Costs of NSA phone records collection program outweigh the benefits

The National Security Agency (NSA) has often claimed that its data collection programs have helped thwart dozens of terrorist plots in the U.S. But an analysis of one such program, the NSA's controversial bulk telephone records collection initiative, suggests that the cost of running and maintaining the effort may far outweigh any benefits.

The analysis, conducted by John Mueller, an adjunct professor in the department of political science at Ohio State University, and Mark Stewart, a professor at the University of Newcastle in Australia, is based on published reports, court records and publicly released government data.

It considers the NSA's claimed successes in foiling terrorist plots with the costs that must have been incurred to stop any attacks.

The NSA has said that its surveillance efforts helped it disrupt 54 terrorism plots in the U.S. over the past several years.

The authors note that the overall number by itself is very small considering the tens of billions of dollars that must have been spent on counterterrorism programs established after the terrorist attacks of Sept. 11, 2001. The number becomes even smaller when only the bulk phone metadata collection program is considered.

According to Mueller and Stewart, a review of publicly available information shows that about 90% of the cases cited as successes by the NSA actually involved data gathered under PRISM, a separate program designed to gather information on non-U.S. terror suspects.

That means that the metadata program played a role in about five cases since it was launched. Of those cases, only one appears to have been a truly serious threat -- three Afghan-Americans were plotting to set off bombs in the United States, according to Mueller and Stewart. Even in that case, at least some of the information used to help thwart the plot came from other data collection programs.

In fact, just one of the identified cases relied on phone metadata in a major way; it involved a San Diego cab driver who was later convicted of sending money to a terrorist group in Somalia.

Neither the NSA nor the Obama Administration has so far publicly disclosed the costs of running the various data surveillance programs. The authors of the report surmise that government officials may not even know what the programs cost. Spending increases on counterterrorism in the aftermath of 9/11 attacks took place so fast that few kept track of it.

It is possible that the direct costs of maintaining the metadata collection program are quite low, the authors noted in their report. Even so, a full accounting should include not just the collection and storing of the data but also the costs of searching through and analyzing the data and developing and following through on leads.

Leads from the NSA metadata collection program are handed to the FBI, which then has to follow through and investigate them at additional cost. Public reports and disclosures in the media and by government officials suggest that many of the leads supplied by the NSA end up going nowhere. In fact, only 0.2% of the leads typically pan out enough for the FBI to follow through, the authors wrote.

The NSA's intense focus on "connecting the dots" over the past few years has led it to collect and analyze a vast amount of mostly useless information, according to Mueller and Stewart. Bits of data that ordinarily wouldn't have merited a second glance previously, are now collected, filed and analyzed at potentially great cost.

"There is very little evidence that any of this has done much good," Mueller said Friday. "The costs certainly outweigh the benefits, especially if you include things like privacy costs and opportunity costs," he said.

According to Mueller, even if the metadata program was to result in the NSA thwarting just one major terrorist attack every four years, it would still not be cost effective when all costs are accounted for.

Noted security researcher Bruce Schneier said the analysis of the value of the metadata program appears solid. "I think they have great framework for analysis, and -- given the information we have -- have demonstrated that [the data collection program] doesn't have value," he said

"Of course, it's possible that the NSA has secret information that proves that it does have value. But given that the NSA has been pretty desperate to show that they're actually keeping us secure, it's pretty safe to conclude that if they did have evidence they would have presented it," he said.

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed. His e-mail address is jvijayan@computerworld.com.

See more by Jaikumar Vijayan on Computerworld.com.

Read more about privacy in Computerworld's Privacy Topic Center.