The recent terrorist attack in San Bernardino has kicked up yet another round of debate regarding NSA’s bulk phone records collection program, which was officially ended on November 29th, in accordance with requirements of the USA FREEDOM Act. According to the Associated Press, “The U.S. government’s ability to review and analyze five years’ worth of telephone records for the married couple blamed in the deadly shootings in California lapsed just four days earlier when the National Security Agency’s controversial mass surveillance program was formally shut down.” Presidential candidates have picked up on this issue, with Jeb Bush and Marco Rubio both using the opportunity to criticize Ted Cruz for his support for the USA FREEDOM Act.
While we don’t have all the details yet, it is unlikely that federal authorities really lost any investigative opportunities with respect to this recent attack when the bulk collection program ended. That program wasn’t intended to help with incidents like these in the first place.
The database was intended to help preempt terrorist attacks by allowing the IC to find a phone number overseas (in Yemen for example), query the database to see if that overseas number was in touch with anybody domestic, and then investigate that domestic contact. The phone records database is NOT intended for retrospective investigation after a domestic terrorist attack. In those cases, standard subpoena authorities should suffice to allow authorities to gain access to the data they need.
There are a few issues that are useful to understand about this recently reformed program as we think about the attack and investigation.
Rather than the government preemptively collecting all records, USA FREEDOM shifts the burden of holding records to the phone companies. The Act attempts to preserve the value of the program by allowing the government to then request phone records from those companies when necessary. But, whereas NSA held records for five years, the Act doesn’t include any retention mandate for the companies. Those companies might hold records for five days or five years. If they hold them for five years, then the value of the program is preserved. If they hold them for five days, then law enforcement authorities could lose data that might be useful in an investigation.
Legislators debated whether to include a retention mandate in the USA FREEDOM Act, with some on the intelligence committees arguing in favor. In the end, they decided against it. Currently, many phone companies retain records between one and ten years. They do so for billing purposes; they need to keep call detail records around so that they can know how much to charge people. Verizon Wireless holds records for one year. T-Mobile keeps records for seven to ten years.
So, the questions then raised by the San Bernardino attack are: For whatever phone service the attackers used, what is the company’s records retention policy and how much does it differ from NSA’s five-year retention time for the program it just shut down? And to what extent do we expect any data loss to have a real impact on the investigation?