Sunday, July 7, 2013

NSA Meta-Data: What I Consider Reasonable

We know much less about what the NSA is doing than what the Postal Service is doing.  Nonetheless, I believe that reasoning by analogy from what is acceptable for the postal service is a good way to decide what would be acceptable for the NSA.

We know that the NSA is collecting meta-data on all phone calls made in the country.  What we do not know is what it is doing with all that information.  The general guess is that it is doing one of two things.  One possibility is that it is tracing the calls of known and suspected terrorists to find their contacts and patterns of calls, and to see who needs further investigation.  For instance, if a terrorist attempts to thwart surveillance by changing phones, the new phone can be found by looking for a new number that has the same contacts and patterns of calls as the old one.  The other possibility is that the NSA is doing general data mining on this immense database, looking for possible patterns of terrorist activity.  My position is that I consider the former use acceptable if appropriate safeguards are in place, and the latter use unacceptable.  And I definitely do not want it to be within the NSA's unbridled discretion to decide what it does with this immense database.

Why is overall data mining without particularized suspicion unacceptable to me?  Maybe the simplest answer is that the invasion of privacy just feels creepy to me.  Defenders would argue that I am being unreasonable, that my identity is not known to the people tracking my meta-data, that my meta-data is too small and insignificant to attract attention, and that nothing so abstract and impersonal could in any way be an invasion of privacy.  I suppose my answer comes from Bruce Schneier.  For data mining to be an effective tool, three conditions must be met: there must be a well-defined profile, a reasonable frequency of attacks, and a low cost of false positives.  Hence data mining works well for credit card fraud.  Credit card fraud has a definable profile -- purchase of an expensive or easily fenced item, or a sudden change in the owner's spending habits.  It is common -- out of 900 million credit cards in circulation in the US, about 1% are typically stolen or used fraudulently in a year.  And the cost of a false alarm is no more than a phone call to verify that a purchase is genuine.  Terrorism is a different matter altogether.  It is by no means clear that there is a well-defined profile of a terrorist.  But, even assuming that there is such a profile, terrorists are rare.  Even with a very low false alarm rate, false alarms will vastly outnumber real leads, to the point that frustrated law enforcement refers to them as "calls to Pizza Hut."  Schneier focuses on this mostly as a waste of law enforcement resources, but it is more than that.  It is an invasion of privacy for every innocent target investigated as a result of a false alarm.  Then there is also the frustration factor in looking for a needle in a haystack and not finding one.  The temptation will become great to sharpen a strand of hay and call it a needle.  Certainly there is some evidence that at least some agencies, lacking terrorists to surveil, have gone looking for someone -- anyone -- else to keep an eye on.  (Now if only someone could be caught conducting surveillance on the Tea Party!)
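The base-rate argument above is easy to state and easy to underestimate, so here is an added worked example (not from the post or from Schneier) that runs the same detector over the two populations.  The credit card figures (900 million cards, about 1% misused per year) are the post's own; the detector quality and all of the terrorism figures are assumed, illustrative values chosen only to show the shape of the result:

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    population: int          # how many people or accounts are screened
    base_rate: float         # fraction of the population that really is a positive
    sensitivity: float       # probability the detector flags a real positive
    false_alarm_rate: float  # probability the detector flags an innocent record


def screen(s: Scenario) -> dict:
    """Expected outcome of running the detector once over the whole population."""
    positives = s.population * s.base_rate
    negatives = s.population - positives
    true_alerts = positives * s.sensitivity
    false_alerts = negatives * s.false_alarm_rate
    total = true_alerts + false_alerts
    return {
        "true_alerts": true_alerts,
        "false_alerts": false_alerts,
        # Fraction of alerts that are worth acting on; this is what the investigator sees.
        "precision": true_alerts / total if total else 0.0,
        # Innocent people investigated for every genuine lead.
        "false_per_true": false_alerts / true_alerts if true_alerts else float("inf"),
    }


# Credit card fraud: the post's figures (900 million cards, ~1% misused per year).
# Detector quality is assumed: catches 90% of fraud, flags 0.1% of honest accounts.
CREDIT_CARD = Scenario("credit card fraud", 900_000_000, 0.01, 0.90, 0.001)

# Terrorism: constructed, illustrative figures, not data from the post or any agency.
# ~300 million subscribers, one real suspect per million, the same detector quality.
TERRORISM = Scenario("terrorism", 300_000_000, 0.000_001, 0.90, 0.001)


def compare(*scenarios: Scenario) -> dict:
    """Run every scenario and key the results by name."""
    return {s.name: screen(s) for s in scenarios}


if __name__ == "__main__":
    for name, r in compare(CREDIT_CARD, TERRORISM).items():
        print(f"{name}: precision {r['precision']:.4f}, "
              f"{r['false_per_true']:,.0f} false alarms per real lead")
```

With identical detector quality, about nine in ten credit card alerts are genuine, while in the terrorism case well over a thousand innocent people are flagged for each real lead.  Nothing about the detector changed; only the base rate did, which is the point Schneier makes and the post relies on.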

So, why is use of the entire national electronic communications database to track known and suspected terrorists acceptable to me?  If there is a known target, why not use more conventional means to follow that target?  Here I will have to plead lack of expertise and deference to the experts.  The basic point appears to be that electronic communications are much more mobile, extensive, and easy to change than when most of the rules for wiretapping were made.  People have more phones than in the past, and can switch numbers more quickly and easily.  The pre-paid or disposable phone has replaced the pay phone as the best source of anonymity.  And, of course, there are many forms of non-telephonic instant communication.  So I am prepared to believe that, given the mobility and interchangeability of communications these days, finding a terrorist who is trying to evade surveillance might require access to a very large database.  Maybe finding a terrorist's new phone by looking for a similar pattern really does call for extensive data mining.  Maybe there are other uses in tracking terrorists that I never thought of.

What safeguards would I consider necessary for me to be comfortable with the NSA collecting all our electronic meta-data?  Probably something similar to what I would consider appropriate for the Postal Service.  I consider it reassuring that in the case of the mail, the agency collecting meta-data and the agencies using it are separate.  Even the minimal procedural barrier of having to make an application for information limits requests to cases of some sort of particularized suspicion.  If the NSA is going to collect all our meta-data, then the agency storing the data and the one using it should be separate.  If the NSA is looking for something in the meta-data, it should require a court order and some sort of particularized suspicion.  The current pen register rule for tracing contacts with a particular number is "relevance to an ongoing investigation."  This is not a high standard.  My understanding is that it is theoretically what the NSA is still held to in its use of meta-data, but it has evaded even that narrow standard by simply arguing that all meta-data is relevant to its search for terrorists (can't find link).  Clearly, then, something more specific is called for.  I am open to persuasion as to whether it should require "specific and articulable facts" or even "probable cause," but simply that it might yield something some time is not enough.  Regardless, once you authorize searching through such an immense database, even with particularized suspicion, a lot of innocent data is going to be swept in.  We therefore need stringent minimization procedures, that is, rules forbidding follow-up on leads that turn out to be innocent, and requiring destruction of information gathered that turns out to be innocent.  And finally, on the subject of data destruction, we need some sort of expiration date on the information gathered.  It may be that properly tracing a number requires information that dates back for a period of time, perhaps even years.  But there must be a point beyond which the trail goes cold and the usefulness of meta-data is limited.  No doubt there is always a faint possibility of some sort of use, but at some point it starts sounding like an excuse.  We need an expiration date on meta-data collected.
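The four safeguards the post asks for (a custodian separate from the analyst, a particularized order before any lookup, minimization of innocent leads, and an expiration date on the records) can be made concrete in a few dozen lines.  The following is an added example, not the post's or any agency's code: a toy record store that enforces those rules in the order the post names them.  The retention period, the order format and the 555 phone numbers are all constructed for illustration:

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class CallRecord:
    caller: str
    callee: str
    day: date


@dataclass(frozen=True)
class Order:
    """Stand-in for a court order: names one number, records a basis, and expires."""
    target: str
    basis: str        # the particularized suspicion put before the judge
    expires: date

    def covers(self, number: str, today: date) -> bool:
        return number == self.target and today <= self.expires


class MetadataStore:
    """The custodian.  It never analyses the records; it only answers a query
    for the one number an Order names, and it forgets records past retention."""

    def __init__(self, records, today: date, retention: timedelta):
        self.today = today
        # Expiration: anything older than the retention window is dropped at load.
        self.records = [r for r in records if today - r.day <= retention]
        self.audit_log = []

    def contacts_of(self, number: str, order: Order) -> set:
        # Separation of custodian and analyst: the store refuses any lookup that
        # is not backed by an in-force order naming exactly this number.
        if not order.covers(number, self.today):
            self.audit_log.append(("denied", number))
            raise PermissionError(f"no valid order for {number}")
        self.audit_log.append(("served", number, order.basis))
        contacts = set()
        for r in self.records:
            if r.caller == number:
                contacts.add(r.callee)
            elif r.callee == number:
                contacts.add(r.caller)
        return contacts


def minimize(leads: set, cleared: set) -> set:
    """Minimization: numbers that follow-up showed to be innocent are removed
    from the working set rather than kept around for later use."""
    return leads - cleared


TODAY = date(2013, 7, 7)            # the post's date
RETENTION = timedelta(days=365)     # assumed one-year expiration on records

# Constructed sample records; 555 numbers are fictional.
RECORDS = [
    CallRecord("555-0100", "555-0101", date(2013, 6, 1)),
    CallRecord("555-0102", "555-0100", date(2013, 5, 20)),
    CallRecord("555-0100", "555-0103", date(2011, 1, 15)),  # past retention: purged
    CallRecord("555-0104", "555-0105", date(2013, 6, 30)),  # unrelated to the target
]


def demo():
    """Load the store, serve one authorized query, and return the pieces."""
    store = MetadataStore(RECORDS, TODAY, RETENTION)
    order = Order("555-0100", "affidavit <placeholder>", expires=date(2013, 12, 31))
    leads = store.contacts_of("555-0100", order)
    return store, order, leads


if __name__ == "__main__":
    store, order, leads = demo()
    print("records kept after expiration:", len(store.records))
    print("contacts returned under the order:", sorted(leads))
    print("after minimization:", sorted(minimize(leads, {"555-0102"})))
```

Note that the 2011 call to 555-0103 never reaches the analyst at all, because the custodian purged it before any query was served; that is the difference between an expiration date and a promise not to look.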

I intend to follow up with a few posts on other surveillance topics besides meta data.
