The NSA Panel's Pointless Private-Sector Fig Leaf

Turning phone-metadata collection over to telephone companies or a third party introduces new security risks without meaningfully addressing civil-liberties concerns.

Fabrizio Bensch/Reuters

One of the major recommendations of President Obama’s NSA review panel is that information about who Americans called (not what they said!) should no longer be stored by the NSA, but rather by either phone companies or a third party.

This may be good politics, but it is surely bad public policy.

As Michael Hayden, the former head of the NSA, told the BBC, this would undermine our ability to protect ourselves from terrorists and rogue nations—yet it seems necessary because unless the libertarian beast is fed some raw meat, it may devour the whole program (his point, my words). After all, the House came within a few votes of decreeing that the whole program should be defunded—i.e., killed—just months ago.

Before I spell out why we would live to regret implementing this key recommendation, let me note the irony that the same group is simultaneously calling for curtailing or terminating the use of private-sector background checks for those employed in security work, which failed to flag either Edward Snowden or Navy Yard shooter Aaron Alexis. Just as the group is criticizing the private sector’s security procedures, it calls for handing the very same sector a mission now carried out by the NSA! Although we have hard evidence of the damage done to national security by relying on the private sector, we do not know of a single person who has actually been harmed by NSA collection of phone records. Not one.

There are those who argue that collecting phone records does no good because there is no single incident in which these records prevented a terrorist attack. The same can be said about many other law-enforcement tools. Each provides a single piece of the puzzle; the more pieces we have, the more likely we are to catch someone seeking to blow up, say, the New York Stock Exchange or subway. Imagine: The FBI has just learned the identity of the two brothers who bombed the Boston Marathon, both of whom are still on the loose. They have additional bombs and are reportedly on the way to New York to create some more mayhem. Can you see that it might be helpful to know whom they recently or frequently called? And to find out in a short order?

Terrorists, like other criminals, use a variety of phones affiliated with different phone companies. If the government is to track their calls under the system recommended by the review group, it would have to approach AT&T, Verizon, T-Mobile, U.S. Cellular, Leap Wireless, and Sprint and ask them to release their records. Then, it would have to combine different databases and input them into its computers to conduct a search. Anybody who has combined large databases from different sources can attest to how time-consuming and challenging it is. There are compelling reasons for these combinations to take place before searches actually need to be carried out. Keeping the records in the hands of one, newly formed body would have the advantage of the data of the various companies being in one place where it could be prepared for search before one is needed.

But both arrangements must deal with one dirty little secret with enormous legal implications. Currently, the phone companies either keep the records for just a few months or else not at all. The government, by contrast, needs these records to be kept at least for five years, because terrorists, like spies, can form sleeper cells that remain inactive for years. For the review panel’s suggested arrangement to work, the government would have to require the companies or the new body to keep the records, thus making them in effect government agents. If it is unconstitutional for the NSA to keep these records—as one federal judge claims—the same could hold for those the government requires to keep such documents; law professors tell me it would depend on how the requirements are constituted.

In any case, it is obvious that if the government makes others do what it is banned from doing, the change is mainly cosmetic rather than substantive. If keeping the records is constitutionally kosher (as most observers expect appeals courts to hold when the judge's ruling is appealed), why not let the NSA hold them? And given the comparatively weak cybersecurity at private-sector companies, the Chinese and maybe the Iranians could know who Americans are calling—and well before the U.S. authorities.

As I see it, it would make much more sense to keep the records stored within the NSA, but add a layer of accountability to further ensure that the stored records are not abused. Indeed, the review group calls for creating a “civilian review board.” Such a board would review what the NSA does and inform the public as to whether or not the collected data helped to catch terrorists and abort attacks or if it was abused. This would be good public policy and—hope springs eternal—also good politics.