By Hanni Fakhoury | (EFF)
Think mass surveillance is just the wheelhouse of agencies like the NSA? Think again. One of the biggest concerns to come from the revelations about the NSA’s bulk collection of the phone records of millions of innocent Americans was that law enforcement agencies might be doing the same thing. It turns out this concern was valid, as last week the government let slip for the first time that the Drug Enforcement Agency (DEA) had also been collecting the phone records of Americans in bulk since the 1990s.
From NSA to DEA
The government didn’t disclose this information in a report or in response to a congressional inquiry. Instead, it was quietly mentioned in a declaration by a DEA agent, in a criminal case brought in D.C. federal court. The defendant, Shantia Hassanshahi, is under indictment for allegedly conspiring to export electronic parts to Iran. The facts are important, as they highlight the problem with bulk collection.
An agent with the Department of Homeland Security (DHS) received an unsolicited email from a source who claimed that an Iranian emailed him seeking to procure electronic parts for a project in Iran. The email to the source contained the Iranian’s phone number and business address in Tehran. The DHS agent took that phone number and queried it in a law enforcement database, seeking to find US based phone numbers that had communicated with the Iranian. The results turned up one number that corresponded to a Google voice phone number. Via a subpoena to Google, the government was able to identify the number as Hassanshahi’s. After additional investigation, including a search of the TECS database, the government indicted Hassanshahi. Assuming the database was the NSA’s controversial phone records database, Hassanshahi’s lawyers moved to suppress the information learned from the search of the database. The government responded that it wasn’t the NSA database and refused to give the court or the defendant any more information about the database—but asked the court to assume the information had been obtained unconstitutionally. That’s right—the government stated that the database it used was unconstitutional. Unsurprisingly, such an admission got a few raised eyebrows, including the judge overseeing the case, who noted that the government left him in a “difficult, and frustrating, situation.” The judge ordered the government to submit an ex parte declaration “summarizing the contours of the mysterious law enforcement database.”
The government obliged by submitting a three page declaration from DEA Assistant Special Agent in Charge Robert Patterson. This declaration revealed, for the first time, the existence of a DEA phone records database that included phone numbers, the time, date and length of calls made from the US to designated specific countries. While we don’t have a comprehensive list of which countries were involved in the program, we know that Iran was on that list. Agents could query the database if they had reasonable articulable suspicion that a phone number was related to an ongoing criminal investigation. The government discontinued the program in September 2013 and apparently purged the records in the database.
The existence of another database of phone records collected in bulk for domestic law enforcement purposes raises serious legal questions.
Stretching Statutory Authority
The government’s claimed authority for this bulk collection was 21 U.S.C. § 876, which empowers the Attorney General to issue administrative subpoenas—not approved ahead of time by a grand jury or judge—which compel the production of records that are relevant and material to an investigation relating to drug crimes. But bulk collection of all call records based solely on the country a person called could never satisfy the statute, because most of the records are irrelevant to an active investigation. To be sure, the government may only have queried the database for records relevant to an active investigation, but the government was using § 876 to collect all records in anticipation of some future investigation. In other words, unless every person in the US who has ever made a phone call to someone in Iran or some other country contained in the database is considered a criminal suspect, the vast majority of records are irrelevant to any investigation.
Even more problematic, § 876 doesn’t have even the minimal safeguards or limitations contained in Section 215 of the PATRIOT Act. Bulk collection under § 215 at least requires the government to involve a court in the process; it requires the government comply with minimization procedures, and it only permits the government to query records for foreign intelligence purposes. While we have serious doubts about the effectiveness of these safeguards, they’re better than the total lack of safeguards in § 876.
As we’ve argued in our cases challenging bulk collection of phone records and Internet communications, this blanket collection violates the Fourth Amendment’s prohibition against unreasonable searches and seizures. And as we’ve repeatedly argued, people do have a reasonable and legitimate expectation of privacy in these communication records. When the US Supreme Court ruled in Smith v. Maryland 35 years ago that there was no expectation of privacy in phone records collected on a single phone number over three days, it certainly was not contemplating the bulk collection of communication records over an extended period of time that reveal all sorts of sensitive and intimate information about people.
Keep in mind that the DEA engaged in bulk collection not for national security purposes, but instead for routine criminal investigation. The government has consistently argued that the national security character of § 215 excuses the government from the Fourth Amendment’s warrant requirement. But the government cannot hide behind that argument here. While investigating and prosecuting drug trafficking is of course a legitimate law enforcement goal, Fourth Amendment protections are at their strongest when the government’s purpose is investigating crime, rather than some other non-criminal interest.
Ultimately, the constitutional harm is that the government’s bloated (and incorrect) interpretation of Smith, allows it to collect anything held by a third party, regardless of what it is and why they want it. That’s an incredibly overbroad interpretation of the workings of the Fourth Amendment, and in an increasingly digital world, where financial and health records, communications with loved ones and intricate maps of where we’ve gone and are going are sitting in servers controlled by others, there is no limit to this collection power.
The government’s concession that the search of the database was unconstitutional was not a sincere acknowledgement of a screw-up but rather a concerted effort to keep the details of this database secret. Had the court not ordered the government to explain the specifics of the database, the existence and details of the program would likely have remained out of public sight. This secrecy isn’t surprising, and the fact the DEA’s program was discontinued in September 2013 is probably not accidental.
That’s because on September 1, 2013, the New York Times reported for the first time the existence of a program known as “Hemisphere.” which allows the DEA and local law enforcement to obtain call records from AT&T. As government presentations about the program repeatedly make clear, law enforcement agencies are given instructions on “protecting the program,” and advised to “never refer to Hemisphere in any official document.” Earlier in 2013, Reuters reported about the DEA and IRS’s secret use of investigative tips provided by the NSA and other law enforcement and intelligence agencies. Like “Hemisphere,” agents are instructed to keep the true source of this information under wraps and to recreate the investigative trail through some other means. The government calls this practice “parallel construction” but it’s really “intelligence laundering,” designed to insulate surveillance programs from the scrutiny of defense attorneys and judges.
Given the DEA’s well-documented tendency to be less than truthful when it comes to explaining where it really got investigative information, it’s likely the DEA laundered the results of their bulk phone records database too. That puts criminal defendants at a serious disadvantage in defending their cases and undermines the courts ability to act as an effective check on government surveillance.
Illegal Spying, Whether by the NSA or DEA, is Illegal
The DEA’s bulk collection program confirms our worst fears about the scope of unconstrained government surveillance—it’s not just about national security but disregarding constitutional standards to collect as much information as possible.
But the Constitution doesn’t exist to make law enforcement’s job easy. It exists as a restraint on the government’s power. And at a time when the efficacy and legality of bulk surveillance for national security purposes is under serious scrutiny by all branches of the government, there should be no question that bulk surveillance for domestic law enforcement purposes should be off limits. While we’re glad the program has now been discontinued and the records purged, there are many more questions that need to be answered:
- What other countries are on the list?
- How many records were in the database?
- How many people had their phone information placed into the database?
- How often was the database queried?
- What other government or law enforcement agencies had access to the database?
- What other type of information is the DEA collecting in bulk?
- Who within the Department of Justice knew about the DEA’s bulk collection programs?
- Is there legal analysis that justifies bulk collection of these records?
Perhaps the most pressing question is this: what other government databases exist that the public doesn’t know about? The public shouldn’t have to count on an after-the-fact accounting pressed by one federal judge exasperated by the government’s obfuscation to learn about the bulk collection of its calling records. But with the knowledge of this database now public, the DEA and other agencies should be aware that we’re watching too.