Robert Mueller's testimony today on the NSA phone monitoring (
F.B.I. Director Warns Against Dismantling Surveillance Program) had some fascinating tidbits. First, there's this (emphasis mine):
Testifying before the Senate Judiciary Committee, Mr. Mueller addressed a proposal to require telephone companies to retain calling logs for five years — the period the N.S.A. is keeping them — for investigators to consult, rather than allowing the government to collect and store them all. He cautioned that it would take time to subpoena the companies for numbers of interest and get the answers back.
“The point being that it will take an awful long time,” Mr. Mueller said.
“In this particular area, where you’re trying to prevent terrorist attacks, what you want is that information as to whether or not that number in Yemen is in contact with somebody in the United States almost instantaneously so you can prevent that attack,” he said. “You cannot wait three months, six months, a year to get that information, be able to collate it and put it together. Those are the concerns I have about an alternative way of handling this.”
Mr. Mueller did not explain why it would take so long for telephone companies to respond to a subpoena for calling data linked to a particular number, especially in a national security investigation.
I can tell you why it would take so long in one word: incentives. The NSA and FBI are incentivized to build a system that actually works efficiently and effectively. The phone companies, if faced with regulatory requirements to retain records, and incentivized to do it cheaply. Let's do some back of the envelope math here:
- The average person probably makes 5 - 10 phone calls/text messages a day on their mobile device.
- Wikipedia tells us that there are about
300,000,000 mobile phones in the US.
- That comes out to about 3 trillion phone calls in 5 years. Let's say a single carrier handles maybe 1/5 of that traffic, or 600 billion calls they have to retain.
- Assuming metadata on a single call (from, to, duration, date, time, and maybe
IMEI) takes up 1 kilobyte of data.
- Then the carrier is required to keep a rolling log of about
500 terabytes of call data
As bad as this sounds, it's not actually that big a deal. Facebook handles about this much data
each day. And using horizontally scalable key-value stores, like Cassandra or MongoDB, you can easily store the data and return the results in near real time, as long as you're willing to throw enough commodity hardware at it. But that's the real issue: the willingness. Verizon, AT&T, these guys don't really
want to be in the business of storing call log data and providing it to the government. It doesn't make them any money. So they would simply throw it onto a disk, making it unsearchable, and tell the government, "Sorry, your request will return in 3 - 6 weeks." You could in theory legislate that they return the results faster, but you can't actually legislate that people build competent technology infrastructure. Failure is a more likely scenario than compliance.
With all that said, though, the fundamental question in my mind is this:
What is the real difference between the NSA storing the data and the phone carriers storing it and producing it on request? I think this is an interesting philosophical question, and as a civil libertarian, not one I take lightly. The process is essentially the same:
Case 1: The FBI asks Verizon for calls relating to X, and they get an answer back.
Case 2: The FBI asks the NSA for calls relating to X, and they get an answer back.
Going through Verizon for the request may make it take longer, and that may be a good thing, if you're worried about abuse of the data. But, should we really be relying on incompetence as a safeguard against abuse? Frankly, incompetence is often the only thing that stands between us and abuse by corporations and the government. People who ascribe all things to vast complex conspiracies fail to appreciate the true depths of human fallibility and incompetence, in most cases. But, if the question is one of principle (legal, moral, or otherwise), it's worth asking ourselves if we'd be comfortable with Case 1, why are we fundamentally less comfortable with Case 2?