We have always believed that it's important to differentiate between different types of government requests. We already publish criminal requests separately from National Security Letters: http://goo.gl/OCFck. Lumping the two categories together would be a step back for users. Our request to the government is clear: to be able to publish aggregate numbers of national security requests, including FISA disclosures, separately.
As you can see below, NSA director Keith Alexander appears to have ruled out vacuuming up "Internet search records" using the Obama administration's secret interpretation of Section 215 of the Patriot Act. That's the section of the law that's used to obtain logs of domestic phone calls from Verizon and reportedly AT&T and Sprint too.
"Internet search records" are likely, legally speaking, content data. And Alexander said that has higher legal protections. But Alexander didn't rule out (as my article shows) vacuuming up non-content data such as logs of email correspondents and IP addresses visited.
SEN. DURBIN: My question to you is this: Section 215 can be used to obtain, quote, "any tangible thing," close quote. That could include -- could include medical records, Internet search records, tax records, credit card records.
Last year, the government filed 212 Section 215 orders. That's an increase from 21 such orders in 2009. So clearly this authority is being used for something more than phone records.
So let me ask you: Do you think Section 215, giving you authority to secure tangible things, could include the categories of information that I just listed?
GEN. ALEXANDER: We don't. I don't use those, so I'm not aware of anything that goes that -- that would be outside of NSA. All we use this for today is the business records, FISA.
I would point out -- I just want to characterize something that you said here.
As you know, this was developed -- and I agree with you, we all had this concern coming out of 9/11, how are we going to protect the nation, because we did get intercepts on Mihdhar, but we didn't know where he was.
We didn't have the data collected to know that he was a bad person. And because he was in the United States, the way we treat it is he's a U.S. person. So we had no information on that. And if we didn't collect that ahead of time, we couldn't make those connections.
So what we create is a set of data and we put it out here, and then only under specific times can we query that data. And as you know, Senator, every time we do that, it's auditable by the committees, by the Justice Department, by the court and by the administration. We get oversight from everybody on this.
SEN. DURBIN: I'm over my time, but I want to -- here's the point. If you knew that a suspect had made a call into area code 312, the city of Chicago, it certainly defies logic that you'd need to collect all of the telephone calls made in the 312 area code on the chance that one of those persons might be on the other end of the phone.
Now, if you have a suspected -- a suspected contact, that to me is clear. I want you to go after that person.
GEN. ALEXANDER: Right.
SEN. DURBIN: What I'm concerned about is the reach beyond that that affects innocent people.
GEN. ALEXANDER: So the -- so we agree at least on that part. And the next step -- and I think in the debate that we actually need to talk about -- is, so what happens if you don't know he's in 312 yet? And so something happens, and now we say, who was he talking to?
So let's take Mihdhar. You had authorized us to get Mihdhar's phones in California. But Mihdhar was talking to the other four teams. Under the business record FISA, because we had stored the data in a database, we now have what we call reasonable articulable suspicion. We could take that number and go backwards in time and see who he was talking to. And if we saw there were four other groups, we wouldn't know who those people were; we'd only get the numbers. We'd say, this looks of interest, and pass that to the FBI. We don't look at U.S. -- the identities of it; we only look at the connections.
SEN. DURBIN: I'm way over time. I'm not going to dwell on it. You've just given a clear illustration where you had specific information about telephone contacts, which I don't quarrel with. What I quarrel with is collecting all of the information in California on telephone records to try to find that specific case. That to me seems overly broad.
A secret interpretation of the Patriot Act led to the National Security Agency vacuuming up all of Verizon's phone logs. The NSA may be doing the same for e-mail and Web-browsing logs too. Read this article by Declan McCullagh on CNET News.
From David Drummond, Chief Legal Officer: We cannot say this more clearly—the government does not have access to Google servers—not directly, or via a back door, or a so-called drop box. Nor have we received blanket orders of the kind being discussed in the media. It is quite wrong to insinuate otherwise. We provide user data to governments only in accordance with the law. Our legal team reviews each and every request, and frequently pushes back when requests are overly broad or don’t follow the correct process. And we have taken the lead in being as transparent as possible about government requests for user information.
Sources challenge reports alleging National Security Agency is 'tapping directly into the central servers.' Instead, they say, the spy agency is obtaining orders under process created by Congress. Read this article by Declan McCullagh on CNET News.