Judge pulls no punches in ruling against NSA program

The author of the U.S. Constitution would be 'aghast,' Judge Richard Leon wrote

Judge Richard Leon ripped into the U.S. Department of Justice and the National Security Agency in his Monday ruling that the NSA's controversial collection of U.S. telephone records may violate the U.S. Constitution.

Leon, of the U.S. District Court for the District of Columbia, ruled in favor of four plaintiffs who challenged the NSA's bulk collection of U.S. telephone records.

Here are some highlights of the 68-page ruling:

On the NSA's policy of searching for phone numbers no more than three hops from a suspect's phone number: "It is likely that the quantity of phone numbers captured in any given query would be very large .... Suppose that one of the numbers [a suspect in New York City] calls is his neighborhood Domino's Pizza shop. The Court won't hazard a guess as to how many different phone numbers might dial a given Domino's Pizza outlet in New York City in a five-year-period, but to take a page from the Government's book of understatement, it's 'substantially larger'" than a 100-number estimate the judge used in an earlier example.

On whether Congress intended to allow a district court to review the NSA's surveillance programs, in addition to the Foreign Intelligence Surveillance Court's review: "Where, as here, core individual constitutional rights are implicated by Government action, Congress should not be able to cut off a citizen's right to judicial review of that Government action simply because it intended for the conduct to remain secret by operation of the design of its statutory scheme. While Congress has great latitude to create statutory schemes like FISA, it may not hang a cloak of secrecy over the Constitution."

On the DOJ's assertion that the plaintiffs, Verizon Wireless customers, don't have standing to challenge the NSA program because the leaked FISC order covering the NSA collection program covers only Verizon landlines: "The Government obviously wants me to infer that the NSA may not have collected records from Verizon Wireless (or perhaps any other [non-Verizon] entity, such as AT&T and Sprint. Curiously, the Government makes this argument at the same time it is describing in its pleadings a bulk metadata collection program that can function only because it 'creates a historical repository that permits retrospective analysis of terrorist-related communications across multiple telecommunications networks.' Put simply, the Government wants it both ways."

"To draw an analogy, if the NSA's program operates the way the Government suggests it does, then omitting Verizon Wireless, AT&T, and Sprint from the collection would be like omitting John, Paul, and George from a historical analysis of the Beatles. A Ringo-only database doesn't make any sense, and I cannot believe the Government would create, maintain, and so ardently defend such a system."

On whether the NSA program violates the Fourth Amendment to the U.S. Constitution: "The threshold issue that I must address, then, is whether the plaintiffs have a reasonable expectation of privacy that is violated when the Government indiscriminately collects their telephone metadata along with the metadata of hundreds of millions of other citizens without any particularized suspicion of wrongdoing, retains all of that metadata for five years, and then queries, analyzes, and investigates that data without prior judicial approval of the investigative targets."

"I have little doubt that the author of our Constitution, James Madison, who cautioned us to beware 'the abridgement of freedom of the people by the gradual and silent encroachments by those in power,' would be aghast."

On the DOJ's defense of the program, using the 34-year-old Supreme Court case, Smith v. Maryland: "The question in this case can more properly be styled as follows: When do present-day circumstances -- the evolutions in the Government's surveillance capabilities, citizens' phone habits, and the relationship between the NSA and telecom companies -- become so thoroughly unlike those considered by the Supreme Court thirty-four years ago that a precedent like Smith does not apply? The answer, unfortunately for the Government, is now."

"The relationship between the police and the phone company in Smith is nothing compared to the relationship that has apparently evolved for the last seven years between the Government and telecom companies .... In Smith, the Court considered a one-time, targeted request for data regarding an individual suspect in a criminal investigation, which in no way resembles the daily, all-encompassing, indiscriminate dump of phone metadata that the NSA now receives. It's one thing to say that people can expect phone companies to occasionally provide information to law enforcement; it is quite another to suggest that our citizens expect all phone companies to operate what is effectively a joint intelligence-gathering operation with the Government."

On the changed use of phones since the Smith case: "It is now safe to assume that the majority of people reading this opinion have at least one cell phone within arm's reach. In fact, some undoubtedly will be reading this opinion on their cell phones. Cell phones have also morphed into multi-purpose devices. They are now maps and music players. They are cameras. They are even lights that people hold up at rock concerts. Put simply, people in 2013 have an entirely different relationship with phones than they did thirty-four years ago."

The Smith ruling and the NSA program "have so many significant distinctions between them that I cannot possibly navigate these uncharted Fourth Amendment waters using as my North Star a case that predates the rise of cell phones."

On the effectiveness of the NSA program: "The Government does not cite a single instance in which analysis of the NSA's bulk metadata collection actually stopped an imminent attack."

Grant Gross covers technology and telecom policy in the U.S. government for The IDG News Service. Follow Grant on Twitter at GrantGross. Grant's email address is grant_gross@idg.com.

Join the CSO newsletter!

Error: Please check your email address.

Tags U.S. Department of JusticetelecommunicationsecurityRichard LeonU.S. District Court for the District of ColumbiaCivil lawsuitslegalU.S. National Security Agencymobilegovernmentprivacy

More about Department of JusticeDOJDomino's PizzaIDGNational Security AgencyNSASprintVerizonVerizonVerizon Wireless

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Grant Gross

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place