The Complex

Wrangling Over Spy Agency Program Went Down to the Wire

A database of millions of Americans' phone records that has been at the center of a national debate on government spying is going to be around for a while -- and getting bigger.

A judge on the Foreign Intelligence Surveillance Court, which oversees the controversial phone records collection program run by the NSA, ruled earlier this week that the government can keep those records longer than five years after their initial collection, which is the point at which they were supposed to be destroyed. The reason is to preserve the records as potential evidence in any one of a half dozen civil lawsuits currently pending against the government, including those brought by the American Civil Liberties Union and a conservative public interest lawyer, whose plaintiffs have been arguing for months that the program is illegal and that the government shouldn't be collecting the phone records at all.

Now, that database will include phone records that are older than five years -- not exactly the outcome that critics of the NSA program were hoping for. A dramatic series of legal maneuvers, which have not been previously reported, led the outcome. They show that the the phone records program has posed difficult legal and policy challenges for the Obama administration, which is still debating who should be the ultimate custodian of the massive databases, the NSA, the telephone companies from which the government obtains the records, or some other party.

The NSA says that the information, often referred to as metadata, is used to find connections among suspected terrorists based on their phone calling patterns. But many critics are concerned that the information could reveal intimate personal details about innocent Americans, including their medical history, travel patterns, and finances.

Despite the new ruling, the government will be prohibited from using those phone records that are older than five years for any intelligence analysis or investigations. But the records will still be in the government's hands, and for the time being, the NSA's. If history is a guide, the civil suits in which the phone records might be used as evidence could take years to resolve. That, in turn, means the records will remain under the government's control well into the future.

Justice Department and NSA officials had been contemplating for months whether to retain the phone records as potential evidence in the civil suits, according to U.S. officials involved in the discussions. On February 25, the Justice Department filed a motion with the Foreign Intelligence Surveillance Court asking to keep the records longer than five years. "[T]he United States must ensure that all potentially relevant evidence is retained which includes the [phone records] metadata obtained in bulk from certain telecommunications service providers," department lawyers told Judge Reggie Walton.

It can take as little as a day for the intelligence court to issue rulings, but in this case, Walton deliberated for ten days. On Friday, March 7, he denied the department's motion, finding that since none of the plaintiffs in the civil suits had asked a court to protect the phone records from being destroyed, he had no basis for overriding the five-year rule.

The same day, lawyers for the Electronic Frontier Foundation read Walton's ruling and wondered why he didn't acknowledge an order to preserve records that the group had sought in another lawsuit over government surveillance, Jewel v. NSA. At the same time, Justice Department lawyers sent word to all the plaintiffs in the civil cases, alerting them that unless someone tried to stop it, the government would soon start destroying records, said a Justice Department official who has been briefed on the matter.

Deputy Attorney General James Cole, the second-in-command at the department, got involved. His office called NSA officials and instructed them to hold off on destroying any phone records in case the plaintiffs in the civil cases petitioned a judge for an order to preserve the phone records. Justice and NSA officials determined that the destruction must begin on Tuesday, March 11.

On Monday March 10, the Electronic Frontier Foundation asked a judge in the Northern District of California to issue a temporary restraining order, preserving the records for one of the six civil cases, as well as the Jewel case. He agreed.

The Justice Department thus found itself in the awkward position of facing two contrary rulings: one instructing the government to destroy the data, another ordering its preservation. Department lawyers went back to Walton, the intelligence court judge, and presented their dilemma. It was March 11, the day that the NSA was supposed to start purging its systems of old phone records.

In light of the judge's order in California, Walton ruled the next day that the government could keep the records longer than five years. The crisis was averted, and the phone records would continue to be amassed.

A U.S. official familiar with the legal process said the question about what to do with the phone records needn't have been handled at practically the last minute. "The government was coming up on a five-year deadline to delete the data. Lawsuits were pending. The Justice Department could have approached the FISC months ago to resolve this," the official said, referring to the Foreign Intelligence Surveillance Court. The official noted that the department's National Security Division, which represents the government before the surveillance court, and the Civil Division, which is handling the lawsuits, had to coordinate with each other, and that the back-and-forth has at times been a cumbersome process.

Cole has been acting as a referee between the two sides, and he has made the final decisions on how to proceed with regards to the legal issues presented by the phone records program, the Justice Department official said. The involvement of such a senior official in managing the program underscores the degree to which it has become a particularly nettlesome challenge for the Obama administration to resolve.

"This is all uncharted territory," said Carrie Cordero, a former senior Justice Department official who recently served as the counsel to the head of the National Security Division. "Given the complexity and the novelty of this chain of events, it's a good thing that the deputy attorney general is personally engaged, and it demonstrates the significant attention that they're giving to it."

David Greene, a senior staff attorney for the Electronic Frontier Foundation, said he recognized that it was unusual for his group, one of the most stalwart opponents of government surveillance, to play a central role in preserving a giant database of personal information on Americans it would ultimately like to see destroyed.

"There is some irony to it," Greene said. "We would prefer these records didn't exist in the first place. But in order to prove wrongdoing, we need to know what the government did with them."

Saul Loeb / AFP

National Security

Next NSA Chief Urges Transparency … Then Says Nothing

There is little doubt that Adm. Michael Rogers will be confirmed as the next head of the National Security Agency and the U.S. military's Cyber Command. Sen. Jack Reed (D-RI) even preemptively congratulated Rogers during his confirmation hearing before the Senate Armed Services Committee this morning, drawing chuckles from the nominee. Sen. Mark Kirk (R-IL), who introduced Rogers to the committee (and has known Rogers since high school), said that, "Being a Republican, I have not supported a lot of the nominees of the president," but that "this is the best American you could have picked for the job."

Rogers has been tapped to succeed Gen. Keith Alexander, who will retire later this month. He'll take the helm of an NSA in crisis, struggling under new scrutiny that has resulted from former contractor Edward Snowden's ongoing leaks about its secret surveillance efforts.

Snowden is living in exile in Moscow, but he cast a shadow over the hearing all the same. Sen. Ted Cruz (R-TX) asked whether the NSA was infringing on the rights of ordinary citizens by collecting reams of so-called metadata on their phone calls, emails, and web surfing. The spy agency, he said, should instead focus its efforts on targeting individual militants and terror threats. "It seems to me," Cruz said, "the focus overall of our intelligence and defense community and law enforcement community is directed far too much at law-abiding citizens and far too little at individualized bad actors."

Cruz is an ultra-conservative Republican, but his comments echoed remarks Snowden made in a video presentation at Austin's SXSW technology conference. Speaking by video from Moscow yesterday, Snowden said that large-scale surveillance could be an obstacle to actually identifying terrorists, citing the Boston Marathon bombing and Umar Farouk Abdulmutallab, the 2009 "underwear bomber," as threats that were missed because the NSA was processing overwhelming quantities of effectively useless data.

Cruz followed up with questions about the Boston bombing and the Fort Hood shooting, which Rogers declined to answer.

In the months since his name first leaked as the Pentagon's choice for the job, an array of prominent current and former officers have argued that he is uniquely qualified for the job. Retired Adm. James Stavridis, the former head of the military's European command, called him "a walking résumé for this job." If there were any lingering doubts that he could also meet the political requirements of leading the embattled spy agency, that seems resolved now. Rogers, it turns out, is a consummate politician: He consistently suggested that he agreed with members of the committee, even as he just as consistently refused to give direct answers to their questions.

Rogers, for instance, repeatedly stressed that the NSA needed to be as clear with the public about what it does as possible. "I would attempt to be as transparent as possible with the broader nation about what we're doing and why. I would try to ensure a sense of accountability about what the National Security Agency does," he said. "The nation places a great deal of trust in this organization. It has an incredibly important mission. It's a mission that involves attention in our society, given the fact that the fundamental rights of the individual are so foundational to our very concept of a nation. I welcome a dialogue on this topic, I think it's important for us as a nation. I look forward to being part of that dialogue."

That dialogue, though, didn't take place during this morning's hearing.

"As a nominee," Rogers said, he "could not comment on the value of the [NSA's metadata collection program]." Nor, he said, was he prepared to discuss potential cyber-vulnerabilities in U.S. infrastructure without moving to a closed session. He demurred on questions about what the NSA could have done differently to prevent the Boston Marathon bombing and the Fort Hood shooting, citing a lack of familiarity with the intelligence efforts involved.

"To what extent do you believe Russia is conducting cyberattacks against the Ukraine, and what could the U.S. do to help the Ukraine better defend itself against cyberattacks from Russia?" asked Sen. Kelly Ayotte (R-NH).

"In an open, unclassified forum, I am not prepared to comment on the specifics of nation-state behavior," Rogers replied. (Though he went on to clarify that "As we will work with the Ukrainians and others to figure out what are the best ways to address [their issues], whether it's the Ukrainians ask for specific technological assistance -- I think we'd have to work through everything on a case-by-case basis.")

Later in the hearing, Rogers said that he understands the reasons behind the pressure for the NSA to become more transparent. The discussion frequently circled back to the leaked information about the agency's surveillance programs. Rogers said he supported new policies to move NSA-collected metadata to a third-party organization. "I believe with the right construct we could make that work," he told the committee. Rogers also agreed with Sen. Mark Udall (D-CO) that telecommunications service providers should be legally protected for sharing information with the government, saying that they should be afforded "some level of liability protection" and that businesses would be "much less inclined" to share their data without legal safeguards.

He also discussed -- obliquely, of course -- the NSA's internal investigation into the records stolen by Snowden and reiterated, as Snowden said yesterday, that "the United States government ... still [has] no idea what documents were provided to the journalists, what they have, what they don't have."

"We have an in depth and analytic effort ongoing within the department to determine that," Rogers said. "We have tried to identify exactly what the implications are of what he took."

Rogers said that the Snowden leaks had given U.S. adversaries "greater insights into what we do and how we do it" and said that the disclosures had increased the risks to American lives, though he did not specify how. But he declined to join Sen. Joe Manchin (D-WV) in calling Snowden a "traitor."

"I don't know that I would use the world ‘traitor,'" said Rogers, "but I do not consider him to be a hero."

Though much of the hearing focused on the challenges the NSA is facing, Rogers also made clear that he believed cyber capabilities would play an increasingly important role in the wars of the future. "Clearly, cyber will be an element of almost any crisis we're going to see in the future," Rogers said. "It has been in the past; I believe we see it today in the Ukraine, we've seen it in Syria, Georgia -- it is increasingly becoming a norm."

Rogers, despite pressure from members of the committee, refused to discuss the details of a high-profile cyberattack on an unclassified Navy Intranet that took place during his tenure as the Navy's chief of cybersecurity.

"As a matter of policy and for operational security reasons, we have never categorized who, exactly, publicly penetrated the network," he told Sen. James Inhofe (R-OK).

"Well, no," said Inhofe, "this has been discussed in an unclassified session for quite some time, that we're talking about Iran in this case."

"I'm sorry, sir, not to my knowledge," replied Rogers, who carefully omitted Iran from his discussion of the incident. Speaking about the cyberattack, Rogers said that the damage done "was of concern," but that "they did not decide to engage in any destructive behaviors. My concern was 'what if that was their intent?'"

All of which suggests that Rogers will be a fitting successor to Alexander. He has mastered the NSA's ability to pay lip-service to transparency, while publicly saying very little.

Rogers will likely be confirmed before Alexander's retirement later this month.