5/7/2015
03:45 PM

White House Evaluating New Court Ruling Declaring NSA Data-Collection Program Illegal

Administration will continue to work with Congress to reform surveillance laws, NSC spokesman says.

The White House is evaluating a decision handed down Thursday by a U.S. appeals court holding the National Security Agency’s (NSA) bulk phone metadata collection program illegal.

"Without commenting on the ruling today, the President has been clear that he believes we should end the … bulk telephony metadata program as it currently exists," Edward Price, assistant press secretary and director of strategic communications at the National Security Council (NSC), said in an emailed statement to Dark Reading.

The goal is to create alternative mechanisms to preserve the program's essential capabilities without the government holding the bulk data, he said. "We continue to work closely with members of Congress from both parties to do just that, and we have been encouraged by good progress on bipartisan, bicameral legislation that would implement these important reforms," Price said.

Earlier today, the U.S. Court of Appeals for the Second Circuit ruled that the National Security Agency’s bulk collection of phone metadata records is illegal and exceeds the scope of what Congress has authorized the agency to do.

In a lengthy 97-page ruling, a three-judge panel from the court overturned an earlier district court ruling that had found the data collection program to be legal and remanded the case back to the court for further proceedings.

"The telephone metadata program requires that the phone companies turn over records on an “ongoing daily basis” – with no foreseeable end point, no requirement of relevance to any particular set of facts, and no limitations as to subject matter or individuals covered," Circuit Court Judge Gerard Lynch wrote on behalf of the panel.

"Such expansive development of government repositories of formerly private records would be an unprecedented contraction of the privacy expectations of all Americans," he said.

The ruling involves a lawsuit led by the American Civil Liberties Union challenging the legality and the constitutionality of the NSA phone metadata program. Former NSA contractor Edward Snowden revealed the existence of the program in June 2013.

Documents released by Snowden showed that the NSA had secretly been collecting phone metadata records in bulk from U.S. telecommunications companies since at least 2006 under the aegis of counterterrorism. Information collected under the program included details like the phone number from which a call was made, the number that was dialed, and device ID numbers on all calls made in the U.S.

The NSA claimed that a section of the USA Patriot Act called Section 215 gave it the authority to ask U.S. telecommunications companies to produce call detail records every single day on every single call made through their systems. The agency argued that the data was critical to its effort to spot potential terrorist activities being planned against the U.S. at home and abroad.

Shortly after Snowden’s disclosure, the ACLU filed a lawsuit against the NSA challenging the metadata program's legality and constitutionality. The rights advocacy group maintained the metadata program exceeded the authorities granted to the NSA under Section 215 of the USA Patriot Act. In its lawsuit, the ACLU asked the court to declare the data collection program illegal and to halt it.

The government, for its part, argued that the ACLU had no standing to bring the case against the NSA and claimed that its actions under Section 215 of the Patriot Act precluded judicial review.

In December 2013, a federal court judge in Manhattan sided with the government and threw out the ACLU's lawsuit on the basis that it indeed had no standing to bring the case against the NSA.

Thursday’s ruling reverses that decision and moves the case back to the court for further judicial review and proceedings.

"Because we find that the program exceeds the scope of what Congress has authorized, we vacate the decision," the court wrote without touching upon the constitutional issues raised by the ACLU in its lawsuit.

The court also refused to grant the ACLU's motion for a preliminary injunction against the NSA's metadata collection program.

Congress is scheduled to vote on renewing Section 215 on June 1. Since its inception, Section 215 has been renewed a total of 7 times, the court noted.

Marc Rotenberg, president of the Electronic Privacy Information Center (EPIC), expressed satisfaction at the ruling. "We are very pleased with the decision today of the federal appeals court," he said in emailed comments to Dark Reading. "The court concluded that the “relevance” standard in section 215 does not permit the routine collection of all telephone records."

That is precisely the argument that EPIC and others presented to the U.S. Supreme Court in a petition about two years ago, he said. "We anticipate that other courts confronting this question will reach the same conclusion -- bulk collection of telephone records was never authorized by the Patriot Act."

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...

Comments
Elose,
User Rank: Apprentice
10/14/2016 | 4:56:09 AM
Re: Must We Confront the Question?
How can we stop the NSA? There is more privacy ..
Christian Bryant,
User Rank: Ninja
5/8/2015 | 5:19:46 PM
Must We Confront the Question?
In Docket No. 14-42-cv, it is stated that we "must confront the question whether a surveillance program that the government has put in place to protect national security is lawful.  That program involves the bulk collection by the government of telephone metadata created by telephone companies in the normal course of their business but now explicitly required by the government to be turned over in bulk on an ongoing basis."

It is noted in that same Docket that:

"Considering the issue of advocacy in the context of deliberations involving alleged state secrets, and, more broadly, the leak by Edward Snowden that led to this litigation, calls to mind the disclosures by Daniel Ellsberg that gave rise to the legendary Pentagon Papers litigation."

This is interesting as I have read many articles in which Daniel Ellsberg is quoted praising Snowden's actions as indicators of his moral character.

On that note of "considering," Dr. Richard Stallman of the Free Software Foundation places in every email the following statement:

[[[ To any NSA and FBI agents reading my email: please consider  
[[[ whether defending the US Constitution against all enemies,      
[[[ foreign or domestic, requires you to follow Snowden's example.

What all of this means, then, is that Information Security is more than the sum of its technical pieces, more than the data in various states and the need to protect that data in each state. But does that mean we as caretakers of sensitive data have to change our mindset because of "the question" posed in Docket No. 14-42-cv, or posed by Edward Snowden, Daniel Ellsberg, or Dr. Stallman? No, not at all. Because as caretakers of data it is not our job to ask that question, or to answer it. It is to protect the data we've been charged to protect.

I would say that once you start going down the road of asking the question, you may need to step away from your InfoSec role. I don't mean you step away from moral obligation - by all means, answer that call if you feel in your gut, as Snowden did, something is wrong and you believe you must help right that wrong. But don't mix that activity up with Information Security, with National Security, because that is how holes are formed and how we make mistakes when we aren't fully focused on the job we were tasked with.