WASHINGTON – A measure that President Barack Obama is considering as a way to curb the National Security Agencys mass storage of phone data is already facing resistance – not only from the intelligence community but also from privacy advocates, the phone industry and some lawmakers.
Obama last week suggested that he was open to the idea of requiring phone companies to store the records and allowing the government to search them under strict guidelines. Currently, the agency stores those records itself, part of a sprawling collection program that came to light through documents shared by former NSA contractor Edward Snowden.
But now, industry officials, privacy advocates and congressional officials are expressing resistance to any alternatives that involve mandating phone companies to hold the data for longer periods. And other possible scenarios, including having a private third party store the records, also raise concerns, they say.
Civil libertarians consider mandated phone-company or third-party storage an unacceptable proxy for the NSAs holding of the database. Last week, a group of privacy advocates met with White House officials and urged them not to seek legislation to mandate data retention, among other things.
They endorsed an idea by a surveillance review group appointed by Obama to halt the NSAs bulk storage of the phone logs. Although the panel did not recommend immediately requiring companies to retain the records, thats ultimately where the discussion is likely to lead, said David Sobel, senior counsel for the Electronic Frontier Foundation, who raised the concern at the meeting. Thats the obvious gorilla in the room.
The phone companies, for their part, argue that storing the data for the NSA would lead to a flood of requests from local prosecutors, federal agents and divorce attorneys, unless legislation mandates it be used strictly for government counterterrorism purposes. Even then, the companies see it as a major headache.
We dont want to keep these records, said an industry executive, who like several others interviewed for this story spoke on the condition of anonymity because they werent authorized to speak publicly. We end up with all sorts of litigation risks, privacy risks, hacking vulnerabilities. There is a huge cost involved in just protecting them. And truthfully, we just dont want to do it.
One major carrier estimated it would cost in the range of $50 million a year to maintain a five-year, searchable database, according to a company official.
The companies and security experts say the stored records would become an attractive target for hackers.
Weve always thought it was a bad idea, a second telecom industry executive said. What I find perplexing about this is privacy advocates dont like the idea, the intelligence community doesnt like the idea, and the carriers dont like the idea. So its not clear whether you are solving a problem or making the problem worse.
Industry officials also said legislating a requirement for them to hold the records would raise concerns about how broadly the mandate applies. Would it apply, for instance, to new technology firms that use voice applications?
The government could pay the companies to hold the data longer and convert it to a searchable format. After all, carriers in the 1990s resisted legislative mandates to help law enforcement wiretap criminals, then relented when the government agreed to pay companies to do it. But, said a third industry executive, we had fights with the government all the time about what were reimbursable expenses and what werent. Thats not a happy model.
The presidents surveillance review group, whose report the White House released last week, suggested that the carriers reach a voluntary arrangement with the government to hold the data. No way, the industry executive said.
If that arrangement fails, the review group said, then legislation to require companies to hold the records – perhaps for as long as two years – might be necessary.
Telecoms long-term retention of this kind of sensitive information is itself a privacy violation, said Jameel Jaffer, deputy legal director of the American Civil Liberties Union, who was not at the meeting. And the longer the information is retained, the greater the risk that it will be accessed by people who shouldnt have access to it.
Obama said he would consider the proposal over the holidays and make a decision in January.
On the Hill, the Senate Intelligence Committee explored the phone company alternative, a committee aide said. We rejected that proposal because it did not meet the NSAs operational needs and did not provide a clear benefit from the status quo, the aide said. Instead the committee advanced legislation that would preserve NSAs custodianship of the database.
House Intelligence Committee Chairman Mike Rogers, R-Mich., said he was reluctant to have the companies hold the data because I think it opens it up to more privacy violations. But on ABCs This Week on Sunday, he said its a debate that we should have – and its probably a good one.
In October testimony, then-NSA Deputy Director Chris Inglis said any alternative to the NSAs running the database must include four essential features. The first is privacy. Second is breadth. It needs to be the whole haystack, he said. It needs to be such that when you make a query, you come away confident that you have the whole answer.
Third is depth, he said. You have to know that you can look far enough back in time to include plots in incipient phases. Fourth, he said, the data needs to be in a form and format that makes it available in a timely way.