Civil Liberties

Nothing Personal

The NSA's illegal data collection


In May, USA Today reported that the federal government is collecting data on the phone calls made and received by tens of million of Americans. According to the program's defenders, your grocery store, your cable company, and your credit card company can identify you based on your phone number, but the National Security Agency (NSA) can't. At least, that's the implication when people say the database is legal because the information in it has been "anonymized"—i.e., stripped of names and addresses.

But phone numbers can readily be linked to names and addresses using publicly available information. The claim that there's really nothing personal or private about the phone call records—which tell the NSA who calls whom, when, and for how long—is a tenuous basis for defending data collection that ordinarily requires a court order or the customer's consent.

One major phone company, Qwest, refused to give the NSA its customers' records. Officials there knew they could face hefty penalties under at least two statutes, the Communications Act and the Electronic Communications Privacy Act, if they revealed this information without their customers' permission unless they were legally required to do so.

The NSA's defenders cite Qwest's refusal as evidence the program is voluntary and therefore legal. In fact, it indicates just the opposite: Had Qwest been presented with a lawful subpoena or court order demanding the data, it almost certainly would have complied. If it hadn't, the government could have forced it to do so. Instead, USA Today reported, the NSA resorted to extra-legal methods, pressuring the phone companies to divulge the data through appeals to patriotism, warnings about terrorism, and threats of lost government contracts.

Presumably it took this route because it would have had a hard time convincing the Foreign Intelligence Surveillance Court that every American's phone records were "relevant" to a terrorism investigation. Maybe the NSA shouldn't have to meet that standard when it does automated analyses of such data aimed at preventing terrorist attacks. If so, there's a simple solution: Ask Congress to change the relevant statutes. Otherwise, divulging the records to the government violates the law.