Further Thoughts on the Lawfulness of the Newly Disclosed NSA Program

Marty Lederman

In an earlier post, I offered some preliminary thoughts about the legality of the NSA program by which the NSA has asked telecommunications providers to disclose phone records (but not contents) of millions of domestic calls, presumably so that NSA might look for patterns in such calls indicating possible ties to Al Qaeda. I quoted Orin Kerr as identifying four possible statutes that might prohibit what the NSA and the phone companies are alleged to have done. (Both Orin and I concluded that under current Supreme Court doctrine, this program standing alone probably does not violate the Fourth Amendment. [UPDATE: That Fourth Amendment doctrine is, IMHO, seriously flawed, and has been subject to serious challenge, in part because it could lead to the conclusion that dragnets such as that at issue here are constitutional. See, especially, Patricia Bellia's powerful critique in Surveillance Law Through Cyberlaw's Lens, 72 Geo. Wash. L. Rev. 1375, 1397-1412 (2004), which can be found at pages 24-40 of the document downloadable here.]

After a bit more reflection, and as explained below, I think it's safe to say that at least some of the statutory arguments against the program might not be as strong as they first appeared -- depending on the particular details of the program, which we of course do not know. But at least two other statutory objections appear to remain very formidable.

It would be much easier to evaluate the various legal arguments if the Administration had simply come out and informed the Congress and the public that it was developing a phone-records database, and had offered a legal basis for doing so. Unfortunately, this Administration's modus operandi is to withhold from the public any information at all, even at a very general level, about what the government is doing in the war on terror -- and to keep the vast majority of Congress in the dark, as well. The President and his spokespersons are all over the television today arguing that disclosure of this program is a grevious blow to national security. But I've yet to hear any plausible justification for the secrecy of the program, or any serious argument about why its disclsoure is so dangerous. If, as the New York Times reports, the Administration thinks it's invaluable to have telecom companies provide phone records to the NSA "of most telephone calls in the United States," to be used "for the limited purpose of tracing regular contacts of 'known bad guys,'" and further believes that such a vast program is legal, why can't they simply announce those facts, and publicly make the case for why the program is legal? After all, if it is legal to collect such a database, wouldn't it make perfect sense for the government to do so? Why, if the program is legal, would it come as any surprise at all to Al Qaeda and its affiliates that the government is taking advantage of such a resource?

In any event, here are some further thoughts on the four statutory arguments. These reactions remain tentative. I welcome any corrections and further suggestions:

1. FISA. The phone records almost certainly are "records" of "electronic communications" under FISA. See 50 USC 1801(n). But FISA only restricts "electronic surveillance" of such communications, and it's not obvious that this NSA program involves electronic surveillance by the agency. "Electronic surveillance" is defined as the "acquisition" of such communications "by an electronic, mechanical, or other surveillance device." 50 USC 1801(f). The account in today's paper indicates that the NSA obtained the contents of phone records via simple requests to the phone companies, rather than by use of any "electronic, mechanical, or other surveillance device." If this is the case, then it would appear that this program (unlike the one revealed last December) would not involve "electronic surveillance," and thus would not violate FISA's limitations on such surveillance.

2. The Pen Register Statute. The Pen Register Staute, 18 U.S.C. 3121, bans the use of a "pen register" or "trap and trace device" unless the government obtains a court order, the use is authorized by FISA, or the use falls within an exception to the statute. As Orin indicated, the exceptions in the statute don’t appear to be applicable here. But has the NSA used a pen register or trap-and-trace device -- as those terms are defined in 18 USC 3127(3)-(4) -- to obtain the information? Certainly the phone companies have done so -- and their use is statutorily exempted. But it's not obvious that the government itself used a pen register or trap-and-trace device in order to obtain the infromation, especially if the NSA simply received the information directly from the service providers. To be sure, there are arguments that the NSA violated 3121 -- see the debates in the comment thread of Orin's post here -- but based solely on the words of the statute, the arguments do not appear be very strong.

3. The Stored Communications Act. This is the statute that Kate Martin emphasizes in her post.

18 USC 2702(c) prohibits a provider of electronic communication service from divulging to a governmental entity any "record or other information pertaining to a subscriber to or customer of such service" other than the contents of communications, unless the disclosure comes within one of the exceptions of 2702(c). (Somewhat surprisingly, section 2702 does not prohibit the provider from disclosing such information to non-governmental entities -- although other statutes (such as 47 USC 222, see below) may limit such disclosures.) Most of the 2702(c) exceptions are certainly inapplicable here. [UPDATE: Orin Kerr explains here why the other 2702(c) exceptions are inapposite. It appears that one of those exceptions might be at the heart of the Administration's defense of the program. According to a story in tomorrow's Washington Post, the government might be relying on the exemption found in subsection 2702(c)(2), which permits disclosure "with the lawful consent of the customer or subscriber." The theory is quite alarming:

One government lawyer who has participated in negotiations with telecommunications providers said the Bush administration has argued that a company can turn over its entire database of customer records -- and even the stored content of calls and e-mails -- because customers "have consented to that" when they establish accounts. The fine print of many telephone and Internet service contracts includes catchall provisions, the lawyer said, authorizing the company to disclose such records to protect public safety or national security, or in compliance with a lawful government request. . . . Verizon's customer agreement, for example, acknowledges the company's 'duty under federal law to protect the confidentiality of information about the quantity, technical configuration, type, destination, and amount of your use of our service,' but it provides for exceptions to 'protect the safety of customers, employees or property.' Verizon will disclose confidential records, it says, "as required by law, legal process, or exigent circumstances."

Yeah, that argument is sure to go over well with the public: Turns out that the millions of us have all agreed (in the fine print) to this data-mining program. Orin Kerr is fairly dismissive of this argument, based on the doctrine in the context of the analogous wiretap statute that what is required is not constructive consent but "consent in fact."]

If I'm right about this, then the only possible exception to 2702(c)'s prohibition relevant to the NSA program is found in section 2702(c)(1), which permits any disclosure "authorized in section 2703." And the only conceivably pertinent provision of section 2703, in turn, is subsection 2703(c), which provides as follows:

(1) A governmental entity may require a provider of electronic communication service or remote computing service to disclose a record or other information pertaining to a subscriber to or customer of such service (not including the contents of communications) only when the governmental entity--

(A) obtains a warrant issued using the procedures described in the Federal Rules of Criminal Procedure by a court with jurisdiction over the offense under investigation or equivalent State warrant;
(B) obtains a court order for such disclosure under subsection (d) of this section;
(C) has the consent of the subscriber or customer to such disclosure;
(D) submits a formal written request relevant to a law enforcement investigation concerning telemarketing fraud for the name, address, and place of business of a subscriber or customer of such provider, which subscriber or customer is engaged in telemarketing (as such term is defined in section 2325 of this title); or
(E) seeks information under paragraph (2).

(2) A provider of electronic communication service or remote computing service shall disclose to a governmental entity the--
(A) name;
(B) address;
(C) local and long distance telephone connection records, or records of session times and durations;
(D) length of service (including start date) and types of service utilized;
(E) telephone or instrument number or other subscriber number or identity, including any temporarily assigned network address; and
(F) means and source of payment for such service (including any credit card or bank account number),

of a subscriber to or customer of such service when the governmental entity uses an administrative subpoena authorized by a Federal or State statute or a Federal or State grand jury or trial subpoena or any means available under paragraph (1).

None of the provisions of subsections 2703(c)(1)(A)-(D) is applicable here. Thus, under subsections 2703(c)(1)(E) and (c)(2), the NSA could compel such disclosure only pursuant to "an administrative subpoena authorized by a Federal or State statute." And there appears to have been no such administrative subpoena here. Ergo, the service providers appear to have violated section 2702(c).

[UPDATE: Previous discussion found here on National Security Letters moved to the end of this post.]

4. The Telecommunications Act of 1996. As I noted in my earlier post, 47 USC 222(a) & (c)(1) provide that every telecom carrier has a "duty" to protect the confidentiality of proprietary information of, and relating to, their customers, and that "[e]xcept as required by law or with the approval of the customer, a telecommunications carrier that receives or obtains customer proprietary network information by virtue of its provision of a telecommunications service shall only use, disclose, or permit access to individually identifiable customer proprietary network information in its provision of (A) the telecommunications service from which such information is derived, or (B) services necessary to, or used in, the provision of such telecommunications service, including the publishing of directories."

The information disclosed to the NSA would appear to be customers' "proprietary information," defined in section 222(h)(1) as "(A) information that relates to the quantity, . . . destination, location, and amount of use of a telecommunications service subscribed to by any customer of a telecommunications carrier, and that is made available to the carrier by the customer solely by virtue of the carrier-customer relationship; and (B) information contained in the bills pertaining to telephone exchange service or telephone toll service received by a customer of a carrier."

Accordingly, and without knowing more, the disclosure of such information to the NSA appears to have violated the Telecom Act of 1996, because it was not "required by law."


* * * *

The upshot of all this is that the NSA appears to have induced certain telecom providers to violate 18 USC 2702(c) and 47 USC 222.

Once again, however, I'm hardly an expert on these statutory questions, and I've spent only a couple of hours on them. Therefore I welcome any and all corrections, clarifications and other suggestions.

[UPDATE: In an earlier iteration of this post, I suggested that perhaps the Administration could have obtained the requisite authorization to require the disclosure under 2703(c)(2), and could have avoided application of 47 USC 222, by use of the so-called "national security letter" provisions of 18 USC 2709. I now have reason to think, however, that this was a mistake: Proper use of section 2709 likely would not permit the wholesale collection of the sort of undifferentiated database of phone records at issue here -- especially not by the NSA.

Section 2709, as amended by the USA PATRIOT Act of 2001, provides that a service provider "shall comply with a request for subscriber information and toll billing records information, or electronic communication transactional records in its custody or possession made by the Director of the Federal Bureau of Investigation," if the FBI Director or his designee certifies in writing "that the name, address, length of service, and toll billing records sought are relevant to an authorized investigation to protect against international terrorism . . . . , provided that such an investigation of a United States person is not conducted solely on the basis of activities protected by the first amendment to the Constitution of the United States." (Prior to the PATRIOT Act, the Director had to certify that there was reason to believe either that the information sought pertains to a person or entity that is a foreign power or an agent of a foreign power or that communications facilities registered in the name of that person or entity have been used to communicate with someone engaged in international terrorism or clandestine intelligence activities. The PATRIOT Act eliminated those much more substantial burdens. See also section 215 of the PATRIOT Act, 50 USC 1861, which authorizes the FBI Director, on the basis of a similar sort of certification, to apply for an order requiring the production of any tangible things (including books, records, papers, documents, and other items) for an investigation to protect against international terrorism.)

In my previous post, I suggested that if only the FBI Director had tendered such a certification (an "NSL") to the service providers here, those providers would have been required to provide the records that they turned over to the NSA, which presumably would have nullified the prohibitions found in sections 2702(c) and 47 USC 222. But I am now led to understand that there are several reasons why that was not an option here. The principal reason is that section 2709 does not contemplate the sort of undifferentiated data-mining requests at issue here; instead, it requires the FBI Director to seek the records of particular persons (hence the requirement of specifying a "name, address, length of service, and toll billing records"). Also, the request must be in the service of an "authorized investigation" -- a term of art that I am told refers to an FBI investigation (not an NSA investigation) that is subject to particular regulations established by Executive Order 12,333, which limits the subject matter of investigations, sets standards for such investigations, requires intenral DOJ oversight, etc. (More along these lines from Kate Martin here.) In addition, any certified FBI investigation emerging from a phone-records database such as this one might well be deemed an "investigation of a United States person . . . conducted solely on the basis of activities protected by the first amendment" (those first amendment activities being phone conversations), which would disqualify it under the plain terms of section 2079 itself. Finally, if the FBI Director were to attempt to use an open-ended NSL for a fishing expedition to obtain from a service provider a vast swath of phone records of multitudes of persons, that might well raise serious Fourth Amendment questions in its own right, because even subpoenas must be sufficiently limited in scope, relevant in purpose, and specific in directive so that compliance will not be unreasonably burdensome. See, e.g., Donovan v. Lone Steer, Inc., 464 U.S. 408, 415 (1984). See, for example, Doe v. Ashcroft, 334 F. Supp. 2d 471, 494-506 (S.D.N.Y. 2004) (declaring that an NSL issued pursuant to section 2709 itself violated the Fourth Amendment).]
Posted 10:08 PM by Marty Lederman [link]