On June 2, 2015 the USA Freedom Act went into effect, providing a 180 day period for the NSA continue collection of telephony data while shifting to a new approach. The transition period concluded November 29, 2015, with that the government is prohibited from bulk collection of telephony metadata under Section 215. The agency is now required to first make a “specific query” prior to collecting domestic phone data. This “specific query” could be a name or device number, but it ultimately aims to rein in gathering and analysis of communication data en masse.
It’s worth noting, however, that other surveillance programs remain operational, like PRISM which targets internet communications. It’s been suggested that remaining programs may offer a workaround for the new limitations, which is something the NSA has managed in the past. Further, legislation is still in place to support surveillance, particularly internet traffic of foreigners. Section 702 of the Foreign Intelligence Surveillance Act was implemented in 2008 and not up for renewal until 2017. Another piece of justification comes in the form of Executive Order 12333, signed by Reagan in 1981.
In fact, former government official Richard Clarke explicitly stated that Section “215 produces a small percentage of the overall data that’s collected” at a Senate Judiciary Committee hearing in January 2014. This Executive Order, by contrast, has provided the authority for much of the NSA’s data collection activities. Unlike the other two legal authorities for the government’s information gathering, this Executive Order has yet to be subject to much debate. Its lack of any expiration date and recent concerns about potential “inadvertent or unintentional” resulting gaps in security means it’s likely to continue supporting intelligence collection for some time.
Persisting concerns related to privacy and civil liberties may further shape the approaches intelligence agencies take. Another factor, however, is the evolution of communication technologies like the increased use internet-based information exchanges such as social media and email. Steering toward web-based threat detection, then, is in keeping with the direction surveillance has been headed.