Protection from prying NSA eyes

A (Classified) proposal

Beginner's guide to SSL certificates

Comment From the US Fourth Amendment, the Stored Communications Act and US wiretap laws to the Pen-register statute, Mark Rasch looks at legal protections available to the telecommunications companies and individual Americans in the wake of the NSA's massive spying program.

Imagine being the head of a major telecommunications company in the United States. You and your lawyers have developed a carefully worded privacy policy to conform with the law. In it you tell your customers that you do not share information about your customers' use of your services except for particular business purposes, and to ensure that the calls get through. You also tell your customers that you, of course, give information in response to lawful subpoenas or lawful mandates of law enforcement agencies. And that's about it.

One day, you receive a visit from agents of the National Security Agency (NSA), who make a formal "request" that you, as a patriotic American company, turn over records of telephone calls made by millions of customers in the interests of "national security". If you don't do it, the agent reminds you, you probably wont get those lucrative government contracts, and you certainly won't get any work with any classified government agencies. If you do it, you may open yourself up to class action litigation. What do you do?

Unfortunately, there currently is no way for you do go to any court and get a definitive ruling on what you are allowed – or required – to do. I propose that we open up the super-secret FISA court to allow private citizens or companies that receive requests or demands from the government to demand judicial intervention in a way that would protect national security, and act as a check and balance on any unlimited powers of the Executive Branch.

NSA monitoring millions of Americans

On Thursday, 11 May, USA Today disclosed that several US telephone companies gave over records relating to telephone calls made by millions of Americans to the National Security Agency in the wake of the events of 11 September, 2001.

We do not know the scope of this program. As reported to date, the government requested that various telephone companies turn over calling pattern information on millions of US origin telephone calls – these are reportedly calls that both originated and terminated in the United States.

At least one report has suggested that the program worked as follows: the government would have a suspected al-Qaeda suspect, and would learn of telephone numbers he or she called, or merely possessed. If any of these telephone numbers were located in the United States, the NSA would then attempt to learn what these numbers were, and who these people had called. Thus, if you operate a local Dominoes pizza, and received a call from someone who received a call from someone who the government suspected was associated with a terrorist, then Dominoes would make it to the list of suspects.

The President has suggested that the program is more narrow than this, stating so in his weekly radio address on 13 May, 2006.

"It is important for Americans to understand that our activities strictly target al Qaeda and its known affiliates...The privacy of all Americans is fiercely protected in all our activities. The government does not listen to domestic phone calls without court approval. We are not trolling through the personal lives of millions of innocent Americans. Our efforts are focused on links to al Qaeda terrorists and its affiliates who want to harm the American people."

Does this mean that the records of telephone calls requested from the telephone companies were only those of al Qaeda and its known affiliates? Does that mean that the NSA neither sought nor received the records of phone calls of "millions of innocent Americans" so it could troll through them? Or does it mean that, while the government didn't listen in on purely domestic calls (where the source and destination were in the United States), the NSA might have obtained records of the calls made by many millions of other callers, but did so in order to "target" al Qaeda or others? Or that the President doesn't believe that reviewing the records of calls made and received constitutes "trolling" into a part of American's "personal lives?" Right now, we just don't know, and if the NSA has anything to say about it, we probably will never know.

Other reports indicate that the program may not have even been as narrow as suggested. It is possible that the NSA requested all calling data from the phone companies – that is every telephone number called by every other telephone number. Indeed, this would not be very different from what the government did with the airlines in the wake of 9/11, when it asked for records of every flight taken by every person in America, despite the fact that the airlines had promised they wouldn't give that information out.

In the airline case, at least one federal court held that these records, being records of the airlines themselves, could lawfully be turned over to the government (in that case, NASA, not the NSA) privacy policies notwithstanding. So it is altogether possible that the NSA has requested, and the phone companies have disclosed, records of every call made and received. Assuming this to be the case, is it illegal? The answer is not so clear.

Whose data is it anyway?

The reports to date tend to indicate that the records turned over to the NSA were records of telephone calls from numbers within the United States. This would essentially be "raw data" – for example, that telephone number (202) 555-1213 called telephone number (313) 555-0802 on a particular date, at a particular time, and that the conversation lasted for a particular period of time.

There are various laws that protect the privacy of telephone records in the United States. First and foremost, there is the Fourth Amendment which provides that:

The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.

For some reason, when this Amendment was drafted in 1791, the drafters left out the terms "telephone records" and "intercepted communications" and "Voice Over Internet Protocol". Possibly just an 18th Century oversight. Indeed, the United States Supreme Court initially found in 1928 that you can't "seize" a telephone call, and therefore the Fourth Amendment didn't apply to phone calls. It wasn't until 1967 that the Court finally realised that the Constitution protects the rights of privacy of persons, not just places, and therefore warrants were required if you wanted to listen in on the contents of communications.

Providing a secure and efficient Helpdesk

Next page: Wrapper information

More from The Register

next story
Scrapping the Human Rights Act: What about privacy and freedom of expression?
Justice minister's attack to destroy ability to challenge state
WHY did Sunday Mirror stoop to slurping selfies for smut sting?
Tabloid splashes, MP resigns - but there's a BIG copyright issue here
DVLA website GOES TITSUP on day paper car tax discs retire
Welcome to GOV.UK - digital by de ... FAULT
Hey Brit taxpayers. You just spent £4m on Central London ‘innovation playground’
Catapult me a Mojito, I feel an Digital Innovation coming on
EU probes Google’s Android omerta again: Talk now, or else
Spill those Android secrets, or we’ll fine you
Google hits back at 'Dear Rupert' over search dominance claims
Choc Factory sniffs: 'We're not pirate-lovers - also, you publish The Sun'
EU to accuse Ireland of giving Apple an overly peachy tax deal – report
Probe expected to say single-digit rate was unlawful
Inequality increasing? BOLLOCKS! You heard me: 'Screw the 1%'
There's morality and then there's economics ...
While you queued for an iPhone 6, Apple's Cook sold shares worth $35m
Right before the stock took a 3.8% dive amid bent and broken mobe drama
prev story


Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
The next step in data security
With recent increased privacy concerns and computers becoming more powerful, the chance of hackers being able to crack smaller-sized RSA keys increases.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.