False
Graham
The USA Freedom Act undercuts privacy because "the phone records will be in the hands of the phone companies with hundreds of people available to look at the records, versus 20 or 30 people in the government."

Lindsey Graham on Tuesday, June 2nd, 2015 in an interview with CNN's Jake Tapper

Lindsey Graham: Freedom Act means less privacy for phone records

The Senate passed the U.S.A. Freedom Act, which affects the National Security Agency's bulk phone data collection program, June 2, 2015.

Soon, the government will no longer be able to accumulate Americans’ phone records in bulk. But Sen. Lindsey Graham, R-S.C., says this doesn’t settle any concerns over privacy.

On June 2, Congress passed the USA Freedom Act, which altered parts of the Patriot Act, the anti-terrorism law passed soon after 9/11. The most significant aspect of the Freedom Act is that it effectively ends the National Security Agency’s bulk phone records collection program, made public by Edward Snowden’s revelations in 2013.

Graham, also a presidential candidate, was not present for the final vote on the bill. But in a CNN interview he gave from Manchester, N.H. he said he opposes the Freedom Act and would have preferred to keep the Patriot Act as is.

"The (metadata) provisions I don't like at all," Graham said of the Freedom Act in a June 2 interview with Jake Tapper. "Basically, you've undercut privacy now. All of the records will be in the hands of the phone company with hundreds of people available to look at the records versus 20 or 30 people in the government. So I think the (metadata) program has been undermined in terms of the (USA) Freedom Act, and quite frankly, we've told the enemy so much about it, I'm not sure it works anymore."

We took a look into Graham’s claim that because of the Freedom Act, hundreds of phone company employees will now have access to the phone records, as opposed to just a couple dozen government employees currently.

But here’s the rub: The phone companies have always held this data, and the new law doesn’t change that.

As it always was

Prior to the Freedom Act, major cell phone providers like Verizon, AT&T and Sprint would steadily hand over all of their phone records to the NSA, which maintains a massive database. The records include information like the location of a call, phone numbers involved and the length of the call, but not the content or audio.

Intelligence workers can then run a phone number with terrorist ties through the database to find out who they called and when. Even without the content, phone records metadata can reveal significant information about a person.

Government officials have said there are tight restrictions on who can access the database, with Justice Department oversight. Officially, only 22 NSA analysts are allowed to approve a database query, and only 33 can actually access the database. This is the "20 or 30 people in the government" Graham references. (The Electronic Frontier Foundation, a technology privacy advocacy group, told us that some people dispute these figures, but they are the best figures we have.)

The Freedom Act changes things by keeping these records in the hands of the phone companies. If the government wants to look at a suspected terrorist’s call data, they must get a court warrant first.

So in six months, when agencies have implemented the new law, will hundreds of phone companies employees have access to this data who didn’t before? Well, no. The Freedom Act doesn’t change much for phone companies in terms of how they maintain their records, so there is no reason to believe the law would dramatically increase the number of employees with access to the data.

"Cellular service providers have always had access to cellular metadata," said Stephen Wicker, a professor of electrical and computer engineering at Cornell University. "The expiration of various provisions of the Patriot Act has simply eliminated the authority under which the government requested the data from the service providers."

Phone companies hold onto these records, in some cases for several years, for business purposes. Per FCC regulations, phone service companies can only access these records with the customer’s permission or if required by law, such as providing information to aid a criminal investigation.

We weren’t able to pin down the number of employees who can lawfully access the records. We reached out to Verizon, AT&T and Sprint, and none were able to give us a head count. But with about 175,000 employees at Verizon alone, it very well might be in the hundreds.

Phone companies have customer service operators who can access an individual record to provide clients information about their account, and they have teams of lawyers who handle records requests for law enforcement. And an engineer might access the anonymous metadata for planning cell tower placement and optimizing coverage.

A spokesman for Verizon, the largest wireless communications service provider, said the company will not increase the number of employees with access to the records.

"Verizon takes seriously its commitment to protecting its customers’ privacy, and we have strict protocols that limit access to customer data unless there is a specific business purpose to do so," said Verizon spokesman Ed McFadden. "No additional Verizon employees will need access to those records as a result of the change in law."

Graham’s office told us that while phone companies will have the same access to all the data now as they did before, there are other privacy concerns, such as the fact that phone companies will now know things like which phone numbers the NSA is interested in.

The Freedom Act does not create any new database for phone companies or require them to keep any information they don’t already keep, though it does require the companies to standardize their records for ease of cross-referencing between carriers, said Julian Sanchez, senior fellow at the libertarian Cato Institute, who called Graham’s claim "bizarre."  

One might find cause for concern in the possibility that the new system would allow phone company employees to access other companies’ metadata, said Timothy Edgar, a fellow at Brown University’s Watson Institute and a former director of privacy and civil liberties at the White House under President Barack Obama. If the NSA wants to see all the calls connected to a phone number associated with terrorism, that might include calls to numbers belonging to other service providers.

But the ideal system would have security measures that would ensure that employees wouldn’t be able to access other companies’ information while still providing the NSA with a full picture, he added.

"I see very little prospect that the NSA queries of phone records held under the USA Freedom Act would result in more people having access to phone records than under the NSA bulk collection program," Edgar said.

Our ruling

Graham said that because of the USA Freedom Act, "the phone records will be in the hands of the phone companies with hundreds of people available to look at the records, versus 20 or 30 people in the government."

The premise of Graham’s statement is incorrect. Many phone service company employees already have access to their company’s phone records, and the law doesn’t increase that number.

Currently, the phone companies keep their own records, and the NSA collects these records in bulk. The new law eliminates the NSA bulk collection program, but it does not affect how the companies themselves maintain their records, other than some standardization measures. The law does not cause the phone records to change hands, nor does it create new databases or record-keeping systems.

We rate Graham’s claim False.