Raiding the "Corporate Store": The NSA's Unfettered Access to a Vast Pool of Americans' Phone Data
The director of National Intelligence declassified three documents on Wednesday related to the NSA's mass collection of Americans' telephone records. One of these — a so-called "primary order" issued by the secret Foreign Intelligence Surveillance Court (FISC) — describes in new detail the rules that the NSA must follow when it collects and queries this trove of sensitive telephone data. What it reveals is not reassuring. Despite intelligence officials' repeated assertions that their access to Americans' phone records is extremely limited and tightly controlled, the primary order suggests NSA analysts can sift through far more telephone data — with far fewer restrictions — than government officials have let on in public. In particular, the primary order shows that NSA analysts have unfettered access to a pool of telephone data called the "corporate store," which likely contains millions of Americans' calling records.
Intelligence officials have repeatedly said that the NSA queries its call-records database only when there is "reasonable suspicion, based on specific and articulated facts" that an identifier — such as a telephone number — is linked to specific foreign terrorist organizations. They have frequently cited one statistic to back up these assertions: According to officials, the NSA queried fewer than 300 unique identifiers under this program in 2012.
As we have pointed out, though, even if the government ran queries on only 300 unique identifiers in 2012, those searches implicated the privacy of millions of Americans. Intelligence officials have explained that analysts are permitted to examine the call records of all individuals within three "hops" of a specific target. As a result, a query yields call information not only about the individual thought to be associated with a specific foreign terrorist organization, but about all of those separated from that individual by one, two, or three degrees. Even if one assumes, conservatively, that each person has an average of 40 unique contacts, an analyst who accessed the records of everyone within three hops of an initial target would have accessed records concerning more than two million people. Multiply that figure by the 300 phone numbers the NSA says that it searched in 2012, and by the seven years the program has apparently been in place, and it quickly becomes clear that official efforts to characterize the extent and impact of this program are deeply misleading.
This much we've known for several weeks. But thanks to the documents released yesterday, we now have a better idea about what happens to the information that's pulled up through queries. All of this information, the primary order says, is dumped into something called the "corporate store." Incredibly, the FISC imposes no restrictions on what analysts may subsequently do with the information. The FISC's primary order contains a crucially revealing footnote stating that "the Court understands that NSA may apply the full range of SIGINT analytic tradecraft to the result of intelligence analysis queries of the collected [telephone] metadata." In short, once a calling record is added to the corporate store, anything goes.
More troubling, if the government is combining the results of all its queries in this "corporate store," as seems likely, then it has a massive pool of telephone data that it can analyze in any way it chooses, unmoored from the specific investigations that gave rise to the initial queries. To put it in individual terms: If, for some reason, your phone number happens to be within three hops of an NSA target, all of your calling records may be in the corporate store, and thus available for any NSA analyst to search at will.
But it's even worse than that. The primary order prominently states that whenever the government accesses the wholesale telephone-metadata database, "an auditable record of the activity shall be generated." It might feel fairly comforting to know that, if the government abuses its access to all Americans' call data, it might eventually be called to account—until you read footnote 6 of the primary order, which exempts entirely the government's use of the "corporate store" from the audit-trail requirement.
The FISC's rules provide the appearance of limited and targeted access to Americans' phone records — but the reality is far different. When a single query is, in fact, a three-hop frolic through American's phone records, the initial restraints lose much of their force. And, when the NSA can combine the results of all these queries for future, unrestricted analysis, the FISC's front-end protections have almost no significance at all. The weakness of the back-end controls renders the front-end protections all but irrelevant.