The (Il)legality of the NSA Phone-Records-Interception Program

Marty Lederman

My first reaction on reading the groundbreaking story in USA Today about the NSA's secret phone-records-interception program was that Qwest stock is going to go through the roof. Don't take that as a tip -- I'm woefully unreliable on such matters. But there are at least some customers who know a law-abiding, customer-protective company when they see it. (If you haven't yet read the USA Today story, do youself the favor of at least reading the section toward the end, on the hardball tactics applied to Qwest, and its very admirable resistance.)

My second reaction was to wonder about the legality of the program. It didn't strike me as violative of the Fourth Amendment, at least so long as the Supreme Court's unfortuante "pen register" precedent remains good law. But at first glance, it sure does appear to run up against several statutory restrictions that Congress and the President have enacted in order to protect the privacy of our phone calls and phone records, not least of which is FISA itself, which, for purposes of that statute, defines the "contents" of a communication quite broadly, to include "any information concerning the identity of the parties to such communication or the existence, substance, purport, or meaning of that communication." 50 USC 1801(n).

Also, as the USA Today story noted, 47 USC 222(a) & (c)(1) provide that "Every telecommunications carrier has a duty to protect the confidentiality of proprietary information of, and relating to, other telecommunication carriers, equipment manufacturers, and customers, including telecommunication carriers reselling telecommunications services provided by a telecommunications carrier" and that "Except as required by law or with the approval of the customer, a telecommunications carrier that receives or obtains customer proprietary network information by virtue of its provision of a telecommunications service shall only use, disclose, or permit access to individually identifiable customer proprietary network information in its provision of (A) the telecommunications service from which such information is derived, or (B) services necessary to, or used in, the provision of such telecommunications service, including the publishing of directories."

Fortunately for me, my friend Orin Kerr, who knows much more than I about the intricacies of these and other telecommunications statutes, has posted a preliminary review of the legal issues, which he has given me permission to cross-post here. The upshot is as I suspected: No serious constitutional issue (other than, of course, the gross violation of the separation of powers), but several very serious statutory questions. No wonder Qwest balked -- and no wonder NSA was fearful of asking the FISA Court for legal cover.

[UPDATE: To be clear, I have not yet studied these issues closely and therefore do not have a clear sense of which statutes, if any, would apply to the NSA program. This helpful post by Kate Martin suggests that the most serious legal impediment is 18 USC 2702. That argument appears to have some force; but I don't yet know whether the 47 USC 222 objection is more serious -- Kate does not discuss that provision.]

Here's Orin's extremely helpful preliminary take:

Thoughts on the Legality of the Latest NSA Surveillance Program

The USA Today has an important scoop today on a previously secret NSA surveillance program. Assuming the program was described accurately in the USA Today story, is this program legal? Here is a very preliminary run down of the issues. It’s not as complete as I would like, and it’s not something I have thought about as much as I would like before posting. But my grades are due very soon, and unfortunately I can’t spend as much time on this as I would normally like to spend. I hope this post is at least a helpful start.

The legality of the program touches on at least five laws: the Fourth Amendment, the Pen Register statute, the Stored Communications Act, FISA, and the Communications Act.

1) The Fourth Amendment issues are straightforward. It sounds like the program involves only non-content surveillance, which means that it presumably doesn’t implicate the Fourth Amendment under Smith v. Maryland.

2) The legality of the program under FISA is somewhat similar to the legality of the NSA program we learned about a few months ago. The key question is, did the monitoring constitute “electronic surveillance” under FISA, and if so, does the Authorization to Use Military Force allow it? Note that FISA’s definition of “electronic surveillance” goes beyond accessing only content information and extends to some non-content information. If the program did involve “electronic surveillance” under FISA, then we’re right back to the same question that has been raised about the legality of the known NSA domestic surveillance program. If that’s right, your views of the legality of the new NSA program will pretty much coincide with your views of the legality of the NSA program disclosed a few months ago.

3) The next question is, did the monitoring violate the Pen Register statute, and in particular the prohibition of 18 U.S.C. 3121? To boil down a complex area of law into a sentence, federal surveillance law calls any means of surveilling non-content telephone or Internet information a “pen register” or “trap and trace device.” Section 3121 then bans using such a device unless the government has a court order (either through the criminal investigative authorities or national security law authorities) or an exception to the statute applies. The exceptions in the statute don’t seem applicable here: They mostly involve monitoring to provide better service for the telephone company.

The USA Today story suggests that Qwest wanted the government to obtain a court order for the monitoring, and that the government refused because they concluded that the FISA court might not grant the order. The court order they are referring to is probably the FISA pen register order. Under 50 U.S.C. 1842, the Attorney General or his designate needs to approve the request for such an order, and must certify “that the information likely to be obtained . . . is relevant to an ongoing investigation to protect against international terrorism or clandestine intelligence activities, provided that such investigation of a United States person is not conducted solely upon the basis of activities protected by the first amendment to the Constitution.” The order would then need to be renewed every 90 days under 50 U.S.C. 1842(f).

The legal threshold for a FISA pen register order is low: relevance to an ongoing investigation is a pretty easy standard to satisfy. At the same time, obtaining an order for this kind of monitoring would raise an issue that I have wondered about but I don’t think I know how to answer: Does FISA’s pen/trap authority in 50 U.S.C. 1842 permit the government to conduct massive-scale monitoring, or must monitoring be limited to a specific set of persons or accounts? When the USA Today story says that the government didn’t think the order would be granted by the FISA court, I gather they are saying that the FISA court judges didn’t think the FISA pen/trap authority permitted such massive scale monitoring. That sounds like a sensible conclusion: I would guess that the FISA judges wouldn’t interpret the FSIA pen/trap authority as permitting such massive scale monitoring (in that it trumps the need for any individual orders, which would be odd).

4) The next possible statute is the Stored Communications Act (SCA), and in particular the prohibition on disclosing records relating to wire communications to a government entity found in 18 U.S.C. 2702(a)(3). It’s not clear to me that the SCA applies: the SCA was designed to deal with one-time disclosure of stored communications and records, not real-time collection and repeated disclosure. At the same time, the statute doesn’t have an explicit exception for real time collection, so it’s at least plausible that it does apply. If it applies, disclosure is permitted only if an exception to the statute covers this. I don’t think that any of the exceptions apply, though: the emergency exception of 18 U.S.C. 2702(c)(4) seens to be the closest, but this doesn’t sound like there was an “immediate danger” here. This was an ongoing program, not a program responding to a sudden emergency.

5) A fifth possible statute, and one mentioned in the USA Today story, is the Communications Act of 1934, 47 U.S.C. 222. I have generally thought that the statutes discussed above trump this statute, but the USA Today story mentions it. In any event, I don’t know much about this one, as it’s a telecom statute and I don’t normally play in that sandbox. So I’ll punt on this one for now.

To summarize, my very preliminary sense is that there are no Fourth Amendment issues here but a number of statutory problems under statutes such as FISA and the pen register statute. Of course, all of the statutory questions are subject to the possible argument that Article II trumps those statutes. As I have mentioned before, I don’t see the support for the strong Article II argument in existing caselaw, but there is a good chance that the Administration’s legal argument in support of the new law will rely on it.
Posted 12:25 PM by Marty Lederman [link]