During this time, the program cost about $100 million but resulted in only 15 intelligence reports - a number that by NSA's own assessment is low for a program of this scale and cost. From these 15 reports, only two reports gave the FBI unique information that it would not have had access to through other legal authorities.
Further, the program was plagued with repeated data integrity and compliance problems. NSA, to its credit, worked diligently to diagnose and remediate these, including deleting data that NSA had received due to providers' errors. Still, there is no indication that the conditions that led to the compliance errors are likely to change; nor can I see what NSA could do to avoid further problems should the program be restarted.
Emerging technologies are dramatically raising the stakes as policymakers decide which intelligence capabilities to authorize. Terrorists and other bad actors leave information trails that can identify them and expose their plans. At the same time, we all leave a copious trail of "data exhaust" that can reveal intimate details of our lives. While the privacy implications of each individual piece of data may not seem terribly revealing, the collection as a whole can disclose a great deal, especially where corporate "big data" technologies can reveal the intricacies of our private lives in ways our grandparents never imagined.
The risks and benefits of any data collection authority can be difficult to predict. It might not have been obvious in advance that court orders for two hops of CDRs from a few "seed numbers" would encompass the records of many millions of Americans. And it was surely not obvious that this process would be error-prone and would provide little intelligence value.Fortunately, we can learn from experience. Robust statistical reports on the uses of intelligence authorities are part of the answer, to ensure that Congress and the public understand the privacy impact of programs. Agencies have made important strides on statistical transparency. At the same time, we need independent, rigorous, and comprehensive oversight, so decisionmakers have the facts and analysis they need to make well-informed decisions. That's what the Board's report aims to provide.
Some have suggested that the problem with the CDR program was not that it was too broad, but that it was too narrow-that the statute could be amended to provide multi-hop authority for other ways in which terrorists may communicate other than by telephone, such as emails and encrypted messaging. But this would only raise further difficulties and questions about the privacy and civil liberties impact of such a program. The CDR program was tailored to telephony, a technology with a century-long history. Even in this highly regulated sector, American companies encountered significant data integrity issues. There is no reason to think the compliance or data quality issues encountered in the CDR program would have been less severe for other types of communications media. Working with a tech sector where developing new capabilities without fully weighing downstream impacts is a common business practice would not be conducive to stability and data accuracy - let alone compliance.
The CDR program was started in good faith, with the hope that it would yield valuable intelligence to protect the public, without too much impact on privacy and civil liberties. Those hopes were not realized. With the benefit of hindsight, we know that the program yielded little useful intelligence, impacted the privacy of millions of Americans, and struggled with data quality problems. What might have been defensible in principle turned out to be a poor bargain in operation.
NSA was right to shutter the call data records program. It's time for Congress to close the book on it.
Ed Felten is a member of the Privacy and Civil Liberties Oversight Board (PCLOB), an independent executive branch agency that works to ensure that efforts by the executive branch to protect the nation from terrorism appropriately safeguard privacy and civil liberties. The views expressed in this article are his own and do not represent those of the PCLOB or the other board members.