In the Washington Post, Bart Gellman has a fascinating story on the NSA’s surveillance practices. There’s a lot to chew on in the article, but one interesting part is a discussion of the legal issue that led to the Goldsmith/Comey confrontation over the legality of NSA surveillance in 2004. Gellman writes:
Telephone metadata was not the issue that sparked a rebellion at the Justice Department, first by Jack Goldsmith of the Office of Legal Counsel and then by Comey, who was acting attorney general because John D. Ashcroft was in intensive care with acute gallstone pancreatitis. It was Internet metadata.
At Bush’s direction, in orders prepared by David Addington, the counsel to Vice President Richard B. Cheney, the NSA had been siphoning e-mail metadata and technical records of Skype calls from data links owned by AT&T, Sprint and MCI, which later merged with Verizon.
For reasons unspecified in the report, Goldsmith and Comey became convinced that Bush had no lawful authority to do that.
. . .
In the urgent aftermath of Sept. 11, 2001, with more attacks thought to be imminent, analysts wanted to use “contact chaining” techniques to build what the NSA describes as network graphs of people who represented potential threats.
The legal challenge for the NSA was that its practice of collecting high volumes of data from digital links did not seem to meet even the relatively low requirements of Bush’s authorization, which allowed collection of Internet metadata “for communications with at least one communicant outside the United States or for which no communicant was known to be a citizen of the United States,” the NSA inspector general’s report said.
Lawyers for the agency came up with an interpretation that said the NSA did not “acquire” the communications, a term with formal meaning in surveillance law, until analysts ran searches against it. The NSA could “obtain” metadata in bulk, they argued, without meeting the required standards for acquisition.
Goldsmith and Comey did not buy that argument, and a high-ranking U.S. intelligence official said the NSA does not rely on it today.
As soon as surveillance data “touches us, we’ve got it, whatever verbs you choose to use,” the official said in an interview. “We’re not saying there’s a magic formula that lets us have it without having it.”
When Comey finally ordered a stop to the program, Bush signed an order renewing it anyway. Comey, Goldsmith, FBI Director Robert S. Mueller III and most of the senior Bush appointees in the Justice Department began drafting letters of resignation.
. . .
Then-NSA Director Michael V. Hayden was not among them. According to the inspector general’s classified report, Cheney’s lawyer, Addington, placed a phone call and “General Hayden had to decide whether NSA would execute the Authorization without the Attorney General’s signature.” He decided to go along.
The following morning, when Mueller told Bush that he and Comey intended to resign, the president reversed himself.
Three months later, on July 15, the secret surveillance court allowed the NSA to resume bulk collection under the court’s own authority. The opinion, which remains highly classified, was based on a provision of electronic surveillance law, known as “pen register, trap and trace,” that was written to allow law enforcement officers to obtain the phone numbers of incoming and outgoing calls from a single telephone line.
If Gellman’s story gets it right, the legal issues that Goldsmith & Comey were acting on were pretty different from what we used to think– and considerably more technical. Back in 2007, we all assumed that the monitoring involved contents of communications. We guessed — or at least I did — that the issue was whether Article II trumped FISA or the AUMF was a statutory authorization that allowed content monitoring. But it sounds like the dispute was actually about whether bulk collection of metadata amounts to a “pen register” or “trap and trace device” under 18 U.S.C. 3127(3)-(4), part of the low-profile Pen Register statute. (For an introduction to the Pen Register statute and its application to the Internet, see here at 623-48.)
Notably, unlike FISA’s prohibition on content monitoring, the Pen Register statute does not have an override for surveillance authorized elsewhere by statute. The prohibition against installing a pen register or trap and trace device in 18 U.S.C. 3121(a) requires a pen register order unless an exception is met, but most of the exceptions relate to either provider needs to monitor the network or else consent. There are some national security exceptions, but they are very narrow. So if you conclude that collecting bulk metadata amounts to the installation of a pen register and/or trap and trace device, you’re pretty much stuck with getting a pen register order (either through the criminal law authorities or FISA authorities) or else you’re committing a misdemeanor violation of the pen register statute. And that’s true even if the President has entered some kind of order — say, under the AUMF — authorizing the collection. It sounds like the FISC mooted the issue starting July 2004 by granting a database-wide pen register order. As I mentioned in my first post on the leaked Verizon order, the interpretive issue would have been pretty similar to that which was necessary to get a full-database collection order of stored records under Section 215.