
Let's Lock Down the NSA's Shadow Database

Privacy keyboard Photo source: g4ll4is from Flickr
Patrick Toomey, Deputy Director, ACLU National Security Project
March 28, 2014

This is the final blog of a three-part series.

Less than a year after the NSA’s dragnet surveillance of Americans was first exposed to public scrutiny, the president has formally issued a proposal to end the bulk collection of our phone records. In this three-part series, the ACLU analyzes whether the president’s proposal goes far enough, particularly when there’s already strong bipartisan legislation in Congress that would end all bulk collection for good, the USA FREEDOM Act.

President Obama yesterday proposed the demise of the NSA’s bulk collection of Americans’ phone records—a move that the ACLU has called for since the program was publicly disclosed last June. But even if enacted, the president’s proposal is not the end of the story, at least not for Americans’ privacy. As we explained earlier, the NSA would continue to obtain phone records “two hops” removed from its suspects: i.e., the records of people who are not suspected terrorists themselves but who have called, or have been called by, suspected terrorists.

That’s still a lot of phone records—tens of thousands or more—and the question of what the NSA is permitted to do with all of that private information remains a crucial and pressing one.

That’s because, based on what we know now, the president’s proposal would do nothing to reform at least one troubling feature of the NSA’s phone-records program: the shadow database I’ve written about before, called the “corporate store.” Until the government places restrictions on how this data can be used, Americans cannot be confident that their private information is truly protected.

The corporate store is where the NSA socks away the results of all of its queries under the current program, including the second- and third-hop call records that it has previously collected. In January, the Privacy and Civil Liberties Oversight Board estimated that the corporate store held roughly 120 million phone numbers and the complete calling records of 1.5 million people — from 2012 alone.

The president’s proposal would leave the corporate store all but unchanged. The NSA would no longer collect all call records, but it would harvest query results from the phone companies and would continue to pool all of those results in the corporate store. Moreover, the size of this database may grow even more quickly going forward if the president’s proposal implements a new capability the government has long sought—the “alert list,” which would automatically run daily queries on every number approved under the new system.

Critically, this shadow database isn’t just enormous, it’s also entirely unregulated. Under current rules set by the secretive Foreign Intelligence Surveillance Court, the NSA is not limited in how it can search, analyze, or datamine the phone records it amasses in the corporate store. It can even combine those records—which include the phone records of millions of innocent people—with information collected under other surveillance programs. For this reason, the privacy board urged the president to immediately adopt limitations on the NSA’s access to this data.

That warning should not go unheeded—the NSA’s access to the corporate store should be far more limited than it is today. And that is one reason why ending bulk collection, by itself, is not enough. Even without bulk collection, the NSA can stockpile a vast quantity of data about Americans—and we must be vigilant in ensuring that firm limits on the NSA’s use of this data protect our privacy.
