understood to be solely those of the author(s).
© 2014 by the Center for Strategic and International Studies. All rights reserved.