In response to widespread outrage about the National Security Agency’s work monitoring telephone and internet usage metadata, Barack Obama is gearing up to propose a range of (relatively minor) changes to how the NSA does at least some of its business.
Among his proposals is one that may actually mean that telecommunications companies will have heavier data retention obligations than before.
At the moment, the Federal Communications Commission requires telephone companies to retain data relating to long-distance and higher rate toll calls for 18 months. But it has been noted that it is not clear how this applies to phone packages that allow users to receive one overall bill rather than being charged per call. What Obama appears to be contemplating is a requirement for phone companies to now retain metadata for all calls and for the government to be able to access that information with some kind of court order. That would include the number dialled and the length of the conversation.
Obama would be wise to look to the experiences of Europe before going ahead. This type of retention has been permitted under the EU’s Data Retention Directive for some time, but that Directive has now been declared invalid by the Court of Justice of the European Union.
Under the Directive, telecommunications companies in Europe were required to keep communications metadata for up to two years, with state agencies being able to access it in relation to serious crime, although the precise workings of the Directive differ significantly from state to state within the European Union. However the Court of Justice ruled that the directive did not appropriately limit interference with privacy and the right to protection of personal data. That means that the EU is, at least for the time being, left without any data retention regime at all.
Similar difficulties could arise in the US in respect of such data retention. Of particular significance is the fact that a data retention system of this kind essentially amounts to blanket surveillance. That means the subsequent rules about accessing data must be as rigorous as possible if the system is to pass a basic test of proportionality.
The costs of the scheme will also be of concern to telecommunications companies. Even though the proposal seems to relate only to telephone rather than internet data, storing such data on every single telephone user in the United States for a period of 18 months will be extremely costly and that cost will have to be borne by the telecommunications companies themselves (and, one assumes, ultimately by customers).
Some pushback from these companies is already evident, even as the details of the scheme remain unannounced. Verizon’s general counsel, Randal Milch, wrote that “the reformed collection process should not require companies to store data for longer than, or in formats that differ from, what they already do for business purposes”. Further resistance is likely from both commercial and civil liberties groups.
As the debate heats up, an important question will remain. If we accept that access to telephone metadata serves a genuine security goal (and even the European Court of Justice acknowledged that it can), how can that be facilitated without infringing unduly on individual liberties?
Presented in this light, a number of important principles for the design of the US scheme can be gleaned from the European example.
Data should be retained for the shortest possible period of time, for example. Evidence from the European Commission suggests that most requests for access to data take place in the first six months of their retention. If the US is to adopt an 18-month retention period some evidence base for this should be demanded. As discussed by the Court of Justice, it may be appropriate to have different retention time limits depending on the nature of the data in question and the identities of the person surveyed. This would also reduce the blanket nature of the infringement and is likely to make a scheme more proportionate and therefore more sound from a rights-based perspective.
An especially rigorous process for accessing this data should also be implemented so that justification for access is required. In reality, designing such a system is challenging: intelligence is not a science. There are few certainties and security professionals, as well as politicians and judges, are naturally cautious of making a mistake that may have catastrophic consequences. Requiring a court order, attained following arguments from both the government and someone who is responsible for civil liberties advocacy in the case, may well go some way towards addressing the problems experienced in Europe.
Furthermore, the permitted bases for accessing retained data should be clearly outlined: the Court of Justice noted that one of the difficulties with the Directive was that it did not outline objective criteria for accessing information in a way that ensured the retention system did not disproportionately infringe on rights.
The European example offers some interesting and useful lessons for the United States. Unless he learns from the mistakes made in the EU, President Obama may well stumble into even more controversy about surveillance.