Skip Navigation

The Third-Party Metadata Idea Is Fourth-Rate

Whether one supports the bulk collection program or opposes it, outsourcing it to a private corporation is not the right way forward.

March 11, 2014

Cross­pos­ted from The Wall Street Journal.

Pres­id­ent Obama announced in Janu­ary his intent to rethink the contro­ver­sial “bulk collec­tion” program that lets the National Secur­ity Agency collect and store Amer­ic­ans’ tele­phone metadata. One option under consid­er­a­tion is to house the data with a third party, most likely a private corpor­a­tion. The two of us disagree on the proper scope of national secur­ity surveil­lance—one would be content to see the metadata program continue while one would like to see it end—but we agree on this: Third-party reten­tion is the worst of all options and should be taken off the table.

The ostens­ible advant­age of third-party reten­tion is to make it more diffi­cult for the NSA to access the data improp­erly, thus address­ing fears of poten­tial abuse. There is little reason, however, to think a private contractor would view its role as poli­cing the NSA’s access. Govern­ment contract­ors see their job as serving the agency that pays them—not enga­ging in over­sight or throw­ing up barri­ers to the agency’s desired course of action.

Third-party reten­tion would be more likely to create compli­ance and over­sight prob­lems than to solve them. For better or worse, the NSA and exec­ut­ive branch more gener­ally are respons­ible and account­able for the appro­pri­ate hand­ling of the data they collect. Remov­ing data to a corpor­a­tion would distance the govern­ment from its proper role—and oblig­a­tion­s—as custodian of inform­a­tion collec­ted for a national-secur­ity purpose. It would intro­duce ambi­gu­ity regard­ing which entity would be respons­ible for monit­or­ing and ensur­ing compli­ance with legal require­ments.

Over­sight would be a chal­lenge even if the roles were clear. Currently, the program is subject to internal exec­ut­ive branch review by NSA entit­ies such as the Office of Compli­ance and Inspector Gener­al’s Office. The Office of the Director of National Intel­li­gence and the Justice Depart­ment also over­see the program. Regard­less of one’s views on the suffi­ciency of these mech­an­isms, it is unlikely they could be replic­ated under the third-party option. If the govern­ment were to try to continue exist­ing over­sight activ­it­ies, that would create an odd, and likely unsus­tain­able, govern­ment-private rela­tion­ship. If the third party were to take on the task, that would entrust a core govern­mental func­tion—en­sur­ing fidel­ity to the rule of law—to a private entity that lacks the insti­tu­tional compet­ence or legit­im­acy to perform it.

From a secur­ity stand­point, the data would be a major and obvi­ous target for cyber­at­tack by crim­inal hack­ers or foreign nations. Our defense and intel­li­gence agen­cies have their own chal­lenges protect­ing their most sens­it­ive inform­a­tion from breaches, so there is reason for concern about trans­fer­ring the data to a private company that may or may not be equipped to handle the secur­ity risk.

The third-party option also would create a perverse incent­ive for the bulk collec­tion program to continue indef­in­itely and even to expand. A private contractor would have a substan­tial finan­cial interest in retain­ing and managing this data for as long as possible. Encour­aging a well-heeled party to lobby for the program’s longev­ity runs counter to the interest of privacy advoc­ates who would like to see the program modi­fied or ended.

It also runs counter to sound national secur­ity policy. Effect­ive decision making requires peri­odic re-eval­u­ation to ensure that collec­tion programs meet a legit­im­ate national secur­ity need. For whatever reas­on—be it dimin­ish­ing returns over time, better tech­no­logy, or the result of public and legis­lat­ive debate—the govern­ment may decide to end the program in the future. If the data reside with a third party, ending the program—and ensur­ing proper dispos­i­tion of the data—will be more complic­ated.

Whether one supports the bulk collec­tion program or opposes it, outsourcing it to a private corpor­a­tion is not the right way forward. It would dilute account­ab­il­ity, intro­duce poten­tial secur­ity risks and create new pres­sure to continue the program regard­less of its privacy implic­a­tions or national secur­ity value.

Ms. Cord­ero, a former attor­ney with the Justice Depart­ment’s national-secur­ity divi­sion, is the director of national-secur­ity stud­ies at Geor­getown Law. Ms. Goitein is co-director of the liberty and national-secur­ity program at the Bren­nan Center for Justice at New York Univer­sity Law School.

Photo by univi­enna