By G.W. Schulz, Center for Investigative Reporting
While revelations from Edward Snowden about the National Security Agency’s massive database of phone records have sparked a national debate about its constitutionality, another secretive database has gone largely unnoticed and without scrutiny.
The database, which affects unknown numbers of people, contains phone records that at least five police agencies in southeast Virginia have been collecting since 2012 and sharing with one another with little oversight. Some of the data appears to have been obtained by police from telecoms using only a subpoena, rather than a court order or probable-cause warrant. Other information in the database comes from mobile phones seized from suspects during an arrest.
The five cities participating in the program, known as the Hampton Roads Telephone Analysis Sharing Network, are Hampton, Newport News, Norfolk, Chesapeake and Suffolk, according to the memorandum of understanding that established the database. The effort is being led in part by the Peninsula Narcotics Enforcement Task Force, which is responsible for a “telephone analysis room” in the city of Hampton, where the database is maintained.
The unusual and secretive database contains telecom customer subscriber information; records about individual phone calls, such as the numbers dialed, the time the calls were made and their duration; as well as the contents of seized mobile devices. The information is collected and shared among police agencies to enhance analysis and law enforcement intelligence.
The legality of the database is in question, however, and at least one law enforcement agency has declined to participate in the program due to legal concerns.
“My initial reaction is that it’s very disturbing and illegal under Virginia law,” said Rob Poggenklass, a staff attorney at the American Civil Liberties Union of Virginia, which was previously unaware of the database.
The system was set up with virtually no public debate or concern expressed by elected officials, who approved resolutions authorizing the database. Hardly anyone outside of the five participating police agencies knows about the sharing network, though its creation was not kept secret.
All over the U.S., local police agencies are collecting vast stockpiles of private information from people—some of it from people who have not been convicted of crimes but were merely stopped by police.
As an example of the amount of data being collected, in the first-ever transparency reports released by major telecoms earlier this year, AT&T revealed that between January and June, it received nearly 80,000 criminal subpoenas for customer records from federal, state and local law enforcement agencies, while Verizon disclosed that it had received over 72,000 subpoenas from law enforcement during the same period.
The Virginia system is yet another example of this creeping expansion of local law enforcement surveillance throughout the country.
Minimal public information about the sharing network exists, but it first made an appearance on the agendas of local government meetings, where it met no resistance. Elected city council members in Newport News and Chesapeake, for instance, passed resolutions approving the telephone data-sharing agreement without objection.
According to the memo establishing the information-sharing network, each participating city agrees to “share telephone intelligence information derived from any source with the (task force) including: subpoenaed telephone call detail records, subpoenaed telephone subscriber information, and seized mobile devices.” Participating agencies can query the system by phone or email. If a city chooses to withdraw from the agreement, any records it supplied to the database remain, according to the memo.
Details about the data collected from mobile phones and stored in the database are uncertain, but the data could be wide-ranging, since mobile users browse the Internet, exchange text messages and share contact lists, and technology available to police can extract much of this information from mobile devices, even if it’s hidden, deleted or password-protected.
Police departments involved in the sharing network are tight-lipped about the database’s contents, refusing to say whether the contents of seized phones includes contact lists and text messages.
Questions sent to each of the five cities contributing to the database were met with brief statements, when responses were provided at all. Sgt. Jason Price of the Hampton Police Division said his agency “gathers, shares and retains information in accordance with local, state and federal law.” More specific answers “could jeopardize on-going and future investigations,” he wrote in an email.
It’s unclear whether the data that’s collected stays with the task force or is further shared with agencies beyond, perhaps with so-called intelligence fusion centers that exist in every state except Wyoming to facilitate information sharing and coordination among local and state police, the FBI, the Department of Homeland Security and other agencies.
The ACLU’s Poggenklass said the database runs afoul of a privacy law in Virginia known as the Government Data Collection and Dissemination Practices Act, designed to curb the overcollection and misuse of digital personal information by state and local agencies.
He points to an interpretation of that law issued last year by Virginia’s attorney general in reference to controversial automated license-plate readers that police departments nationwide have adopted enthusiastically in recent years.
While law enforcers enjoy some exemptions from privacy laws during the course of an investigation, according to the opinion, those exemptions don’t apply when collected data “is of unknown relevance and not intended for prompt evaluation and potential use.” In other words, there must be a clear law enforcement need. Without it, Poggenklass said, police should not be permitted to collect and retain records indefinitely in a database for future queries.
Asked about the legal issues around the phone records database, Hampton City Attorney Vanessa Valldejuli said that due to recent court rulings, data in the system is gathered “only via search warrant or court order consistent with law.” Court orders, as well as subpoenas, have a lower legal standard than warrants, which require investigators to articulate probable cause of a crime to an impartial judge. Valldejuli did not elaborate on which rulings she was referencing, what records those rulings affected or what steps were taken to minimize the impact on people not accused of a crime. She also wouldn’t say whether policies were different before and after the unspecified rulings.
Not everyone in Virginia seems comfortable with the database. The Virginia State Police said through a spokeswoman that it opted not to join the phone record sharing network, even though it’s a member of the drug task force that helps oversee the database. It cited the state’s data practices act as the reason.
The attorney general’s finding isn’t the only legal interpretation of relevance for the database. In a surprisingly tech-savvy ruling (.pdf) in June, the U.S. Supreme Court ruled unanimously that because mobile phones contain highly personal records of nearly every aspect of our lives, police must obtain a warrant before downloading the contents of a mobile phone when they arrest someone.
Courts around the country are struggling to issue timely decisions telling police when and how they can use the rich amount of personal information now contained in smart phones. Federal appeals judges in Atlanta (.pdf) and New Orleans (.pdf), for instance, recently have issued contrasting opinions on whether police must meet the same standard to acquire historic cellphone records that would reveal a person’s movements. That creates continuing uncertainty for law enforcement investigators about what they can and cannot pursue short of a warrant.
Additionally, the practice of obtaining cell tower dumps without a warrant, in which police seek records for every cellphone that has connected with a tower over a specific period of time, is problematic. A federal magistrate judge in New York this summer found that no warrant was necessary for tower dumps, but he did instruct police to determine how they could better handle the private information of innocent people.
In the case of the Virginia database, it’s unclear whether content from seized cellphones—such as text messages— is included in the database or if it just contains so-called metadata describing the phone numbers called, the calls received and their date and duration. But even if only metadata is collected there is still a privacy concern, as the Snowden revelations over the last 18 months have made clear.
Christopher Soghoian, principal technologist and senior policy analyst with the ACLU in Washington, said metadata is useful for assembling portraits of people’s lives over a period of time.
“Metadata is structured. That’s the whole point of metadata,” Soghoian said. “ … Structured metadata enables really, really powerful analysis. If you have call records saying someone called a suicide hotline at 2 in the morning and was on the phone for an hour, you don’t need to know what they said. You know what they’re doing.”
Since the Snowden leaks, the White House has responded with promises to curtail the indiscriminate gathering of bulk records and to require the Foreign Intelligence Surveillance Court to give specific approval for more narrowly targeted requests.
Intelligence officials have at times argued that bulk records about individual communications didn’t threaten privacy when the actual contents of what was said weren’t included. But former NSA head Michael Hayden conceded during an April debate that metadata is revealing enough about one’s lifestyle and identity to target terrorism suspects abroad for attack.
“We kill people,” Hayden said at the debate, “based on metadata.”
This story was produced by The Center for Investigative Reporting, an independent, nonprofit newsroom based in the San Francisco Bay Area. For more, visit cironline.org. Schulz can be reached firstname.lastname@example.org. Follow him on Twitter: @GWSchulzCIR.