In his post below, my co-blogger Stewart Baker points out DNI James Clapper’s statement about the FISC order requiring Verizon to turn over its entire call records database to the NSA. I was particularly interested in this paragraph:
By order of the FISC, the Government is prohibited from indiscriminately sifting through the telephony metadata acquired under the program. All information that is acquired under this program is subject to strict, court-imposed restrictions on review and handling. The court only allows the data to be queried when there is a reasonable suspicion, based on specific facts, that the particular basis for the query is associated with a foreign terrorist organization.
So the FISC has a minimization order in place. I wonder, though, what’s the legal basis for that standard? The standard described here is a Terry standard, a Fourth Amendment standard for when the police can stop a person temporarily and subject them to questioning introduced by Terry v. Ohio. I’m not aware of anything in FISA that requires that standard. Nor is there anything in the Fourth Amendment that would seem to require it, as the call records are unprotected under Smith v. Maryland. Perhaps this is just the minimization standard that the FISC has imposed as a matter of policy?
I should add that the basic shift in surveillance practice to more emphasis on downstream use restrictions and minimization isn’t surprising. I wrote about that shift in this essay I wrote for Brookings in 2011:
The benefit of computer surveillance is that it can process information quickly and inexpensively to learn what would have been unknowable. Assembling and processing information may lead to plausible conclusions that are far more far- reaching than the information left separate. If so, data manipulation can have an amplifying effect, turning low impact information in isolation into high impact information when processed.
Reaping these benefits requires surveillance systems that allow the initial collection and processing. To reap those benefits, the best way to design surveillance systems is to allow the initial collection but then place sharp limits on the later stages such as disclosure.
The NSA call records program appears to be that idea on steroids: Collect everything, and then control access to the database created. But I’m left puzzled as to what the legal basis is for what appears to be happening. Where are they getting the Terry standard here?