CNET también está disponible en español.

Ir a español

Don't show this again

Christmas Gift Guide
Security

US court says NSA phone data program is illegal

The US government has long argued that the program is legal under the controversial Patriot Act, but a federal appeals court sees things differently.

The NSA might have one less trick up its sleeve in the coming weeks. Declan McCullagh/CNET

A US Appeals court has sent shockwaves through the government and security industry after ruling that the National Security Agency's wholesale collection of phone call data is illegal.

The US Court of Appeals for the Second Circuit ruled on Thursday that section 215 of the Patriot Act doesn't authorize the NSA's practice of collecting metadata on nearly all phone calls placed across the US. The appellate judges said the program "exceeds the scope of what Congress has authorized" in the Patriot Act, adding that the case will now be handed back to a district court for further litigation.

The 97-page ruling has opened a new front in the ongoing war between privacy advocates, including the American Civil Liberties Union, and the US government. The Patriot Act, signed into law in October 2001, was pitched as a tool the government could use to more effectively combat global terrorism, but since the beginning, critics have characterized it as a massive privacy-infringement law.

After former NSA contractor Edward Snowden leaked documents in 2013 detailing the ways in which the secretive US government agency was collecting data, the already-heated debate over the Patriot Act intensified. The leaked documents revealed that, among other things, the NSA was collecting records on nearly every phone call placed in the US and then comparing that against known contact information of possible terrorists. Through the program, the NSA collects metadata -- including what phone numbers were on the call, when the call was placed and how long it lasted -- and saves that in a database.

Opinions have been split over the data collection. Both the Bush and Obama administrations, as well as many lawmakers and government officials, have argued that the collection of metadata is protected by the Patriot Act. They argue that since the actual phone conversations are not being recorded, there is also no violation to the US Constitution.

In 2013, US District Judge William Pauley ruled on the data collection case, saying that it's not only legal, but acting faithfully within the law:

There is no evidence that the Government has used any of the bulk telephony metadata it collected for any purpose other than investigating and disrupting terrorist attacks. While there have been unintentional violations of guidelines, those appear to stem from human error and the incredibly complex computer programs that support this vital tool. And once detected, those violations were self-reported and stopped. The bulk telephony metadata collection program is subject to executive and congressional oversight, as well as continual monitoring by a dedicated group of judges who sit on the Foreign Intelligence Surveillance Court.

Pauley went even further, saying that the data collection is a necessary component in the fight against terrorism. He even hinted that such data collection could prevent another attack on the scale of September 11.

"No doubt, the bulk telephony metadata collection program vacuums up information about virtually every telephone call to, from, or within the United States," Pauley said in his conclusion. "That is by design, as it allows the NSA to detect relationships so attenuated and ephemeral they would otherwise escape notice. As the September 11th attacks demonstrate, the cost of missing such a thread can be horrific."

The ACLU, which serves as the plaintiff in the case on metadata collection, has been one of the program's most outspoken critics. In a statement Thursday celebrating its victory, the ACLU said the appeals court's decision was the right step toward following the rule of law.

"This decision is a resounding victory for the rule of law," ACLU staff attorney Alex Abdo, who argued the case before the three-judge panel in September, said in a statement. "For years, the government secretly spied on millions of innocent Americans based on a shockingly broad interpretation of its authority. The court rightly rejected the government's theory that it may stockpile information on all of us in case that information proves useful in the future. Mass surveillance does not make us any safer, and it is fundamentally incompatible with the privacy necessary in a free society."

Indeed, the court's ruling provides further support for the ACLU and others who believe that Section 215 of the Patriot Act should be tossed out. A June deadline draws near for Congress to vote on whether it should renew Section 215. While many lawmakers have said that at least parts of it should be kept in place, Section 215, which the US government has said allows it to collect metadata, is potentially on the chopping block.

Last year, for example, President Barack Obama issued a new plan on data collection that took aim at Section 215. He said that rather than the US government collecting metadata, telephone companies would take up that task and keep the data on hand for a set period of time. Obama also said that access to the metadata should require a judge's approval based on national security concerns and would be available only for a limited time.

Whether even that would be legal is up for debate. The appeals court on Thursday not only said that phone call metadata collection under Section 215 is illegal but also that the entire, "unprecedented" activity of the wholesale collection of metadata could be called into question.

"If the government is correct, it could use Section 215 to collect and store in bulk any other existing metadata available anywhere in the private sector, including metadata associated with financial records, medical records and electronic communications (including e-mail and social-media information) relating to all Americans," the court wrote. "Such expansive development of government repositories of formerly private records would be an unprecedented contraction of the privacy expectations of all Americans."

Major technology companies agree. In March, Google announced that it had joined the Reform Government Surveillance coalition, made up of civil rights groups, trade associations and other companies -- including Apple and Microsoft -- in issuing a letter to Obama, Director of National Intelligence James Clapper and NSA Director Michael Rogers. That letter contained an outline of "essential" elements that must be included in surveillance reform:

There must be a clear, strong and effective end to bulk collection practices under the Patriot Act, including under the Section 215 records authority and the Section 214 authority regarding pen registers and trap & trace devices.

Any collection that does occur under those authorities should have appropriate safeguards in place to protect privacy and users' rights. [Any reform] bill must contain transparency and accountability mechanisms for both government and company reporting, as well as an appropriate declassification regime for Foreign Intelligence Surveillance Court decisions.

We believe addressing the above must be a part of any reform package, though there are other reforms that our groups and companies would welcome, and in some cases, believe are essential to any legislation.

So far, however, it's unclear what will actually happen to Section 215. The Wall Street Journal reported on Thursday, citing sources, that Senate Republican leaders are hoping to extend the program for at least three months. Democrats, led by Obama, would like to see Section 215 removed and data collection handed to phone companies. The House Judiciary Committee has already voted in favor of such a move, but privacy advocates have criticized the idea.

"The current reform proposals from Congress look anemic in light of the serious issues raised by the Second Circuit," Anthony D. Romero, executive director of the ACLU, said in a statement. "Congress needs to up its reform game if it's going to address the court's concerns."

Whatever Congress decides, it'll need to move quickly: the deadline is just weeks away.

The National Security Council, which is fielding the court ruling, had this to say about Thursday's court decision:

We are in the process of evaluating the decision handed down this morning. Without commenting on the ruling today, the president has been clear that he believes we should end the Section 215 bulk telephony metadata program as it currently exists by creating an alternative mechanism to preserve the program's essential capabilities without the government holding the bulk data. We continue to work closely with members of Congress from both parties to do just that, and we have been encouraged by good progress on bipartisan, bicameral legislation that would implement these important reforms.