The Third-Party Metadata Idea Is Fourth-Rate

Whether one supports the bulk collection program or opposes it, outsourcing it to a private corporation is not the right way forward.

March 10, 2014

Crossposted from The Wall Street Journal.

President Obama announced in January his intent to rethink the controversial "bulk collection" program that lets the National Security Agency collect and store Americans' telephone metadata. One option under consideration is to house the data with a third party, most likely a private corporation. The two of us disagree on the proper scope of national security surveillance—one would be content to see the metadata program continue while one would like to see it end—but we agree on this: Third-party retention is the worst of all options and should be taken off the table.

The ostensible advantage of third-party retention is to make it more difficult for the NSA to access the data improperly, thus addressing fears of potential abuse. There is little reason, however, to think a private contractor would view its role as policing the NSA's access. Government contractors see their job as serving the agency that pays them—not engaging in oversight or throwing up barriers to the agency's desired course of action.

Third-party retention would be more likely to create compliance and oversight problems than to solve them. For better or worse, the NSA and executive branch more generally are responsible and accountable for the appropriate handling of the data they collect. Removing data to a corporation would distance the government from its proper role—and obligations—as custodian of information collected for a national-security purpose. It would introduce ambiguity regarding which entity would be responsible for monitoring and ensuring compliance with legal requirements.

Oversight would be a challenge even if the roles were clear. Currently, the program is subject to internal executive branch review by NSA entities such as the Office of Compliance and Inspector General's Office. The Office of the Director of National Intelligence and the Justice Department also oversee the program. Regardless of one's views on the sufficiency of these mechanisms, it is unlikely they could be replicated under the third-party option. If the government were to try to continue existing oversight activities, that would create an odd, and likely unsustainable, government-private relationship. If the third party were to take on the task, that would entrust a core governmental function—ensuring fidelity to the rule of law—to a private entity that lacks the institutional competence or legitimacy to perform it.

From a security standpoint, the data would be a major and obvious target for cyberattack by criminal hackers or foreign nations. Our defense and intelligence agencies have their own challenges protecting their most sensitive information from breaches, so there is reason for concern about transferring the data to a private company that may or may not be equipped to handle the security risk.

The third-party option also would create a perverse incentive for the bulk collection program to continue indefinitely and even to expand. A private contractor would have a substantial financial interest in retaining and managing this data for as long as possible. Encouraging a well-heeled party to lobby for the program's longevity runs counter to the interest of privacy advocates who would like to see the program modified or ended.

It also runs counter to sound national security policy. Effective decision making requires periodic re-evaluation to ensure that collection programs meet a legitimate national security need. For whatever reason—be it diminishing returns over time, better technology, or the result of public and legislative debate—the government may decide to end the program in the future. If the data reside with a third party, ending the program—and ensuring proper disposition of the data—will be more complicated.

Whether one supports the bulk collection program or opposes it, outsourcing it to a private corporation is not the right way forward. It would dilute accountability, introduce potential security risks and create new pressure to continue the program regardless of its privacy implications or national security value.

Ms. Cordero, a former attorney with the Justice Department's national-security division, is the director of national-security studies at Georgetown Law. Ms. Goitein is co-director of the liberty and national-security program at the Brennan Center for Justice at New York University Law School.

Photo by univienna