
5/7/2015
03:45 PM

White House Evaluating New Court Ruling Declaring NSA Data-Collection Program Illegal

Administration will continue to work with Congress to reform surveillance laws, NSC spokesman says.

The White House is evaluating a decision handed down Thursday by a U.S. appeals court holding the National Security Agency’s (NSA) bulk phone metadata collection program illegal.

"Without commenting on the ruling today, the President has been clear that he believes we should end the … bulk telephony metadata program as it currently exists," Edward Price, assistant press secretary and director of strategic communications at the National Security Council (NSC), said in an emailed statement to Dark Reading.

The goal is to create alternative mechanisms to preserve the program's essential capabilities without the government holding the bulk data, he said. "We continue to work closely with members of Congress from both parties to do just that, and we have been encouraged by good progress on bipartisan, bicameral legislation that would implement these important reforms," Price said.

Earlier today, the U.S. Court of Appeals for the Second Circuit ruled that the National Security Agency’s bulk collection of phone metadata records is illegal and exceeds the scope of what Congress has authorized the agency to do.

In a lengthy 97-page ruling, a three-judge panel from the court overturned an earlier district court ruling that had found the data collection program to be legal and remanded the case back to the court for further proceedings.

"The telephone metadata program requires that the phone companies turn over records on an “ongoing daily basis” – with no foreseeable end point, no requirement of relevance to any particular set of facts, and no limitations as to subject matter or individuals covered," Circuit Court Judge Gerard Lynch wrote on behalf of the panel.

"Such expansive development of government repositories of formerly private records would be an unprecedented contraction of the privacy expectations of all Americans," he said.

The ruling involves a lawsuit led by the American Civil Liberties Union challenging the legality and the constitutionality of the NSA phone metadata program. Former NSA contractor Edward Snowden revealed the existence of the program in June 2013.

Documents released by Snowden showed that the NSA had secretly been collecting phone metadata records in bulk from U.S. telecommunications companies since at least 2006 under the aegis of counterterrorism. Information collected under the program included details like the phone number from which a call was made, the number that was dialed, and device ID numbers on all calls made in the U.S.

The NSA claimed that a section of the USA Patriot Act called Section 215 gave it the authority to ask U.S. telecommunications companies to produce call detail records every single day on every single call made through their systems. The agency argued that the data was critical to its effort to spot potential terrorist activities being planned against the U.S. at home and abroad.

Shortly after Snowden’s disclosure, the ACLU filed a lawsuit against the NSA challenging the metadata program's legality and constitutionality. The rights advocacy group maintained the metadata program exceeded the authorities granted to the NSA under Section 215 of the USA Patriot Act. In its lawsuit, the ACLU asked the court to declare the data collection program illegal and to halt it.

The government, for its part, argued that the ACLU had no standing to bring the case against the NSA and claimed that its actions under Section 215 of the Patriot Act precluded judicial review.

In December 2013, a federal court judge in Manhattan sided with the government and threw out the ACLU's lawsuit on the basis that it indeed had no standing to bring the case against the NSA.

Thursday’s ruling reverses that decision and moves the case back to the court for further judicial review and proceedings.

"Because we find that the program exceeds the scope of what Congress has authorized, we vacate the decision," the court wrote without touching upon the constitutional issues raised by the ACLU in its lawsuit.

The court also refused to grant the ACLU's motion for a preliminary injunction against the NSA's metadata collection program.

Congress is scheduled to vote on renewing Section 215 on June 1. Since its inception, Section 215 has been renewed a total of 7 times, the court noted.

Marc Rotenberg, president of the Electronic Privacy Information Center (EPIC), expressed satisfaction at the ruling. "We are very pleased with the decision today of the federal appeals court," he said in emailed comments to Dark Reading. "The court concluded that the “relevance” standard in section 215 does not permit the routine collection of all telephone records."

That is precisely the argument that EPIC and others presented to the U.S. Supreme Court in a petition about two years ago, he said. "We anticipate that other courts confronting this question will reach the same conclusion -- bulk collection of telephone records was never authorized by the Patriot Act."

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...

Comments
Elose,
User Rank: Apprentice
10/14/2016 | 4:56:09 AM
Re: Must We Confront the Question?
How can we stop the NSA? There is more privacy ..
RetiredUser,
User Rank: Ninja
5/8/2015 | 5:19:46 PM
Must We Confront the Question?
In Docket No. 14-42-cv, it is stated that we "must confront the question whether a surveillance program that the government has put in place to protect national security is lawful.  That program involves the bulk collection by the government of telephone metadata created by telephone companies in the normal course of their business but now explicitly required by the government to be turned over in bulk on an ongoing basis."

It is noted in that same Docket that:

"Considering the issue of advocacy in the context of deliberations involving alleged state secrets, and, more broadly, the leak by Edward Snowden that led to this litigation, calls to mind the disclosures by Daniel Ellsberg that gave rise to the legendary Pentagon Papers litigation."

This is interesting as I have read many articles in which Daniel Ellsberg is quoted praising Snowden's actions as indicators of his moral character.

On that note of "considering" Dr. Richard Stallman of the Free Software Foundation places in every email the following statement:

[[[ To any NSA and FBI agents reading my email: please consider  
[[[ whether defending the US Constitution against all enemies,      
[[[ foreign or domestic, requires you to follow Snowden's example.

What all of this means, then, is that Information Security is more than the sum of its technical pieces, more than the data in various states and the need to protect that data in each state. But does that mean we as caretakers of sensitive data have to change our mindset because of "the question" posed in Docket No. 14-42-cv, or posed by Edward Snowden, Daniel Ellsberg, or Dr. Stallman? No, not at all. Because as caretakers of data it is not our job to ask that question, or to answer it. It is to protect the data we've been charged to protect.

I would say that once you start going down the road of asking the question, you may need to step away from your InfoSec role. I don't mean you step away from moral obligation - by all means, answer that call if you feel in your gut, as Snowden did, something is wrong and you believe you must help right that wrong. But don't mix that activity up with Information Security, with National Security, because that is how holes are formed and how we make mistakes when we aren't fully focused on the job we were tasked with.